Pacemaker and Implantable Defibrillator Security Paper at Oakland

By Tadayoshi Kohno at 6:54 am on May 26, 2008 | 1 Comment

University of Washington CSE PhD student Dan Halperin et al.’s paper on the security and privacy for pacemakers and implantable defibrillators just received the Best Paper Award at the annual IEEE Symposium on Security and Privacy (a.k.a. the “Oakland” conference).

Dan and the rest of the team from UW, UMass Amherst, and Harvard Medical School found that an implantable cardioverter defibrillator can leak private information and can allow unauthorized parties to modify settings that control, among other things, shock therapies.  

You can read Dan’s full paper and the FAQ, as well as his earlier work on the topic of medical device security.  You can also read summaries of Dan’s work in The New York Times, the Wall Street Journal, Reuters, and the Associated Press.  Bruce Schneier also provides excellent commentary.

Congratulations Dan!

Filed under: Announcements, Current Events, Research, Security Reviews

Phalanx attains Slashdot fame!

By alpers at 1:40 pm on April 22, 2008 | 2 Comments

I’m not sure if many people read this blog, but I recently noticed that the UW project Phalanx (slides, paper, and poster available from Colin Dixon’s site, recently featured on Slashdot) brought up the idea of countering botnets by setting up neutral (‘white-hat’ was tossed around in the /. comments) botnets to negate the adverse effects.

Any thoughts on this? It’s a curiously fun conceptualization, but could this potentially be just digging a bigger grave for the internet?

Filed under: Current Events, Integrity

In-Flight Web Page Modifications

By creis at 5:29 pm on April 20, 2008 | No comments

Our research group (Charlie Reis, Yoshi Kohno, and Steve Gribble from UW CSE, and Nick Weaver from ICSI) has just presented a measurement study showing that many users are receiving web pages that have been modified in-flight.  The pages are changed between the web server and the user’s browser, either by ISPs injecting advertisements, enterprise firewalls injecting script code, or client-side proxies that block popups and ads.  These changes are often unwanted by either publishers or users, and they can also be dangerous: we found that several types of changes introduced bugs and security vulnerabilities into otherwise safe and functional pages.

To study this, we measured how often our own web page, http://vancouver.cs.washington.edu, was modified when users visited it.  A piece of JavaScript code that we call a “web tripwire” detected such modifications, allowing us to record the change and notify the user.  Our study found that about 1% of the 50,000 visitors to our page received a modified version.  While 70% of these changes were caused by client-side proxies, we did see many changes caused by ISPs and firewalls as well.

For more information on our study and our results, you can read our analysis at Detecting In-Flight Page Changes with Web Tripwires, as well as our recent NSDI 2008 paper (PDF).  Our results have also been covered recently in the news media here, here, and here.

If you would like to add a web tripwire to your own page, we have an open source toolkit that you can download and host on your web server.  We also have a web tripwire service that is hosted by our server, which you can add to your page with a single line of JavaScript code.

Filed under: Current Events, Integrity, Research
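A minimal web tripwire in the spirit of the study above, added here as an illustration; it is not the UW toolkit’s code. It assumes the publisher embeds the markup it served (`EXPECTED_HTML`) in the page so the browser can compare it with what actually arrived; in a real deployment the received copy would come from `document.documentElement.outerHTML` or a re-fetch of the page, and the sample markup below is constructed.

```javascript
// Added example of a "web tripwire" (not the UW toolkit). Assumes the
// server embeds the markup it sent (EXPECTED_HTML); the browser compares
// it with the copy it received (here a constructed RECEIVED_HTML).

// Constructed sample: the page as the server sent it.
const EXPECTED_HTML = [
  '<html><head><title>Vancouver</title></head>',
  '<body><h1>Hello</h1><p>Welcome.</p>',
  '</body></html>',
].join('\n');

// Constructed sample: the same page after an intermediary injected a script.
const RECEIVED_HTML = [
  '<html><head><title>Vancouver</title></head>',
  '<body><h1>Hello</h1><p>Welcome.</p>',
  '<script src="http://ads.example/inject.js"></script>',
  '</body></html>',
].join('\n');

// Normalize line endings/whitespace so benign reflow is not flagged.
function normalize(html) {
  return html.replace(/\r\n/g, '\n').split('\n')
    .map((l) => l.trim()).filter((l) => l.length > 0);
}

// Compare expected and received markup; report injected and removed lines.
function checkTripwire(expected, received) {
  const exp = normalize(expected);
  const got = normalize(received);
  if (exp.length === got.length && exp.every((l, i) => l === got[i])) {
    return { modified: false, injected: [], removed: [] };
  }
  const expSet = new Set(exp);
  const gotSet = new Set(got);
  return {
    modified: true,
    injected: got.filter((l) => !expSet.has(l)),
    removed: exp.filter((l) => !gotSet.has(l)),
  };
}

// Turn a report into the notice the tripwire would show the user.
function describe(report) {
  if (!report.modified) return 'Page received intact.';
  const kinds = [];
  if (report.injected.some((l) => /<script\b/i.test(l))) kinds.push('script injected');
  if (report.removed.length > 0) kinds.push(`${report.removed.length} line(s) removed`);
  return 'Page was modified in-flight: ' + (kinds.length ? kinds.join(', ') : 'unclassified change');
}

console.log(describe(checkTripwire(EXPECTED_HTML, RECEIVED_HTML)));
```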

Microsoft, Yahoo, and Internet Breakage

By Justin McOmie at 11:58 pm on March 16, 2008 | 2 Comments

In a recent interview with “Condé Nast Portfolio”, Google CEO Eric Schmidt warns us all that a Microsoft-Yahoo merger might “break the internet” due to the consolidation of web-mail, instant messaging, and other services that would follow as a result. This relates to a still on the table 40+ billion dollar offer that Microsoft has proposed to Yahoo. While the deal is not cemented yet, representatives for the respective companies have reportedly had frequent rendezvous at Mayflower conference rooms to “feel things out” before big money exchanges hands.

The big issue at hand is the oncoming breaking of the Internet, which clearly has broad reaching implications, particularly for Google. The search giant has bet its entire business model on the premise that the Internet be categorically unbroken, at least most of the time, and has a vested interest in ensuring the continued heartbeat of the web. This is in contrast with Microsoft, which could deal with an Internet breakage without all that much worry for its bottom line. This fact should alarm anyone with perceptive eyes; perhaps “breaking the Internet” is the first gunshot in a drawn out war of attrition Microsoft has planned.

According to Schmidt, Microsoft’s previous antitrust trial was about breaking interoperable open systems. Thus, we should all be wondering what level of nefariousness currently runs through Microsoft’s veins that it would embark on a conquest to contort the consolidation of Yahoo’s web offerings in some way as to weaponize open systems into a torrent of Internet pain and disruptiveness. One can only grimace at the proverbial ring of power Microsoft will be able to wield when it is able to commit such acts as merging its MSN Messenger userbase with that of the wildly popular Yahoo Messenger.

The Internet using public should assess the risk for Internet breakage and policy makers should react accordingly. But we should also keep in mind that if a Microsoft Yahoo merger could break the Internet, smaller deals might lead to some sort of fractures or cracks in the Internet. For example, Microsoft recently invested several hundred million dollars into Facebook, which caused observable tremors in the Internet’s various tubes. Caveat emptor.

Source: http://www.portfolio.com/executives/features/2008/03/14/Google-CEO-Eric-Schmidt-Interview

Filed under: Current Events, Miscellaneous

Current Events: Wikileaks

By alpers at 11:02 pm on | 1 Comment

Something that really piques one’s curiosity is the documents and reasons behind why governments and institutions choose to go down the paths they do.  One site that caters to uncovering these sensitive documents is Wikileaks, which has been frequently featured on /.’s homepage.  Although many documents revealed on Wikileaks are shown for the first time to a wide public audience (the entire internet, and effectively the world), many are legally available to the public, but often buried in the archives of the administration.

What really interests me about Wikileaks is the fact that it chooses to pop out at this time.  Vulnerabilities that are uncovered in this manner, even if they may be up to eighty years after the fact, may allow individuals and groups to exploit those same vulnerabilities in today’s organizations and technology.  Presenting this information in this ‘anarchist’ format certainly does elicit entertainment, but not learning from and rebuffing the same mistakes today with knowledge of past wrongdoing.

What do you guys think of Wikileaks?  Of course, censorship is probably not within the interest of WL, and definitely not of me - some of the material on the site really does need to catch the public’s eye.

Filed under: Current Events

Current Events: British Police Want DNA of Children

By Trip Volpe at 10:54 pm on | 1 Comment

From The Guardian, and on Slashdot.

Police in the United Kingdom may soon be able to collect DNA samples from children if they exhibit behaviors that suggest they may commit crimes later in life, at least if Scotland Yard forensics director Gary Pugh has his way.

Pugh cites the importance of identifying future offenders, saying that “the number of unsolved crimes says we are not sampling enough of the right people.” Advocates of such programs, including the Institute for Public Policy Research, claim that most career criminals begin their lives of crime as early as 10 to 13 years old, and suggest that children from 5 to 12 years old should be profiled and sampled if they exhibit certain “risk factors.”

Even these advocates acknowledge that such treatment could have a “stigmatising” effect, but they do not seem to have any problem with gross violations of privacy in the name of improving public safety.  One concern that is not directly addressed in the article is the possibility that the negative attention such sampling and registration involves might even place more obstacles to a child’s chances of leading a normal life, perhaps even increasing the likelihood that they would turn to crime; a self-fulfilling prophecy, in other words.

Of course, an even greater issue that is sidestepped by the focus on children is the question of whether preemptive DNA sampling of any individual, adult or child, should be tolerated in any free society. Whether such programs are effective in reducing crime is not the only issue - the cost to individual liberty must also be considered. In my opinion, at least, personal freedom must always outweigh public safety, but I’m interested in hearing other ideas.

Filed under: Current Events, Ethics, Physical Security, Policy, Privacy

Current Events: No need for jello, fingerprint USB sticks are easy to crack.

By jimg at 9:02 pm on | No comments

No need to go to great lengths to try to spoof fingerprint scanners on USB sticks. You can just tell the device that the data is public. Researchers discovered this vulnerability in models of 9pay and A-Data fingerprint USB data sticks. The vulnerability lies in a fundamental design flaw: the signal to access the data comes from the PC, and is not computed on board the chip. This means all one has to do is send the correct signal and the stick happily discloses the data. This can be done with a very simple command from an open-source utility. The manufacturers commented, admitting they were aware of the vulnerability, but that it was difficult enough that most people wouldn’t figure it out. A fine example of attempted security through obscurity.


Filed under: Current Events, Privacy

Hundreds of Thousands of Web Pages Hijacked

By imv at 8:13 pm on | 1 Comment

McAfee noticed Wednesday an ongoing attack that modifies web pages to redirect traffic to another site in China. This site then infects PCs with a Trojan to steal personal information, including usernames/passwords for online banking. According to McAfee, “one gang” alone has infected about 12,000 sites, all over the globe. Apparently there may be different groups, because elsewhere in the article mention is made that hundreds of thousands of web pages have been compromised.


Filed under: Current Events

Virus laden hardware emerges

By mccoyt at 4:22 pm on | 1 Comment

While the idea of software viruses is by no means new to those who work with computers, a new vector of attack seems to be developing in the form of hardware shipped from the manufacturer that is already infected with malware. In the past few weeks, a set of digital peripherals, particularly USB picture frames and iPods, have been found to contain one or more malicious executables. With such a method of delivery, it seems that the security industry may need to rethink what can and cannot be considered secure.

http://www.cnn.com/2008/TECH/ptech/03/13/factory.installed.virus.ap/index.html?iref=mpstoryview

Filed under: Current Events

Hackers hit Harvard

By aodle56 at 10:43 pm on March 15, 2008 | 1 Comment

It was recently announced that last February at least one hacker was able to gain access on one server at Harvard University potentially viewing private information on up to 10,000 grad students and applicants of the Graduate School of Arts and Sciences.


Filed under: Current Events