(Gift) Card Security

One of the most common holiday gifts -- especially for that cousin you see twice a year, or whoever you picked for this year's gift exchange -- is the gift card. It's quick, it's easy, and it even looks like you managed to put a little thought into it. However, there are some potential security issues with gift cards.

First, gift cards are pretty insecure, physically speaking. It is very easy to lose (or steal) a gift card. In order to protect themselves from these thefts, retailers require gift cards to be activated at the point of sale -- which means that someone has to pay for a gift card before it can be used. Unfortunately, this means that the damages from gift card loss always fall on the consumers, rather than on the retailers.

Starbucks has an interesting way to solve this problem. If you receive a Starbucks gift card, you have two choices -- you can just use the card as it is, or you can register it by opening an account at starbucks.com and entering the information on the back of the card. You can register several cards to your starbucks.com account -- and most importantly, you can move the balances around between them whenever you want. This means that if you lose a card that still has $15 on it, you can simply go to your starbucks.com account, move the balance to a different card, and go buy your Pumpkin Spice Latte without worrying.

Second, some gift cards can be "hacked" fairly easily. Most gift cards display account numbers on the back, which can be used to track the balance of the card, and sometimes to use the card at a retailer's online store. If these numbers are not randomized, a hacker can get one or two gift cards, and begin testing other account numbers in a similar range -- much like Jon Oberheide did with gift cards from Panera. Even though the site used a CAPTCHA to prevent this behavior, Oberheide maneuvered around the CAPTCHA because the Panera site used an insecure direct object reference. Because the url contained the account number, Oberheide was able to write a script to check the balances of 50,000 cards.

This specific security breach is not particularly concerning for either Panera or the owners of the cards. Because Panera has no online store, there is no way that a hacker could use the card online to purchase things. For a store like Target or Old Navy, however, this breach would be an issue. A hacker could use this process to find an active card carrying a balance -- and then use that gift card account to go on an online shopping spree.

Retailers have several ways to get around this. Some package their cards in such a way that it is impossible to see the account number without tampering with the packaging. Other cards include a scratch-off PIN, which must then be entered in order to use the card at an online store. Clerks are advised not to sell cards that have clearly been tampered with, whether that means an open package or a scratched-off PIN.

Gift cards are an easy gift, but they come with some security concerns. It's a good idea to be careful, and notice the security measures that the gift cards you buy come with.

Sources:

http://jon.oberheide.org/blog/2009/04/15/panera-gift-card-security/

http://www.schneier.com/blog/archives/2006/12/gift_card_hack.html

Beware of Microsoft Security Updates

Recent reports have surfaced that some Microsoft users performing security updates have been faced with serious problems. Users are experiencing black screens, which experts are classifying the problems as "blackouts". The problems were submitted to Microsoft by a British security firm called Prevx. "The symptoms are very distinctive and troublesome," Prevx said. "After logging on there is no desktop, task bar, system tray or sidebar. Instead you are left with a totally black screen and a single My Computer Explorer window." The issue has been affecting Windows operating systems ranging from Windows NT through Windows 7.

Prevx addressed the issue and discovered that there appears to be 10 different scenarios which can cause the black out. These issues have been ongoing for years. However, in regard to the most recent security update, Prevx said changes to the way registry keys are handled appears to be the reason it is causing black screens.

In response to this event, the security team at Microsoft should perform more research on the black outs to find concrete causes for what is happening. Once they have found the underlying problems, past the registry keys, they should devise a patch for the operating systems to avoid further problems.


Source:

http://news.cnet.com/8301-13860_3-10406369-56.html?tag=newsEditorsPicksArea.0

Spammer Goes to Jail

In the article, "Spammer Gets Four Years In Jail For Stock Fraud Scheme," Robert Westervelt reports that last week, Alan M. Ralsky, the “Godfather of Spam,” was sentenced to prison for his role in a fraudulent stock spamming scheme. Ralsky and three accomplices, including John S. Bown, John Hui, and son-in-law Scott Bradley, responded to their 2007 indictment by pleading guilty to mail fraud, wire fraud, e-mail fraud, aggravated identity theft, money laundering, and also to violations of the CAN-SPAM Act. As a result, Ralsky will spend four years in prison.

Ralsky, a resident of West Bloomfield, Michigan, has been under investigation by the Federal Bureau of Investigations, the Postal Inspection Service, and the Internal Revenue Service for the last six years. According to the prosecution, Ralsky and his team established “botnets by infecting computers with malicious code to create and control an army of zombie machines that sent out millions of junk emails since 2003” (Westervelt 1). This spam advertised “pink sheet” stocks which produced an increase in the stock price, allowing the intended stock holders to sell for a large profit.

