In the AV industry, we’re not unaccustomed to security scare stories met with a debunking response. For example, Peter Norton was quoted in 1988 in Insight as saying that computer viruses were an urban myth, like the alligators supposed to inhabit the sewers of New York. (He did change his mind around 1990 when he gave his name to Symantec’s product.) Commodore also dismissed stories of the first Amiga virus as a hoax, if I remember rightly.
Sometimes, of course, the naysayers turn out to be right: there is still no Good Times virus, though some of the objections originally raised in response to that era of hoax malware look a little shabby now: clearly, email and documents can contain embedded malware, for example. But while I admire the UK government’s Home Office for its absolute assurance that Adam Laurie’s claim to have modified a British Identity Card’s microchip is "rubbish", I can’t say it reassures me. While I can’t vouch for the accuracy of Laurie’s claim, or say whether it constitutes a full-blown breach of the ID card mechanism, it seems to me that where there is even a partial proof of concept, there is, sooner or later, likely to be an exploit.
Microsoft is an organization that has learned the hard way not to offer too many hostages to fortune. Its Microsoft Security Bulletin Advance Notification for August 2009 indicates that the next Patch Tuesday (August 11th) will include nine updates, five of them rated as critical. Unfortunately, if the Home Office doesn’t learn that prioritising PR spin over realistic evaluation of the claim of risk is not a good idea, it risks not just the goodwill of the electorate, but also waking up someday soon to a breach that could endanger a great many people.
Of course, they may be right – I don’t do "electronic Pearl Harbor" predictions, and there may be as little risk as they claim. However, the statement by a spokesman that "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened" is more suggestive of obsessive denial than of realistic appraisal.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/