Since the days of waking up at 5am to watch the Tour de France live with my dad at eight years old, I’ve been a big fan of bikes. I’ve since grown to love riding them, and spent several years as an avid road racer. While I’m somewhat of an anomaly, many of you also rely on cycling for transportation to class, to work, and elsewhere. Unlike cars, which are just slightly harder to steal, bikes are the candy-from-a-baby in the world of theft. One magazine article I read several years ago had a “professional bike thief” (probably a security professional who learned methods of theft in his research) attempt to steal a bike secured by one each of every available bike lock on the market at the time. In public. The result? All but a single lock could be circumvented so quickly that nobody in the area even noticed that it was not unlocked by normal means.

I have to say, I am particularly bitter about bike security. A few years ago I was living in Stevens Court with a few friends. A past summer job at Gregg’s Greenlake Cycles had yielded an absurdly cheap employee purchase of a Lemond Tourmalet, a very nice road bike. I wasn’t using it to commute to school (who locks up a bike like that around the Ave?), but I did have it in our apartment so I could go riding. One day I came home and it had been stolen from my living room. My roommates had left the front windows wide open and the door unlocked. Go go speed racer, go.

Ahem…anectodes. So back to bike locks. Here’s the breakdown:
Assets:

• The bike: This one is fairly straightforward. The main asset is the bike itself.
• The value of the bike, either monetary or functional.

Adversaries/Threats:

• Many bike thefts are crimes of opportunity. Often, adversaries are not hardened criminals, but those taking advantage of an easy gain.
• Scalpers are the most common pre-meditated bike thiefs. They steal bikes for resale of the bike or its parts. Especially on more expensive bikes, the parts are, separately, worth more than the bike as a complete product. A 10-speed Shimano Dura-Ace component set (just shift levers, gears, chain, brakes, and derailleurs) could run almost $1,500. A pair of good Ksyrsium road wheels (not tires, just the wheels) can cost $1,100.
• Generic thiefs.

Potential Weaknesses:
Bikes are incredibly difficult to secure. Part of this has to do with the way they are built. Each bike component is just screwed or bolted on. Bikes need to be light and mobile so emphasis is not on security. Often security is a non-consideration. Moreover, due to the common use cases (transportation, recreation, or racing), it is impractical to transport heavy-duty security mechanisms along with the bike.

• Parts are not well-secured. They can be removed quickly and easily with conventional tools.
• With the exception of the frame, most components are either plastic, carbon, or very lightweight metal alloys that can be snapped or cut with hands or the most basic of implements.
• Because the various components all come apart, it is impossible to secure all of the securable and valuable parts of the bike without multiple locks.
• Most locks are just for show. Cable locks can be cut with wire or bolt cutters. Chains can be dealt with using bolt cutters of varying strengths. Hacksaws can cut most any cable, chain, or lock bolt, since all but the most expensive locks use cheap, unhardened, and generally low-quality steel. Finally, many of the locks themselves are insecure. Keyed locks are often easy to pick. Circular locks were shown crackable with a mere ball-point.
• People don’t bother. Many bikes are left unsecured, especially if the owner anticipates a short stop.
• Human error causes locking to fail. Many fail to grasp the detachability of the various bike components or underestimate the time it would take for a good thief to disassemble impeding components. You’ll see many lone wheels still locked to racks, or a frame by itself without any wheels, the fork and drivetrain stripped.

Potential Defenses:

