WSIS Physical Security Cracked
An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."
Feels good (Score:5, Funny)
Re:Feels good (Score:2)
What the "activists" did was present a fake ID. Whoop de freakin' do. Certainly something stupid on part of the summit organizers, but not exactly failing to "keep a couple of geeks out of a conference room."
The part I really don't get, though, is the fuss about the RFID tags. Guess what? I bet they were using them for the same thing that sup
Re:Feels good (Score:5, Interesting)
And so forth. The issue is not necessarily so much that the organizers are hostile as that they're incompetent in the very matter they're holding a conference about.
RTFA (Score:5, Informative)
Re:RTFA (Score:2)
That said, I would argue that privacy and security are key among such issues, and would hope that those involved in such a society would be knowledgeable regarding it.
Re:RTFA (Score:2)
No, they also pointed out issues completely unrelated to the badges -- such as displaying members' information in such a way that others could observe or record it, easy circumvention of the metal detectors, and the like.
The security badges they scammed are no different than the ones we've all been wearing to get into our day jobs for the past 10 years.
The badge I wear to get into my day job is passive -- needs an EM field
Re:RTFA (Score:3, Insightful)
There are a variety of smart card and RFID standards, and the two are different animals. This "press release" did nothing to clarify what the cards were. If these guys were such amazing hackers we would know if it is a tag or a ca
Re:Feels good (Score:5, Insightful)
The security at the conference is weak, and they're collecting personal data while they navigate the conference.
I think they've pretty much proven they're the wrong people for the job.
Re:Feels good (Score:4, Funny)
don't underestimate 2-bit encryption (Score:2)
huh? (Score:4, Funny)
sidenote: all them kids in the clubs must be great crackers .. I see them "cracked" and "bypassed physical security" all the time .. .. this is slashdot .. no one goes to clubs here ..
.. Wait .. how's this different than any other place that asks for your information .. like Police and Lawyers Love E-ZPass [slashdot.org]?
oh wait
then they dissect the cards that were given to them to find out that they have RFID chips but no one seems to know what it does.
Re:huh? (Score:3, Interesting)
Re:huh? (Score:5, Funny)
Re:huh? (Score:2, Funny)
And Maxim...
Re:huh? (Score:2)
Re:huh? (Score:4, Funny)
Re:huh? (Score:2)
But you just admitted that very thing to a thousand strangers. :)
</tongue-in-cheek>
Re:huh? (Score:1, Funny)
Re:huh? (Score:2, Interesting)
You get the same discount, you get to have some fun trading cards around and stuff, and they can't track you nearly as easily.
Re:huh? (Score:2)
I do this too! There should be a website to host such an exchange program - send in a [somestore] card, a SASE, and get a random [somestore] card back (same kind as you send in of course).
Re:huh? (Score:1)
None of this would be a problem if the people making these decisions were in any way whatsoever educated in computer science. They're not, however, and considering their complete and utter incompetence regarding everything else they do... why should their involvement here be any better?
Re:huh? (Score:5, Insightful)
One is a venue which wants to transfer money from your wallet to them in exchange for alcohol and a good time. The government says they aren't allowed to take money from people below a certain age, so they don't let them in. If you have a fake ID, then why would the club care that you choose to spend your money on their product?
One is a venue filled with the heads of governments of numerous countries, government ministers, UN bigwigs (like the Secretary-General), and other such VIPs (in some people's eyes). It doesn't want to sell people a product which the government has decreed you have to be a certain age to have, but possibly wants to stop VIPs being harassed and bombs being planted.
Re:huh? (Score:3, Interesting)
Even worse. I think the article said "...a name from the WSIS website of attendees." No cracking, unless you consider surfing the web "cracking".
Well. . . (Score:5, Funny)
Yep, it was fairly easy to sneak my tin foil hat in.
so this is like 'hacking' (Score:5, Funny)
Re:so this is like 'hacking' (Score:2, Funny)
"Bypassed security" (Score:5, Insightful)
Basically the "researchers" represented themselves as being someone else and used a fake (potentially) illegal piece of identification. Doesn't seem clever, just seems fraudulent.
They then go on to speculate about how "data mining" and RFID might be used for all sorts of nasty tricks and end up sounding like a bunch of paranoid crack-pots.
So, if I buy a fake passport on a street corner and then use it to enter Germany, did I just "crack" Germany's security and can I get my picture on Slashdot?
John.