The report notes that this spamming scheme resulted in the laundering of millions of dollars, and, to quote the U.S. Attorney for the Eastern District of Michigan, “the Court has made it clear that advancing fraud through abuse of the Internet will lead to several years in prison.”

Once again, this appears to be a case where some personal investigation along with a skeptical approach to emails of this nature could have prevented or, at the very least, reduced the success of Ralsky and his fellow spammers. According to this article, McAfee Inc. reported that spam an malware levels are the highest level ever recorded. That being so, cases like these serve as a reminder to be cautious when encountering suspicious emails and always be aware of the dangers that inevitably accompany technology.

Source: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1375505,00.html

Security Review: The Jupiter Jack (as seen on TV)

The continuously looping infomercials featuring Billy Mays and Anthony Sullivan state that Bluetooth devices and headsets sold at cell phone stores are expensive, ranging from $50 - $150. The Jupiter Jack provides a low cost alternative as State and local governments are placing restrictions, requiring hands-free devices to be used in cars. The device works similar to an iPod or MP3 car adapter. The mobile phone is mounted to the dashboard and connected to a small, key-sized microphone and radio transmitter. The jack broadcasts the conversation to the car’s FM radio, “Instead of hearing music, you hear the other person’s voice.” The microphone also amplifies the user’s voice into the phone.

Any customer would be enticed by the low price tag around $20. However, this device has some serious security flaws. As one of the millions of cell phone users in the nation, I want my conversations out of the public domain. I should always be able to have clear communications with the other caller without outside interference. It is not difficult to see how the Jupiter Jack does little to protect the confidentiality, integrity, or availability of the user’s conversation.

Those seeking to attack users of the Jupiter Jack require little effort or equipment to achieve a variety of goals. These include gaining access to conversations without detection, interjecting the attacker’s voice into the conversation, and also denying service to Jupiter Jack users. Attackers can easily listen in on conversations, as both broadcast frequencies 88.7 and 99.3 FM are explicitly mentioned in the infomercials. Though inventor Jason Bobb claims the Jack is FCC approved with a range of 25 ft, bumper-to-bumper traffic puts attackers much closer. Longer range side-channel attacks are still a possibility with stronger receiver antennas. Although only the other person’s voice is supposedly broadcast, user reviews complain of an echo effect in the radio. Enhancing this echo, attackers can listen in on both sides of the conversation. By purchasing a Jupiter Jack, attackers have all the tools to deceptively broadcast into another conversation, or even cause enough interference to make the Jupiter Jack unusable.

Just as computer users with wireless internet are not always exchanging secure information or making online purchases, conversations on the Jupiter Jack will often be meaningless to attackers. However, this is a nationally advertised product that provides a low-cost headset. In a city, there may be thousands of Jupiter Jack users. All it takes is one user giving out or receiving sensitive information to make Jupiter Jack a lucrative target. Unlike Bluetooth, there is no encryption, and listening in on another conversation on your car radio is not illegal.

Users are left with few options. Either don’t speak on the Jack in crowded areas, where a hands-free is a must, or limit your conversations. Owners of the Jupiter Jack must simply accept that they have made their conversations very public. Those looking to cut costs have skipped the gimmicks of the Jupiter Jack and have simply purchased an audio wire to connect their phone directly to the car’s MP3 port. Bluetooth devices may be worth the encryption. Ultimately, driver’s safety does not have to compromise information security as easily as the Jupiter Jack does.

Discovery’s Pitchmen. “Pitches and Tests”

StarReviews. “Jupiter Jack”

Youtube. “Jupiter Jack”

Facebook Games: "Scams or the Next Killer App"

Web applications developed on social networking sites such as Facebook and MySpace are becoming a lucrative new business, making millions of dollars and attracting a growing pool of users. Anyone who has a profile is familiar with Zynga's games by now, including Farmville, Fish Ville, Cafe World, and Mafia Wars. As Belinda Luscombe puts it, "Social games promise the golden pork-chop combo of the addictiveness of computer game with the communality of Facebook and MySpace." The company even has hired a behavioral psychologist to develop more addicting applications.

As we have discussed in class, third parties on Facebook do not necessarily abide by all the privacy settings you set and can access your profile information. In the case of Zynga apps, users began sending complaints of mysterious charges. The parent of one user received a cell-phone bill that had $170 of extra charges. How did this happen?

