For CSE 484 this year, we have switched from the blog format to the forum format. The course website is online at http://www.cs.washington.edu/education/courses/484/10wi/. This year’s forum is online at https://catalysttools.washington.edu/gopost/board/kohno/14597/. We switched from the blog format to the forum format because forums seem to provide a better opportunity for interactive discussions within the course.
Wireless access points are a great technology – allowing a user the convenience of accessing the same wired network without wires. But the vulnerabilites and weak points that they produce can often be overlooked. Most people install these devices to extend their network to laptop or other wireless users, and can be secured if they are installed properly. But what if the installer is malicious? Anyone can buy a wireless access point for around $40 and install it themselves by plugging it into the wall ethernet plug they usually use. If this is on a cooporate network, which is usually a private one in which only employees from within the building can access their network, then installing this WAP opens up this network to anyone within range of the WAP. As noted in another interesting article regarding the subject, a disgruntled employee could install a wireless access point, hide it behind a file cabinet, and leave it there after they leave or get fired. Months later they can come back with their laptop and freely access the coorporate network from the parking lot.
A move over scanning the keyboard with infra-red cameras for heat signatures, listening to keystrokes and simple shoulder surfing.
Say hello to hacking through thin air or electromagnetic waves, rather. Apparently, all keyboards generate unique electromagnetic waves for every single key pressed and these are really easy to pick up even with some inexpensive antennae. Of course, a lot of this is only possible under ideal conditions where there isn’t much interference from other devices. Here are some videos that demonstrate the attack –
Edit: Looks like embedding is disabled here. Please visit the links below for the videos
Chicken coops form the heart of many urban farmers’ livelihoods. Providing sustenance directly through eggs, indirectly through fertilization of soil, and supplementing any waste management system through the digestion of otherwise unusable organic matter, the occupants of these structures play a vital role in small-scale subsistence living. Yet with such a range of assets come an array of risks and vulnerabilities. Especially as the technology underlying these systems becomes more advanced, it is essential to evaluate the implications for the their security–and the security of the urban farmer’s way of life.
Google has been scanning whole books and archiving them since at least 2004. More recently, it settled a lawsuit that will allow it to legally copy copyrighted books and making them available online. Google allows users to search their book archive at Google Book Search, and view samples or in some cases entire books. While the ability to look at fragments of the more restricted books is only useful as advertising for luring in potential readers , the fact that some books are posted whole online is significant for the flow of information throughout the world. As this online library expands, it could aid education and help distribute ideas worldwide.
The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. Marion Jones, for instance, a five-medal winner in Sydney’s 2000 summer Olympics, was retroactively indicted on drug charges and agreed to forfeit her awards. While the revelation shocked many, Jones relinquished her medals and life went on.
Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.
The technology being evaluated is the Helios Online Voting Booth, usable at http://www.heliosvoting.org and outlined in the 2008 Usenix Secuirty paper available at the same site. The election system does not create novel cryptographic tools or algorithms, rather it provides a protocol for using existing cryptography to make an election that is universally verifiable and provides ballot casting assurance as well as voter secrecy. (Read on …)
For the last couple of years, I have done my taxes online. Compared to doing them by hand on paper, the online method takes far less time to fill out. However, it also brings with it the host of security risks associated with entering sensitive data over the internet. To successfully file your tax return, the online system must take your social security number, as well as all your personal and financial information. (Read on …)
“The Eye-Fi Card stores photos & videos like a normal memory card. When you turn your camera on within range of a configured Wi-Fi network, it wirelessly transfers your photos & videos. To your computer. Or to your favorite photo sharing web site. Or both.”
The Eye-Fi card is an SD memory card used with cameras, capable of connecting to wi-fi networks and uploading to sharing sites like Flickr, Picasa, etc. It’s also capable of specifying privacy levels for each upload. All these configurations can be set using their software on a registered computer on the same network. Photos can be uploaded as you take them as long as you are connected to the network.
The assets include the card, photos, and the website account information/access. The card is expensive and can contain sensitive and private photos. As mentioned, the photos being uploaded can be private. The website account information/access is also valuable because you don’t want your password and account compromised. Knowing the password could compromise your accounts on other sites. Also you don’t want unauthorized photos uploaded or unauthorized actions on your account.
