Daily Archives: May 16, 2010

Inside the Australian Government’s Scary Web Site on Microchip ID Implants

bnet.com | May 13, 2010

By Jim Edwards

If the Australian government really doesn’t want to implant its citizens with PositiveID (PSID) microchips, it sure isn’t helping itself with its Web page dedicated to a “literature review” of different patient identification technologies, including VeriChip, “palm vein scanning,” radio frequency identification, and other dystopian sci-fi ideas.

While the New South Wales Department of Health Web page is ostensibly a reference point for officials who want to reduce medical errors caused by patient mixups, it looks pretty scary if you’re someone who thinks that society is heading toward a Minority Report-style dictatorship in which everyone carries a compulsory microchip implant. And there are lots of those people.

Managers ought to be aware that transparency has a flip side: The same information can look mighty different when viewed by unintended audiences.

Australia is in the middle of a healthcare reform, and a central plank of those changes is the introduction of a “personally controlled electronic health record system,” or e-Health scheme, that gives each Australian a 16-digit ID number. By unfortunate coincidence, PositiveID’s VeriChip device also relies on a 16-digit system, and its Health Link medical records product sounds exactly like the online database Australia is creating.

So, paranoid Americans who believe President Obama wants to introduce a socialist World Government that controls its subjects via RFID chips just caught a lucky break: Australia is giving us all a sneak preview.

Computer scientists find car computer systems surprisingly easy to hack or disrupt

Boffins warn on car computer security risk

Not that difficult – once you’re in

The Register | May 14, 2010

By John Leyden

A typical family car runs 100 MB of binary code spread across 50–70 processors, the researchers estimate. The use of computer technology brings improvements in efficiency and safety, via technologies such as anti-lock brakes, but it also throws up a range of new risks.

The researchers reckon “an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems”.

The 11-person team based this warning on an array of lab and road tests where they were able to carry out a variety of undesirable actions including “disabling the brakes, selectively braking individual wheels on demand, stopping the engine”. The team were able to easily bypass rudimentary security concerns, using techniques such as maliciously bridging supposedly isolated subnets.

Part of the team’s trickery includes the use of malware as well as reverse-engineering, packet sniffing, fuzzing and a custom tool, called CARSHARK (a car network analyser and packet injection utility).

All manner of attacks were possible with these techniques including messing with car radios and dashboards. The researchers were able to “display arbitrary messages, falsify the fuel level and the speedometer reading”.

Throughout the testing the team focused on how attackers might be able to mess with a car’s internal network given access. What they don’t consider is how this access might be obtained in the first place, as they openly state in the research paper. Ways into a car computer network include user-installed subsystems, such as audio players, that link into internal networks as well as vehicle dashboards.

“In the US, the federally-mandated On-Board Diagnostics (OBD-II) port, under the dash in virtually all modern vehicles, provides direct and standard access to internal automotive networks,” the researchers explain.

Telematics systems such as General Motors’ OnStar that provide services such as remote diagnostics and stolen vehicle recovery also link into internal networks and might (at least theoretically) provide another way in for attackers. The team suggest two attack scenarios: physical access by a mechanic or valet and hacking into one or other of the wireless networks car systems are plugged into.

In our car we identified no fewer than five kinds of digital radio interfaces accepting outside input, some over only a short range and others over indefinite distance. While outside the scope of this paper, we wish to be clear that vulnerabilities in such services are not purely theoretical. We have developed the ability to remotely compromise key ECUs in our car via externally-facing vulnerabilities, amplify the impact of these remote compromises using the results in this paper, and ultimately monitor and control our car remotely over the Internet.

The researchers do not name the car used in the test because “we believe the risks identified… arise from the architecture of the modern automobile and not simply from design decisions made by any single manufacturer”.

It’s worth saying, on the remote hacker risk, that no such remote attacks have ever been recorded and experiments designed to load malware onto car systems using Bluetooth have drawn a blank. Inserting a malicious component given physical access to a car appears far more straightforward and, of course, given hands-on access all manner of non-electronic skullduggery is easily possible. The researchers found electronic disruption far easier to pull off than they expected.

