Say hello to hacking through thin air or electromagnetic waves, rather. Apparently, all keyboards generate unique electromagnetic waves for every single key pressed and these are really easy to pick up even with some inexpensive antennae. Of course, a lot of this is only possible under ideal conditions where there isn’t much interference from other devices. Here are some videos that demonstrate the attack -

Edit: Looks like embedding is disabled here. Please visit the links below for the videos

Sources :

Computer world

Ecole Polytechnique Federale de Lausanne

Now the BBC group is in a spot of legal trouble as their use of a botnet could potentially implicate them in the violation of the UK’s Computer Misuse Act. While BBC claimed that their use of the botnet was purely academic, and therefore not criminal, they did take control of non-consenting citizens’ home PCs. More importantly, in purchasing the use of a botnet, reportedly at somewhere between $300-$400 per machine, the news network essentially funneled a few million dollars into the hands of cybercriminals. And all so that they could demonstrate what many papers and news articles before them already had.

The journalists, at surface level, did a good job of keeping things academic and avoiding any sort of cybercrime. They spammed their own test e-mail accounts. They DDoS’d a prepared and willing target. They also put warning documentation on the infected machines, at experiment’s conclusion, explaining to their users that they had been infected, and how to best avoid future infections. Ultimately, however, by mere involvement with and commandeering of hijacked personal machines – and especially thanks to funding the true criminal party – they did indeed commit some level of criminal act. To what degree they are held responsible is now a matter for the British courts to decide.

This is just one more occurrence in a string of botnet-related legal issues. A similar issue plagued German malware researchers with the means to potentially dissolve the Storm worm’s botnet(s) (see http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/). It seems that academicians of all types are running into a fundamental problem with this particular security threat: there is no way to legally study it “in the wild.” The moment a researcher connects to a botnet, takes control of it, or otherwise interacts with it, he or she risks legal consequences. Whether or not any charges stick is a different matter, and quite frankly, it will take some time before reasonable precedents clarify the legal “consensus,” but regardless these issues represent a significant impediment to progress in anti-botnet research.

One of the interesting topics brought up by Microsoft Research India during their Change talk last week was that of mobile banking in the developing world. Managing and distributing money can be a tricky proposition in the developing world – often, people end up entrusting their money to drivers to transfer around the city or country.

Mobile banking through cell phones has proven to be an extremely cost-effective way to avoid these kinds of headaches. Through both downloadable software and text message interfaces, it is possible to efficiently transfer and manage money without the existence of local branches to handle the transaction, with minimal fees and far less obvious physical risk. However, this method has resulted in its own set of idiosyncrasies that would not likely exist with similar systems elsewhere.

Afraid of doing something wrong, many people in these developing areas are reluctant to actually carry out their own banking. Thus, a whole class of middlemen have arisen specifically for mobile banking. People will bring their mobile phones into these middlemen’s stores and tell the store owners what they want done, and the middlemen will then go do it for them. This interesting use case leads to quite a few security implications.

Assets and Security Goals

• Customers’ money is of course important. The reasons should be fairly obvious – we of course want to protect it from being stolen.
• Customers’ financial records are also important – financial histories are private, with some exceptions, and they should stay that way. Knowing how much money someone has may put them at risk for a real-life robbery, for instance, or knowing their stock portfolio could cause other problems.

Adversaries and Threats

• Malicious third parties who would like to steal the customers’ money, perhaps by listening to the airwaves, or physically stealing the phone. A lot can be done with just a few seconds with a phone given a text messaging interface.
• The middlemen have an extraordinary amount of power given what they have been entrusted with by the end-users. And, since their clients won’t have it any other way, banks have been forced to actually work with these middlemen, including them in the system. A store owner could easily pull off an “Office Space” type scheme, stealing miniscule amounts of money from each customer.

Potential Weaknesses

• Snooping on peoples’ wireless connections is difficult since the network provides some level of intrinsic security. We’re not experts on this subject, so it’s difficult for us to assess how feasible this approach is in reality.
• Replay attacks are possible, especially if any actions are carried out via text message, and a malicious user manages to take over the phone physically, or duplicate/forge the SIM card.
• Physical access is an imminent problem given the prevalence of these middlemen in transactions. Somehow, even with physical access by users other than the clients there needs to be security and accountability.

