UW Computer Security Research and Course Blog

A website created for the Transportation Security Administration for the purpose of allowing travelers to resolve watch-list or screening problems was found to be inadequately secured, causing travelers to inadvertently transmit sensitive personal information in the clear. Most of the website was entirely unencrypted, and the few parts that were secured used self-signed certificates, making it impossible for end users’ software to corroborate the validity of the encryption.

This lack of security resulted from a failure to take appropriate security precautions by the company contracted to create the site. What should have happened here, and what should happen for all websites that handle sensitive data, is oversight by people competent in the area of computer security. Some of the basic aspects of oversight could probably be automated by software crawling the internet.

The broader issue at hand is that most people are largely unaware of how insecure the vast majority of internet communication is. Because of this they are willing to transmit sensitive data like credit card and social security numbers via email, im, or other (typically) insecure methods, without regard to the security implications.

The TSA website that was created insecurely should be revamped with proper security mechanisms put in place. In the medium-term, audits should be mandated for governmental websites to make sure that there are no fundamental failings in the set ups. In the long-term future we should create policies and foster a culture of people that clearly recognize the importance of privacy and the risks of communicating private data insecurely. source: http://arstechnica.com/news.ars/post/20080113-tsa-security-flaws-exposed-users-to-risk-of-identity-theft.html

SECURITY REVIEW: Retail Entrance/Exit Alarm Gates

Most of us have been to a retail store of some kind and encountered someone setting off the obnoxious alarm of security gates that line the doors while exiting or entering the building. Such security systems have become increasingly common in businesses of all sorts as a way to protect their most valuable assets. While a somewhat useful feature as security, this system can also prove to be annoying to both customers and employees alike.

The basic idea of this system is that you have gates that will detect and react (usually with a loud beeping) if one of a set of smaller electronic devices that have not been deactivated passes through them. These smaller electronic devices are discretely packaged in to particularly valuable pieces of merchandise or assets, so that when these assets pass through the gates without being cleared by employees (and thus deactivated), the electronic device implanted on the asset will set off the alarm, alerting those around that an unauthorized asset has passed through the gates (assumedly leaving the building). There is of course also another aspect of the system that must be in place, and that is employees of the company (or some other person who can do something about a theft) must be within hearing/reacting distance from the gates/doors at the time that the alarms are set off. Otherwise the alarm going off would serve no purpose to protect the assets of the company.

There are many security goals to be considered here. The main and most obvious of these of course is that if a valuable asset if being carried out the door, the business would in some way be alerted of this event, and would be given the opportunity to react to the theft, and thus protect their assets. This security goal of course can only be realized if the asset in question indeed has an electronic security device on it, and that the staff indeed is alerted by the system (such as if an employee is close enough to the door to hear the alarm). Another very important, but less obvious security goal is to deter people from attempting to steal anything in the first place. Usually when these alarms go off, they are quite loud, and can be heard by the customers in the building. The customers can also observe that these security gates are in place easily when they first enter the building. It is also difficult to determine which pieces of merchandise are specifically protected by the system (have an electronic device on them). These three facts act as general deterrents for people to even try to steal in the first place, thereby creating some measure of security without even necessarily apprehending an attacker.

Of the many possible attackers, the most common and obvious are probably the customers that frequent these stores, and the employees that work there. Customers that are in the store obviously must be interested in the assets contained in the store, otherwise they wouldn’t be there, and thus must have a motivation to obtain the assets. If the customer could obtain these assets without paying, this would be all the more beneficial for them. There are also the employees of the company, who usually have some interest in the product or assets of the company that they work for. The employees are also in the store with the assets, as well as coming and going quite often. Not to mention the fact that the employees are usually a vital component of this system (they are usually the ones actually being alerted by and reacting to the alarm). Thus they are also in a good position to be an effective attacker of this system.

One main weakness of the system is that the gates to some extent can only detect the electronic device if it takes certain paths on it’s way out the door, mainly in between the two gates. Although it would perhaps be less subtle and more noticeable if someone were to leave the store while lifting what they were carrying above or around the gates in some way, it is still feasible that there could be some path by which the asset could be carried past the gates such that the gates would not actually detect the electronic security device located on the asset. Another weakness is the dependence on people or employees around the store for the system to work. In order for the system to be worth anything, employees must be not only reachable by the alarm, but also in a position to react in such a way as to prevent the theft. Thus it could be the case that the alarm isn’t heard, and thus does nothing to protect the assets, or even if heard, employees might be too far away from the doors to be able to react to the alarm in a helpful way.

A way to strengthen the defense against the first of the weaknesses would be to make the gates detect an electronic device that passes even near it within as much distance as it would take to span the entire doorway. This way the electronic device on the asset wouldn’t need to actually pass through the gates themselves, but would set the alarm off if it even gets close enough to the gates to get through the doors at all. And a defense against the second issue would simply be to have an employee whose job is to sit by the door, within hearing distance of the gates, and with a course of action by which they are able to react to any and all alarms set off.

While this system is great as a general model of security that can be both well known and somewhat affective as a security precaution, as well as a deterrent against even attempts at theft. As with all security systems, the actual effectiveness of this system depends largely on it’s specific implementation, and can never be made to be completely invulnerable. Also, this system is only applicable to businesses that need to protect material goods that usually are smaller in size. So this system is only useful to a very specific subset of business types. If set up with diligence and properly maintained however, this system can provide valuable protection of the assets of many companies.