In starting this project we expected to spend significant effort reverse-engineering, with non-trivial effort to identify and exploit each subtle vulnerability. However, we found existing automotive systems — at least those we tested — to be tremendously fragile. Indeed, our simple fuzzing infrastructure was very effective and to our surprise, a large fraction of the random packets we sent resulted in changes to the state of our car.

The academics rounded off the study by considering how the security shortcomings they highlighted might be addressed. Their paper, Experimental Security Analysis of a Modern Automobile, which is due to be published in the 2010 IEEE Symposium on Security and Privacy, can be found here (pdf).

Independent security expert Ken Tindell has written to us to express his skepticism about the significance of the research.

“I was utterly shocked to discover that apparently if you prise open an embedded system, reflash its program code, you can pretty much do anything to the I/O connected to the system,” he said. “Well knock me down with a feather.”

“Until I sold my company to Bosch in 2003, I was heavily involved in this area of computing, so I can say with some confidence that this ‘discovery’ is sheer foolishness. The only risk they encountered was a theoretical one (viz. that a telematics system connected to the in-vehicle networking could hack the car). It’s highly theoretical because the challenges of hacking a car are vastly more than hacking a banking system. I just can’t see anyone bothering,” he concluded.

Google vacuuming up personal information from Wi-Fi networks for years


In this Aug. 7, 2009 file photo Google employee Arthur Poirier, on a camera-equipped tricycle, records images for Google’s Street View Maps in Paris, Friday, Aug. 7, 2009. Google Inc. issued an apology Friday May 14, 2010, acknowledging it has been vacuuming up and recording fragments of people’s online activities broadcast over public Wi-Fi networks in many countries while expanding its street mapping feature. The German minister for consumer protection Ilse Aigner criticized Google on Saturday, May 15, saying the U.S. Internet giant still lacks an understanding of the need for privacy, calling it an “alarming incident” happening apparently illegally over some years. (AP Photo/Jacques Brinon, File)

Germany lashes out at Google for privacy breach

AP | May 15, 2010

By JUERGEN BAETZ

BERLIN — Germany’s consumer protection minister strongly criticized Google for a widespread privacy breach and insisted Saturday the U.S. Internet giant must cooperate better with data protection authorities.

Google Inc. issued an apology Friday, acknowledging it has been vacuuming up fragments of people’s online activities broadcast over public Wi-Fi networks for the past four years while expanding a mapping feature called “Street View.”

Minister Ilse Aigner said the “alarming incident” showed that Google still lacks an understanding of the need for privacy.

“According to the information available to us so far, Google has for years penetrated private networks, apparently illegally,” her office said in a statement Saturday.

The ministry also accuses Google of withholding information requested by German regulators.

Only two weeks ago, Google was telling Germany’s consumer protection authorities that it was only recording the network’s names and addresses. Repeated questions about whether the company was gathering even more data remained unanswered, the statement said.

“Maintaining people’s trust is crucial to everything we do,” Alan Eustace, Google’s top engineering executive, wrote in a blog post. “We are acutely aware that we failed badly here.”

Google has characterized its collection of snippets from e-mails and Web surfing done on public Wi-Fi networks as a mistake and said it has taken steps to avoid a recurrence. The company said it only recently discovered the problem following the inquiry from German regulators.

“Street View” provides photographs of neighborhoods taken by Google cameras. The service has been enormously controversial in Germany and other countries as privacy groups and authorities fear that people — filmed without their consent — could be seen doing things they didn’t want to be seen doing or in places where they didn’t want to be seen.

The German ministry is now demanding that Google follow through on pledges to disclose its activities to data protection authorities in all countries.

“It also has to be disclosed to German data protection agencies which information is registered and how the illegitimately gathered data of unprotected wireless networks will be deleted,” Aigner’s ministry said.

Google gathered about 600 gigabytes of data from Wi-Fi networks in more than 30 countries, including the United States. Google plans to delete it all as soon as it gains clearance from government authorities. None of the information has appeared in Google’s search engine or on other services, according to Eustace.

The latest incident has prompted Google to abandon its effort to collect Wi-Fi network data.

In an apparent show of its commitment to privacy, Google also said it will introduce a new option next week that will let its users encrypt searches on its Web site as an added protection against unauthorized snooping.

