(In)security at the University of Birmingham

Security engineering

I travelled to the University of Birmingham on Friday to give a guest lecture to their undergraduates on Anonymity and Traceability. It was given in a smart new lecture theatre, which had what Birmingham apparently call a lectern PC at the front with buttons to give the speaker control of the room’s AV devices and lighting, along with a proper PC running various Windows applications, so you can plug in your USB flash drive and display your material.

As you can see from the photo, they have a rather trivial security model for using this PC:

Birmingham Lectern PC with text “Username=user” and “Password=user&2006″

The text (apologies for a rather fuzzy photo) says: "Username=user" and "Password=user&2006".

With a little thought, it can be seen that most likely this isn’t really a security issue at all, but a software design issue. I rather suspect that there just isn’t a way of turning off the login function, and the PC can’t be used to access any other important systems — and no-one wants to see lectures delayed if the password isn’t to hand. That’s undoubtedly why they’ve used proper Dymo-style tape for the information, rather than relying on the traditional yellow sticky, which could get lost!

6 thoughts on “(In)security at the University of Birmingham

  1. I imagine that many university departments do this – a couple of weeks ago I saw a similar piece of Dymo tape at UCL.

    Microsoft’s recommended way of hiding the login dialogue is the automatic login facility – http://support.microsoft.com/kb/315231 – but read all of their warnings before doing this.

    It is a good idea to set up a distinct security policy for such machines. Disable the password-protected screensaver and make sure that the account used cannot login to other machines.

    Reply

  3. They even use WEP for wifi… then again like the CS wifi I would imagine you cant do much other than steal bandwidth in theory.

    BTW Mark Ryan at University of Birmingham has started a new MSc Computer Security MSc. I’m sure he and his most excellent students would quite enjoy a thought provoking lecture from you guys.Spend long enough reading Ross Anderson’s book http://www.cs.bham.ac.uk/~mdr/

    Reply

  4. I’ve just been advising some potential customers about the risks of using any old USB flash drive instead of a floppy disk for file transfer between unetworked key management workstations and their main network. Would people agree with my assessment that floppy disks are the safest way of transferring a file without accidentally running it, or having other local attacks performed?

    BTW Mark Ryan at University of Birmingham has started a new MSc Computer Security MSc

    I was talking to Mark at FC 2007. Birmingham is expanding and there’s a lectureship up for grabs in case anyone is interested (by 9th march)… http://www.jobs.ac.uk/jobfiles/BK196.html

    Mike.

    Reply

  5. Mike,

    “risks of using any old USB flash drive instead of a floppy disk for file transfer”

    Only if they know what the write protect tab is for 😉

    Seriously though no mutable storage device is immune including CD-Rs that have not been closed properly so as normal you pay your money and take your chosen risk.

    The downside of floppy disks is tha lack of capacity, I have seen one or two Power Point Slides (not the whole presentation) that would not fit into 1.44Mbyte (or 2MByte if you bend the specs a bit).

    The sad thing is that it would not be that difficult to make a USD thumb drive with a proper write protect switch or other more reliable security mechanism however it appears not to be a “market option” at present.

    You might want to have a chat with a company like FTDI in Glasgow

    http://www.ftdichip.com/

    They specialise in designing USB devices and they might well be able to help you come up with quite a good design for a USB device that would meet your customers requirments…

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *