Category Archives: Security

Little black helicopters from space

It might seem overly tongue-in-cheek at first glance, but the Register’s ongoing coverage of Google satellite imagery has some interesting implications for privacy and information control. In general I think it good that we have better navigational aids, but clearly there will be some issues for anyone who is trying to fly below radar, so to speak. It actually reminds me of sand dunes in Baja that do a poor job of hiding Mexican military equipment from ground view, yet from the sky…

On a slightly-related note, the flashearth site has a nice view of what future interfaces couold look like. I wonder if anyone at Google is working on (or cares about) flat map distortion characteristics?

Shared secret exposes CA sensitive data

Weak algorithms (e.g. your name and and a shared secret) used to “seed” new systems are another area where two-factor authentication (TFA) can really help improve security.

Here’s a story from the San Francisco Chronicle that illustrates how things might happen now if unique and random passwords, let alone TFA, are not planned for the system launch:

“The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.

Teacher names and employee identification numbers are also visible to anyone logging onto the system, which is used locally by school districts including San Francisco, San Jose and Hayward.

The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox.”

Schneier on the ATM story

Bruce Schneier picked up the ATM story today on his blog, with an interesting perspective. He says “how lucky everyone was”…I posted something in his comments section about the liability issues raised in the article, which is where I felt I would have been headed anyway.

Bruce also has added an excellent link to Ross Anderson’s page regarding phantom withdrawls.

Time to give this trackback thingy a try…

ATM Fraud and Bank Security

The Register has a fascinating report on how British Banks failed to deal with the fact that phantom withdrawls from ATMs were a real problem, until a man of integrity discovered it and (arguably) saved the system:

“This is the story of how the UK banking system could have collapsed in the early 1990s, but for the forbearance of a junior barrister who also happened to be an expert in computer law – and who discovered that at that time the computing department of one of the banks issuing ATM cards had “gone rogue”, cracking PINs and taking money from customers’ accounts with abandon.”

I posted it on Bruce’s blog today as well:

http://www.schneier.com/blog/archives/2005/10/us_regulators_r.html#c21979