Sunday, March 3rd, 2019
According to EFF:

Colorado-based Ciber, Inc., the largest laboratory that tests software used in U.S. voting systems, has been temporarily banned from approving new systems following problems discovered last summer by the Election Assistance Commission (EAC).
The EAC found that Ciber was not following proper quality-control procedures and could not document that it was conducting all the required tests. Ciber's renewed petition for accreditation is currently under EAC review.
It's such a sad, sick state of affairs that these systems were implemented with so little oversight, planning, or accountability. When all is said and done, e-voting is not ready.
Tags: Ciber, Evoting, Voting
Sunday, March 3rd, 2019
According to Consumer Affairs, Hawaii, Kansas, New Hampshire, Oklahoma, Pennsylvania, Rhode Island and Wisconsin now have Credit Freeze laws. However, it sounds as if you must be a victim before you can use the law (which is really, really stupid). A friend said once that this is like having to wear a seatbelt, but only after you've been in a car wreck. Sounds like a good analogy to me.
Tags: Identity Theft
Sunday, March 3rd, 2019
Consumer Affairs reports a settlement with 39 states for Sony's use of a "rootkit" to try and prevent users from copying their music. This forced DRM was detected by computer experts and quickly raised a stir.
Most importantly,

Sony said it was "pleased" with the settlement and said it would stop using copy-protection software that cannot be easily removed from consumers' PCs

Tags: Hacking, Market Lies, Regulation, Rootkits, Sony, Viruses
Sunday, March 3rd, 2019
The Washington Post reports that IE 7 will not have the long-known flaw that allows a website to steal the data that may be hanging out in your clipboard.
For those who don't know, the clipboard is where anything you cut and paste hangs out. The trick is, it stays there until you cut or copy something else. So, if the last thing you copied was your tax record from one document to another and then you visit a nosy website, they could have all that data.
If it seems as stupid to you as it does to me that IE allowed this in the first place, then you'll understand why the security community knocks Microsoft products.
Tags: Bad Design, Internet Explorer, Microsoft
Sunday, March 3rd, 2019
Schneier links to an article about RFID passports being cloned in under 5 minutes. The authorities have stopped denying it's possible and have shifted to denying that it can be used for any nefarious purposes.

The UK Home Office however dismissed the ability to get hold of the information on the chip. A spokesman said: "It is hard to see why anyone would want to access the information on the chip. Other than the photograph, which could be obtained easily by other means, they would gain no information that they did not already have - so the whole exercise would be pointless: the only information stored on the ePassport chip is the basic information you can see on the personal details page."

Well, it sure is hard to see why anyone would want to see someone's credit report, criminal history, medical information, social security card, birth certificate… Are these people for real?
Tags: Identity Theft, Passports, RFID, Security Theater
Sunday, March 3rd, 2019
Bruce Schneier found an interesting article in the NY Times about a bored computer science student who wrote a webpage that printed nearly identical boarding passes to those used by Northwest Airlines. Using the fake passes, people were successfully able to bypass airport security. The important part of this article is the fact that the student did no hacking, no cracking, no breaking of any system. All he did was make passes that looked real.

No cryptographic recipe was cracked; no airline computer system was compromised. Without visiting an airport, Mr. Soghoian needed access to nothing other than a public Web site to embarrass those responsible for airport security.

As security professionals have been saying for years, these measures make life difficult for law-abiding citizens, but do little to stop the bad guys.
Tags: ID Check, Security Theater, TSA
Sunday, March 3rd, 2019
Consumer Affairs writes:

A laptop containing the personal information of 328,000 current and former employees of Boeing was stolen in Chicago, according to the company. The laptop theft was the third to befall Boeing in the past twelve months. Boeing is contacting the affected employees by mail and has promised to set up free credit monitoring for them through the Experian credit bureau.

Tags: Boeing, Identity Theft, Lost Laptops, Negligence, Security Theater
Saturday, March 2nd, 2019
In Schneier's blog today, he writes about a University of Washington study explaining how to track people using their Nike+iPod Sport Kit (which uses RFID).

This is a great demonstration for anyone who is skeptical that RFID chips can be used to track people. It's a good example because the chips have no personal identifying information, yet can still be used to track people. As long as the chips have unique IDs, those IDs can be used for surveillance.

Schneier goes on to say:

To me, the real significance of this work is how easy it was. The people who designed the Nike/iPod system put zero thought into security and privacy issues. Unless we enact some sort of broad law requiring companies to add security into these sorts of systems, companies will continue to produce devices that erode our privacy through new technologies. Not on purpose, not because they're evil -- just because it's easier to ignore the externality than to worry about it.

Couldn't have said it better myself.
Tags: Big Brother, Bruce Schneier, Nike, RFID
Saturday, March 2nd, 2019
From the CASPIAN newsletter:

A member of the Senate Banking Committee denounced RFID "no-swipe" credit cards at a press conference Sunday. Senator Charles Schumer (D-NY) said contracts for the cards should have warning boxes disclosing "the known weaknesses of the technology." He cautioned cardholders about their vulnerability to identity thieves, commenting you "may as well put your credit card information on a big sign on your back."

RFID is an extremely dangerous technology if left unregulated, and businesses are rushing to get it to the market before people know what's happening. That's why situations like this happen:

CASPIAN demanded a recall of RFID credit cards last month after the New York Times reported that a team of security researchers found that virtually every one of the "no-swipe" credit cards it tested was vulnerable to unauthorized charges and put consumers at risk for identity theft.

Tags: Congress, Credit Cards, Oops, RFID
Saturday, March 2nd, 2019
New RFID passports are supposed to make identity theft more difficult and to make it easier to spot fake passports like the ones used by the perpetrators of the 9/11 attacks.
First, making the data remotely and secretly readable without ever possessing or otherwise coming into contact with the passport hardly makes it more secure against identity theft. Second, it's hard to make fake documents, but easy to fake 1's and 0's. Last I checked, your electrons look just like mine.
Besides the very obvious flaws in this idea, all it would take for the "secure passports" to turn into a nightmare of unprecedented proportions would be for the encryption to be broken. Oops, it's been done… and in under 48 hours of effort.
In the article, they mostly talk about the dangers of cloning passports, but I submit that the real danger is being easily, quickly, and remotely identified as a foreigner while you travel. Either way, they said it best in their final paragraph:

It may be that at some point in the future the government will accept that putting RFID chips in to passports is ill-conceived and unnecessary. Until then, the only people likely to embrace this kind of technology are those with mischief in mind.

Tags: Cellphones, Passports, Physical Security, RFID, UK