UW Computer Security Research and Course Blog

Microsoft has filed a patent application for a monitoring system that collects data such as heart rate, respiration rate, body temperature, and brain signals and interprets this into the worker’s stress, frustration and productivity levels. Microsoft claims that it will optimize management and production by allowing employers to view current reports of their employees and allowing coworkers to be alerted when their fellow employees need help. Yet the ethical implications are unnerving. A friendly conversation at your workstation could lead to a warning that your productivity was below average. Or if you’re having trouble at home and bring it to work, your coworkers could be notified.

I’m sure Microsoft only has the best intentions for this system, yet it sounds too close to Orwell’s “Thought Police.” Adversaries wouldn’t need to interpret your purchases on amazon or intercept wireless signals beaming your thoughts to a game console, they’d just need to be your coworker and in a company as big as Microsoft, you may find yourself with a lot of adversaries.

Note: While this article is marked in the “Current Event” category because of it’s recent posting in Scientific American and Techdirt, the patent was actually filed June 27, 2006.

Overview: 

Overlake Hospital Birthing Center has put a security system and policies in place to make sure babies are safe there.  First of all, mothers are given a bracelet when they come in that identifies who they are.  This is just the regular hospital bracelet with the name of the doctor on it.  As soon as the baby is born, he is given to the mother.  Babies are never to be taken out of the room without one of the parents except in extreme emergency cases.  The nurses ask the parents for the name of the new child.  Then, four bracelets are printed out – one for the mother, one for the father or birthing coach, one for the baby’s wrist, and one for the baby’s ankle.  Each of these have a matching number that must be checked whenever nurses give the baby back to the parents.

There is also an ankle band put on the baby with a security device.  Every door leading out of the birthing center is equipped with a security mechanism that will sound if a security band is brought within ten feet of the door.  This causes a complete lock down.  Every door is immediately closed and locked.  The band also will sound an alarm if it is cut.

(Read on …)

As I was reading Digg early this morning, I stumbled upon this story that many SQL injection opportunities were uncovered by people hoping to defame the site. Through a simple query to drop entries or the tables themselves, the database was cleared of all custom data, leaving many of the pages on riaa.com devoid of any content. In addition, some variables in the php pages could be exploited to show custom content on the respective pages.

(Read on …)

Covered on The Register, Telegraph.co.uk, and Slashdot.

Earlier this month, a 14-year-old in Poland used a modified TV remote control to directly interfere with rail junction controls in the city of Lodz. He obtained information on the operation of the junctions by trespassing in several train depots. In the end, he used his train remote to alter the switchings on several moving trams, causing some to derail and resulting in numerous passengers receiving minor injuries. The boy has been charged in juvenile court with endangering the public.

The youth’s particular attack on the system was made possible by the use of infrared signals to control track switches, which left them open to outside interference. Additionally, the lack of property security at railway depots allowed the attacker to obtain information about exactly how the switches interpreted their signals, rendering possible the direct manipulation of the switches. (Read on …)

SummaryIn the future, a shopping cart may no longer be just an ordinary shopping cart. It can also be an outlet for advertisement, check-out, and many more. Using the shopping cart, customer can view today’s deal, products’ advertisements, on-sale items, and pay items at the same time without waiting at the check-out line. The newly designed shopping cart is a product of MediaCart, Microsoft, and Wakefern. Microsoft is in charge with providing targeted ads using its Microsoft Atlas technology and the sophisticated shopping cart is created by MediaCart. The current system will be put to test in ShopRite supermarket managed by Wakefern on the East Coast. The shopping carts will be equipped RFID tags to sense where the carts’ location in the supermarket. When a customer walks in a specific aisle, he or she can receive specific advertisement based on the RFID that the console received.An interesting feature that customer might enjoy is the online shopping list. You can list all your shopping item on the website and it will save it for you. Once you are at the supermarket, you will simply swipe in your member’s card and the list will appear. It’s a nice way to save a piece of paper or a post-it-note. At the end, all the data mines from customer will be useful for better advertisement and the supermarket’s improvement.Assets

• Customer information. Every customer who wishes to use this new service has to become a member of the card loyalty program. Thus, their personal information is recorded and should be safeguarded against unnecessary use. In addition, their personal information will also include shopping pattern or other related information for better targeted advertisement.
• Supermarket’s good will and reputation. Since the technology is fairly new, ShopRite will become the first supermarket to pioneer the application of this concept. It can become a major player of the future that gives a new shopping reputation with reliable system and good reputation.

