Volume 14, Issue 2

RFID's Security Problem

Technology Review (02/09) Vol. 112, No. 1, P. 72; Naone, Erica

New U.S. passport cards and driver's licenses issued by Washington and New York state are designed to enable U.S. citizens to cross international borders more efficiently through the use of radio frequency identification (RFID) tags containing identity data that can be scanned by readers. But RFID technology has generated controversy because of its potential for privacy infringement, and studies of the new cards indicate that they can be exploited by ID thieves as well as by governments for the purpose of tracking people. Both the federal passport cards and the Washington driver's licenses boast electronic product code (EPC) tags that earned a passing grade from the U.S. Homeland Security Department, and which are inexpensive as well as capable of being read from an unusually long way off. Researchers from the University of Washington and RSA Laboratories see the latter capability as a means to facilitate invasive tracking, and also perceive a privacy issue in the tags' ability to store a unique number. The researchers also conclude that border security would be threatened by unauthorized reading, since the cards' ID numbers can be easily retrieved and therefore easily counterfeited. In addition, the Washington cards' EPC tags can be disabled by a ""kill"" command that is supposed to come from authorized users, and the state's failure to set the PIN on the cards it distributed means that anyone with RFID readers can set it themselves and issue kill orders. Some of the weaknesses in the federal passport cards and the Washington licenses are not apparent in New York's enhanced driver's licenses, which contain chips with serial numbers to guard against counterfeiting. Their memory banks are locked to shield them against unauthorized use of commands, but the New York licenses also raise the same privacy concerns the other cards do.

View Full Article | Return to Top

Researcher Proposes Statistical Method to Enhance Airport Secondary Security Screenings

University of Texas at Arlington (02/03/09)

University of Texas at Austin computational biologist William H. Press says he has developed a better way to select people for secondary security screenings at airports. Press calls the method square root bias sampling, and says it statistically chooses people for extra screening more efficiently and fairly. In security screenings at airports, individuals are taken aside for more thorough screening based on their "prior probability," which could include their ethnic profile. For example, the statistical information used might consider someone from the profiled group, Group P, as 16 times more likely to be a terrorist than someone from the average group, Group A. With square root bias sampling, individuals in Group P would be screened only four times more often then people in Group A, as four is the square root of 16. Fewer people from Group P would face repeated screenings, but they would still be screened more than the average person. The current approach screens the same people over again, which is not the best way to use security resources, Press says.

View Full Article | Return to Top

Mars Rover Recovers After Bout of Amnesia

New Scientist (02/03/09) Courtland, Rachel

On January 25, the Mars rover Spirit failed to perform the day's instructions, and the rover also may have suffered amnesia, as it failed to record its activities in its non-volatile memory. Spirit appears to be operating normally now, but the rover's controllers are still not sure what happened. "At this time, we don't know whether the problem was a one-time eventwhether it was induced by a cosmic rayor whether it might be an indicator of aging hardware," says NASA project manager John Callas. Spirit's controllers originally believed the rover may have remained stationary because it was confused about its location, so the team commanded the rover to orient itself by finding the Sun with its panoramic camera. Spirit pinpointed the Sun, which was several degrees away from where the rover expected it to be, and the team determined that the source of the misalignment was a slight offset in the rover's accelerometers. However, the offset does not explain why the rover did not move, and it is unclear how long the rover operated with the accelerometer glitch. The rover, which has been on Mars for five years, is emerging from its winter hibernation. Over the winter, Spirit was temporarily classified to be in "serious but stable" condition after a dust storm caused the rover's power levels to drop to an unprecedented low. Enough sunlight is now reaching the rover's solar panels to provide it with enough power for more than an hour of activity.

View Full Article | Return to Top

Student Open Source Software Brings Personal Finance to the iPhone

Rensselaer Polytechnic Institute (02/03/09) DeMarco, Gabrielle

Rensselaer Polytechnic Institute computer science students Amit Kumar and Devin Ross, part of the Rensselaer Center for Open Software, have developed Vault, open-source software for Apple's iPhone that enables users to log, track, and manage their personal spending. "People are always carrying their phone everywhere already," Ross says. "We saw the potential to centralize a task that many people could use daily." Categories such as groceries have been programmed into Vault, but users will be able to add categories for other expenses. The software logs the transaction and modifies the user's account balance. Kumar and Ross have designed Vault to use the global positioning system to find the closest bank branch, and allows users to link to the bank's Web site or place a call to the bank. Users do not log their personal account information into the software.

