Security at schools, colleges, and other shared facilites

Talk about internet security, computer security, personal security, your social security number...
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Security at schools, colleges, and other shared facilites

Post by Tom T. » Fri Dec 02, 2011 3:56 am

(This is a continuation of a discussion started at Forum NoScript > General, "noscript at school". The NoScript-related questions were answered, and the discussion continues into general physical and electronic security at shared facilities. -- Tom T.)

w.learning wrote:The concept of working through the home computer is interesting; however, I don't have mobile broadband service. My connection at school is via the wireless capability of the laptop, and the budget does not allow taking on another bill at this time.

Didn't elaborate before, not knowing how familiar you were with the VPN concept. No additional bills required, only that the school's connection and your home connection are reasonably fast. Dial-up would take forever. I'm hoping that from school, you can connect to the global Internet, not just to the school's site, right?

How it works: You install the VPN product of your choice on both machines. There are a lot out there; I just named one I knew (because I've used it). From the laptop, you connect, using the school's wireless router as usual, but without worries, as this is encrypted. What you connect to is your home computer, which in essence becomes a web site (server), but private only to you. Hence "virtual private network". No one else can connect to your home machine. Then, using remote administration tools, you can work the home machine however you like. Or it may serve as a relay or proxy, depending on the details of the individual solution. This solves your concerns about the weak WEP encryption, and about possible malice in the school's system, except where their own site has been hacked, as mentioned.
As for the security at school: The IT department uses a third party web site provider and says that the bulk of the security is handled by the provider.

Who doesn't know enough to tell the school to use WPA2? Scary. :o
When I questioned WEP versus WPA2, the IT department did not understand my concern.

:shock: Time to hire new IT people. ... Are you sure you weren't at the Italian department, or Intercity Transit... (sheesh) Security is not a part of CSci curricula, a long-standing pet peeve. Point them to the articles describing how WEP is irretrievably broken, and can be cracked in 60 seconds or less. Love to know whether that has any impact.
Fortunately the laptop has some good security features included in the OEM installation. I have port locker and biometric features active. I am hoping that proves to be adequate to secure the computer if someone happens to get their hands on it. Do you have any comments on this that you would like to share with me?

Full-disk-encryption keeps getting better and better, though it takes some know-how. You can also leave it unencrypted, and just encrypt whichever files are personally-sensitive, using freeware such as TrueCrypt (which also offers full-disk encryption; you have to authenticate before booting). But if someone does get their hands on it, I'd be concerned about using it again; hence, the previous advice about physical security.

Port Locker does this:
Simply lock your USB port, printer and internet access for total protection! Port Locker is a data protection software application that reduces the risk of data leakage and data theft by locking and blocking USB ports from unauthorized data access via pen drives, memory cards, flash drives. It also restricts unauthorized printing and data transfer through the network.

Certainly helpful against the creep who shoves a flash drive in the machine while you're looking the other way, but doesn't stop someone with full access from simply starting up the machine and reading everything on it.

Spy shows remind us that biometrics can be defeated. If it's a fingerprint scanner, your fingerprints are everywhere, That was demonstrated at a conference touting a new such device, when someone lifted the speaker's print off of his water glass, and used it to enter, IIRC. Or they cut off your finger, in the scarier movies. I'd rather lose the computer.

Another possibility is to store all those TrueCrypt encrypted files on a CD or DVD (or flash drive, but don't trust "encrypted flash drives". Some are good; some are poorly implemented.) Have backup copies in a safe place. (nearby bank safe deposit box?) If yours are stolen, they're of no use unless the thief can con or beat the password out of you. TC adds a "plausible deniability" feature in which you encrypt phony, but sensitive-looking data (fake love letters, e. g.), then put your genuine data on the volume, using a different encryption key (password). If coerced, you can "reluctantly" give up the pw to the fake data, and they can't prove that any more exists. Details at that site.
As for noscript, I'll install it to add one more layer of protection.

