October 31, 2006

Secrecy vs. security

Bruce Schneier, commenting on secrecy versus security, argues that secrecy and security aren’t the same thing and that secrecy makes a poor foundation for security. In the article, he discusses the issue of hiding information about network outages — the FCC wants more information, DHS wants less. Schneier’s argument is that the terrorists will figure out where the vulnerabilities are, but hiding that information from citizens prevents us from exposing those same vulnerabilities to sunshine (the best disinfectant, according to Justice Louis Brandeis).

Hiding in plain sight with steganography

Like many little boys back then, I had a book about the secret world of ninjas, which explained that ninjas would hide “in plain sight” by simply standing where nobody expected to see anything. Despite many attempts, however, someone always spotted me standing against the backyard wall in sunny southern California, dressed head-to-toe in black fabric. Although I wasn’t very successful at hiding in plain sight, many people have long worked to hide messages in plain sight. While cryptography promises to encrypt messages to make them unreadable by those without decryption keys, there’s still a critical flaw – those who intercept the message know that you’re trying to hide something. While strong cryptography might make most computational attacks infeasible, there are other ways to attack – bribery (also known as the purchase-key attack) and the notorious “rubber hose” attack, where one simply beats the key holder until he gives up the key.

Cyberterrorism and “the little things”

Sim City: Terrortown in Posts from Wired 14.10 offers an interesting perspective on cyberterrorism by suggesting that the devil of cyberterrorism is in the details. In a simulation exercise, the cyberterrorists hack into a fictional hospital’s drug dosage database, alter highway message signs, and wreak havoc in small ways. The author, Chris Suellentrop, points out that even in the simulated exercise the most damage was due to a truck bomb, which had the highest death toll. But terrorism isn’t about death; it’s about fear. The CDC estimates that 36,000 people die in the United States every year from flu — a far larger number than the number killed on September 11th. But 9/11 frightens people in a way that the flu doesn’t, and while cyberterrorism might bring the country to the brink of collapse, it offers the potential to exploit the many vulnerabilities that lurk throughout our computer-intensive existence.

April 26, 2006

Public policy and security testing

Imagine that a company keeps its personnel records behind a locked door at corporate headquarters, with a slot in the door for people to submit applications. An applicant slides in his application and then, wondering whether his own personal information is secure, tries the doorknob and, to his surprise, it turns. He enters the room to see a pile of applications on the floor, copies several of them to prove the door was unlocked, and then calls a reporter to say that Company X’s personnel records are poorly protected. What’s the appropriate penalty in this case for the applicant? What if the company hires a locksmith who spends two weeks fixing the lock, preventing the company from accepting job applications? Is the original applicant responsible for the financial loss to the company, which can’t accept applications for two weeks?

April 18, 2006

Introducing the Eller Security Lab

The MIS Department, in collaboration with the School of Public Administration and Policy (SPAP), has recently begun several initiatives in teaching, research and community outreach in information security.