Language Selection

English French German Italian Portuguese Spanish

GAO study of RFID technology, policy seen flawed

Filed under
Security

A recently released Government Accountability Office study of radio frequency identity device security is flawed because it omits discussion of technologies and federal policies in the arena, according to smart-card industry executives.

GAO defended the report, saying it relied on information provided by other federal agencies and did not delve deep into individual RFID programs that the agencies are implementing.

The GAO report, titled Information Security: Radio Frequency Identification Technology in the Federal Government, discusses privacy and security aspects of RFID tags used for inventory control as well as contactless smart cards used to make personnel credentials. GAO issued the report May 27.

The report cites several privacy and security issues that RFID units can pose, such as "tracking an individual's movements, profiling an individual's habits, tastes or predilections and allowing for secondary uses of information." According to GAO, "While measures to mitigate these issues are under discussion, they remain largely prospective."

But as Patrick Hearn, business development director for Oburthur Card Systems of Chantilly, Va., stated, federal law, regulations and policies mandate many privacy and security protections for the use of smart cards in federal credentialing programs.

"The security measures-encryption and authentication-listed [by GAO as 'prospective'] all exist today and are incorporated into programs such as the State Department's e-passport program," Hearn wrote in an e-mail comment on the GAO report.

Hearn also cited the existence of the Federal Information Processing Standard 140-2, which applies to contactless smart cards issued to federal employees and contractors, as well as privacy and security rules mandated in the Federal Identity Management Handbook.

Hearn noted that the standards that apply to federal use of contactless smart cards mandate compliance with the Privacy Act of 1974, the e-Government Act of 2002, Office of Management and Budget memorandums relevant to the topic and National Institute of Standards and Technology standards for smart-card security and privacy.

Full Article.

More in Tux Machines

today's howtos

Leftovers: OSS

  • Report: If DOD Doesn't Embrace Open Source, It'll 'Be Left Behind'
    Unless the Defense Department and its military components levy increased importance on software development, they risk losing military technical superiority, according to a new report from the Center for a New American Security. In the report, the Washington, D.C.-based bipartisan think tank argues the Pentagon, which for years has relied heavily on proprietary software systems, “must actively embrace open source software” and buck the status quo. Currently, DOD uses open source software “infrequently and on an ad hoc basis,” unlike tech companies like Google, Amazon and Facebook that wouldn’t exist without open source software.
  • The Honey Trap of Copy/Pasting Open Source Code
    I couldn’t agree more with Bill Sourour’s article ‘Copy.Paste.Code?’ which says that copying and pasting code snippets from sources like Google and StackOverflow is fine as long as you understand how they work. However, the same logic can’t be applied to open source code. When I started open source coding at the tender age of fourteen, I was none the wiser to the pitfalls of copy/pasting open source code. I took it for granted that if a particular snippet performed my desired function, I could just insert it into my code, revelling in the fact that I'd just gotten one step closer to getting my software up and running. Yet, since then, through much trial and error, I’ve learned a thing or two about how to use open source code effectively.
  • Affordable, Open Source, 3D Printable CNC Machine is Now on Kickstarter
    The appeals of Kickstarter campaigns are many. There are the rewards for backers, frequently taking the form of either deep discounts on the final product or unusual items that can’t be found anywhere else. Pledging to support any crowdfunding campaign is a gamble, but it’s an exciting gamble; just browsing Kickstarter is pretty exciting, in fact, especially in the technological categories. Inventive individuals and startups offer new twists on machines like 3D printers and CNC machines – often for much less cost than others on the market.
  • Open Standards and Open Source
    Much has changed in the telecommunications industry in the years since Standards Development Organization (SDOs) such as 3GPP, ITU and OMA were formed. In the early days of telecom and the Internet, as fundamental technology was being invented, it was imperative for the growth of the new markets that standards were established prior to large-scale deployment of technology and related services. The process for development of these standards followed a traditional "waterfall" approach, which helped to harmonize (sometimes competing) pre-standard technical solutions to market needs.

Leftovers: BSD

  • The Voicemail Scammers Never Got Past Our OpenBSD Greylisting
    We usually don't see much of the scammy spam and malware. But that one time we went looking for them, we found a campaign where our OpenBSD greylisting setup was 100% effective in stopping the miscreants' messages. During August 23rd to August 24th 2016, a spam campaign was executed with what appears to have been a ransomware payload. I had not noticed anything particularly unusual about the bsdly.net and friends setup that morning, but then Xavier Mertens' post at isc.sans.edu Voice Message Notifications Deliver Ransomware caught my attention in the tweetstream, and I decided to have a look.
  • Why FreeBSD Doesn't Aim For OpenMP Support Out-Of-The-Box

Security Leftovers

  • FBI detects breaches against two state voter systems
    The Federal Bureau of Investigation has found breaches in Illinois and Arizona's voter registration databases and is urging states to increase computer security ahead of the Nov. 8 presidential election, according to a U.S. official familiar with the probe. The official, speaking on condition of anonymity, said on Monday that investigators were also seeking evidence of whether other states may have been targeted. The FBI warning in an Aug. 18 flash alert from the agency's Cyber Division did not identify the intruders or the two states targeted. Reuters obtained a copy of the document after Yahoo News first reported the story Monday.
  • Russians Hacked Two U.S. Voter Databases, Say Officials [Ed: blaming without evidence again]
    Two other officials said that U.S. intelligence agencies have not yet concluded that the Russian government is trying to do that, but they are worried about it.
  • FBI Says Foreign Hackers Got Into Election Computers
    We've written probably hundreds of stories on just what a dumb idea electronic voting systems are, highlighting how poorly implemented they are, and how easily hacked. And, yet, despite lots of security experts sounding the alarm over and over again, you still get election officials ridiculously declaring that their own systems are somehow hack proof. And now, along comes the FBI to alert people that it's discovered at least two state election computer systems have been hacked already, and both by foreign entities.
  • Researchers Reveal SDN Security Vulnerability, Propose Solution
    Three Italian researchers have published a paper highlighting a security vulnerability in software-defined networking (SDN) that isn't intrinsic to legacy networks. It's not a showstopper, though, and they propose a solution to protect against it. "It" is a new attack they call Know Your Enemy (KYE), through which the bad guys could potentially collect information about a network, such as security tool configuration data that could, for example, reveal attack detection thresholds for network security scanning tools. Or the collected information could be more general in nature, such as quality-of-service or network virtualization policies.
  • NV Gains Momentum for a Secure DMZ
    When it comes to making the shift to network virtualization (NV) and software-defined networking (SDN), one of the approaches gaining momentum is using virtualization technology to build a secure demilitarized zone (DMZ) in the data center. Historically, there have been two major drawbacks to deploying firewalls as a secure mechanism inside a data center. The first is the impact a physical hardware appliance has on application performance once another network hop gets introduced. The second is the complexity associated with managing the firewall rules. NV technologies make it possible to employ virtual firewalls that can be attached to specific applications and segregate them based on risk. This is the concept of building a secure DMZ in the data center. The end result is that the virtual firewall is not only capable of examining every packet associated with a specific application, but keeping track of what specific firewall rules are associated with a particular application becomes much simpler.