IBM, Positive ID and Verichip hope to get all humans tagged with microchip implants

Tech enthusiasts and futurists think implantable radio chips, such as those embedded in Amal Graafstra’s hands, could mean safety, security and convenience. But civil libertarians are concerned about privacy.

FOXNews.com | May 14, 2010

Where’s Jimmy? Just Google His Bar Code

By Gene J. Koprowski

Scientists currently tag animals to study their behavior and protect the endangered, but some futurists wonder whether all humans should be tagged too.

Scientists tag animals to monitor their behavior and keep track of endangered species. Now some futurists are asking whether all of mankind should be tagged too.

Looking for a loved one? Just Google his microchip.

The chips, called radio frequency identification (RFID) tags, emit a simple radio signal akin to a bar code, anywhere, anytime. Futurists say they can be easily implanted under the skin on a person’s arm.

Already, the government of Mexico has surgically implanted the chips, the size of a grain of rice, in the upper arms of staff at the attorney general’s office in Mexico City. The chips contain codes that, when read by scanners, allow access to a secure building, and prevent trespassing by drug lords.

In research published in the International Journal of Innovation and Sustainable Development, Taiwanese researchers postulate that the tags could help save lives in the aftermath of a major earthquake. “Office workers would have their identity badges embedded in their RFID tags, while visitors would be given temporary RFID tags when they enter the lobby,” they suggest. Similarly, identity tags for hospital staff and patients could embed RFID technology.

“Our world is becoming instrumented,” IBM’s chairman and CEO, Samuel J. Palmisano said at an industry conference last week. “Today, there are nearly a billion transistors per human, each one costing one ten-millionth of a cent. There are 30 billion radio RFID tags produced globally.”

Having one in every person could relieve anxiety for parents and help save lives, or work on a more mundane level by unlocking doors with the wave of a hand or starting a parked car — that’s how tech enthusiast Amal Graafstra (his hands are pictured above) uses his. But this secure, “instrumented” future is frightening for many civil liberties advocates. Even adding an RFID chip to a driver’s license or state ID card raises objections from concerned voices.

Tracking boxes and containers on a ship en route from Hong Kong is OK, civil libertarians say. So is monitoring cats and dogs with a chip surgically inserted under their skin. But they say tracking people is over-the-top — even though the FDA has approved the devices as safe in humans and animals.

“We are concerned about the implantation of identity chips,” said Jay Stanley, senior policy analyst for the speech, privacy and technology program at the American Civil Liberties Union. He puts the problem plainly: “Many people find the idea creepy.”

“RFID tags make the perfect tracking device,” Stanley said. “The prospect of RFID chips carried by all in identity papers means that any individual’s presence at a given location can be detected or recorded simply through the installation of an invisible RFID reader.”

There are a number of entrepreneurial companies marketing radio tracking technologies, including Positive ID, Datakey and MicroChips. Companies started marketing the idea behind these innovative technologies a few years ago, as excellent devices for tracking everyone, all the time.

Following its first use in an emergency room in 2006, VeriChip touted the success of the subdermal chip. “We are very proud of how the VeriMed Patient Identification performed during this emergency situation. This event illustrates the important role that the VeriChip can play in medical care,” Kevin McLaughlin, President and CEO of VeriChip, said at the time.

“Because of their increasing sophistication and low cost, these sensors and devices give us, for the first time ever, real-time instrumentation of a wide range of the world’s systems — natural and man-made,” said IBM’s Palmisano.

But are humans’ “systems” to be measured?

Grassroots groups are fretting loudly over civil liberties implications of the devices, threatening to thwart their development for mass-market, human tracking applications.

“If such readers proliferate, and there would be many incentives to install them, we would find ourselves in a surveillance society of 24/7 mass tracking,” said the ACLU’s Stanley.

The controversy extends overseas, too. David Cameron, Britain’s new prime minister, has promised to scrap a proposed national ID card system and biometrics for passports and the socialized health service, options that were touted by the Labour Party.

“We share a common commitment to civil liberties, and to getting rid — immediately — of Labour’s ID card scheme,” said Cameron according to ZDNet UK.