Potential Defenses

• For snooping, simply use any of the well-established encryption protocols we discussed this quarter.
• Replay attacks can be guarded against by confirming each action with a code that can only be used once.
• The physical access problem is the most difficult problem to address – and the most interesting. Since third parties are allowed access to the system by the clients, it is difficult to enforce anything in the system if the third party is malicious. One way to defend against third party mischief would be to not carry any actions out immediately, but instead to queue them and then confirm them via text message with the client an indeterminate amount of time in the future, on the order of several hours. This way, hopefully clients will be forced to examine and acknowledge all actions away from the influence of the store owners. Malicious middlemen could counter this by requesting to keep the phone until the transaction is complete, but hopefully clients would grow suspicious of this request before long.

Mobile banking is something that hasn’t quite caught on here like it has in other places of the world. Not only is it useful for banking when branches aren’t nearby, the service has in some places, like Japan, evolved to include payments via cell phone rather than credit card, and other technology-enabled services which have security implications. Ultimately, a lot of these problems are already being worked on in the context of their low-tech equivalents (eg transmitting credit card information, etc), but as we can see with the rural banking case study, there can be a lot of unexpected usages which result in unexpected potential problems.

These unexpected issues are likely where we will see the most interesting security issues in the future.

Clint Tseng and Erik Turnquist

Applications on facebook are not vetted, anybody is allowed to write an app and offer it to other people. Viral apps would often hide functionality in innocently looking buttons to spread themselves further or give away private information. Despite Facebook’s efforts to disable applications, the current policy allows it to pop up elsewhere.

Some people have clamored for the application hosting policy to be reviewed. Facebook believes its too early for these conclusions, and that changing the policy would be too drastic of a move.

(Source: nzherald)

(Source: cnet)

Clearly, Schiefer’s sentencing is a consequence of pleading guilty to the charges against him.  When he originally obtained his job at Mahalo, his employers were not aware of his criminal activities.  They learned of these crimes months after his hiring.  However, Calacanis decided not to fire him at that time and stands by that decision: “I consider myself a fairly decent judge of character, and after spending months with John, I’m convinced he was an angry stupid kid when he launched his botnet attack.”  Regardless of the accuracy of Calacanis’s  assessment, Schiefer is able to keep his job because he gained the trust of his coworkers and employer.  In their eyes, he became a person (John Schiefer) instead of a nebulous concept (botnet leader).  This speaks to the importance of trust within our society.

Though Calacanis claims that Mahalo’s hiring process is quite rigorous, it seems that a simple background check would have been sufficient to bring Schiefer’s past to light (assuming he had already been identified by authorities at the time of hiring).  If this wasn’t done, then Mahalo failed at ensuring the integrity of their hires.  If this was done and there was no information, than Mahalo can hardly be held accountable for the original oversight.  Another interesting aspect of this case is that Calacanis claims this has affected his perspective on hiring felons.  Where previously he said most felons would not have made it to the interview process, his experience with Schiefer has given him some faith in the rehabilitation process and prompted him to rethink his position.

This event brings out important issues about security, trust, and rehabilitation.  No one doubts that Schiefer committed the crimes to which he pled guilty.  What is an issue is that he is continuing to work in the industry that made his original crimes possible.  Even if he continues to be closely supervised, this will give Schiefer ample opportunity to perform more attacks in the future.  However, much of the justification of our country’s penal system is the idea that, after serving one’s time, a person can become rehabilitated.  This allows a person to re-integrate with society and make something of himself.  Certainly Schiefer is being given that opportunity, but there is significant security risk in the process.

Because of the two conflicting ideas of security and rehabilitation, I expect that different people will have different opinions on this matter.  Furthermore, I suspect that despite disagreeing on the proper course of action, many people would agree that they are “good” judges of character.  I think that if they met Schiefer they, like Calacanis would have a firm opinion of the proper course of action, whichever course of action they happen to support.

Assets and Security Goal:

* Assets: Your browser, everything that you use it for and your cookies. Uh, not the ones you eat. and privacy.
* Security Goal: Protect your privacy at all cost and your cookies and your intimate browsing secrets!

Adversaries and Threats:

* Unauthorized publishers: This is the dreaded group of publishers that are able to make an add-on for your browser and pass it off as being legitimate and harmless. This is much easier than you think since most add-ons are unverified or rather community verified and it might take a while to find an exploit.

Weaknesses:

* Counterfeit add-ons are the biggest risk – a majority of the add-ons are through unverified authors.
* Deceived by community rating. Since the rating for the plugins is done by the community, an obscure/malicious add-on can be easily made to look like a legitimate one through a community of attackers/ an attacker with a community of profiles.
* Unauthorized plugins from third party websites.

Defenses:

* Other legitimate users – These are probably the best and most formidable defense when it comes to validating add-ons. However, this also a delayed defense since ‘enough’ users will have had to use the add-on for someone to finally detect a malicious exploit.
* Firewall – Your firewall is also your second line of defense when preventing backdoor access through the malicious add-on
* Antivirus software – An up-to-date virus definition file should help the software detect a malicious plugin. However, this also assumes that the attacker used a known exploit/trojan/virus to inject into the add-on.
* Security updates from the browser, OS – These can help patch the exploits that are currently in place.

