Essays Tagged "IEEE Security & Privacy"


Economics of Information Security

  • Ross Anderson and Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2005


Several years ago, a number of researchers began to realize that many security systems fail not so much for technical reasons as from misplaced incentives. Often the people who could protect a system were not the ones who suffered the costs of failure. Hospital medical-records systems provided comprehensive billing-management features for the administrators who specified them, but were not so good at protecting patients’ privacy. Automatic teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers. And one reason the Internet is insecure is that liability for attacks is so diffuse…

Authentication and Expiration

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2005


There’s a security problem with many Internet authentication systems that’s never talked about: there’s no way to terminate the authentication.

A couple of months ago, I bought something from an e-commerce site. At the checkout page, I wasn’t able to just type in my credit-card number and make my purchase. Instead, I had to choose a username and password. Usually I don’t like doing that, but in this case I wanted to be able to access my account at a later date. In fact, the password was useful because I needed to return an item I purchased…

Security Information Management Systems: Solution, or Part of the Problem?

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2004


We in the computer security industry are guilty of over-hyping and under-delivering. Again and again, we tell customers that they need to buy this or that product in order to be secure. Again and again, customers buy the products and are still not secure.

Firewalls didn’t keep out network attackers, and ignored the fact that the notion of “perimeter” is severely flawed. Intrusion detection systems didn’t keep networks safe, and worms and viruses do considerable damage despite the prevalence of anti-virus products. Intrusion prevention systems are being hyped as the new solution, but we all know that they won’t prevent intrusions…

Voting Security and Technology

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004


Voting seems like the perfect application for technology, but actually applying it is harder than it first appears. To ensure that voters can vote honestly, they need anonymity, which requires a secret ballot. Through the centuries, different civilizations have done their best with the available technologies. Stones and pottery shards dropped in Greek vases led to paper ballots dropped in sealed boxes. Mechanical voting booths and punch cards replaced paper ballots for faster counting. Now, new computerized voting machines promise even more efficiency, and remote Internet voting promises even more convenience…

Security and Compliance

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004


It’s been said that all business-to-business sales are motivated by either fear or greed. Traditionally, security products and services have been a fear sell: fear of burglars, murders, kidnappers, and—more recently—hackers. Despite repeated attempts by the computer security industry to position itself as a greed sell—”better Internet security will make your company more profitable because you can better manage your risks”—fear remains the primary motivator for the purchase of network security products and services…

Customers, Passwords, and Web Sites

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004


Criminals follow money. Today, more and more money is on the Internet: millions of people manage their bank, PayPal, or other accounts—and even their stock portfolios—online. It’s a tempting target—if criminals can access one of these accounts, they can steal a lot of money.

And almost all these accounts are protected only by passwords.

You already know that passwords are insecure. In my book Secrets and Lies (published way back in 2000), I wrote: “…password crackers can now break anything that you can reasonably expect a user to memorize.”…

Airplane Hackers

  • Bruce Schneier
  • IEEE Security & Privacy
  • November/December 2003


Nathaniel Heatwole is a student at Guilford College. Several times between 7 February and 15 September 2003, he tested airline security. First, he smuggled in box cutters, clay resembling plastic explosives, and bleach simulating bomb-making chemicals through security. Then he hid these things in airplane lavatories, along with notes. Finally, he sent an email to the US Transportation Security Administration (TSA) titled “Information Regarding Six Recent Security Breaches.”

The problem is that the TSA never asked him to test its security. In this same vein, computer networks have been plagued for years by hackers breaking into them. But these people aren’t breaking into systems for profit; they don’t commit fraud or theft. They’re breaking into systems to satisfy their intellectual curiosity, for the thrill, and just to see if they can…

The Speed of Security

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2003


“The Slammer worm was the fastest computer worm in history. As it began spreading throughout the Internet, it doubled in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.” (See “Inside the Slammer Worm,” p. 33 of this issue.) For the six months prior to the Sapphire (or SQL Slammer) worm’s release, the particular vulnerability that Slammer exploited was one of literally hundreds already known. Microsoft provided a patch, but many ignored it (so many patches, so little time). However, on 25 January 2003 at 05:30 UTC, installing that one patch suddenly became the most important thing system administrators could do to improve their security. A day later, a system administrator could install hundreds of other patches, but no one knows which patch will become the next vitally important one, or when…

Guilty Until Proven Innocent?

  • Bruce Schneier
  • IEEE Security & Privacy
  • May/June 2003


In April 2003, the US Justice Department administratively discharged the FBI of its statutory duty to ensure the accuracy and completeness of the National Crime Information Center (NCIC) database. This enormous database contains over 39 million criminal records and information on wanted persons, missing persons, and gang members, as well as information about stolen cars and boats. More than 80,000 law enforcement agencies have access to this database. On average, the database processes 2.8 million transactions each day…

Locks and Full Disclosure

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2003


The full disclosure vs. bug secrecy debate is a lot larger than computer security. Blaze’s paper on master-key locking systems in this issue is an illustrative case in point. It turns out that the ways we’ve learned to conceptualize security and attacks in the computer world are directly applicable to other areas of security—like door locks. But the most interesting part of this entire story is that the locksmith community went ballistic after learning about what Blaze did.

The technique was known in the locksmithing community and in the criminal community for over a century, but was never discussed in public and remained folklore. Customers who bought these master key systems for over a century were completely oblivious to the security risks. Locksmiths liked it this way, believing that the security of a system is increased by keeping these sorts of vulnerabilities from the general population…
