There was a lot of doom and gloom at BlackHat this year, but my favorite presentation was the one just picked up by the ACLU of Northern California

Researcher Nate Lawson has discovered that FasTrak transponders are vulnerable to sniffing, cloning, and surreptitious tracking of a driver’s comings and goings.

That is because the systems have no encryption or other technological protection measures to ensure that the information is not read by unauthorized readers or copied and cloned for misuse. Without protections, it is not just those toll booth and freeway sign readers that can track who you are and where you are going, but also that homegrown sniffer that Lawson plans to put up to collect information.

Lawson is amazed that “there has not already been widespread fraud, cloning, and selling of ‘free transponders’ that” were hacked and reprogrammed, he says. “There’s nothing there technically to prevent it.”

What he meant to say, I think, is that the system was not designed to prevent it today. However, an important point to his research is that the transponders also allow an attacker to WRITE data to them. This actually would allow the system to prevent abuse, should new/fixed code be installed with authentication capabilities.

Thus, something COULD be done to prevent and fix a number of flaws. The question is whether they will be done. In the meantime, you can not only sniff IDs and track people by the FasTrack system, but you can mix and install IDs as you please.

Hacking this system is actually not news, as Lawson suggests in the fact that he is buying transponders off the grey/black market. The officials surely watch this as well. They usually monitor some degree of abuse. Lawson is just the guy who wants credit for writing up his “research” and wants to be in the press for announcing the flaws, as opposed to building himself and his friends/family a free ride or making some pocket change for selling transponders.

In a similar case, Barbadians have harshly criticized the researcher who recently claimed to have “discovered” a snake on their island:

“If he needs to blow his own trumpet … well, fine,” said 43-year-old Barbadian Charles Atkins. “But my mother, who was a simple housewife, she showed me the snake when I was a child.”

One writer to the Barbados Free Press blog took an even tougher tone, questioning how someone could “discover” a snake long known to locals, who called it the thread snake.

At least Lawson did not try to rename FasTrack.

Anyone need more data on what is wrong with security in America? The Associated Press have posted a chilling story about the absolute wrong way to go about things:

Mayor Cheye Calvo got home from work, saw a package addressed to his wife on the front porch and brought it inside, putting it on a table. Suddenly, police with guns drawn kicked in the door and stormed in, shooting to death the couple’s two dogs and seizing the unopened package.

The problem is, the package was a “dead drop” scheme used by drug smugglers and the police assumed (stupidly and as intended by the smugglers) that because the package was addressed to the Mayor, it must be his. All the police watched for was for the suspect to take the package inside. The heavily armed officers frightened the Mayor’s mother-in-law, who screamed. They used this intimidation technique to claim they had to move into action, and cause the Mayor irreparable damage.

Two black labs were gunned down when “officers felt threatened”, but the uncertainty principle is evident here: the officers surely threatened the dogs, thereby giving themselves reason to kill them. It is hard to see what the police did to minimize such a threat or avoid harm to the suspects, as they seem to have used the “fire, ready, aim” approach to this incident. I have touched on this before in my review of Tazer lessons — police are now taught to be aggressive and to act with “pre-emptive” aggression and impunity towards civilians.

Calvo insisted the couple’s two black Labradors were gentle creatures and said police apparently killed them “for sport,” gunning down one of them as it was running away.

“Our dogs were our children,” said the 37-year-old Calvo. “They were the reason we bought this house because it had a big yard for them to run in.”

That suggests to me that their dogs were known risks to the police and were therefore targeted unfairly instead of anticipated and dealt with humanely, as the Mayor asserts.

“When all of this happened I was flabbergasted,” said next-door neighbor Edward Alexander. “I was completely stunned because those dogs didn’t hurt anybody. They barely bark.”

The case is the latest embarrassment for Prince George’s County officials. A former police officer was sentenced in May to 45 years in prison for shooting two furniture deliverymen at his home last year, one of them fatally. He claimed that they attacked him. In June, a suspect jailed in the death of a police officer was found strangled in his cell.

Calvo said he was astonished that police have not only failed to apologize, but declined to clear the couple’s names.

This event highlights everything about the wrong way to practice security — aggression without justification, and a failure to stand accountable. It breeds resentment among those who feel threatened and erodes the support needed to create real and lasting security.

His wife spoke through tears as she described an encounter with a girl who used to see the couple walking their dogs.

“She gave me a big hug and she said, `If the police shot your dogs dead and did this to you, how can I trust them?'” Tomsic said.

Exactly. That is the future generation of Americans, growing up with a distaste rather than a desire for law and order. Some argue that American soldiers in Iraq are not trained to be law enforcement officers and therefore can not bring the right results, but one look at the law enforcement officers in this and related cases suggests it is a much larger problem for America to resolve.

The Los Angeles Times reports that the nature of “repeated” and “extended” violations are giving lawmakers energy to introduce a new set of state laws:

In part because of the breaches, Gov. Arnold Schwarzenegger has endorsed legislation that would impose penalties on hospitals and healthcare workers for breaching patient privacy.

“Californians have every right to expect their medical records to be safeguarded and protected, and I am alarmed about repeated violations of patient confidentiality and the potential harm to the citizens of this state,” Schwarzenegger said in a statement. “By putting financial penalties in place for those employees and facilities that do not follow these laws, this legislation will lead to better care for all Californians.”

Under the legislation, being carried by Sen. Elaine Alquist (D-Santa Clara) and Assemblyman Dave Jones (D-Sacramento), healthcare workers who unlawfully view patient records would be fined from $1,000 to $250,000, depending on the seriousness of the violation. Hospitals and other health facilities would face fines of $25,000 to $250,000 for similar violations.

The legislation also would increase penalties for hospitals found to have put patients in jeopardy of harm or death, to $100,000 from $25,000.

Whether or not you agree with HIPAA, it is clear the CA state law that forced breach notification has been the most effective rule to date for information security practices and privacy. It will be interesting to see the effect of another CA privacy law dedicated to healthcare. Note, the governor recently struck-down a PCI-like bill in CA because he said the private sector was doing well enough regulating itself and did not need duplicate legislation or interference. So, for now, PCI might seem ugly to some but it is what an industry can do to keep ahead of hot-button topics for elected officials.