Otherwise Occupied
 



security

gregh  2007-10-10 10:22         

gregh  2007-08-11 20:55         

Just watched "Man of the Year" on HBO, with Robin Williams as a Jon Stewart-like character elected to the Presidency through buggy electronic voting machines. If you haven't seen Hacking Democracy, you really should.

But most importantly, review this from Bruce Schneier and the linked contents for a review on the sorry state of the software driving the voting machines our elections officials have been buying. It's frightening.

gregh  2007-08-02 13:21             

Last summer, ZiefBrief reported that wireless was coming to the library. There was a note in that article: "(Our helpful Law IT staff ask us to remind you that, wireless being wireless, it will never be 100% secure. So please don't use it for your online banking and such!)"

I commented with some of my thoughts about why that was important. Our public networking uses a wildly insecure method for authenticating users and authorizing access. The first, most obvious problem is that no wireless encryption is used. All communications with the wireless network are in the clear, and anyone within range can watch your traffic. Second, there's no authentication of the wireless network; that is, there's no way for the user to know that the "USFWireless" SSID they connect to is, in fact, USFWireless. Finally, because there is no authentication of the wireless network and no wireless network authorization, authentication to the public network happens by means of a jail, which is opened by means of a form on an apparent transparent HTTP proxy.

Why is that a concern? Rather than redirect the request to an authentication host with an appropriate, properly signed TLS (née SSL) certificate, the request is simply hijacked. Users are lulled into accepting these poorly signed certificates as a regular part of getting online. It becomes second nature to ignore those warnings, and I'm sure many do. That opens up a prime opportunity for a man-in-the-middle attack. Even if you send all of your traffic across an encrypted channel, if you get to the point you simply accept "bad" certificates, you no longer know who is watching your data.

This came to mind today as I was reading this article from the Washington Post. It describes new, automated tools for sniffing credentials from the "wire" and using them to connect to common online services. Similar attacks on USFConnect (the university intranet) aren't hard to imagine. It's never been particularly hard to pull this off; it's just that now folks are demonstrating automated tools to do the job.

And so, this is a gentle reminder to watch the certificates you're granted while you're surfing online. Be careful with the information you send around on insecure wireless networks, and that especially includes relatively public places like the law school. Perhaps one of these days, the IT folks will see fit to strengthen the protections; it's not hard, but the user support can be daunting. For the time being, wireless continues to be unsafe, even though its use can be a calculated risk.

gregh  2007-07-30 04:06         

Bruce Schneier interview with Kip Hawley, Part I:

Kip Hawley: Screening ideas are indeed thought up by the Office for Annoying Air Travelers and vetted through the Directorate for Confusion and Complexity, and then we review them to insure that there are sufficient unintended irritating consequences so that the blogosphere is constantly fueled.

Aha! We've had our hunches.

Imagine for a moment that TSA people are somewhat bright, and motivated to protect the public with the least intrusion into their lives, not to mention travel themselves. How might you engineer backwards from that premise to get to three ounces and a baggie?

The Vice President has investments in a company that manufactures sample-size bottles.

gregh  2007-01-30 10:28           

Real-ID: Costs and Benefits:

All of these problems demonstrate that identification checks based on Real ID won’t be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American -- one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks of this database are enormous. It would be a kludge of existing databases that are incompatible, full of erroneous data, and unreliable. Computer scientists don’t know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.

And yet, there's a group that will carry on insisting that this is something we must have. We open ourselves up to theft of identity information on a grand scale, and for what? As Schneier continues:

Even worse, as soon as you divide people into two categories -- more trusted and less trusted people -- you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC, snipers; the London subway bombers; and many of the 9/11 terrorists had no previous links to terrorism. Evildoers can also steal the identity -- and profile -- of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.

So, we do all of this Real ID nonsense, and what do we get? Oh, right. Less security. Along with the false sense of security, we also receive diminished privacy, heightened risks to privacy, greater government aggregation of data that it is unlikely to be able to manage, and just generally a worse situation than we had before.

gregh  2006-09-11 14:05         

Chronicle: Hacking of governor's computer suspected
Published comments had been taped, stored on office server:

Tom Marshal, spokesman for the CHP, confirmed Sunday that an investigation is under way into the security of the computer system in the governor's office.

Some experts said government computer systems are among the most vulnerable to outside hackers -- especially some systems used by California state agencies that are well known as antiquated.

"Government systems are penetrated on a regular basis," said Bev Harris, executive director of Black Box Voting, a Seattle-based group concerned about electronic voting and hacking.

"There's a lot of government offices that you wouldn't think would be vulnerable, but they have been penetrated," she said, citing the Pentagon as having its computers recently breached by a hacker.

I'll just reiterate that this is a prime example of why the Real ID Act's § 202(d)(12) is so frightening:

A state shall provide electronic access to all other states to information contained in the motor vehicle database of the state

What must be maintained in a state's motor vehicle database? Just ask § 202(d)(13):

A state shall maintain a state motor vehicle database that contains: (A) all data fields printed on DL/IDs issued by the state, and (B) motor vehicle drivers’ histories, including motor vehicle violations, suspensions, and points on license

In my hastily crafted law review bid this summer, I started off with a hypothetical intruder invading the motor vehicle department of a small state. From there, the notion of culling data from motor vehicle databases around the country doesn't seem too far-fetched. Much of that data is very valuable. And very personal.

If this turns out to be an intruder hacking into the governor's office and running off with a digital audio recording, this should be an ominous warning to those who hold data that is valuable for more than just political shock value.

gregh  2006-09-05 07:02         

I went to Boston over Labor Day weekend.

As the last things I packed at 5 AM, I didn't give much thought to my toiletries as I threw my deodorant and toothpaste into an outside compartment of my bag and took off. I got to Oakland International, and the security line snaked through baggage claim, past 3 or 4 carousels, and up the back wall. Things didn't look promising. Thankfully, it was 6:00 AM and my flight didn't leave until 7:40.

The line moved very quickly, as it happened. Time wasn't going to be a problem.

But maybe security was? As we were getting ready to land, it struck me that I had inadvertently brought two prohibited items onto the plane: my gel deodorant and my tube of Crest toothpaste. Now, I had nothing evil planned, and the containers did actually hold deodorant and toothpaste. Nonetheless, if these things are so evil, how could they have been allowed to slip by? Surely a toothpaste tube shows up on an x-ray machine? What about a deodorant container?

Now, I don't really feel the current bans are all that meaningful or likely to prevent an attack, but I'd at least like to think items that are obviously not supposed to make it on a plane will be snagged. Especially if they're much more likely to cause a security situation.