These controversies are impacting developers. One firm, Positive ID, has dropped the idea of tracking regular folks with its chip technology. On Wednesday, the company announced that it had filed a patent for a new medical device to monitor blood glucose levels in diabetics. The technology it initially developed to track the masses is now just a “legacy” system for the Delray Beach, Fla., firm.

“We are developing an in-vivo, glucose sensing microchip,” Allison Tomek, senior vice president of investor relations and corporate communications, told FoxNews.com. “In theory it will be able to detect glucose levels. We are testing the glucose sensor portion of the product. It will contain a sensor with an implantable RFID chip. Today’s patent filing was really about our technology to create a transformational electronic interface to measure chemical change in blood.”

Gone are the company’s previous ambitions. “Our board of directors wants a new direction,” says Tomek. “Rather than focus on identification only, we think there is much more value in taking this to a diagnostic platform. That’s the future of the technology — not the simple ID.”

The company even sold off some of its individual-style tracking technology to Stanley Black and Decker for $48 million, she said.

These medical applications are not quite as controversial as the tracking technologies. The FDA in 2004 approved another chip developed by Positive ID’s predecessor company, VeriChip, which stores a code — similar to the identifying UPC code on products sold in retail stores — that releases patient-specific information when a scanner passes over the chip. Those codes, placed on chips and scanned at the physician’s office or the hospital, would disclose a patient’s medical history.

But like smart cards, these medical chips can still be read from a distance by predators. A receiving device can “speak” to the chip remotely, without any need for physical contact, and get whatever information is on it. And that’s causing concern too.

The bottom line is simple, according to the ACLU: “Security questions have not been addressed,” said Stanley. And until those questions are resolved, this technology may remain in the labs.

Crisis coerces EU members into ever closer union

By extending Brussels’ supervision over states’ budgets and expanding the central bank’s charter, the EU has made an historical step towards a centralised budgetary policy.

nrc.nl | May 10, 2010

By pledging a gargantuan amount of financial support last weekend, the European Union prevented financial markets from digging an even deeper hole for the euro.

The European currency wasn’t the only thing at stake, though. Recent weeks’ events came close to setting off a new financial crisis. Little has really changed since those fateful days in October of 2008. The financial system remains so densely and globally intertwined that a crisis in a small and relatively insignificant country like Greece can easily set off another economic powder keg.

The over 700 billion euros in credit and guarantees that were trotted out last weekend will be supported by far-reaching monetary measures. The European Central Bank (ECB) will, again, provide the banking sector with unlimited liquidity. It has also announced it will, if necessary, buy up treasury bonds to shore up prices and ensure that effective interest rates paid by governments remain low.

Judging by the reaction from financial markets on Monday morning, the bailout seemed to be successful. But last weekend will cast a longer shadow. The constitutional consequences can be very extensive indeed. By announcing its decision to begin purchasing eurozone treasury bonds, the ECB has effectively strayed from the domain of monetary policy into the budgetary arena.

EU countries have agreed financial sureties will be accompanied by an extension of centralised EU supervision over member states’ budgets. The European Commission’s decision to raise funds on capital markets to provide troubled countries with credit is the beginning of a centralised and relatively autonomous EU budgetary policy. Also, the Maastricht Treaty clause that precludes eurozone countries from supporting each other financially, has been violated – in spirit if not in letter.

It has been a longstanding rule governing European integration: the process needs an occasional jolt to help speed it along. Many already had doubts a common currency could exist without a joint, centralised, budgetary policy, back when the euro was introduced. The creation of a monetary union without a corresponding political one was considered equally risky.

If the euro is to have a future, euro countries need to start coordinating their economic and budgetary policies, effectively rescinding a significant part of their national sovereignty in these areas. Last weekend was a first step in that direction.

Whether this should be cause for contentment is a question that remains to be answered. European publics, particularly those in Germany and the Netherlands, were largely sold on the euro by politicians’ promises that their national sovereignty would remain intact. We are now seeing the fallout of the inexorable mechanism behind European integration: one measure inevitably begets the next. European unification has come to lead a life of its own. Those who oppose it would be wise to take action fast, because by the end of the current process, an extensive loss of sovereignty will have become reality.