eid - Page 4

  • It is now time to make your ideas and proposals about a secure EID public or known

    We are happy to announce that the omerta around the EID has broken in a big way, and we would ask all those who have kept silent to get their ideas and information together and hand them over to us, to the parliament or to FEDICT, whichever you are most comfortable with.

    It is now or never: if you miss this big chance and only speak up later, you will be confronted with our remark "why didn't you say that before?"

    We would even call for a Delphi study about our EID project, one that doesn't take into account who says what but what is being said, and that tries to get all the specialists on EID and security together around a big master plan for the coming years and the axes around which the new EID should work.

    We also think that it is maybe time for parliament to step in and form a permanent commission to follow up on technology questions. We are having one issue after another since January (EID, EVOTE, EHEALTH, ESECURITY, BELGACOM accounts hacked, **** online service insecurity, .......). How do the representatives hope to have any knowledge, backup specialists and follow-up if they don't have a permanent committee with specialists and representatives who can exchange and coordinate information with colleagues from all over the world who have the same speciality?

    By the way, we are still looking for new reports, articles and things to make public or to send through backchannels. We are also looking for people to blog here (ask for an account) or to help (even if it is only an hour a week) with different side projects or specific follow-up sections on this site. I don't care if you agree with everything written here or not.

  • Research on the EID by Leuven professors online

    At the request of the researchers this was taken offline.

  • EID : I am a man now and a woman online

    Source: Datanews

    Because of a programming error a few hundred Belgians have an electronic ID that presents them as the opposite sex if they use their EID online. Men became women and women became men. The dream of everyone, no? Only, it is only virtual.

    It is a men's world ..... and women wear the pants..... That is equality  :) joke

    Seriously: quality control?

  • EID some articles about the EID video and the privacywall leak

    http://www.zdnet.be/news.cfm?id=85162

    http://www.datanews.be/nl/news/90-7-18216/privacyfilter-in-eid-kan-omzeild-worden.html

    http://www.datanews.be/fr/news/90-55-18225/le-filtre-de-protection-des-donnees-privees-dans-l-eid-peut-etre-contourne.html


  • EID : we are no part of a hidden campaign

    We have been reading strange things in the comments about the articles that mention the video, so let's make some things clear.

    * We are not part of any FUD campaign by any firm that wants to get money from Fedict for whatever reason. The only reason for these postings is to have an open discussion about the procedures, security and democratic control, just as we have about thousands of other subjects in everyday life and politics. So why is any discussion about an aspect of IT dangerous or suspect? And why should citizens, politicians and other stakeholders have no active say in what we do with the IT infrastructure and our privacy in it?

    We even volunteered to get together with FEDICT without any pay to exchange ideas, only we aren't sure how to organize this and guarantee our privacy and relative anonymity (and the freedom of speech that results from it) and also our legal status under the cybercriminality law.

    * We are not a "bunch of open-source geeks" that try to get the EID project broken or whatever obscure manipulative scheme is being imagined. We are all professionals working in professional environments following professional rules and books in a professional way. This is our freedom of speech, however amateurish it may look. As we are professionals and read and work a lot, we have too little time to do everything the way we would like it to be done, but within that timeframe we try to do our best.

    * We are not agents of the prime minister trying to destroy the federal IT infrastructure, as some French-speaking commentator thought. We will work with any active democratic politician who has the honest and responsible belief that our IT infrastructure in Belgium needs more resources and policies to be defended. We will work with any democratic politician of any region to do the same thing there. If you read the postings you will see that no one in the .be atmosphere is being ruled out. It also depends a bit on time.

    * We are not hackers but professional security researchers, some of whom have chosen to be public, others publish some things under their own name and other material under the 'mixed' belsec name, and still others just want or need to be somewhat anonymous. It is not who says it, but what is being said that is important. The brightest minds can sometimes say the most stupid things.

    Hackers just destroy or manipulate things. The stuff in the video was given to the parliaments some months ago. It is only because the subject in the video was being mentioned in the parliament that we deemed it necessary to make it public so everybody knows what we are talking about.

    We try always to be responsible: not everything that we receive is published, not everything that we know is tested, and not everything that we find is published immediately. We haven't published that some time ago there was a serious programming error on a xxxxxx linked to a nuclear facility in Belgium. We informed our backchannels about it and waited three months to get it fixed.

    This is why we want first and foremost that there would be a general responsible disclosure policy in Belgium.

  • EID why developers hate security and want to forget about it

    You know, the big problem with the Belgian EID card is that almost everybody forgot about their PIN code anyway. So for an EID enabled application of the first hour to become deployable you're actually forced to use the Belgian EID card without ever invoking any operation (like the compute digital signature APDU 0x00, 0x2A, 0x9E, 0x9A) that requires a PIN code. Even the security pop-up of the EID middleware about some application that will read out your private data from the card might freak out end users so much that they will flood your help desk in no time. Getting the big audience to use the Belgian EID will take some time and will require us (security developers, architects, whatever it is you're doing with this freaking card) to lower the security constraints in a controlled way.

    http://cup-of-java.blogspot.com/2008/05/belgian-eid-security.html

  • FEDICT responds to the film about EID and some thoughts about the solution

    First a big applause for the developer of the workaround. If he or she hadn't thought about doing this test and making it available in a responsible way, then the whole discussion would have been swept under the carpet. The technicians and engineers would say 'trust us, we know - this is too complicated for press and politicians - we don't need control - we are in control'. The politicians would say that they don't understand what we are saying, that they want proof, that whatever......

    Peter Strickx, chief technology officer of Fedict, says that he was not amused when he was confronted with the film several weeks ago and that he contacted Zetes, the firm responsible for the EID middleware, to search immediately for a solution. They will now provide a popup every time something wants to read the information on the file.

    http://www.datanews.be/nl/news/90-7-18216/privacyfilter-in-eid-kan-omzeild-worden.html (ps: we are no hackers - there is no profit or mayhem involved)

    Reaction: we have to see it running, and we have still received no confirmation on paper from Fedict that they want to meet us and that it would be interesting to have some of us test some things out; that letter must also make clear what the legal conditions of these meetings and experiments are (bluehack example by Microsoft).

    At first sight I am not sure that this will solve it. First of all we have to rethink the way updates are sent to the middleware. In other words, only updated, patched middleware should be able to use online services. The update process should be as simple as Adobe's and Microsoft's and some others', but it should not leave a choice. Period. Secondly I am personally a believer - I didn't make the video, by the way - in sandboxing, and I believe that the EID transactions and software should be sandboxed on a machine and use as few other applications and functions of the OS as possible. Thirdly I believe in encrypting the internal processes of software like this. Any other thoughts, just post them.....

    Oh, and yes, Fedict says that Zetes, the firm responsible for the middleware, has the highest security certification possible and so on. Well, they will need to send someone to the CEH hackers courses to learn to think creatively.

  • Book with 'Best of Practices for developers of EID Middleware'

    http://users.skynet.be/fa283208/pdf/DISBooksalespage.pdf

    There is a book with best practices for developers of middleware for EID, but you have to buy it. This is a bit of a pity. Best practices should be open and free documents - open for discussion and rethinking - and free to be found and used by everyone, because what is a best practice worth if too few people use it or know it?

    Maybe the organizers of this book - we applaud the fact that it exists - should think about setting the book free for a while, to be sure that everybody who is developing middleware - or testing it - will use the best practices available.

    It is clear after the hearings about cybersecurity in the parliament that the Belgian administrations like Fedict will have to develop norms, standards, best practices and tests.

  • Belgian EID about the video

    The video was made by an excellent security expert who can choose to come out or not. In the beginning there were different interpretations about what the legal consequences could be, but I think we have respected the forms of responsible disclosure.

    It is high time in Belgium to set up standards for responsible disclosure and for respect and cooperation with independent and respectful security researchers.

    The video was handed over in January and was transmitted to Fedict by the representative Roel Deseyn. Fedict has analysed the video and they have "learned a few things".

    After the intervention by the representative we have no choice but to publish the video, so it is clear to everybody what we are talking about. It makes no sense that people would start guessing and talking about what is and what isn't in the video.

    The most astonishing thing is the simplicity of it (for a programmer, that is). We didn't expect this to be possible. We expected the program that reads the information on your Electronic Identity Card to have been subjected to bypass, attack and cracking tests. We expected that you couldn't change registry entries like that. We didn't expect that it would just look at the name of the program and wouldn't take any other characteristic of the program as identifier. We didn't expect it to forget to alert the user that something was reading the information on your Electronic Identity Card.

    You also have to understand that we are - just like our counterparts - creative thinkers. We don't follow strict rules and procedures; we just do the things nobody expects us to do normally, because we are curious to see what would happen. Sounds like the chaos theory of hacking (fuzzing is a bit like that). So when, during the month of EID, we started getting information in bits and pieces about different aspects of the procedures, standards, hidden reports, aspects that weren't certain and some rumours that need to be confirmed before publishing them, we decided to stop the investigation after this video because there was no legal framework (responsible disclosure) under which we could continue. With the video we had the feeling that we had the missing piece for a scenario.

    Do you have to panic now and throw the card in your dustbin? No. On the one hand we maintain that you have to treat your EID like your credit card. You should treat it with the same care and precautions: don't put it in machines you don't trust or know, and be sure that your machine is well protected and cleaned before you do so. Do you lose something? Well, not directly, but we are creative thinkers and there are scenarios possible; these haven't been tested, as they would be illegal under the present law.

    You will see that our motto is "trust is good but control is better"; well, this is what security is all about. You can have the biggest names in security and auditing making thick books with procedures and tests, but when a smart kid on the block bypasses all these smart-asses, then there is a problem with that. Penetration and manipulation testing is very important in security research and auditing because - if done right - it is the final certification that your product or network can withstand the actual world of hackers, crackers and attackers. EID is too important to be just a gimmick that is used for the promotion of persons or enterprises. If EID will ever become an essential instrument of our everyday life, then it had better be safer than just good enough.

  • How to hack (intercept) the information on a Belgian Electronic Identity Card

    The explanation was given in the parliament by a representative during a question about the need for security standards with EID. It is responsible disclosure because the responsible institution has been informed since long ago and has had all the time that would be necessary to prepare the necessary corrections. We will publish more information about this bypass of all the EID security later this evening.

    By the way, the coding was not my work but the work of one of the best security specialists we happen to know. It is up to him to come out or not.

    The Belgian security bloggers are always interested in other breath-taking security research, and if necessary we will use - as is the case here - the backchannels to fix problems or alert the responsible institutions before going public with it.

    This is the text that is so interesting; we give our own translation of the most important parts below it.

    03.03 Roel Deseyn (CD&V - N-VA): Mr Minister, the answer is in a certain sense generic. You bring something to the market but you apparently do not worry that much about the security aspects. I know that the architecture of the card is designed so that it can be read by authorised programs, such as the software that is delivered with the card. However, it suffices to write an application yourself and give it the name of a browser for that program, in the case of hacking, to have access to the data on the card.

    The user does not have to validate the card each time. One does not have to press OK each time to have the data read. This is perhaps somewhat technical, but you have to imagine, Mr Minister, what happens when the user who puts his eID in the reader does not have to press OK. That way different applications can make use of the data on the card. Fedict was sensitive to that concern. I have had contact with the people and with the chairman of Fedict and they appear willing to bring a new version of the protocol software to the market. That shows precisely that standards and quality procedures are necessary. Moreover, Deloitte and Ernst & Young also looked into this earlier with the department. I would like to know whether there has been a follow-up to that. I think that the answer that we subscribe to the international minimum procedures to guarantee compatibility is a good thing, but that by no means exhausts the security aspect or the privacy aspect. We will examine that further at the annual follow-up.

    We translate: "I know, Mr Minister, that the information on the EID card can be read by whatever application is programmed to take the browser name that receives from the so-called 'privacy firewall' (sic) for the EID the right to read all the information that is on your EID. Fedict, the national institution that is responsible for the EID, has been informed and is working on a new protocol. It shows that standards and quality checks are necessary. I would also like to know what happened with the report from Deloitte and Ernst and Young about that matter."

    So what is the impact? If you make a virus in a botnet that takes the name of the browser when it finds the EID reader software on the PC, it will collect all the information on the EID card, and that can be sent to a central crime drop server. If on the same criminal drop server you have listings of credit cards from Belgians, then you can check the names. Take the information from the EID and the information from the credit card and you have 'ID theft' on a massive scale.

    Secondly, other research that has been published here has shown that the reader software, the reader and the PIN codes aren't that well protected either.

    What should you do? If you use EID your computer should be very professionally secured and checked before you use it. You should only use secure EID readers and you shouldn't use it on computers that you don't know.
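    The weakness described above (in "Belgian EID about the video" and in the representative's question) is that the middleware's privacy filter identifies the calling program by its file name alone and does not ask the user. The following is an added toy model, not code from the belsec blog, Fedict or Zetes: it puts the name-only check beside a hardened check that ties the allow-list entry to a digest of the executable and requires the user's OK. Executables and the identity record are constructed sample data.

```python
"""Toy model of an EID middleware 'privacy filter' (added example, not the
page's or the project's code).  Weak variant: allow-list keyed on file name
only.  Hardened variant: allow-list keyed on (file name, SHA-256 of the
executable) plus a mandatory user consent prompt."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Caller:
    name: str      # file name of the process asking to read the card
    binary: bytes  # contents of its executable (constructed sample data)


# Constructed sample executables: the genuine browser and an impostor that
# simply reuses the browser's file name (the trick the page describes).
GENUINE_BROWSER = Caller("browser.exe", b"MZ genuine browser build 1.0")
IMPOSTOR = Caller("browser.exe", b"MZ something else entirely")

# Constructed identity record standing in for the card's identity file.
IDENTITY_FILE = {"name": "J. Doe", "sex": "M", "national_number": "00.00.00-000.00"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Weak filter: only the file name is consulted, so any program that takes the
# browser's name passes.  (The page also notes the allow-list lived in the
# registry where it could be changed; protecting it is a separate requirement.)
NAME_ALLOWLIST = {"browser.exe"}


def weak_filter_allows(caller: Caller) -> bool:
    return caller.name in NAME_ALLOWLIST


# Hardened filter: the entry is bound to the executable's digest.  A real
# middleware would rather verify the binary's code signature, but the point is
# the same: the name is not the identity.
HASH_ALLOWLIST = {("browser.exe", sha256_hex(GENUINE_BROWSER.binary))}


def hardened_filter_allows(caller: Caller, consent: Callable[[str], bool]) -> bool:
    """consent(name) models the popup; it returns True only if the user pressed
    OK.  It is shown only for callers that already passed the digest check, so
    an unknown binary never even reaches the user."""
    if (caller.name, sha256_hex(caller.binary)) not in HASH_ALLOWLIST:
        return False
    return bool(consent(caller.name))


def read_identity(caller: Caller, consent: Callable[[str], bool],
                  hardened: bool = True) -> Optional[dict]:
    """Return the identity record if the selected filter allows it, else None."""
    allowed = hardened_filter_allows(caller, consent) if hardened else weak_filter_allows(caller)
    return dict(IDENTITY_FILE) if allowed else None


if __name__ == "__main__":
    always_ok = lambda name: True
    print("weak filter, impostor   :", read_identity(IMPOSTOR, always_ok, hardened=False))
    print("hardened filter, impostor:", read_identity(IMPOSTOR, always_ok))
    print("hardened filter, genuine :", read_identity(GENUINE_BROWSER, always_ok))
```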

  • a very interesting discussion about Belgian EID and Middleware

    It is maybe being missed by some, but there is a very interesting discussion taking place about Belgian EID and Middleware on this blog.

    On one side there is Marc Stern from approach.be, who has been one of the architects of the Belgian EID system and still works for it (as a consultant now),

    and on the other side there is a firm that has made its own OpenID plugin that would serve as middleware for the Belgian EID and would ask for your PIN code, which Marc Stern finds unsafe.

    http://blogs.skynet.be/index.html?l1=communication&l2=blogs&l3=my_blog&l4=post&post_ID=5819056&myblog=belsec&new_lang=nl

    The discussion is interesting because Belgian EID in the beginning was founded on some principles of open source, although one wanted to keep the Middleware under control. This group of developers has taken the concept of open middleware a step further.

    Personally I don't like it because it opens a whole new can of possibilities for phishers, and we have already written some things about the security of the Belgian EID reader software (click on EID in subjects). It wouldn't be wise to add another security problem that can grow out of control.

  • Belgian EID and the Microsoft question

    Itprofessional publishes today a 2-page article about the bubble that the Belgian EID is becoming. Under the last government Minister Van Velthoven made it his pet project, and every so many weeks there were new announcements and projects, and it couldn't become less than the biggest ID project on earth. Even Bill Gates came along, received a bogus card (forgery) and told everybody how interested he was in this project. Today, according to the article, most of the Microsoft EID veterans in Belgium have gone, Redmond has lost interest and the new Belgian Microsoft executives have expressed criticism (and repeat it in this article) that the Belgian EID is not fully compatible with European norms for EID.

    Bruno Segers (ex-Microsoft) tries to save face a bit for FEDICT, the project managers responsible for the roll-out and development of EID, but the criticism from the developers of EID-compatible products is harsh and without excuse. The documentation is not helpful, if you even know how to find and interpret that information. And even if there are hundreds of applications that could work with EID, it is clear that there is no communication anymore, neither for the developers nor for the public, that is web 2.0, advertised and usable.

    As Agoria (the organisation of the hightech industry in Belgium) says it is time for something new. They say 'communication' (which costs a lot of money and just doesn't solve anything because already too much money has been spent on such campaigns) but maybe it is more coordination, more involvement and more integration that is needed between the different stakeholders.

    And maybe people don't want their EID to be a payment card. Maybe people don't want to use their EID for a lot of other things. Maybe people just want their EID to be just that, an EID.

    And maybe there are other reasons for this season of discontent.

  • Vulnerable EID login servers without monitoring

    And then there are login servers that fail and show on their login page all the technical information that one would need to hack the server, because it isn't patched and it is in some open source stuff (I like PERMANENTLY SECURED open source, not ORPHANED INSECURE open source).

    It is a service that is used by civil servants to log in with their EID. This is an important service because it is after this login that civil servants can give rights to other civil servants to see the information of enterprises and civilians.

    The problem is an internal error. The attacker would have to do nothing himself to see all the necessary information.

    The server hasn't been patched since MARCH 2007 and there are for the moment 10 different exploits possible against such servers in the same state.

    More information is available for those whom it should concern - even if this unsecure server concerns all of us.


  • EID replacing the root certificates and rootservers

    http://eid.belgium.be/nl/navigation/documents/45834.html

    All the info is there.

    If you call that technical, robust, tested and prepared info, that is....

  • EID BEST PRACTICE TO KEEP ALWAYS IN MIND

    It has now been reconfirmed for the third time by other sources.

    If you want to use your EID from a personal or network PC, you should be sure before you do so that your computer has an antivirus that is updated and has checked your PC BEFORE you start using your EID. Patching and a firewall are naturally also in order.

    The EID software is NOT made to be used on an infected or non-protected PC or web service (this is for the service administrators who want to incorporate EID in their web service).

    This means for network administrators that if you want to use EID you have to make sure beforehand that the PCs are protected, scanned and in order.

    Naturally it seems to me that the EID reader software should maybe be incorporated in the security suites and sandboxed, tunneled, controlled and protected from there. Just a (business) idea.


  • EID must read articles

    About PIN codes and chips and new ways to intercept and defraud these systems. Nothing is safe all the time, anytime.

    http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf

    http://cryptome.org/UK-Chip-PIN-07.pdf  a confidential report (UK) about fraud and problems with chip cards

    http://www.cl.cam.ac.uk/%7Erja14/Papers/Phish-and-Chips.pdf

    So how are you going to upgrade the EID norms, software and chips if necessary?

    To the comments, this: stop presuming things and taking things for granted.

  • Roel Deseyn proposes parliamentary oversight of the EID

    Oral question by representative Roel Deseyn about the e-ID in parliament


    Dear Minister,

    During the hearings in the Chamber it became clear that standards and norms are very important for an IT project. Within the Belgian context it is also important that Belgian norms are developed on the basis of our legislation and needs. At the launch of the EID it was announced with much publicity that a new Belgian standard of our own would be developed. Reactions from the IT world suggest that this has not been realised to date.

    Moreover, there is the risk that structural problems may occur with the EID or that the system falls prey to abuse. If this were to happen, it would have a serious impact on important parts of our society. Parliamentary democratic oversight is therefore called for.
    Hence the following questions:

    Can the minister explain to us whether work is being done on a Belgian quality standard for our EID? To what extent has this standard already been realised?

    How does the minister view the suggestion of giving parliament an annual report on the state of affairs within the EID project? Is the minister open to an annual opportunity for questions?


  • Will our EID have medical data or not ?

    In Belgium we have an electronic E-ID. When it was launched it was announced that it would also be used to integrate our other identity papers. We have a driver's licence, for example, and a special card for our social security (SIS).

    The goal was to integrate the SIS card with the EID, but questions are being raised about the EID, and the whole discussion about putting the most privacy-sensitive information (our medical information) on an EID, a discussion which seems to be not so public (thanks to the cybercriminality law), is something that seems to be cooling the EID fever.

    For people new to the discussion, please read our subject line EID carefully, between the lines.

    It seems now that some specialists and policy makers no longer think this is a good idea and that it would be better to set up a network between the medical service providers without a specific card, so that there would be no medical data on the EID. At least this is the rumour-information that we have picked up. If true, this would be a very good decision.

    Putting everything on the EID seems to some like preparing Belgium for identity theft on an unknown scale.


  • Belgian EID : Are the card readers still safe?

    He doesn't think so:

  • Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
    • you know, the kind of stuff that never happens, anyway it's now your problem even if the official middleware is not signed
    • And apparently even some readers with integrated keypads are not safer :-(
    • And, oh, I did a small test with lkl, a userland keylogger and of course the PIN typed into the beid graphical prompt could be easily captured.
  • He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
  • Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
  • The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.