[IS&T Security-FYI] Newsletter, July 18, 2008

Monique Yeaton myeaton at MIT.EDU
Fri Jul 18 14:38:46 EDT 2008


In this issue:

1. Security and Human Behavior
2. MIT Personal Certificates and Kerberos Passwords


-----------------------------------------
1. Security and Human Behavior
-----------------------------------------

We all cherish our privacy. Then we go and divulge everything about  
ourselves on Facebook, provide our credit card numbers across the Web,  
and happily load up on insecure mobile devices like cellphones. What  
causes this paradoxical behavior?

A few weeks ago at MIT, some of the brightest minds came together to  
share their knowledge at a first-ever "Security and Human Behavior"  
conference, open by invitation only. This high-powered collection of  
computer scientists met at MIT humbly asking behavior experts for  
help, in an effort to get a better feel for the people they are trying  
to protect.

What we see is that scammers are successful because they have a feel  
for what fools people. Scientists who are working hard to make safe  
computers, airports, cities, etc., often aren't endowed with the same  
feeling. Security experts such as Bruce Schneier, who attended the  
conference, see this as a way of getting at new answers to old  
problems. "Many real attacks on information systems exploit psychology  
more than technology," Schneier says. "Security design is by nature  
psychological, yet many systems ignore this."

Social engineers learn how to fool people rather than becoming  
technology experts. Why spend years trying to hack into a bank, when  
you can just ask an account holder to give you their name and  
password? Young adults, those who use the Web to socialize or play  
games, are the easiest targets. Recently, a 17-year-old learned the  
hard way when his mother confronted him with loan applications for  
vehicles he had filled out. Apparently, one of the games he was  
playing on his Facebook page offered extra points in exchange for  
filling out an application that asked for a Social Security number. He  
provided that information, a decision he now finds embarrassing.

Findings from surveys conducted by scientists at Carnegie Mellon were  
revealed at the MIT conference, showing our privacy principles are  
wobbly. We are more likely to open up depending on who is asking, how  
they ask, and in what context. Informal and unprofessional online  
atmospheres encourage self-revelation, while those that are more  
formal and include assurances of privacy cause participants to clam up.

Attendees of the conference hope this meeting will spur more  
interdisciplinary discussions. Terrorism experts or other types of  
privacy and security researchers can use such conferences to work with  
psychologists to find answers to the same types of questions.

Article about the conference:
<http://redtape.msnbc.com/2008/07/cambridge-mass.html>

Article about online thieves:
<http://www.abcnews.go.com/print?id=5382302>

Research by Carnegie Mellon on privacy and information security:
<http://www.heinz.cmu.edu/~acquisti/research.htm#privacy>

--------------------------------------------------------------------
2. MIT Personal Certificates and Kerberos Passwords
--------------------------------------------------------------------

As you may know, many MIT services and applications require personal  
certificates. Secure websites include Employees Self Service, WebSIS,  
Parking, etc. Each July, one must renew their MIT personal  
certificate on each computer/laptop in use.

To get an MIT personal certificate, please complete the form at:
<http://ca.mit.edu/>

You will need your MIT ID number, your Kerberos (Athena) username and  
your Kerberos (Athena) password before you start.  The whole process  
will take less than 10 minutes to complete.

Please change your Kerberos password if you haven't done so for over a  
year. The certificate server will validate the last time you changed  
your Kerberos password and if it is less than a year, will remind you  
to do so.

You can change your password via this website:
<http://wserv.mit.edu/cpw>

Recommendations for setting a password can be found here:
<http://web.mit.edu/ist/topics/network/passwords.html>

Concise instructions and links to the certificate servers are on this  
web page:
<http://web.mit.edu/ist/topics/certificates/guide.html>

If you encounter any problems getting your personal certificate,  
assistance is available from the Computing Help Desk.  You may contact  
them at <computing-help at mit.edu> or x3-1101, Monday through Friday  
8:00am to 6:00pm.


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
