Bike locks

With many people living off campus, biking is a popular method for getting to class in a timely manner. Bikes can be quite expensive, however, and riders are usually forced to put them in a public location (for the sake of convenience/necessity). As such, there are some security measures that can be taken to deter thieves from stealing these expensive publicly-displayed commodities. The most common (and only?) tool used to this end is a bike lock. For those of you who don’t know, bike locks are basically some loop of metal that has a lock to break the continuity. The two types I’m familiar with are the U-shaped locks (with a bar across the top of the U containing a lock) and, more commonly, the snake of heavy cable that has a lock in the middle somewhere. With bikes as prevalent as they are, keeping them from getting stolen is a high priority.

Posted in Availability, Physical Security, Security Reviews | 4 Comments

Security Review – The USPS Mailbox

Overview

The blue USPS mailbox, a ubiquitous object on American streets today, is one of the most recognizable security devices currently in use. Despite its many shapes and sizes, its purpose boils down simply to one of protection of privacy, integrity, and access control. Customers who drop off letters or packages in a mailbox expect their mail to be protected from the prying eyes of strangers, safe from theft, and handled only by authorized USPS personnel. Indeed, the promise of security has helped the USPS to remain competitive over the years.

Posted in Physical Security, Security Reviews | 2 Comments

RFID embedded in prisoners

The UK has proposed to embed offenders with RFID chips as part of an expansion of the electronic tagging scheme that would allow British officials to help enforce home curfews. This sort of tagging already exists within pets like cats and dogs that have been properly licensed. The RFID tag will contain information about who they are, where they live, and the offending record. This technology would be used to keep certain criminals out of certain hot zones where a crime may occur, for example, a sex offender entering a school zone.

Posted in Availability, Integrity, Privacy, Security Reviews | 5 Comments

Security Review: “Biometric” Passports

I recently had to get a new passport; one with a computer chip, and a handy brochure touting why it was so great, and how I was protected by a “two tier system.” This post is to analyze these “Biometric Passports,” their current defenses, as well as possible security vulnerabilities and possible repercussions of their use. Can anyone say people tracking?

Posted in Miscellaneous, Security Reviews | 3 Comments

Security Review – Fire Hydrants

This is a security review of a fascinating device known as a fire hydrant. To state the obvious, a fire hydrant is designed to allow certain city personnel (firefighters) access to high pressure water in the case of an emergency. They need quick access and proximity to the water, so hydrants must be scattered throughout the city (or campus). Because there are so many of them, they should be cheap to make and cheap to keep adversaries from tampering with them.

Posted in Physical Security, Security Reviews

“The Club” as a vehicle theft deterrence

Steering wheel locks, in particular The Club,[1] are a standard method for securing automobiles against theft. They work by attaching to the steering wheel in such a way that the wheel cannot be turned sufficiently for driving, and then locking in place until unlocked with a key. They are simple to use, compatible with essentially any vehicle, and when in place are an effective theft deterrent. The following is a review of the Club and similar fork-based steering wheel locks.

Posted in Physical Security | 5 Comments

Security Review – Parental Controls for TV

Summary

Parental controls on television sets (or on the Internet, or mobile phones, etc.) allow parents to restrict the media to which their children have access to an age-appropriate level. Parental controls allow parents to restrict access to television based on a variety of different factors, including rating, the content that produced the rating (e.g., violence, language, nudity, etc.), and occasionally even the time that the shows are on (no movies after 11:00PM, kids). Of course, sometimes cartoons can get a little raunchy while still technically meeting none of the filter criteria, so parents can also block shows individually.


Posted in Miscellaneous, Physical Security, Security Reviews | 2 Comments

Security Review – Parking Meters

Summary

Parking meters are a common access control system used by thousands of people every day. There are many types of meters but for this assignment I will conduct a security review on a specific one. The meters I will discuss are located in the U-District and make use of tickets that drivers must place on their car window. The tickets display an expiration date and time in addition to a barcode that can be scanned to ensure validity. They also have some extra markings which I assume are there to make counterfeiting more difficult.

The system is designed to control the number of cars that can park in a given zone, usually in densely populated areas. Each driver that parks in a designated spot must retrieve a ticket from a nearby electronic parking meter. At the meter the driver electronically enters the desired time he/she wishes to reside in the parking spot (usually with a maximum of two hours) and then pays using a combination of coins, bills, and credit/debit cards. Once payment is confirmed, the machine prints out a ticket which the driver then places on the inside of his/her car window.

Of course, all this is useless without means of enforcing proper use of the system. In order to do this, a specially designated police force, or meter maids, patrol parking meter zones and periodically check meter tickets for validity. If a car is found with an expired ticket, invalid ticket, or with no ticket at all, the meter maid takes down the make, model, and license plate number of the vehicle and issues the owner of the vehicle a fine.

Assets and Security Goals

  • The parking spaces themselves are assets. The entity who owns the spaces would like to ensure that no one is illegally utilizing their property.

  • Potential earnings from those parking in the spaces are another asset. The owner of the space would like to generate as much revenue as possible from the drivers using their service. This includes preventing freeloaders from taking spaces that potential paying customers would have otherwise taken.

Adversaries and Threats

  • Drivers who park in metered spaces are potential adversaries. If they find ways to cheat the system, they are not only utilizing the actual property for free, but they are also robbing the owner of potential revenue.

  • Random vandals are also potential adversaries. Vandals might deface, damage, or destroy parking meters around the city.

Potential Weaknesses

  • Insufficient amount of law enforcement officers to enforce correct usage. If there are not enough cops, then people will abuse the system more often.

  • Possibility of counterfeiting meter tickets. It might be possible for clever individuals to counterfeit the meter tickets and get by without ever paying for parking.

Potential Defenses

  • The obvious way to curb the potential weakness of too little law enforcement is to simply task more law enforcement officers to the job. There are, however, other ways to enforce the parking zones. For instance, automated sensors placed around the parking area could tell how long a particular car has been parked there. Through wireless transmission, the sensors could report back to the main meter machine, which could photograph license plates of illegally parked vehicles.

  • In order to stop people from counterfeiting tickets, you simply need to make the tickets very difficult to replicate. This is currently done in two ways. One, the tickets have various designs that would be fairly difficult to copy, and two, there is a barcode on each ticket that somehow conveys to the meter maids whether or not the ticket is valid.

Risk Evaluation

Weighing the potential weaknesses against the potential defenses gives one the idea that parking meters are relatively insecure. It would not be incredibly difficult for an adversary to take free space from the parking spot owner, and in turn rob them of potential revenue.

It seems to me the biggest weakness is the fact that there simply aren’t enough law enforcement officers tasked to the meters to make the threat of a ticket very intimidating. Considering this fact, if one were to do a moderately good job of counterfeiting tickets, even if they had invalid barcodes, they would probably be able to at least break even in terms of money saved on parking vs. amount paid in parking tickets. Law enforcement officers would likely see the ticket and move on.

Conclusion

Even though it is fairly obvious that parking meters would be relatively easy to cheat, I wouldn’t recommend drastically changing the system any time soon. The truth is, the city makes more money from the parking tickets people receive trying to cheat the system lazily, than they would by actually having those individuals go ahead and pay for the parking in the first place. This is a clear cut situation where both sides can benefit from the perceived lack of security.

Posted in Miscellaneous | 3 Comments
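
The parking meter review's Potential Defenses section says the ticket barcode "somehow conveys" validity. As an added example (not from the original post, and not a description of how the real meters work), one way such a barcode could be checked is a keyed MAC over the ticket fields; the field layout, key and all names below are assumptions.

```python
import base64
import binascii
import hashlib
import hmac

TAG_LEN = 10  # bytes of HMAC-SHA256 kept, so the barcode stays short


def _tag(key: bytes, payload: str) -> bytes:
    return hmac.new(key, payload.encode(), hashlib.sha256).digest()[:TAG_LEN]


def issue_ticket(key: bytes, meter_id: str, zone: str, expires: int) -> str:
    """Meter side: build the barcode text 'meter|zone|expiry|tag'."""
    payload = f"{meter_id}|{zone}|{expires}"
    return payload + "|" + base64.b32encode(_tag(key, payload)).decode()


def check_ticket(key: bytes, barcode: str, zone: str, now: int) -> str:
    """Handheld side: return 'valid', 'expired', 'wrong-zone' or 'invalid'."""
    parts = barcode.split("|")
    if len(parts) != 4:
        return "invalid"
    _meter, ticket_zone, expires, tag_text = parts
    try:
        tag = base64.b32decode(tag_text)
    except (binascii.Error, ValueError):
        return "invalid"
    # Authenticate before trusting any field; constant-time comparison.
    if not hmac.compare_digest(tag, _tag(key, "|".join(parts[:3]))):
        return "invalid"
    if ticket_zone != zone:
        return "wrong-zone"
    return "valid" if now <= int(expires) else "expired"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real one
    ticket = issue_ticket(key, "M17", "UD-3", 1_700_000_000)
    print(ticket, check_ticket(key, ticket, "UD-3", 1_699_999_000))
```

A photocopy of a genuine ticket still verifies under this scheme, so the MAC only rejects altered or invented tickets; duplication is what the hard-to-copy printed designs mentioned in the review address.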

Security Review: Biometrics

Summary

Biometrics is an authentication mechanism that relies on identification or verification based on unique physiological characteristics.  Biometric devices employ fingerprint recognition, hand geometry, retina scanning, and other methods to identify or verify a person based on stored biometric information.  Biometric devices are becoming more prolific and are now standard on many laptops and computers.


Posted in Physical Security, Privacy, Security Reviews | 2 Comments

IMA Locker Security

Summary:

At the UW IMA, members are allowed to check out locker bins for a quarter where they may store their gym apparel. By checking out a bin, members are given a lock to use for the bin. The records of who has what bin and lock are kept in a binder, and the entries are recorded in pencil. In order to register for a bin, individuals must show a gym membership, and for students and staff, that would be their Husky IDs with a current registration sticker. Also, you must fill out a form with your student number, name, e-mail address, phone number, and I believe your resident address. All of this information is kept behind an open counter in the respective locker rooms.

Assets:

  • Gym members would undoubtedly like to keep their information private. Information such as addresses can be very sensitive pieces of information and if compromised can open doors to countless scams and other criminal activity.
  • The IMA takes measures to reduce theft in the locker rooms, and so safeguarding the lock combinations for individuals is an important measure. Once a thief has a combination, it would be very easy to gain access to the bin with the valuables.
  • The bins themselves are assets to the IMA since there are only a limited number of them. Checking out bins and locks to non-members could cause harm to their services due to handling more customers than needed.

Potential Adversaries/Threats:

  • The IMA employees who have access to the records. Employees have the easiest access to the records, and they also have the benefit of being in the locker rooms after hours when no people are present. This combination of circumstances would seem to give employees the best opportunity to be able to steal information or valuables.
  • Individuals who are not members of the IMA. Obviously, the IMA would like to keep out individuals who are not subscribed and paying the quarterly fees so they do not interfere with their business operations by slowing down operations, making equipment sparse, and sucking up their budget in general.
  • Individuals who are members of the IMA. Members of the IMA could have motives to steal from bins in the locker rooms just as much as employees. Although it might be more risky for these individuals, they still pose threats just as employees do.

Weaknesses:

  • Records are kept behind an open counter in a binder or filing cabinet. If the records were left unattended for a short duration of time, they could be easily accessed just by opening a drawer or binder.
  • The records for relating persons to bins/locks are written in pencil. Once these records are accessed, they could be easily and quickly modified (and most likely without a trace).

Potential Defenses:

  • A plastic or glass window could be installed where the counter is for registering a bin much like you see at movie theater box offices. This would prevent an individual from simply hopping the counter and being in the employee restricted area.
  • The records could be computerized. This way, they could be safeguarded by logging into the system. Also, it could be rigged to trace who logs in and when, so use of the records could be traced.

Risks and other issues:

Considering the assets listed above, I would say the private information and the bin/lock information of the members is the item at most risk. This is due to the ease of access to the records behind the open counter. As a secondary result of gathering this information, an individual could then open a bin easily because they would have the lock combination. Thus, stealing the valuables inside the bins would be at less risk than the previous asset since they would either need to successfully steal the combination first or break into the bin using force. Next, considering the threats and adversaries, I believe the employees have the least risk of being found out due to the reasons stated above. Members would have the second smallest risk from the list since they at least have access to the locker room, whereas non-members ideally do not. Finally, of the weaknesses above, I believe the first one listed is the easiest and least risky to pull off. This is due to the fact that modifying the records implies that you have gained access to them already.

I would say it is not likely the current system would evolve unless crime became a more common occurrence. Change requires effort, and the reality is, generally people do not like to put in effort unless it is needed. Also, as long as the system works (crime is not a concern) then why change? I think these are the main motivators which could cause change, so as long as the system maintains as it has, I do not see any foreseeable change.

By exploiting any of these vulnerabilities above, I would say such an act is definitely unethical. Exploiting these vulnerabilities is analogous to stealing, and as a society, we have agreed that stealing is wrong and should be punished. I do not believe this requires any more explanation.

Conclusion:

Although there is not terribly sensitive information kept in the IMA locker records, it is still information that should be kept safer than it is. Many members of the gym keep their backpacks locked up temporarily when they use the facility. What do backpacks contain? Our livelihood as students; our books, music players, phones, laptops, homework, etc. If any of these were to be stolen due to laziness to keep our information safe, it would harm us significantly.

I do not see many individuals or groups who would try to access the IMA’s locker records for our personal information, however. The most sensitive private information they keep is perhaps our addresses and phone number. Perhaps a spammer might want these, or another advertising agent, but parsing large amounts of addresses and numbers from a hard copy source is not efficient. Thus, since the payoff is most likely small, it would seem unlikely that this would happen. It might be more likely that a crazed ex-friend would look up your information for their malicious intents.

Posted in Security Reviews | 1 Comment
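
The IMA locker review notes that pencil entries can be changed without a trace and proposes computerized records that trace who used them and when. As an added example (not part of the original post or of any IMA system), a hash-chained log makes such edits detectable; the field names and sample values are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the first entry


def _digest(prev: str, body: dict) -> str:
    # Canonical JSON so the same body always hashes the same way.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + data).hexdigest()


def append_entry(log: list, staff: str, when: str, action: str, bin_no: int) -> str:
    """Record who did what and when; returns the new head hash."""
    body = {"staff": staff, "when": when, "action": action, "bin": bin_no}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"body": body, "prev": prev, "hash": _digest(prev, body)})
    return log[-1]["hash"]


def verify_log(log: list, trusted_head: str):
    """Return ('ok', None), ('modified', index) or ('head-mismatch', None).

    trusted_head is the last hash as noted somewhere the log's editors
    cannot reach (assumption: e.g. a supervisor's copy). Without it, a
    person with write access could rewrite the whole chain consistently.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["body"]):
            return ("modified", i)
        prev = entry["hash"]
    if prev != trusted_head:
        return ("head-mismatch", None)  # entries removed or chain rebuilt
    return ("ok", None)


if __name__ == "__main__":
    log = []  # constructed sample entries
    append_entry(log, "staff-a", "2008-01-14T09:02", "assign", 212)
    head = append_entry(log, "staff-b", "2008-01-14T17:40", "view", 212)
    log[0]["body"]["bin"] = 99  # the "eraser" edit
    print(verify_log(log, head))
```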