Dan and the rest of the team from UW, UMass Amherst, and Harvard Medical School found that an implantable cardioverter defibrillator can leak private information and can allow unauthorized parties to modify settings that control, among other things, shock therapies.  

You can read Dan’s full paper and the FAQ, as well as his earlier work on the topic of medical device security.  You can also read summaries of Dan’s work in The New York Times, the Wall Street Journal, Reuters, and the Associated Press.  Bruce Schneier also provides excellent commentary.

Congratulations Dan!

Any thoughts on this? It’s a curiously fun conceptualization, but could this potentially be just digging a bigger grave for the internet?

To study this, we measured how often our own web page, http://vancouver.cs.washington.edu, was modified when users visited it.  A piece of JavaScript code that we call a “web tripwire” detected such modifications, allowing us to record the change and notify the user.  Our study found that about 1% of the 50,000 visitors to our page received a modified version.  While 70% of these changes were caused by client-side proxies, we did see many changes caused by ISPs and firewalls as well.

For more information on our study and our results, you can read our analysis at Detecting In-Flight Page Changes with Web Tripwires, as well as our recent NSDI 2008 paper (PDF).  Our results have also been covered recently in the news media here, here, and here.

If you would like to add a web tripwire to your own page, we have an open source toolkit that you can download and host on your web server.  We also have a web tripwire service that is hosted by our server, which you can add to your page with a single line of JavaScript code.

To readers of this blog: Please expect low activity for a while. The University of Washington is on the quarter system, and our quarter just ended. Everyone in the class is, of course, encouraged to still contribute articles to this blog. And we’ll continue using this blog (or more sophisticated forum environments) in future courses.  Stay tuned for more information .

The assests include fitness machines, sports equipement, and simply the space, which when occupied by a unwelcome visitor, makes it unusable to a valid ima-goer. In addition, there is wifi access, as well as internet ready terminals.Adversaries might include, anyone who wants to take the equipement. Rival school members who want to somehow hinder our sports teams preperations, or even your average joe who wants to work out. We must not let random people get healthy! In addition, the IMA is one of very few places in seattle where regular pick up games of basketball can be found, and we must ensure that the general public doesn’t overwhelm the 10 courts that are provided. Luckly, the security has been sufficient to ensure that only 2 of these courts are ever in use at any given time.

The security that is currently in place includes students who guard a gated entrance. They swipe your card, which says whether your card was issued to someone who should have access to the ima, then the student may or may not due some visual authentication, comparing your face to the face on the card. However, as the gates are waist high, it probably wouldn’t be that hard to simply jump it. However, there are easier ways in. One must only know a valid name-student number combo to receive a one time pass into the IMA. While the form asks for more information, these are all that are ever required. In addition, at the same desk that handles the one time forms, one can also sign a guest in for a one time pass for seven dollars. Steep yes, but if you are looking to untracably enter the premise, asking a random person entering the building to let you be their guest isn’t a bad way to go. Then comes the best way in…locker room pins. One must only have a baby pin with a piece of paper taped on with a locker number to be instantly granted access, no questions asked. These are impossible to authenticate (or at least prohibitively difficult), and can be easily created without leaving your home for supplies. Bingo!

In conclusion, the IMA is wide open for access to anyone who really wants it. However, given that it is run by students who are almost always studying while working, it seems like the state has spoken about its commitment to IMA security. Access points such as the locker room pins exist because they are a convenience to the users, and very little harm can come from having unauthorized persons in the building. There is security on the premise that could respond, should someone try to run away with a collection of weights. Which raises the question, given that it is a state run facility, and it already charges for parking, a virtual must for people not conveniently coming from the UW, why charge at all? The general public could certainly use an additional fitness center…

Needless to say, there are many assets to protect in such a large, public space. Some of the more notable ones include the fully operational branch of US Bank, which resides on the ground floor. Clearly there is a lot of money as well as private records stored in the bank that must be protected. In addition, there is an accounting office on the third floor of the building that maintains records containing personal information about university employees and their jobs. These records must be protected in order to prevent crimes such as identity theft or tampering with payroll documents.

There are many adversaries who might want to break into the HUB. These include bank robbers looking to steal cash from the bank branch or from the multitude of ATMs in the building, identity thieves looking to steal private employee information, malicious employees looking to alter work records for profit, homeless people seeking a warm place to sleep, people attempting to steal items from the lost & found, vandals, etc.

