Tag: Security
No chance for true security?
by Sky on Jan.28, 2010, under Our networked world, Security, Software and online tools
Is security dead on the Internet? Yeah, it probably is—as long as we rely on software other people have written[1]. Unless you’re capable of writing all of your own software, without any errors, and keeping it isolated from software written by anyone else, you’re never going to have a secure digital life[2].
But there are things you can do to protect yourself. NGO-in-a-box has developed Security-in-a-box, a set of tools and tactics for your digital security. Worth taking a look!
It’s often said that “if we can envision it, we can create it,” but in the world of computer (and network) software this is only partially true. We can attempt to create it, but it will always have bugs in it. And those bugs are the chinks in the armor that allow malware to work and cyberwarfare to succeed.
[1] That’s because I can write a perfect program with no bugs, but nobody else can.
[2] See also The Social Graph of Malware, my site where I explore ways in which social engineering is used by the bad guys to get malware onto your computer.
It’s the User, Stupid (It’s the Stupid User?)
by Sky on Mar.29, 2009, under Organizations and Sociology, Security, Technology and geeky stuff
In The Curious Case of the Invulnerable Browser, Roger Grimes of Infoworld writes about the recent CanSecWest 2009 PWN2OWN contest, where hackers pitted their skills against web browsers to see how quickly they could break into a computer. The prize was the computer itself. Roger says that the state of browser security is actually pretty good, but even if browsers were impenetrable, the major source of computer break-ins is users browsing to a web site that then infects their computer.
Slicing up the Cloud
by Sky on Jan.05, 2009, under Cyber-nomads, Our networked world, Technology and geeky stuff
Cloud Computing: it’s a relatively new term for a relatively old concept. For at least six months now I’ve been thinking about two inevitabilities: 1) that my servers will fail some day soon; and 2) that I may have to rapidly scale (up) some customer’s site because it will suddenly have traffic needs well beyond the capacity of my servers.
The answer is pretty obvious to me – I’ll soon be eliminating my own servers in favor of purchasing computing power in whatever quantities I need at the time, scalable on demand, from one of the cloud service providers that are coming online now.
Let’s be Clear About This – Lots more Laptops will be Stolen
by Sky on Aug.05, 2008, under Identity & The End of Privacy, Security
The Clear program at San Francisco International Airport (SFO) has suffered an almost-predictable blow – a stolen laptop computer containing confidential records.
Clear is the program that pre-screens travelers, collects biometric data, puts this on a smart-card (embedded processor+memory, not RFID) and then allows travelers at a few high-traffic airports to go through a quick-screen line (including a retinal scan to verify ID) rather than stand in lines with un-pre-screened passengers. They still get screened, but they “jump line,” sometimes skipping ahead of a hundred or more who are waiting in the regular lines.
Almost predictably, a laptop containing the data of 33,000 applicants (not participants) was stolen from a secured room at SFO. A spokesperson says “it [the laptop] was protected by two passwords” – but that doesn’t tell us whether the information was encrypted, how secure the encryption was, nor why sensitive information would be on a portable (and thus easy to steal) computer in the first place. (It is pretty easy to bypass password security unless the data is also encrypted – I’ve done it myself more than once on client computers where they’ve forgotten a password – takes about 10 minutes.) And we don’t know what other types of information might be on this computer.
Clear is run by an independent contractor under TSA oversight.
One interesting outcome was the comments ABC7 (San Francisco TV) collected – for instance “Clear customers say the sooner the changes are made the better, although no one seemed too worried about the security breach. ‘Your information is everywhere and people volunteer their information on places like Facebook, on Twitter, on MySpace and stuff,’ … a traveler.” I don’t actually think they understand the breadth of information that was reported to be on that computer – this is information that is to be used in a security screening, not just social security numbers (though those may not have been present), and presumably known only to the applicant – a far broader range of confidential information than most other systems would hold. It just shows that people are resigned to living in a transparent world – probably until they are directly affected, of course.
KTVU also covered this same story. KTVU reports “The TSA requires RT service providers and sponsoring entities to encrypt all files containing participants’ sensitive personal information. Noncompliance with such requirements can result in actions including suspension of a program and possible civil penalties.” I have not verified this, and we don’t know the type of encryption that’s required – for instance a password on a ZIP file is probably not very secure, while encryption with a 2048-bit RSA key would be a lot harder to crack.
I earlier reported on “odd” scanning of my driver’s license at a regional airport, to which TSA replied (in comments on my blog) that it was (probably) an ultraviolet light (blacklight) being passed over the license to be sure it was genuine (this process reveals the “holographic” images in the license’s plastic layers). As I said, I was concerned that any scanned information that passed into a laptop computer allowed potential theft of this confidential information. Well, I guess this Clear incident further emphasizes that security information has no business being stored on a computer that can be physically stolen.