Windows Mobile Bluetooth Security Vulnerability

By zhaoz at 1:18 am on January 30, 2009 | 2 Comments

A recent vulnerability discovered in the Windows Mobile Bluetooth server allows access to all files. This vulnerability is a simple directory traversal problem: using “../” or “..\\” in a requested path allows traversal outside of the shared directory. Users of Windows Mobile 6 and the Bluetooth OBEX-FTP server are vulnerable. Most Windows Mobile 6 devices come with the default stack.

Windows Mobile 6 is the current generation of Windows Mobile produced by Microsoft.

This is a fairly serious vulnerability since attackers could copy or upload arbitrary files to any directory on the device. Possible avenues could include viruses, loggers, and trojans. However, the issue is mitigated by the fact that (as with most Bluetooth devices) the device must be paired before any communications can transpire. This usually requires the consent of the owner.

Since parent directory traversal issues are well known and handled in almost any server (e.g. web servers), it is surprising that such a vulnerability was able to pass through testing. Although the owner is required to consent to any pairing, it is unlikely that the owner would want to give arbitrary access to all files on his device. A security review should have found this issue, since file servers and directory traversal tend to go hand in hand.

Hopefully, this vulnerability will be addressed soon and give enough of a kick to Microsoft to look into any other vulnerabilities that the Mobile 6 platform may have. This is not the only security issue to have been found in the Bluetooth stack. A denial of service vulnerability was found in the way Bluetooth device names were advertised, allowing attackers to reboot the device remotely.
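The check the post says a file server should have had, as an added example (not code from the original post or from any Windows Mobile component): every client-supplied path is folded onto one separator, joined to the export root, normalized, and then rejected unless the result still sits under the root. The root path, the `resolve_within_root` and `is_safe` names, and the sample requests are all constructed for illustration.

```python
import posixpath


class PathTraversalError(ValueError):
    """Raised when a client path would resolve outside the export root."""


def resolve_within_root(root: str, requested: str) -> str:
    """Map a client-supplied OBEX-style path onto the export root.

    Returns the normalized absolute path, or raises PathTraversalError
    if the path escapes the root. Both "../" and "..\\" are handled
    because backslashes are folded to "/" before normalization.
    """
    root = posixpath.normpath(root)
    # Fold Windows-style separators so "..\\" is normalized like "../".
    unified = requested.replace("\\", "/")
    # Client paths are always relative to the root: strip leading
    # separators so join() cannot treat the request as absolute.
    relative = unified.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Compare with a trailing separator so a sibling such as
    # "/data/share2" is not mistaken for a child of "/data/share".
    prefix = root if root.endswith("/") else root + "/"
    if candidate != root and not candidate.startswith(prefix):
        raise PathTraversalError(f"{requested!r} escapes {root!r}")
    return candidate


def is_safe(root: str, requested: str) -> bool:
    """Convenience wrapper: True if the request stays inside the root."""
    try:
        resolve_within_root(root, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests against a constructed export root.
    root = "/data/obex_share"
    samples = [
        "docs/report.txt",            # ordinary file under the root
        "docs/../report.txt",         # ".." that stays inside the root
        "../other/file.txt",          # escapes with a forward slash
        "..\\..\\other\\file.txt",    # escapes with backslashes
        "../obex_share2/file.txt",    # sibling-directory confusion
    ]
    for sample in samples:
        verdict = "allow" if is_safe(root, sample) else "reject"
        print(f"{verdict:6} {sample!r}")
```

The example normalizes only the path string; a server running on a real filesystem should also canonicalize the final path (for instance with `os.path.realpath`) so that symbolic links under the root cannot point outside it.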


Filed under: Miscellaneous | 2 Comments »

Security Review: Fingerprint Scanners

By devynp at 10:42 pm on January 29, 2009 | 4 Comments

Fingerprint identification is the oldest biometric method. Everybody has a set of unique fingerprints, formed by the ridges and valleys on the skin. Fingerprints have been used in many fields, such as crime scene investigation and criminal databases, to identify people. In terms of technology, biometrics are used as an authentication method, alone or in combination with other techniques, such as a password or another biometric form.

A fingerprint scanner collects prints and creates images that can then be analyzed and compared to images already on record. Optical and capacitance scanners are the two major types on the market used to collect and analyze fingerprints. An optical scanner works like a digital camera: it collects data on the light reflected off of one’s fingerprint. The lightness/darkness of the reflection is created by the ridges and valleys on the skin. A capacitance scanner also creates an image of one’s print; however, it uses electrical current and conductivity to mark the light/dark areas of the print.

After image collection, a fingerprint scanner system compares specific features of the print (minutiae), such as the angle of certain ridges/valleys, the location of circles, etc. To get a match, the system doesn’t need to find every pattern in both the sample and the record; it just needs enough matches, and the threshold varies.
(Read on …)

Filed under: Security Reviews | 4 Comments »

Security Review: Lexus “Talking” GPS

By millsea0 at 8:53 pm on January 27, 2009 | 3 Comments

With the increasing role that technology is playing in our lives, it was inevitable that we’d reach the point where we too could enjoy the luxury of a talking car, such as the infamous KITT from Knight Rider. The convenience of having a talking GPS unit that can suggest places to go is a bit of a luxury, but also a step into another form of auditory spam, as mentioned in the USA Today article.

Lexus is currently adding this feature to new automobiles; in addition to allowing the company to send messages to the driver, it will also be able to suggest places that the driver might want to travel. As if drivers today did not already have enough distractions with cell phones and other technology that is able to interface with your car, this unit seems to be leaning towards more of a frivolous luxury than something of use.

If not endowed with the proper security, the device would seem to be the prime target of an attack. Simply transmit new directions or send a new audio file for it to play and you not only have an easy way to send a driver to the middle of nowhere, but to also provide a loud distraction that can send a driver into a panic during rush hour. Other automakers need to decide if we really need further distractions in our cars before rolling out the new technology. (Read on …)

Filed under: Security Reviews | 3 Comments »

Verizon VoIP House Phone Hub

By lisa89 at 4:37 pm on | 2 Comments

Nowadays, traditional phone service is not widely used. As stated in an article from, “VoIP phones are growing in popularity — and 20 to 25 percent of customers are canceling home phone service.” In order to keep Verizon’s customers and compete with other companies like the cable television companies, Verizon is launching a VoIP house phone hub that provides many special features.

This VoIP phone requires a router to plug into. The VoIP house phone handset can connect to its hub, which offers applications such as navigation. The hub has a constant Web connection; in the meantime, it is capable of browsing local traffic, weather reports, and online calendaring.

Assets and security goals

  • The first asset is to make it easier for busy families to manage their schedules. As stated in the summary, the VoIP hub is capable of navigating, managing schedules, viewing weather and current traffic, and also works as a usual phone.
  • (Read on …)
Filed under: Security Reviews | 2 Comments »

Data Breach at Heartland

By sunetrad at 1:14 pm on January 26, 2009 | 4 Comments

A New Jersey based payment card processing company, Heartland Payment Systems Inc., admitted last week to a data breach of their system. In what may turn out to be one of the largest compromises of payment card information, Heartland disclosed that intruders had hacked into their systems and planted malware that they had then used to steal debit and credit card data.
What the folks over at Heartland remain unaware of is how the attackers launched the attack or how long the malware has been in their systems.

This is a grave matter for this company and its 250,000 business customers, for which it processes around 100 million transactions every month. This is being compared to the attack on TJX in 2007, when around forty-five million cards were compromised. So how successful were the attackers in getting the data they wanted in this case? According to reports from Heartland, the intruders were able to capture card account numbers, expiration dates and, in some cases, the customers’ names as well. The malware installed on the system allowed them to sniff unencrypted data as the transactions were being processed in Heartland’s system.

What the thieves were not able to get their hands on were the personal identification numbers (PINs) and the addresses of the card holders. This is generally the information that they need to withdraw funds from the victims’ accounts online or on the phone. Heartland also stated that although this information was not compromised, the attacker could duplicate the stolen data, clone the debit or credit card, and then swipe it at any location to extract funds.

Reading about this incident made me think of all the times I went to Starbucks and used my debit card. I didn’t have to enter my PIN, and the cashier never asked me for my ID or took my signature. All he/she did was swipe my card. Many people do not track their transactions daily, and hence a thief could easily get away with small withdrawals like this for a period of time if he was successfully able to clone the card with the stolen data. There is risk involved in this approach, like being caught under surveillance, but many businesses that do not enforce security measures as mentioned above just clear the way for attackers. The “two-factor authentication” technique would definitely be more effective in this case.

What I also found interesting in this article was that Heartland was not able to detect this attack for a long time, until it was brought to their notice by Visa and MasterCard, who discovered the suspicious activity. This caused the malware to run for a longer time and hence compromise more data. Also, the attackers chose a card processing company instead of a retailer, and this shows that they wanted their attack to be more effective, as more transactions would be going through the card processor than its customers.

Filed under: Miscellaneous | 4 Comments »

Obama’s Blackberry Security Review

By couvb at 5:33 pm on January 23, 2009 | 9 Comments

It looks like, after much debate, Obama will be allowed to continue to use a smart phone (from most articles I have read, it seems unclear whether the phone will still be the Blackberry he seemed to like so much, or an NSA-approved smart phone, or a combination of the two). Much of the debate centered around whether a Blackberry could be made secure enough for the President’s day to day use. For example, Obama would not want a highly sensitive conversation with the Secretary of Defense to be heard by anyone trying to listen in. Smart phones can also deal with email and the internet in general, which opens up the possibility of an exploit coming from there. Smart phones also have GPS receivers, and are in essentially constant contact with cell towers, both providing methods to track the phone. (Read on …)

Filed under: Miscellaneous, Security Reviews | 9 Comments »


By Frung at 9:58 pm on January 22, 2009 | 12 Comments

It turns out Macs can catch something. Apple’s most recent version of iWork, the counterpart of Microsoft Office, contains a Trojan. Well, almost.

The pirated version that you can download from places such as The Pirate Bay is the one that contains the Trojan. It includes an extra package when installing, and when the user gives the iWork installer administrator privileges, the Trojan package uses them to launch its own installer. After a successful install, the Trojan sends a message back to the mothership and awaits further orders.

(Read on …)

Filed under: Current Events | 12 Comments »

Security Review: Electronic Medical Records

By nhunt at 6:10 pm on | 7 Comments

Now that computers have reached the mainstream, demand for online services is increasing. Recently, this has come to include access to medical records over the Internet. The existence of products such as Microsoft’s HealthVault and Google’s Google Health demonstrates the demand for this type of service. Even though such services can be used to improve the quality of health care, care must be taken to ensure they don’t create new problems.

(Read on …)

Filed under: Security Reviews | 7 Comments »

Current events: Sony Ericsson a victim of its own employee

By sal at 10:54 pm on January 16, 2009 | 7 Comments

Issues of stealing physical or intellectual property (physically or electronically) in the context of a malicious company insider are closely interrelated, as some common prevention mechanisms can be adopted for both.

According to the recent article by Mikael Ricknas, cell phone prototypes were stolen from the company by its own employee. As Mikael points out, despite the fact that the total cost did not exceed about $90,000, there could have been bigger indirect losses if competing companies were made aware of these designs.

As one of my employers at one of the security companies I worked for mentioned, “opportunity” is the key word for why thefts occur. Company employees often have the most such opportunity. Even employees with good intentions, as mentioned in an article by Alex Johnson, “Cybercrooks’ best friend? Experts say it’s you,” are among the biggest threats to company security.

Depriving company employees of all such opportunities is an impossible task as long as the company has employees, but significantly reducing the chances of such breaches occurring is possible by at least two well-known means. The latter article mentions the commonly cited policy of “least privilege” as one of the ways of prevention. Also, electronic monitoring and recording of activities and making employees aware of such monitoring, or at least creating an impression of the existence of such monitoring, could be another of the most effective methods for deterring or shifting away such crimes.

Some ethical issues, such as privacy protection and employer-employee trust, will apparently arise from overusing some of these methods, and companies will always have to find a good balance. Although Sony Ericsson did not appear to disclose many details about the event, it is undoubtedly beneficial for society in general that crimes of this type are made public, as it emphasizes the problem and (if an arrest followed) can serve as yet another deterrent.

Filed under: Current Events, Ethics, Physical Security, Privacy | 7 Comments »

Absent student forfeits raffle

By stemcel at 9:23 pm on | 6 Comments

Here at the University of Washington CSE Department we often have events called Tech Talks, where guest companies come in and give a demonstration of their technologies and expertise. Tech talks are usually interesting, and the visiting companies usually bring free company-branded “swag” and often have raffles for bigger, more exciting prizes. But what usually draws hungry CS students (this one, anyway) is the free food that the company inevitably brings. I’ve never won anything.

Last night we had a tech talk given by Palantir Technologies, a very promising-looking company that aims to transform the way people work with large data sets by making it easier to discover and visualize trends and connections in the ever-accumulating mountains of data generated by our modern technological culture. They had a great sales pitch, a fascinating presentation, tons of free swag (hyperbole here, but it was really a lot), and quality free food from Taco del Mar. And at the end of the evening they planned to raffle off an iPod touch. Not everyone stayed for the whole event, but as it wound down the time for the raffle finally came.

(Read on …)

Filed under: Current Events, Ethics, Integrity, Physical Security | 6 Comments »