Saturday, June 29, 2013

The danger of license plate scanning systems and other unauthorized databases

License plate scanning systems make it possible to build databases that are used to trace the path of a vehicle within a geographical area, provided a certain minimum number of surveillance cameras are connected to the capture / scanning / ANPR system.

That way, you can obtain extremely valuable metadata, and the technological infrastructure needed to obtain it is relatively cheap and accessible in Argentina.

The problem is that they are a gray area to regulate: such a database stores publicly available information (the license plate is visible to anyone on the street), but accumulates extremely sensitive metadata, because the State has the information and the ability to associate the plate's registration data (owner, model, etc.) with the usual routes traveled by the vehicle that carries that plate.

In Argentina, the gray area arises because this type of "derived" database is not entirely governed by the law; at most, it could be legally challenged at some point if the movement / route data came to be used as evidence in a trial.

In any case, that situation is preferably avoided by every means, and route metadata is used mainly for investigation and for obtaining other evidence of crimes that is less controversial and / or less likely to be challenged legally, or even to trigger a public controversy that leads to regulating a gray area that today is not regulated.

Examples of possible problems:

Most of these databases are for "internal" use by the security forces and are accessed by operators who are not specialists, so many rigid and strict access-hardening procedures must be followed to ensure that access to plate-tracking metadata remains available only to those specifically authorized for it, and ultimately auditable, and is not left within reach of interested third parties or, worse, third parties that nobody knows about and nobody is going to audit.

The problem is that today's databases are embedded in highly connected systems, and a database that few people or almost no one knows about is particularly prone to unauthorized access, precisely because many users of the networks and systems that could eventually be connected to the database have no real idea of how serious it is to be careless with and / or skip even minimal hardening rules.

Classic examples of how secure facilities and computer networks get de-secured include:

- USB ports on the database access terminals, where anyone can connect:

* USB flash drives: they may contain trojans built to work in disconnected networks (with an "air gap", that is, with no network link to the Internet) that go on setting up an infrastructure of data "dropboxes" (which hold the stolen information, to be transferred to the drive the next time it is connected), or that directly go on installing backdoors that try to connect to the Internet.

* USB devices with 3G or Wi-Fi connectivity: with these, a supposedly secure network immediately becomes a network connected to the Internet, with all the potential problems that this entails.
etc.

- Allowing smartphones into the facility: the hacking possibilities range from few to total in the case of a targeted attack that uses smartphones as a "post" to circumvent the "air gap" that keeps the database's secure network disconnected.

- Not having constant, automatic video recording of the operators: this is an extremely simple security measure to use (almost all supermarkets of medium size and up implement it at their checkout counters), and its absence creates the unusual possibility of invalidating all the other measures. For example, if an operator simply loses their credentials or has them stolen (ideally 2-factor: smartcard credentials / password) and someone else, including another authorized operator, uses that access, there is no way to identify the person who impersonated the operator. etc.
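
As an added example (not part of the original post), here is a minimal audit over the access log of a plate-tracking database, covering the two points above: access must be authorized and auditable, and a credential used by someone else must be noticed. The log format, operator names, terminal ids and case references are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: operator, terminal, ISO timestamp, plate, authorization reference.
# The format and every value are assumptions made for this example.
SAMPLE_LOG = """\
op_garcia,T01,2013-06-29T09:00:00,AAA111,CASE-0001
op_garcia,T01,2013-06-29T09:05:00,BBB222,
op_lopez,T02,2013-06-29T09:10:00,CCC333,CASE-0002
op_garcia,T03,2013-06-29T09:06:00,AAA111,CASE-0001
op_lopez,T02,2013-06-29T11:00:00,CCC333,CASE-0002
"""

def parse(log_text):
    """Turn each comma-separated line into a dict; blank lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        operator, terminal, ts, plate, auth = (f.strip() for f in line.split(","))
        rows.append({"operator": operator, "terminal": terminal,
                     "time": datetime.fromisoformat(ts), "plate": plate, "auth": auth})
    return rows

def audit(rows, window=timedelta(minutes=10)):
    """Return (unauthorized, shared): queries with no authorization reference,
    and operator credentials seen on two different terminals within `window`."""
    unauthorized = [r for r in rows if not r["auth"]]
    by_operator = defaultdict(list)
    for r in rows:
        by_operator[r["operator"]].append(r)
    shared = []
    for operator, events in by_operator.items():
        events.sort(key=lambda r: r["time"])
        for prev, cur in zip(events, events[1:]):
            if prev["terminal"] != cur["terminal"] and cur["time"] - prev["time"] <= window:
                shared.append((operator, prev["terminal"], cur["terminal"], cur["time"]))
    return unauthorized, shared

if __name__ == "__main__":
    unauthorized, shared = audit(parse(SAMPLE_LOG))
    for r in unauthorized:
        print("no authorization:", r["operator"], r["terminal"], r["plate"], r["time"])
    for operator, t1, t2, when in shared:
        print("credentials on two terminals:", operator, t1, "->", t2, "at", when)
```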

Conclusions

In other words, the potential for misuse of databases with sensitive metadata is great, and there have been no criminal problems, yet, simply because very few people (ordinary citizens and "civilians", mainly those unrelated to the security forces) are aware of the potential of these tools in the usual political, economic, socio-economic, etc. games.

As sufficiently motivated and well-funded "players" come to require access, legal or illegal, to the metadata, we may see the first public cases of misuse of these databases.

If in Argentina it is almost a habit for complete case files, extremely private and with very restricted access, to turn up photocopied outside the courts, it is to be expected that, given the superlative value of the metadata (as opposed to a "simple" case file, for example), important interests will eventually move toward trying to access it illegally, which will in fact be much easier if people are totally unaware of the danger and the real value of these databases.

Tuesday, June 18, 2013

XBOX ONE in june
Today we will discuss the Microsoft Xbox One, the new-generation console from Microsoft that arrives with controversy.

The technical characteristics are known: eight AMD cores, an AMD Radeon graphics card, 8GB of DDR3 RAM and 500GB of internal storage. It also has a Blu-ray reader and is accompanied by Kinect 2, which comes with an upgrade to play in low light.

It has been completely redesigned: more square, with perfectly straight lines, it has gone from a game console to a multimedia center for our home. According to some, the PS4 is focused on gamers and the XBOX ONE on the whole family.

Its connections include the power input, HDMI, USB 3.0 ports, optical audio, an Ethernet connection, Kinect, and an infrared port whose purpose is not yet known.

What is the controversy around this console? To start, it will have to connect to the Internet once every 24 hours. One of the negatives is that games cannot be given to more than one person at once. It is also rumored that it will have a regional limit, i.e. if you buy a game in Japan, it may not be usable in Europe.

What it is going to allow is the sale of second-hand games, but only in approved.

Hand in hand with this console, some games will come out, such as Dead Rising 3, Project Spark, Forza Motorsport 5 and Halo: Spartan Assault.

This console costs many euros, and it is estimated that it will be released in November. In this case, the Kinect is included.