The Husky Union Building has many weaknesses. First, it has many entrances and exits that must be monitored. There are countless doors that must be manually locked and unlocked at the proper times, and if just one of them is overlooked, an adversary can gain access to most of the building. This is analogous to having a lot of unfiltered ports open on a computer; the more potential entry points there are, the greater the risk. In addition, there are many windows on the ground floor that are accessible from the outside. This can be especially problematic during the summer, when people open their windows and sometimes forget to lock them when they leave. Another weakness the building has is that it is a very public place where lots of people work, so it can be hard to identify someone who shouldn’t be there, even after hours. The HUB doesn’t have a building-wide security system, and many staffmembers have keys to the building, so it’s not uncommon to see someone walking around inside, even late at night.

The HUB does have some defenses against adversaries. Every night, there is a trusted student employee, called a Student Building Manager (SBM), who walks around and makes sure everything is in order. The SBM is in the building as late as 12:30am on some nights, and has keys to every room in the building so he/she can check up on things. The SBM has a radio, and can call the nearby UW Police at the first sign of trouble. In addition, there are safes at various locations in the building that are used to store valuables, such as money and records. These safes, which are already in locked rooms, are an example of a defense-in-depth approach that was chosen by the building administration.

Despite these defenses, the HUB is definitely still at risk. The Student Building Managers, for example, keep their building keys on their personal key chains so that they can get in and out of the building after hours when they need to. It would be trivial for an adversary to steal one of these keys from a student and use it to gain entry. In addition, the system relies on trusting the SBMs, and although they are experienced staff who have shown responsibility and have perfect track records, they are still susceptible to malice and could do a lot of intentional harm. In addition, one of these students could forget to lock a door properly and unintentionally allow someone to gain access.

In conclusion, the HUB is a large entity that cannot easily be protected.  There are rudimentary security measures in place to deter casual adversaries, but in truth it wouldn’t be too hard for an outsider to gain access.  The university should consider installing a more robust security system in the building, or at least set up some kind of surveillance.  It also wouldn’t hurt to have a security officer walking around on each floor, rather than one student employee who leaves at midnight.

Assets

- The security of your home.

- The proper and desired functionality of your home automation

Adversaries

- Any malicious individuals wanting to gain access to your home by exploiting home automation.

- Vandals or pranksters who wish to disrupt the functioning of your home automation system

Weaknesses:

- Information is communicated wirelessly from control panels in your home to the devices they control. These can be security cameras, motorized locks, an alarm system, or even something benign like climate control. As far as information is available, the communication is done over z-wave which is a publicly described protocol for appliance networking. This means that the devices in the home will be susceptible to outside interference and signals. (Z-wave uses something called ‘home codes’ which is a 32 bit sig that all the devices are marked with to make sure they only communicate with devices with the same ‘home code.’ However it is noted in the specification that an attacker could easily forge the home code and join the network of z-wave devices). Even if some sort of crypto is used on top, if it is not done properly it will be susceptible to replay, man in the middle, and all the other classic forms of attack.

- Furthermore, the cell phone application can take one of two forms. It is either a web application that a user with a data-enabled mobile device can use (and thus has to be considered for security as any web app would - except in this case alarm systems and security camera feeds are involved), or it is an application somehow attempting to authenticate via the use of cell phone. In the latter case, the only identifying information conceivable is that stored on the SIM card - but as we have already seen, we can clone these!

Defenses:

- Real security with good crypto MUST be used for appliance networks. Luckily this problem has been long solved in computer networks

- I question the validity of making resources as sensitive as security camera feeds available via web applications that are visible on the internet - chances are there is a security flaw somewhere and an attacker can see in your house.

Risk Analysis:

I think the risks here are quite real. Individuals with such expensive integrated home automation systems probably have very nice houses, and these systems can in fact give potential adversaries more avenues for attack.

Conclusion:

I am not trying to say these systems are “bad.” I think the idea is extremely cool, but to boast about how they improve security seems strange when they have potentially only weakened it.

The post is an e-mail from a company that makes e-voting machines that is threatening legal action if their voting machine is analyzed and the results published.

What does everyone think of this?

This is a security review of “Smart Guns,” a general class of locking/use prevention mechanisms for firearms that rely on biometrics or other authentication indicators (such as “smart” chips embedded in the gun and in rings or other tokens worn by the intended user) to identify a person who is authorized to use the firearm, while preventing unauthorized persons from discharging the weapon. The Wikipedia article has some further broad overview information regarding the subject.

