Entries Tagged "mail"

Page 3 of 3

Shoulder Surfing Keys

Here’s a criminal who “stole” keys, the physical metal ones, by examining images of them being used:

He surreptitiously videotaped letter carriers as they opened the boxes, zooming in on their keys. Lau used those images to calculate measurements for the grooves in the keys and created brass duplicates.


“The FBI is not aware of anything else like this,” bureau spokeswoman Jerri Williams said.

Technology causes security imbalances. Sometimes those imbalances favor the defender, and sometimes they favor the attacker. What we have here is a new application of a technology by an attacker.

Very clever.

Posted on September 7, 2005 at 11:35 AMView Comments

Hogwarts Security

From Karl Lembke:

In the latest Harry Potter book, we see Hogwarts implementing security precautions in order to safeguard its students and faculty.

One step that was taken was that all the students were searched – wanded, in fact – to detect any harmful magic. In addition, all mail coming in or out was checked for harmful magic.

In spite of these precautions, two students are nearly killed by cursed items.

One of the items was a poisoned bottle of mead, which made it onto school grounds and into a professor’s office.

It turned out that packages sent from various addresses in the nearby town were not checked. The addresses were trusted, and anything received from them was considered safe. When a key person was compromised (in this case, by a mind-control spell), the trusted address was no longer trustworthy, and a gaping hole in security was created.

Of course, since everyone knew everything was checked on its way into the school, no one felt the need to take any special precautions.

The moral of the story is, inadequate security can be worse than no security at all.

And while we’re on the subject, can you really render a powerful wizard helpless simply by taking away his wand? And is taking away a powerful wizard’s wand simply as easy as doing something to him at the same time he is doing something else?

One, this means that you’re dead if you’re outnumbered. All it would take it two synchronized wizards, both of much lower power level, to defeat a powerful wizard. And two, it means that you’re dead if you’re taking by surprise or distracted.

This seems like an enormous hole in magical defenses, one that wizards would have worked feverishly to close up generations ago.

EDITED TO ADD: Here’s a page on trust in the series.

Posted on September 4, 2005 at 3:27 PMView Comments

Tamper-Evident Paper Mailings

We’ve all received them in the mail: envelopes from banks with PINs, access codes, or other secret information. The letters are somewhat tamper-proof, but mostly they’re designed to be tamper-evident: if someone opens the letter and reads the information, you’re going to know. The security devices include fully sealed packaging, and black inks that obscure the secret information if you hold the envelope up to the light.

Researchers from Cambridge University have been looking at the security inherent in these systems, and they’ve written a paper that outlines how to break them:

Abstract. Tamper-evident laser-printed PIN mailers are used by many institutions to issue PINs and other secrets to individuals in a secure manner. Such mailers are created by printing the PIN using a normal laser, but on to special stationery and using a special font. The background of the stationery disguises the PIN so that it cannot be read with the naked eye without tampering. We show that currently deployed PIN mailer technology (used by the major UK banks) is vulnerable to trivial attacks that reveal the PIN without tampering. We describe image processing attacks, where a colour difference between the toner and the stationary “masking pattern” is exploited. We also describe angled light attacks, where the reflective properties of the toner and stationery are exploited to allow the naked eye to separate the PIN from the backing pattern. All laser-printed mailers examined so far have been shown insecure.

According to a researcher website:

It should be noted that we sat on this report for about 9 months, and the various manufacturers all have new products which address to varying degrees the issues raised in the report.

BBC covered the story.

Posted on August 30, 2005 at 7:59 AMView Comments

Mail-in Ballot Attack

Ampersand lives in Oregon, which does its voting entirely by mail. On Monday—the day a lot of Oregon voters got their ballots—someone knocked over Ampersand’s “No on 36” sign and stole his mailbox, presumably hoping to get his ballot and prevent him from voting “no” on Amendment 36. In fact, he’d happened to receive his ballot the previous Saturday, but it could easily have worked.

From “Alas A Blog

On Monday, someone came into our yard, knocked over our “No on 36” sign, and stole our mailbox (with Monday’s mail inside it).

I doubt this was just random vandalism; Oregon mailed out voter ballots last week (Oregon does the vote entirely by mail), and a huge number of Oregonians got their ballots on Monday. So I think someone grabbed our mailbox and ran hoping that they’d get our ballots and thus keep us from voting against measure 36.

I doubt this was part of any widespread effort. Surely anyone doing it on a large scale would get tired of hauling off mailboxes, and just steal the mail inside. It’s also hard to avoid getting caught, since you have to steal the mail during the day—after it’s delivered but before the resident comes home to get it.

Still, it is interesting how the predictably timed mailing of ballots, and the prevalence of political lawn signs, enables a very narrowly targeted attack.

Posted on October 29, 2004 at 2:12 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.