View Full Article | Return to Top

Catalonian Researchers Design Smart Room

Plataforma SINC (02/04/09)

Researchers at the Polytechnic University of Catalonia in Spain have developed a "smart room" that can interact with people. The room contains 85 microphones and eight cameras that serve as the eyes and ears of a projected talking head capable of recognizing speakers and focusing on their position. The room is intended to change how users interact with computers by presenting an interface that more closely resembles what humans are accustomed to. "We don't interact with another human with a monitor, keyboard, and mouse, rather we talk to a person, who sees us and reacts accordingly," says project researcher Josep Ramon Casas. "This room works in the same way." When a person enters the room, a multi-mode detection system is used to detect and analyze the individuals. The room's cameras and microphones allow it to see and hear what is going on inside, and to react when addressed by a person. Casas says the projected head moves in sync with its speech, and can move to look at the person it is talking to. He says the room is meant to provide the information-based functions that modern computers provide, but in a more innovative and natural way. The researchers say the smart room could be applied to an educational environment. During a class, the room could alert the teacher when students raise their hand, play a message to continue the lesson if the teacher leaves, help students complete tasks on time, and provide students with homework reminders when they leave.

View Full Article | Return to Top

W3C: Interoperability Key to Social Networking

eWeek (02/04/09) Taft, Darryl K.

A World Wide Web Consortium (W3C) report on the future of social networking calls for an interoperable distributed social Web framework. The report says social networking applications should share profiles and data across networks so companies can offer new Web 2.0 applications. The report, based on the W3C's Workshop on the Future of Social Networking, noted that social networking sites are hindered by a lack of interoperability. Workshop participants said that enabling users to share profiles and data across multiple networks would allow social networking sites to grow and create possibilities for a decentralized architecture for the social Web. Workshop participants also noted that many users are unaware of the impact of social networking on their privacy. The two-day conference focused on a variety of topics, including the nature of less centralized and more distributed social network architectures, the increase of contextual information associated with social networking users, and the tendency for existing social networks to exclude potential users with disabilities or mobile devices.

View Full Article | Return to Top

Google Makes it Easy to Spy on Kids, Workers

Associated Press (02/05/09) Liedtke, Michael

Google recently upgraded its mobile maps software with a feature called Latitude that allows users with mobile devices to automatically share their location with others. The feature expands on a tool released in 2007 that allows mobile phone users to check their own location on a Google map. The new feature raises several security concerns, but Google is trying to address this issue by requiring each user to manually turn on the tracking software and making it easy to turn off or limit access to the service. Google says it will not retain any information on its users' movements, and that only the last location recorded by the tracking service will be stored on Google's computers. The software uses cell phone towers, global positioning systems, or a Wi-Fi connection to find users' locations in the United States and 26 other countries. Each user can decide who can monitor their location. Latitude will initially work on Blackberrys and devices running on Symbian software or Microsoft's Windows Mobile. Eventually the software will be able to operate on some T-1 Mobile phones running Google's Android software and Apple's iPhone and iTouch devices. Google also is offering a PC version of the feature. The PC program will allow people who do not have a mobile phone to find the locations of contacts or keep track of their children.

View Full Article | Return to Top

NASA Fashions Mountain Climbing Robot

Network World (02/05/09) Cooney, Michael

The U.S. National Aeronautics and Space Administration (NASA) has unveiled Axel, a prototype rover that is capable of traversing extremely rough terrain, including rappelling off cliffs, traveling over steep and rocky terrain, and exploring deep craters. NASA says Axel could help future robotic spacecraft better explore and investigate foreign planets such as Mars, and help search-and-rescue missions explore dangerous terrain on Earth. The single-axel robot contains computing and wireless communications capabilities, has an inertial sensor for autonomous operations, and is capable of operating upside down and right side up. Axel also has a tether that allows it to attach to and descend from a larger lander, rover, or another anchor point. The single-axel design allows the robot to be part of a larger system in which an Axel robot could be deployed by a larger rover to explore steep terrain, or multiple Axel rovers could be coordinated in a variety of configurations to carry larger payload modules. Axel also could become part of the Energetically Autonomous Tactical Robot (EATR) project that NASA recently announced. The EATR project is intended to develop and demonstrate an autonomous robotic platform capable of performing long-range, long-endurance missions without the need for manual or conventional re-fueling.

