Tarun Wadhwa is a research fellow with Singularity University and a researcher with the Hybrid Reality Institute.

On Saturday, The Washington Post Editorial Board jumped into a center of a decades-old debate by declaring their support for the creation of a universal national identity card.  Their argument, that the problem of illegal immigration cannot be solved with enforcement alone, is sound.  But their conclusion, that these problems can somehow be fixed by mandating a new type of document, is both shortsighted and misguided.

In reality, the process of implementing an American national identity card would be an expensive logistical and bureaucratic nightmare – and its usage alone wouldn’t bring about the types of reforms that legislators have been promising.

That’s because the problems with our broken outdated identity systems run deeply; they cannot be fixed with the “Band-Aid” approach that Washington is so fond of using.  The foundation of our system is built on top of a numbering scheme that was created in the 1930s for an entirely different purpose.  Adding strict requirements for a new identity document on top of an already dysfunctional system wouldn’t be anything more than a superficial, political solution.

Instead of spending the money to create new government departments to manage, protect, and update the records of over 300 million people, we’d be far better served by modernizing, cleaning, and standardizing the systems and databases that are already in use.

In this country, we have given the responsibility of maintaining records and issuing identity cards to state and local governments, and let each handle it their own way.  As a result, our nation’s systems are only as strong as their weakest link.  This practice was supposed to foster innovation, but instead it has lead to messy patchwork of restrictions and regulations that has undermined the credibility of the entire system.

The Bush Administration realized that creating national standards was critical to shoring up the whole system.  With the REAL ID Act of 2005, they instituted a de facto national identity system by mandating that records be centralized and state-issued IDs be brought up to a common standard.  When the legislation was ultimately implemented, it was done with virtually no public debate or input from important stakeholders (like the state governments who now have to deal with the new requirements).  How these programs are implemented sometimes matter more than how they are designed – unhappy state legislatures are still dragging their feet to meet the requirements over seven years later.

But there’s a lot more that can be done to fix the system now besides just making new laws.  In the last decade, several technologies have advanced to a point where they can now be used quite effectively to help state and local governments overhaul their systems.

Some of the largest inefficiencies in our systems occur because information stored in different government databases is not being shared properly.  With the plummeting cost of storing and transmitting data, sharing information has become much more practical.  Biometric identification is alsohelping counties to automatically weed through the fake, duplicate, and fraudulent entries with a speed and precision not before possible.  US-VISIT, the Department of Homeland Security’s biometric entry program, has also shown how this technology can scale and be effective in every day usage.

These changes can be deployed immediately, while a new identity system can take a long time to gain traction (if it ever does at all).  The longer a system is in place, the harder it is to change, and that is especially true when you’re dealing with something at the core of so many basic government functions.

At the same time, the very basis for identification systems are changing from improving government functions to enabling citizen services.  The identification needs of today’s citizens are more sophisticated than ever before – a physical card with their name is no longer sufficient; citizens need a portable, secure way to identify who they are both online and offline.

We may be reaching a point where the systems behind an identity card are becoming more important than the token itself.  The question of what type of card you are using is becoming more irrelevant everyday.  If we can improve our systems, we may be able to reap many of the benefits of having a national identity card without the burden or cost of actually having to implement one.

Expect legislators to tell us in great detail why this is not possible.  They will point to how divided we are, how large our population is, and explain to us that we’ll be fine if we don’t take action.  But while we are making these excuses, countries in the developing world are doing incredible things with their ID systems.  India is collecting biometric data from over one billion residents to issue them each a unique identification number.  Indonesia is made up of 17,000 islands – they just enrolled over one hundred million people into a new identity system in less than a year.  Ghana just broke a world record by biometrically registering and verifying 13 million people in just 48 hours.

