Posts in Kudos, Opinions and Rants

Re: Security Absurdity

Wednesday, May 17, 2006 by spaf in General, Kudos, Opinions and Rants,

This is a great blog posting: Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. The data and links are comprehensive, and the message is right on. There is a tone of rant to the message, but it is justified.

I was thinking of writing something like this, but Noam has done it first, and maybe more completely in some areas than I would have. I probably would have also said something about the terrible state of Federal support for infosec research, however, and also mentioned the PITAC report on cyber security.

[posted with ecto]

What is Higher Education’s Role in Regards to ID Theft?

Thursday, April 06, 2006 by Matt Rose in Kudos, Opinions and Rants,

A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is more susceptible, so I've started a list:

Willingness To Share Information: If myspace, facebook, and the numerous blog sites like livejournal are any indication, younger adults tend to be more open about providing personal information. While these sites may not be used by identity thieves, they nonetheless illustrate students' willingness to divulge intimate details of their personal lives. Students might be more forthcoming with their SSN, account information and credit card numbers than are their elders.
Financial Inexperience: Many college students are out on their own for the first time. Many also are in "control" of their finances for the first time. With that lack of experience comes a lack of experience with and knowledge about tracking expenditures and balancing checkbooks. College students are an easier target for identity thieves who can ring up several purchases before being noticed.
Access to Credit: A walk around campus during the first few weeks of the year also reveals another contributing factor. Students are lured into applying for credit cards by attractive young men and women handing out free T-shirts and other junk. It is not unusual for a college freshman to have three or four credit cards with limits of $1000 to $5000.
Lost Credit Cards and Numbers: This might be a stretch, but I know many college students who periodically loose their wallets, purses, etc. and who did not act quickly in canceling their debit and credit cards. I also know many who have accidentally left a campus bar without closing their tab. It would be trivial to get access to someone else's card at these establishments. Along with this reason comes access to friends' and roommates' cards.

I'm sure there are many more contributing factors. What interests me is determining the appropriate role of the university in helping to prevent identity theft among this age group. Most colleges and universities now engage in information security awareness and training initiatives with the goal of protecting the university's infrastructure and the privacy of information covered by regulations such as FERPA, HIPPA, and so on. Should higher education institutions extend infosec awareness campaigns so that they deal with issues of personal privacy protection and identity theft? What are the benefits to universities? What are their responsibilities to their students?

For educational organizations interested in educating students about the risks of identity theft, the U.S. Department of Education has a website devoted to the topic as does EDUCAUSE.

Useful Awareness Videos

Wednesday, April 05, 2006 by Matt Rose in Infosec Education, Kudos, Opinions and Rants, Reviews,

The results are in from the EDUCAUSE Security Task Force's Computer Security Awareness Video Contest. Topics covered include spyware, phishing, and patching. The winning video, Superhighway Safety, uses a simple running metaphor, a steady beat, and stark visual effects to concisely convey the dangers to online computing as well as the steps one can take to protect his or her computer and personal information.

The videos are available for educational, noncommercial use, provided that each is identified as being a winning entry in the contest. In addition to being great educational/awareness tools, they should serve as inspiration for K-12 schools as well as colleges and universities.

Using Virtual Machines to Defend Against Security and Trust Failures

Monday, February 20, 2006 by Pascal Meunier in General, Kudos, Opinions and Rants, Secure IT Practices,

