Enabling Secure Business Operations

US Deploys e-Passport readers

September 28th, 2006

This in from SecurityFocus. Attention, all who didn’t heed Bruce Schneier’s call to renew your passport... it may be too late.



DHS said that it had completed deployment of the first U.S. e-Passports at the San Francisco International Airport. The move is the first in a series of deployments required to meet the October 26, 2006 congressional deadline requiring all U.S. ports of entry to compare and authenticate data in e-Passports.



As e-Passports become more prevalent, we’re just going to see more holes poked in them.


I’ve got kind of an interesting perspective, as my dad spent his whole career dealing with the problems of paper documents. In my opinion, e-Passports are neither completely evil, nor are they a silver bullet. It will still take excellent work by the individuals at our ports of entry to weed out illegal entrants.

This just in…

September 26th, 2006

‘Phishing’ scams on the rise, survey finds. Next I expect to see an article about how water is still wet.



Over 157,000 unique phishing messages were sent out around the world in the first half of 2006, an increase of 81 percent compared with the six-month period to end-December 2005… according to the bi-annual Internet Security Threat Report from security software vendor Symantec.



I guess Symantec has to do something to drum up business. After all, they’ve already warned that customers will have a hard time getting their security software to work with Windows Vista thanks to Vista’s enhanced Security Center and PatchGuard features.

Airport Security

September 21st, 2006

I just recently took a trip to Chennai, India for my best friend’s wedding. The airport security going over and coming back was interesting. My trip over was about a week after they banned all liquids, and the day twelve people were arrested on an India-bound flight.
I arrived at JFK airport in New York, headed up to the Lufthansa desk, and the agent asked me if I was going to India. “Yep,” – and a big red stamp with 4 Ss went on my boarding pass. This qualified me for the extra special security. Not only did I have to go through the secondary security, they asked for my passport and were copying information from it. I’m not sure what information they copied, as I was in the machine that blows air on you, but I’m guessing that it was both my passport number and, since they were opened to the page with my Indian visa, my visa number. Every other member of my party (9 of us) also had to go through this “extra” security.


I got through security a lot faster than I expected, and so I was waiting for a while for my flight. They were selling sodas in the terminal, they just wouldn’t let us on the plane with them.


Coming back from India, security was a bit different. First we waited in line to put all of our luggage (including carry-ons) through x-ray machines, then in line to get our boarding pass, then 2 hours in immigration. Finally, we were allowed through “personal” security, where our carry-ons were checked again and the men went through metal detectors. Women had a special line, which was curtained off. There were two women military officers in a small room who used a hand scanner on us, then let us walk to our flight.


In Frankfurt, there’s a special set of gates for flights heading to the US, where you can’t buy liquids at all. To get to these gates, you have to have a boarding pass landing in the US, and go through security again. Our carry-ons were sent through an x-ray machine again, but this time, there was no metal detector. We were all patted down (or as I referred to it – groped) before being allowed into the boarding area. Again, no liquids were allowed through (supposedly).


During this entire flight back, I never walked through a metal detector, although arguably I was searched more thoroughly than just walking through a detector. Also, while waiting for our delayed flight, a friend was going outside security to grab some food, and I asked him to buy me some Chicken McNuggets. I don’t normally eat them with sauce, so I didn’t think anything of it, but he came back with the nuggets and three packages of BBQ sauce. Last I checked, BBQ sauce was a liquid…


The rest of the world seems to do well without all the security theater we have in the US, and it’s a burden on foreign airports to accommodate us.

Military Wireless Communications

September 19th, 2006

Wireless communications have been used on the battlefield since the first world war and are critical for staying in touch with deployments near and far. Word today is that Hezbollah hacked Israeli communications during the battles in Israel and Lebanon in August 2006.



Using technology most likely supplied by Iran, special Hezbollah teams monitored the constantly changing radio frequencies of Israeli troops on the ground. That gave guerrillas a picture of Israeli movements, casualty reports and supply routes. It also allowed Hezbollah anti-tank units to more effectively target advancing Israeli armor, according to the officials.



My guess is that they weren’t able to decipher the communications at all; Israel is host to some of the top cryptographic minds and companies. However, just by tracking the transmissions they learned enough about what was going on to prepare themselves better.


It’s easy to fall victim to believing too much in the resilience of your cryptographic algorithms and forget that radio silence is still the best way to keep your communications hidden from the enemy.
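The point about radio silence can be shown with a small traffic-analysis model. This is an added example, not from the original post: the transmission log, the hopping frequencies and the activity pattern are all constructed, and the observer never reads a payload, only counts frames per minute.

```python
# Toy traffic-analysis model (constructed data, added example; not from the post).
# The observer cannot decrypt anything and ignores frequency entirely; it only
# counts how many frames were sent in each minute.
import random
from statistics import mean

# Constructed ground truth: 1 = the unit is active during that minute.
ACTIVITY = [0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0]
HOP_FREQS_KHZ = [30125, 41750, 57300, 62875]  # constructed hop set


def make_log(activity, cover_traffic=False, seed=7):
    """Return a list of (minute, freq_khz, ciphertext_len) records.

    Without cover traffic the net transmits only when it has something to
    say, so timing and volume mirror the hidden activity. With cover traffic
    it sends fixed-size dummy frames at a constant rate, which is the
    "radio discipline" mitigation: the metadata no longer depends on
    what the unit is doing."""
    rng = random.Random(seed)
    log = []
    for minute, busy in enumerate(activity):
        frames = 4 if (busy or cover_traffic) else 0
        for _ in range(frames):
            freq = rng.choice(HOP_FREQS_KHZ)  # hopping does not hide the count
            size = 160 if cover_traffic else rng.randint(40, 200)
            log.append((minute, freq, size))
    return log


def infer_activity(log, n_minutes):
    """What an observer who reads no content can still conclude: a minute
    is 'busy' if its frame count exceeds half of the busiest minute."""
    counts = [0] * n_minutes
    for minute, _freq, _size in log:  # frequency and length are ignored
        counts[minute] += 1
    peak = max(counts) if counts else 0
    return [1 if c > peak / 2 else 0 for c in counts]


def agreement(predicted, truth):
    """Fraction of minutes where the observer's guess matches the truth."""
    return mean(1.0 if p == t else 0.0 for p, t in zip(predicted, truth))
```

With no cover traffic the observer reconstructs the activity pattern exactly; with constant-rate dummy frames every minute looks busy and the guess is no better than the base rate.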

Combating Pretexting

September 18th, 2006

Lifehacker had a link to an article on Wired News regarding some good ways to prevent pretexting.


We’ve talked about pretexting before. It is essentially the practice of pretending to be someone you are not to get information you’re not supposed to have.


Now, I didn’t like everything on the list (like getting a disposable cell phone – too CIA for most people), though I decided to highlight some areas that are easy and effective.


Normal people like things that are both easy and effective – and security is no different. If you want security to be adopted by your users, two basic premises are important:



  1. Easy for people.

  2. Effective (that’s the one that’s important for us security folk).


Too often we get the “easy” part but not the “effective” part.


My favorite pretexting defenses taken from the Wired News article:



Shred It.
Cross-shred documents that contain personal information before discarding them, and do not leave such documents lying around where maintenance workers and visitors can see them.



A decent shredder is pretty inexpensive these days – and very effective.



Leave Your Vital Stats Offline.
Do not publish your birth date or other personally identifiable information about you or your children on your MySpace or Facebook page.



This is free.



...guard personal information such as Social Security numbers, birth dates, account numbers and passwords to prevent someone from using the information to impersonate you and obtain your records.

To that end, don’t provide personal information over the phone, in an e-mail or in person to anyone unless you initiated the contact. Even then, be guarded about providing legitimate agencies with more information than they need.


The Limits of TPM

September 15th, 2006

Already over 20 million PCs worldwide are equipped with a tiny security chip called the Trusted Platform Module, although it is as yet rarely activated. But once merchants and other online services begin to use it, the TPM will do something never before seen on the Internet: provide virtually fool-proof verification that you are who you say you are.

Source: MSNBC



Wrong. It will prove that your machine is your machine.


Here’s a scenario:
A young person is in a coffee shop browsing the Web on a laptop. They get up for a second – then (enter bad guy) snatch and run. Now the “bad guy or gal” doesn’t need a password to log in to your bank account online. Or your savings, or Amazon account, etc.


That could be the not-so-distant future for two basic reasons.


1. People don’t use security.
2. Snatch and run is effective in any century.


Not to mention the privacy concerns. I have opened up a can of worms, feel free to add and take.

Privacy Tradeoffs

September 14th, 2006

I read this on the mistrust of technology many people have and then came across an article talking about the pains of anonymous Web surfing.


Ever tried it? Most people don’t even know how, and as the author of the article points out – he missed some things that giving up some information gives you, such as Amazon.com recommendations. (I like those too).


Personally I agree that our fear of technology will wane with time and eventually we’ll simply get used to the inherent risks. Why not?


We do now with cell phones, credit cards, and grocery store “bonus” cards.

Tape Drive with Built-in Encryption

September 13th, 2006

IBM has announced a combination of encryption technology and services to improve security and privacy.



The centerpiece of the solution is the introduction of the industry’s first fully encrypting data drive… The open-standards-based drive is designed to protect the data in the event that it is lost or stolen, rendering it unreadable to anyone who finds it… It will also provide customers with the ability to share encrypted tapes with their business partners.



The TS1120 Tape Drive utilizes public key cryptography, although it is not clear if it would make use of existing enterprise PKI or not. It seems to use PKI built into the IBM z/OS operating system. Key management is handled by the IBM Encryption Key Manager for Java.


I’m not sure if I should get excited about this or not.


via Jon Erickson’s DDJ Security blog: IBM: First-of-its-kind encryption?

Publishing Private Details

September 11th, 2006

When is private information not private? When you are “looking for a good time.” Take this ./ article for example. A graphic artist in Kirkland, Washington, Jason Fortuny thought it would be an interesting experiment to post to craigslist as a woman looking for a male partner. From the waxy.org article, he received:



178 responses, with 145 photos of men in various states of undress. Responses include full e-mail addresses (both personal and business addresses), names, and in some cases IM screen names and telephone numbers.



He then posted all the responses—unedited and in their entirety—on Encyclopedia Dramatica.


The fallout from this experiment may be deep, the personal destruction total. By sharing their personal details to an anonymous craigslist poster, have responders agreed this information is not private? Is Fortuny liable for the inevitable damages, resulting from divorces, firings, etc., because he posted the responses for the world to see? It will be interesting to see how—and if—this plays out in our legal system.

Social Networking, Thanks for the Identity

September 8th, 2006

Don’t put things online that you don’t want people to know.


The fact that Xanga was fined 1 million dollars for disclosing the personal information of children under 13 is a fine well dished out. (Although it’s not really possible to verify age online to begin with).


Though, this is beside the point. Children and adults alike need to be educated about what the Internet is. Anything you put online is PUBLIC – and should be treated as such.


That is why this retaliation from Facebook users on a new feature surprises me.



While a typical profile on MySpace, Friendster, Facebook, and other sites is like an encyclopedia entry, this [new feature] is like an Associated Press newswire feed, giving you an update on any changes in your friends’ lives, every time you log on. No hunting around your friend’s pages for new stuff, it all comes to you.



What did people think? If you put something online, it is out there for anyone to get – whether they have an RSS feed to it or not.


The moral of the story is if you want something to be secret don’t put it online and if you work for CNN, make sure your mic is off ;)