Re: [iwar] [fc:Pentagon.Official:.Smart.Cards.Are.Not.Vulnerable.To.New.Hacks]

From: e.r. (fastflyer28@yahoo.com)
Date: 2002-05-18 20:45:34




It was in the paper today that smart cards are quite easy to hack. Op-ed on the matter to

Fred Cohen <fc@all.net> wrote:

[FC - I wouldn't believe this without checking it out for real - and
if the official was wrong - that would likely be classified...]

Pentagon Official: Smart Cards Are Not Vulnerable To New Hacks

Defense Information and Electronics Report, 5/17/2002
No URL available.

The Common Access Cards being issued to all Defense Department personnel
at a furious pace are not vulnerable to recently discovered security
weaknesses in some smart cards, the chairman of the DOD group
coordinating the card roll-out said this week.

The department is in the middle of a two-year effort to issue
sophisticated Common Access Cards (CACs) to all 3.5 million DOD
personnel for use in everything from accessing department computer
networks to checking out materiel. The department hopes to have a card
in the hands of every DOD employee by October 2003, said Dave
Wennergren, chair of the DOD Smart Card Senior Coordinating Group and
Navy chief information officer for e-business and security.

Two computer security researchers presented findings at a symposium in
Oakland, CA, May 13 that outlined a simple and inexpensive method for
extracting information from some smart cards. Their method employs a
camera flashgun and a microscope, the New York Times reported this week.
In addition, a team of IBM researchers presented a paper at the same
conference that outlined a weakness in the security of so-called
subscriber identification module (SIM) smart cards. These cards are used
widely in Europe to activate cell phones.

Wennergren told Defense Information & Electronics Report May 15 that he
had seen reports of the newly discovered vulnerabilities, but said DOD
smart cards are fundamentally more "robust and sophisticated" than the
cards that were exploited in the publicized vulnerability research. The
CACs used by DOD are "the best of what's available now in the industry,"
he said, utilizing the latest standards for security and functionality.

SIM cards and the other cards that were the subject of the vulnerability
research lack many of the attributes of the Common Access Card, he said.
CACs, for example, only carry a minimum amount of personal information
and a unique "digital certificate." The digital certificate, as a part
of the department's Public Key Infrastructure, is the method by which
all DOD personnel will eventually access their computer workstations and
DOD computer networks.

The digital certificates on CACs are protected by strong encryption that
would prevent anyone from making sense of information extracted from a
card, Wennergren said. Furthermore, even if a card were lost and
compromised, the user would simply cancel the digital certificate
contained on that card, rendering it useless, and obtain a new one. As a
further security precaution, a personal identification number must be
used in conjunction with the CAC when accessing DOD computers.

"All smart cards are not the same," Wennergren said.

The word "smart card," in fact, refers to almost any card embedded with
a computer chip that stores information.

DOD cards have been developed with strict security in mind, Wennergren
said, and have been certified by the National Security Agency as meeting
NSA's strict security standards.

Meanwhile, Wennergren said the CAC roll-out is gaining momentum, as more
and more stations for issuing CACs come online at DOD locations across
the country. Specific software and a special printer are required for
creating the cards, Wennergren said.

The department is now issuing more than 5,000 each day, he said, a rate
that is constantly increasing. As of May 13 about 590,000 DOD employees
had been issued a CAC, he said.

-- Hampton Stephens


This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT