Sunday, February 26, 2006

The Insecurity Of High-Value Databases

The big Brit bank raid shows how Blair's national identity database will be compromised by terrorists, making the country less safe.

Brit debate has focused on the cards themselves and their civil liberties implications, missing the much scarier central identity database.

The database is needed because ID cards will be as forgeable as any other card - you'll just encapsulate your own biometric data with your false identity data onto a forged card. The only way to stop that is to check cards against a central database of all legal ID cards.

Most terrorists will dodge the entire system by posing as illegal immigrants (Brit PC rules protect them), or tourists. But if they do want Brit identities, the database will be a cornucopia.

The best way of attacking high-value targets is by compromising insiders - this was pioneered by the IRA and has been extended by the Brit criminal fraternity (or maybe the IRA again):
(A) security manager...was hijacked on his way home from work at the Securitas depot in Tonbridge, Kent. His wife...and eight-year-old son...were (also) abducted after bogus police officers called at the family’s home...and told them he had been badly injured in a car crash.

All three were taken to the depot where the gang used threats against them to force staff inside to open up. They stole an estimated £50m, some £24m of it belonging to the Bank of England.

Security industry sources have revealed that (the security manager) had no key or code to allow himself into the building.

The robbers, wearing balaclava masks and carrying handguns, threatened to kill his son unless a security guard in a bullet-proof, bomb-proof pod inside the depot — who could see what was happening via an intercom CCTV system — allowed them through a security door.

The same technique will work against every user with access to the national identity database. Users with write access will be particularly at risk, and will need 24/7 protection:

In future senior employees...are likely to be given panic buttons in their cars or high-technology “voice bars” that they can pull open to start an immediate dialog with their control rooms if their cars are stopped or tailed.

The industry has brought in psychologists to study the reactions of victims in robberies and has found that if another human life is in danger, staff will normally act automatically to help. In future it wants computerized systems with disembodied Big Brother-like voices issuing commands to staff seeking access to high-security buildings.

The above examples can be fairly easily penetrated, and hopefully the industry will come up with better defenses - but none will be 100% effective.


So Blair's central database will give terrorists access to the full identity of every Brit - poetically, including Blair himself.

Another triumph of socialism.