Risks:
The risk of being duped means to lose a significant amount of personal information that is stored in the browser. With the shift of browser towards acting like an OS with features to save passwords,sessions, etc, there is an unbelievable amount of personal information that can be stolen through a malicious add-on. The add-on can also redirect to malicious websites that involve elaborate phishing scams leading to the loss of information and money. Such attacks give the hacker a complete control of your online portfolio which can be held for ransom and also misused, causing personal damage.

Conclusion:
Overall, although there are inherent risks to open source projects like a community browser, a large part of the attacks are easily mitigated due to the sheer number of users that pass through such an add-on. There also seems to be significant,active and unofficial community that monitors the plugins for malicious intent. One way to decrease the probability of such an attack would involve letting a significant time pass from the release of the plugin to the installation for it to be tested by active community members. Filtering the installation of add-ons also becomes an important but often impossible task in a corporate environment where the risks are especially high. Add-ons(unsigned) are definitely a double edged sword that need to be dealt with care.

In June 2008 Florida Highway Patrol officer John Wilcox pulled over Ariel Quintana for speeding, who was then discovered to be driving with a suspended license. The officer also suspected Quintana of being in possession of marijuana, but a search of the car revealed nothing. While in custody, Quintana’s phone rang and officers removed the phone without permission and started searching the contents of the device.

While going through the photo album, pictures were discovered of what appeared to be marijuana plants in a grow house. This resulted in a raid of Quintana’s address, which led to the seizure of over $850,000 worth of marijuana plants.

This is not the first case where a personal electronic device was searched without warrant that resulted in further evidence being used against a suspect in custody for an unrelated crime. Given the increasing presence and integration of personal electronics in every aspect of our lives, PDAs and cellphones can provide the most intimate details about their owners. As such, there is debate about whether the owners’ privacy should be protected given the nature of the information they contain, or if they should be considered containers and/or accessories for crimes which police should be able to search for further evidence for use in court, without the need of a warrant. As the article indicates, courts are split on this topic and there is still much debate about how these cases should be handled.

In order to prevent future incidences such as this from occuring again in the future, politicians and courts have to agree upon which circumstances searching digital devices is allowed, if at all.Given the nature of the types of information and data stored on personal devices, laws dealing with them must adapt to take the sensitivity of this information into account. The number of cases such as this will only increase with time, and policies need to be introduced to deal with this increasingly relevant issue. Individuals need to be aware of their rights, especially given the information at stake

Proponents argue that collecting DNA upon arrest would increase public safety, and that DNA collection is not intrinsically more invasive than fingerprinting and photographing, both of which are done routinely upon arrest. Opponents counter that DNA collection is more invasive than the other information and that collection of DNA upon arrest inverts the assumption of innocent-until-proven-guilty. Moreover, many people who are arrested are never charged, let alone convicted.

This legislation is being considered in part because it has been adopted in 12 other states. This provides a sort of precedent that may make the law more appealing to some. Similarly, the public is very aware of the existence of DNA evidence (thank you CSI). Combined with the fact that crimes are committed, this prompts some people to advocate for increased public safety, and they view this measure as an appropriate means of achieving this goal.

This legislation is a prime example of two social assets that seem to frequently conflict: 1) individual rights (especially privacy) and 2) safety. It is debatable which one is actually better for security. Preferring an individuals rights does not give the police additional information that they would otherwise lack. This protects the assets of those who are arrested, since they are presumed innocent until proven guilty. However, if this person is going to commit (or has already committed) other crimes the police may lack the information needed to intervene. Preferring safety gives the police additional information, which may allow them to intervene in a timely manner but does not protect the arrested person’s individual rights.

I expect that the response to this issue in the general public will be generally divided, but that most will support the legislation. I suspect that the majority of the people in this class will oppose it. I know that I oppose it. I think that it is a costly, ineffective, and unconstitutional reaction caused by public fear.

The concern that arises are the issues of privacy and identity theft. The passport RFID tags do not contain any personal or identifying information themselves, but when they are combined with the information gleaned from other RFID tags that an individual may be carrying, it then becomes possible to track an identity. Paget gives an example of how this can be done. By combining RFID readers at a door way or an entrance, it would be possible to read the tags of driver’s licenses and credit cards (both of which *do* contain identifying information) and match them with the passport identification number. Since it was demonstrated that the passport tag could be read at a distance of many feet instead of inches, a person could be tracked using their passport RFID and their identity would be linked using the data from their driver’s license and credit cards.

