UW Computer Security Research and Course Blog

The U.S. Federal government is planning to spend millions of dollars upgrading the backbone of the internet’s routing system. Specifically the Department of Homeland Security (DHS) is planning to quadruple its budget for improvements (from $600,000 to $2.5 million per year), which supposedly should improve the security of communications on the internet.

By implementing these changes, the DHS hopes that man in the middle attacks as well as the modification of data can be prevented. These upgrades target two major portions of the internet’s infrastructure; the border gateway protocol (BGP), and the domain name system (DNS). For BGP, the updated protocol will be called BGPsec. This adds digital signatures to BGP announcements. Security researchers have claimed that BGP is one of the weakest links of the internet because of its numerous vulnerabilities. Attacks against this protocol can be disastrous because they are often targeted at large portions of the infrastructure and not individual hosts. For DNS, the improved DNSsec will hopefully make it harder for attackers to hijack web traffic because hosts will be able to verify their domain names and IP addresses with digital signatures and public-key encryption.

(Read on …)

Companies such as the Massachusetts-based biotech company, MicroCHIPS, are developing what they call “intelligent implanted devices” for long-term internal patient monitoring and treatment. Patients which would normally require frequent blood tests, monitoring, or drug injections can instead implant a device which is able to deliver doses of drugs on command or at regular intervals as well as monitor the patient and transmit this data to a receiver. These devices tend to be made of titanium and are currently about the size of an Oreo cookie but miniaturization is in the works. They have many potential uses, such as continuous glucose level monitoring for diabetic patients, needle-less, pain-less insulin injections on command, scheduled, decreasing doses of morphine for recovering addicts, scheduled and targeted chemotherapy, and frequent and regular release of anabolic agents to treat osteoporosis. A cause for concern, perhaps, the MicroCHIP device can currently be activated and signaled to release drug doses over a wireless link.

(Read on …)

Everyone knows the bookstore sells books only after a tremendous markup. But does that really mean they can afford to employ lax security?

Consider the situation of the books department: all of the textbooks for every class in the university are housed in a single room smaller than the main Kane lecture hall. Much smaller, actually. About half of the floor space is taken up by racks of books. Under everyday conditions this is fine, because generally less than ten customers are browsing around at a given time. The problem becomes apparent just before the quarter begins, when the book room becomes so crowded that standing in the register line I sometimes think that I’m back in Disneyland, waiting for a ride on Splash Mountain.

Imagine my disappointment when I realize I’m actually in line to empty my wallet in exchange for ten pounds of paper.

All these bodies in such a small area can help to hide a malicious book-snatcher masquerading as a customer. Booknappers need simply gather target books into their backpacks and force their ways upstream around the registers and out of the store. The UW bookstore provides no substantial countermeasures.

(Read on …)

The California based company Proteus has created an edible computer chip designed to mark a new way of monitoring patient drug intake. The process involves two pieces of technology: a small chip containing sensors and a small patch worn by the patient. The chip is attached to a pill, swallowed by the patient, and then activated once it enters the patient’s stomach. Once activated the chip sends signals to the patch. The patch can track data like heart rate, respiratory rate, temperature, and body angle. This data is then automatically uploaded via Bluetooth to an online repository and given a timestamp. Doctors can use this data to monitor whether a patient is correctly taking his or her medication or the effects of the medication from the convenience of their cell phones or personal computer. This product, named Raisin, is currently in clinical trials.

(Read on …)

The Government Accountability Office (GOA) realeased a report last week
stating vulnerabilities in the security system used by the IRS to protect
taxpayer data. The report showed the IRS has number of security issues
in the way that it protect sensitive data.

Some of the major security issues include: the IRS doesn’t encrypt certain
types of sensative data, user IDs and passwords can be easily obtained by
any user on the network, and they don’t enforce strong password rules for
authenticating users.

A lack of an agency-wide security program and no annual review of risk
assessment are the root of many of these issues. As a result, the IRS is
especially vulnerable to attackers with inside information, wich could expose
taxpayer and financial data.

The GOA cited several specific security problems. Among those were the
following: A contractor-maintained website has exposed usernames and passwords;
any authenticated user on the network has access to shared drives containing
sensative data like taxpayer informaiton and social sercutity numbers;
financial information and account data were tranferred from the IRS’s accounting
system without first being encrypted; inadequately logging various security
events at data centers.

The IRS is currently trying to improve it’s security system. They have taken
several steps to do this thus far, including, better controls for authenticating
users, patching critical vulnerabilites quickly, and forming a better plan
for logging critical business processes.