By all means. And consider RequestPolicy, and the possibility of "sandboxing' or "virtualizing" the browser, so that any malware that does get in would not make it to the hard drive, but would be dumped upon close. There are a lot of them out there, none perfect, but one more layer of defense. Just so you get the general idea, I'll mention Sandboxie, not because it's better than the rest, but because I'm familiar with it, using it for years, and the home page illustrates the concept pretty well.

Hope that book was helpful :D
Any other questions, fire away.
Last edited by Tom T. on Fri Dec 02, 2011 8:17 am, edited 1 time in total.
Reason: explain split
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

w.learning
Posts: 7
Joined: Thu Dec 01, 2011 3:41 pm

Re: noscript at school

Post by w.learning » Fri Dec 02, 2011 6:33 am

Thanks Tom,

quick replies first, more details to follow: Yes, I have unlimited (within reason) internet access at the school. I have used two sandboxes in the past, features of Avast and Acronis. I am comfortable with them and have heard Sandboxie recommended before. I have encountered difficulties in an attempt to set up a VM. At first glance RequestPolicy looks like it will warrant further inspection. I am hoping to be able to avoid having sensitive files requiring encryption, and am going to install a utility on my school dedicated flash drive which denies any autorun functions.

OK... details: I will take the time to explore the details of your recommendations. As the new laptop presents me with my first exposure to Windows 7, my learning curve here is going to be pretty steep. If I understand properly, networking the old desktop (XP machine) with the laptop may present problems if not done properly. I have found only one person locally who has not told me horror stories about making XP and 7 communicate with each other. I'm guessing that setting up the VPN will be similar. (If I understand your description properly, my best bet would be to make the desktop the relay link of the chain. laptop>desktop>internet>desktop>laptop) Thankfully I have until January 9 to get it sorted out. My plate is pretty full, and it may take that long for me to bring my knowledge base up to snuff.

In my conversation with the Intercity Transit (or whatever) department I told them that I considered the campus to be at best fertile ground for hackers and at worst a lepers' colony for malware. I substantiated my claim by telling them that the recent high school graduates probably think computer security is some guy in uniform who carries a laptop instead of a gun. Furthermore the insane fascination with social media probably results in more infected computers passing through the doors than anyone could easily catalog. The tech said he had never thought of it that way. I responded that the IT department is not my body guard, and I will take responsibility for my own security. The IT department may be of help after an attack, but I will defend myself in real time instead. His response was that I had presented a convincing argument which he would forward to the department head. Hopefully I have made a positive impact.

The course descriptions in the catalog show only one course devoted to security. It looks like about half the course involves enterprise security, concentrating on physical security rather on computer security. I share your concerns about that. There are other sources where I can learn the security aspects.

Your comments about someone attempting to access the laptop quickly without actually taking it are exactly what I was attempting to secure with the port locker and biometrics. The short time setting for Windows to lock the user account requires my enrolled finger print to log back on as well as the log on at boot. I do not foresee the possibility of leaving the computer unattended long enough for shut down and a reboot in safe mode. I know that there is no perfect security setup. I merely wish to make things tough on those who are pressed for time or not smart enough to gain access. Maybe they will move on to another machine instead. Once again the only sensitive information on the laptop will be that which is restricted to the campus web site.

I think I covered everything. Thanks again for sharing your knowledge with me.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: noscript at school

Post by dhouwn » Fri Dec 02, 2011 7:33 am

Tom T. wrote:LogMeIn Hamachi uses 5.x.x.x, which is not recognized on the public Internet
Theoretically it could be, it's a routable address.

w.learning wrote:When I questioned WEP versus WPA2, the IT department did not understand my concern.
Which explains why they were OK with it. :roll:

w.learning wrote:I have port locker and biometric features active.
I personally wouldn't call them security features, maybe nice-to-have's but in the end they don't give you any reliable protection against anything when someone get physical access.

Tom T. wrote:Security is not a part of CSci curricula, a long-standing pet peeve.
It isn't? At least it should be grazed when learning about distributed systems or such. But then who tells that the people at the third party even have such a diploma?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: noscript at school

Post by Tom T. » Fri Dec 02, 2011 8:08 am

dhouwn wrote:
Tom T. wrote:LogMeIn Hamachi uses 5.x.x.x, which is not recognized on the public Internet
Theoretically it could be, it's a routable address.

Sorry, I should have said "reserved space".
Tom T. wrote:Security is not a part of CSci curricula, a long-standing pet peeve.

dhouwn wrote:It isn't? At least it should be grazed when learning about distributed systems or such. But then who tells that the people at the third party even have such a diploma?

See the OP's quote confirming:
The course descriptions in the catalog show only one course devoted to security. It looks like about half the course involves enterprise security, concentrating on physical security rather on computer security.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: noscript at school

Post by Tom T. » Fri Dec 02, 2011 8:46 am

w.learning wrote:.... am going to install a utility on my school dedicated flash drive which denies any autorun functions.

No need... If it's the U3-LaunchPad enabled, their web site will disable that for you. Then you can configure your machine not to do autoruns.
The MS docs hint that this may be the default in Win 7. Haven't used 7 yet. But in Win XP, put each external drive in the USB port, open My Computer, r-click each > Properties > AutoPlay tab. On each drop-down menu item, click at the bottom, "Prompt me each time to choose an action." OK etc. You can also disable Autorun through the Registry, but since MS documents that fully (search disable autorun registry), my lips are sealed, in case you foobar it. ;) Again, they may have defaulted to that in 7.
w.learning wrote:OK... details: I will take the time to explore the details of your recommendations. As the new laptop presents me with my first exposure to Windows 7, my learning curve here is going to be pretty steep.

I'm doing it in the blind, but I'm sure experienced Win 7 users will fill in the blanks or make any needed XP>7 translations. :)
w.learning wrote: If I understand properly, networking the old desktop (XP machine) with the laptop may present problems if not done properly. I have found only one person locally who has not told me horror stories about making XP and 7 communicate with each other. I'm guessing that setting up the VPN will be similar. (If I understand your description properly, my best bet would be to make the desktop the relay link of the chain. laptop>desktop>internet>desktop>laptop)

It seems the ideal would be to shop for a vendor who allows you to download one XP-friendly version of the sw and one Win7-friendly version, with the vendor's sw doing the translations. (Whatever happened to that idea that Win 7 would contain an XP emulator? ... Ahh, here we go:
A new version of Microsoft Virtual PC, newly renamed as Windows Virtual PC was made available for Windows 7 Professional, Enterprise, and Ultimate editions. It allows multiple Windows environments, including Windows XP Mode, to run on the same machine. Windows XP Mode runs Windows XP in a virtual machine and redirects displayed applications running in Windows XP to the Windows 7 desktop

In my conversation with the Intercity Transit (or whatever) department I told them that I considered the campus to be at best fertile ground for hackers and at worst a lepers' colony for malware.

LOL! Thanks - I needed that! (been a long day.)
I substantiated my claim by telling them that the recent high school graduates probably think computer security is some guy in uniform who carries a laptop instead of a gun.

Naah, he's the guy who runs you through the metal detector, finds your computer, and confiscates it. :P
Furthermore the insane fascination with social media probably results in more infected computers passing through the doors than anyone could easily catalog.

TTTBF. (Too True To Be Funny. That's original, but pass it on... )
The tech said he had never thought of it that way. I responded that the IT department is not my body guard, and I will take responsibility for my own security. The IT department may be of help after an attack, but I will defend myself in real time instead. His response was that I had presented a convincing argument which he would forward to the department head. Hopefully I have made a positive impact.