In order to increase their value, these apps often contain many ads and offers for various services. Users looking to increase their points, scores, or standing will pay actual money or accept offers from advertised companies. People don't always know they are paying for offers from Netflix to text message services. Zynga incorporated thousands of these offers without properly monitoring the terms set by these ads. According to founder Mark Pincus, "I did every horrible thing in the book to just get revenues right away."

With countless third parties of third parties, the lack of oversight is to blame. For now Zynga has suspended offers and vows to review ads once they are reactivated. Facebook also claims to be placing stricter guidelines on third party apps. In order to prevent future scams, social networking sites, as well as the companies behind apps must take responsibility for their users’ safety online and ensure financial transactions are not made unintentionally. They must also ensure that offers are legitimate and that credit card use meets industry standards.

Users must also take precautions when utilizing applications. Giving out cell phone or credit card numbers, or any other information makes users vulnerable to unwarranted charges. Be wary when accepting offers. Know who is making the offer and the conditions included. Though a high score may be a click away on a Netflix offer, remember, it’s just a game.

Luscombe, Belinda. "Zynga Harvests The Cyberfarmer." Time, November 30, 2009: 59-60.
Available online: http://www.time.com/time/magazine/article/0,9171,1940668-2,00.html

Google Chrome OS

In 2010, Google will attempt to break into the operating system market with the release of Chrome OS. The driving principal behind the operation system is speed. Google’s engineers goal were to produce an experience similar to television, with regards to speed.
From a security point of view, one advantage of Chrome OS will have over the established PC model is that Chrome will not allow applications to install locally or make changes to the operating system. In laymen’s terms, instead of installing programs to the hard drive, like the established PC model, the programs will be available through the internet, like iphone apps. All of your data and applications will be automatically synced to the cloud. Matt Papakipos, engineering director on the projected, summed up this move by saying, "If I lose my Chrome OS machine, I should be able to go get a new machine, and have everything back up running in seconds" via the automated cloud backups.
As for encryption, all user data on every Chrome device will be encrypted, in case the device is lost or stolen. Another aspect of the boot process enhances security. “A verified boot process applies cryptographic signature keys to each chunk of code, so the system can check the validity of module of the operating system before it is allowed to execute. In the event that some element of code doesn't check out--due to malware or other corruption, the system will run an automated recovery procedure repair itself by redownloading the appropriate version of Chrome and reimaging the OS” (Strohmeyer).

http://www.pcworld.com/businesscenter/article/182655/google_chrome_os_unveiled_speed_simplicity_and_security_stressed

Problem takes no time in Windows 7

Microsoft has issued a security advisory to acknowledge a denial-of-service flaw affecting its newest operating systems — Windows 7 and Windows Server 2008 R2. Researcher Laurent Gaffié issued this after failed attempts to get Microsoft’s security response center to acknowledge that this was an issue that needs to be patched. Microsoft then released a Security Advisory 977544 with pre-patch mitigations and a confirmation that the “detailed” code could provide a roadmap for hackers to cause Windows 7 and Windows Server 2008 R2 systems to stop responding until manually restarted.

"The way an attacker would used this online is hosting a web page that contains a specially crafted URI. A user that browsed to that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malicious response back to the user. This response would cause the user’s system to stop responding until manually restarted. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker’s site."

If users don't get the patch, Microsoft recommends that affected users block TCP ports 139 and 445 at the firewall. Windows users should also block all SMB communications to and from the Internet to help prevent attacks.

I thought this was funny because in the post below, it talks about the possible vulnerabilities that new programs present. It shows here that new programs will have holes that hackers are waiting to find. It makes it seem like no matter how on top of it a program may seem, it still will be vulnerable.

http://blogs.zdnet.com/security/?p=4938&tag=nl.e589

Security Review: WIndows 7

Windows 7 is the most recent version of Microsoft Windows available. Microsoft Windows is an operating system for use on personal computers and is the replacement for its predecessor Windows Vista. Windows 7 is focused on being more of an incremental upgrade of the windows line and has the goal of being fully compatible with applications and programs for older versions of Windows. Added features include a new taskbar called the Superbar, performance improvements and a new home networking system.