Improving our identity systems should be a national priority – regardless of what happens with immigration reform.  Every single day people are inconvenienced, marginalized, and find themselves victims of identity theft because of our country’s faulty identity systems.  The American people deserve better than to be presented with a false choice.  They shouldn’t have to choose between trusting in a relic from the last century that keeps failing them, and being forced into carrying an experimental document they don’t need.

photo credit: Christi Nielsen via photopin cc

Get your exploit here, get your exploit here! Only days after Oracle patched a critical hole in Java, a new vulnerability is being sold on the black market for $5,000 or the highest bidder.

A post popped up on a “hacker forum,” according to Krebs on Security, the day after Oracle released its fix for Java. The post, created by one of the forum’s administrators, boasted about a zero-day attack in Java that is not included in any exploit packs — or bundled tools to aid a person in hacking someone’s systems that are often sold on these underground markets. The advertisement has since been removed from the website, perhaps because someone already paid up the money. It read, in part:

“And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.”

The hacker did mention, however, that the exploit came with Java source code and that it is a “weaponized version.” Bids higher than $5,000 are, of course, accepted.

The most recent hold Java fixed allowed hackers to enter a computer by using compromised websites as the entry-point into Java. Once in the system, they could steal any information, or hook up the computer to a botnet — or a string of infected computers that can be used to launch attacks against other computers.

The Department of Homeland Security issued a message prior to the fix, urging people to disable Java until it was patched up. After the patch came, however, DHS was unconvinced and warned people that Java likely still had holes in it, and that people should keep Java disabled.

Spilled coffee image via Shutterstock

The Department of Homeland Security warned today that you should still disable Java soon after Oracle released a patch for a hole in Java that enabled hackers to sneak into your computer to steal information or hook you up to a botnet.

“DHS is skeptical because it’s highly likely yet another Java vulnerability is found soon, starting this all over again,” said F-Secure chief research officer Mikko Hypponen in an email to VentureBeat. “The problem is the Java plugin in the browser. Remove the plugin from your daily browser. Then, if some site that you really need needs Java, use a secondary browser with the plugin enabled just for that site.”

The hole recently fixed in Java 7 enables an attacker to secretly install software on your computer by using an infected website to access Java and secretly slip into your system. Criminals may also create fake websites intended to trick a user into thinking that it is legitimate. From there, the hackers can grab your personal information or use your computer as part of a botnet string that could be used to attack other systems.

“Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11,” the Department of Homeland Security warned in its advisory, “This will help mitigate other Java vulnerabilities that may be discovered in the future.”

The hole affects Windows computers, Macs, and Linux machines. DHS warns that other devices that use Java 7 may also be at risk.

Oracle provides detailed instructions on how to disable Java on a number of different systems on its website.

hat tip The New York Times; Homeland Security image via DonkeyHotey/Flickr

Oracle patched the hole in Java 7 on Sunday that enabled hackers to steal personal information and use your computer to attack other systems.

The fix comes only after the Department of Homeland Security issued a warning about the hole, urging people to stop using Java until a fix was made available. Cyber-criminals exploited the vulnerability by using websites infected with malware to access Java and get inside a computer system. Hackers could both infect legitimate websites and set up fake websites that looked legitimate in order to trick people into visiting the site. Once there, the virus would work in the background, secretly infecting the system without the victim’s knowledge.

Oracle specifically states that it has changed Java’s security level from medium to high, meaning Java will always ask the user whether it is OK to run the Java web application that is attempting to launch. This is meant to mitigate the “silent attack” approach.

At the time DHS distributed its warning, Apple blacklisted Java completely for any Mac OS X (Mac operating systems) computer to protect its systems. Previously, Apple computers were affected by a hole in Java that enable the Flashback trojan to perform a similar attack. Whether Apple will reinstate Java is unknown.

Oracle notes that in order for the fix to be complete, you must re-enable Java if you previously disabled it, per the DHS’ recommendation.

hat tip New York Times; Oracle buildings image via Mark Coggins/Flickr

(Updated)

The U.S. Department of Homeland Security’s Computer Emergency Readiness Team says no one should use Java until Oracle fixes a hole that permits attackers to jump inside your computer and steal information.

