Essays Tagged "IEEE Security & Privacy"

Security Information Management Systems: Solution, or Part of the Problem?

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2004

We in the computer security industry are guilty of over-hyping and under-delivering. Again and again, we tell customers that they need to buy this or that product in order to be secure. Again and again, customers buy the products and are still not secure.

Firewalls didn’t keep out network attackers, and ignored the fact that the notion of “perimeter” is severely flawed. Intrusion detection systems didn’t keep networks safe, and worms and viruses do considerable damage despite the prevalence of anti-virus products. Intrusion prevention systems are being hyped as the new solution, but we all know that they won’t prevent intrusions…

Voting Security

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004

Voting seems like the perfect application for technology, but actually applying it is harder than it first appears. To ensure that voters can vote honestly, they need anonymity, which requires a secret ballot. Through the centuries, different civilizations have done their best with the available technologies. Stones and pottery shards dropped in Greek vases led to paper ballots dropped in sealed boxes. Mechanical voting booths and punch cards replaced paper ballots for faster counting. Now, new computerized voting machines promise even more efficiency, and remote Internet voting promises even more convenience…

Security and Compliance

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004

It’s been said that all business-to-business sales are motivated by either fear or greed. Traditionally, security products and services have been a fear sell: fear of burglars, murders, kidnappers, and—more recently—hackers. Despite repeated attempts by the computer security industry to position itself as a greed sell—“better Internet security will make your company more profitable because you can better manage your risks”—fear remains the primary motivator for the purchase of network security products and services.

The problem is that many security risks are not borne by the organization making the purchasing decision. An organization might be perfectly rational about securing its own networks against threats like theft of proprietary information and business interruption. But the adverse effects of privacy loss are borne more by those whose privacy has been breached. In economics, this is known as an “externality”: an effect of an organizational decision that doesn’t affect the organization…

Customers, Passwords, and Web Sites

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004

Criminals follow money. Today, more and more money is on the Internet: millions of people manage their bank, PayPal, or other accounts—and even their stock portfolios—online. It’s a tempting target—if criminals can access one of these accounts, they can steal a lot of money.

And almost all these accounts are protected only by passwords.

You already know that passwords are insecure. In my book Secrets and Lies (published way back in 2000), I wrote: “…password crackers can now break anything that you can reasonably expect a user to memorize.”

Airplane Hackers

  • Bruce Schneier
  • IEEE Security & Privacy
  • November/December 2003

Nathaniel Heatwole is a student at Guilford College. Several times between 7 February and 15 September 2003, he tested airline security. First, he smuggled in box cutters, clay resembling plastic explosives, and bleach simulating bomb-making chemicals through security. Then he hid these things in airplane lavatories, along with notes. Finally, he sent an email to the US Transportation Security Administration (TSA) titled “Information Regarding Six Recent Security Breaches.”

The problem is that the TSA never asked him to test its security. In this same vein, computer networks have been plagued for years by hackers breaking into them. But these people aren’t breaking into systems for profit; they don’t commit fraud or theft. They’re breaking into systems to satisfy their intellectual curiosity, for the thrill, and just to see if they can…

The Speed of Security

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2003

“The Slammer worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.” (See “Inside the Slammer Worm,” p. 33 of this issue.)

For the six months prior to the Sapphire (or SQL Slammer) worm’s release, the particular vulnerability that Slammer exploited was one of literally hundreds already known. Microsoft provided a patch, but many ignored it (so many patches, so little time). However, on 25 January 2003 at 05:30 UTC, installing that one patch suddenly became the most important thing system administrators could do to improve their security. A day later, a system administrator could install hundreds of other patches, but no one knows which patch will become the next vitally important one, or when…

Guilty Until Proven Innocent?

  • Bruce Schneier
  • IEEE Security & Privacy
  • May/June 2003

In April 2003, the US Justice Department administratively discharged the FBI of its statutory duty to ensure the accuracy and completeness of the National Crime Information Center (NCIC) database. This enormous database contains over 39 million criminal records and information on wanted persons, missing persons, and gang members, as well as information about stolen cars and boats. More than 80,000 law enforcement agencies have access to this database. On average, the database processes 2.8 million transactions each day.

The US Privacy Act of 1974 requires the FBI to make reasonable efforts to ensure the database records’ accuracy. However, in April, the Justice Department exempted the system from the law’s accuracy requirements…

Locks and Full Disclosure

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2003

The full disclosure vs bug secrecy debate is a lot larger than computer security. Blaze’s paper on master-key locking systems in this issue is an illustrative case in point. It turns out that the ways we’ve learned to conceptualize security and attacks in the computer world are directly applicable to other areas of security—like door locks. But the most interesting part of this entire story is that the locksmith community went ballistic after learning about what Blaze did.

The technique was known in the locksmithing community and in the criminal community for over a century, but was never discussed in public and remained folklore. Customers who bought these master key systems for over a century were completely oblivious to the security risks. Locksmiths liked it this way, believing that the security of a system is increased by keeping these sorts of vulnerabilities from the general population…

We Are All Security Consumers

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2003

Computer security is vital, and IEEE is launching this new magazine devoted to the topic. But there’s more to security than what this magazine is going to talk about. If we don’t help educate the average computer user about how to be a good security consumer, little of what we do matters.

Dozens of times a day, we are security consumers. Every time we cross the street, we’re buying security. When we brush our teeth in the morning, we’re buying security. We buy security when we lock our door, or our car. When you reach down at a checkout counter to buy a candy bar and notice that the package has been opened, why do you reach for another? It’s because for the price of the candy bar, you want to also buy as much security as you can…