<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>UW Computer Security Research and Course Blog &#187; Miscellaneous</title>
	<atom:link href="http://cubist.cs.washington.edu/Security/category/miscellaneous/feed/" rel="self" type="application/rss+xml" />
	<link>http://cubist.cs.washington.edu/Security</link>
	<description></description>
	<lastBuildDate>Tue, 17 Mar 2009 01:02:40 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Current Event : Keyboard hacking (from thin air!)</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-keyboard-hacking-from-thin-air/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-keyboard-hacking-from-thin-air/#comments</comments>
		<pubDate>Sat, 14 Mar 2009 06:43:51 +0000</pubDate>
		<dc:creator>kosh</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Policy]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1310</guid>
		<description><![CDATA[A move over scanning the keyboard with infra-red cameras for heat signatures, listening to keystrokes and simple shoulder surfing.
Say hello to hacking through thin air or electromagnetic waves, rather. Apparently, all keyboards generate unique electromagnetic waves for every single key pressed and these are really easy to pick up even with some inexpensive antennae. Of [...]]]></description>
			<content:encoded><![CDATA[<p>A move over scanning the keyboard with infra-red cameras for heat signatures, listening to keystrokes and simple shoulder surfing.</p>
<p>Say hello to hacking through thin air or electromagnetic waves, rather. Apparently, all keyboards generate unique electromagnetic waves for every single key pressed and these are really easy to pick up even with some inexpensive antennae. Of course, a lot of this is only possible under ideal conditions where there isn&#8217;t much interference from other devices. Here are some videos that demonstrate the attack -</p>
<p><em><strong>Edit: Looks like embedding is disabled here. Please visit the links below for the videos</strong></em></p>
<p>Sources :</p>
<p><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=security&amp;articleId=9129575&amp;taxonomyId=17&amp;intsrc=kc_top" target="_blank">Computer world</a></p>
<p><a href="http://lasecwww.epfl.ch/keyboard/" target="_blank">Ecole Polytechnique Federale de Lausanne</a></p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-keyboard-hacking-from-thin-air/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researchers develop security flaw scanner for use during Development</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/researchers-develop-security-flaw-scanner-for-use-during-development/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/researchers-develop-security-flaw-scanner-for-use-during-development/#comments</comments>
		<pubDate>Sat, 14 Mar 2009 00:27:47 +0000</pubDate>
		<dc:creator>asekine</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Security Reviews]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1180</guid>
		<description><![CDATA[http://www.sciencedaily.com/releases/2009/02/090224133010.htm
Summary
Researchers have proposed and started testing a new system for helping to identify potential bugs and security flaws during the development cycle of software development.  It works to help the development team identify and prioritize potential targets and weaknesses, and encourage a wider breadth of understanding for each member of the team.
Assets / Security goals:

The [...]]]></description>
			<content:encoded><![CDATA[<p>http://www.sciencedaily.com/releases/2009/02/090224133010.htm</p>
<p><strong>Summary</strong></p>
<p>Researchers have proposed and started testing a new system for helping to identify potential bugs and security flaws during the development cycle of software development.  It works to help the development team identify and prioritize potential targets and weaknesses, and encourage a wider breadth of understanding for each member of the team.</p>
<p><strong>Assets / Security goals:</strong></p>
<ul>
<li>The goal of this method is to help developers to explore the potential vulnerabilities in a proposed system/feature. This encourages keeping security a priority for the project from the beginning, during the design phase</li>
<li>To ensure that all people working on the project understand the potential risks associated with the features that they will be working on, and to ensure the diversity of people&#8217;s knowledge is taken advantage of.</li>
</ul>
<p><strong>Potential adversaries / threats</strong></p>
<ul>
<li>Any adversary that wants to take advantage of this system would have an interest in observing/subverting this process being undergone.</li>
<li>Unscrupulous employees could bias the results of this process by drawing attention away from real issues</li>
</ul>
<p><strong>Potential weaknesses</strong></p>
<ul>
<li>This method relies on the knowledge of those involved in the design process. It&#8217;s quite possible for these people to lack knowledge of attack methods that could be used against the product being designed, as it&#8217;s unlikely for any single team to contain experts in every possible attack method.</li>
<li>This method only outlines the potential security threats posed by the features during the design phase. During actual development/implementation, the actual threats and vulnerabilities may change, and these aren&#8217;t addressed using this method.</li>
</ul>
<p><strong>Potential Defenses</strong></p>
<ul>
<li>This procedure should be used in conjunction with other risk and security analysis tools to ensure the broadest range of coverage</li>
<li>Evaluations such as this should be repeated at regular intervals with a changing group of participants. The variability would encourage new ideas and provide newly discovered vulnerabilities to be discussed at length.</li>
</ul>
<p>Given the difficulty of quantifying risks and potential security threats of any new product, this method is a good way to encourage the security mindset from the get go. The effectiveness of this method is entirely dependent on those who participate, but it does encourage the kind of thought necessary to protect systems from attackers.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/researchers-develop-security-flaw-scanner-for-use-during-development/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Review: UW Parking Enforcement</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-uw-parking-enforcement/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-uw-parking-enforcement/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 23:32:00 +0000</pubDate>
		<dc:creator>ezwelty</dc:creator>
				<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Security Reviews]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1172</guid>
		<description><![CDATA[The parking at the University of Washington has always been a deadly game of cat and mouse between driver and parking enforcement. There are limited parking resources on campus, and parking enforcement wants to make sure that they are maximizing their revenue for the spaces they have available. On the flip side, poor students/faculty are [...]]]></description>
			<content:encoded><![CDATA[<p>The parking at the University of Washington has always been a deadly game of cat and mouse between driver and parking enforcement. There are limited parking resources on campus, and parking enforcement wants to make sure that they are maximizing their revenue for the spaces they have available. On the flip side, poor students/faculty are trying to get away with parking their cars/motorcycles free of charge.</p>
<p>There are a few assets that parking enforcement wants to protect. One is their revenue stream &#8212; making sure that they are receiving money for the parking that is available. Another is the availability of spaces, so that legitimate paying customers won&#8217;t be turned away at the door if the lots are oversold. In both cases, the adversary is the driver trying to cheat the system (aka, me).</p>
<p>One weakness of the system stems from having way more parking spots than there are parking enforcement officials. While this can work in a cheater&#8217;s favor in general, the longer one spends in the same spot, the more likely they are to be eventually ticketed. This might assume someone illegally parked would stay shorter &#8212; but then they have the added overhead of having to move their car frequently. One way that they can combat this is to deploy resources first towards the most high-traffic lots, and then check less frequently at satellite lots.</p>
<p>Another weakness of the system involves procedures for contesting tickets through the parking department. Any ticket can be contested through the office, and last checked, they had an average turnaround of 3-6 months, no doubt due to bureaucratic inefficiencies. If an adversary were to contest a ticket, they wouldn&#8217;t have to pay it for months, and would be likely to get it fined. One could also try sending in a longer letter to the department as to why they deserve to not get the ticket, in order to push it to the back of the queue for processing.</p>
<p>In the future, there might be an emphasis on more high-tech solutions (such as cameras) to quickly monitor parking lots and possibly detect cheaters. For the time being, however, there are some vulnerabilities in the parking system that allow attackers to get away with free campus parking undetected.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-uw-parking-enforcement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Review: iTunes DAAP Authentication</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-itunes-daap-authentication/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-itunes-daap-authentication/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 18:57:57 +0000</pubDate>
		<dc:creator>justine</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1141</guid>
		<description><![CDATA[I am, at the moment of writing this, sitting in Cafe Solstice on the Ave. There are probably about a dozen computers in here, and judging from my neighbor&#8217;s screen, 4 of them are running iTunes with the &#8220;sharing&#8221; feature (via Apple&#8217;s Digital Audio Access Protocol &#8211; DAAP) turned on, which allows them to stream [...]]]></description>
			<content:encoded><![CDATA[<p>I am, at the moment of writing this, sitting in Cafe Solstice on the Ave. There are probably about a dozen computers in here, and judging from my neighbor&#8217;s screen, 4 of them are running iTunes with the &#8220;sharing&#8221; feature (via Apple&#8217;s Digital Audio Access Protocol &#8211; <a href="http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol">DAAP</a>) turned on, which allows them to stream audio files off each other&#8217;s computers, but not to download them. What&#8217;s to stop these young coffee-drinkers from forming their own small-scale (illegal) filesharing network? DAAP&#8217;s authentication mechanisms, which have grown increasingly more secure with successive versions of iTunes, have yet to be broken in their latest form.</p>
<p>Previous authentication protocols integrated into DAAP used either an MD5 hash or a custom hashing algorithm to encrypt the streaming music. Both methods were later cracked, leading to programs such as OurTunes, which allowed listeners on the network to save the mp3s made available over DAAP to their hard drives. Programs like this were extremely popular on large public networks like those at universities.</p>
<p>The current version forces the connecting hosts to authenticate through an Apple-controlled Certificate Authority, which can then exchange trusted public keys. This effectively blocks third-party applications (like OurTunes) from participating in iTunes file sharing. Because the official iTunes application does not permit saving the shared files, the mp3 sharing is effectively blocked.</p>
<p>Assets/Security Goals:</p>
<p>* The assets involved are the audio files on the users&#8217; computers. Users themselves, who have the option of turning sharing &#8220;off&#8221; or &#8220;on&#8221;, aren&#8217;t really the focus of this encryption functionality; intellectual property owners are worried about rampant copying of their files without receiving compensation for their works. The goal is really to protect copyrighted material from being copied &#8211; and along the way, all material is encrypted and blocked from download, regardless of copyright status or the user&#8217;s intent.<br />
* Still, it is important to keep in mind the assets on the user&#8217;s computer. Having done a lab on network security, we all now know the risks of allowing an external computer to provide commands or access data from a secured machine. It is important to make sure that all files on the computer that are not supposed to be shared are secured from external access, and furthermore, that no one can provide commands to or take control of the machine.</p>
<p>Adversaries/Threats:</p>
<p>* Large scale piracy operations don&#8217;t really operate through iTunes. The big threat for mp3 theft is lazy, normal people, unwilling to pay for music if they can get it for free across the network.<br />
* As far as security of other files and the user&#8217;s machine, any hacker with malicious intent, who may want to steal the user&#8217;s data, or just mess with their computer.</p>
<p>Weaknesses:</p>
<p>* So far, it&#8217;s quite difficult to see any weaknesses &#8211; this version of encryption has been out for some time and has yet to be broken. Still, while the usage of the CA is theoretically secure, all implementations are written by imperfect humans. It may be that there is a bug somewhere or a potential hack. Perhaps there will be a way to spoof as a valid iTunes client and register with the CA. Perhaps there will be a flaw allowing a third-party machine to spoof as a CA and provide keys to invalid clients. Perhaps by intercepting the packets for key exchanges enough times, hackers will learn about proprietary algorithms being used and find a weakness in that. It&#8217;s yet to be seen.</p>
<p>Potential defenses:</p>
<p>* The community trying to break the DAAP encryption is rather public about their efforts &#8211; and when a client is released, it will be rather easy to see what flaws they are exploiting. No doubt, Apple is already watching reports as they show up online, and allowing the real hackers to investigate flaws for them &#8211; which Apple can rapidly patch through automatic updates.<br />
* Artists obsessed with being paid for every single mp3 they release could just stop releasing CDs and recorded music, or playing music at all. That way their fans will stop trying to steal it.</p>
<p>Evaluation:</p>
<p>DAAP so far has been frustratingly secure! Not only can I not steal mp3s from my neighbors in the coffee shop, but I can&#8217;t even listen to their music streaming, because iTunes isn&#8217;t available for Linux.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-itunes-daap-authentication/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Review: Cell Phone Projectors</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-cell-phone-projectors/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-cell-phone-projectors/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 17:24:07 +0000</pubDate>
		<dc:creator>hmu2</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1128</guid>
		<description><![CDATA[Authors: Heather Underwood &#38; Guy Bordelon
As mobile phones continue to become one of the most popular, universal, and comprehensive computing devices, researchers and mobile phone companies are enthralled with adding more features. As described in a recent article by the New Scientist, the feasibility of including a projector on a mobile phone is becoming a [...]]]></description>
			<content:encoded><![CDATA[<p>Authors: Heather Underwood &amp; Guy Bordelon</p>
<p>As mobile phones continue to become one of the most popular, universal, and comprehensive computing devices, researchers and mobile phone companies are enthralled with adding more features. As described in a recent <a href="http://www.newscientist.com/article/mg20126975.300-projector-phones-cool-app-or-visual-pollution.html">article</a> by the New Scientist, the feasibility of including a projector on a mobile phone is becoming a reality. The new projector chip that TI released a few weeks ago dramatically improves upon last year’s low resolution model by adding more mirrors to increase the resolution to 850 by 480 pixels (comparable to a DVD player). This new model also works better in most lighting conditions and can show a 2 hour movie on a single battery charge. Having mobile phone projectors provides many exciting opportunities, but also creates some interesting security challenges. Some of these challenges are not critical security issues, but could cause frustrating or embarrassing situations.</p>
<p>Assets/Security Goals:</p>
<ul>
<li>The mobile phone projector would provide easier sharing of presentations, photos, videos, etc.</li>
<li> Low power consumption would allow for mobile presentations and viewing without having to recharge batteries or be near a power outlet.</li>
<li>The dual display will allow users to view private information on the little screen on their phone while displaying public information on the projection screen. This security measure will enhance presentations by allowing the user to view notes or comments while displaying slides or have other sorts of private captioning for private viewing while different content is being projected.</li>
</ul>
<p>Adversaries/Threats:</p>
<ul>
<li>An adversary of the mobile phone projector could use the projector and other phone functionality like video to project real-time activity to a group. For instance, voyeurs could capture content from a distance using zoom camera/video features and project the inappropriate content in real time. The content could also be recorded and then displayed at a later time to blackmail or embarrass the victim.</li>
<li>Another possible threat is theft. If a phone is stolen and the projector has been projecting the same image, say a bank statement, for a very long time or is very often projecting that image, a clever thief could gain information from the image impression on the lens. This would most likely occur on older projector phones where the lens is sufficiently worn.</li>
</ul>
<p>Weaknesses:</p>
<ul>
<li>One possible weakness is that personal and private information could be maliciously projected without the phone owner’s permission. If appropriate checks are not in place, the owner could also accidentally display his private information in an inappropriate setting.</li>
<li>The projector also opens up a new way for people to be incredibly obnoxious. The weakness here is not ensuring the security of people’s privacy and their sanity in public places. Projections of videos and photos in a restaurant or movie theater would be incredibly rude and distracting.</li>
<li>Another weakness is there is no limitation on the content the projector projects or the context in which it is projected. This weakness may not be readily solved by implementing greater security measures, but could end up relying on a social protocol that may or may not keep discriminating, hateful, or indecent material from being projected everywhere.</li>
</ul>
<p>Potential defenses:</p>
<ul>
<li>One potential defense is to have a password to use the projector so only the owner can access and project the content on their phone. This security measure does not protect against the owner knowingly projecting indecent or private information however.</li>
<li>The projector should also require a confirmation screen before projecting the selected content. This security measure would hopefully eliminate accidental display of private or indecent information on the projector.</li>
<li>A solution for reducing the use of the projector in public places, besides signs and glaring looks from other customers, could be sensors (on the phone and at the restaurant) that could detect and essentially disable projection of phone content.</li>
</ul>
<p>Evaluation:</p>
<p>The main goal of this device is to make accessing and viewing content easier and more available for entertainment and larger scale purposes. The projector was not designed to provide added security to mobile phones and thus there are few security goals, however, because security was not a main concern when developing this device, there are multiple security flaws that were not taken into account. We think this technology will very likely become a standard feature of mobile phones. Teenagers especially will drool over being able to project their Facebook pictures and YouTube videos larger than life in any place they want. We also think that tech-savvy business people will utilize this tool for portable presentations. This device also has many applications in the developing world where power consumption, carrying heavy video equipment and easily watching educational videos is often a problem. There are obviously ethical questions involved with this device in regards to what content is appropriate to project, however, there are many devices that have advanced technology and failed to account for all possible ethical misuses.<br />
Although there may be some technological solutions to the security vulnerabilities presented above, we think if the projector becomes a popular and ubiquitous feature of cell phones, the use of it will ultimately be governed by a social protocol and people being conscious of the content they are showing. The article suggests that requiring additional legislation for projected content could become necessary, but we are of the opinion that requiring legislation to prevent people from being stupid has never and will never work.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-cell-phone-projectors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Event: Google&#8217;s new behavioral based ads v.s. Privacy</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-googles-new-behavioral-based-ads-vs-privacy/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-googles-new-behavioral-based-ads-vs-privacy/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 14:49:48 +0000</pubDate>
		<dc:creator>alexmeng</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[current event]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1118</guid>
		<description><![CDATA[Recently, Google released a new way for it to perform interest-based advertising to its users. It utilizes its users&#8217; behavior to send them targeted ads. The question that arises is how do they obtain the users&#8217; behavior?
Google saves previous search requests and page views.
This new information that Google collects about its users raised new privacy [...]]]></description>
			<content:encoded><![CDATA[<p>Recently, Google released a new way for it to perform interest-based advertising to its users. It utilizes its users&#8217; behavior to send them targeted ads. The question that arises is how do they obtain the users&#8217; behavior?</p>
<p>Google saves previous search requests and page views.</p>
<p>This new information that Google collects about its users raised new privacy concerns given that Google already has lots of information on many users, especially if they use Google&#8217;s e-mail service, Gmail, which archives all messages sent to the account unless deleted. Privacy advocates are worried about Google having too much information about its users. Some are concerned about Google&#8217;s retention policy on user data as they keep it for 9 months while Yahoo holds it for 90 days.</p>
<p>The purpose of this new advertising is to generate more meaningful ads based on behavior; however, that also means receiving ads for items that you are not necessarily searching for at the moment. For example, if your search history was composed of searching for laptops, and you are on a site unrelated to technology, you can receive an ad for laptops given your past search history.</p>
<p>Privacy advocates are worried sensitive information can be pulled from monitoring behavioral information. Google rebuts, stating they do not intend to use it for other purposes and users can delete interest categories at will.</p>
<p>Ultimately, the underlying question is how much respect does a company have for its users&#8217; data. Will the company use the data opportunistically or in the best interest of the user?</p>
<p>Given Google&#8217;s current standing in the public, and their motto: &#8220;Don&#8217;t be evil&#8221;, I believe there won&#8217;t be too much pushback on this issue from users, just as long as there isn&#8217;t any breaking news that Google sold all its information to telemarketers. This new advertising model is just another venue for Google to collect revenue.</p>
<p>Alex Meng, Jon Fung</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-googles-new-behavioral-based-ads-vs-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Second most dangerous virus?</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/second-most-dangerous-virus/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/second-most-dangerous-virus/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 10:36:46 +0000</pubDate>
		<dc:creator>petermil</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Miscellaneous]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1102</guid>
		<description><![CDATA[Romanian firm SOFTWIN has released an update to their BitDefender security suite claiming to have created a vaccination for Conficker.
So what is Conficker?
Fast Stats:
Release Date: October 2008
Target Platform: Windows &#62;= Windows 2000 (including Windows 7 Beta)
Exploited Program: Windows Server
Exploit Type: Buffer overflow
Worm Spread: 15,000,000+ PCs
Actions: Disable Windows Update, Security Center, Error Reporting, and Defender.  Connects [...]]]></description>
			<content:encoded><![CDATA[<p>Romanian firm <a href="http://www.softwin.ro/?pagina=index&amp;&amp;limba=2">SOFTWIN</a> has released an update to their BitDefender security suite claiming to have created a vaccination for Conficker.</p>
<p>So what is Conficker?</p>
<p><strong>Fast Stats</strong>:<br />
Release Date: October 2008<br />
Target Platform: Windows &gt;= Windows 2000 (including Windows 7 Beta)<br />
Exploited Program: Windows Server<br />
Exploit Type: Buffer overflow<br />
Worm Spread: 15,000,000+ PCs<br />
Actions: Disable Windows Update, Security Center, Error Reporting, and Defender.  Connects to a server to receive further instructions.</p>
<p><strong>More Detail: </strong></p>
<p>Part of what makes this worm particularly insidious is how it connects to someplace online to get further instructions.  This means that it can actively change to address new desires and problems, as well as communicate with its peers. Microsoft even went so far as to create a specific group to combat this worm, as well as offering a $250000 reward for the capture of the author.</p>
<p>The title of the article comes from the fact that it is ranked second to the SQL Slammer worm of 2003.  It has spread to government machines in the UK and Germany (and quite possibly other nations, as well).  With so much of the world relying upon computerization these days, viruses sure can be a scary thing!</p>
<p>Source:  http://www.computerworld.com.au/article/279991/romanians_find_cure_conficker<br />
Additional Source: Wikipedia</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/second-most-dangerous-virus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Current Event: Speculation about Upcoming Pwn2Own Hacking Contest</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/06/current-event-speculation-about-upcoming-pwn2own-hacking-contest/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/06/current-event-speculation-about-upcoming-pwn2own-hacking-contest/#comments</comments>
		<pubDate>Sat, 07 Mar 2009 03:02:34 +0000</pubDate>
		<dc:creator>justine</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1033</guid>
		<description><![CDATA[A recent article from Ars Technica, modded to high popularity on Digg, reports that last year&#8217;s Pwn2Own winner is predicting that Safari will be the first browser to crash in this month&#8217;s contest.
