CERIAS Blog - CERIAS - Purdue University

What is Higher Education’s Role in Regards to ID Theft?

Thursday, April 06, 2006 by Matt Rose in Kudos, Opinions and Rants,

A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is more susceptible, so I've started a list:

Willingness To Share Information: If myspace, facebook, and the numerous blog sites like livejournal are any indication, younger adults tend to be more open about providing personal information. While these sites may not be used by identity thieves, they nonetheless illustrate students' willingness to divulge intimate details of their personal lives. Students might be more forthcoming with their SSN, account information and credit card numbers than are their elders.
Financial Inexperience: Many college students are out on their own for the first time. Many also are in "control" of their finances for the first time. With that lack of experience comes a lack of experience with and knowledge about tracking expenditures and balancing checkbooks. College students are an easier target for identity thieves who can ring up several purchases before being noticed.
Access to Credit: A walk around campus during the first few weeks of the year also reveals another contributing factor. Students are lured into applying for credit cards by attractive young men and women handing out free T-shirts and other junk. It is not unusual for a college freshman to have three or four credit cards with limits of $1000 to $5000.
Lost Credit Cards and Numbers: This might be a stretch, but I know many college students who periodically loose their wallets, purses, etc. and who did not act quickly in canceling their debit and credit cards. I also know many who have accidentally left a campus bar without closing their tab. It would be trivial to get access to someone else's card at these establishments. Along with this reason comes access to friends' and roommates' cards.

I'm sure there are many more contributing factors. What interests me is determining the appropriate role of the university in helping to prevent identity theft among this age group. Most colleges and universities now engage in information security awareness and training initiatives with the goal of protecting the university's infrastructure and the privacy of information covered by regulations such as FERPA, HIPPA, and so on. Should higher education institutions extend infosec awareness campaigns so that they deal with issues of personal privacy protection and identity theft? What are the benefits to universities? What are their responsibilities to their students?

For educational organizations interested in educating students about the risks of identity theft, the U.S. Department of Education has a website devoted to the topic as does EDUCAUSE.

Useful Awareness Videos

Wednesday, April 05, 2006 by Matt Rose in Infosec Education, Kudos, Opinions and Rants, Reviews,

The results are in from the EDUCAUSE Security Task Force's Computer Security Awareness Video Contest. Topics covered include spyware, phishing, and patching. The winning video, Superhighway Safety, uses a simple running metaphor, a steady beat, and stark visual effects to concisely convey the dangers to online computing as well as the steps one can take to protect his or her computer and personal information.

The videos are available for educational, noncommercial use, provided that each is identified as being a winning entry in the contest. In addition to being great educational/awareness tools, they should serve as inspiration for K-12 schools as well as colleges and universities.

Illinois WiFi piggybacker busted

Friday, March 24, 2006 by Ed Finkler in Policies & Law, Secure IT Practices,

Ars Technica's Eric Bangeman posted a pointer and commentary about a case in Illinois where a WiFi piggybacker got caught and fined. This is apparently the third conviction in the US (two in Florida and this one) in the last 9 months. The Rockford Register reports:

In a prepared statement, Winnebago County State's Attorney Paul Logli said, "With the increasing use of wireless computer equipment, the people of Winnebago County need to know that their computer systems are at risk. They need to use encryption or what are known as firewalls to protect their data, much the same way locks protect their homes."

Firewall? I guess they didn't prepare the statement enough, but the intent is clear. Still, it seems that the focus is on the consumer's responsibility to lock down their network, ignoring the fact that the equipment that's churned out by manufacturers is far too difficult to secure in the best of circumstances, let alone when you have legacy gear that won't support WPA. Eric seems to agree:

Personally, I keep my home network locked down, and with consumer-grade WAPs so easy to administer, there's really no excuse for leaving them running with the default (open) settings.

"Easy" is very relative. It's "easy" for guys like us, and probably a lot of the Ars audience, but try standing in the networking hardware aisle at Best Buy for about 15 minutes and listen to the questions most customers ask. As I've touched on before, expecting them to secure their setups is just asking for trouble.

Web App Security - The New Battlefront

Friday, March 24, 2006 by Ed Finkler in Infosec Education, Secure IT Practices,

Well, we're all pretty beat from this year's Symposium, but things went off pretty well. Along with lots of running around to make sure posters showed up and stuff, I was able to give a presentation called Web Application Security - The New Battlefront. People must like ridiculous titles like that, because turnout was pretty good. Anyway, I covered the current trend away from OS attacks/vandalism and towards application attacks for financial gain, which includes web apps. We went over the major types of attacks, and I introduced a brief summary of what I feel needs to be done in the education, tool development, and app auditing areas to improve the rather poor state of affairs. I'll expand on these topics more in the future, but you can see my slides and watch the video for now:

Useful Firefox Security Extensions

Wednesday, March 15, 2006 by Ed Finkler in Secure IT Practices,

Mozilla's Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here's a roundup of some of the more useful ones I've found.

Add n' Edit Cookies This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience. This extension not only shows you all the details, but lets you modify them too. You'll be surprised at how many web apps do foolish things like saving your password in the cookie.
Dr. Web Anti-Virus Link Checker This is an interesting idea -- scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service. I haven't rigorously tested this or anything, but it's an interesting concept that could be part of an effective multilayer personal security model.
FormFox This extension doesn't do a whole lot, but what it does is important -- showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
FlashBlock Flash hasn't been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it's often an annoyance. This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like. It lacks the flexibility I'd like (things like whitelists would be very handy), and doesn't give you much (any?) info about the Flash element before you run it, but it's still a handy tool.
LiveHTTPHeaders & Header Monitor LiveHTTPHeaders is an incredibly useful too for web developers, displaying all of the header traffic between the client and server. Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox's status bar. They're not really specifically security tools, but they do offer a lot of info on what's really going on when you're browsing, and an educated user is a safer user.
JavaScript Option This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I'd like to see this idea taken farther (see below), but it's handy regardless.
NoScript This extension is pretty smooth. Of all the addons for Firefox covered here, this is the one to get. NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with. NoScript can also block Flash, Java, and "other plugins;" forbid bookmarklets; block or allow the "ping" attribute of the tag; and attempt to rewrite links that execute javascript to go to their intended donation without triggering the script code. The one thing I'd really like to see from this extension would be more ganularity over what the Javascript engine can access. Now it's only "on" or "off," but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces. Also read Pascal Meunier's take on NoScript.
QuickJava Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1). Hopefully a new version will be available soon.
ShowIP This is another tool that isn't aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar. Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info. You can add additional web lookups if you like, as well as passing the IP to a local program. Handy stuff.
SpoofStick The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored "You're on " in the toolbar. For folks who know what they're doing this isn't wildly useful, but it could be just the ticket for less savvy users. It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
Tamper Data Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it's easier to see at a glance all of the traffic and get an overall feel of what's going on, but you can still drill down and get as much detail as you like.

Got more Firefox security extensions? Leave a comment and I'll collect them in an upcoming post.

[tags]firefox, extensions, security, privacy, safe_browsing, browser, web, flash[/tags]

What is Higher Education’s Role in Regards to ID Theft?

Recent Blogs

Blog Archive

Page Content

What is Higher Education’s Role in Regards to ID Theft?

Recent Blogs

Blog Archive