Security/Privacy

AOL techie jailed for selling email database to spammers

AOL techie jailed for selling email database to spammers. It just goes to show that all the encryption, security policies, and peer-reviewed code in the world won't help you if your people can be bought.

Hide your wireless network in plain sight

Imagine that wardrivers are casing your neighborhood. You've suppressed your SSID, you have WEP enabled and you've placed your wireless access point in a DMZ. You limit access to your wireless network by MAC address, block almost all traffic from the DMZ and require all your wireless clients to log into the real network via VPN in order to do anything. Sounds pretty good so far. The fact is that a hacker parked in your neighbor's driveway can still cause problems. How about making his life a little more difficult? What if, when he turns on NetStumbler, he sees 53,000 access points? Where would he start to look for yours? Enter Black Alchemy's Fake AP. FakeAP makes your Linux or *BSD machine look like thousands of wireless access points by broadcasting thousands of counterfeit beacon frames. This alone won't solve your wireless security issues, but combined with the ideas mentioned above it might serve to confuse any miscreants looking to cause trouble. At least you won't be a soft target.

Does MasterCard's SecureCode Protect Cardholders or Merchants?

The basic idea behind MasterCard's SecureCode program is that a cardholder can attach a personal message and a password (the SecureCode) to their credit card. When the cardholder attempts to make a purchase using the card at a merchant that supports SecureCode the payment processor--not the merchant--presents their personal message and asks them to enter their SecureCode. After authenticating the SecureCode the payment processor completes the transaction and the cardholder goes on their merry way. If authentication fails the charge is declined and the transaction is cancelled. Bottom line, SecureCode is a way for the card processor to authenticate the cardholder.

Encrypted RSS

Here's an interesting idea for encrypting RSS and then decrypting it in your browser (Firefox). Have a look at Joe Gregorio's article: Secure RSS Syndication

Misplaced Trust or Lack of Education?

The headline reads, "Professor charged with stealing students' IDs." At first glance this appears to be a case of misplaced trust. The professor asks his students to sign into his class by signing their name and placing their social security numbers on the sign-in sheet. The professor then uses the information to open up a bunch of department store credit cards. I submit that this incident happened because students don't know what their social security number is supposed to be used for and the federal government has not done enough to discourage the use of the SSN for non-social security matters.

This whole thing raises some questions. Does the organization--the community college in this case--even know what the SSN is supposed to be used for? What is the student to think? How does the student know whether it's safe to provide the information or not? What could the students have been told in advance that would have prevented this situation? Who should have told them: the college, their high school, their parents, the government, who? What is the SSN supposed to be used for anyway?

Attack of the SSN and DOB

Altered Grades Lead to Student's Arrest, reads the headline. Upon further reading it is clear to me that naivete in system design combined with unscrupulous behavior are to blame. I am so sick of hearing about systems that have been accessed by people impersonating authorized users. Many times these systems are protected by passwords, and the hole that makes them vulnerable is the utility for resetting the password when a user forgets it.

How can an administrator say, "...illegal access to the computer grading system was not the result of a deficiency or flaw in the program." Of course there was a flaw! The flaw exists in the logic that led to the procedure to reset a user's password using their Social Security Number and Date of Birth: two elements of data that are trivial to obtain and never designed to be secret!
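To make the design point concrete, here is an added example (not from the article or the grading system it describes) that puts the SSN-and-DOB reset beside a reset built on a random, single-use, time-limited token delivered to a contact channel verified at enrollment. The account data, the `ResetService` class and the `outbox` stand-in for out-of-band delivery are all hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    ssn: str       # constructed sample data; neither value is secret or revocable
    dob: str
    contact: str   # channel verified at enrollment (hypothetical)
    password: str = "initial"


def weak_reset(acct: Account, ssn: str, dob: str, new_password: str) -> bool:
    """The flawed procedure: anyone who knows two widely held identifiers
    can take over the account. There is nothing here to audit or revoke."""
    if acct.ssn == ssn and acct.dob == dob:
        acct.password = new_password
        return True
    return False


class ResetService:
    """Hardened reset: a 256-bit random token that is single-use, expires,
    and is only ever sent to the verified contact channel."""

    TTL_SECONDS = 15 * 60

    def __init__(self) -> None:
        self._pending = {}   # username -> (token, expiry timestamp)
        self.outbox = []     # stands in for e-mail/SMS delivery (constructed)

    def request(self, acct: Account, now: float) -> None:
        token = secrets.token_urlsafe(32)
        self._pending[acct.username] = (token, now + self.TTL_SECONDS)
        self.outbox.append((acct.contact, token))  # never shown to the requester

    def complete(self, acct: Account, token: str, new_password: str, now: float) -> bool:
        entry = self._pending.get(acct.username)
        if entry is None:
            return False
        stored, expiry = entry
        if now > expiry:
            del self._pending[acct.username]       # expired tokens are discarded
            return False
        if not hmac.compare_digest(stored, token):  # constant-time comparison
            return False
        del self._pending[acct.username]           # single use
        acct.password = new_password
        return True
```

The token binds the reset to possession of the verified channel rather than to knowledge of data that appears on sign-in sheets and enrollment forms.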

Mitigating Identity Theft

Mitigating Identity Theft by Bruce Schneier.
Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person's name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions -- credit card companies in particular -- the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.
Read More...