(In)security at the University of Birmingham

February 25th, 2007 at 15:15 UTC by Richard Clayton

I travelled to the University of Birmingham on Friday to give a guest lecture to their undergraduates on Anonymity and Traceability. It was given in a smart new lecture theatre, which had what Birmingham apparently call a lectern PC at the front with buttons to give the speaker control of the room’s AV devices and lighting, along with a proper PC running various Windows applications, so you can plug in your USB flash drive and display your material.

As you can see from the photo, they have a rather trivial security model for using this PC:

[Photo: Birmingham lectern PC with text “Username=user” and “Password=user&2006”]

The text (apologies for a rather fuzzy photo) says: "Username=user" and "Password=user&2006".

With a little thought, it can be seen that most likely this isn’t really a security issue at all, but a software design issue. I rather suspect that there just isn’t a way of turning off the login function, and the PC can’t be used to access any other important systems — and no-one wants to see lectures delayed if the password isn’t to hand. That’s undoubtedly why they’ve used proper Dymo-style tape for the information, rather than relying on the traditional yellow sticky, which could get lost!

Entry filed under: Security engineering

6 comments

  • 1. Mark Lomas  |  February 25th, 2007 at 17:57 UTC

    I imagine that many university departments do this - a couple of weeks ago I saw a similar piece of Dymo tape at UCL.

    Microsoft’s recommended way of hiding the login dialogue is the automatic login facility - http://support.microsoft.com/kb/315231 - but read all of their warnings before doing this.

    It is a good idea to set up a distinct security policy for such machines. Disable the password-protected screensaver and make sure that the account used cannot login to other machines.

  • 2. Dan Cvrcek  |  February 25th, 2007 at 19:10 UTC

    I’m just thinking if one could use such a computer for spreading trojan horse programs to the machines of lecturers via USB flash disks. It is, of course, quite unlikely but some students might be interested in the content of some hard drives ;-) http://it.slashdot.org/article.pl?sid=06/06/08/2151222

  • 3. csir  |  February 26th, 2007 at 19:50 UTC

    They even use WEP for wifi… then again, like the CS wifi, I would imagine you can’t do much other than steal bandwidth in theory.

    BTW Mark Ryan at University of Birmingham has started a new MSc Computer Security MSc. I’m sure he and his most excellent students would quite enjoy a thought provoking lecture from you guys. Spend long enough reading Ross Anderson’s book http://www.cs.bham.ac.uk/~mdr/

  • 4. Mike Bond  |  March 2nd, 2007 at 09:18 UTC

    I’ve just been advising some potential customers about the risks of using any old USB flash drive instead of a floppy disk for file transfer between unnetworked key management workstations and their main network. Would people agree with my assessment that floppy disks are the safest way of transferring a file without accidentally running it, or having other local attacks performed?

    BTW Mark Ryan at University of Birmingham has started a new MSc Computer Security MSc

    I was talking to Mark at FC 2007. Birmingham is expanding and there’s a lectureship up for grabs in case anyone is interested (by 9th March)… http://www.jobs.ac.uk/jobfiles/BK196.html

    Mike.

  • 5. Clive Robinson  |  March 6th, 2007 at 18:33 UTC

    Mike,

    “risks of using any old USB flash drive instead of a floppy disk for file transfer”

    Only if they know what the write protect tab is for ;)

    Seriously though, no mutable storage device is immune, including CD-Rs that have not been closed properly, so as normal you pay your money and take your chosen risk.

    The downside of floppy disks is the lack of capacity, I have seen one or two Power Point Slides (not the whole presentation) that would not fit into 1.44Mbyte (or 2MByte if you bend the specs a bit).

    The sad thing is that it would not be that difficult to make a USB thumb drive with a proper write protect switch or other more reliable security mechanism, however it appears not to be a “market option” at present.

    You might want to have a chat with a company like FTDI in Glasgow

    http://www.ftdichip.com/

    They specialise in designing USB devices and they might well be able to help you come up with quite a good design for a USB device that would meet your customers’ requirements…

  • 6. CSIR  |  March 19th, 2007 at 18:00 UTC

    I bought a “PQI Cool Drive” must be around 4-5 years back for a small fortune. It has a hardware write protect switch, small but works. No idea as to whether still in production, very high quality hence probably not the most popular in today’s buy 1 get 1 free market.

    http://www.pqi.com.tw/product2.asp?oid=&cate1=18&PROID=31