Toss a pebble in a pond... I complained repeatedly to various persons in the County Government when their new web site required MS's dangerous ActiveX to use all services at the site. No one ever responded to me, but about a year later, the site had a gold-starred banner: "New! No ActiveX Required!"
No attribution, but I don't care. I like to think I made a difference, or perhaps me and a thousand others. You never know ... now I'm working on my online bank. They're the worst. :roll:
The course descriptions in the catalog show only one course devoted to security. It looks like about half the course involves enterprise security, concentrating on physical security rather on computer security. I share your concerns about that. There are other sources where I can learn the security aspects.

Thanks for backing up my comment to my very good friend and long-time Forum contributor dhouwn.
Your comments about someone attempting to access the laptop quickly without actually taking it are exactly what I was attempting to secure with the port locker and biometrics. The short time setting for Windows to lock the user account requires my enrolled finger print to log back on as well as the log on at boot. I do not foresee the possibility of leaving the computer unattended long enough for shut down and a reboot in safe mode.

Just worst-case-ing here: You put it on standby or log out of the user account, get a cup of coffee, someone takes your fingerprint off the machine with the tape he concealed, runs it over the scanner... can be done, or not? Never used one, so don't know the time window.
I know that there is no perfect security setup. I merely wish to make things tough on those who are pressed for time or not smart enough to gain access. Maybe they will move on to another machine instead.

That's really all we can ever do with our computers, houses, etc. -- secure them against as many attacks as possible without living in a locked vault, and convince the bad guy to go elsewhere. Good philosophy.
Once again the only sensitive information on the laptop will be that which is restricted to the campus web site.

You lost me there. The campus web site has personal info (DOB, Social Security #, etc.) available to anyone who logs in? :o Shame on them. (Strong crypto, strong pw, and strong pw control of who has access.) Whatever is on your laptop, if it's sensitive, it needs to be protected.

And not to start a whole new topic, but traces are left all over the machine: pagefile.sys, Recent lists and auto-complete/dropdown suggesstions (CCleaner and other apps help here), lots of places in the Registry where stuff is stored. (I did MS-documented Reg edits called "NoInstrumentation" and "NoRecentDocsHistory", but again, the onus is on the user to read the MS docs and warnings before messing with the Registry.)
I think I covered everything.

It's a subject that could be studied for a lifetime -- and by the time you learn it, it's changed. ;)
Thanks again for sharing your knowledge with me.

You're very welcome. And please keep spreading the word, both to theschool staff and to other students. Especially about NoScript, of course! :D
Last edited by Tom T. on Fri Dec 02, 2011 8:47 am, edited 1 time in total.
Reason: typo
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

w.learning
Posts: 7
Joined: Thu Dec 01, 2011 3:41 pm

Re: Security at schools, colleges, and other shared facilite

Post by w.learning » Fri Dec 02, 2011 4:52 pm

briefly ...
I hope my sarcastic and tongue in cheek comments to the Intentionally Terrible department served to sharpen the words to the point of action. If so, there are many beneficiaries. I will consider myself to be an anonymous contributor to the welfare of the school community.

My comment about sensitive info on the laptop is twofold in nature. I configure all my browsers to accept only the cookies necessary to perform the tasks I desire and delete cookies and history when exiting, and I have made it a practice to Cclean at least once daily. Going any deeper on a regular basis just isn't my cup of tea. In my not so humble opinion anyone capable of hacking can attempt to harvest sensitive information from the school's database or through the website. The level of security (or lack of) will be proportional the the rate of success.

I'll include the USB considerations in my attempts to get up to speed on Windows 7 in the time I have allotted. This OS is the Home Premium version. An upgrade to facilitate XP mode won't fit into the budget for now.

The bometrics are not as simple as your reply paints. For space considerations or security reasons, who knows which, the sensor is too small for me to see a finger print captured on a piece of tape to work. The print is not scanned as a static image. The finger must be swiped in the same approximate speed, in the same orientation, and in the same approximate location of the scanner's window used to enroll the the image. I am still training myself to duplicate the movement to gain access on the first attempt. I am far from expert in these matters, but I see this to be a helpful feature, hopefully not a bug.

