Smart Pillbox Security Review

By Fabian at 2:38 am on February 17, 2008 | 1 Comment

Summary
“Smart pillbox could be a lifesaver”: that is the title of a recent news item in MIT in the world. It is designed to be used by elderly people so they can properly take their medication. The purpose is to enforce the prescribed regimen to prevent drug-resistant disease and to prolong life. It might also prevent the unnecessary loss of life due to a missed daily regimen.
Elderly people are the main target for this device, because they can be in a situation where they need to take a series of medications, such as more than ten drugs. This project consists of two systems, uBox for the patient and uPhone for the health care worker. The uBox will alert the patient to his/her daily regimen by flashing lights and sounding a buzzer. In addition, it will also record the time and other data, which can be retrieved by the health care workers. The uBox has 14 chambers for the medication, each of which will be filled with prescription drugs by the health care workers. The uPhone, on the other hand, lets the health care worker track patient progress and retrieve the related data from the uBox.
However, the smart pillbox is not only being developed at MIT; the University of Wisconsin-Milwaukee has also been trying to develop one. The difference lies in their dispenser unit, which can communicate with the medical staff via the web. The purpose of the smart pillbox is the same, which is to ensure adherence in taking medication.

(Read on …)

Filed under: Security Reviews

Insignia Photo Frame, Complete with Pre-installed Malware

By jkivligh at 4:49 pm on February 16, 2008 | 1 Comment

An Insignia digital photo frame has been pulled off the shelves once it was discovered that the units were shipped with trojans. Installed by the (Chinese) manufacturer, the trojan bypasses Windows Firewall and anti-virus software and collects gaming passwords.

We talk about being security conscious and preventing our systems from becoming infected, but it’s a different ballgame when we can’t trust the manufacturer.

More here. http://www.engadget.com/2008/02/15/insignia-photo-frame-virus-much-nastier-than-originally-thought/

Filed under: Current Events

ISP vs. BitTorrent

By Kris Plunkett at 3:13 pm on | 2 Comments

Since ISPs, most notably Comcast, some time ago began identifying and purposefully destroying or severely throttling BitTorrent connections passing through their networks, the struggles on both sides of the fence have been nothing short of a game of cat and mouse.

(Read on …)

Filed under: Availability, Current Events, Privacy

Number of Rogue DNS Servers Increasing

By robertm2 at 3:41 pm on February 15, 2008 | 1 Comment

Researchers from Google and the Georgia Institute of Technology have published a paper indicating the increasing number of attacks from the use of rogue DNS servers (the paper estimates that there are currently about 68,000 of these servers).  (Read on …)

Filed under: Current Events

Valentine’s Day Malware

By chrislim at 5:25 pm on February 14, 2008 | Comments Off

Human beings are often considered one of the weakest links in a security system, and this vulnerability is typified (and exploited) by the proliferation of Valentine’s Day malware (and its associated delivery mechanisms). The first article referenced below describes two recent attacks: one where an e-mail with a Valentine’s Day related subject line links to a malicious program (that remains undetected by many antivirus applications) and another scam that entails an e-greeting with a link to an American Greetings lookalike site. The site then asks users to install an application called “Adobe Flash Player”, which is actually a rootkit. Generally, attackers often steal data (for selling or identity theft) and use compromised machines to send spam, perform DDoS attacks, etc.

There is little that can be done to prevent these kinds of attacks from materializing since the e-mail (and internet) infrastructure is so open and flexible, but there are several controls for mitigating the threats. From a technical perspective, e-mail providers and other organizations can use e-mail filters to prevent the spread of malicious messages. Users can use virus scanners (though many AV programs failed to detect this recent malware) and many browsers already include anti-phishing warnings. Training users to be wary of unsolicited e-mails and to verify legitimate URLs, among other safe computing practices, is also important.

On a larger scale, it may be helpful to develop a more robust and trustworthy e-mail infrastructure.  With authentication, message sender identities can be verified and this process may assist in the detection and capture of the perpetrators behind the attacks described above.  There are several developing initiatives such as SenderID and DomainKeys, and there may be some synergies with the increasingly popular OpenID system, which can result in a trustworthy e-mail system.

Ultimately, the vulnerabilities of the human heart (security review up-and-coming…), particularly on Valentine’s Day, and human curiosity/mistakes can only be controlled by training people to discern true messages (in the general case) and by helping them to find love in the right place (in the Valentine’s Day case, and perhaps more generally). SDG

References:
http://www.securityfocus.com/brief/682
http://sunbeltblog.blogspot.com/2008/02/dangerous-new-fake-american-greetings.html
http://www.sophos.com/pressoffice/news/articles/2008/02/valentine.html

Filed under: Current Events

Security Review: Online Banking

By chernyak at 10:04 am on February 12, 2008 | 5 Comments

Online Banking – Many banks now provide an online application that lets the bank’s clients manage their funds. This includes both viewing funds and transferring them to arbitrary third parties through a feature called ‘Online Bill Pay.’ Thus, given access to a user’s online banking credentials, an adversary can easily drain the user’s funds.

(Read on …)

Filed under: Security Reviews

xkcd comic on key signing parties

By Karl Koscher at 9:47 am on February 11, 2008 | Comments Off

This comic should make more sense after today’s lecture.

Filed under: Physical Security

Security Review: Airport Security

By rudd at 2:09 am on | 2 Comments

Anyone who has travelled within the past 6 years has experienced the excruciating joy of going through modern airport security. For most domestic flights your checked bags go through one set of security procedures, and your person and carry-on items go through another. I will be focusing on the personal/carry-on side of airport security. (Read on …)

Filed under: Physical Security, Security Reviews

Security Review: IE7 Protected Mode

By cbhacking at 12:57 am on | Comments Off

The latest version (7) of Microsoft’s Internet Explorer web browser, like their latest Windows (Vista) operating system, is supposed to be the most secure version in the product’s history. A complete security review of either IE7 or Vista is outside the scope of this post, but there is one very interesting security feature found at the intersection of the two, called “Protected Mode.” Presented as a feature intended to limit the possible damage even if every other security feature in IE7 fails, Protected Mode limits the browser’s ability to modify the system in case of an attack while preserving the ability to execute other tasks, such as downloading files and allowing helper programs, plug-ins, and the user to interact with the browser much as before. (Read on …)

Filed under: Integrity, Privacy, Security Reviews

Security Review: Pop Machines

By bcbell at 12:20 am on | 5 Comments

While we have access to reasonably priced soda in the ACM lounge or the Benson store, the average person looking for a convenient drink has to shell out between $1.75 and $2 to buy from a pop machine. But why pay if you don’t have to? It is obvious that the manufacturers of these machines have put thought into their security: most machines will hardly let you reach in for the drink you bought, let alone reach up into the machine. Despite this, it is still possible to manipulate the machines into giving away drinks. Is their security good enough for most situations? Is the security too good? Let’s find out…

(Read on …)

Filed under: Security Reviews