Security Review: Full disk encryption

By mccoyt at 9:24 pm on February 24, 2008

Summary

The past week has seen a renewed interest on the part of the security community in the reliability of hard disk encryption. With the recent revelation that data on encrypted drives is vulnerable to unauthorized access via memory manipulation, the technology has come under new scrutiny, and the integrity of existing disk encryption technologies is being questioned. While this blog has explored both the recent security breach and specific encryption tools (cold-boot attacks, TrueCrypt security review), this security review will take a broad look at the security principles behind disk encryption and vendor-independent weaknesses and strengths of the technology.

Filed under: Security Reviews

Security Researchers Crack Wireless GSM Encryption

By esoteric at 3:52 pm on | 6 Comments

Security researchers have announced the development of an ultra-fast method of cracking wireless GSM encryption in 30 minutes or less. The 64-bit encryption algorithm was cracked in theory over 10 years ago, but the development of new technology has exploited the vulnerability on a timescale that poses a serious threat. GSM is used by many mobile companies worldwide, including T-Mobile and AT&T in the United States. With a GSM wireless frequency receiver and the proper resources, hackers will be able to eavesdrop on phone conversations and text messages at will. Fortunately, the technology is currently not cheap. The developers are charging $1,000 for a solution that cracks GSM in 30 minutes, and $100,000 for a solution that cracks it in 30 seconds. Still, the potential for privacy invasion in the future is tremendously daunting.

Who else is ready to switch to Verizon or Sprint?

Source: http://www.informationweek.com/story/showArticle.jhtml?articleID=206800800&cid=RSSfeed_IWK_All

Filed under: Current Events, Privacy

Now that we are being listened to

By joyleung at 2:43 pm on

The government has decided to continue wiretapping phones with assistance from phone companies. These companies are also pushing a bill for immunity from lawsuits for participating in the tapping. What is the line at which informational surveillance pushes too far into privacy? Should immunity be granted?

Articles:

http://yro.slashdot.org/yro/08/02/24/135225.shtml
http://www.reuters.com/article/newsOne/idUSN2229053420080224

Filed under: Current Events, Policy, Privacy

16 hackers got arrested in Quebec recently

By felixctc at 12:49 am on | 2 Comments

Recently, the police department in Quebec, Canada, busted an international hacking network. 16 people between the ages of 17 and 26 were arrested, and this was the biggest hacking scam in Canadian history according to the police. These hackers collaborated online to attack and take control of about one million computers all over the world that didn’t have firewall or anti-virus software. Because of that, they injected Trojans or worms in those computers. The investigators mentioned that the hackers profited about 45 million dollars.

Filed under: Current Events, Ethics, Integrity

Cold Boot Attacks on Disk Encryption

By Scott Rose at 2:15 am on February 22, 2008 | 6 Comments

Well-known security researcher and commentator Ed Felten and colleagues at Princeton report on a technique for breaking many whole-disk encryption schemes, including the most common ones. The attack is based upon scanning RAM for encryption keys, and is even (reported to be) effective on a machine that has been recently powered down.

Filed under: Physical Security

Spy Satellites

By Justin McOmie at 11:58 pm on February 17, 2008 | 3 Comments

Spy satellites will be used by local law enforcement to enforce the laws against United States citizens. Should this make us feel safer or more scared of our government?

On the one hand I expect any government to use the most sophisticated equipment it has available in the pursuit of law enforcement, but on the other, the more sophisticated the equipment gets the more difficult it will be for proper oversight to exist, and the tendency is increased (perhaps inadvertently) that the tools will be used for nefarious purposes.

A lack of oversight has the potential to lead to disastrous results. The brouhaha that occurred over the warrantless wiretapping could be just a hint of what’s to come if programs such as this gain more ground.

When news of this type comes out I get an ominous feeling of “ickiness” about the fact that we have less and less implicit privacy (that being the general privacy to do things like walk outside into your fenced yard without risk of wanton surveillance). But at the same time I have a hard time determining where exactly the line is being crossed.

Can someone help determine where (if at all) a problem exists? Does it lie in the fact that the Federal government is using instruments of national security for issues that should be locally controlled? The Slashdot comments section has a lot of alarmist comments (including the ubiquitous “omg 1984” kind), but I’m not certain how a line is being crossed.

Source: http://yro.slashdot.org/article.pl?sid=08/02/13/2331224&from=rss

Filed under: Miscellaneous, Privacy

Security Review: Blogging at the Olympic Games

By Justin McOmie at 11:52 pm on | 1 Comment

Summary:
The International Olympic Committee will be granting Olympic athletes the right to blog at this year’s summer games in China, and there will be a few interesting restrictions placed on what they can say. In addition to the standard laws all bloggers have to conform to (copyright, etc.), the athletes are prohibited from posting photographs of events, and from writing about other athletes, as well as from writing about anything that “may compromise the security, staging and organization of the games”. I’m going to examine the motives of the committee in putting these restrictions in place as they may pertain to security, ignoring issues like intellectual property for now.

Filed under: Security Reviews

Amazon’s S3 Outage: Usage spike or DDoS attack?

By iddav at 10:50 pm on

Amazon’s Simple Storage Service (S3) experienced an outage on the morning of February 15th, causing inaccessible content in the thousands of websites that rely on S3 for data storage. According to Amazon’s official explanation, the outage was due to a significantly increased volume of authenticated calls from multiple users. From the security perspective, this leads to more questions than answers.

Filed under: Availability, Current Events

Security Review: ASIMO Robot

By felixctc at 6:49 pm on

ASIMO is a robot that resembles a human and was created by Honda Motor Company. It was created at the Wako Fundamental Technical Research Center in Japan. The current version of this robot is version eleven. This robot, which is about four feet tall, looks like an astronaut wearing a backpack and it can walk and run on two feet. In addition, there are various features that ASIMO can perform. For example, it can recognize moving objects, postures and gestures, and environments. Therefore, it can react under various situations. In addition, ASIMO has facial recognition capabilities and can distinguish sounds. It can also find information such as weather reports by connecting to the Internet or greet and guide visitors given that they are valid visitors in the user’s network. Assuming ASIMO robots will be able to work as security guards in the future, here is the security review for the robot.

Filed under: Miscellaneous, Physical Security, Security Reviews

Microsoft bad practices

By imv at 2:42 am on | 2 Comments

Given all the Microsoft-bashing that takes place among Linux users, I’m surprised that no one has posted an article (that I’ve seen, at least) that clearly has an anti-Microsoft bias. Despite the bias of the following article, it makes a valid argument that Microsoft should adopt some C variant that is safer with regard to buffer overflows, which are still the “bread and butter” (according to the article) of malware authors. The author definitely overestimates the amount of time required by a user to maintain a reasonably secure and patched system. That said, the author makes a valid point: it is the algorithm, not the language, that dictates the overall speed of an OS – hence a “safe” language would be a better choice. Unix worked fine on hardware 20+ years ago, so there is no reason Windows should not be both secure and speedy on today’s hardware. Windows/ze-bashers, indulge.

Filed under: Policy