Thanks again to both of you for the friendly and informative replies. You have provided me with an improved insight. Knowledge properly applied is a powerful tool.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Security at schools, colleges, and other shared facilite

Post by dhouwn » Fri Dec 02, 2011 5:03 pm

w.learning wrote:This OS is the Home Premium version. An upgrade to facilitate XP mode won't fit into the budget for now.
Your college doesn't partake in the MSDNAA program?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Security at schools, colleges, and other shared facilite

Post by GµårÐïåñ » Fri Dec 02, 2011 8:19 pm

dhouwn wrote:Your college doesn't partake in the MSDNAA program?

Despite some of my objections to M$ and its existence in whole :twisted: I have to say that they are pretty damn good at their Academic Alliance program and work with as large a base as is willing to work with them. However, the problem is that some institutions don't have a motivated or caring enough IT department to reach out and setup that service with them. Also probably because there is a small cost associated with the institutions partnership as well. Its a pity though, I think all academia should have some sort of alliance with them. Reason being that I have seen pricy and out of reach software in retail being given to students for FREE in 80% of cases and in the rest less than $10-$50 which is pretty affordable no matter your budget and its legit. I have used my academic connections to help many who don't have it at their schools but you are right, its shame and they should work on getting that alliance setup, there is lots of upside and almost no (or very little) downside, mostly monetary if any.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Security at schools, colleges, and other shared facilite

Post by Tom T. » Sat Dec 03, 2011 4:49 am

Sorry, I realized later -- too much later -- that different versions of Windows is not an issue. You're accessing the global Internet with your Win 7, and all you need to do is install the remote-control sw on the XP machine.

I don't want to sound like I'm shilling for anyone, but the following product is *free*.
https://secure.logmein.com/products/free/register.aspx


Only need one copy of the sw, for XP:
https://secure.logmein.com/welcome/webh ... eader.html
Which Computers Need the LogMeIn Host Software?
You must install LogMeIn host software (Pro or Free) on each computer you want to be able to access remotely. You do not need to install LogMeIn host software to the device used to access another computer.

I. e., your laptop doesn't need *anything*.

Supported systems:
https://secure.logmein.com/welcome/webh ... _host.html
System Requirements – Host Computer

Before installing LogMeIn host software on the computer you want to access remotely, make sure the device meets the following requirements.
Supported Operating Systems

* Windows 7, Vista, XP, Server 2003, 2008 (all including 64-bit)
* Windows 2000 (32-bit)
* Mac OS 10.4 (Tiger), 10.5 (Leopard), 10.6 (Snow Leopard), and 10.7 (Lion) on both Power PC and Intel-based Macs


Check it out.

Thanks for clarifying on the biometrics, but it raises another concern:
The finger must be swiped in the same approximate speed, in the same orientation, and in the same approximate location of the scanner's window used to enroll the the image. I am still training myself to duplicate the movement to gain access on the first attempt. I am far from expert in these matters, but I see this to be a helpful feature, hopefully not a bug.

So you can't get into your own machine, at least not conveniently. If the scanner or its sw goes buggy, you cut your finger badly, break it and need a cast or splint.... Sounds like an obstruction. The full-disk-encryption may actually be easier, once done. Enter your strong pw at each boot; no one short of alphabet-soup agencies is going to get in. Will try to get some more info.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Security at schools, colleges, and other shared facilite

Post by Tom T. » Sat Dec 03, 2011 5:00 am

Full-system encryption, Open-source and free: http://www.truecrypt.org/docs/?s=system-encryption
System Encryption

TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive where Windows is installed and from which it boots.

System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted (even when power supply is suddenly interrupted). Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted too.

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.... (more)

Supports Win 7 in both 32- and 64-bit flavors.

IMHO, this is both more secure than a biometric and provides thorough safety even if someone does gain physical access to the disk, though I haven't personally tested it yet. (My laptop is on a tight leash. ;) ) Perhaps someone who has can give us some feedback on it?

