UW Computer Security Research and Course Blog

With everything going wireless now, many people are cutting the cord and getting wireless keyboards and mice. However, not many people stop and think what might happen if these wireless peripherals are compromised. If say someone could spoof the identity of your keyboard and mouse then they could potentially take control of your computer. However, the manufacturers anticipated that so some minimal amount of encryption is put in place. It was recently found here that older Microsoft devices working on the 27Mhz band could be easily compromised. The encryption scheme used in these products XORs the keyboard status with a random byte, resulting in only 256 possible keys… It is easy to see that this could be exploited fairly easily.

Newer products utilizing Bluetooth are more secure but still have vulnerabilities. The frequency hopping used in Bluetooth in conjunction with the packet encryption using the E0 stream cipher provide a sense of security. Attacking the PIN used in pairing has shown to be an effective way of compromising the encryption used in Bluetooth…
(Read on …)

On Thursday, Apple happily unveiled its plan for third party support of native iPhone applications. The plan involves an application development and distribution pipeline including an iPhone SDK, a suite of IDE tools, and a sales and distribution plan through the new iPhone “App Store”. Apple is restricting the distribution of 3rd party applications through their app store by requiring an iPhone developer account. There will be no other supported way to get 3rd party iPhone applications onto the iPhone. Apple has also made the claim that no malicious, pornographic, or software with security vulnerabilities will be distributed through their store.
(Read on …)

Bruce Schneier posted on his blog earlier in the week about a new, free, open source application by the “Cult of the Dead Cow” (cDc) called Goolag Scanner. It essentially automates a technique called Google Hacking, which was pioneered by a hacker going by the handle “Johnny I Hack Stuff”. Google Hacking entails using the massive Google search engine to discover vulnerabilities on a given server or domain by using targeted searches. These searches are aimed at finding back doors, sensitive information accidentally made publicly available, vulnerabilities in server software, and more. The software, along with a friendly voice that guides you through the installation process, comes with 1,500 built-in searches to use out of the box.

(Read on …)

Summary

Most people have probably heard a car alarm go off sometime in their life, and the chances are that it was a false positive are also pretty good. Usually cars that have an alarm have some sort of alarm in place will try to advertise this fact, such as having a small blinking red light to indicate that there is some sort of security in place. Car alarms can trigger on a variety of events. Some of these triggers are vibrations, rotations, contact, pulling of a handle, changes in battery voltage, and sound. When triggered, the car will emit some sort of loud, repetitive, obnoxious sound for many minutes, or until it is turned off using some sort of authentication, usually the clicker of the car. The general idea is that sound attracts attention, so if some set of illegitimate events are happening to someone’s car, other might notice and come to the rescue. One of the most likely people to react to the sound of a car alarm is the owner. However if someone breaks a car’s window, the alarm goes off, and then they run away, the owner still loses. So the alarm really is more of a deterrent than a real physical barrier. (Read on …)

Despite the satirical title, teams of Physicists from the U. of Calgary and the Tokyo Institute of Technology recently published papers (and here) detailing their feat of storing a ‘squeezed vacuum’ by apparently reducing the amplitude of a quantum-mechanically interpreted EM wave to zero. ScienceNow has a more clear detailing (with pictures) than I seem to be able to give, and the /. article may provide further illumination.

The researchers suggest that this technique may be able to be used to facilitate a more secure transmission of secret keys between end hosts in the years to come.

ATMs are surprisingly easy to hack according to CNET.  From a report on ATMs, up to 90 percent of the ATMs in the U.K. could be at risk for worms, denial-of-service attacks, getting customer data intercepted, and having money stolen from their safes. (Read on …)

Researchers at Princeton University have found a very interesting and different approach to bypassing encryption. It has been demonstrated that when dynamic random access memory (DRAM) is frozen to extremely low temperatures, it retains whatever data is currently loaded onto the chip for minutes or even up to hours. On an encrypted system, when a computer is turned on or in use, the data contained on the RAM includes the key to whatever encryption structure is being used on the machine. This means that given physical access to a machine, an attacker can freeze the memory to retain that data that is currently on the RAM, then reboot the machine, and quickly copy the information off of the DRAM before the system has a chance to overwrite this sensitive information. Obviously once a key is obtained, the encryption of the system is useless. Given that DRAM is currently the most widely used type of memory chip in personal computing, the possibility of this sort of attack is cause for great concern. In the research attacks carried out, nothing more was used than multi-purpose duster spray cans turned upside down, which can freeze the RAM to temperatures as low as -60 degrees Fahrenheit, and a simple piece of software that copies the contents of the RAM that can easily be loaded from a network connection or USB device. These attacks worked both on the original compromised machine, or even when the DRAM was taken from the original machine and booted from a separate machine. This method of attack is a serious threat to the strength of such general disk encryption structures as Apple’s FileVault and Microsoft’s BitLocker.

It has been known since the 70’s that memory can retain it’s data for a prolonged period of time when frozen, but Princeton’s research in the area is the first time that this situation has been formally addressed from a security standpoint. It is unclear if or how much this tactic has been used in the past, since this was simply research on a possible attack that could be carried out and not on any particular use of the attack in the real world. However, knowing that it is possible will certainly cause security designers to re-think the structure of their products with this in mind. It seems that since this characteristic of the RAM has been known for so long (30-40 years), this attack possibility would have been forseen and addressed by this point. However, this is just another example of how Security vulnerabilities are always infinite, and there is no end to the strange and creative ways a system can be attacked.