Adversaries may include anyone who is interested in potentially private photos and malicious adversaries who want to take control of or exploit your website accounts. Adversaries could gain access to these assets through a number of ways. Since the Eye-Fi card communicates via wireless, if the messages were unencrypted and the protocol reverse engineered, it’s conceivable that messages could be spoofed, tricking the configured computer on the network to conduct unauthorized actions like uploading different photos to the photo sharing website accounts. Photos could also be intercepted through the network. Also, depending on the protocol, if account information is being transmitted back and forth between the Eye-Fi card and the configured computer, these messages could be intercepted and account information such as passwords could be read. The product description seemed to suggest that the card could be configured wirelessly. If this were the case, then a malicious user could spoof the configuration messages and reconfigure the card.
A good defense perhaps would be to require configuration of the card to happen only while the card if physically plugged into the configured computer. At this point, the computer and the Eye-Fi card could easily exchange symmetric keys in order to encrypt exchanged messages. This also prevents a malicious person from spoofing configuration messages. The account information should be kept on the configured computer and shouldn’t be transmitted across the network. Since I’m not familiar with the details of the protocol, it’s possible that Eye-Fi already employs some or all of these security measures.
Requiring that the Eye-Fi card is physically connected to the configured computer is an extra inconvenience in order to enforce more security. The entire idea behind the card is to make the photo uploading process easier and more convenient and enforcing this kind of security is likely not a priority. Additionally, if the network you’re on is one you own and you already require a key to access the network, then Eye-Fi use is probably already secure from adversaries outside of your network.
However, it’s interesting to consider that as technology evolves, wireless will become more and more commonplace, and companies will likely continue to push convenience as a priority. And often this convenience will come with the cost of security. As it is, wireless already has its fair share of security issues but hasn’t become a mainstream concern. With more users using wireless and more assets becoming accessible via wireless, more and more adversaries may find it worth their while to exploit wifi weaknesses.
Big Hollywood parties have big time guest lists, so it’s no wonder that many people want to be there. These include both (mostly) benign fans and some people of the less benign variety. Hence, security at these events is a big deal. In 2000, the event’s security made national headlines when the oscar statues were stolen by a shipping company employee. More recently, Scott Weiss has been trying to crash all variety of big Hollywood parties, including the Grammy’s, the Golden Globes, and the Oscars, producing a documentary on the topic.
Assets and Security Goals:
- The safety of attendees. The guest lists of these events contains lots of famous names that could be the target of attacks on their personal safety.
- The timeliness of the event. These events are usually televised live, with lots of advertising revenue depending on the event showing on time. Failing to do so would cause significant losses to many parties involved.
- The exclusivity of the event. Failing to prevent the general public form obtaining access to the even would dilute the exclusivity and mysticism of the even, making the event feel less important overall
- Personal enemies. The guests are often famous, meaning they’ve made a name for themselves, generally meaning they’ve also made a few enemies, who may want to harm them.
- Paparazzi. These pseudo journalists will do anything to capture or make a story about some celebrity, often at the epense of that person’s reputation and possibly safety.
- Overzealous fans. These fans can go overboard in their attempts to meet the Hollywood star in question, possibly causing safety issues for that person.
- Given the large guest lists generally include many lesser-known celebrities and their entourage, security personnel generally don’t know everyone on the guest list, so it’s possible to impersonate one of these people given the right fake credentials.
- While electronic keycards are common, there is quite often an entrance without the capability to verify these that’s used by service personnel, making the system trivial to bypass.
- As always, the human element applies, in that if a person acts like they belong at the event, no one tends to question that fact, once they’re inside. Moreover, Weiss has found that security personnel will often back down from asking question is you claim to be in a hurry, not wanting to make themselves a target of the guests anger.
- The electronic keycard system could be expanded to be at every entrance, making passes much more difficult to duplicate.
- Better training and protection from retribution for security personnel could help prevent the specific human weaknesses exploited by Weiss and company.
In conclusion, while the parties are generally secure from a large scale perspective, becoming totally secure for such a large even will be extremely difficult and possibly be at the cost of usability of the system. The celebrities generally don’t want to be bothered with security, so the system will likely have backdoors built in to allow them easy access in, which could make any of these upgrades moot anyways.