“We estimate that about 100 million computer users are now in immediate danger of getting exploited. Given the current circumstances – wide availability of the exploit code and no fix from Oracle scheduled for the near future – disabling the Java feature in the browser is the wisest choice,” Bitdefender senior e-threat analyst Bogdan Botezatu told VentureBeat in an email.

Java is a widely-used programming language, now overseen by Oracle, that runs on many different platforms, including PCs, Macs, and mobile devices. Java programs are supposed to run in a secure “sandbox,” but security researchers recently found a vulnerability that allows attackers to infect that computer’s systems with software that further allows them to steal personally identifiable information. Of course, that can lead to bank accounts being drained or identity theft.

Beyond that, however, the hole also lets the attacker hook your computer up to a botnet, or a string of computers that can be used to do the bidding of the cyber criminal.

The malicious software is distributed through infected websites that Homeland Security points out could be made to look like legitimate websites.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the Homeland Security advisory states. “To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available.”

This vulnerability only affects PCs, but a recent and similar incident involving the “Flashback Trojan” showed that Java has weaknesses in Macs as well. According to MacRumors Apple isn’t taking any chances this time and has blacklists Java entirely for its OS X.

We have contacted Oracle and will update the post if we hear back from the company.

UPDATE 1/12/2013: Oracle has stated that “a fix will be available shortly” for the Java flaw, Reuters reports.

via Reuters; Oracle image via Peter Kaminski/Flickr

The world now has access to a list of words and phrases that the U.S. Department of Homeland Security uses to monitor social networks and news article comments for terrorism and general threats against the country.

The list was part of a 39-page “2011 Analyst’s Desktop Binder” document that was released due to a Freedom of Information Act request by privacy watchdog organization Electronic Privacy Information Center. The list contains references to all the related governmental agencies, obvious references to threats (attack, nuclear threat, etc.) and then some pretty generic words like pork, cloud, electric, port, dock, and many others.

The overall report is interesting because it sheds some light on how these security agencies are trained to track potential threats online, but it does raise more than a few questions. For instance, why is Homeland Security tracking many vague terms, and what do they do with this information once its been identified as a possible threat?

The department claims that the practice is simply to monitor activity and not to track anti-U.S. comments made by individuals — a practice currently employed by the governments of Iran and Syria.

The FBI is also getting into the business of crawling social media sites for possible threats against the country with a new tool, as VentureBeat reported back in January.

We’ve embedded the Homeland Security Department’s document below for further inspection. Let us know what you think in the comments.

Via Daily Mail; Image via Andrea Danti/ Shutterstock

In a release, Alabama Department of Homeland Security Director Spencer Collier said that his agency was conducting a forensic analysis to determine what information might have been obtained by the hackers.

The ties to Anonymous come from claims on the group’s Twitter and Tumblr feeds. As usual with the hacktivists, the attack was linked to a political protest. A page from the hacked site bore the tag line of the group and stated that this was a response to, “recent racist legislation in an attempt to punish immigrants as criminals.”

The Guy Fawkes masks worn by the group have become the symbol of their movement. They are a reference to the comic book series V for Vendetta, written by Alan Moore and first published in 1982. That story chronicles a masked man’s attempts to take down the British government.

Writing in The Guardian earlier this week, Moore said he approved of the movement which has borrowed his trademark mask. “Today’s response to similar oppressions seems to be one that is intelligent, constantly evolving and considerably more humane…As for the ideas tentatively proposed in that dystopian fantasy thirty years ago, I’d be lying if I didn’t admit that whatever usefulness they afford modern radicalism is very satisfying. In terms of a wildly uninformed guess at our political future, it feels something like V for validation.”

British citizens Leigh Van Bryan (pictured, middle) and his friend Emily Bunting recently flew to Los Angeles for a holiday trip and instead were interrogated for five hours and locked up over night, according to The Sun newspaper.

Bryan told The Sun that he and his friend were treated like terrorists for quipping on social media. In the the U.K., “destroying” is slang for partying. And Bryan’s tweet about “diggin’ Marilyn Monroe up” is a reference to the TV show Family Guy.

