The Center for Education and Research in Information Assurance and Security (CERIAS)


CERIAS Blog


End-to-end security


[tags]biometrics,USB,encryption,hacking[/tags]
One of our students who works in biometrics passed along two interesting article links.  This article describes how a password-protected, supposedly very secure USB memory stick was almost trivially hacked.  This second article by the same author describes how a USB stick protected by a biometric was also trivially hacked. I’m not in a position to recreate the procedure described on those pages, so I can’t say for certain that the reality is as presented.  (NB: simply because something is on the WWW doesn’t mean it is true, accurate, or complete.  The rumor earlier this week about a delay in the iPhone release is a good example.) However, the details certainly ring true.

We have a lot of people who are “security experts” or who are marketing security-related products who really don’t understand what security is all about.  Security is about reducing risk of untoward events in a given system.  To make this work, one needs to actually understand all the risks, the likelihood of them occurring, and the resultant losses.  Securing one component against obvious attacks is not sufficient.  Furthermore, failing to think about relatively trivial physical attacks is a huge loophole—theft, loss or damage of devices is simple, and the skills to disassemble something to get at the components inside is certainly not a restricted “black art.”  Consider the rash of losses and thefts of disks (and enclosing laptops) we have seen over the last year or two, with this one being one of the most recent.

Good security takes into account people, events, environment, and the physical world.  Poor security is usually easy to circumvent by attacking one of those avenues.  Despite publicity to the contrary, not all security problems are caused by weak encryption and buffer overflows!

[posted with ecto]

Google 419, Part II


[tags]Google, spam, 419[/tags]

I recently blogged about some unsolicited email I received from a recruiter at Google.  Much to my surprise, I was shortly thereafter contacted by two senior executives at Google (both of whom I know).  Each apologized for the contact I had received; one assured me he would put in a positive recommendation if I wanted that sys admin position. grin

I have been assured that there will be some re-examination made of how these contacts are made.  So, score one for my blog changing the world!  Or something like it.

[posted with ecto]

The gutting of cybersecurity


[tags]cyber security research, PITAC[/tags]

I strongly urge you to read Jim Horning’s blog entry about a recent Congressional hearing on cyber security research—his blog is Nothing is as simple as we hope it will be.  (Jim posts lots of interesting items—you should add his blog to your list.)

I have been visiting Federal offices and speaking before Congress for almost 20 years trying to raise some awareness of the importance of addressing information security research.  More recently, I was a member of the President’s Information Technology Advisory Committee (PITAC).  We studied the current funding of cybersecurity research and the magnitude of the problem.  Not only was our report largely ignored by both Congress and the President, the PITAC was disbanded.  For whatever reason, the current Administration is markedly unsupportive of cyber security research, and might even be classed as hostile to those who draw attention to this lack of support.

Of course, there are many other such reports from other august groups that state basically the same as the PITAC report.  No matter who has issued the reports, Congress and the Executive Branch have largely failed to address the issues.

Thus, it is heartening to read of Chairman Langevin’s comments.  However, I’m not going to get my hopes up.

Be sure to also read Dan Geer’s written testimony.  It touches on many of the same themes he has spoken about in recent years, including his closing keynote at our annual CERIAS Security Symposium (save the dates—March 19 & 20, 2008—for the next symposium).

Copyright © 2007 by E. H. Spafford
[posted with ecto]

More on passwords


[tags]Passwords[/tags]
I’ve previously written about passwords in this blog (here, here and here).

I saw this post today—I think it is great!  I’m sure they will adopt this here at Purdue sometime soon.

Quicktime flaw on Macs brings out the crazies


[tags]Windows,MacOS, security flaws, patches, press coverage[/tags]
There’s been a lot of froth in the press about a vulnerability discovered in a “Hack the Mac” contest conducted recently.  (Example stories here and here.)  I’m not really sure where this mini-hysteria is coming from—there isn’t really anything shocking here.

First of all, people shouldn’t be surprised that there are security flaws in Apple products.  After all, those are complex software artifacts, and the more code and functionality present, the more likely it is the case that there will be flaws present—including serious flaws leading to security problems.  Unless special care is taken in design and construction (not evident in any widely-used system) vulnerabilities are likely to be present.

Given that, the discovery of one serious flaw doesn’t necessarily mean there are hundreds more lurking beneath the surface and that MacOS X is as bad (or worse) than some other systems.  Those bloggers and journalists who have some vulture genomes seem particularly prone to making sweeping announcements after each Apple-based flaw (and each Linux bug) is disclosed or a story about vulnerabilities is published.  Yes, there are some problems, and there are undoubtedly more yet to be found.  That doesn’t mean that those systems are inherently dangerous or even as buggy and difficult to protect as, for example, Windows XP.  Drawing such conclusions based on one or two data points is not appropriate; these same people should likewise conclude that eating at restaurants anywhere in the US is dangerous because someone got food poisoning at a roadside stand in Mexico last year!

To date, there appear to be fewer flaws in Apple products than we have seen in some other software.  Apple MacOS X is built on a sturdy base (BSD Unix) and doesn’t have a huge number of backwards compatibility features, which is often a source of flaws in other vendors’ products.  Apple engineers, too, seem to be a little more careful and savvy about software quality issues than other vendors, at least as evidenced by the relative number of crashes and “blue screen” events in their products.  The result is that MacOS X is pretty good right out of the box.

Of course, this particular flaw is not with MacOS X, but with Java code that is part of the Quicktime package for WWW browsers.  The good news is that it is not really a MacOS problem; the bad news is that it is a serious bug that got widely distributed; and the worse news is that it potentially affects other browsers and operating systems.

I have been troubled by the fact that we (CERIAS, and before that COAST) have been rebuffed on every attempt over the last dozen years to make any contact with security personnel inside Apple.  I haven’t seen evidence that they are really focused on information security in the way that other major companies such as Sun, HP and Microsoft are, although the steady patching of flaws that have not yet been widely reported outside the company does seem to indicate some expertise and activity somewhere inside Apple.  Problems such as this Quicktime flaw don’t give warm fuzzy feelings about that, however.

Apple users should not be complacent.  There are flaws yet to be discovered, and users are often the weakest link.  Malware, including viruses, can get into MacOS X and cause problems, although they are unlikely to ever be of the number and magnitude as bedevil Windows boxes (one recent article noted that vendors are getting around 125 new malware signatures a day—the majority are undoubtedly for Windows platforms).  And, of course, Mac machines (and Linux and….) also host browsers and other software that execute scripts and enable attacks.  Those who use MS Word have yet more concerns.

The bottom line: No system is immune to attacks.  All users should be cautious and informed.  Apple systems still appear to be safer than their counterparts running Windows XP (the jury is out on Vista so far), and are definitely easier to maintain and use than similarly secured systems running Linux.  You should continue to use the system that is most appropriate for your needs and abilities, and that includes your abilities to understand and configure security features to meet your security needs.  For now, my personal systems continue to be a MacBook Pro (with XP and Vista running under Parallels) and a Sun Solaris machine.  Your own mileage should—and probably will—vary.