UW Computer Security Research and Course Blog

Security researchers have announced the development of a ultra-fast method of cracking wireless GSM encryption in 30 minutes or less.  The 64-bit encryption algorithm was cracked in theory over 10 years ago, but the development of new technology has exploited the vulnerability on a timescale that poses a serious threat.  GSM is used by many mobile companies worldwide, including T-Mobile and AT&T in the United States.  With a GSM wireless frequency receiver and the proper resources, hackers will be able to eavesdrop on phone conversations and text messages at will.  Fortunately, the technology is currently not cheap.  The developers are charging $1,000 for a solution that cracks GSM in 30 minutes, and $100,000 for a solution that cracks it in 30 seconds.  Still, the potential for privacy invasion in the future is tremendously daunting.

Who else is ready to switch to Verizon or Sprint?

Source:  http://www.informationweek.com/story/showArticle.jhtml?articleID=206800800&cid=RSSfeed_IWK_All

The government has decided to continue wiretapping phones with assistance from phone companies. These companies are also pushing a bill for immunity from lawsuits for participating in the tapping. What is the line at which informational surveillance pushes too far into privacy? Should immunity be granted?

 
Articles:

http://yro.slashdot.org/yro/08/02/24/135225.shtml
http://www.reuters.com/article/newsOne/idUSN2229053420080224

Spy satellites will be used by local law enforcement to enforce the laws against United States citizens. Should this make us feel safer or more scared of our government?

On the one hand I expect any government to use the most sophisticated equipment it has available in the pursuit of law enforcement, but on the other, the more sophisticated the equipment gets the more difficult it will be for proper oversight to exist, and the tendency is increased (perhaps inadvertantly) that the tools will be used for nefarious purposes.

A lack of oversight has the potential to lead to disastrous results. The brouhaha that occurred over the warrantless wiretapping could be just a hint of what’s to come if programs such as this gain more ground.
When news of this type comes out I get an ominous feeling of “ickiness” about the fact that we have less and less implicit privacy (that being the general privacy to do things like walk outside into your fenced yard without risk of wanton surveillance). But at the same time I have a hard time determining where exactly the line is being crossed.

Can someone help determine where (if at all) a problem exists? Does it lie in the fact that the Federal government is using instruments of national security for issues that should be locally controlled? The Slashdot comments section has a lot of alarmist comments (including the ubiquitous “omg 1984” kind), but I’m not certain how a line is being crossed.

Source: http://yro.slashdot.org/article.pl?sid=08/02/13/2331224&from=rss

Since ISPs, most notably Comcast, some time ago began identifying and purposefully destroying or severely throttling BitTorrent connections passing through their networks, the struggles on both sides of the fence have been nothing short of a game of cat and mouse.

(Read on …)

The latest version (7) of Microsoft’s Internet Explorer web browser, like their latest Windows (Vista) operating system, is supposed to be the most secure version in the product’s history. A complete security review of either IE7 or Vista is outside the scope of this post, but there is one very interesting security feature found at the intersection of the two, called “Protected Mode.” Presented as a feature intended to limit the possible damage even if every other security feature in IE7 fails, Protected Mode limits the browser’s ability to modify the system in case of an attack while preserving the ability to execute other tasks, such as downloading files and allowing helper programs, plug-ins, and the user to interact with the browser much as before. (Read on …)

Home monitoring systems like Quiet Care exist to allow independent living for elderly people. The system works by monitoring the person’s daily movements with wireless activity sensors in each room. The information collected from these sensors is gathered at a communicator and then is sent to the Quiet Care server and is analyzed for patterns. If the server detects unusual behavior, it contacts the caregivers of the individual.

(Read on …)

According to Scientific American, the US Navy is considering to deploy a new technology, Deep Siren, to improve communication to and from submerged submarines. As of now, submarines have to be no deeper than 60 feet and towing a floating antenna behind them before they can communicate with the outside world. This makes the submarines far less agile and much easier to detect. The Deep Siren System will theoretically allow subs to communicate at any depth and speed.
(Read on …)

The other night one of my friend’s asked me about the webcam in her laptop. She was concerned about people gaining access to it and spying on her. Her fears got me to thinking about this problem.

Integrated webcams are becoming the norm in most laptops. The privacy implications of unauthorized access are staggering. A lot of us take changing in the secrecy of our own room for granted, but what if that wasn’t the case? In this security review I look at the possible weaknesses and defenses this class of products has.
(Read on …)

Summary

TrueCrypt is a disk encryption system intended to solve the problem of people being forced to disclose encryption keys or face consequences. It allows a disk partition to be completely encrypted. The most recent version even includes a special bootloader that can be used to have a complete Windows installation inside of an encrypted volume.

One of TrueCrypt’s unique features is the ability to hide another volume inside of the same encrypted partition. The hidden volume is stored at the end of the primary volume, in what looks like random data in the free space of the primary volume.

(Read on …)

The Mac OS X Dashboard is a platform for developing small applications, or Widgets, that can be accessed and hidden quickly at any time within the OS. Common widgets tasks include simple calendars, calculators, games, weather tracking, and system monitoring. There are thousands of user created widgets available for download through apple.com and other sites. Widgets are built using standard web technologies such as CSS, HTML and Javascript. However, they also contain hooks into the local system, allowing them file system access, access to compiled C code, and shell command access. These hooks are facilitated by the operating system running the widget instances and create a plethora of security concerns. (Read on …)