Assets

• Accessibility. Ideally, one security goal is for the firearm to be capable of being used in short order by the authorized user.
• Personal safety. The other security goal is that an unauthorized individual should not be able to use the gun to injure or kill the owner or any other person.

Adversaries

• The most obvious potential adversary is a criminal intent on using someone else’s gun to do harm; e.g., a criminal struggling with a police officer or a burglar breaking into someone’s house.
• Another “adversary” could be the small children of the owner of such a firearm; if a child somehow gains access to the firearm, the locking mechanism should be capable of preventing them from discharging the weapon and possibly killing or injuring themselves or others.

Possible Weaknesses

• If the locking system requires a battery to operate, one major problem that could compromise one of the security assets is a dead battery. If the battery is dead and the gun cannot be unlocked, it is useless to its owner, whether that be a police officer in the line of duty, or a civilian trying to defend himself from an attacker.
• If the system relies on biometrics to identify the owner (such as grip style, pulse, or other such indicators), a stressful situation (such as a shootout) might substantially change those indicators in the user, resulting in the owner being unable to use the firearm.
• Further, if the owner of a firearm is killed or injured in a gunfight, a partner, family member, or other ally will be unable to use their weapon against the attackers.

Possible Defenses

• To guard against the “dead battery” problem, one option is to design the lock so that the default (unpowered)  state is unlocked. This prevents the accessibility of the firearm from being compromised, but it also poses a major problem itself: when the battery dies, it is no longer protected against unauthorized use, and it might be possible for an adversary to damage or disable the battery, thus unlocking the firearm. A better solution might be to devise a system that does not require internal power, although this poses a significant technological challenge.
• Situations where an ally might need to use another’s gun to continue a fight arise more often in law enforcement; agencies might be able to employ a system where all officers could be issued tokens (e.g., rings) that would grant access to use all of the department’s issued firearms.

Risks

As with anything involving firearms, the risks are quite substantial:

• If the battery dies or another circumstance renders the gun unusable, the consequences could be quite dire, depending on the situation: if the user is practicing at the range, the result would be an annoying delay while the battery was replaced; if, on the other hand, the user is attempting to defend his or her life against an attacker, the result could easily be serious injury or death.
• On the other side of the issue, if an unauthorized user gains access to a firearm that is not protected (e.g., the firearm was unprotected, or the battery has died and the mechanism defaults to unlocked), they could use it to kill or seriously injure the intended user or others, or in the case of a small child, themselves.

Conclusions

While “Smart Gun” technology proposes to address a good security goal (namely, preventing a bad guy from turning someone’s gun against them), reliability is a major issue. In most of the eventualities when such a locking system becomes important, absolute reliability and speed of access are also critically important for the user. For this reason, many people do not consider the technology to be worthwhile at the present time. Ultimately, a better solution for most people is to employ other methods of keeping the firearm out of undesirable hands in the first place, rather than trying to defend against an adversary who already has physical access.

The big issue at hand is the oncoming breaking of the Internet, which clearly has broad reaching implications, particularly for Google. The search giant has bet its entire business model on the premise that the Internet be categorically unbroken, at least most of the time, and has a vested interest in ensuring the continued heartbeat of the web. This is in contrast with Microsoft, which could deal with an Internet breakage without all that much worry for its bottom line. This fact should alarm anyone with perceptive eyes; perhaps “breaking the Internet” is the first gunshot in a drawn out war of attrition Microsoft has planned.

According to Schmidt, Microsoft’s previous antitrust trial was about breaking interoperable open systems. Thus, we should all be wondering what level of nefariousness currently runs through Microsoft’s veins that it would embark on a conquest to contort the consolidation of Yahoo’s web offerings in someway as to weaponize open systems into a torrent of Internet pain and disruptiveness. One can only grimace at the proverbial ring of power Microsoft will be able to wield when it is able commit such acts as merging its MSN messenger userbase with that of the wildly popular Yahoo Messenger.

The Internet using public should assess the risk for Internet breakage and policy makers should react accordingly. But we should also keep in mind that if a Microsoft Yahoo merger could break the Internet, smaller deals might lead to some sort of fractures or cracks in the Internet. For example, Microsoft recently invested several hundred million dollars into Facebook, which caused observable tremors in the Internet’s various tubes. Caveat emptor.

Source: http://www.portfolio.com/executives/features/2008/03/14/Google-CEO-Eric-Schmidt-Interview