Current events: Sony Ericsson a victim of its own employee

By sal at 10:54 pm on January 16, 2009 | 7 Comments

Issues of stealing physical or intellectual property (physically or electronically) in the context of a malicious company insider are closely interrelated, as some common prevention mechanisms can be adopted for both.

According to the recent article by Mikael Ricknas, cell phone prototypes were stolen from the company by its own employee. As Mikael points out, despite the fact that total cost did not exceed about $90000, there could have been bigger indirect losses if competing companies were made aware of these designs.

As one of my employers at one of the security companies I worked for mentioned, “opportunity” is the key word for why thefts occur. Company employees often have the most such opportunity. Even employees with good intentions, as mentioned in an article by Alex Johnson, “Cybercrooks’ best friend? Experts say it’s you,” are among the biggest threats to company security.

Depriving company employees of all such opportunities is an impossible task as long as it has employees, but significantly reducing the chances of such breaches occurring is possible by at least two well-known means. The latter article mentions the commonly cited policy of “least privilege” as one of the ways of prevention. Also, electronic monitoring and recording of activities and making employees aware of such monitoring, or at least creating an impression of the existence of such monitoring, could be another one of the most effective methods for deterring or shifting away such crimes.

Some ethical issues, such as privacy protection and employer-employee trust, will apparently arise from overusing some of the methods, and companies will always have to find a good balance. Although Sony Ericsson did not appear to disclose many details about the event, it is undoubtedly beneficial for society in general that crimes of this type are made public, as it emphasizes the problem and (if an arrest followed) can serve as yet another deterrent.

Filed under: Current Events, Ethics, Physical Security, Privacy

Absent student forfeits raffle

By stemcel at 9:23 pm on | 6 Comments

Here at the University of Washington CSE Department we often have events called Tech Talks, where guest companies come in and give a demonstration of their technologies and expertise. Tech talks are usually interesting, and the visiting companies usually bring free company-branded “swag” and often have raffles for bigger, more exciting prizes. But what usually draws hungry CS students (this one, anyway) is the free food that the company inevitably brings. I’ve never won anything.

Last night we had a tech talk given by Palantir Technologies, a very promising-looking company that aims to transform the way people work with large data sets by making it easier to discover and visualize trends and connections in the ever-accumulating mountains of data generated by our modern technological culture. They had a great sales pitch, a fascinating presentation, tons of free swag (hyperbole here, but it was really a lot), and quality free food from Taco del Mar. And at the end of the evening they planned to raffle off an iPod touch. Not everyone stayed for the whole event, but as it wound down the time for the raffle finally came.

Filed under: Current Events, Ethics, Integrity, Physical Security

Current Event: Government plans massive internet backbone security upgrade

By Erik Turnquist at 9:15 pm on | 2 Comments

The U.S. Federal government is planning to spend millions of dollars upgrading the backbone of the internet’s routing system. Specifically the Department of Homeland Security (DHS) is planning to quadruple its budget for improvements (from $600,000 to $2.5 million per year), which supposedly should improve the security of communications on the internet.

By implementing these changes, the DHS hopes that man-in-the-middle attacks as well as the modification of data can be prevented. These upgrades target two major portions of the internet’s infrastructure: the Border Gateway Protocol (BGP) and the Domain Name System (DNS). For BGP, the updated protocol will be called BGPsec. This adds digital signatures to BGP announcements. Security researchers have claimed that BGP is one of the weakest links of the internet because of its numerous vulnerabilities. Attacks against this protocol can be disastrous because they are often targeted at large portions of the infrastructure and not individual hosts. For DNS, the improved DNSSEC will hopefully make it harder for attackers to hijack web traffic because hosts will be able to verify their domain names and IP addresses with digital signatures and public-key encryption.

Filed under: Current Events, Policy

Security Review: Implantable Drug Delivery Device

By Orion at 9:08 pm on | 4 Comments

Companies such as the Massachusetts-based biotech company, MicroCHIPS, are developing what they call “intelligent implanted devices” for long-term internal patient monitoring and treatment. Patients who would normally require frequent blood tests, monitoring, or drug injections can instead implant a device which is able to deliver doses of drugs on command or at regular intervals as well as monitor the patient and transmit this data to a receiver. These devices tend to be made of titanium and are currently about the size of an Oreo cookie, but miniaturization is in the works. They have many potential uses, such as continuous glucose level monitoring for diabetic patients, needle-less, pain-less insulin injections on command, scheduled, decreasing doses of morphine for recovering addicts, scheduled and targeted chemotherapy, and frequent and regular release of anabolic agents to treat osteoporosis. A cause for concern, perhaps: the MicroCHIP device can currently be activated and signaled to release drug doses over a wireless link.

