UW Computer Security Research and Course Blog

Despite assurances from MySpace that photos in private profiles can only be seen by people on a user’s friends list, its web architecture has failed to enforce this. Info about a backdoor has been disclosed and made publicly available on message boards for months.

Users under 16 have their profile set to private by default, and according to MySpace, “Only the people you select will be able to view your full profile and photos”. When an unauthorized user tries to click on a photo link of a private profile, the following error message is given: “This profile is set to private. This user must add you as a friend to see his/her profile.” But anyone with some basic skills can plug the target’s public account number, called a “Friend ID,” into a specially crafted URL GET request, resulting in a bypass of this security measure and granting access to those photos… In other words, the link is not available, but it can be build based on trivial data.

Several forums online have started to post a number of MySpace photo links for underage girls. None of the posts appears to have involved with child pornography or other illegal conduct, however this is against the privacy of such private profiles.

More in CNET: http://blogs.cnet.com/8301-13507_1-9858905-18.html

Summary

A CAPTCHA System is a Completely Automatic Public Turing Test to Tell Computers and Humans Apart.

Initially developed by Carnegie Mellon researchers, this system was mean to differentiate between actual people and automated robots when it comes to opening new accounts (email accounts, eBay accounts, bank accounts…). A CAPTCHA is an image made of words and numbers that are shifted, added different fonts, added colors, shades, and slightly blurred but still readable for the human eye, to avoid that spammers open accounts in a automated way.

Dan Hubbard, Vice-president of WebSense, reported recently that Microsoft’s CAPTCHA system used by every Windows Live site has been compromised. It has been reported that bots are obtaining a 35% rate of success, with the capabilities to register hundreds of new users per minute using automated HTTP queries via raw sockets. These ‘virgin’ accounts are used for a short period of time (before getting blacklisted) to send SPAM by email or Virus to ‘recruit’ more botnet zombies. Yahoo CAPTCHA system has been reportedly hacked a few weeks ago as well, by a Russian researcher.

(Read on …)

Home monitoring systems like Quiet Care exist to allow independent living for elderly people. The system works by monitoring the person’s daily movements with wireless activity sensors in each room. The information collected from these sensors is gathered at a communicator and then is sent to the Quiet Care server and is analyzed for patterns. If the server detects unusual behavior, it contacts the caregivers of the individual.

(Read on …)

Summary
In many of today’s college classrooms, especially introductory science classes, the large majority of students often makes it difficult to gauge classroom participation. A solution used in many of the lab science introductory sequences at the University of Washington has been to require each student to purchase a ‘clicker’, a wireless transmitter, using either RF or IR technologies, and have them produce multiple choice answers from a selection of answers shown on a large screen in the front of the class, which are then received and tabulated in realtime by a receiver somewhere in the room.

(Read on …)

At its essence CyberLocks are like mechanical locks++, enabling you to bring intelligent electronic access control to even the padlock level. CyberLock cylinders, which cannot be picked and maintain an audit trail of usage, can replace virtually any traditional lock (e.g. for doors, cabinets, padlocks, server racks, etc.) without any wiring. However, with the introduction of these additional features comes also the increased potential for new vulnerabilities and attacks. The following is an overview of the typical CyberLocks usage scenario that I will review (see this video for a clear and concise overview of the system (after which you may be able to skip to the Assets section of this review)).

(Read on …)

According to an article from Slashdot, a serious weakness in the random number generator provided by OpenBDS has been found. It is apparently also used in several other BSD operating systems. Some of them has released a fix or are planning to release one. However, OpenBSD refuses to fix it, stating that the problem is irrelevant in the real world.

Gradually over the year of 2007, I’ve been turning to Google to help me get through sticky problems with open-ended programming projects. As I’ve moved from Java to actual implementable languages such as Python and C#, I’ve found that more and more of my answer end up at places such as experts-exchange.com. I’m of course ecstatic that my exact problem has been found on the great big interweb; the Google summary shows me part of a solution! Of course, when I actually navigate to the site, I’m greeted with a greatly-reduced page with lots of ‘trial options’ (example). What happened to my content that I just saw highlighted on Google? It’s nowhere to be found.

(Read on …)

Windows systems like many other operating systems hash passwords instead of keeping them clear text in the event an attacker ever gets a hold of authentication data. Microsoft first developed the Lanman (LM) password hashing scheme in Windows for Workgroups 3.1. In order to maintain backward compatibility Microsoft has kept this system enabled by default all the way through Windows XP (Vista still supports LM hashing but is by default disabled). Due to the design of the original LM system it is now feasible for many people to store large sets of precomputed hashes (rainbow tables) and crack complex, non-dictionary, passwords in just a few minutes.

(Read on …)

According to Scientific American, the US Navy is considering to deploy a new technology, Deep Siren, to improve communication to and from submerged submarines. As of now, submarines have to be no deeper than 60 feet and towing a floating antenna behind them before they can communicate with the outside world. This makes the submarines far less agile and much easier to detect. The Deep Siren System will theoretically allow subs to communicate at any depth and speed.
(Read on …)

GM’s OnStar service has been a sucess for several years now. It gives many services to people with GM vehicles. It provides some very powerful features such as GPS tracking, stolen vehicle slowdown, remote unlock and emergency services. However the technology imposes potential for exploitation.

(Read on …)