UW Computer Security Research and Course Blog

The other night one of my friend’s asked me about the webcam in her laptop. She was concerned about people gaining access to it and spying on her. Her fears got me to thinking about this problem.

Integrated webcams are becoming the norm in most laptops. The privacy implications of unauthorized access are staggering. A lot of us take changing in the secrecy of our own room for granted, but what if that wasn’t the case? In this security review I look at the possible weaknesses and defenses this class of products has.
(Read on …)

Summary

TrueCrypt is a disk encryption system intended to solve the problem of people being forced to disclose encryption keys or face consequences. It allows a disk partition to be completely encrypted. The most recent version even includes a special bootloader that can be used to have a complete Windows installation inside of an encrypted volume.

One of TrueCrypt’s unique features is the ability to hide another volume inside of the same encrypted partition. The hidden volume is stored at the end of the primary volume, in what looks like random data in the free space of the primary volume.

(Read on …)

http://www.daniweb.com/blogs/entry2060.html

Apparently a company in Russian named Gleg finds security holes in commonly used software and then sells information about the exploitabilities to their ‘clients’ who pay lots of money to get knowledge like this. It sounds like they publicly stated that they have a buffer overflow attack that works against the new version of RealPlayer 11. The vendor that makes RealPlayer has repeatedly asked Gleg for information about the vulnerability, but Gleg apparently refused to disclose any information about the weakness. It is disorienting for me to think of what this Gleg company does as legal, but it does not seem like they are actually breaking any laws in doing this.

The title says it all. According to the article linked below, Customs has been seizing electronics like cell phones and laptops on grounds of “suspected criminal activity.”  Some travelers complained that their devices were taken for more than a week and copied by the agency during that time.  This calls into question the jurisdiction of Customs, who said that it was similar to searching a briefcase and finding hard-copy evidence.  While I understand the necessity of surprise, random searches like this, I think if notifying travelers would have been a better idea to mitigate travel stress.  Many people subjected to this kind of search have complained already, and some have already gone to court in outrage. To help relieve concern and stress, I would suggest to Customs to submit a press release detailing the search procedure, as well as how the data is handled.

The article.

Summary:For this security review, I have chosen to evaluate our very own IMA (Intramural Activities) Building which I am a somewhat frequent visitor to.  The security concepts for the IMA are rather simple: let only those who are authorized into the building since it is a members-only facility.  Enrolled students, current or retired faculty, and the spouses of the members are some of the people eligible for a membership with a quarterly fee.  An employee sits in the lobby and swipes cards as members walk in via a forced path.   (Read on …)

Along with its popularity, Facebook has become the central of personal informations. It records users’ personal information along with their interaction and activities with other users. Privacy setting is used so users can decide who they would like give access to which part of their information.

(Read on …)

This security review is inspired by the story of a firefighter whose Safeway shopping history landed him an arrest for arson in August, 2004. More information on the story here: http://www.computerbytesman.com/privacy/safewaycard.htm

Most people are probably familiar with the concept of a grocery store shopping card. The Safeway Club Card is a membership card that can be used to save money on grocery shopping. Products throughout the grocery store store are marked with special limited-time-only “member prices”, which are slightly reduced prices that can be used by anybody carrying a Safeway Club Card. People without the cards must pay full price, but are often asked at the cashier if they would like to apply for a Safeway Club Card. The Safeway Club Card are “free” to acquire–there is no fee involved, only disclosure of personal information. (Read on …)

The Mac OS X Dashboard is a platform for developing small applications, or Widgets, that can be accessed and hidden quickly at any time within the OS. Common widgets tasks include simple calendars, calculators, games, weather tracking, and system monitoring. There are thousands of user created widgets available for download through apple.com and other sites. Widgets are built using standard web technologies such as CSS, HTML and Javascript. However, they also contain hooks into the local system, allowing them file system access, access to compiled C code, and shell command access. These hooks are facilitated by the operating system running the widget instances and create a plethora of security concerns. (Read on …)

Most modern laptops have a slot in them that allows the user to affix a lock to the chassis.  The locks usually come in the form of metal cables with a combination or keyed lock on one end which fits into the side of the laptop.  The mechanism locks around a metal bar inside the computer, which is attached securely to the frame.  While these locking mechanisms do succeed in deterring mild, spontaneous theft, they are definitely not safe to be used in many scenarios.  (Read on …)

Yesterday I was looking through Schneier’s blog and found a link to an interesting article about the UK and online taxes (Article). According to the article in the UK, “Thousands of ‘high profile’ people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk.” This revelation has upset many as reportedly more than three million people use the online computer system to file tax returns. Those barred from using the online system have to submit hard copy forms. The following question has been raised. If the system is not safe for “important” people, why does the government still use the system? Has the government created a class of people that gets preferential treatment?
(Read on …)