The biggest problem when releasing a new operating system is holes in the programming. One of the biggest goals then is to limit the amount of errors prior to release. It is important that a new operating system allows it's users to easily access the information they have stored on their hard drives, but also be able to secure it. Windows 7 has Bitlocker which will encrypt the entire hard disk. Also like all operating systems it allows users to have personal logins and passwords to protect their information. Also protecting the integrity of the OS by having cd keys to register each owner is important, otherwise you do not know who is using it.

Like i said above holes in the programming are the biggest problem for new operating systems, especially for big name OS like Windows. Hackers look to exploit these errors in programming to gain access to people's computers. In doing so they are able to tamper with information or change a computer in a zombie computer without the owner even knowing. Also The manufacturer needs to worry about hackers stealing their products. Hackers find ways to download operating systems for free and crack CD key algorithms to use the programs for free.

The biggest weakness seen so far with Windows 7 is the ability of hackers to break CD key algorithms. I have seen on multiple blogs hackers who have found workarounds as well to exploit Windows 7 that they borrowed from friends. Also since the home networking system is brand new I can see a hacker finding a way to exploit it. New programs are the easiest to exploit because it hasn't been tested by hackers yet. The risk in using the new Windows 7 or any OS is easily apparent. If a hacker gains access through a hole in the system or a backdoor they have complete access to your computer and can use it how they wish. I feel the new home networking system may be a new way for hackers to do this.

The best that Microsoft can do to avoid these complications and possible risk is to accept that they are going to happen. No operating system is perfect and because such large teams of people work on them there are bound to be problems. The best they can do is to skim blogs and have their own hackers try to break the system and come out with service packs and patches to fix any problems found.

http://gizmodo.com/5404781/windows-7-hacked-again-for-keyless-activation
http://reviews.cnet.com/windows/microsoft-windows-7-professional/4505-3672_7-33704140.html

Cyber Warfare: A Serious Threat

Cyber Warfare has always been seen as a minor security issue amongst several nations for the past couple decades. However, it seems as if the time is upon us where the skills and expertise of cybercriminals all over the world will be employed by government and military personnel of several powerful nations. Imagine instead of bombarding a town filled with military buildings and equipment, a country hires a team of hackers to botnet attack a country’s national bank- causing national mayhem. According to Paul B. Kurtz, an analyst at Good Harbor Consulting, that time is now.. With the releasing of his McAfee Report, “Virtually Here: The Age of Cyber Warfare”, Kurtz maintains that such incidents are occurring.

 

Cyber attacks have been reported in Estonia as well as Georgia, both of which have been viewed as traceable to Russia.  Many blame North Korea for the July 4^th attacks on South Korea and United States resources.  Congressman Peter Hoekstra (Rep. Michigan) publicly stated that a counterattack or action of “force or strength” against North Korea should have been conducted. Bank closures and manipulation of financial records were the congressman’s biggest fear.  All in all, Kurtz maintains that cyber warfare is a serious and real issue. Then again, he also insists that attributing suck attacks are very difficult. Nations can simply “go to the criminal underground to secretly pay for a massive botnet attack against its enemy.” Anonymity is standard procedure in the hacking community for obvious reasons. They do not want to be caught. They hardly ever are.

 

The first thing needed to be done by all nations around the world is to accept cyber warfare as a legitimate threat and concern for all countries.  If it is as easy as Kurtz explains, anybody can attack anybody. The smallest, most insignificant country or rebel group is now capable to infiltrate and cause destructive mayhem to the largest and most powerful countries such as the United States. It is a scary thought to digest. However, it must be digested. Security to prevent these attacks must be tightened. Cybercriminals all across the globe must be punished. The Internet with its public domains and free international access is the future’s battlegrounds. We must all treat it as so.  Yes, the Internet has opened many doors of opportunity; cyber warfare should not be one. Although I am not sure what legislative and diplomatic steps must be taken in order to avoid such incidences from occurring in the future and in larger proportions, I do know action is necessary sooner rather than later. As with all problems, awareness is the first step to a solution. Cyber warfare is a severe threat just as any other type of warfare.

Hackers pillage jailbroken iPhones

Hackers are obtaining personal data from jailbroken iPhones. The new malware called “iPhone/Privacy.A” uses the same approach as the “ikee” worm to silently snatch control of some iPhones. They then proceed to steal personal information from the hijacked iPhone, including e-mail messages, names from the address book, text messages, music and video files, photos and calendar entries. The ikee worm was released a week ago by Ashley Towns, a 21-year-old unemployed Australian programmer, who told the IDG News Service that he intended it as a prank.

