Archive for September 2012
The Washington Post has a good article on social engineering attacks. It is a good treatment of the topic.
Short answer, humans are the weak link, and can be defeated with extremely high probability.
The take away from this whole thing is that we need to be building security systems that don’t rely on humans not being tricked into compromising their own security. A lot of security architects take a “blame the victim” stance. User’s have other things to worry about than security. We need to make sure security happens even if they are not paying attention to it.
Despite all the work on dual factor authentication and other new security methodologies, in general our passwords are the keys to the kingdom.
In many cases, such at ATMs, we are limited to 4 digit numeric PINs.
This post to DataGenetics does a good job of analyzing how bad we are at picking PINs and how easy we make things for the attackers.
It is worth a read.
Short answer: you can hack a over 10% of accounts by guessing “1234″.
The New Scientist has an article on the FBI’s Next Generation Identification (NGI) program.
It started out as a project to replace the old fingerprint database, but will now include biometrics, DNA, voice prints, and facial recognition.
The idea is to database all the mugshots so people can be quickly identified after arrest, or possibly so surveillance video could be compared to the database to identify possible suspects.
Obviously lots of civil liberties issues here, but still a very long way from the paranoid hollywood inspired rantings about real time global surveillance with integrated biometrics.
NBC News is reporting that the iOS UDIDs leaked last week were actually stolen from Blue Toad publishing company. Comparing the leaked data with Blue Toad’s data showed 98% correlation which makes them almost certainly the source.
They checked the leaked data against their own after receiving a tip from an outside researcher who had analyzed the leaked data.
It is certainly possible that this data had been stolen earlier and that, in tracking that crime, the FBI had obtained the stolen information. This strongly suggests that this is not a case of the FBI conducting some kind of massive surveillance activity.
The other possibility is that Anonymous and Antisec are simply lying about the origin of the information as part of an anti-government propaganda campaign.
Either way, it is a big knock on their credibility, unless you think this whole thing is just a conspiracy to protect the FBI.
In the tradition of Jonathan Swift’s “A Modest Proposal” is “The Dictator’s Practical Guide to Internet Power Retention, Global Edition”.
Under the pretext of being a guide on how to crack down on Internet dissent for dictators, it does a nice job of analyzing how the Internet is used by dissidents, and the techniques used by governments to crack down on those practices.
Thanks to boingboing for bringing this to my attention.