Pwn2Own, in Vancouver BC, is part of the CanSecWest security conference. It challenges hackers to find and exploit vulnerabilities in popular web browsers [...]]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://arstechnica.com/apple/news/2009/03/last-years-pwn2own-winner-says-safari-will-be-first-to-fall.ars">recent article</a> from Ars Technica, modded to high popularity on Digg, reports that last year&#8217;s <a href="http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009">Pwn2Own</a> winner is predicting that Safari will be the first browser to crash in this month&#8217;s contest.</p>
<p>Pwn2Own, in Vancouver BC, is part of the CanSecWest security conference. It challenges hackers to find and exploit vulnerabilities in popular web browsers including Safari, Firefox, Google Chrome, Internet Explorer, and Opera; on popular platforms including Windows, Mac OS, and mobile phones. The first person to hack each machine gets to take it home. The article highlights two interesting facets of security research:</p>
<ul>
<li>Encouraging &#8220;breaking&#8221; something makes it more secure. The Pwn2Own competition is motivated, not by malevolence, but by a desire to actually improve the software. This can be confusing to those outside the security community, who often see any attempt to hack as malicious &#8211; often creating disturbing headlines about well-meaning hackers being prosecuted legally. By providing a competition encouraging such behavior, the Pwn2Own competition is actually helping web browser developers to make their products more secure.</li>
<li>&#8220;Perceptions&#8221; of security are extremely important. This article was modded up extremely high on Digg &#8211; and why? Because some hacker &#8220;feels like&#8221; Safari is less secure. Talking about actual bugs and exploits is not interesting/understandable to readers but they do care, in general terms, about whether a browser is more or less secure, even though they don&#8217;t know what exactly that means.</li>
</ul>
<p>The implications of browser security are increasingly important as the browser wars continue, and as web-based applications are coming to dominate computing. With more and more people storing more of the information and performing more transactions online, the assets involved in securing online actions are extremely important. Furthermore, as 4 popular browsers are in competition, their relative security features are a major distinction for prospective users.</p>
<p>In about two weeks, the competition will take place right near our own school &#8211; sending hackers into a frenzy, and developers in a frenzy to fix the holes.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/06/current-event-speculation-about-upcoming-pwn2own-hacking-contest/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dementia patients may benefit from new technology &#8211; or will they?</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/06/dementia-patients-may-benefit-from-new-technology-or-will-they/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/06/dementia-patients-may-benefit-from-new-technology-or-will-they/#comments</comments>
		<pubDate>Fri, 06 Mar 2009 20:48:06 +0000</pubDate>
		<dc:creator>qwerty</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Security Reviews]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1026</guid>
		<description><![CDATA[New technology arising from the UK is focusing on helping the elderly through technology.  In particular, they are creating devices which can help dementia patients be able to live on their own for longer.  Typically, when people start suffering from dementia, or experiencing memory loss, it is vital that someone be appointed to watch over [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" src="http://upload.wikimedia.org/wikipedia/en/1/1f/Hal-9000.jpg" alt="" width="150" height="150" />New technology arising from the UK is focusing on helping the elderly through technology.  In particular, they are creating devices which can help dementia patients be able to live on their own for longer.  Typically, when people start suffering from dementia, or experiencing memory loss, it is vital that someone be appointed to watch over them to be sure they don&#8217;t unknowingly do something harmful or forget to do something vital.  This could involve a family member living with them and watching after them 24/7, or moving to an inpatient center or nursing home, under the supervision of a nurse.  Engineers at Bath University believe that computers can solve this problem, and help the family member or nurse, allowing the individual to stay at home longer.</p>
<p>The new technology involves a system integrated into the user&#8217;s home which has functions such as monitoring actions, speaking to you, turning off appliances, contacting help when needed, and even emailing a status to family members or caretakers.  The system can remind you to turn off appliances or shut off the water if you forgot to, and can even turn them off itself if the user fails to comply.  If the user unexpectedly gets up in the middle of the night, the system will turn the light on for you, and, if you are gone for long enough, will start talking to you and letting you know that &#8220;it seems a little late &#8211; don&#8217;t you think you should be getting back to bed?&#8221;</p>