Filed under: Security Reviews

Security Review: UW Bookstore

By Frung at 6:56 pm on | 7 Comments

Everyone knows the bookstore sells books only after a tremendous markup. But does that really mean they can afford to employ lax security?

Consider the situation of the books department: all of the textbooks for every class in the university are housed in a single room smaller than the main Kane lecture hall. Much smaller, actually. About half of the floor space is taken up by racks of books. Under everyday conditions this is fine, because generally fewer than ten customers are browsing around at a given time. The problem becomes apparent just before the quarter begins, when the book room becomes so crowded that, standing in the register line, I sometimes think that I’m back in Disneyland, waiting for a ride on Splash Mountain.

Imagine my disappointment when I realize I’m actually in line to empty my wallet in exchange for ten pounds of paper.

All these bodies in such a small area can help to hide a malicious book-snatcher masquerading as a customer. Booknappers need simply gather target books into their backpacks and force their way upstream around the registers and out of the store. The UW bookstore provides no substantial countermeasures.

Filed under: Physical Security, Security Reviews

Security Review: Edible Chips

By cuijunwu at 6:14 pm on | 2 Comments

The California-based company Proteus has created an edible computer chip designed to mark a new way of monitoring patient drug intake. The process involves two pieces of technology: a small chip containing sensors and a small patch worn by the patient. The chip is attached to a pill, swallowed by the patient, and then activated once it enters the patient’s stomach. Once activated, the chip sends signals to the patch. The patch can track data like heart rate, respiratory rate, temperature, and body angle. This data is then automatically uploaded via Bluetooth to an online repository and given a timestamp. Doctors can use this data to monitor whether a patient is correctly taking his or her medication or the effects of the medication from the convenience of their cell phones or personal computer. This product, named Raisin, is currently in clinical trials.

Filed under: Security Reviews

Taxpayer Data at IRS Remains Vulnerable

By yonderin at 3:24 pm on | 3 Comments

The Government Accountability Office (GAO) released a report last week stating vulnerabilities in the security system used by the IRS to protect taxpayer data. The report showed the IRS has a number of security issues in the way that it protects sensitive data.

Some of the major security issues include: the IRS doesn’t encrypt certain types of sensitive data, user IDs and passwords can be easily obtained by any user on the network, and they don’t enforce strong password rules for authenticating users.

A lack of an agency-wide security program and no annual review of risk assessment are the root of many of these issues. As a result, the IRS is especially vulnerable to attackers with inside information, which could expose taxpayer and financial data.

The GAO cited several specific security problems. Among those were the following: a contractor-maintained website has exposed usernames and passwords; any authenticated user on the network has access to shared drives containing sensitive data like taxpayer information and Social Security numbers; financial information and account data were transferred from the IRS’s accounting system without first being encrypted; and various security events at data centers were inadequately logged.

The IRS is currently trying to improve its security system. They have taken several steps to do this thus far, including better controls for authenticating users, patching critical vulnerabilities quickly, and forming a better plan for logging critical business processes.

IRS Commissioner Douglas Shulman responded to the GAO report, stating that data security and privacy are of the utmost importance to the IRS, and said that they would release a detailed corrective action plan stating how they would fix the vulnerabilities discovered.

This report by the GAO followed the October release by the general for tax administration that also criticised the IRS’s security controls. That report was mostly critical of the security vulnerabilities found in the new $1 billion system called CADE that the IRS is rolling out to eventually manage all taxpayer accounts. They were also critical of the $700 million system called AMS that is designed to provide faster access to the taxpayer information stored in the CADE database. The report cited several weaknesses with access control, system access monitoring, and disaster recovery involving the CADE and AMS systems, which pose a direct threat to sensitive taxpayer data.

With identity theft rising each year and more and more security breaches occurring, keeping sensitive data is of the utmost importance. The IRS databases contain sensitive information on almost every American citizen. The IRS’s lack of security measures to protect the information of taxpayers could result in a large security breach that could affect millions of Americans. With such a poor security system in place, it is only a matter of time until a security breach occurs unless the IRS acts quickly to implement an agency-wide security plan to keep sensitive information secure.

The fact that these kinds of vulnerabilities exist in a government system housing a wealth of sensitive data on millions of Americans demonstrates the much larger issue today. Too few institutions are concerned with protecting the sensitive data within their databases. Security is still an afterthought: security patches are issued and holes are fixed, rather than developing a secure system from the start. The new CADE and AMS systems the IRS is rolling out are just another demonstration of how systems need to be designed with security in mind from the start, and that simply is still not happening.