• The greatest defense for a bike locked in public is to not be worth stealing. Nobody will ever waste their time trying to jack a cheap, old, or poorly maintained bike. If you’re commuting, especially in sketchy parts of time (*cough* the ave *cough*), don’t do it with a $2,500 road bike. Get yourself a used bike at a garage sale and ride that. If you are going to ride a nice bike, obfuscate it. Paint it over with an ugly color and bad paint job. Scratch it up. Plaster it with stickers. Get it dirty. None of these will work spectacularly well, but it never hurts.
• By a GOOD lock. This is especially true if you don’t heed the advice above. I would have no problem spending $100 on a bike lock for a nice bike. The very best bike lock out there will not stop a thief, but the best lock used correctly may impede them enough that they are deterred in a given context. So what is a good lock? Usually the way to go is either a good U-lock or fat, FAT chain and lock. If you actually care, I would recommend either the Kryptonite New York Fahgettaboudit Chain (https://www.kryptonitelock.com/products/ProductDetail.aspx?cid=1001&scid=1002&pid=1168) or U-Lock (https://www.kryptonitelock.com/products/ProductDetail.aspx?cid=1001&scid=1000&pid=1095). If you do get a U-lock, make sure it’s brand new and doesn’t have a tubular lock (the kind that gets insta-picked with a pen).
• Lock the bike properly. The frame MUST be locked to a secure beam. Ideally, you want to lock the frame, back wheel, and front wheel. With a single good lock, however, this is impossible. I, personally, simply lock the back wheel and frame with a single lock (carrying two locks is far too impractical…but I may come back to find a missing front wheel one of these days).
• Don’t take a bike to a known sketchy area in the first place.

Conclusions:

The bottom line is that if a crew with a van and power tools wants your bike…it’s just going to go. Sorry. If a single good bike thief with hand tools wants your bike, there’s also a good chance it won’t be there when you come back. The good news is that by far, most thefts are NOT committed by experts, but rather by fools taking advantage of an opportunity that you’ve given them. Take your lock seriously, lock your bike properly, and hope for the best.

They say that one of the best ways to learn a foreign language is to immerse yourself in it.  If you want to learn French, move to France.  This blog is designed to immerse you in the security culture and to force you to think about security on a regular basis, such as when you’re reading news articles, talking with friends about current events, or when you’re reading the description of a new product on Slashdot.  Thinking about security will no longer be a chore relegated to the time you spend in lecture, on assigned readings, on textbook assignments, or on labs.  You may even start thinking about security while you’re out walking your dog, in the shower, or at a movie.  In short, you will be developing “The Security Mindset” and will start thinking like a seasoned security professional.

It is also extremely important for a computer security practitioner (and actually all computer scientists) to be aware of the broader contextual issues surrounding technology. Technologies don’t exist in isolation, rather they are but one small aspect of a larger ecosystem consisting of people, ethics, cultural differences, politics, law, and so on.  This blog will give you an opportunity to discuss and explore these “bigger picture” issues as they relate to security.  As an added bonus, this blog will also give you an opportunity to exercise your writing and critical thinking skills in a cooperative learning environment with your peers. 

Course Blog Requirements.  You should read this blog regularly.  Within the first five weeks of the course you must submit at least one current events article and one security review (due Feb 6 at 11pm). You must also submit at least one current events article and one security review within the last five weeks of this course (due March 13 at 11pm).  You must also post a blog comment for each week that you do not post a main current events or security review article (where each week “ends” on Fridays at 11pm).  Hence, by the end of the class, you will have written at least 10 times in the blog (2 current events, 2 security reviews, and 6 comments).  All your posts and comments should be high-quality, thoughtful, and well-formulated.

There are some excellent examples of past security reviews here.  (The requirements for these past security reviews may, however, be different than the requirements for this version of the course.  So please pay attention to the specific requirements for this version of the course.)

You should tag your current events articles under the “Security Reviews” category.  You should also select any other relevant categories.

Blog comments.  Your comment should be a thoughtful reflection on the original article and earlier comments. One- or two-liners are not sufficient. You might draw in other examples to support the original article’s thesis, and then explain why these are good examples. Or you might give several concrete counter examples, and explain why they are counter examples. You might also raise an issue that the original article didn’t fully address.

Post early, post often.  This year we are giving you significant flexibility in when you make your posts.  But we encourage you to post early and post often.

You will receive extra credit for posting current events and security reviews early (but within the same 1/2 of the quarter).  Each current event and each security review post is worth 12 points.  If you submit your first security review in the 4th week of the quarter, it will get 1 extra credit point, if you submit it in the 3rd week of the quarter it will get 2 extra credit points, and so on.  Your second security review must be submitted in the last 5 weeks of the course (this is what we meant by “within the same 1/2 of the quarter”); if you submit it in the 6th week, you will get 4 extra credit points, and so on.  The same holds for the current event articles.