<p><span id="more-1026"></span>I think that a message like this coming from the walls at 2:00 AM could be quite startling, and especially confusing for individuals with dementia.  In light of this, the creators suggest that family members record their voice for these types of messages, creating a familiar voice the user can identify clearly.  This could still be quite startling to begin with.</p>
<p>So, to take a look at this new technology in light of security, I think there are a few flags to be thrown when designing an in-house computer system&#8230;</p>
<p>First, let&#8217;s look at the optimal design for this type of system:</p>
<ul>
<li>A system like this one should not provide any ambiguity to the user.  Since these users are already in a state of diagnosed disorientation, we want to be sure that no more disorientation is created, and that the user will be able to understand the system and be able to interact with it willingly.</li>
<li>Talking to the user is one of the hardest things to get right.  The system shouldn&#8217;t be too demanding or annoying when talking to the user.  We don&#8217;t want to aggravate the user and run their life either.</li>
</ul>
<p>Now, what kinds of security risks does a system like this present?  We do not know exactly how the system is implemented, but as with any home security system, once an adversary has access to the passcode, it has access to your home, you, and all your things.  Assuming that the system has a passcode for changing administrative things, I&#8217;m sure that it would not be any more difficult to crack than a home security system (having worked for a home security company in the past &#8211; but that is a whole other security review).  An adversary could be someone who is out to get the homeowner, to steal their belongings, to force them into doing something for them, or even someone who is personally against having old people with dementia in this world&#8230; who knows.</p>
<p>Just by reading the <a href="http://www.sciam.com/blog/60-second-science/post.cfm?id=smart-devices-may-help-dementia-suf-2009-03-04" target="_blank">article</a> about this new technology, I can come up with a few weaknesses in the system &#8211; from a usability perspective.  With a system like this &#8211; and a patient like this &#8211; it is expected that you will want to convince the user that it should obey the system, and that everything that it tells you to do should be taken as beneficial to their safety and well-being.  Given this &#8211; once the user has gained trust in the system, an adversary could easily compromise the system, change the voice recordings to something they wish the user to do, and let the system &#8220;tell them&#8221; to do it.  For example, in the case of when the user leaves the gas stove on, the adversary could change this voice recording to say something like &#8220;have you had your cigarette today?&#8221;, or just confuse them more than they already are.</p>
<p>As with the computer system HAL shown in the 1968 movie &#8220;2001: A Space Odyssey&#8221;, the system could also be modified to do things against the user&#8217;s needs/desires.  If the system is able to turn off stoves and faucets, this means it is probably pretty easy to make the system turn them on when an adversary chooses.</p>
<p>Some mechanisms could be placed to try and protect against these types of threats to the user, and some of them may already be in place.  The article already states that the system is designed to <em>support</em> the health care providers &#8211; not replace them.  Therefore, the caretakers will be kept in the loop and be sent status updates on at least a daily basis.  This way, if the system or the patient starts doing unexpected things, it will be called to the attention of the health care providers and they can take the appropriate actions.</p>
<p>This doesn&#8217;t mean that a user can&#8217;t change these notifying mechanisms.  Just as in the movies, sometimes you will see the attacker switch the security cameras to be operating on a loop rather than showing live data.  The people viewing the security cameras trust that the data is live, but nothing guarantees it.  So the health care providers should not trust that the data is valid.</p>
<p>Due to this fact, I think it is very important that the security of the administrative interface of the system not be overlooked.  In order to change the settings, at least a secure password should be required.</p>