According to the National Vulnerability Database (http://nvd.nist.gov), the number of vulnerabilities found every year increases: 1253 in 2003, 2343 in 2004, and 4734 in 2005. We take security risks not only by choosing a specific operating system, but also by installing applications and services. We take risks by browsing the web, because web sites insist on running code on our systems: JavaScript, Flash (ActionScript), Java, ActiveX, VBscript, QuickTime, and all the plug-ins and browser extensions imaginable. Applications we pay for want to probe the network to make sure there isn't another copy running on another computer, creating a vector by which malicious replies could attack us. Games refuse to install in unprivileged accounts, so they can run their own integrity checkers with spyware qualities with full privileges (e.g., WoW, but others do the same, e.g., Lineage II), that in turn can even deny you the capability to terminate (kill) the game if it hangs (e.g., Lineage II). This is done supposedly to prevent cheating, but allows the game companies full access and control of your machine, which is objectionable. On top of that those games are networked applications, meaning that any vulnerability in them could result in a complete (i.e., root, LocalSystem) compromise. It is common knowledge that if a worm like MyTob compromises your system, you need to wipe the drive and reinstall everything. This is in part because these worms are so hard to remove, as they attack security software and will prevent firewalls and virus scanners from functioning properly. However there is also a trust issue -- a rootkit could have been installed, so you can't trust that computer anymore. So, if you do any sensitive work or are just afraid of losing your work in progress, you need a dedicated gaming or internet PC. Or do you? Company VMWare offers on their web site the free download of VMWare player, as well as a "browser appliance" based on Firefox and Ubuntu Linux. The advantages are that you don't need to install and *trust* Firefox. Moreover, you don't need to trust Internet Explorer or any other browser anymore. If a worm compromises Firefox, or malicious JavaScripts change settings and take control of Firefox, you may simply trash the browser appliance and download a new copy. I can't overemphasize how much less work this is compared to reinstalling Windows XP for the nth time, possibly having to call the license validation phone line, and frantically trying to find a recent backup that works and isn't infected too. As long as VMWare player can contain the infection, your installation is preserved. Also hosted on the VMWare site are various community-created images allowing you to test various software at essentially no risk, and no configuration work! After experiencing this, I am left to wonder, why aren't all applications like a VMWare "appliance" image, and the operating system like VMWare player? They should be. Efforts to engineer software security have obviously failed to contain the growth of vulnerabilities and security problems. Applying the same solutions the same problems will keep resulting in failures. I'm not giving up on secure programming and secure software engineering, as I can see promising languages, development methods and technologies appearing, but at the same time I can't trust my personal computers, and I need to compartmentalize by buying separate machines. This is expensive and inconvenient. Virtual machines provide us with an alternative. In the past, storing entire images of operating systems for each application was unthinkable. Nowadays, storage is so cheap and abundant that the size of "appliance" images is no longer an issue. It is time to virtualize the entire machine; all I now require from the base operating system is to manage a file system and be able to launch VMWare player, with at least a browser appliance to bootstrap... Well, not quite. Isolated appliances are not so useful; I want to be able to transfer documents from appliance to appliance. This is easily accomplished with a USB memory stick, or perhaps a virtual drive that I can mount when needed. This shared storage could become a new propagation vector for viruses, but it would be very limited in scope. Virtual machine appliances, anyone? Note (March13, 2006): Virtual machines can't defend against cross-site scripting vulnerabilities (XSS), so they are not a solution for all security problems.

Didn’t we learn anything from WarGames?

Friday, February 17, 2006 by Ed Finkler in Kudos, Opinions and Rants, Secure IT Practices,

My s.o. and I watched WarGames last night, and I enjoyed it not only for the kitschy nostalgia of an 8-inch floppy disk, but for some of the lessons of good information security practices that we still have trouble remembering:

Don't write down your password. Matthew Broderick's character is able to break into his high school's computer system and alter his grades because he reads the password off the secretary's desk every couple weeks.
Don't make high-security systems publicly accessible. The W.O.P.R. computer (wasn't that a great name?) that controls the launch of the US nuclear arsenal is accessed over a public phone line. Firewalls, anyone? Bueller?

It does seem like folks are generally getting a lot better with #2, but #1 seems to be a tougher nut to crack. It's understandable, because it's much more of a human behavior issue, but sometimes you just wonder, have we learned nothing in 20 years? :)

Recent Blogs

Blog Archive

Posts in Kudos, Opinions and Rants

Page Content

Re: Security Absurdity

Recent Blogs

Blog Archive