Of course, there’s another reason to post early:  this course is quite demanding and we suspect you’ll only get busier as as the quarter progresses.  Plus, remember that each current events article must discuss an event that was not previously discussed on the blog.  This means that the earlier you post your current event article, the easier task you’ll have at finding an interesting event to discuss.

We will also give extra credit to those who actively use this blog to post extra articles or comments. 

Dan and the rest of the team from UW, UMass Amherst, and Harvard Medical School found that an implantable cardioverter defibrillator can leak private information and can allow unauthorized parties to modify settings that control, among other things, shock therapies.  

You can read Dan’s full paper and the FAQ, as well as his earlier work on the topic of medical device security.  You can also read summaries of Dan’s work in The New York Times, the Wall Street Journal, Reuters, and the Associated Press.  Bruce Schneier also provides excellent commentary.

Congratulations Dan!

To readers of this blog: Please expect low activity for a while. The University of Washington is on the quarter system, and our quarter just ended. Everyone in the class is, of course, encouraged to still contribute articles to this blog. And we’ll continue using this blog (or more sophisticated forum environments) in future courses.  Stay tuned for more information .

http://hackerskills.com/

The iPhone is an interesting subject for security review because there is are a wide range of potential entities that could attack the iPhone. The iPhone is an exceptional device because it is used not just as an address book, but also stores a lot of other private information such as website passwords, real time geographic location information, and web browsing history. Spammers, greedy corporations, data miners, enemies and ex-girlfriends might all have interest in exploiting weaknesses in the distribution system. Threats to this system might come from two angles: the phone and its data, or the distribution system for the application. Threats to the phone involve an attacker gaining access to personal/private data by exploiting an application through a web browser or over a cell phone network. Threats to the distribution model might include a hacker discovering how to install 3rd party applications that bypass Apple’s distribution model and thus evade the security measures in place.

One serious weakness in Apple’s distribution system is the impossibility of code reviewing every line of every program that is being distributed. This allows for the possibility of a developer introducing vulnerabilities onto the iPhones, whether it is their intent or not. These vulnerabilities can be in the form of buffer overflows or other stack vulnerabilities introduced by bad programming, or they could be intentional back doors introduced by dubious developers. These vulnerabilities are compounded by the fact that every application on the iPhone runs as the root user.

There are several defenses that might be employed against adversaries attacking either the phone itself or the distribution system. Apple requires developers who want to distribute their application to pay a $99 fee to obtain a digital signature with which to sign the application. This might serve as a deterrent against developers who might want to distribute malicious code, as their work will be easily traced back to them. Another defense against these kinds of malicious applications is the ability for Apple to stop distribution of applications that have been found to contain dubious code. It would also be good from a security standpoint for Apple to be able to remotely disable malicious programs. (But this brings up ethical issues). Apple might also implement code-review and static analysis procedures on the applications that are being submitted for distribution in order to stop malicious code from every reaching end-users.

With Apple’s new SDK, the risks are large. The iPhone carries a huge amount of personal data that is always up to date. A person’s phone being data mined, taken offline, or hijacked could cause huge losses financially, in privacy, and in convenience. If a person downloads third party applications, they are “assured by Apple” that the application is safe, which may be a problem if people lower their guard.

As Apple breaks new ground in the mobile market there are bound to be pitfalls along the way. Unfortunately the risks are high. People use their phones to contain a large amount of personal, sensitive, and real time data. The iPhone is essentially a mini computer that is always on the network. This is a huge asset to protect and from a company that isn’t necessarily used to dealing with such mission critical devices.

Apple’s business decisions for the iPhone are additionally complex. Traditionally being a very closed system company, it is surprising that they are going to such ends to open the device to third party developers. This puts a lot of reliance on the company’s ability to keep the parts of the pipeline that are secured, such as their developer SDK, the developer accountability, and distribution channel, secured. If any of these are compromised, Apple may be in a place of responsibility, possibly at a legal level.

Collaborative effort: jimg and robert

Summary:
The Emotive product is a headset for use in video games and other applications. The user places it on their head and it uses EEG to somehow detect emotions, thoughts, and facial expressions. These are broadcast wirelessly using a proprietary protocol. I am working under the assumption that it will need to “tune” itself to some brain.