<p>With a system that helps you live, you want to make sure that it is helping you live a better life and not a worse one.  With dementia patients, they may not be able to tell the difference between the two.  This means that care must be taken when using the system, and the system should be thoroughly tested before being sold to the public.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/06/dementia-patients-may-benefit-from-new-technology-or-will-they/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Event: Someone in Tehran Knows Something About the Presidential Helicopter</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/02/current-event-someone-in-tehran-knows-something-about-the-presidential-helicopter/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/02/current-event-someone-in-tehran-knows-something-about-the-presidential-helicopter/#comments</comments>
		<pubDate>Mon, 02 Mar 2009 22:08:08 +0000</pubDate>
		<dc:creator>eyezac</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1016</guid>
		<description><![CDATA[According to Slashdot, NBC News and msnbc.com report that Tiversa, a Pennsylvania-based security company, recently found extensive information about Marine One, the president&#8217;s helicopter, on a computer with a Tehran IP address. This information included &#8220;engineering and communications&#8221; specifications, as well as &#8220;entire blueprints and avionics package,&#8221; and &#8220;sensitive financial information about the cost of [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://tech.slashdot.org/article.pl?sid=09/03/01/1227257&amp;from=rss">According to Slashdot</a>, NBC News and msnbc.com report that Tiversa, a Pennsylvania-based security company, recently found extensive information about Marine One, <a href="http://www.msnbc.msn.com/id/29447088/">the president&#8217;s helicopter</a>, on a computer with a Tehran IP address. This information included &#8220;engineering and communications&#8221; specifications, as well as &#8220;entire blueprints and avionics package,&#8221; and &#8220;sensitive financial information about the cost of the helicopter.&#8221; The leak appears to have originated on one of the computers of a defense contractor in Maryland. An employee reportedly downloaded a file-sharing program onto a computer containing the sensitive information, not realizing that this would allow others around the world access to the computer&#8217;s hard drive. <span id="more-1016"></span></p>
<p>Bob &#8220;Bob-Man&#8221; Boback, Tiversa&#8217;s CEO, warned that the danger of this type of leak causing harm is neither hypothetical nor trivial; indeed, actively searching for information revealed in this way is a widely-used method of gathering intelligence. Boback said that his company has noticed this behavior in Pakistan, Yemen, Qatar, and China, as well as Iran. Although this is by no means the first time that such a leak has occurred, Representative Jason Altmire of Pennsylvania has said that he would address Congress about taking measures to prevent this type of incident from recurring.</p>
<p>There are many different measures that companies could take and are taking to address this type of risk. For instance, if it would not prevent employees from performing necessary functions, companies could stop them from installing applications. But this would only be a partial solution, because inappropriate applications are only one means for data to leak, and there are always ways around such restrictions. As many have stated on this blog before, the bottom line is that companies must have some trust in their employees.</p>
<p>Using a computer at work for a personal activity such as file-sharing shows a lack of professionalism, but it is also a common practice and not likely to disappear. Companies should address this practice directly and ensure that employees know which activities are safe, and which will conflict or interfere with the purposes of their normal occupation. One problem may be that companies simply do not acknowledge the extent to which their employees use office computers for uses not office-related. A policy that recognizes the practice, reducing penalties for safe uses while increasing those for unsafe uses, might help. With this system, employees would be encouraged to remain informed about safe practices without worrying about being penalized indiscriminately. Even with the most well-intentioned employees, however, security breaches will occur. In every case, companies need to assess their own security imperatives and allocate time and resources as appropriate.</p>
<p>Some questions come to mind having to do with this specific case. What are the dangers in letting other countries know the specifications for the president’s helicopter? Does file-sharing create security vulnerabilities even if the shared data is limited to safe regions of the disk? How difficult is it to find information being leaked in this way, and how difficult is it to track the people who are searching for it?</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/02/current-event-someone-in-tehran-knows-something-about-the-presidential-helicopter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