View Full Article | Return to Top

Ballot Box Blues Continue

Government Computer News (02/05/09) Jackson, William

Nearly a quarter of U.S. overseas and military voters who requested ballots for the 2008 Presidential election did not receive them, and 40 percent received ballots too late to be sure they would be returned in time to be counted, according to a survey of 24,000 overseas and military voters conducted by the Overseas Vote Foundation (OVF). During the 2008 election, about 4.75 million voters used three OVF Web sites to help them cast ballots in their respective state elections. State programs that allow the use of email messages and faxes to request absentee ballots in the past election did not appear to help very much, as nearly 24 percent of respondents who emailed requests and 21 percent of those who faxed their requests did not receive ballots. A common problem is the length of time it takes for paper documents to reach voters and election officials through traditional mail. OVF president Susan Dzieduszycka-Suinat says voters also are partially to blame, as they do not read and follow instructions. For example, many states that allow emailed and faxed registration forms or absentee ballot requests require that electronic requests be verified by signed copies sent by mail, a step that is often ignored by voters. Dzieduszycka-Suinat says a better solution is to allow the electronic delivery of blank ballots to voters, which is supported by the National Institute of Standards and Technology (NIST). Ballots could be securely distributed by telephone, fax, email, and Web-based services using existing technology safeguards, NIST says.

View Full Article | Return to Top

Engineering Graduate Student Narrows Gap Between High-Resolution Video and Virtual Reality

UCSD News (02/04/09) Siedsma, Andrea

University of California, San Diego (UCSD) graduate student Han Suk Kim has developed a "mipmap" algorithm that reduces high-resolution video content so it can be played interactively in virtual-reality environments (VEs). Kim also has developed several optimization solutions that will allow for a stable video playback frame rate, even when the video is projected onto non-rectangular VE screens. Jurgen Schulze, Kim's advisor and a project scientist at UCSD's division of the California Institute for Telecommunications and Information Technology (Calit2), says Kim's algorithm will allow for the display of super high-resolution 4K video in Calit2's virtual auditorium. Kim developed his algorithm from a technique called mipmapping, which is used to design computer games, flight simulations, and three-dimensional (3D) imaging systems. Using mipmapping to reduce the level of detail and downscale the size of high-resolution video allows for the streaming of video in real time at 25 frames per second. Kim added various optimizations for constant frame and rendering rates, which enabled him to rotate, zoom, and manipulate the video playback screen to create a fully interactive, 3D experience. "Our approach reduces the memory required to display high-resolution images, depending on distance and visual perspective," Kim says. "If the area is big and close to the viewer's face, the video is streamed at a high resolution; if it's small and far away from the viewer's face, it's streamed at a low resolution."

View Full Article | Return to Top

The Cybercrime Wave

National Journal (02/07/09) Vol. 41, No. 6, P. 22; Harris, Shane

The online crime business has never been better and the rising threat of cybercrime stems from criminals' realization that the Internet offers a more profitable, efficient, and less risky avenue for theft than physical attacks. Online fraud cases referred to the Internet Crime Complaint Center in 2007 totaled $239 million, and a Symantec study of online criminal behavior and its accompanying business models concluded that credit card data is the item most sought after by online black marketeers. RSA Security researcher Uriel Maimon says the cyber black market has a global outsourcing model in which hackers in different nations sell or rent their tools or services to criminals in other nations. An increase in fraud is inevitable as growing numbers of people pay their credit card bills online, open electronic brokerage accounts, or bank on the Internet. TJX was struck by a massive network intrusion in 2006 wherein tens of millions of account numbers were compromised, while in January payment processor Heartland Payment Systems reported an even larger data breach possibly orchestrated by "a global cyber-fraud operation," says Heartland's Robert Baldwin. The incident has spurred Heartland to develop "end-to-end encryption" to shield information as it passes through the network or is stored in databases. Intelligence and security officials also are concerned that tools and methods used by cyber-thieves could be employed by cyber-terrorists or nation-states to inflict damage on the U.S. economy. Computer-security consultant Tom Kellermann says that government, and not the market, is the only body that can fight cybercrime in a consistent manner. "The reality is, we've been building our vaults out of wood in cyberspace for too long," he warns.