Re:"Bypassed security" (Score:5, Insightful)
Re:"Bypassed security" (Score:3, Insightful)
So to fix the problem that the "researchers" exposed, you need a participant to submit _prior_ to the conference some token that only they would know or have. So they could have demanded a photo, fingerprint, eye scan, urine sample beforehand. Then they could have demanded the same when getting your badge.
But you have to ask whether that would be an appropriate level of secur
Re:"Bypassed security" (Score:4, Insightful)
Re:"Bypassed security" (Score:2)
Obviously.
And it would be of great concern to Germany. Just as this should be of great concern to the organisers of the summit.
They probably don't want protesters or terrorists getting in just as much as Germany doesn't want illegal immigrants or terrorists getting through its security.
Re:"Bypassed security" (Score:3, Interesting)
Re:"Bypassed security" (Score:5, Insightful)
1) These people have little concern for security, seeing as how they didn't even comply with the multiple applicable laws governing that sort of conference
2) These people have little concern for privacy, again, as they didn't comply with multiple applicable laws on the matter
3) Their ineptitude could possibly be opening these people for extortion or blackmail, or even endangering their lives.
4) These are the people who are deciding how the internet is going to be governed
U.N. and the Internet (Score:3, Insightful)
Not to get too off-topic, but I don't think that I like the direction that they want to take the Internet. Yes, it spans the globe, but it's something that a lot of private and public American funding went into designing, developing, and maintaining. I understand the need for standards, but I don't think that the U.N. is really right for governing the Internet. They have a hard enough time running peacekeeping missions
Re:U.N. and the Internet (Score:2)
Re:U.N. and the Internet (Score:2, Insightful)
The UN might be more capable/powerful running those missions if the U.S. were paying their share of the contribution.
The U.S. had the single largest contribution to the idea of a global information network in the form of the Internet. If the rest of the world wants one of their own, let them create it themselves.
Ha, but a European guy invented HTML, without which 'American' internet would be pretty useless, would
Re:U.N. and the Internet (Score:2)
Oh yeah - what made the int
Re:"Bypassed security" (Score:2)
The procedures of how personal data is being handled during WSIS break the principles of the Swiss Federal Law on Data Protection of June 1992 [2], the European Union Data Protection Directive 95/46/EC [3] and the United Nations guidelines concerning Computerized personal data files adopted by the General Assembly on December 1990.
They said "how the data is being handled", they didn't elaborate more, and I'm not qualified to speculate on the legality of anything. My objective was more to
Re:"Bypassed security" (Score:2)
Re:"Bypassed security" (Score:5, Interesting)
The security at freaking MacWorld was better (or worse, depending on your perspective) than this the last time I went! Unless you got your badge via mail, you had to produce not only your ID but also the credit card that you used to register. Not infallible, but at least a challenge - and Javits wasn't full of diplomats, either.
Re:"Bypassed security" (Score:3, Funny)
Give it a try. I think that's how David Hasselhoff got his big break.
Re:"Bypassed security" (Score:2)
No. That could only happen in three ways:
Re:"Bypassed security" (Score:2)
No, but I'm sure it would appear on a few mug shots.
Re:"Bypassed security" (Score:2)
Yes.
and can I get my picture on Slashdot?
No, because there is no particular expectation that German security is any better than that of, say, France or the US. European nations don't have a lot of security along their borders with other Western nations. So, it isn't hard for an American to enter Germany, France, or the UK illegally.
However, there is a natural expectation that security
Might have been an inside job (Score:2)
The system includes also an X-ray and metal screening system. Two days before we were in the Congress bringing all kinds of boxes and equipment. No physical access security was implemented until the very late time and we could move inside freely carrying any items.
Why were they bringing in equipment two days before? Were they testing security or were they employed to carry stuff around by the conference? If the latter is true then it isn't much of an accomplishment to
easy solution (Score:3, Funny)
No Seriously... (Score:2)
Google seems to think so [google.com]. The truth of the matter is that a microwave oven is massively over-powered for the job of killing RFID tags.
Further proof (as if any was needed) (Score:4, Funny)
Tracking locations? (Score:4, Interesting)
Re:Tracking locations? (Score:3, Interesting)
Nothing is safe. (Score:5, Insightful)
Still Important (Score:4, Insightful)
What information of use could be gleaned at future meetings or other UN events? The same people very likely do event security for this and other conferences, and the type of information that could be gleaned or the damage that could be done at other events is something to be taken seriously.