The attacks only affect those Apple smartphones whose users have hacked, or “jailbroken” the devices to install unauthorized software or make calls on carriers other then the ones Apple assigns. "It's not surprising," said Charlie Miller, a noted researcher of iPhone vulnerabilities, when asked his take on the move toward malicious intent. "This 'vulnerability' gives you root access to the iPhone, which gives you full access. It's trivial to exploit, that doesn't need shellcode or anything like that."

This could be installed on a computer on display in a retail store, which cold then scan all iPhones that pass within the reach of its network. Or a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data. Similar malware could also do more than the data plundering that iPhone/Privacy.A is engaged in. Stealing personal data is certainly possible, as is running up the phone bill, sending bulk SMS messages and so on.

David Harley, director of malware intelligence at San Diego, Calif.-based security vendor ESET urged iPhone users to take caution and Apple to tackle the inherent security weaknesses of jailbroken iPhones. "This is more than a prank: It's an indication that the platform is regarded as a target for more than proof-of-concept messing about. Apple should be considering whether they should do some re-engineering to take into account vulnerabilities introduced by jailbreaking."

I thought that this article was interesting because I know so many friends who jailbreak there iPhones so that can get all the programs for free, but they don’t realize that they are really putting themselves into danger.

http://www.computerworld.com/s/article/9140699/Hackers_pillage_jailbroken_iPhones?taxonomyId=82

Electronic Bank Heist

The following blog was formulated from an article in the Wall Street Journal titled, "Hackers Indicated in Widespread ATM Heist," printed Wednesday, November 11, 2009. The article was written by Siobhan Gorman and Evan Perez.

FBI officials are currently cooperating with Royal Bank of Scotland in the ongoing investigation of what prosecutors in Atlanta, Georgia announced as one of the "most brazen and damaging electronic-bank heists disclosed to date." The U.S. Justice Department has indicated eight Russian and Eastern European computer hackers broke into ATMs in hundreds of cities world-wide and stole $9 million in a matter of hours. This is a primary case of the booming online theft from financial institutions, which accounts for more money stolen electronically, or in data breaches than through bank robberies.

Preparation for the heist began November 4, 2008, when the four hacker ring leaders broke into RBS WorldPay's computer network from a location outside the United States. The article states that "the alleged hackers targeted payrolls debit cards that companies issue employees for withdrawing their salaries," and then tried to destroy the data on the systems in order to cover up the break-in. Once the hackers were in the system, they boosted the maximum allowed withdrawal. The thieves distributed approximately 44 prepaid payroll card numbers and personal identification numbers to their network of "cashers". On November 8, 2008, they signaled to their "cashers" to begin withdrawing money and over the next 12 hours more than $9 million disappeared from accounts in 280 cities from Atlanta to Hong Kong. "Cashers" kept half the cash and sent the rest back to their ring leaders. RBS detected the breach on Nov. 10, 2008, and disclosed it publicly on Dec. 23, acknowledging that the data of 1.5 million cardholders was compromised and that also 1.1 million social security numbers may have been compromised. Although, the indictment makes no mention of the social security numbers possibly compromised. Currently, only one of the men accused was arrested and is awaiting trial, while the others are thought to be at large. Prosecutors in Atlanta announced indictments Tuesday, November 10, 2009. Four conspirators were charged with 16-counts that ranged from fraud to aggravated identity theft. The Royal Bank of Scotland ensured that its customers were reimbursed for stolen funds. The losses could have been much greater if a larger network was assembled by the accomplices, but some of the ATMs ran out of money.

The RBS hackers are one of two major cyber gangs law enforcement officials have been targeting in recent years because of their secular capabilities. The second is the group responsible for the online attacks on TJX. A United States Attorney states the RBS hackers to be "one of the most sophisticated computer hacking rings in the world." As evidence to this, the RBS group was working together from different parts of the country, sharing expertise and techniques even though they had never met each other. Another example of their highly intellectual ability is shown by one of the RBS hackers Russian ring leaders, who used a technique which manipulated the data and "developed a method used to reverse-engineer personal identification numbers from encrypted data on the network of RBS WorldPay." Today, a lawsuit against RBS WorldPay is still pending, alleging that the company failed to adequately protect customer data. But how can companies "adequately" protect data and prevent this from happening? It seems to be extremely difficult and almost impossible to avoid these highly intelligent and well organized hacking crimes.