View Full Article | Return to Top

Revolutionary Microchip Uses 30 Times Less Power

Rice University (02/08/09) Ruth, David

Rice University scientists have developed a microchip that runs seven times faster and uses 30 times less power than existing chip technology. Rice professor Krishna Palem says the chip's technology, dubbed probabilistic complementary metal-oxide semiconductor (PCMOS), builds on the CMOS technology already used by chip manufacturers, which means chipmakers will not have to buy new equipment to produce PCMOS chips. Palem says PCMOS uses probabilistic logic, a new form of logic developed by Palem and doctoral student Lakshmi Chakrapani. "A significant achievement here is the validation of Rice's probabilistic analogue to Boolean logic using PCMOS," says Intel's Shekhar Borkar. "Coupled with the significant energy and speed advantages that PCMOS offers, this logic will prove extremely important because basic physics dictates that future transistor-based logic will need probabilistic methods." Silicon transistors become noisy as they get smaller, and engineers have solved this problem by increasing the operating voltage to overpower the noise, making smaller transistors more power-hungry. PCMOS lowers the voltage and deals with noise and computational errors by embracing the errors and uncertainties using probabilistic logic, Palem says. The PCMOS prototypes are application-specific integrated circuits specially designed for encryption. The researchers plan to follow up their proof-of-concept work on encryption with proof-of-concept tests on microchips for cell phones, graphics cards, and medical implants.

View Full Article | Return to Top

Google Earth Dives Deep, Filling in Its Maps' Watery Gaps

New York Times (02/03/09) P. D3; Revkin, Andrew C.

When Google Earth first launched, the two-thirds of the planet that is covered by water was simply left blue. "We had this arbitrary distinction that if it was below sea level it didn't count," says Google's John Hanke. Google is now adding more data on bodies of water so new programming and data collection can be used to simulate oceans. The ocean images will soon undergo the most significant of several upgrades planned for Google Earth. Google also will add another feature, called Historical Imagery, which will enable users to scroll backward through decades of satellite images to watch how suburbia or coastal erosion affects the landscape. Another feature, called Touring, will allow users to create narrated, illustrated tours both above land and below the surface of the water to show off a hike or scuba diving spot. The effort to fill in the oceans started two years ago when Hanke met Sylvia Earle, a former chief scientist at the National Oceanic and Atmospheric Administration. Earle told Hanke that she loved how Google Earth showed users how one area relates to another, but asked why the water had been ignored. Since then, Earle and Hanke have worked to incorporate the oceans into Google Earth. Earle, Hanke, and others believe that adding bodies of water to Google Earth will help people see how they are connected to the oceans and increase public support for marine conservation.

View Full Article | Return to Top

Software Could Save Organizations 13,000 Pounds Each Month

University of Liverpool (02/05/09) Spark, Kate

Wasted computer power has prompted systems experts at the University of Liverpool to develop PowerDown, software that automatically shuts down computer systems after usage. At the Liverpool library, for example, 1,600 PCs were wasting 20,000 kilowatts (kW) each week. Liverpool's Lisa Nelson, who developed the software, says a PC left on 24 hours a day but used only 40 hours a week uses about 17 kW of electricity and wastes 13 kW. "That figure does not take into consideration other costs such as in air-conditioned buildings, where additional cooling is required to remove the heat created by active computers," Nelson says. The software automatically shuts computers down when they are left unused for half an hour. "PowerDown is simple to install and staff can choose to opt out if, for example, they are running particular software on a machine overnight without a user being logged in," she says.

View Full Article | Return to Top

GP Software 'to Prevent Heart Disease'

University of Nottingham (02/04/09) Thorne, Emma

QResearch, a not-for-profit partnership between the University of Nottingham and healthcare provider EMIS, has developed QRISK2, software that will help general practitioners more accurately assess which patients are the most at risk of developing heart disease. QRISK2 uses a new cardiovascular disease (CVD) equation based on 15 years' worth of primary care data to estimate an individual's risk of developing heart disease over the next 10 years. EMIS created a database of anonymous data collected from the health records of more than four million patients. Researchers from the universities of Edinburgh and Queen Mary, and Bristol and Medway Primary Care Trusts, were also involved in the project. QRISK2 accounts for the higher risk of developing CVD in patients from deprived areas and certain ethnic groups. QRISK2 also accounts for other risk factors, such as whether the patient already suffers from another pre-existing condition such as diabetes. "It will arm doctors with all the information they need to decide how best to target patients with preventative measures such as lifestyle advice and cholesterol-lowering treatments," says Nottingham professor Julia Hippisley-Cox. "We believe this formula has the potential to save many thousands of lives, by helping clinicians to more accurately predict those at risk of developing cardiovascular disease."

