UW Computer Security Research and Course Blog

Anybody who has flown on a national airline or had business in a federal, state, or county government building has certainly had the experience of waiting in the queue to be ushered through a beeping metal-detecting portal, separated from bags and other belongings which are whisked through an adjacent X-ray machine. Such devices are usually intended to secure the premises against an outside threat entering with weapons or other dangerous items. (Read on …)

In a recent article on Computerworld, it was reported that a former system administrator of Medco planted a logic bomb which was intended to cripple the company’s network. Medco deals with prescribing drugs and various other heath services. Due to the nature of this attack, the well-being of customers of Medco were put at risk. Fortunately, the logic bomb did not succeed, and it is reported that the first wave of the attack failed due to buggy code, and subsequent waves were detected and prevented before they could trigger. The former system administrator will now serve 30 months and has to pay $81,200 in damages.

It is mentioned that upcoming layoffs could have triggered the system administrator (Lin) to commit this offense. Medco had just been restructured, and layoffs had taken place, but Lin did not lose his job. However, there were more layoffs to come, so perhaps in anticipation, Lin planted the logic bomb. It is difficult to say if there could have been anything done to prevent this offense. Since Lin was a system administrator, it is difficult to stop or deter a person of this position if they are willing to commit such a serious offense. I think the best a company could do is respond to actions taken by employees by checking their work, but enforcing a system like this would be too pricey and time consuming to be plausible.

As mentioned before, the impact of this event, if it were successful, could have been very serious. People’s lives could have been lost due to lack of prescription drugs, and others could have been damaged for life potentially. One very difficult question to answer is, what should we do with people like Lin? What kind of punishment is suitable for the crime? Even though it was not successful, the intent to harm was always present. After Lin completes his sentence, should he be trusted to work with a company’s computer systems? Who knows if Lin will have learned his lesson, or if he will be even more upset and “out to get the world.” I would think it is safe to say that a company will never hire Lin to work on their computer systems with this kind of event on his record.

The state of Maryland has decided, after spending $65 million on electronic voting machines made by Premier (formerly known as Diebold) Election Systems, to spend another $20 million on optical-scan machines that read paper ballots. The reason for this incredible expenditure of taxpayer money, which the state will be paying off until at least 2014? Security concerns about the purely computerized voting machines. (Read on …)

Covered on The Register, Telegraph.co.uk, and Slashdot.

Earlier this month, a 14-year-old in Poland used a modified TV remote control to directly interfere with rail junction controls in the city of Lodz. He obtained information on the operation of the junctions by trespassing in several train depots. In the end, he used his train remote to alter the switchings on several moving trams, causing some to derail and resulting in numerous passengers receiving minor injuries. The boy has been charged in juvenile court with endangering the public.

The youth’s particular attack on the system was made possible by the use of infrared signals to control track switches, which left them open to outside interference. Additionally, the lack of property security at railway depots allowed the attacker to obtain information about exactly how the switches interpreted their signals, rendering possible the direct manipulation of the switches. (Read on …)

According to a report Tuesday from the Government Accountability
Office, sensitive taxpayer data housed at the IRS is critically
vulnerable to security threats. The report is a follow up from March
2006 where the security problems were initially discovered. The new
report indicates that 70% of the issues discovered in March remain.

(Read on …)

Security software vendor F-Secure has recently reported the first known “scareware” scam targeting Mac users. The software known as MacSweeper (www.macsweeper.com) poses as legitimate security software that “discovers” numerous fake problems and threats, which can only be solved by purchasing their $40 product. A senior security specialist at F-Secure shared two ways he determined the illegitimacy of MacSweeper: running their provided scan showed vulnerabilities in Mac-specific folders even when run on Windows machines and the company’s “About Us” section was taken directly from Symantec Corp.’s website. The website itself however is very professionally done and it is difficult for casual users to notice its phony nature.

(Read on …)

I’d like to briefly share with you an interesting article by famed computer security scientist Bruce Schneier that he recently wrote for Wired. In it he argues against securing your wireless network and for having open networks that others can use. To the obvious arguments against having open networks, such as people stealing your bandwidth, using your connection to perform illegal actions, or breaking into your computers, he replies: “…I don’t think it’s much of a risk.” He claims that virtually all potential negative consequences are either highly unlikely or of no significant consequence after all. It’s very interesting to see such a radically different viewpoint on such a seemingly obvious topic from a prominent computer security expert like Mr. Schneier. I encourage you all to check it out. It’s a quick and fun read.

As for myself, I secure my wireless networks for the same reason I lock my doors. Yeah, I’d like to think that I would be doing the good Samaritan thing by keeping my house open to passer-byers urgently needing to use a bathroom, but the risk that they might take something valuable on the way out just seems too real. On that same note, although Mr. Schneier might be right in saying that the risk of legal prosecution due to me keeping my network open is small, any risk to my life and freedom is too much. So that some “people…[be] rescued from connectivity emergencies by open wireless networks in the neighborhood” is not worth life in jail. If someone needs an open network that bad, they can drive the extra half-mile down the street to the coffee shop. Scary enough is the idea that it only takes one malicious user to make your network a conduit for crime. Also, Mr. Schneier argues that one should not rely on a secure network for computer security in general, because as soon as you take your mobile computing devices to a public place, they are no longer under the umbrella of a secure network and are therefore vulnerable. I say that both the network and the computer should be made as secure as possible. This follows the basic computer security principle of overlapping controls. Or perhaps I’m just too paranoid…