UW Computer Security Research and Course Blog

Researchers at Duke University Medical Center have successfully used a monkey to control a robot. By putting the monkey on a treadmill and implanting electrodes into its brain, the movement of the robot in Japan matched the movements of the monkey in the U.S. The movement of the robot continued after the treadmill stopped, supposedly as the monkey was still thinking about walking. This research is motivated by the desire to help those severely paralyzed be able to walk again. Researchers hope to create robotic limbs that respond to users’ thoughts.

(Read on …)

Given the iPhone’s myriad vulnerabilities and the unrest spawned by their high-profile discovery and exploitation, perhaps the security aspects of new Apple products, such as the Time Capsule, merit our consideration. The Time Capsule is a sleek wireless hard drive that doubles as a 802.11n Wi-Fi base station. Through the Time Machine application in OS X Leopard, the Time Capsule enables automated backup from multiple Macs to its 500GB or 1TB hard drive. Security features include WPA, WEP, MAC address filtering, and a NAT firewall. However, the amount of configuration needed for these security features is not specified on Apple’s website, and the emphasis is on a easy setup (“a matter of a few clicks”).

(Read on …)

An article in InformationWeek yesterday exposes the details of what McAfee’s ScanAlert product actually means by “Hacker Safe”. The ScanAlert product issues certifications that websites are safe from attack. However XSSed.com, a website dedicated to exposing Cross-Site Scripting attacks, gave InformationWeek a listing of 60+ Hacker Safe websites with open XSS vulnerabilities. In response to the accusations, ScanAlert representatives assert that ScanAlert certification does not consider XSS vulnerabilities as dangerous. The reason being the XSS attacks are entirely ‘client side’, meaning they do not allow the hacker access to the server, data, or customer information.

(Read on …)

In one of the more interesting stories to come out of the telecom industry in recent weeks, the New York Times is reporting that AT&T is currently in the testing phases of developing a network filter that will monitor their networks for copyrighted content. The company is reportedly in talks with content owners such as NBC Universal regarding incentives for the company to filter copyrighted material.

(Read on …)

According to vnunet.com, Microsoft recently announced they are actively investigating a potetially serious security flaw that targets Microsoft Excel 2003 users. Apparently, attackers can place malicious code in the Excel document header that executes upon opening the document. Upon excecution, the attacker gains access to the user’s machine under the permissions of the current user.

(Read on …)

According to a report Tuesday from the Government Accountability
Office, sensitive taxpayer data housed at the IRS is critically
vulnerable to security threats. The report is a follow up from March
2006 where the security problems were initially discovered. The new
report indicates that 70% of the issues discovered in March remain.

(Read on …)

Security software vendor F-Secure has recently reported the first known “scareware” scam targeting Mac users. The software known as MacSweeper (www.macsweeper.com) poses as legitimate security software that “discovers” numerous fake problems and threats, which can only be solved by purchasing their $40 product. A senior security specialist at F-Secure shared two ways he determined the illegitimacy of MacSweeper: running their provided scan showed vulnerabilities in Mac-specific folders even when run on Windows machines and the company’s “About Us” section was taken directly from Symantec Corp.’s website. The website itself however is very professionally done and it is difficult for casual users to notice its phony nature.

(Read on …)

Summary:

The physical system I am reviewing is the prototypical home security system. These systems are used to provide an increased sense of security (compared to only door and window locks), and provide a guarantee against more professional break-in attempts. By professional, I am mean to define the skill with which an adversary would enter and exit without leaving evidence behind. A professional would be able to enter and exit undetected. Such a system would have window and door sensors, as well as disaster monitoring and reporting to a central office. Each sensor is attached to a door or window, and is able to detect if it has been opened. If the system is armed and the sensors or disaster systems are activated, a siren will sound and the central monitoring office would be notified.

(Read on …)

Reports of three photo frames that came infected with a Trojan Horse were received by the Internet Storm Center this Christmas.  The photo frames made by Advanced Design Systems were bought from different Sam’s Club stores.”It propagates to any connected device by copying a script, a com file and an autorun file,” one consumer reported to the ISC. “It hides all systems files and itself while completely eliminating the user admin ability to show hidden files. It creates processes that negate any attempt to go to anti virus and anti spam web sites.  It prevents the remote installation of any antivirus components” (Robert Lemos, Security Focus).

 Both Advanced Design Systems and Sam’s Club representatives could not be reached for comment by Security Focus, but it is suspected that the malware could have come in the manufacturing plant or from frames that were put back on shelves after being infected and returned to the stores.  Often stores do not have very stringent policies on returns and will not know that an electronic has been compromised.  Manufacturing plants can introduce a virus through an infected computer in the plant or perhaps an insider.  Some manufacturers have made efforts to stem this rising trend by making sure all equipment and computers are not attached to any outside network.

This is not the first time that consumer electronics have been infected with malware and viruses.  Anything with on-board memory has the potential to be infected including MP3 players, USB drives, hard drives, and even musical sunglasses.

Some examples of past incidents due to mistakes in manufacturing processes include a hard drive from Seagate in October 2007 and Apple’s iPods in 2006.  The Seagate hard drives had a Trojan horse program that stole account identification and passwords for a Chinese online game.   They had been infected at the manufacturing plant in China because of a computer at the plant that was infected.  The iPods had a Windows virus sneak on board the hard drive.

It is not known whether this most recent attack was a mishap or intentional, but certainly there is a possibility of intentional attacks on consumer electronics.  With the proliferation of personal electronics, this will be an increasing problem in the coming years.

 Lemos, Robert. “Malware Hitches a Ride on Digital Devices,” Security Focus, Jan. 9 2008. http://www.securityfocus.com/news/11499.

A website created for the Transportation Security Administration for the purpose of allowing travelers to resolve watch-list or screening problems was found to be inadequately secured, causing travelers to inadvertently transmit sensitive personal information in the clear. Most of the website was entirely unencrypted, and the few parts that were secured used self-signed certificates, making it impossible for end users’ software to corroborate the validity of the encryption.

This lack of security resulted from a failure to take appropriate security precautions by the company contracted to create the site. What should have happened here, and what should happen for all websites that handle sensitive data, is oversight by people competent in the area of computer security. Some of the basic aspects of oversight could probably be automated by software crawling the internet.

The broader issue at hand is that most people are largely unaware of how insecure the vast majority of internet communication is. Because of this they are willing to transmit sensitive data like credit card and social security numbers via email, im, or other (typically) insecure methods, without regard to the security implications.

The TSA website that was created insecurely should be revamped with proper security mechanisms put in place. In the medium-term, audits should be mandated for governmental websites to make sure that there are no fundamental failings in the set ups. In the long-term future we should create policies and foster a culture of people that clearly recognize the importance of privacy and the risks of communicating private data insecurely. source: http://arstechnica.com/news.ars/post/20080113-tsa-security-flaws-exposed-users-to-risk-of-identity-theft.html