Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!
Register | Login
RIAA News
Cool Stuff
MPAA News
Games / Consoles
News
Music
Movies
TV
Open Source
Mobiles
Advertising
Product News
P2P
Off Topic
Freedom
Politics
Interviews
Security
DRM
Links
Kids and Kartels
Search: 
Search
 
Web P2PNET   
   Search: 
Search
Torrent Site Tracker
MP3rocket
 
Add real-time p2pnet headlines to YOUR site ! Click here to download our newsfeed code
p2pnet - rss feed: http://p2pnet.net/p2p.rss | p2pnet celebrities: http://p2pnet.net/celeb.rss | Mobile? http://p2pnet.net/index-wml.php

US-VISIT security problems

p2p news / p2pnet: America’s RFID US-VISIT border security program is, “failing to adequately protect personal data being stored in databases and collected via RFID inlays embedded in its I-94 visa forms,” says a US Homeland Security report.

US-VISIT was launched in 2004 to boost border security by taking digital fingerprints and photographs of non-America visitors. But it, "resulted in many cases of mistaken identity,” said EPIC (Electronic Privacy Information Center) a year ago.

Thirty-two air crew members, "experienced fingerprint scanning mismatches that caused them to be improperly flagged by government watch lists," although half of them had already had undergone background checks, said EPIC.

Now “enhanced” security controls are need, says the Department of Homeland Security, Office of Inspector General (OIG).

RFID is short for Radio Frequency IDentification and according to the censored report, RFID, "allows sensitive information to be read and written to tags and for numerous tags to be scanned simultaneously from a greater distance. The flexibility and portability of RFID technology and devices, as well as the information that resides on the tags, increase the need for security and privacy controls."

Although various controls provide overall system security, "US-VISIT has not properly configured its AIDMS (Automated Identification Management System) database to ensure that data captured and stored is properly protected," states the report.

"Furthermore, while AIDMS is operating with an Authority to Operate, US-VISIT had not tested its contingency plan to ensure that critical operations could be restored in the event of a disruption. In addition, US-VISIT has not developed its own RFID policy or ensured that the standard operating procedures are properly distributed and followed at all POEs."

The audit comprised visits to US border point-of-entry stations, where the RFID-enabled forms are being tested, as well as interviews with US-VISIT and Customs and Border Patrol (CPB) personnel (US-VISIT is a CPB program), says an RFID Journal story, going on:

"The audit examined both the physical layer of the system - how the tags, readers and I-94 forms are used and secured - as well as whether adequate policies and procedures have been enacted to ensure the ‘confidentiality, integrity and availability’ of data contained in the Automated Identification Management System (AIDMS), which is the system of record used by the US-VISIT program to maintain databases for storing information about foreign nationals entering and exiting the country."

An OIG audit team used the Internet Security Systems’ Database Scanner to review database settings and to detect and analyze vulnerabilities on database servers, states the RFID Journal.

"It also used an RFID spectrum analyzer and an interrogator to attempt to read I-94 forms being carried by persons going through the ports of entry where the technology is being tested. While the DHS still considers the distribution and reading of RFID-enabled I-94 forms a proof-of-concept rather than a permanent technology deployment, it has distributed more than 150,000 of the forms."

The AIDMS database investigation, “’revealed some security vulnerabilities that could be exploited to gain unauthorized or undetected access to sensitive data [relating to person carrying I-94 forms],’ says the RFID Journal.

The vulnerabilities were, “based in the area of user account and password management and user access permissions, but the details of such vulnerabilities are removed from the redacted version of the report, available online".

During the audit, "the team was not able to use unauthorized interrogators to ‘communicate or read the Form I-94s at ports of entry,’ but it was able to pull the record indicator from sample forms in a laboratory setting, using a ‘more sophisticated reader,’ according to the report, though the redacted report does not detail what type of interrogator was used in the lab," says the story.

The report recommends US-VISIT should:

  • Develop and implement procedures to strengthen user account and password management processes relating to the AIDMS database. Procedures should include periodic vulnerability assessments and reviews of all user access.
  • Ensure that all vulnerabilities identified for which risks have not been assumed be remedied.
  • CENSORED

  • Test contingency plans, at least annually.
  • Develop and implement its own policy that addresses security controls over all components of an RFID system and ensures that policies and procedures are being followed at all affected POEs.

Digg this.

Also See:
mistaken identity - US-VISIT ‘full of tech problems’, July 10, 2006
RFID Journal - US-VISIT RFID Trial Shows Security Holes, July 7, 2006

p2pnet newsfeeds for your site.
rss feed: http://p2pnet.net/p2p.rss
Mobile - http://p2pnet.net/index-wml.php

This entry was posted on Saturday, July 8th, 2006 at 11:36 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

HOME

Viewed 1493 times

« previous ‘Forced’ into web cam sex acts
Will ads sink The Pirate Bay? next »

Leave a Reply
    Advertisments
Teksavvy