Return-Path: <sentto-279987-4689-1021779935-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Sat, 18 May 2002 20:48:08 -0700 (PDT)
Received: (qmail 2586 invoked by uid 510); 19 May 2002 03:45:34 -0000
Received: from n13.grp.scd.yahoo.com (66.218.66.68) by all.net with SMTP; 19 May 2002 03:45:34 -0000
X-eGroups-Return: sentto-279987-4689-1021779935-fc=all.net@returns.groups.yahoo.com
Received: from [66.218.67.198] by n13.grp.scd.yahoo.com with NNFMP; 19 May 2002 03:45:35 -0000
X-Sender: fastflyer28@yahoo.com
X-Apparently-To: iwar@yahoogroups.com
Received: (EGP: mail-8_0_3_2); 19 May 2002 03:45:34 -0000
Received: (qmail 15831 invoked from network); 19 May 2002 03:45:34 -0000
Received: from unknown (66.218.66.218) by m5.grp.scd.yahoo.com with QMQP; 19 May 2002 03:45:34 -0000
Received: from unknown (HELO web14505.mail.yahoo.com) (216.136.224.68) by mta3.grp.scd.yahoo.com with SMTP; 19 May 2002 03:45:34 -0000
Message-ID: <20020519034534.87007.qmail@web14505.mail.yahoo.com>
Received: from [68.100.119.16] by web14505.mail.yahoo.com via HTTP; Sat, 18 May 2002 20:45:34 PDT
To: iwar@yahoogroups.com
In-Reply-To: <200205180306.g4I36rU20934@red.all.net>
From: "e.r." <fastflyer28@yahoo.com>
X-Yahoo-Profile: fastflyer28
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Sat, 18 May 2002 20:45:34 -0700 (PDT)
Subject: Re: [iwar] [fc:Pentagon.Official:.Smart.Cards.Are.Not.Vulnerable.To.New.Hacks]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

It was in the paper today that smart cards are quite easy to hack.
Op-ed on the matter to

Fred Cohen <fc@all.net> wrote:

[FC - I wouldn't believe this without checking it out for real - and if the official was wrong - that would likely be classified...]

Pentagon Official: Smart Cards Are Not Vulnerable To New Hacks
Defense Information and Electronics Report, 5/17/2002
No URL available.

The Common Access Cards being issued to all Defense Department personnel at a furious pace are not vulnerable to recently discovered security weaknesses in some smart cards, the chairman of the DOD group coordinating the card roll-out said this week.

The department is in the middle of a two-year effort to issue sophisticated Common Access Cards (CACs) to all 3.5 million DOD personnel for use in everything from accessing department computer networks to checking out materiel. The department hopes to have a card in the hands of every DOD employee by October 2003, said Dave Wennergren, chair of the DOD Smart Card Senior Coordinating Group and Navy chief information officer for e-business and security.

Two computer security researchers presented findings at a symposium in Oakland, CA, May 13 that outlined a simple and inexpensive method for extracting information from some smart cards. Their method employs a camera flashgun and a microscope, the New York Times reported this week.

In addition, a team of IBM researchers presented a paper at the same conference that outlined a weakness in the security of so-called subscriber identification module (SIM) smart cards. These cards are used widely in Europe to activate cell phones.

Wennergren told Defense Information & Electronics Report May 15 that he had seen reports of the newly discovered vulnerabilities, but said DOD smart cards are fundamentally more "robust and sophisticated" than the cards that were exploited in the publicized vulnerability research. The CACs used by DOD are "the best of what's available now in the industry," he said, utilizing the latest standards for security and functionality.

SIM cards and the other cards that were the subject of the vulnerability research lack many of the attributes of the Common Access Card, he said. CACs, for example, only carry a minimum amount of personal information and a unique "digital certificate." The digital certificate, as a part of the department's Public Key Infrastructure, is the method by which all DOD personnel will eventually access their computer workstations and DOD computer networks.

The digital certificates on CACs are protected by strong encryption that would prevent anyone from making sense of information extracted from a card, Wennergren said. Furthermore, even if a card were lost and compromised, the user would simply cancel the digital certificate contained on that card, rendering it useless, and obtain a new one. As a further security precaution, a personal identification number must be used in conjunction with the CAC when accessing DOD computers.

"All smart cards are not the same," Wennergren said. The word "smart card," in fact, refers to almost any card embedded with a computer chip that stores information. DOD cards have been developed with strict security in mind, Wennergren said, and have been certified by the National Security Agency as meeting NSA's strict security standards.

Meanwhile, Wennergren said the CAC roll out is gaining momentum, as more and more stations for issuing CACs come online at DOD locations across the country. Specific software and a special printer are required for creating the cards, Wennergren said. The department is now issuing more than 5,000 each day, he said, a rate that is constantly increasing. As of May 13 about 590,000 DOD employees had been issued a CAC, he said.

-- Hampton Stephens

------------------
http://all.net/
Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.
This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT