UW Computer Security Research and Course Blog

News article here, covered on Slashdot here.

Google, with the cooperation of the Cleveland Clinic, is beginning a project to record medical history and other health-related data for patients. The stated goal is to provide patients with a way to access and manage their own health data, as well as to work towards a “more efficient and effective national health care system.”

While a common database of this information could indeed be useful for patients and healthcare providers, it raises some privacy and security issues. (Read on …)

Last week, when a Kuwait-based Gmail user tried logging in, he was denied access to his own account, and instead was granted access to over 30 accounts that did not belong to him. He was able to peek into other people’s private information and personal emails, including one that contained “keycodes for some embassy gate”. This incident that occurred during the last weekend was fixed on the following Wednesday.

A Google spokesman who confirmed the issue said that the problem occurred due to a caching issue experienced by the ISP in that region. However, another user in Sri Lanka reported a similar issue with his Gmail account.

The same user who faced problems with his Gmail account wrote to CNN that he had no problems with his other accounts such as Hotmail. Though Google confirmed that the issue was caused by the ISP, I think it is also Google’s responsibility to enforce security measures which will prevent such minor issues outside itself from compromising its users’ accounts.

Fortunately, in this case, the issue was not widespread. If it were, one can only imagine how much damage it can potentially cause.

Sources:

http://www.techtree.com/India/News/Is_Someone_Reading_Your_Gmail_Right_Now/551-87047-643.html

http://www.news.com/8301-10784_3-9875714-7.html?tag=newsmap

They’re out there…Some of us use them everyday…Especially college students living away from home…We can’t avoid them, unless we want to be stinky…

Yes I’m talking about coin-operated laundries…

Coin-operated washing facilities provide an interesting security problem, since the users only maintain a single asset, their clothes. The owners and operators of the facility are at most risk since they have to protect against people stealing money or gaining free use.

(Read on …)

This security review is intentionally left incomplete. It is simply a topic that I think would be interesting for us as a group to explore. If you can add to the discussion, please do, even if it’s simply to propose an idea, or to shoot one down.

Washington State Ferries have been using the Wave2Go system for over a year now. The old system required passengers to remain in a holding area after they had bought their tickets from one of three booths. Many patients would wait to buy their tickets just before the ferry would board, causing long lines right before departure and occasionally delaying ferries.

Wave2Go allows clients to buy tickets from multiple kiosks in addition to the three ticket booths. Alternatively, you can purchase tickets ahead of time online and then print them out. (Read on …)

Called The Reynard project, it is a series of plans for the U.S. Intelligence to monitor more internet traffic, most notably, data mining from several major MMORPGs, including WoW. The goal being to eventually create a system that can “automatically detecting suspicious behavior and actions in the virtual world.” Games often have things like bombs and assassinations in them, and it seems like the potential for a very high false positive rate is there. It kinda makes me wonder if custom UIs will have an option to use some sort of encryption with their in-game chat for those who are really bothered by big brother being over their shoulder.

Source:

http://blog.wired.com/27bstroke6/2008/02/nations-spies-w.html

http://www.joystiq.com/2008/02/23/wired-national-intelligence-seeking-terrorists-in-wow/

Summary

The past week has seen a renewed interest on the part of the security community in the reliability of hard disk encryption. With the recent revelation that data on encrypted drives is vulnerable to unauthorized access via memory manipulation, the technology has come under new scrutiny, and the integrity of existing disk encryption technologies is being questioned. While this blog has explored both the recent security breach and specific encryption tools (cold-boot attacks , Truecrypt security review), this security review will take a broad look at the security principles behind disk encryption and vendor-independent weaknesses and strengths of the technology.

(Read on …)

Security researchers have announced the development of a ultra-fast method of cracking wireless GSM encryption in 30 minutes or less.  The 64-bit encryption algorithm was cracked in theory over 10 years ago, but the development of new technology has exploited the vulnerability on a timescale that poses a serious threat.  GSM is used by many mobile companies worldwide, including T-Mobile and AT&T in the United States.  With a GSM wireless frequency receiver and the proper resources, hackers will be able to eavesdrop on phone conversations and text messages at will.  Fortunately, the technology is currently not cheap.  The developers are charging $1,000 for a solution that cracks GSM in 30 minutes, and $100,000 for a solution that cracks it in 30 seconds.  Still, the potential for privacy invasion in the future is tremendously daunting.

Who else is ready to switch to Verizon or Sprint?

Source:  http://www.informationweek.com/story/showArticle.jhtml?articleID=206800800&cid=RSSfeed_IWK_All

The government has decided to continue wiretapping phones with assistance from phone companies. These companies are also pushing a bill for immunity from lawsuits for participating in the tapping. What is the line at which informational surveillance pushes too far into privacy? Should immunity be granted?

 
Articles:

http://yro.slashdot.org/yro/08/02/24/135225.shtml
http://www.reuters.com/article/newsOne/idUSN2229053420080224

Recently, the police department in Quebec, Canada, busted an international hacking network. 16 people that were between the ages of 17 and 26 were arrested and this was the biggest hacking scam in Canadian history according to the police. These hackers collaborated online to attack and took control about one millions computer all over the world that didn’t have firewall or anti-virus software. Because of that, they injected Trojans or worms in those computers. The investigators mentioned that the hackers profited about 45 million dollars.
(Read on …)