Assets:

• The user would probably want to keep their emotions a secret. They can be considered very sensitive information, and they may wish to hide them or disable them
• Likewise, the users thoughts are also very sensitive. It would definitely pick up on other stray thoughts that aren’t related to the game.
• The thoughts and emotions should not remain on storage for long, as a “history” of someones thoughts can be incriminating evidence or something.

Potential Adversaries/Threats:

• Someone who has an interest in breaking proprietary protocols (read: hackers) can make it possible to intercept and decipher (or modify) the transmissions.
• Police men/SS officers can intercept it and use it in some form of Orwellian police state to find “thought offenders”
• Game developers who write their own SDK for handling the devices input may have nefarious ideas in mind, like using targeted advertisements based on player reactions, etc.
• Professor X (leader of the X-Men) already has the ability to read minds; he may find this device offensive or threatening and decide that it must be eliminated no matter the cost. Of course, he is a superhero and not a super villain, so we should probably worry more about Jean Grey/Phoenix.

Weaknesses:

• Proprietary protocol should be ringing alarm bells; the second that thing is cracked, there better be a way to update the firmware to do something else. Better yet, use something established like WPA while still allowing firmware upgrades.
• Wireless in general is a pretty bad idea when transmitting sensitive information; they should consider switching to a tethered system even if it does limit motion a bit.
• The firmware and SDK itself is susceptible to malicious users in that it can possibly be replaced/augmented by an adversary to collect different information, send false information, or relay information elsewhere.

Move over, traditional HCI. No longer shall we be bound to computers by the unintuitive, linear input of keyboards and mice. Electronic gaming company Emotiv is about to kick it up a vertebra with BCI: brain-computer interaction. The company is developing a headset called Project Epoc that processes the wearer’s brain signals in order to communicate wirelessly with a PC or video game console. Emotiv already offers a developer’s kit which helps developers utilize the headset’s separate abilities to monitor the wearer’s 1) facial expressions, 2) emotional state, 3) intent, and any combination thereof. In short, Project Epoc “makes it possible for games to be controlled and influenced by the player’s mind.” So throw away your clunky controllers that still require hands (should I keep my Guitar Hero controller? Will I play air guitar with my mind now?). Thought-controlled games are the future, man.

Emotiv may think their product is revolutionary and would be used only for good, that is, entertainment at the expense of no one. But the product developers need to keep certain assets in mind.

• Privacy of User’s Thought: the goal is to make sure user thoughts are known only to the headset as it records them and known to the game being played. This is important because people do not want to broadcast their emotional status and perhaps controversial (!) opinions to parties unknown. OK, most people don’t want this. Let’s just assume the apocalypse-prophesying-sandwich-board hobo’s thoughts are less important an asset in regards to this product.
• Authenticated Sources And Destinations of Wireless Transmission: the headset should communicate with the desired equipment (PC, Xbox, etc.), and equipment should only accept communication with relevant headsets. As users play a game, they do not want interfering devices controlling their game. Authentication and availability of service are important assets. We’re talking about their thoughts here. No one should stop them. What is this, 1984? Brazil? Anyway, I can’t think of a reason you would want to broadcast/receive headset communication to/from somewhere besides where you are located, playing your game.
• The User’s Brain: I think it goes without saying that the single organ that truly distinguishes humans as human is worth protecting. Emotiv claims electroencephalography, or EEG, is a non-invasive measurement of the electrical activity of the brain. Because the brain is central to Project Epoc’s operation, it is a very important security goal for Emotiv to make sure the device remains non-invasive.

Now you know what’s at stake. Yet who would take advantage of innocent gamers wearing this stylish crown?

