April 30, 2008

Inside Security News
Files on Publicly Accessible Machines

It has been a while since there has been a post on the Uni. Security Blog. There is a good reason: lots of work, as you would have guessed.

So what has happened recently that made me come out of my hole to write something?

InfoSecurity Europe 2008 for starters.

Yes, we went to it and had a fun time looking around at what is new and hip in industry (from an IT security point of view). And yes, we got a few freebies (mainly pens). Undergrads and graduates might be interested in visiting the exhibition, as companies have someone from HR hunting for new blood. There were also lots of free training sessions and seminars (and lots of info can be found on the site http://www.infosec.co.uk). I still have no idea why Google was there showcasing their premium email service (how about we argue about Google being more secure than your Outlook server?). At least they were there, unlike Symantec, which just had a sticker on a pillar under HP. Overall, it was great. If you want to go to the talks you need more than one day though!

...and security at Glamorgan Uni.

Before the Uni. administrators start going crazy, let me make it clear that I am not attacking any of their systems or methods. Having said that, let me get started. I skim-read (as if you don't skim-read things!) a great article on 'The Psychology of Security' by Ryan West, Communications of the ACM (Vol. 51, No. 4, 2008, pp. 34-40) and excerpted the following:

‘Risk and uncertainty are extremely difficult concepts for people to evaluate. For designers of security systems, it is important to understand how users evaluate and make decisions regarding security.

Users aren't stupid, they're unmotivated. ...To conserve mental resources, we generally tend to favor quick decisions based on learned rules and heuristics. While this type of decision making is not perfect, it is highly efficient. It is efficient in the sense it is quick, it minimizes effort, and the outcome is good enough most of the time. This partially accounts for why users do not reliably read all the text relevant in a display or consider all the consequences of their actions.' (Do I hear someone saying 'like you, skim reading'?)

Where am I going with this excerpt? After sitting at one of the PCs in the 24-hour Open Lab (J1), I found a range of interesting information left behind by students who had previously been using the machine. The amount of assignments, dissertations and personal items (e.g. photos) just sitting on the machine, waiting for someone else to come along and pick them up, is tremendous. It is important to remove your work to stop others from making copies of it.

With this post I would like to raise student awareness about saving work locally on publicly used machines. Why? Because anyone can access a document and plagiarise or copy it. Save all your work and documents to a personalised folder and delete it once you have transferred your work to a USB stick or CD.

November 21, 2007

To be (encrypted) or not to be? That was the question.

Yesterday was an eventful day in British news, as far as computer security is concerned at least. No, I am not talking about the 'Windows random number generator is so not random' story [1, 2], by which all cryptographic systems using the Windows operating system's (here Windows 2000) pseudo-random number generator (PRNG) are vulnerable.

Update: Computerworld.com reported [5] that Windows XP contains the bug and that a fix will be provided with SP3 (out next year). Also...

'...Windows Vista, Windows Server 2008, and Windows Server 2003 SP2 are not affected... '
'Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch.'

I am talking about the 25 million records [3] that were stored on two disks and were lost while in transit (by unrecorded delivery) to the National Audit Office. The disks included names, addresses, dates of birth, national insurance numbers and bank accounts. They did mention they were protected by a password. Nice one!

The second interesting piece of news from yesterday was that of the animal rights activists [4] having to surrender (Section 51) any cryptographic keys they know, or make the encrypted information 'intelligible' (Section 49), under RIPA. This is of special interest as it is the first case in which the new sections of the Regulation of Investigatory Powers Act (RIPA) are being used.

An interesting mention on the BBC News [4] site is that: 'The BBC news website talked to one animal rights activist who had their computer seized in May and has received a letter from the CPS.' Poor employee; do you think the BBC will think twice before interviewing an activist again?

Future watch: let's see what happens when pharmaceuticals start producing an 'acute Alzheimer's disease for a year' pill. Oh right... encryption will be so weak with bad implementations that we won't need the keys anyway.

Links Used:
[1] 'Windows random number generator is so not random' - http://www.theregister.co.uk/2007/11/13/windows_random_number_gen_flawed/

[2] Leo Dorrendorf and Zvi Gutterman and Benny Pinkas, 'Cryptanalysis of the Random Number Generator of the Windows Operating System', ACM CCS 2007 conference - http://eprint.iacr.org/2007/419

[3] 'Darling says 25m records 'lost'' - http://news.bbc.co.uk/2/hi/uk_news/politics/7103566.stm

[4] 'Campaigners hit by decryption law' - http://news.bbc.co.uk/2/hi/technology/7102180.stm

[5] 'Microsoft confirms that XP contains random number generator bug' - http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9048438