Wednesday, November 11, 2009

ND IDs

Within our first day or two of arriving at Notre Dame, all of us got our student ID card. This required being photographed, and then getting the card with the strip on the back. This card served as our key to get into dorms, our meal ticket, and a virtual debit card on campus with FlexPoints and Domer Dollars being deducted from it. Periodically cards get worn down and the strip on the back no longer works, much to the annoyance of the dining hall ladies, who then have to punch in student ID numbers after several failed swipes. Sometimes, people lose them and have to get another one. Overall though, this card is with us almost continually for four years. There are plenty of security questions to consider when thinking about our ID cards though.

For all the access that the card provides, it really has very little security. In many ways, this is a good thing as no one wants to be hassled with producing multiple forms of ID or signing something every time they go to the dining hall or do laundry. There is a picture on the ID, but that picture is taken freshman year, and most people change in appearance plenty over their four years. Plenty of times the cashier doesn't even look at the picture to begin with, and in the case of Domer Dollars used on vending machines or laundry machines, there is no check at all. If a card is lost or stolen, anyone can use that card until it is reported and canceled. As a key, after parietals or when entering some side doors, only dorm residents can enter, and they require a swipe of the card and then punching in a four-digit code, the student's birthday by month and day. However, if someone really wanted to get into a dorm, it would be easy enough to find out a birthday. Also, as I figured out due to my card getting really worn down and falling apart, the strip part of the card actually peels away from the front of the card with the name and photo. If someone really wanted to, they could switch card identities or make a false front and attach the back to it.

If I were an attacker trying to exploit these cards for my own use, the thing to do would be to quickly buy things with Domer Dollars or FlexPoints once I stole or found one. The attacker could spend some of it without ever having anyone even see the ID at vending machines and that type of thing. In another situation, if the person even looked vaguely similar, cashiers rarely look at the picture, and if they did, the person could just say that the picture was taken four years ago when they were a freshman. It would be difficult to buy a lot of things of large value, but it would be very easy to steal small amounts of money this way. Also, if a non-student wanted to get into dorms and had a card, this would be extremely easy for them to do with a stolen or found card. They could use this as a way to steal from dorm rooms. Once the owner realizes the card is gone, they will likely go get a new one, at which point the stolen or found card will no longer work. However, in the meantime, someone could spend quite a bit of money, and I don't think the student would get refunded if it was discovered.

It would be very difficult to make the ID card a lot more secure unless students were greatly inconvenienced. If the card system was changed, dorms would be difficult to get into, lines would move slower in the dining hall and the Huddle, along with many other things. A few things that could help would be to issue a new ID with a new picture every year so that pictures were more up-to-date. At the same time, there could be an increase in awareness on the part of the dining hall workers and cashiers to actually look at the picture. If there was a big difference, they could ask for a second form of ID. Part of the problem now is that most people seem to be too trusting.

Another suggestion might be to allow students to pick their own PIN instead of making it automatically be the birthday, as this could be easily found out. This might be expensive, but there could be a way to require a PIN before Domer Dollars can be used for laundry or for buying anything else. There is currently a way online to track use of Domer Dollars and Flex Points. Perhaps this should be better publicized so students can check usage on a more regular basis and see if anything looks suspicious.

To a large degree, there just has to be some risk acceptance though in order to keep the convenience of students in mind. The good thing is that the only personal information contained on the card is the student ID number, so stealing a card would not enable the thief to find out too much. Also, as often as students use their IDs, they would likely quickly notice if their card was missing. They might look for it for a while in an attempt to avoid paying the replacement fee, but within a fairly short amount of time, they would have to get a new card, which would make the old card invalid. Thus, the risks are not such that too much increased security would make sense.

Tuesday, November 10, 2009

Slides

Here are the slides from class on:

Sunday, November 8, 2009

60 Minutes: Hacking the Nation

http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml?tag=contentMain;cbsCarousel

I left my TV on after watching some football and ended up catching this story. It talks about the vulnerability of our power grids and the threat of hackers. It also talks about attacks that have taken place in other countries. It also explores the threat on banks and our information-based economy. Like most news stories, I'm sure there's some stuff that isn't exactly the way they make it seem, but it's an interesting piece.

Wednesday, November 4, 2009

Expert Pessimistic about the Future of Network Security

Founder and CEO of FireEye Inc., a network security appliance vendor, Ashar Aziz was interviewed by SearchSecurity.com about the ever-changing world of information and network security. Throughout the interview, Aziz consistently expresses his doubt that absolute information and network security is possible. Aziz maintains and elaborates on the evolving world of security, with malware and botnets being his main emphasis.