ND IDs

Within our first day or two of arriving at Notre Dame, all of us got our student ID card. This required being photographed, and then getting the card with the strip on the back. This card served as our key to get into dorms, our meal ticket, and a virtual debit card on campus with FlexPoints and Domer Dollars being deducted from them. Periodically cards get worn down and the strip on the back no longer works much to the annoyance of the dining hall ladies who then have to punch in student ID numbers after several failed swipes. Sometimes, people lose them and have to get another one. Overall though, this card is with us almost continually for four years. There are plenty of security questions to consider when thinking about our ID cards though.

For all the access that the card provides, it really has very little security. In many ways, this is a good thing as no one wants to be hassled with producing multiple forms of ID or signing something every time they go to the dining hall or do laundry. There is a picture on the ID, but that picture is taken freshman year, and most people change in appearance plenty over their four years. Plenty of times the cashier doesn't even look at the picture to begin with, and in the case of Domer Dollars used on vending machines or laundry machines, there is no check at all. If a card is lost or stolen, anyone can use that card until it is reported and canceled. As a key, after parietals or when entering some side doors, only dorm residents can enter, and they require a swipe of the card and then punching in a four digit code, the student's birthday by month and day. However, if someone really wanted to get into a dorm, it would be easy enough to find out a birthday. Also, as I figured out due to my card getting really worn down and falling apart, the strip part of the card actually peels away from the front of the card with the name and photo. If someone really wanted to, they could switch card identities or make a false front and attach the back to it.

If I were an attacker trying to exploit these cards for my own use, the thing to do would be to quickly buy things with Domer Dollars or FlexPoints once I stole or found one. The attacker could spend some of it without ever having anyone even see the ID at vending machines and that type of thing. In another situation, if the person even looked vaguely similar, cashiers rarely look at the picture, and if they did, the person could just say that the picture was taken four years ago when they were a freshman. It would be difficult to buy a lot of things of large value, but it would be very easy to steal small amounts of money this way. Also, if a non-student wanted to get into dorms and had a card, this would be extremely easy for them to do with a stolen or found card. They could use this as a way to steal from dorm rooms. Once the owner realizes the card is gone, they will likely go get a new one, at which point the stolen or found card will no longer work. However, in the meantime, someone could spend quite a bit of money, and I don't think the student would get refunded if it was discovered.

It would be very difficult to make the ID card a lot more secure unless students were greatly inconvenienced. If the card system was changed, dorms would be difficult to get into, lines would move slower in the dining hall and the Huddle, along with many other things. A few things that could help would be to issue a new ID with a new picture every year so that pictures were more up-to-date. At the same time, there could be an increase in awareness on the part of the dining hall workers and cashiers to actually look at the picture. If there was a big difference, they could ask for a second form of ID. Part of the problem now is that most people seem to be too trusting.

Another suggestion might be to allow students to pick their own pin instead of making it automatically be the birthday as this could be easily found out. This might be expensive, but there could be a way to require a pin number before Domer Dollars can be used for laundry or for buying anything else. There is currently a way online to track use of Domer Dollars and Flex Points. Perhaps this should be better publicized so students can check usage on a more regular basis and see if anything looks suspicious.

To a large degree, there just has to be some risk acceptance though in order to keep the convenience of students in mind. The good thing is that the only personal information contained on the card is the student ID number, so stealing a card would not enable the thief to find out too much. Also as often as students use their IDs, they would likely quickly notice if their card was missing. They might look for it for a while in an attempt to avoid paying the replacement fee, but within a fairly short amount of time, they would have to get a new card, which would make the old card invalid. Thus, the risks are not such that too much increased security would make sense.

Slides

Here are the slides from class on:

• Operating System Security
• IT Security Law

60 Minutes: Hacking the Nation

http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml?tag=contentMain;cbsCarousel

I left my TV on after watching some football and ended up catching this story. It talks about the vulnerability of our power grids and the threat of hackers. It also talks about attacks that have taken place in other countries. It also explores the threat on banks and our information-based economy. Like most news stories, I'm sure there's some stuff that isn't exactly the way they make it seem, but it's an interesting piece.

Expert Pessimistic about the Future of Network Security

Founder and CEO of FirEye Inc., a network security appliance vendor, Ashar Aziz was interviewed by SearchSecurity.com abut the ever changing world of information and network security. Throughout the interview, Aziz consistently expresses his doubt that absolute information and network security is possible. Aziz maintains and elaborates on the evolving world of security- malware and botnets being his main emphasis.

