Security Review: Pop Machines

By bcbell at 12:20 am on February 11, 2008 | 5 Comments

While we have access to reasonably priced soda in the ACM lounge or the Benson store, the average person looking for a convenient drink has to shell out between $1.75 and $2 to buy from a pop machine. But why pay if you don’t have to? It is obvious that the manufacturers of these machines have put thought into their security: most machines will hardly let you reach in for the drink you bought, let alone reach up into the machine. Despite this, it is still possible to manipulate the machines into giving away drinks. Is their security good enough for most situations? Is the security too good? Let’s find out…

(Read on …)

Filed under: Security Reviews

Security Review: CAPTCHA Systems

By angel at 11:58 pm on February 10, 2008 | 4 Comments

Summary

A CAPTCHA System is a Completely Automatic Public Turing Test to Tell Computers and Humans Apart.

Initially developed by Carnegie Mellon researchers, this system was meant to differentiate between actual people and automated robots when it comes to opening new accounts (email accounts, eBay accounts, bank accounts…). A CAPTCHA is an image made of words and numbers that are shifted, set in different fonts, colored, shaded, and slightly blurred but still readable to the human eye, to prevent spammers from opening accounts in an automated way.

Dan Hubbard, Vice President of WebSense, reported recently that Microsoft’s CAPTCHA system, used by every Windows Live site, has been compromised. It has been reported that bots are obtaining a 35% rate of success, with the capability to register hundreds of new users per minute using automated HTTP queries via raw sockets. These ‘virgin’ accounts are used for a short period of time (before getting blacklisted) to send spam by email or viruses to ‘recruit’ more botnet zombies. Yahoo’s CAPTCHA system was reportedly hacked a few weeks ago as well, by a Russian researcher.

(Read on …)

Filed under: Security Reviews

Security Review: Quiet Care

By joyleung at 11:51 pm on | 4 Comments

Home monitoring systems like Quiet Care exist to allow independent living for elderly people. The system works by monitoring the person’s daily movements with wireless activity sensors in each room. The information collected from these sensors is gathered at a communicator and then is sent to the Quiet Care server and is analyzed for patterns. If the server detects unusual behavior, it contacts the caregivers of the individual.

(Read on …)

Filed under: Availability, Privacy, Security Reviews

Security Review: Wireless Classroom Question / Answer Systems

By diademed at 11:48 pm on | 2 Comments

Summary
In many of today’s college classrooms, especially introductory science classes, the large majority of students often makes it difficult to gauge classroom participation. A solution used in many of the lab science introductory sequences at the University of Washington has been to require each student to purchase a ‘clicker’, a wireless transmitter using either RF or IR technologies, and have them produce multiple-choice answers from a selection of answers shown on a large screen in the front of the class, which are then received and tabulated in real time by a receiver somewhere in the room.

(Read on …)

Filed under: Security Reviews

Security Review: CyberLocks

By chrislim at 11:13 pm on | 2 Comments

In essence, CyberLocks are like mechanical locks++, enabling you to bring intelligent electronic access control to even the padlock level. CyberLock cylinders, which cannot be picked and maintain an audit trail of usage, can replace virtually any traditional lock (e.g. for doors, cabinets, padlocks, server racks, etc.) without any wiring. However, with the introduction of these additional features also comes the increased potential for new vulnerabilities and attacks. The following is an overview of the typical CyberLocks usage scenario that I will review (see this video for a clear and concise overview of the system, after which you may be able to skip to the Assets section of this review).

(Read on …)

Filed under: Physical Security, Security Reviews

User-agent-enhanced Websites

By alpers at 10:53 pm on | 2 Comments

Gradually over the year of 2007, I’ve been turning to Google to help me get through sticky problems with open-ended programming projects. As I’ve moved from Java to actual implementable languages such as Python and C#, I’ve found that more and more of my answers end up at places such as experts-exchange.com. I’m of course ecstatic that my exact problem has been found on the great big interweb; the Google summary shows me part of a solution! Of course, when I actually navigate to the site, I’m greeted with a greatly reduced page with lots of ‘trial options’ (example). What happened to my content that I just saw highlighted on Google? It’s nowhere to be found.

(Read on …)

Filed under: Miscellaneous, Security Reviews

Windows 3.1-XP Password Hashing Review

By nekret at 10:45 pm on | No comments

Windows systems, like many other operating systems, hash passwords instead of keeping them in clear text in the event an attacker ever gets hold of authentication data. Microsoft first developed the Lanman (LM) password hashing scheme in Windows for Workgroups 3.1. In order to maintain backward compatibility, Microsoft has kept this system enabled by default all the way through Windows XP (Vista still supports LM hashing, but it is disabled by default). Due to the design of the original LM system, it is now feasible for many people to store large sets of precomputed hashes (rainbow tables) and crack complex, non-dictionary passwords in just a few minutes.

(Read on …)

Filed under: Security Reviews

Security Review: Deep Siren

By Chad at 10:33 pm on | No comments

According to Scientific American, the US Navy is considering deploying a new technology, Deep Siren, to improve communication to and from submerged submarines. As of now, submarines have to be no deeper than 60 feet and be towing a floating antenna behind them before they can communicate with the outside world. This makes the submarines far less agile and much easier to detect. The Deep Siren System will theoretically allow subs to communicate at any depth and speed.
(Read on …)

Filed under: Integrity, Physical Security, Privacy, Security Reviews

Security Review: GM Onstar

By chrt00 at 10:07 pm on | 4 Comments

GM’s OnStar service has been a success for several years now. It gives many services to people with GM vehicles. It provides some very powerful features such as GPS tracking, stolen vehicle slowdown, remote unlock and emergency services. However, the technology imposes potential for exploitation.

(Read on …)

Filed under: Security Reviews

Security Review: Integrated Webcams

By zaxim at 9:53 pm on | 2 Comments

The other night one of my friends asked me about the webcam in her laptop. She was concerned about people gaining access to it and spying on her. Her fears got me thinking about this problem.

Integrated webcams are becoming the norm in most laptops. The privacy implications of unauthorized access are staggering. A lot of us take changing in the secrecy of our own room for granted, but what if that wasn’t the case? In this security review I look at the possible weaknesses and defenses this class of products has.
(Read on …)

Filed under: Privacy, Security Reviews