View Full Article | Return to Top

Wi-Fi Networks Offer Rich Environment for Spread of Worms

Government Computer News (01/30/09) Jackson, William

Malicious software code could infect an entire city in a period of several weeks by traveling over Wi-Fi networks that overlap each other, concludes a study by Indiana University computer scientists and researchers at the Complex Networks Lagrange Laboratory at the Institute for Scientific Interchange in Turin, Italy. The study found that the malicious code was able to spread over the networks because Wi-Fi hardware uses interoperable standards. Compounding the problem is the fact that many Wi-Fi users do not set up the security features on their routers and access points. However, the study noted that no hacker has yet taken advantage of the weaknesses of Wi-Fi to unleash a virus on an entire city. This is because the density of Wi-Fi networks has only recently reached the point where an epidemic outbreak would be possible, and because of the difficulty involved in writing malicious code for Wi-Fi routers. The study's authors note that hackers could be prevented from transmitting malicious code via Wi-Fi networks altogether if Wi-Fi users used strong passwords and Wi-Fi Protected Access technology instead of Wired Equivalent Privacy protocols. If these security measures were implemented in just 60 percent of Wi-Fi routers, malicious code could be stopped before it spread through an entire ecosystem.

View Full Article | Return to Top

NIST updates recommendations for IT security controls

By William Jackson

Draft release of FISMA guidance reflects changes in the threat environment and efforts to establish a common security baseline for IT systems across government

The National Institute of Standards and Technology has released an initial draft for public comment of a revised version of its Recommended Security Controls for Federal Information Systems and Organizations.

Although this is Revision 3 of Special Publication (SP) 800-53, NIST calls it the first major update of the guidelines since its initial publication in December 2005. NIST tries to revisit its security guidance every two years and update them as needed, said senior computer scientist Ron Ross. But revising a 200-plus-page comprehensive set of recommendations is expensive and time-consuming.

“We don’t want to undertake it unnecessarily,” Ross said. “But the threat environment has changed quite a bit and we’ve learned a lot in that time from the agencies in their implementation of the controls. All of this made a compelling need to do an update.”

SP 800-53 is part of a series of documents setting out standards, recommendations and specifications for implementing the Federal Information Security Management Act (FISMA). It is intended to answer these questions:

* What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
* Have the selected security controls been implemented or is there a realistic plan for their implementation?
* What is the desired or required level of assurance (i.e. grounds for confidence) that the selected security controls, as implemented, are effective in their applications?

View Full Article | Return to Top

Recommended Security Controls for Federal Information Systems and Organizations

THE NEED FOR SECURITY CONTROLS TO PROTECT INFORMATION AND INFORMATION SYSTEMS he selection and implementation of appropriate security controls for an information system4 are important tasks that can have major implications on the operations5 and assets of an organization6 as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:

•What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
•Have the selected security controls been implemented or is there a realistic plan for their implementation?
•What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective7 in their application?

The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks8 arising from its information and information systems.9 The security controls defined in Special Publication 800-53 (as amended) and recommended for use by organizations in protecting their information systems should be employed in conjunction with and as part of a well-defined and documented information security program. The information security program management controls described in Appendix G, complement the security controls for an information system described in Appendix F by focusing on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.

View Full Article | Return to Top

From the Trenches

By SANS Ouch!

A computer used by one of our staff was compromised in December, and began sending email
advertisements for Viagra and Cialis to large numbers of addresses. We caught it fairly quickly
because we have monitors that look for that kind of behavior on our network. An analysis of the
computer showed that it had been infected when the user visited a small Mom-and-Pop type arts
& crafts store on the web. The Mom-and-Pop website had been “re-programmed” by someone in
Ukraine to send a blast of software attacks at anyone unlucky enough to visit it. One of these
attacks was directed against a vulnerability in a version of Apple QuickTime released just two
weeks before the attack. Symantec Anti-Virus stopped all of the attacks except the QuickTime
attack. Sadly, it only takes one successful attack to compromise any computer.
Lessons We Learned
Small Mom-and-Pop websites can pose a greater risk than the sites of big vendors like
Amazon.com. Owners of small businesses often don't have the expertise or resources to protect
their sites from being compromised and used by Bad Guys. Once a website has been
compromised, it can then be used to attack your computer.
Anti-virus is still a necessary defense, but it can’t do the whole job. In the past, computer
criminals wrote viruses that broadcast themselves all over the Internet, making it easier for antivirus
companies to identify them and develop a countermeasure quickly. Now, attacks are much
more targeted and the criminals have gotten better at making attack software that is harder to
detect. Anti-virus makers are finding it difficult to keep up with the criminals.
Bad Guys are targeting many applications that run on your computer, as well as the operating
system. The campus computer that was compromised was completely up-to-date with its
Windows security patches. But in order to keep your computer secure (besides patching
Windows, Internet Explorer, and Office, all done automatically through update.microsoft.com),
you have to patch commonly installed applications like QuickTime, RealPlayer, Adobe Reader,
Adobe Flash Player, and Sun Java, all of which can be attacked through your email or web
browser.

View Full Article | Return to Top

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License