Aziz maintains that it is nearly impossible to block or control the malicious activity criminals across the World Wide Web are initiating. Sometimes the malicious malware or stealthy botnets are inadvertently put out into the public domain by harmless bystanders. Whatever the case may be, Aziz states that malware and technologies such as botnets will always be adapting to the newest security measures and developments in order to allow criminals to get what they want, whether that be personal information, credit card account numbers, or data.

Modern malware has adapted in order to communicate information back to the active party seeking information. As Aziz states, “it comes in passively via a Web exploit, a .pdf attack, a JavaScript class of attack and then it’s going back out via HTTP.” Thus hackers are easily capable of theft of data or financial information. Conficker is a recently popular botnet that has enjoyed some success. As Aziz explains them, “they crawl in, they crawl right back out and the machine becomes controllable.” Conficker was spreading such “drive-by downloads” through simple exploitation acts. No matter the security, Aziz maintains there will always be a risk involved with the storing of an individual’s coveted information.

Although it has been reiterated over and over again, simple security checks by all individuals are needed. Password strengths, firewall updates, and the like are just some of the common necessities required to ensure the utmost security. As Aziz alleged, security will always be a major concern for those within the information field. There is no way around the ever-changing technology of computer hacking.


Source: "Modern malware, stealthy botnets, adapt quickly, expert says" SearchSecurity.com. Retrieved 3 Nov 2009. (http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1373367,00.html).

Tuesday, November 3, 2009

Security Review: iPod Touch

The iPod touch is one of the newer technologies released by Apple. For those who know the iPhone, it is basically an iPhone without phone capabilities. It allows users to store and listen to music, store and access photos and videos, use applications, and access the internet using a wireless internet connection. It has a 3.5 inch touch screen that allows the user quick, intuitive access to all its features. Like other iPods, it synchronizes with a computer using iTunes. Also, though, it can download applications straight to the iPod with access to a wireless internet. It can be linked up to e-mail and browse the internet just like a regular computer.

There are three primary security goals that I would have if I were the owner. The first is simply the physical security of the iPod. The iPod is compact, but easily slipped into a pocket or snatched if out of sight for a moment. Maintaining the physical security of the iPod will ensure confidentiality, integrity, and availability.

The second goal I would have would be to try to protect the iPod from unauthorized users. The iPod does allow for a 4 digit passcode to prevent random access. This would limit availability to only those who were permitted, and protect the confidentiality and integrity of any information stored on the device.

Finally, the use of wireless internet requires some goals. Just like using any wireless internet, you would want to make sure you are using a secure wireless network that you know. Otherwise, confidentiality and integrity could be compromised.

The main assets in question are access to any e-mail accounts linked to the e-mail application, any information stored on the iPod or in any of the applications, and anything involving the use of the internet, especially web server traffic and history.

Looking at physical security, if I was an attacker trying to exploit the technology, I could easily fit my hand around the device and slip it to some place where it could be removed. If I was able to get a hold of another person's iPod, chances are that there wouldn't be a passcode on it. It just isn't convenient to have to put that passcode in every time you want to use it. Even if there is a passcode though, it is only 4 numerical digits. This doesn't allow for a very secure passcode. If I got a hold of it and was able to access it, and that person had hooked up their e-mail, you normally don't have to do anything but hit the e-mail button to look at their e-mail and send e-mail. Also, users must manually clear a browser history, cookies, and cache. These things would allow disclosure and alteration.

If the iPod would connect to an unsecured network, I believe someone would be able to track all of the traffic, just as if it was a normal computer. This is definitely a vulnerability.

I also think that an attacker might try to exploit the iPod using an application to get remote access to an iPod, which could possibly eventually lead to spreading of viruses or worms, hacking into networks, etc.

There is definitely a risk of someone other than the owner having easy access to that owner's information. It would be important to make sure that you choose to connect only to secure networks that you know and avoid the risk of being tracked. If you want the access that the iPod gives you, however, you would have to accept the risk of its physical security. You could get insurance, but they wouldn't be able to prevent access to any information on the lost or stolen iPod. A very cautious owner could look into seeing if there is an alternative way to lock up the iPod so that protection from unauthorized people would be ensured.

Reference:
http://www.apple.com/ipodtouch/what-is/ipod.html

Sunday, November 1, 2009

Side-Channel Attacks: The Neglected Threat

Imagine sitting with your laptop at the student center, one of the campus computer clusters, or even your own dorm room with the window open. So far you have been good with protecting your information: you take a class on information security, you have the most recent anti-virus, your passwords contain many digits and characters, and you only connect to WPA2 wifi points if necessary. Nevertheless, you are at risk from lesser-known threats known as side-channel attacks.