IRS Commissioner Douglas Shulman responded to GOA report, stating that data
security and privacy are of the utmost importance to the IRS, and said that
they would release a detailed corrective action plan stating how they would
fix the vulnerabilites discovered.

This report by the GOA followed the October release by the general for tax
administration that also criticised the IRS’s security controls. That report
was mostly critical of the security vulnerabilities found in new $1 billion
system called CADE the IRS is rolling out to eventually manage all taxpayer
accounts. They were also critical of the $700 million system called AMS that
is designed to provide faster access to the taxpayer information stored in
the CADE database. The report cited several weaknesses with access control,
system access monitoring, and disaster rocovery involving the CADE and AMS
systems, which pose a direct threat to sensative taxpayer data.

With indentity theft rising each year and more and more security breaches
occurring, keeping sensative data is of the utmost importance. The IRS
databases contains sensative information on almost every American citezen. The
IRS’s lack of security measures to protect the information of taxpayers could
result in a large security breach that could affect millions of Americans.
With such a poor security system in place, it is only a matter of time until
a security breach occurs unless the IRS acts quickly implement an agency-wide
security plan to keep sensative information secure.

The fact that these kinds of vulnerabilties exist in a government system
housing a wealth of sensative data on millions of Americans demonstrates the
much larger issue today. Too few institutions are concerned with protecting the
sensative data within their databases. Security is still an afterthought,
security patches are issued and holes are fixed, rather developing a secure
system from the start. The new CADE and AMS systems the IRS is rolling out
is just another demostration of how systems need to be designed with security
in mind from the start, and that simply is still not happening.

The security review on the EU passports reminded me of this one:  As of October 2006, all US passports will contain RFID chips in them, which, when read reveal all the information that is printed on the passport itself, as well as a digital photo of the passport holder.  This brings up a privacy issue since basically we will now all be holding passports that can be read without our consent.  When using an RFID system, in which data can be read off of the small computer chip inside the passport – only by being in proximity to a reader.  This means that an adversary can do what is called ‘skimming’ in which they can intercept the transmission between the reader and the passport – obtaining all the passport’s data, undetected.  This is very similar to ‘packet sniffing’ on the internet.  Just as one can sit in a coffee shop and read your gmail without you knowing, eavesdroppers can now sit at the airport and read your passport without you knowing.  (Read on …)

Back in April 2008, a South Korean woman who was banned from entering Japan for 5 years slipped through security at airports using a fake password and some special tape.  The immigration control system in Japan features a state-of-the-art biometrics fingerprint scan.  Each person is scanned, and their fingerprints are cross-checked with a database containing fingerprints of fugitives and foreigners with deportation records.  However, the system, which cost $40+ million USD to implement all over Japan, was defeated using special tape on her fingers.

This security vulnerability came into light when the South Korean woman was spotted in Nagano, Japan in August 2008.  She was questioned before being deported, revealing that a South Korean broker supplied her with a fake passport and special tape to trick the fingerprint scanners.  It is believed that many other foreigners have entered the country in the same fashion.

It’s interesting to note that the fingerprint scanner was an additional security measure on top of checking passports.  The details of the exploit aren’t mentioned in the article, but it may have been the case that the new fingerprint scanners were heavily relied upon to establish identity, and the passports may not have been as closely scrutinized.  Preventive measures may have included a closer inspection of passports as a well as someone to stand by the fingerprint scanner to verify there’s no “tape” or any trickery going on.  Of course, ideally a state-of-the-art fingerprint scanner wouldn’t be tricked by some sort of tape.  But without recovering some of the special tape, it may be difficult to design against such an attack.  Additionally, the problem with security with hardware is that it’s difficult to fix.  You can’t just patch it like you can with software.  The biometric scanners cost over $40 million USD, and upgrading them all would be very costly.

What’s interesting about this particular use of a fingerprint scanner that makes it easy to circumvent in this fashion is that rather than establishing an identity to grant access, it establishes identity to deny access.  Creating a random fingerprint that doesn’t match a fugitive is much easier than creating a specific fingerprint that matches someone with priviledged access.

It’s not clear how the Japanese have reacted to this incident, but I’m sure if such an event occured in the US, there would be a lot of outcry about what a waste of money it was to implement such systems if they can be so easily circumvented.  The question now is, how does one address the issue without spending millions more?

The straight-forward and costly answer is to redesign all the fingerprint scanners.  This would require some of the tape in order to test against.  This is probably a very costly route.  Another option is to disregard the security issue and go after the source, the South Korean broker that supplied the tape — a route that the Japanese will probably pursue regardless.  Yet another option is to place other security measures to either strengthen the rest of the immigration process (after all, the fake passport defeats the system as well) or to monitor the fingerprint devices more carefully.  Likely airports will implement the latter option, since it is relatively cheap and may satisfy the public.  However, in general, the public’s trust and belief in high-tech security measures such as biometrics may be somewhat shaken.

