Archive for Security

racial profiling for terrorism

I’ve heard and read a number of people saying “political correctness be damned, we should use racial profiling to identify terrorists.” The problem I’ve always had with this is that it makes no sense. Try the following test: identify the terrorist.

  1. young Muslim male
  2. young Muslim female
  3. Asian male or female
  4. Caucasian male or female
  5. black male or female
  6. Hispanic male or female

If you said that 1 and 2 have been terrorists and therefore we should profile them, you are partially right. However, what about all of the Asian terrorists (e.g. Filipinos)? Caucasians? Hmm, the IRA, David Koresh, Timothy McVeigh, etc. As near as I can guess, the only racial groups that shouldn’t be profiled would be blacks and Hispanics. This can’t work.

NBC Nightly News just had an interesting story on behavioral profiling being done at the airport in Orlando. Essentially, the police have been trained to look for suspicious behaviors, not suspicious racial characteristics. This is a much saner approach from the security perspective and can be much more effective, with a lower rate of false positives.

POSTSCRIPT: from the security standpoint, any action needs to be evaluated in terms of risk mitigation. What’s the risk? What is the rate of false positives (FP) of the action? What are the costs of the FPs? What is the rate of false negatives (FN)? The costs of the FNs? And so on. Racial profiling fails under a risk mitigation analysis. Behavioral profiling may make sense.

things that make a security officer cry

I spent a lot of time last week looking at an application in order to assess its security. What was troubling me was that this is a web application and the primary form for data entry was defined like:

<form name="foo" method="post" action="">

This means that nothing happens when you hit submit on the form – at least not in the HTML world. So, I took a closer look and found that each of the buttons (submit and clear) actually had an onclick='doSomething();' attribute.

Okay, so we’re dealing with JavaScript. I can handle that. I grab the included JavaScript file and realize that I’m dealing with something exceedingly strange. The whole script is one line long and contains very little valid JavaScript. Instead it contains what looks like a brief function, a ton of line noise and a bunch of words at the end that are delimited with pipes (|).

Since it’s my job to be paranoid, I think, “ah ha! someone has something they’re trying to hide.” It takes me a bit, but I realize that the JavaScript is actually an eval() call with a number of arguments. Poking at the arguments, I realize that one is the line noise, one is 62, one is an array of words and one is the number of items in that array. The code at the beginning basically decodes the whole thing: it breaks the line noise into tokens, and the tokens are indices into the array in base 62. Base 62 because each digit can be a numeral or an upper- or lower-case letter.

The code takes all of the tokens and replaces them with the word in the corresponding position. It then runs an eval() of the whole thing. Armed with this, I alert() the final command, only to find that the whole thing is a fairly simple client-side validation and Ajax-based POST. There’s absolutely nothing sensitive there!
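One way to recover the original source from such a packed file without running it, as an added example (not the author’s code and not the accelerator’s own decoder): the wrapper shape and the sample payload below are constructed to match the description above (base-62 tokens indexing a pipe-delimited word list), and the exact argument layout assumed for the wrapper is an assumption, not something taken from the post.

```javascript
// Added example: a static unpacker for the eval()-wrapped format described in the post.
// Assumptions: the packer's digit alphabet is 0-9, a-z, A-Z, and its call has the shape
// }('payload', radix, count, 'w1|w2|...'.split('|'), ...). Sample data below is constructed.
const DIGITS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Base-`radix` token -> integer index; -1 if the token is not a valid number in that radix.
function fromBase(token, radix) {
  let n = 0;
  for (const ch of token) {
    const d = DIGITS.indexOf(ch);
    if (d < 0 || d >= radix) return -1;
    n = n * radix + d;
  }
  return n;
}

// Pull the four interesting arguments out of the one-line wrapper without executing it.
function extractArgs(packed) {
  const m = packed.match(
    /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/);
  if (!m) throw new Error('not a recognised packed script');
  const unescape = (s) => s.replace(/\\(['\\])/g, '$1');
  return { payload: unescape(m[1]), radix: Number(m[2]),
           count: Number(m[3]), words: unescape(m[4]).split('|') };
}

// Replace every word-token in the payload by the dictionary entry it indexes; tokens that
// are not valid digits, are out of range, or map to an empty entry stand for themselves.
function unpack(payload, radix, words) {
  return payload.replace(/\b\w+\b/g, (tok) => {
    const i = fromBase(tok, radix);
    return i >= 0 && i < words.length && words[i] !== '' ? words[i] : tok;
  });
}

function unpackScript(packed) {
  const { payload, radix, count, words } = extractArgs(packed);
  if (words.length !== count) {
    throw new Error(`dictionary has ${words.length} entries but header says ${count}`);
  }
  return unpack(payload, radix, words);
}

// Constructed sample in the shape of the file the post describes (decoder body elided).
const PACKED = `eval(function(p,a,c,k,e,d){/* decoder body elided */}('0 1(){var v=9.a.b.3;if(v==""){4("5");6 7;}6 8;}',62,12,'function|validate|form|value|alert|required|return|false|true|document|foo|bar'.split('|'),0,{}))`;

console.log(unpackScript(PACKED));
// -> function validate(){var v=document.foo.bar.value;if(v==""){alert("required");return false;}return true;}
```

Decoding statically like this, rather than swapping eval() for alert(), means the untrusted script never executes during the review.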

Update: spoke to the developer. This wasn’t an attempt at obfuscation; it was actually a test of a program he downloaded that is supposed to be a JavaScript accelerator. It accelerates by creating a smaller version of your JavaScript so it downloads faster! Never mind that it then takes 5 seconds to unpack the stupid thing. 🙁

a nomenclature question

Given that the vulnerability and the patches haven’t yet been released, does this constitute a “-1 day exploit”?

Password security question

I wonder if these folks have read the recent article in the NY Times regarding prosopagnosia?

The company Passfaces has a password replacement technology that uses the brain’s ability to recognize faces. The idea is that the user selects a set of faces. They are then presented with a series of options where each of their faces is hidden in a group of other faces. By correctly selecting their faces, they authenticate themselves. The company says that using Passfaces will reduce calls to a help desk because people can remember faces for years without seeing them. There’s a demo which allows you to test how easy the system is.

I have some general concerns with the amount of entropy in such a solution, but the article presents a different challenge. Prosopagnosia is a disorder (or perhaps just a condition) where the person is unable to recognize faces. The NY Times article notes that researchers have found that as much as 2.5% of the population has prosopagnosia. This suggests to me that they would be unable to use Passfaces.

Oh, and the demo? I went back to Passfaces about 6 months after I first set up their demo – easily within the 2 year timeframe they note. I didn’t recognize a single face. I wonder if I have prosopagnosia? 🙂