The incident shows how next-generation law enforcement, where government agents monitor social networks for criminal activity, can go horribly astray. Like something out of Minority Report, the government admitted last week that it planned to take its social media monitoring to a new level by creating a tool that crawls Twitter, Facebook, and other networks to catch more crimes before they happen. But with the government’s over-reaction in this latest incident, perhaps it should reconsider.

Bryan and his friend were detained in separate cells overnight after being questioned, and Bryan shared a cell with suspected drug dealers. The two were put on a return flight to the U.K. the next morning. In a smart move, Bryan has since switched his Twitter profile to private.

You can see Bryan’s offending tweets and the official report by Homeland Security below:

One Christmas Eve, security consultant John Strauchs received a call about a new maximum security system he’d installed in a US prison. “All the doors popped open on death row,” said the person on the other end.

Strauchs’ (pictured below, right), who owns a security consulting company, thankfully didn’t have his own prison doors hacked into that night. Rather a part of his security system was leaking enough voltage to trip the electronic locks keeping the prisoners safe in their cells. The close call was too close for Strauchs, who knew if this sort of event can happen by accident, there has to be a way to exploit it.

“[I asked myself] what could you do if you [tripped the doors] deliberately? The answer is: we can do anything,” said Strauchs in an interview with VentureBeat.

Soon thereafter, the media started reporting about the Stuxnet virus affecting programmable logic controllers (PLC), or computers that control electronic devices programmed to perform automatically, and Strauchs had an “epiphany.” According to him, most security systems don’t use PLCs, but maximum security prisons are an exception, leading him to believe a similar vulnerability could be exploited.

So, Strauchs and his team went to work poking at the hole in the system, and it didn’t take long to break into a prison system. The team created malicious code, only 30 lines, using legitimate software, which only racked up a $2,500 price tag. Not too much if you’ve got a little extra saved and feel like opening some prison doors on a Saturday, but the price tag gets even lower if you don’t buy the software outright.

“We went totally legimate,” explained Strauchs, “But if we were not scrupulous and got the software off the internet, it would have cost $500.”

Executing the code can be done in one of two ways; you can “social engineer,” or in essence talk your way, into the physical location of the targeted prison and install a USB drive with the malicious code, or you can find internet access and surf your way in. The latter, in theory, should be very hard to execute, as prison central control systems aren’t supposed to have any access to the internet. There’s no reason to have it. But Sean P. McGurk, former director of the National Cybersecurity and Communications Integration Center for the Department of Homeland Security, told the Washington Times that his team always found internet connections in the 400 plus prison control systems he visited.

“I’ve designed 114 justice design systems and I can’t imagine why central control ever needs internet access, or for that matter a USB drive,” said Strauchs, who went on to say he saw a prison guard checking his Facebook account in a control center he once toured.

The more dangerous part is that central control may never know doors have been opened. In fact, the code can cloak its activity, making it seem as if everything is fine. But just because doors have been opened doesn’t mean prisoners can immediately escape. There are a few hurdles to pass before reaching the outside, which is why Strauchs believes an attack like this is more geared toward internal initiatives. Indeed, the malware can be rigged to keep doors closed as well.

“If you are a [gang member], you prevent a door from opening, and you start a prison fire,” Strauchs gave as a possible use case other than freeing convicts.

Before bringing the vulnerability to the masses, Strauchs’ team set up multiple presentations for federal agencies, and in the end promised not to release the code itself, though Strauchs believes it so easy to duplicate that withholding it isn’t protecting people for very long.

Currently, a few agencies have started to look into the issues, despite the one main one which may simply be lack of education.

“I think a lot of it is telling people that there is a vulnerability. Most people in America aren’t computer savvy and don’t want to be,” said Strauchs, “But once they understand this a serious vulnerability … they will comply.”

[Prison doors via Shutterstock]

[via Washington Times]

Just a few months ago, no one would have cared about such an appointment. But now the move is critical for Sony to regain the credibility and respect it lost during the hacking attack.

