Have a great spring break everyone!
To readers of this blog: Please expect low activity for a while. The University of Washington is on the quarter system, and our quarter just ended. Everyone in the class is, of course, encouraged to still contribute articles to this blog. And we’ll continue using this blog (or more sophisticated forum environments) in future courses. Stay tuned for more information 
.
The Husky Union Building is the center of life on campus. It is home to the Associated Students of the University of Washington, hundreds of student clubs and organizations, the university bookstore, food vendors, university employee payroll and accounting, information services, games area, campus-wide lost & found, US Bank, bike shop, hair salon, newsstand, event services, and many more departments.
Summary:Home automation systems in general attempt to enable home owners to have a “smart” house. Instead of light switches you have integrated panels that control everything from your lights, to your shades, to your entertainment system, climate control, alarm system, motorized locks, etc. Some specific examples of such systems like those offered by Control4 use wireless communications between the panels and devices they control. Some also have integration with cell phone applications. One of the selling points for these systems is that they improve security.
This is a security review of “Smart Guns,” a general class of locking/use prevention mechanisms for firearms that rely on biometrics or other authentication indicators (such as “smart” chips embedded in the gun and in rings or other tokens worn by the intended user) to identify a person who is authorized to use the firearm, while preventing unauthorized persons from discharging the weapon. The Wikipedia article has some further broad overview information regarding the subject.
Summary:
It is now very common to do business with companies that will by default (or even as a requirement to patronize) permanently store credit card and associated personal information in a database to help speed up future transactions or insure them against liability. While this action can sometimes be a convenience to consumers it is worth exploring how it is a general security risk.
Assets:
Adversaries:
Weaknesses:
Defenses:
Risk Analysis:
There is a very real risk that personal information will be compromised when stored in company’s databases. Perhaps the most interesting threats are those waged by adversaries who pursue a social engineering route. There is an interesting incident recounted in Kevin Mitnick’s book “The Art of Deception” (google “art deception filetype:pdf” p. 47) where a son is able to get his father’s credit card number from a videostore in a matter of minutes without leveraging his relationship or anything personal about his father.
Conclusion:
The only practical approach consumers can take to limiting the risks that go with having credit card information in company databases (other than opting out altogether) is to be vigilant in recognizing when information might have been compromised. As consumers we have a broad range of choices to make when patronizing businesses, and ultimately the most important thing to do is to recognize one’s own habits and assess the threats accordingly.
As our professor has continually emphasized throughout the quarter, one of the primary aims of our course has been to go beyond technical details of current computer security in order to learn the security mindset. This new way of thinking enables us to analyze security issues in the future regardless of particular directions that technology may take. It also enables us to examine the security of less technical entities like physical locks, parking meters, etc. As I was considering some of these less technical systems, I began to realize the pervasive implications of applying the security mindset to broader aspects of life and so began my examination of the human heart.
Recently, Governor Eliot Spitzer of New York was revealed to have been involved with a prostitution ring despite his façade of crusading against white collar crime. As a result, his reputation was tarnished, his career ended and his family has been deeply hurt. Although this is just another note in the continual drumbeat of tragedies we hear about in the news, the frequency of these incidents, clearly demonstrate that each of us is vulnerable to fall in similar ways. How can we defend our lives (and hearts) against being deceived into compromising our integrity and falling into these common pitfalls?
A second observation motivating this study comes from the fact that insiders are often the adversaries who cause the most damage and harm because they are trusted and by nature must have access to the assets we desire to protect. Human beings are often the weakest component of any security system. This review of the human heart will hopefully provide insight into ways to protect the integrity of trusted insiders as well as our own hearts in relation to the people who trust us.
Finally, defending the human heart has significant ramifications in every aspect of physical/computer security. Much of the violence that takes place on campuses (e.g. shootings, assault, etc.) have at their root a compromised heart (e.g. someone who has been continually hurt and lashes out in despair to cause pain to others after he/she has received so much). Many of the adversaries in computer security scenarios are motivated by financial gain, prestige, and other related incentives, which are deceptive and violate the worth and personhood of the people they attack. If people’s hearts were able to be defended, many of the human adversaries that we encounter in typical security reviews might in fact become allies; the ideas in this post are tools that can provide another layer of defense in depth.
Summary:
As humans we are cursed by the need for a number of basic necessities. Among these include nutritious food, clean air, and of course water. In this brief post I will focus on the later of these.
While the importance of securing our computing systems and infrastructures cannot be stressed enough, the importance of ensuring that everyone has access to clean water far surpasses any other consideration simply because it is essential for our health and well-being. It would indeed be tragic to lose a life savings due to identify theft, but such loss pales in comparison to the health risks involved with contaminated or otherwise unsanitary water. Financial loss can be recovered, while the same cannot be said about the loss of life, life years, or the degraded quality of life in the years that one does have. Unfortunately, while some risks to our water supply seem far fetched and highly unlikely, others are very real and seemingly unavoidable. (Read on …)
Summary
Car GPS navigation systems are handy tool for finding one’s way on the road. With features like local points of interest, address book and SD card backup it would not be surprising if becomes a common everyday item soon. Here is a review for a GPS navigation system similar to the Magellan Maestro 4200:
I’ve seen a few people on this blog cover various aspects of cellphone security, including the new iphone 3rd party support and GPS tracking, however I haven’t seen anything covering the most basic of cellphone features, voice communication. It seems to me there are just as many, if not more, security implications that arise by the simple act of eavesdropping or account spoofing as there are in the more modern functions of cell phones. (Read on …)
Being a frequent visitor to Japan and thus knowing its people and culture fairly well, I thought it’d be appropriate for me to conduct a review on the new ‘taspo’ RFID cards which Yoshi also mentioned a while back. The ‘taspo’ cards are being introduced in Japan in an attempt to reduce underage smoking. They are to be used with cigarette vending machines.