• Stalkers, Murderers, Vagabonds, etc: I know I want to know the emotional state of my girlfriend before I enter my home. Is she cool, or should I lay low at a bar tonight? Project Epoc sounds capable of monitoring these sorts of things. Imagine what undesirables could do to her with this information.
• Professional Gaming Cheaters: this is a risk with any wireless device. Say we have a professional game player playing when money’s at stake. Can we say for sure it’s his headset controlling the game? This would be harder to monitor than if we just looked at his hands with a typical controller in them. So, a behind-the-scenes threat, who perhaps knows more or is higher skilled, could play for him. Just like the machine that everybody thought could play chess but it was actually a little person hiding inside, that’s cheating!
• The Government: a threat to your privacy, as the government might like the same information as stalkers above, but measurements of your disloyalty more so. There is also a threat to authentication. Say you’re exceptionally skilled at a space combat game that uses Project Epoc. If the government intercepted and relayed your thoughts, originally intended for your PC, in order to control an army of real-life starfighters to slaughter real-life aliens, would you want to know? What if they were innocent aliens?

Not much information is publicly available about Project Epic. Nevertheless, allow me to conjecture some security weaknesses. Hopefully what I come up with is obvious and Emotiv already considered it. What if they haven’t?

• Headset Modification: A possible weakness of Project Epoc is the inability for the helmet to know where it broadcasts thoughts. The intended destination is a PC or console owned by the wearer. What if it’s reconfigured to connect elsewhere too? The user is unaware; the thing still looks like any ordinary brainwave-reading headpiece lying around. And there’s no reason for the adversary-controlled receiver to ping the user back, informing him of the extra connection. A solution to this would be some form of intrusion detection that notifies the user if the helmet has been tampered with. And let this intrusion detection notify the user before he puts the helmet on, in case the device has been set from ‘non-invasively scan brainwaves’ to ‘kill’.
• Obscure Wireless Protocol: This doesn’t eliminate the possibility of passively scanning the helmet’s transmissions. Emotiv is using a proprietary wireless protocol for communicating with Project Epoc. This is a weakness, because the security of wireless protocols ought to be examined by as many people as possible. Emotiv is gunning for security by obscurity. The solution is releasing the specifications of their protocol to security community scrutiny and making damn sure Project Epoc’s connection is not susceptible to cryptographic attacks (the traffic is encrypted, right?).
• Disallowing Irrelevant Headsets: A receiver should only accept connections from Project Epoc headsets worn by people in the room. Otherwise, you let in the aforementioned threat of professional cheaters. Because the headset communicates wirelessly, this is difficult to verify on the receiver’s end. A solution might be to require the wearer to thoughtfully respond to a visual prompt on screen before starting up the game. But if the hidden cheater can see the screen too, this solves nothing. Another solution might be to require that relevant headsets be in the line of sight of the receiver, checking this by IR.

As cool as it sounds to strap up your dome for electroencephalography, there are genuine security risks Emotiv has to look into. Security isn’t a top concern in a lot of product advertisement but for the company’s sake I wouldn’t buy into the product until they address security. And they should confer about this with their third party developers, whose trustworthiness I haven’t even discussed here. Until this project dissolves or, if I were an optimist, more details are announced, I’ll be biting my nails in melancholy anticipation of Project Epoc.

Summary: Emotiv is primarily a video-game company that creates products that let people control games with their thoughts, both conscious and subconscious. Emotiv’s “Project Epoc” product is a stylish looking cap that uses electroencephalography (EEG) to measure the electrical activity of the wearer’s brain. It is able to sense the emotional state of a person as well as recognize a few simple intentions. It transmits the user’s input to the receiver wirelessly.

Assets and Security Goals:

1. Protecting the privacy of the user’s thoughts. People’s private thoughts should not be available for others to see.
2. Protecting the integrity of the user’s thoughts. People should not have thoughts that they didn’t think attributed to them.
3. Protecting the health and safety of the user. The device should not harm the user physically or mentally.

Potential Adversaries and Threats:

1. People want to know what other people are thinking. Employees want to steal ideas from coworkers, auctioneers want to know how much bidders are willing to pay, and desperate housewives want to know if their husbands know about their love affairs.
2. People want to trick other people. A malicious person could plant custom thoughts (like sell a certain stock) into a user by rewarding them in the game if they have that particular thought. This could be done by modifying the signals transmitted to the console, or by modifying the game program.
3. People want to physically harm other people. A malicious person could rig up the device to give an electric shock to heads of unsuspecting individuals.