Filed under: Miscellaneous

US Passports now all have RFID tags

By qwerty at 1:13 pm on | 4 Comments

The security review on the EU passports reminded me of this one: As of October 2006, all US passports will contain RFID chips in them, which, when read, reveal all the information that is printed on the passport itself, as well as a digital photo of the passport holder. This brings up a privacy issue since basically we will now all be holding passports that can be read without our consent. With an RFID system, data can be read off of the small computer chip inside the passport just by being in proximity to a reader. This means that an adversary can do what is called ‘skimming’, in which they can intercept the transmission between the reader and the passport, obtaining all the passport’s data, undetected. This is very similar to ‘packet sniffing’ on the internet. Just as one can sit in a coffee shop and read your Gmail without you knowing, eavesdroppers can now sit at the airport and read your passport without you knowing.

Filed under: Security Reviews

South Korean Woman Tricks Fingerprint Scanner in Japan

By lidor7 at 12:14 pm on | 5 Comments

Back in April 2008, a South Korean woman who was banned from entering Japan for 5 years slipped through security at airports using a fake passport and some special tape. The immigration control system in Japan features a state-of-the-art biometrics fingerprint scan. Each person is scanned, and their fingerprints are cross-checked with a database containing fingerprints of fugitives and foreigners with deportation records. However, the system, which cost $40+ million USD to implement all over Japan, was defeated using special tape on her fingers.

This security vulnerability came to light when the South Korean woman was spotted in Nagano, Japan in August 2008. She was questioned before being deported, revealing that a South Korean broker supplied her with a fake passport and special tape to trick the fingerprint scanners. It is believed that many other foreigners have entered the country in the same fashion.

It’s interesting to note that the fingerprint scanner was an additional security measure on top of checking passports. The details of the exploit aren’t mentioned in the article, but it may have been the case that the new fingerprint scanners were heavily relied upon to establish identity, and the passports may not have been as closely scrutinized. Preventive measures may have included a closer inspection of passports as well as someone to stand by the fingerprint scanner to verify there’s no “tape” or any trickery going on. Of course, ideally a state-of-the-art fingerprint scanner wouldn’t be tricked by some sort of tape. But without recovering some of the special tape, it may be difficult to design against such an attack. Additionally, the problem with security with hardware is that it’s difficult to fix. You can’t just patch it like you can with software. The biometric scanners cost over $40 million USD, and upgrading them all would be very costly.

What’s interesting about this particular use of a fingerprint scanner that makes it easy to circumvent in this fashion is that rather than establishing an identity to grant access, it establishes identity to deny access. Creating a random fingerprint that doesn’t match a fugitive is much easier than creating a specific fingerprint that matches someone with privileged access.

It’s not clear how the Japanese have reacted to this incident, but I’m sure if such an event occurred in the US, there would be a lot of outcry about what a waste of money it was to implement such systems if they can be so easily circumvented. The question now is, how does one address the issue without spending millions more?

The straightforward and costly answer is to redesign all the fingerprint scanners. This would require some of the tape in order to test against. This is probably a very costly route. Another option is to disregard the security issue and go after the source, the South Korean broker that supplied the tape — a route that the Japanese will probably pursue regardless. Yet another option is to place other security measures to either strengthen the rest of the immigration process (after all, the fake passport defeats the system as well) or to monitor the fingerprint devices more carefully. Likely airports will implement the latter option, since it is relatively cheap and may satisfy the public. However, in general, the public’s trust and belief in high-tech security measures such as biometrics may be somewhat shaken.

This article can be found in several places: [Sydney Morning Herald] or [Daily Yomiuri Online]

Filed under: Current Events

Security Review | SIDA Badges and Airport Access Control

By lee at 2:46 am on | 2 Comments

The Technology

SIDA (Secure Identification Display Area) badges are identification devices issued to airport personnel, which establish which areas of the airport an employee is authorised to access. Each airport has its own SIDA badge classification system and issuing authority. The badges themselves are printed on standard credit card-sized media, with elements such as the employee name, picture and card expiration date printed on the front, along with a prominent colouration and/or lettering, which indicates the access level of the employee. On the back is a magstripe, used to grant access at SIDA entry points, typically in combination with a PIN. In addition, personnel who need to frequently enter and exit sterile areas may be issued badges that can be used to bypass sterile area security screening procedures.

Filed under: Physical Security, Security Reviews