Personally, I despise the UN - but they (through US) are a force in the world and a breach of their security is nothing to laugh at too quickly.
Historical parallel.. (Score:5, Insightful)
[RFID] Late night on slashdot and the nightmare... (Score:5, Insightful)
They are going to put these in tires. When you buy your tires the seller is going to be required to enter your information in a database.
One day when you are going a little too fast in a school zone or run a yellow that switches to red too fast an underground computer is going to sense the rfid in your tire, immediately reporting the number via rf link to police headquarters.
You would think that this would be for the purpose of giving you a ticket. You're right, you will get a ticket. But that is not the end the trail for your rfid number.
It immediately gets sent to the state government where it checks to make sure you are not a deadbeat dad whose whereabouts are unknown, simultaneously sending it to the FBI to see if you are a name on the "patriot" act watchlist, and indexes your location. If you drive on the same street on a regular basis they will know where to find you.
You're not a deadbeat dad, lawbreaker, or terrorist you say??? Well the trail that your rfid number takes does not end there. Your rfid number is sold by cash-strapped states to a commercial database under the auspices of "risk mitigation" that insurance companies subscribe to. Because you were speeding, you are at an increased risk and your car insurance rates are subsequently raised. Because you drive dangerously, your health insurance rates are also raised. Maybe they cancel your policy outright.
You're thinking I'll just remove the rfid. No you won't. Driving with unregistered tires is against the law, and if an officer can't scan you as you drive past his cruiser, he pulls you over and immediately suspends your license and impounds your car. But you won't be able to remove it anyway, without destroying the tire, as it is purposefully integrated with the "steel belt".
Does the trail end for your rfid tire number now? No, it most certainly doesn't. To see where it leads further, you are going to have to talk to my patent attorney.
Re:[RFID] Late night on slashdot and the nightmare (Score:1, Informative)
Lemme clue you in, there's this wild and crazy technology that puts a unique identifier on every automobile driving on public roads. It's linked to your name in state databases and it's required by LAW. It's called a license plate, you dumb shit.
And amazingly, if you get caught by an officer speeding in a school zone or blowing a red light, they will run your license plate in their little laptop to see if you have any warrants out, like
Re:[RFID] Late night on slashdot and the nightmare (Score:2, Informative)
That is the big difference. The fact that this information will be entered into several hundred databases automatically.
Re:[RFID] Late night on slashdot and the nightmare (Score:3, Informative)
Pay cash, (until the gov stops printing it, they must accept it) give them a fake name and phone number (the phone book is full of them), buy or make an RFID reader and locate the tag in the tire and cut that section of the tire out and put it in a microwave for about 30 seconds. DING! The RFID tag is fried, now replace the cutout in the tire and freely run down kids in school crosswalks with the red lights.
Hmm, just read the rest of your
Re:[RFID] Late night on slashdot and the nightmare (Score:2)
What if they put RFID in the cash?
Re:[RFID] Late night on slashdot and the nightmare (Score:3, Interesting)
NarratorDan
Counterfeit - cash or card? (Score:2)
CASH too easy to counterfeit??? As a certified terroristcriminal(TM), I'd rather work with the credit/debit cards. Smart chips are fun to hack. Anyway, CC companies don't care about fraud, they just push the costs onto the merchant. ;-)
Re:[RFID] Late night on slashdot and the nightmare (Score:2)
-Hotels.
-Flights.
-Rental Cars.
-Anything via the Internet or phone.
Good luck with the cash, dude. I like the sentiment, I agree with it, but realistically?
Re:[RFID] Late night on slashdot and the nightmare (Score:2)
And the tire guy merely records your car license plate and/or VIN in the transaction. Same result.
Re:[RFID] Late night on slashdot and the nightmare (Score:3, Informative)
Nope, not thinking of it - in the "congestion zone" of London they are already DOING this!
Re:[RFID] Late night on slashdot and the nightmare (Score:2)
But then, are you going to make illegal the large parking lots full of swappable tires outside, say, WalMart? Or any Mall? How long would it take to exchange 1 "hot" tire without the knowledge of the donor?
Why stop at tires anyway? A tag in the battery would be more difficult to remove, and look at all the power available for
Re:[RFID] Late night on slashdot and the nightmare (Score:2)
You're not a deadbeatdad, lawbreaker, or terrorist (Score:2)
How is this different than a ticket issued by a cop who's using radar? And by the way, the state I live in, and every one I have lived in, automatically does give moving violations to insurance agencies, and rates do rise based on violations of the motor vehicle sort.