This article can be found in several places: [Sydney Morning Herald] or [Daily Yomiuri Online]

The Technology

SIDA (Secure Identification Display Area) badges are identification devices issued to airport personnel, which establish which areas of the airport an employee is authorised to access. Each airport has its own SIDA badge classification system and issuing authority. The badges themselves are printed on standard credit card-sized media, with elements such as the employee name, picture and card expiration date printed on the front, along with a prominent colouration and/or lettering, which indicates the access level of the employee. On the back is a magstripe, used to grant access at SIDA entry points, typically in combination with a PIN. In addition, personnel who need to frequently enter and exit sterile areas may be issued badges that can be used to bypass sterile area security screening procedures.

(Read on …)

            The EU recently passed a bill to introduce computerized biometric passports which will include people’s fingerprints as well as their photographs. It joined a host of other countries which have taken similar steps towards increasing the security of their citizens’ identities.

Although the bill received tremendous support, there was opposition from some civil liberties groups towards the creation of a database filled with personal identity information. Their technical reasoning was that “Biometric passports are only as safe as the existing paper documents they will replace” and this will only give criminals a clear channel to travel once they have acquired false biometric IDs. Is that really the truth?

            The whole idea for having biometric passports began in the aftermath of the 9/11 attacks where having them would make it harder for the criminals to forge identification documents.

However, it is true that adding extra security to a system to cover some holes can at times expose it to other vulnerabilities. Biometrics takes a person’s identity which is unique and uses that to build a key. But this type of authentication becomes ineffective once attackers are able to impersonate biometric measurements. Let’s say that the user’s fingerprint is the “key’, and the attacker manages to impersonate it. Now we can’t even revoke the key because the user cannot get a new fingerprint. Also biometric authentication has the disadvantages where a number of false positives and negatives are generated. The article gives two examples where two innocent people in different events (a Madrid train bombing and a murder scene in Scotland) were falsely accused because their fingerprints were falsely identified.

            An interesting point is made in the article where it is stated that if the emphasis switches to biometrics then too much use of technology would get rid of the ‘human element’ in the jobs of security guards. They would risk not observing if a person appears nervous or fidgets while passing through security which would otherwise be good signs that a person may be lying or committing something wrong.

            The parliament rejected the proposal for children to carry biometric passports as for one their fingerprints change as they grow older and that makes it a less reliable form of identification. Since the passport based system is fingerprint-based in the EU, people with no hands would not be able to have such a passport and hence the bill will make them apply for a temporary 12 month passport.

            We know that biometric authentication techniques can have disadvantages. So to have a more effective authentication technique, it should be coupled with another technique. This is called “two-factor authentication”. If along with a passport, they ask for some kind of a PIN or password that only the person knows, then the security process would be more effective. Also the article didn’t mention it, but if the biometric passports use Basic Access Control protection or Extended Access Control protection, then that would bring in strong encryption for the private data such as the person’s personal information and biometric measurements stored on the passport.

Article : http://pcworld.idg.com.au/article/273122

A worm known as Downadup, or also Conficker by some security companies, is spreading rampantly by exploiting a bug found – and patched – months ago in Windows machines.  F-Secure believes that the worm has already compromised 35 million machines total.

Though Microsoft had deemed the security flaw important enough to issue a rare emergency update for it back in October, it has responded fairly quickly to this latest surge by the worm by adding detection for it to its malware removal tool on Tuesday.

Though Microsoft’s code has often been criticized for its alarming rate of security flaws, it is difficult to do so in this instance given this rapid response, and researchers from F-Secure and Symantec agree; the issue in this case is customers that have failed to apply the patch.

Though hackers have yet to turn the network into a botnet, the infrastructer is in place for it to do so.  Every day, the worm uses a very complex algorithm to generate hundreds of domains that it would query for instructions from its masters, only any one of which the hackers would have to register to control the botnet.  By contrast, as with the Srizbi botnet last year, security firms have to register every single one of those domains in order to wrest control away from the hackers.  FireEye, a security company, tried to do this for a while, but it soon became too expensive to do, and the hackers regained control of their network.

This incident raises questions as to whether customers should be allowed to choose whether or not to install updates anymore.  Apart from corporate customers who have to worry about the compatibility of their custom software, the time has perhaps come for security updates to be force-fed to consumers, particularly those who disable updates without realizing the full implications of that decision.

[source: link]