During the weeks-long outage of the PlayStation Network, Sony promised that it would hire a top executive to run security at the company as part of an effort to reassure users that such a breach would never happen again. The outage left gamers without the ability to play multiplayer games and it did considerable damage to Sony’s brand.

Philip Reitinger, former director of the U.S. National Cyber Security Center, will become senior vice president and will report to general counsel Nicole Seligman, the Japanese electronics company said.

“Certainly the network issue was a catalyst for the appointment,” a Sony spokesman said to Reuters. “We are looking to bolster our network security even further.”

Sony said the hacker attack against the company cost more than $171 million, based on expenses such as lost PSN revenue and hiring security contractors to bring the network back up.

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

With so many hacking incidents in the news right now, including events with Lockheed Martin and Sony, the Homeland Security advisory is particularly worrisome. If a hacker had a clear path to, say, a nuclear power plant’s systems, who knows what damage could be done?

Homeland Security warned specifically of vulnerabilities in software made by Beijing-based Sunway ForceControl. The company makes supervisory control and data acquisition (SCADA) software, which controls and monitors manufacturing plants and equipment used in all sorts of industries. The security holes, which were found by NSS Labs researcher Dillon Beresford, could allow hackers to issue denial-of-service attacks or remotely execute code on critical systems.

Upon learning about the security flaws, Homeland Security notified both Sunway and China’s National Vulnerability Database. Sunway said it has issued patches for both holes.

Sunway’s products are mostly used in China, but the report says the software is also used in parts of Europe, the Americas, Asia, and Africa. Industries that use SCADA software include “petroleum, petrochemical, defense, railways, coal, energy, pharmaceutical, telecommunications, water, manufacturing, and others,” according to the Homeland Security advisory.

How concerned are you about hacking incidents? Do you think companies need to be taking extra precautions with cybersecurity?

The Department of Homeland Security is well aware of the vulnerabilities of cyberspace and has made taming the Wild Wild West of the internet a high priority.

Jane Holl Lute, deputy director of Homeland Security, said in a keynote speech at the Black Hat security conference in Las Vegas today that it isn’t right to accept as inevitable that cyberspace will be a war zone for the foreseeable future, an ungovernable place where users have to beware what they do.

In introducing Holl Lute, Jeff Moss (pictured, left), organizer of the Black Hat conference and a one-time hacker known as Dark Tangent, said that nothing we do online is secure. After billions spent on security and tons of products from security vendors, we still can’t browse the web, shop, write emails, or explore the web in a secure manner. Yet the world depends on the internet as the engine for innovation and commerce. (See our roundup of all Black Hat and Defcon stories).

Holl Lute said the Department of Homeland Security’s mission is five-fold: prevent a terrorist attack, secure our borders, enforce our immigration laws, ensure the safety and security of cyberspace, and build a resilient and safe society able to deal with unanticipated hazards. The mission for cyberspace isn’t just to defend against attacks, but to enable innovation and commerce. The very fact that cyberspace is included in the department’s top five missions shows that the current presidential administration cares about the problems at a high level, she said.

“We have expectations of transparency, inclusivity and reciprocity,” she said. “We need to part from the romantic notion of cyberspace as the Wild Wild West or a combat zone. We must have rules.”

To keep everyone from coming into conflict, the government must create a better environment, with firebreaks and space for everyone. If you’re wondering where the specifics are, there weren’t that many. But Holl Lute said the government is protecting its own agencies through a program known as Einstein 2 and is deploying a stronger cyber defense initiative in the fall.

One of the problems is that laws haven’t kept up with the rapid changes in technology. “Laws anticipate the familiar,” Holl Lute said. “It takes time.”

In the meantime, Holl Lute called on the security researchers attending the show to help in the effort. She referred to them as the “ablest generation,” more connected and gadget aware than any prior generation.

“I’m a person that believes this country can protect itself,” Holl Lute said, asked if a security catastrophe is inevitable. “What will we make possible, in order to deal with what we don’t know.”