For backups, a full-disk-image backup, like (in alphabetical order) Acronis, Disk Snapshot, Norton Ghost, etc., could still work, as it copies bit-for-bit. The backup, too, is useless to a thief. If HD dies or whatever, restore the backup, use the same master pw, and should be good to go, AFAICT.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Security at schools, colleges, and other shared facilite

Post by dhouwn » Sat Dec 03, 2011 3:45 pm

Tom T. wrote:So you can't get into your own machine, at least not conveniently.
I wouldn't say that simply entering the password instead is that much more inconvenient.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Security at schools, colleges, and other shared facilite

Post by Tom T. » Sun Dec 04, 2011 11:09 am

dhouwn wrote:
Tom T. wrote:So you can't get into your own machine, at least not conveniently.
I wouldn't say that simply entering the password instead is that much more inconvenient.

Not having used biometrics, I could be mistaken, and probably am, so please forgive me, but I was under the impression that bio was *in addition to*, or *instead of*, Windows user password protection, and not merely an alternative.

Windows pw protection had a long reputation of being weak and vulnerable. Idk if they've improved it in 7, but the idea of the biometric, IIUC, is that pw or not, *no one* gets in without that fingerprint. If I'm mistaken, please correct me.

O/T to this post; delayed response to our previous exchange: If I were the Dean of a Computer Science school, security training would be, as they say, "baked in" to every course, not just some add-on for one semester (a few months). It would start with the very beginning of the curriculum. As the student learns fundamentals of data storage and transfer, processing, memory addressing, Assembly programming, etc. -- at each stage, they are taught how to secure these data and processes to the highest extent possible. Every programming language taught should include all Best Practices for secure coding in that language. And so on throughout the program, so that one graduates, not just able to write code, but to write it to the best known standards of security.

Many conversations have confirmed that this is not the case, at least in the US, sadly. (The results prove it, too. :evil: )

Is it better where you are?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Security at schools, colleges, and other shared facilite

Post by dhouwn » Tue Dec 06, 2011 7:40 am

Tom T. wrote:Windows pw protection had a long reputation of being weak and vulnerable. Idk if they've improved it in 7, but the idea of the biometric, IIUC, is that pw or not, *no one* gets in without that fingerprint. If I'm mistaken, please correct me.
No, it's an alternative. And the old password hashing algorithm (LM hash) was indeed very weak and vulnerable so you could get the password if you had the hash. But leaving the hashing algorithm aside, if you have physical access you can always "get in" and at least access all non-encrypted stuff.
Actually I wouldn't be surprised, if in the case an attacker gets long-term physical access you actually make it easier for him to access everything because AFAIK the key for decrypting the secure storage (where your private keys are stored for user certificates, EFS and such) is another hash generated from the password (using the same hash would be dumb since that one is physically stored for comparison on login) and so the biometrics unit would either have to store this hash too, or directly the password (or maybe a hash which is used as a basis for both hashes) which it then hands over to the OS in case it deems the fingerprint as matching.
All in all, you can't use biometrics for encryption. It's simply just some form of (heuristic) authentication and in the case someone has long-term physical access it might not protect against anything. Of course if the hashes are stored in hardware like in a smart-card or such then a practical attack from a layman might be relatively unlikely but that might be subject to change.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Security at schools, colleges, and other shared facilite