Paget has posted a video on YouTube that demonstrates how he accomplished this feat. In it, he mentions two security features built into the passport RFID. They are a lock code and a kill code. The lock code is suppose to prevent the identification number in an RFID tag from being altered. The kill code is intended to disable the tag completely. Paget describes how, when read, these codes are transmitted over plaintext allowing anyone to intercept them. Although Paget admits that only the identification number is used in verification, if the lock and kill code are ever used for verification they are easy to capture.

This should come as a serious concern to those receiving passports and the new driver’s license, as this has been a known concern for some time even though few have been bold enough to demonstrate how easy it is to break this system. Paget does not believe that any personal identification documents should ever contain RFID tags and says his ultimate goal of his research is to “see the entire Western Hemisphere Travel Initiative just be scrapped.” Though these RFID tags make it more convenient for travelers and security personnel alike, the convenience comes at a cost.

It will be necessary for the government to address these security problems for the general public to trust the RFID tags. This will likely mean that the data must be encrypted instead of being broadcast over plaintext. It may also mean reducing the range at which the passport RFID tags can be read. However, even if these problems are addressed, this does not fix the problems created by RFID tags in other devices such as driver’s licenses and credit cards. To truly address this problem, it may be necessary to remove RFID tags from cards that do not require them. At a minimum, it will require removing identity information from the cards and encrypting data that must be read.

Links:
http://it.slashdot.org/article.pl?sid=09/02/02/2224255
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/
http://www.youtube.com/watch?v=9isKnDiJNPk
http://darkreading.com/security/privacy/showArticle.jhtml?articleID=213000321
http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-cloning-rfid-passports/

Assets:

• The obvious security goal of this technology is to reduce the spread of potentially pandemic disease by detecting it early. By detecting disease in airport lounges, the international spread of serious illnesses can be mitigated.
• A secondary use of this technology and a possible asset is to detect illnesses in livestock to prevent the spread of animal-borne disease. By detecting animal “coughs” that indicate serious illness, food safety issues and health hazards caused by sick livestock could be avoided.

Threats:

• Third parties (e.g. CIA, NSA, etc.) could get access to conversation/location data.
• Adversaries could infect a specific individual and track him and record his conversations as he travels. Or a group of adversaries could all infect themselves with a non-terminal disease that would give them a distinguishable cough in order to potentially quarantine an entire airport. Stranding hundreds of travelers would not only be costly, but would result in a prime target for large scale terrorist attacks.
• Airport workers who have access to recorded data/control of the microphones would be able to intentionally misinterpret the data to detain a specific individual. A person with access to this data could also record and manipulate conversation and location data.

Weaknesses:

• One potential weakness is filtering microphone data from crowded, noisy areas. Yelling, loud noises, or fake coughing could cause a false positive.
• Another weakness is attempting to contain an infected individual once a disease is identified. Numerous other travelers would have to be quarantined as well in order to actually prevent an outbreak. This seems costly and incredibly inconvenient. Also, this situation could result in many healthy people becoming infected by being quarantined with the infected individual.
• This technology would require constant monitoring of incoming data and numerous employees to track down and quarantine infected individuals. This could be costly.
• One of the biggest weaknesses from a traveler’s point of view is that this technology inflicts yet another way to make traveling slow and inconvenient.

Defenses:

• A simple cough screening (just like taking off your shoes, checking your bags, etc.) could be administered while people go through security. A doctor or health worker would have to be present in order to verify the disease in travelers who test positive.
• By only allowing doctors/health workers (rather than a security guard) to access the data, privacy could be better maintained.
• In order to speed up the quarantine process for possibly infected passenger, a quick test should be developed to confirm/verify illness on site. This would allow healthy but misidentified passengers to be on their way sooner.

Risks:

• People’s privacy could be violated in several ways: medical data could be leaked, conversations could be monitored/recorded, and people’s location could be tracked.
• Even if the above risks were addressed, this system would only be effective if every major airport adopted it, which seems unlikely given the lack of consistency in airport procedures worldwide.
• This technology is not very likely to evolve because it is too invasive and too likely to be abused.

Although this technology is well-intentioned and could be a very powerful tool for preventing the spread of diseases, the potential for abuse and invasion of personal privacy is too great. If this technology was used more overtly, as described in our possible defenses section, it could be more accepted. Implementing this technology for livestock has greater potential, as animals have less concern about their privacy . Preventing the spread of diseases in livestock could also greatly impact the spread of animal-to-human transmittable disease.

Authored By: Heather Underwood & Guy Bordelon