Housing and Food Services (HFS) houses approximately 5100 students in its numerous residence halls and apartment buildings. To accommodate for easy maintenance and locksmith-free lockout calls while the desk is closed all the halls are master keyed and reside on a giant hoop of metal known as the duty ring. Normally to obtain the duty ring a Resident Adviser/Community Advisor (RA/CA) will check out and sign for the keys at the front desk of the residence hall. The clerk at the front desk requests the RA/CAs staff ID, if the picture on the ID matches the person in front of them, they will file the checkout card away and check the RA/CA in for duty in the Odyssey HMS housing system.

By putting this system in place, HFS attempts to protect the following assets.

1. Access to infrastructure. The duty ring not only contains keys to resident’s rooms but also to bathrooms, breaker rooms, network rooms, etc.
2. Access to resident’s rooms. HFS trusts RA/CAs to only unlock doors with the resident present and consenting.
3. HFS needs to have some record of who has the keys at all times to maintain their image as a professional housing organization. I certainly would not feel safe with the knowledge of a loose master key.

Possible attackers of this system could be anyone with the above knowledge of the duty ring checkout system.

1. Thieves: Residents often have laptops that haven’t been physically secured or registered with UWPD. These high ticket items are easy to carry off and very few if any people would find someone carrying a duffel bag full of laptops suspicious.
2. Feuding RA/CAs: Checking out the duty ring under the identity of another RA/CA and disposing of the ring would likely get the victim fired due to the high cost of re-keying everything.
3. Disgruntled RA: Upon leaving HFS a disgruntled RA could checkout all of the duty rings. The cost of re-keying thousands of locks at $70-$80 each would be a major expense for HFS.

The system however is far from perfect and could likely be attacked in the following ways.

1. The staff ID cards consist of a single picture and black text on a red background. Duplicate, altered or fabricated staff ID cards would be difficult/impossible for the desk clerk to discern from real ones. With a little research on a given residence hall, one can determine the names of all the RA/CAs on staff (often on a poster in the lobby), as well as who is scheduled to be on duty for the night. With these fraudulent cards an attacker could check out the duty ring in the names of other staff members to discredit them or obtain all the duty rings in order to force HFS to re-key every door lock.
2. Since the front desk clerk has no need for the physical ID card, new desk clerks often forget to ask for ID verification.
3. Distraction of the front clerk would also allow an attacker with a hook on the end of a 6 foot or longer pole to retrieve the duty ring from they key rack which is left open and unlocked during desk hours. This could include false fire alarms in which case the key cabinet is left unlocked. The gate that is deployed in front of the office is only meant to keep people from going through however the duty ring can still slip through it.

I would like to talk about an article I read in Slashdot today ( http://it.slashdot.org/article.pl?sid=08/01/13/1533243 )on Malware (Trojan horse programs and computer viruses) finding their way onto digital devices like iPods and, more interestingly, digital picture frames. The Slashdot article points to an article from The Register ( http://www.theregister.co.uk/2008/01/11/malware_digital_devices/ ). The article from The Register talks briefly about consumers during the Christmas season who have received digital picture frames have had the problem of malware, which was traced to an infected computer at the factory, attempting to infect computers once the device is connected to the home computer. The malware, which have hidden itself by disallowing the user from showing hidden files and from contacting antispam and antivirus websites, has been reported to the Internet Storm Center, a group that monitors network threats. This problem is not new, as iPods and hardwares have had a small history of manufactures with infected computers infecting shipped devices, and are typically due to small lapses in maintaining secure systems at the factories and are accidental in general.
(Read on …)

It is shocking to learn that while the University of Washington Housing and Food Services own nine residence halls with a total capacity of nearly 5000 students, the security barring access to individual students’ rooms can be compromised with little more than a little research and a good story. For the first homework assignment, I reviewed the security of the dorms. I thought of ways to get into other residents’ rooms and found that it wouldn’t be as difficult as one might hope. I tried the “attack” on myself, trying to gain access to my own room. It’s not surprising that I got into my room (in fact it’d be more surprising if I couldn’t), yet the attack could be used against others, especially those the adversary knows well.
(Read on …)

With many people living off campus, biking is a popular method for getting to class in a timely manner.  Bikes can be quite expensive, however, and riders are usually forced to put them in a public location (for sake of convenience/necessity).  As such, there are some security measures that can be taken to deter thieves from stealing these expensive publicly-displayed commodities.  The most common (and only?) tool used to this end is a bike lock.  For those of you who don’t know, bike locks are basically some loop of metal that has a lock to break the continuity.  The two types I’m familar with are the U-shaped locks (with a bar across the top of the U containing a lock) and, more commonly, the snake of heavy cable that has a lock in the middle somewhere.  With bikes as prevalent as they are, keeping them from getting stolen is a high priority.
(Read on …)

Overview

The blue USPS mailbox, a ubiquitous object on American streets today, is one of the most recognizable security devices currently in use. Despite its many shapes and sizes, its purpose boils down simply to one of protection of privacy, integrity, and access control. Customers who drop off letters or packages in a mailbox expect their mail to be protected from the prying eyes of strangers, safe from theft, and handled only by authorized USPS personnel. Indeed, the promise of security has helped the USPS to remain competitive over the years. (Read on …)

The UK has proposed to embed offenders with RFID chips as part of an expansion of the electronic tagging scheme that would allow British officials to to help enforce home curfews.  This sort of tagging already exists within pets like cats and dogs that have been properly licensed. The RFID tag will contain information about who they are, where they live, and the offending record. The use of this technology will be used to keep certain criminals out of certain hot zones at which a crime may occur, for example, a sex offender, entering a school zone.  (Read on …)

I recently had to get a new passport; one with a computer chip, and a handy brochure touting why it was so great, and how I was protected by “two tier system.”  This post is to analyze these “Biometric Passports,” their current defenses, as well as possible security vulnerabilities and possible repercussions of their use.  Can anyone say people tracking? (Read on …)