I've been having this ethical oddity lately.. from my youth when I was a rebellious sort, to now when I have a wife, child and home, and don't believe in 'breaking the law'
I do feel strongly people are entitled to
License plate (Score:2)
Re:[RFID] Late night on slashdot and the nightmare (Score:2)
Yawn (Score:1, Insightful)
> who they interact with and their movements through the conference.
Or they could just use a camera to follow your movements through the conference and see who you interact with. Nothing new here... move along.
What a load of bull (Score:1, Insightful)
You might as well drop one of these nifty wireless cameras in each corner of the room, betcha it would be way more effective for tracking people's whereabouts.
PS/ I hear they (Privacy Enemies) can track me down and see wh
Convenience vs Security (Score:3, Insightful)
Since when did /. report on physical security? (Score:4, Insightful)
Just goes to show the inherent insecurity in demanding only a government-issued ID when many governments are involved. Any given state's driver's license has many anti-forgery features, but unless you have an inch-thick book with all of the features of every acceptable ID listed, an international event is gonna have a hard time relying on that alone.
Still, what's newsworthy about this failure? It happened at an important-to-the-Internet event, but it didn't really cause any damage...
Re:Since when did /. report on physical security? (Score:2)
Was anything done to prevent the real person showing up? If the organisers had discovered that person's badge had already been issued, they should have cancelled its clearance and sent someone through the crowd with a scanner looking for the associated rfid tag.
Mitnick should take advantage of this one (Score:2, Insightful)
Mr Delegate Do You See Why We Need To Crack Down! (Score:2, Insightful)
Do you not think the organizers knew there were limits to what they had to spend on security?
RFID tags have the advantage of not needing an interpreter if the delegate only speaks another tongue.
See who gets painted by the same brush as these jerks, not scientists, not researchers...
New, unique technology (Score:2)
It is possible to track interaction around a room or hall between individuals, while also recording conversations, gestures and purchases.
The collected data can be recalled at any time, based on any combination of queries or profiles.
What kind of technical gadget is this?
My memory. Be afraid....be bery, very afraid.
Reminds me of Apple Stores (Score:2)
More than just Physical Security Issues (Score:4, Insightful)
Another frightening fact is that these jokers' security processes, if you consider the RFIDs as 'security', are violating the laws of both the host country and the EU. This is the biggest issue, IMHO. "Security" also means adhering to all applicable laws and regulations, in order to limit your liability, and the liability of your employer.
And what about these guys walking around snapping photos of the screener's monitors? What's up with that?
The bottom line is that these "security experts" at SportAccess, or wherever, are incompetent. Their security model was ill-conceived, poorly executed, needlessly intrusive and (obviously) completely ineffective.
Re:More than just Physical Security Issues (Score:4, Insightful)
I'm sorry but you seem to be confused: laws are for little people, not big, wise, important people that can be trusted like our leaders.
TWW
So what about the person who was imitated? (Score:3, Insightful)
Fake ID cards (Score:3, Funny)
As part of physical security testing, my colleagues have successfully gained access to premises using
Total BS - been there (Score:3, Interesting)
More on security: at the entrance you walk through metal detector gates, with an X-ray scanner for the bags. You are processed by 4 security guys - one takes your bags, another works the gate and X-ray scanner, a third scans your badge and compares your face to the picture on the badge and to the picture in the DB they get based on the RFID tag. All these images have to match. If there is any problem there is the fourth guy standing behind with a rifle.
Yes - the 1337 h4x0rz could have bypassed this by getting the official badges, because when you have the badge you don't have anything standing in your way. No - they could not have gotten to the bigwigs, because that part of the conference was separated, with stronger security checks, which were obviously not done just at the place, since the bigwigs were escorted from their mansions, with the whole entourage, and I suppose that you don't expect presidents and prime ministers to go around carrying badges on straps around their necks, and walk through the metal-detector gates a few times.
In fact, the easiest way for "terrorists" to sneak in would be to get listed as active participants by a friendly government of a rogue state.
I wish that people would concentrate more on the positive results of WSIS, instead of spreading FUD.