According to a fairly recent article in Scientific American, a side-channel attack “exploit[s] the unprotected area where the computer meets the real world: near the keyboard, monitor or printer, at a stage before the information is encrypted or after it has been translated into human readable form.” Essentially, these are the signals your computer emits, the sounds of a keyboard or printer, and the images displayed on a monitor.

In class, a recent case study focused on a very high tech form of this known as TEMPEST, where electromagnetic waves from the monitor are received and reconstructed on another monitor. Though this attack requires operators and somewhat sophisticated equipment, there are even lower tech side-channel attacks. Simple microphones paired with special software have been proven to accurately reconstruct information from dot-matrix printers, and new advances are making it possible to predict the information printed by inkjet printers. Also, a webcam with software can track the motion of your fingers and quickly identify passwords and other sensitive input. A scientist in Germany, Michael Backes, recently developed a project to reconstruct monitor images by simply looking at the reflection of nearby objects, such as a teapot and even the user’s eyes, to record the exact information on the monitor. He used a telescope paired with a digital camera. Using even higher-powered equipment and editing techniques used by astronomers, he could reconstruct reflections on people’s eyes from 30 ft away.

Though seldom mentioned or reported as a cause of an attack, side-channel attacks are proven methods that should not be neglected. They cannot be mass distributed over the web or easily automated, but nevertheless can beat all encryption to gain your information. They are difficult to adequately defend against. In the case of reflections, even privacy monitor filters do not work, as they intensify the light projected onto your eyes. Essentially, we must all be more careful where and how we access information. Despite the convenience of mobile devices, avoid reading bank statements and other records in public view. Refrain from using public wifi zones or computer cafes for sensitive information, where malevolent attackers can set up listening devices, webcams, or telescopes across the street beforehand. Know that side-channel attacks are limited in range and in the information they can access, and that vigilance toward suspicious surroundings is the key to protecting yourself.

Source(s):
Gibbs, W. W. (2009, April 27). How Hackers Steal Secrets From Reflections. Retrieved October 31, 2009, from Scientific American Magazine: http://www.scientificamerican.com/article.cfm?id=hackers-can-steal-from-reflections

"Foursquare"

“Twitter” is apparently already over the hill, and replacing it is the new website, “Foursquare”. This New York-based website is the up-and-coming social networking site. Like “Twitter”, it allows your friends to know what you are up to at any given moment. However, “Foursquare” adds an extra element to the idea of “Twitter”; instead of having the user give a quick summary of what he or she is doing, users of “Foursquare” will “check in” to a city, a bar, or a restaurant, etc. Once your geographical/social status is updated, your friends are sent a message that tells them where you are and what you are doing so that if they are in the same area, they can join you. Through “Foursquare” you can also list the venues that you would like to visit or would recommend that your friends should visit. Another interesting factor that separates “Foursquare” from “Twitter” is that you win points for checking in. A user’s points are displayed on the site and if he or she checks into a location enough times, then they can be named the “mayor” of that establishment.

To capitalize on this site, the creators of “Foursquare” gather the information to potentially sell to businesses that want to get their names out there. This information has great potential to be used for research and advertising.

As a social networking site, “Foursquare” has great potential because it leads to personal contact as opposed to sites that focus on conversation and friendship online. However, many are worried about the privacy implications that go along with broadcasting one’s exact location. At one point, CNN.com referred to this new service “as an invite to have your house robbed”. In addition to leaving one’s physical belongings vulnerable to theft, broadcasting the locations where one will be using one or multiple credit cards could make it even easier for hackers to piece together personal information to sell on the black market of stolen identities. The location information that users of “Foursquare” will provide via “check in” will be time logged, so that information could be helpful to obtaining credit card information if it was compared with the transactions of that evening at any establishment. This site could also be used to keep fraudulent purchases under the radar by matching purchases made with stolen credit card information to the city that the “Foursquare” user is in.

There are many ethical and security implications of adding location to a social networking site as “Foursquare” has done, and it will be interesting to see if people choose to ignore the risk in favor of making more connections.

Sources:
"Privacy is dead, and social media hold smoking gun - CNN.com." CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News. Web. 29 Oct. 2009.
"What is Foursquare? - Pocket-lint." Gadget Reviews, Product News, Electronic Gadgets - Pocket-lint. Web. 29 Oct. 2009.