Potential Weaknesses:

1. Weak encryption of transmitted signal. If the transmitted signal is not strongly encrypted, the privacy of the user’s thoughts could easily be compromised. This problem is exacerbated by the use of wireless communication, which makes capturing packets more undetectable.
2. Transmission of raw signals. If the device transmits the raw EEG signals to the console for processing, this provides much more information to hackers if they are able to compromise the system. A better solution is to first process the raw signals on the headset, and them transmit high level commands to the console. This would limit the amount of compromised information in the event of an attack.
3. Physical access to the user’s brain. The device needs to have access to the user’s brain in order to take EEG measurements. This is a problem because a malicious device could masquerade as the headset and also gain physical access to the user’s brain.

Product Summary

Project Epoc is a new kind of interface for the human computer interaction. It is based on recent developments in neuro-technology that have made this kind of product possible. The product is basically wireless head-gear with sensors. These sensors pick up the electrical signals produced by the brain of the person wearing it. The claim is that that it can detect thoughts feelings and expressions. The intended use of this headset is to use it to control games with the brain’s electrical signals, and according to the manufacturer, the user’s facial expressions, conscious thoughts and emotional states. The information regarding a person’s thoughts and emotional state would be transmitted to the game allowing for an experience that could be programmed to respond accordingly to that information.

Assumptions

For the purpose of this evaluation, I will assume that the manufacturer’s claims are true, and the Project Epoc headset can, in fact, relate the conscious thoughts, emotional states and facial expressions to a PC through its wireless interface.

Assets and Security Goals

• The content of the transmission: a person’s thoughts and feelings, is an asset to that person. It is a reasonable security goal to wish that your internal thoughts and emotions will remain private unless you wish to share them. While it is sometimes obvious that a person is very scared or uncontrollably happy, people can expect to keep all but very intense emotions private if they so choose. This content should only be available to the game the user is playing.
• The identity of a player as well as the duration, frequency and time of play at a given game is also considered an asset. One goal should be that no information about a person’s identity is gathered when playing games as this would infringe on privacy. This relates to the concept of confidentiality.
• The ability of the software to correctly interpret thoughts and emotions would be an asset. If the headset did not accurately transmit the brain’s electrical signals or process facial expressions the usefulness of this product would be questionable, and the game playing experience would be less than satisfying. This can also be related to the concept of integrity, ensuring that the correct signals reach the end device.

Potential Adversaries and Threats

• The maker of a game could be a potential adversary. If we assume in this case that the user is playing on a PC, the manufacturer could be monitoring how the player responds to the game in order to do market research, improve scenarios, or for other business purposes. The player would have no idea that their responses were being monitored in this way.
• Anyone with access to the PC the game is played could be a potential adversary. This includes friends, family members, repair people, roommates, etc. The adversary could put software on the PC to record the times, duration and content of any gaming session. This is a threat because it could be used to track a person’s location at a specific time, and their thoughts.
• The government is a potential adversary (duh!). Government agents could create a game that uses this technology, and tracks a player’s responses to certain situations. This game could require an internet connection for “enhanced content”. These recorded responses could be used to create profiles of individuals, and could be updated with new scenarios as long as a player uses the equipment. Excellent players could be targeted for recruiting into government agencies.

Potential Weaknesses

• The headset transmits information wirelessly, and this information could be intercepted by someone within range. Even if it was encrypted, the development kits used to interpret the signal are available from the manufacturer. The ability to intercept the conscious thoughts and emotions of someone is a potential weakness. Ensuring that the transmission is encrypted and isolated in the game only would be important.
• Another potential weakness is that the game responds to your thoughts and feelings, thus allowing anyone that can observe the game (either over the internet, or if they are in view of the screen) access to your non-verbalized brain processes. This sort of transparency of thought opens the door for someone to gain intimate knowledge without consent. One way to eliminate this would be to have some elements of the game that depend on chance as well as a player’s thoughts.
• Okay, this one is way out there, just warning you. One other weakness that could be exploited in this scenario is that this could be applied to some real event, where players are using their brainwaves to kill adversaries in the game, detonate bombs etc. and without knowing it, they actually ARE activating bombs or pulling the trigger, or maybe even commanding real intergalactic ships on a mission to kill the buggers…..