            Aziz maintains that it is nearly impossible to block or control the malicious activity criminals across the World Wide Web are initiating.  Sometimes the malicious malware or stealthy botnets are in avertedly put out into the public domain by harmless bystanders.  Whatever the case may be, Aziz states that malware and technologies such as botnets will always be adapting to the newest security measures and developments in order to allow criminals to get what they want; whether that be personal information, credit card account numbers, or data.

            Modern malware has adapted in order to communicate information back to the active party seeking information.  As Aziz states, “it comes in passively via a Web exploit, a .pdf attack, a JavaScript class of attack and then it’s going back out via HTTP.” Thus hackers are easily capable of theft of data or financial information.  Conficker is recently popular botnet that has enjoyed some success. As Aziz explains them, “they crawl in, they crawl right back out and the machine becomes controllable.”  Conficker was spreading such “drive-by downloads” through simple exploitation acts. No matter the security, Aziz maintains there will always be a risk involved with the storing of an individual’s coveted information.

Although it has been reiterated over and over again, simple security checks by all individuals are needed.  Password strengths, firewall updates, and the like are just some of the common necessities required to ensure the utmost security.  As Aziz alleged, security will always be a major concern for those within the information field. There is no way around the ever changing technology of computer hacking.

Source: "Modern malware, stealthy botnets, adapt quickly, expert says" SerachSecurity.com Retrieved 3 Nov 2009. (http://searchsecurity.techtarget.com/news/interview/0,289202,sid14_gci1373367,00.html).

Security Review: iPod Touch

The iPod touch is one of the newer technologies released by Apple. For those who know the iPhone, it is basically an iPhone without phone capabilities. It allows users to store and listen to music, store and access photos and videos, use applications, and access the internet using a wireless internet connection. It has a 3.5 inch touch screen that allows the user quick, intuitive access to all its features. Like other iPods, it synchronizes with a computer using iTunes. Also, though, it can download applications straight to the iPod with access to a wireless internet. It can be linked up to e-mail and browse the internet just like a regular computer.
There are three primary security goals that I would have if I were the owner. The first is simply the physical security of the iPod. The iPod is compact, but easily slipped into a pocket or snatched if out of sight for a moment. Maintaining the physical security of the iPod will ensure confidentiality, integrity, and availability.
The second goal i would have would be to try to protect the iPod from unauthorized users. The iPod does allow for a 4 digit passcode to prevent random access. This would limit availability to only those who were permitted, confidentiality and integrity of any information stored on the device.
Finally, the use of wireless internet requires some goals. Just like using any wireless internet, you would want to make sure you are using a secure wireless network that you know. Otherwise, confidentiality and integrity could be compromised.
The main assets in question are access to any e-mail accounts linked to the e-mail application, any information stored on the iPod or in any of the applications, and anything involving the use of the internet, especially web server traffic and history.
Looking at physical security, if I was an attacker trying to attempt to exploit the technology, I could easily fit my hand around the device and slip it to some place where it could be removed. If I was able to get a hold of another person's iPod, chances are that there wouldn't be a passcode on it. It just isn't convenient to have to put that passcode in everytime you want to use it. Even if there is a passcode though, it is only 4 numerical digits. This doesn't allow for a very secure passcode. If I got a hold of it and was able to access it, and that person had hooked up their e-mail, you normally don't have to do anything but hit the e-mail button to look at their e-mail and send e-mail. Also, users must manually clear a browser history, cookies, and cache. These things would allow disclosure and alteration.
If the iPod would connect to an unsecured network, I believe someone would be able to track all of the traffic, just as if it was a normal computer. This is definitely a vulnerability.
I also think that an attacker might try to exploit the iPod using an application to get remote access to an iPod, which could possibly eventually lead to spreading of viruses or worms, hacking into networks, etc.
There is definitely a risk of someone other than the owner to have easy access that that owner's information. It would be important to make sure that you choose to connect only to secure networks that you know and avoid the risk of being tracked. If you want the access that the iPod gives you, however, you would have to accept the risk of its physical security. You could get insurance, but they wouldn't be able to prevent access to any information on the lost or stolen iPod. A very cautious owner could look into seeing if there is an alternative way to lock up the iPod so that protection from unauthorized people would be prevented.

