UW Computer Security Research and Course Blog

“Update.  This entry was updated on <January 9, 2009> to reflect a <re-interpretation of the original article>.

After several years that Wii have been launch, hackers found flaws in Wii’s security aspect. According to an article from Nintendo World Report, a tiny processor that was kept as a secret for security reason is discovered by a group of hackers, Team Twiizers. Because the existence of the chip has been discovered, this can cause security problems.

As presented in this video, in order to run the game on Wii, a ticket (key) is needed. The valid keys are all stored in the chip. However, this chip does not only consist of keys, but also controls the turn on bit of the functionality of DVD playback that is turned off by default. These aspects make the hackers feel challenge to break Nintendo’s security system.

(Read on …)

The Security and Privacy Code of Ethics is a contract that every CSE484 student is required to sign, on penalty of a zero grade in the course. It places restrictions on the manner in which students may use knowledge gained in the course, and on the transfer of such knowledge. While it appears to be a good faith attempt by the University to prevent their students from engaging in malicious activities, it has several failings, and raises ethical issues.

(Read on …)

According to articles from BBC and TheRegister back in November of 2008, three London hospitals fell victim to the Mytob Worm.  Originating from early 2005, this worm spreads itself through email and prevents removal by disabling any attempts to retrieve virus update definition files.  The hospitals needed to shutdown their systems for three days to ensure proper eradication of the virus.  An efficient emergency procedure was executed promptly, minimizing impact.  Hospital directors claimed the hospital was not targeted and reassured patient records were not compromised.
(Read on …)

InformationWeek recently published an article based on data from the Identity
Theft Resource Center (a non-profit organization which aims to understand and
prevent identity theft), that shows an increase of 47% in the number of reported
data breaches in 2008. The business sector reported the most breaches, followed
by the educational, government, health and financial sectors. It’s interesting
to note that in 2007, government institutions were at the top of the list,
reporting the highest number of break-ins, but have since moved to third place.
This may suggest government and military organizations are taking more
proactive steps in protecting their information.

When the Internet first came about, data security wasn’t considered a
concern; it was established to enable collaborative work over long distances.
However, with today’s Internet, it is no longer a valid assumption that everyone
has good intentions. Despite this, people still refuse to take any measures to
protect their data. The article states that only 2.8% of the breaches had
encryption in use, and only 8.5% had any sort of password protection. It’s no
wonder there were so many break-ins.

Organizations need to recognize that the Internet is a dangerous place. It is
no longer the friendly environment that it was when it was first established.
Institutions should actively take steps towards protecting their data. This
would include password protecting all accounts, and encrypting sensitive data.
Further, users of these systems should be educated about general security
practices, such as what constitutes a “good” password or why company laptops
shouldn’t be brought home. Until actions such as these are taken, data breaches
will continue to occur.

These sorts of incidents give rise to a number of privacy and safety concerns.
For instance, a data breach at on online retailer could leak customer’s credit
card information; a break-in at the DMV could reveal names, photos and
addresses; private medical information can be gleaned from hospital computers;
or military secrets stolen from an insecure server.

These organizations need to be encouraged to be more conscious of security
issues. Individuals who were harmed by data-breaches should hold the institutions
accountable. For example, if it was a business that didn’t password protect
their customer database, customers should refuse to purchase products from them
until they revamp their security. Until they see repercussions for their lax
attitude towards security, institutions will have little incentive to change.

According to a recent article in USA Today, Lexus will begin including new technology to allow the company to send audio messages to the computers present in their cars. It appears to be similar to an e-mail system, where the user receives messages and can play them at his/her own discretion. This inclusion is simply part of an even larger electronic upgrade to the autos, simply known as Enform for now. While this definitely raises some concerns about how far into our lives marketing messages (i.e. spam) are allowed to be, it’s even more critical to be worried about what sorts of security measures will be implemented in their system.

(Read on …)

Recently, an article on The Wall Street Journal describes how Apple Inc.’s iPhone 3G was unlocked by a group of independent programmers called iPhone Dev Team. Apple has partnerships with wireless networks around the world that allows iPhones to work exclusively on carriers. An unlocked phone allows users to use any network carrier. The group released “yellowsnOw,” a free piece of software that can be used to unlock iPhone 3Gs. Several users claimed that they have successfully unlocked their iPhones 3Gs and were able to work on unauthorized wireless networks.

(Read on …)