Security Goal

• Customer retention. The system intended for all customer to have a good experience while visiting the supermarket. Therefore, the advertisement or promotion/sale should be related to customer’s need. The customer will build up preference to the store because of the level of convenience and satisfaction. In the end, regular flow customer to the supermarket will ensure the regular flow of capital and open other venue for future investment.
• Faster purchasing process. The new shopping cart system allows customers to bypass the checkout counter. Thus, they do not need to wait in line and waste their precious time. This convenience will give an added value to the supermarket and ensure availability of check out process anywhere and anytime.

Potential Adversaries

• Rivals or competitors. The new system is giving a path for new way of shopping. If the technology attracts people’s attention, then many supermarkets might need to follow the step to stay in-trend. However, some supermarkets might not agree with this method and devise a plan to foil it.
• Disgruntled worker. The new change in the supermarket might spark disapprovals within the company. Since the check-out counter is no longer necessary, then some employee can be let go. This fact can give a reason for desperate employees to get even.

Threats

• RFID transmission. RFID chips will be used all across the supermarket area. A malicious user can view the RFID and perhaps devise a way to change the configuration the RFID or disable it. Then, customer might receive unrelated advertisement, which will reduce customer experience. In addition, malicious might even want to tamper or disable the RFID to make the system useless.
• Database security. All of the advertisements should be stored in some kind of database that relates them to RFID tags. In the case of database tampering, the advertisement might not correlate with the correct advertisement. In worst case, customer will be bombarded with all type of advertisements (ex: adult advertisement).

Potential Weakness

• Database tampering. The database for advertisement will need to be constantly updated for new advertisement. If the data is outdated, then the customer might get confuse. The problem can come for internal where the database could contain customer information. A lack of security can give a malicious user a chance to ruin the database and render the supermarket useless.
• Wireless communication. The system in place relies heavily in wireless communication, starting from the RFID to the method of payment. Customers who need to pay the items can simply swipe their card on the shopping cart. It will then try to complete the transaction. The communication between the shopping carts with the payment server can be interrupted or even intercepted. Not to mention, the shopping cart might also store user information like their card member or recently used credit card.

Potential Defenses

• Firewall and redundancy. All servers that host the supermarkets’ shopping cart should have a robust firewall and redundancy system to serve all customers. The firewall can be used to protect overall system against attacker. Redundancy to accommodate the users with advertisement even some of the servers went down either for maintenance or repair.
• Encryption. In order to protect all wireless communication, encryption is really essential especially when concerning personal information. This means, all communication between the shopping cart and the servers must be encrypted.

RiskInterruption in the RFID transmission is a risk that the supermarket must bear. The RFID has been around for a long and people know the technology quite well. Thus, the possibility for tampering the RFID or change its configuration could be reasonable. Additional protection in the form of shielding of transmission leakage outside the supermarket and the transmission encryption might be needed.Database tampering might be an issue, especially the one that has the content of customer information, advertisements, process payment; and it can talk directly to the shopping cart. A complete and adequate protecting to secure customer data and daily transaction is necessary.ConclusionThe new shopping cart can give better customer satisfaction and better experience if the security permits it. Customers are exposed to risk where their personal information can be breached and exposed to others. Furthermore, they will be bombarded by many advertisements that are targeted to their preferences and habits. In short, the shopping cart will become more interactive to customer preferences in the expense of their information being mined and analyzed. It is a trade off that every customer might need to bear in mind when doing their shopping chore.If this method becomes popular, then we can expect all supermarkets to use this ‘smart’ shopping cart. Thus, the importance of maintaining privacy will invade our daily live when buying grocery.

http://www.securityfocus.com/columnists/461/1

Recently, a freelancer named Federico Biancuzzi published a book with his co-author, Greg Hoglund, about exploiting online games’ vulnerabilities. The article is an interview with Federico. He talked about one of the vulnerabilities in MMORPG is the fact that the server stores states in the client machines to have these client machines do some of the computations. This allows adversaries to be able to hack within their own machines to gain various benefits. This is because virtual assets in games now days hold great values. Federico also mentioned various ways to improve the online game security. One of which was having the game architecture server-side focus.

(Read on …)