Reference:
http://www.apple.com/ipodtouch/what-is/ipod.html

Side-Channel Attacks: The Neglected Threat

Imagine sitting with your laptop at the student center, one of the campus computer clusters, or even your own dorm room with the window open. So far you have been good with protecting your information, you take a class on information security, you have the most recent anti-virus, your passwords contain many digits and characters, and you only connect to WPA2 wifi points if necessary. Nevertheless, you are at risk to lesser known threats known as side-channel attacks.
According to a fairly recent article in Scientific American, a side channel attack, “exploit[s] the unprotected area where the computer meets the real world: near the keyboard, monitor or printer, at a stage before the information is encrypted or after it has been translated into human readable form.” Essentially, the signals your computer emits, the sounds of a keyboard or printer, and the images displayed on a monitor.

In class, a recent case study focused on a very high tech form of this known as TEMPEST, where electromagnetic waves from the monitor are received and reconstructed on another monitor. Though this attack requires operators and some-what sophisticated equipment, there are even lower tech side-channel attacks. Simple microphones paired with special software have been proven to accurately reconstruct information from dot-matrix printers, and new advances are making it possible to predict the information printed by inkjet printers. Also, a webcam with software can track the motion of your fingers and quickly identify passwords and other sensitive input. A scientist in Germany, Michael Backes, recently developed a project to reconstruct monitor images by simply looking the reflection of nearby objects, such as a teapot and even the user’s eyes to record the exact information on the monitor. He used a telescope paired with a digital camera. Using even higher-powered equipment and editing techniques used by astronomers, he could reconstruct reflections on people’s eyes from 30 ft away.

Though seldom mentioned or reported as a cause of an attack, side-channel attacks are proven methods that should not be neglected. They cannot be mass distributed over the web or easily automated, but nevertheless can beat all encryption to gain your information. They are difficult to adequately defend against. In the case of reflections, even privacy monitor filters do not work, as they intensify the light projected onto your eyes. Essentially, we must all be more careful where and how we access information. Despite the convenience of mobile devices, avoid reading bank statements and other records in public view. Refrain from using public wifi zones or computer cafes for sensitive information, where malevolent attackers can set up listening devices, webcams, or telescopes across the street beforehand. Know that side-channel attacks are limited in range and information to access and vigilance to suspicious surroundings is the key to protecting yourself.

Source(s):
Gibbs, W. W. (2009, April 27). How Hackers Steal Secrets From Reflections. Retrieved October 31, 2009, from Scientific American Magazine: http://www.scientificamerican.com/article.cfm?id=hackers-can-steal-from-reflections

"Foursquare"

“Twitter” is apparently already over the hill, and replacing it is the new website, “Foursquare”. This New York based website is the up and coming social networking site. Like “Twitter” it allows your friends to know what you are up to at any given moment. However, “Foursquare” adds an extra element to the idea of “Twitter”; instead of having the user give a quick summary of what he or she is doing, users of “Foursquare” will “check in” to a city, a bar, or a restaurant, etc. Once your geographical/social status is updated, your friends are sent a message that tells them where you are and what you are doing so that if they are in the same area, they can join you. Through “Foursquare” you can also list the venues that you would like to visit or would recommend that your friends should visit. Another interesting factor that separates “Foursquare” from “Twitter” is that you win points for checking in. A user’s points are displayed on the site and if he or she checks into a location enough times, then they can be named the “mayor” of that establishment.

To capitalize on this site, the creators of “Foursquare” gather the information to potentially sell to businesses that want to get their names out there. This information has great potential to be used for research and advertising.
As a social networking site, “Foursquare” has great potential because it leads to personal contact as opposed to sites that focus on conversation and friendship online. However, many are worried about the privacy implications that go along with broadcasting one’s exact location. At one point, CNN.com referred to this new service “as an invite to have your house robbed”. In addition to leaving one’s physical belongings vulnerable to theft, broadcasting the locations where one will be using one or multiple credit cards could make it even easier for hackers to piece together personal information to sell on the black market of stolen identities. The location information that users of “Foursquare” will provide via “check in” will be time logged, so that information could be helpful to obtaining credit card information if it was compared with the transactions of that evening at any establishment. This site could also be used to keep fraudulent purchases under the radar by matching purchases made with stolen credit card information match the city that the “Foursquare” user is in.

There are many ethical and security implications of adding location to a social networking site as “Foursquare” has done, and it will be interesting to see if people choose to ignore the risk in favor of making more connections.

Sources:
"Privacy is dead, and social media hold smoking gun - CNN.com." CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News. Web. 29 Oct. 2009. .
"What is Foursquare? - Pocket-lint." Gadget Reviews, Product News, Electronic Gadgets - Pocket-lint. Web. 29 Oct. 2009. .