Monday, September 21, 2009

Security Smorgasbord, Vol 1, No. 2

Interesting mix of security news, from the concrete (could very well affect you) to the esoteric.

First up, this is the Month of Facebook Vulnerabilities. Every now and then, someone in the security community will kick off a "Month of X Vulnerabilities" to highlight, well, lousy security in X. In the past we've seen this for Apple, Twitter, and Browsers (I've probably forgotten several targets). This month, it's Facebook Applications which (surprise!) often don't have much security. The responses mostly seem to be "Hey thanks - we've fixed it", but a couple are (ahem) less cordial:

Responsiveness: I did not receive any responses from Manakki, but they did patch the hole – the example URI below now brings up a page that says, “Please go away.”

Vulnerability Status: Patched

Well, then. At least they fixed it. Clicky through to see who's playing ball and who's a grump. Especially if you use Facebook Apps.

Next up is a retrospective on 60 years of cryptography, with a neat slide show of past cipher machines. No discussion of cipher machines is complete, of course, without one of these:
That's an Enigma Machine, as used by the Germans in World War II. They have these on display at the National Cryptologic Museum at NSA (open to the public, and highly recommended if you're ever in the neighborhood of Laurel, MD - don't forget to pick up an NSA coffee mug at the NSA store!). Seizing the Enigma is also highly recommended, if the history of cryptography is your bag, baby. The Enigma was a machine that would scramble messages, so that when a Wehrmacht unit radioed another, it was impossible to read. Breaking it was a huge breakthrough for the Allies, and was one of the most closely held secrets of the war - because if the Germans had known that Eisenhower was reading all their mail, they'd have changed the code.

Lastly, there's another Facebook story, about how some smart kids at MIT have studied people's Facebook Friend networks, and think they can identify who's gay. They call it - I kid you not - "Gaydar":

Using that information, they “trained” their computer program, analyzing the friend links of 1,544 men who said they were straight, 21 who said they were bisexual, and 33 who said they were gay. Gay men had proportionally more gay friends than straight men, giving the computer program a way to infer a person’s sexuality based on their friends.

Then they did the same analysis on 947 men who did not report their sexuality. Although the researchers had no way to confirm the analysis with scientific rigor, they used their private knowledge of 10 people in the network who were gay but did not declare it on their Facebook page as a simple check. They found all 10 people were predicted to be gay by the program. The analysis seemed to work in identifying gay men, but the same technique was not as successful with bisexual men or women, or lesbians.

“It’s just one example of how information could be inadvertently shared,” said Jernigan. “It does highlight risks out there.”

Not earth-shaking, I know: if you're gay, you probably have a lot of gay friends. Mapping patterns of Facebook connections lets any Tom, Dick, or Harry figure this out. Nothing that your friends didn't already figure out, just that this is public knowledge on Al Gore's Intarwebz.

This is actually one of the ways we beat Al Qaeda in Iraq: if you're a terrorist, you probably know other terrorists. Once there was a critical mass of information in a database, the network of cells started to unravel. Just ask Achmed.
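To make the "friends of a feather" inference concrete, here is an added toy example (my own, not code from the MIT study or from Facebook) on a constructed friend graph with a generic attribute A/B: it "trains" a threshold on declared users, labels the undeclared ones from the share of labelled friends, and then checks what happens when users make their friend lists private. The user ids, edges and labels are all made up for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[int, int]

# Constructed friend graph (not real data). "A"/"B" = attribute shown on the
# profile, None = not declared. Built so that A users mostly befriend A users.
DECLARED: Dict[int, Optional[str]] = {
    0: "A", 1: "A", 2: "A", 10: "A", 11: "A",
    3: "B", 4: "B", 5: "B", 6: "B",
    7: None, 8: None, 9: None,
}
FRIENDS: List[Edge] = [
    (0, 1), (1, 2), (0, 2), (10, 11), (0, 10), (1, 11),
    (0, 7), (1, 7), (2, 7),                      # 7's friends are all A
    (3, 4), (4, 5), (5, 6), (3, 6), (3, 8), (4, 8), (5, 8),
    (2, 9), (3, 9), (6, 9), (7, 9),              # 9 has a mixed friend list
]
TRUTH = {7: "A", 8: "B", 9: "B"}  # constructed ground truth, only used to score

def neighbors(user: int, edges: List[Edge]) -> Set[int]:
    return {v for u, v in edges if u == user} | {u for u, v in edges if v == user}

def fraction_a(user: int, edges: List[Edge], labels: Dict[int, Optional[str]]) -> Optional[float]:
    """Share of user's friends whose visible label is A; None if no labelled friends."""
    lab = [labels[n] for n in neighbors(user, edges) if labels.get(n)]
    return lab.count("A") / len(lab) if lab else None

def fit_threshold(edges: List[Edge], labels: Dict[int, Optional[str]]) -> float:
    """'Training': midpoint of the mean friend-share seen for declared A and B users."""
    a = [fraction_a(u, edges, labels) for u, l in labels.items() if l == "A"]
    b = [fraction_a(u, edges, labels) for u, l in labels.items() if l == "B"]
    a = [x for x in a if x is not None]
    b = [x for x in b if x is not None]
    if not a or not b:  # too little visible data to train on: fall back to 0.5
        return 0.5
    return (sum(a) / len(a) + sum(b) / len(b)) / 2

def infer(edges: List[Edge], labels: Dict[int, Optional[str]], threshold: float) -> Dict[int, str]:
    """Label every undeclared user who has at least one labelled friend."""
    out: Dict[int, str] = {}
    for u, l in labels.items():
        f = fraction_a(u, edges, labels) if l is None else None
        if f is not None:
            out[u] = "A" if f >= threshold else "B"
    return out

def visible_edges(edges: List[Edge], hidden: Set[int]) -> List[Edge]:
    """Observer's view when `hidden` users make their friend list private:
    a friendship stays visible as long as either side still lists it."""
    return [(u, v) for u, v in edges if u not in hidden or v not in hidden]
```

On the full graph all three undeclared users are labelled correctly; hiding only your own friend list changes nothing, because your friends' public lists still expose the same edges, and the inference about user 7 only fails once 7 and the friends 7 is connected to all hide theirs.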

So there you go - a trifecta of security goodness. Don't spend it all in the same place!

1 comment:

Anonymous said...

The Polish contribution to the breaking of Enigma was likely their most influential contribution to the war effort. If you haven't read it, the book "The Secret War" (Michael Patterson) is a fascinating read, too.

Jim