Even though this attack is only possible when an attacker has physical access to the machine, this does not mean that it can be written off as unlikely and thus low-impact. This issue is especially important in a world where laptop and mobile computing is becoming the status-quo, causing full disk encryption to be a critical measure in security as physical compromise of personal computers becomes more and more likely. That is why companies like Apple and Microsoft have made large efforts to make sure that there is full disk encryption available on the systems that they produce. Now finding that such systems might not be nearly as secure as was once hoped will have a great impact on these companies, their customers, and the general computing community at large.

It is difficult to say how the industry will respond to this security threat. This is an issue that stems from a combination of hardware and software characteristics of current computing technology. Thus steps could be taken in a variety of directions, such as changing the common DRAM model so that this freezing tactic does not in fact cause the data to remain on the chip, or somehow reworking the full disk encryption model so that the key is not so readily accessible on the chip at any given time (which seems hard since the system needs the key in order to decrypt the data itself). Regardless of the direction the industry goes in response to this threat, the solution will not be easy and will certainly not be instantly carried out, since the characteristics that allow the attack to happen are deeply rooted in how personal computing works today (what type of memory that is used or how encryption schemes are set up). Consequently this could be a legitimate security concern for a long time to come.

CNN got an inside view of the so-called “Chinese cyber militia” when a group of three Chinese hackers agreed to be interviewed. This group of hackers claim that “no site is one hundred percent safe,” and that they’ve even broken into the Pentagon in the past. Should we write off these claims as hallow boasts from a group of fame chasers or is this something more?

First, let us consider who they are. Operating out of an apartment room in China, the group consists of a former computer operator in the People’s Liberation Army, a marketing graduate, and a self-taught programmer. In their cement-floored apartment with almost no furniture, the group leader quote sayings from Sun Tzu, “Know about both yourself and the enemy, and you will be invincible.”

They have been operating a hacking website with over 10,000 registered users, according to article, but CNN “decided to withhold” the address of the site. A quick search on Google leads to a site dedicated to being “Inside the World of Chinese Hackers,” which identifies their site as hack4.com. The front page of the hack4.com features a very comprehensive listing of articles, from discussing US-China relations, to reporting Fortify’s warnings of MySpace and Facebook vulnerabilities, to “Hacker’s Love Letters.” The website also compiles a large collection of downloads, from password crackers, to trojan generators, to overflow attack tools.

The group’s leader makes two bold claims:
1. That the group had successfully broken into the Pentagon network and downloaded information in the past.
2. That the Chinese government secretly pays them.
Of the Pentagon hack, he says, “They would not publicize this… It is very sensitive,” but does not discuss what information they obtained. Given that the Pentagon does report experiencing “multiple intrusions,” many originating from China, the Pentagon-hacking claim may be considered plausible. The second claim is less plausible, as it would require that they did obtain sensitive information and that the government would be willing to allow a group of rogue hackers to perform operations that could have international implications. In any case, no evidence whatsoever is provided to back the claims, so these can only be considered to be speculative.

What primarily distinguishes this group from merely a group of media hogs is (a) that they seem dedicated to hacking full-time and (b) that they have established what appears to be an authoritative site within the Chinese hacking community (if, in fact, they are not the people behind hack4.com, let’s suppose they are). Especially with the lofty goals of “ensuring the free sharing of the spirit of freedom” and “safeguarding China on the basis of our voices,” they do seem to take their work seriously. With about 10,000 users registered to hack4.com and given the existence other similar sites, Chinese hackers are indeed a growing fixture of the security landscape.

David W., Max A., Travis M.

The Onion has posted quite a funny video taking advantage of the many security problems with the Diebold voting machines.

Diebold Accidentally Leaks Results Of 2008 Election Early

There’s been a lot of security-related issues in the news this week (just like every week, actually). I thought I’d fuel the discussions by listing a few of them. I thought I’d also provide some links to topics that 3ric discussed on Friday. Please create new blog entries for the topics you’d like to explore further:

• RFID cards to help prevent underage smoking in Japan: http://www.taspo.jp/english/taspo/Introduction.html
• Homemade robots patrol Atlanta streets: http://hardware.slashdot.org/article.pl?sid=08/03/07/2029236
• Open source robot for household tasks: http://hardware.slashdot.org/article.pl?sid=08/03/07/012207
• Sat-nav dog collar that keeps track of Fido: http://women.timesonline.co.uk/tol/life_and_style/women/the_way_we_live/article3501141.ece
• Video of talk on reverse engineering crypto in an RFID chip: http://www.hackaday.com/2008/01/01/24c3-mifare-crypto1-rfid-completely-broken/
• H1kari’s work on intercepting GSM: http://www.hackaday.com/2008/02/15/shmoocon-2008-intercepting-gsm-traffic/
• Brain scanner can tell what you’re looking at: http://www.wired.com/science/discoveries/news/2008/03/mri_vision
• Attacking Chip & Pin credit card transactions: http://www.usenix.org/events/sec07/tech/drimer.html