Re:Total BS - been there (Score:3, Insightful)
You know, if there was some kind of law that said all those powerful politicians have to wait in line and go through the security screenings just like us "little people", I bet airport security would be a lot better and more convenient than it is right now. I thought the President was a person, just like you and me. So if I have
Re:Total BS - been there (Score:2)
Re:Total BS - been there (Score:2)
The problem isn't really one-size-fits-all requirements. The problem is that the people who decide these things have decided that making people feel safe is more
Two comments (Score:4, Informative)
First, the security here is quite interesting...as other posters have mentioned, getting into the actual facility is more or less impossible without the proper badge. The exploit that these individuals used was to simply trick the badging desk - a location right next door manned (mostly) by teenage girls. I highly doubt that they're trained security professionals.
Two, the RFID badge has a range of about an inch. If there are transponders all over the place, I have yet to see them. The physical layout of the building would make it difficult to place them inconspicuously...there's far too much open space, with thirty foot ceilings...
Just my two cents (CHF)...
Security (Score:5, Insightful)
1) Security is hard work and requires the involvement of people with great integrity willing to work very hard. Security requires the highest level of attention to detail, trust that procedures will be followed and absolute trust that when the procedures don't work, don't apply or are circumvented that the individual will make the right decisions.
2) You cannot delegate security to any machine. This includes padlocks, safes, computers, surveillance systems, and alarm systems. These are all designed to assist the hard working humans with great integrity. They have no ability to make decisions when their processes fail, are circumvented or don't apply.
3) The inclusion of anyone without great integrity inside a secured area is insecure. Loose lips sink ships. This is why security is so difficult in any semi-democratic organization - there is no way to exclude those you can't trust.
4) Confidence is like corrosion. It slowly destroys even the strongest security just as corrosion will eventually sink the most powerful ship in the fleet.
Sounds like WSIS violated three of four of these rules.
Better case is made by the "pictures" page (Score:5, Informative)
In short, the photos show a group that appears to know how to spend a lot of money on toys, but doesn't know how to use them. I think this is a serious concern. The information they are collecting isn't providing security, and could actually undermine it.
The illusion of security is worse than no security at all.
This little stunt proves nothing (Score:2)
The World Summit of Information Society has contracted SportAccess, a Company of Kudelski Group, as the main responsible of an integrated solution for physical access control solution during the United Nations Summit of Information Society.
This stunt proves nothing about the security and privacy practices of WSIS, despite the general clamour in this forum. This was a minor slip-up of a third party, not WSIS itself. SportAccess gave passes to people who misrepresented themselves.
BTW - w
Re:'Activist' is such a misnomer (Score:5, Insightful)
n.
The use of direct, often confrontational action, such as a demonstration or strike, **in opposition to** or support of a cause
Nope, activist sounds right to me.
Re:'Activist' is such a misnomer (Score:5, Insightful)
Re:'Activist' is such a misnomer (Score:5, Interesting)
Political Leaning - "Left" to "Right"
Revolutionary - Liberal - Status Quo - Conservative - Reactionary
Government Intervention - "Weak" to "Strong"
Anarchist - Libertarian - Status Quo - Authoritarian
Re:'Activist' is such a misnomer (Score:3, Insightful)
Re:'Activist' is such a misnomer (Score:1)
Like Forest Gump, only with political clout.
Re:'Activist' is such a misnomer (Score:5, Interesting)
***
The United States, Europe and English-speaking partners such as Australia favour the existing private-company organisation, ICANN, whereas developing nations, China, India, Brazil, South Africa and others all want a recognised international body, the ITU, to run the show.
And for posters below who seem unimpressed that a quasi-governmental agency can monitor who it is you mingle with, or go to private areas for private discussion - you deserve what you'll get. The internet so far has been a model of a borderless world. But many countries are terrified by this concept - you really want them collecting data, manipulating who the attendees will be to prevent certain individuals from blocking their plans? That's nuts.
Re:'Activist' is such a misnomer (Score:2)
Re:'Activist' is such a misnomer (Score:2)
(see above)
Re:WTF (Score:2)
Yes.
Is it too much to ask that the folks "in charge" let a true people's democracy develop without being waylaid and corrupted by corporate and special interests?
Well, got a history book? I'd say yes to this, as well.
Re:WTF (Score:2)
Re:RFID Tags sucks (Score:2)
How far can a cellphone reach out to hit a cell tower? A mile or two? A tag in the battery ought to be able to reach out many yards, at least. Similarly, a tag in a car battery ought to have a good range...