Post by Tom T. » Tue Dec 06, 2011 9:28 am

dhouwn wrote:
Tom T. wrote:Windows pw protection had a long reputation of being weak and vulnerable. Idk if they've improved it in 7, but the idea of the biometric, IIUC, is that pw or not, *no one* gets in without that fingerprint. If I'm mistaken, please correct me.
No, it's an alternative. And the old password hashing algorithm (LM hash) was indeed very weak and vulnerable so you could get the password if you had the hash. But leaving the hashing algorithm aside, if you have physical access you can always "get in" and at least access all non-encrypted stuff.
Actually I wouldn't be surprised, if in the case an attacker gets long-term physical access you actually make it easier for him to access everything because AFAIK the key for decrypting the secure storage (where your private keys are stored for user certificates, EFS and such) is another hash generated from the password (using the same hash would be dumb since that one is physically stored for comparison on login) and so the biometrics unit would either have to store this hash too, or directly the password (or maybe a hash which is used as a basis for both hashes) which it then hands over to the OS in case it deems the fingerprint as matching.
All in all, you can't use biometrics for encryption. It's simply just some form of (heuristic) authentication and in the case someone has long-term physical access it might not protect against anything. Of course if the hashes are stored in hardware like in a smart-card or such then a practical attack from a layman might be relatively unlikely but that might be subject to change.

You're preaching to the choir. (Does that idiom translate?) I gave OP MHO that biometric wasn't really safe, exactly as you did some posts above. Full-disk encryption, *properly implemented* (that always goes without saying), is best for the data. But if someone can get their hands on the machine long enough to tinker with the insides (and give it back to you, graciously declining the "reward" money in the "Lost-and-Found" ads), game over.

(e. g., hw keylogger hooking the keyboard *before* it gets to the processor, as per FBI anti-racketeering practices mentioned above, actually used to defeat encrypted drives. Etc. Use your imagination.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

w.learning
Posts: 7
Joined: Thu Dec 01, 2011 3:41 pm

Re: Security at schools, colleges, and other shared facilite

Post by w.learning » Tue Dec 06, 2011 3:06 pm

Hmm... I thought I had notificatons set up to alert me of new posts... maybe not... Please forgive the delay in replying.

In no particular order:

The choice of password or biometrics is mine for every log on from the welcome screen. Both the password entry window and a biometric icon are present. I can, however, switch user accounts by simply swiping the proper finger while in another account. This one step process is quite convenient.

The issue of cutting a finger is one I have pondered. I will have to cross that bridge when I come to it. About an hour of research rewarded me with a trick to improve my biometric access. Rubbing the enrolled finger against the thumb increases the amount of skin oil and improves recognition. My fingers are typically dry, and I have been in the habit of rubbing my finger on a piece of fabric to dry it before attempting access. Using this trick has improved easy access. However, I enrolled the fingers using the dry technique, and I bet that resulted in a less than optimum saved image. In the near future I will repeat the finger print enrollment procedure using the trick to see if my access improves. I also found scanner cleaning recommendations which I will employ.

The password itself combines special characters, upper and lower case in random positions, and numerals. It is twelve characters long, is very meaningful to me, and is not vulnerable to a dictionary hack. I don't believe going beyond that will provide me with something I can remember and type quickly.

Initial questions about student discounts for software indicate the availability is restricted to Office Home and Student 2010. It is free as a download or $12 for the physical media. I will query this further when classes begin. A discounted upgrade for Windows 7 would be nice, but upgrading the XP machine is out of the question. It is a shared machine with several user accounts and multiple users on two of them. It would be impossible for me to please everyone and maintain the over 100 programs registered in Windows, not counting the ones which launch straight from an exe file.

What does "sw" stand for? software? It has been mentioned numerous times in the discussion of remote access and other topics.

I am hoping that security issues will be covered in the required introductory classes. In my own perfect world the reason for no positive replies to my queries on the topic are a result of misunderstanding the importance of security. --OR-- The typical user cares nothing about activities beyond using the machine for a desired task. Anything else which requires interaction is merely a nuisance. I view this as a weak point of a good GUI. It encourages laziness.

I will give some serious thought to encryption before embarking on the task of including it. Remote assistance and VPN are still occupying my decision process as I gain more information on them.

I have found your dialog as informative as the direct replies to my posts. Thanks for making this public. As an aside: I wish I could have included some of my comments about the IT department in [rant] [/rant] tags to include some animation.

respectfully submitted
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0

Post Reply