More on Electronic Medical Records

By jap24 at 9:05 pm on February 6, 2009

As mentioned earlier in the blog in “Security Review: Electronic Medical Records,” Google has started an electronic medical record database called Google Health.  Today, IBM and Google announced that they have made software to allow PDAs to upload information to health care databases such as Google Health.  Google Health centralizes medical records for its users, by storing records entered manually or aggregating data from other related medical databases; the individual users decide who is authorized to access their records.  The new software can allow doctors to update patient information more quickly, and facilitates information sharing between health care providers.  As well as the obvious applications for sharing information between health care providers, the Computerworld article on this technology suggests that the new software would allow authorized people to keep track of the health of an ill family member more easily, as the doctors add updates to the database more quickly.  From the article, it was not obvious whether or not the software would also allow mobile devices to download records from the databases.

(Read on …)

Filed under: Privacy, Security Reviews

Security Review: .tel domain

By eyezac at 9:01 pm on

According to New Scientist, a UK company called Telnic is introducing a new top-level domain, .tel, with the intention of creating a “phonebook for the internet.” Users will only be able to register contact information, and this information will be accessible directly from DNS servers. In addition, Telnic has made available an API that can be used to extract and process this information. While this might make social networking as well as getting in contact with people easier than ever, it poses the possibility of some serious security risks.

(Read on …)

Filed under: Current Events, Privacy, Security Reviews

Security Review: iPod Touch

By lidor7 at 8:51 pm on

The iPhone has already had a security review and is similar to the iPod Touch, but I’m going to focus more on the security when someone has physical access to the device.  There are a number of security measures that are or can be used on the iPod Touch to limit access to certain features.  The iPod Touch, probably similar to the iPhone, contains a lot of personal information as well as access to iTunes and the App Store.

The two main assets on the iPod Touch are the personal information on the iPod, such as photos, emails, contacts, notes, and schedules, and the access to iTunes and the App Store.  The owner of the iPod Touch may have some sensitive photos or emails that should remain secret.  iTunes and App Store accounts are usually linked to a credit card.  The owner wouldn’t want other people to make unauthorized purchases.  The iPod has a lot of functionality, and it’s not always clear what information is sensitive and what isn’t.

The security goal here is to restrict or limit access to sensitive information as well as prevent unauthorized actions such as purchases from happening.  At the same time, all the functionality has to be easy enough to use.

So two potential adversaries could be a nosy or prankster friend or someone who has physically stolen the iPod.  A friend might want to snoop around your personal information or perhaps jokingly purchase an “adult” app or change your wallpaper to David Hasselhoff.  Someone who has stolen your iPod may want to purchase apps and music using your account and credit card.

So the iPod has a few security measures.  Functionality of the iPod can be password protected with a 4-digit number.  When an iPod is locked (which typically happens after a period of inactivity), it asks for a 4-digit number to unlock the iPod.  This is only the case when the setting is activated.  Access to the App Store or iTunes is also password protected, but this time with an iTunes password, which is likely more complicated and can contain letters and numbers from a full keyboard.

Now there are a few ways to exploit these two security features.  Since the iPod Touch is a touch screen device, there are often smudge marks left from oil on fingers.  With a 4-digit password, it can be easy to spot the 4 smudges on the screen that may possibly be the password.  Also, with the iTunes password or any password in general, there may be smudges, but more of them and with less spacing.  However, as a convenience to the user, password input always shows the last letter that was pressed for a couple of seconds.  Normally on a desktop or laptop computer, the password shows up as asterisks.  The iPod does the same eventually, but the last letter entered always shows up readable.  Someone looking over the shoulder can easily decipher the password.  Also, the pressing of each letter with just thumbs is much easier to read than when you have all ten fingers on a keyboard.  Additionally, once the password has been entered, it remains valid for several minutes before the password is requested again.  This allows an attacker to purchase apps or music right after the user has entered the password and finished with their legitimate purchases.

There are several potential ways to prevent these exploits.  If a different, more smudge-resistant screen were used, it might be more difficult to detect the password input.  Also, an option to suppress the display of the last letter of the password would be good.  Or even better, don’t show any asterisks, so eavesdroppers can’t see how long the password is either.  Additionally, perhaps a biometric scanner using a touch screen may some day be possible.

So the question really is, how much security do you need?  I imagine the information on an iPod Touch isn’t terribly sensitive in most cases.  And a device like that will typically be in close proximity to its owner and unlikely to be accessed by an adversary without being noticed.  The level of security already implemented seems appropriate for the value and sensitivity of the assets.  However, it would be nice if there were a quick and easy way to password protect certain apps like email or photos with just the 4-digit number.

As technology grows, more and more information and functionality will be implemented in smaller and smaller devices.  As a result, the value of the assets may grow as well.  Blackberries have typically contained much sensitive information, and the recent Blackberry Storm features a touch screen.  As the assets contained in small devices grow, the security features currently available may become inadequate.  It’s interesting to see more and more fingerprint scanners showing up in laptops.  It seems people are aware that portable devices can contain sensitive information and can be stolen quite easily.  It will be interesting to see what kind of new security measures may be implemented on touch screen devices in the future.

Filed under: Security Reviews

Current Events – Infections that begin with windshield fliers

By qwerty at 8:36 pm on

Not all computer malware infections are done completely electronically.  In recent events, cars in Grand Forks, North Dakota were tagged with “windshield fliers” which resembled a parking ticket, stating they were violating the “standard parking regulations” and that in order to view more about their offense they must visit some URL online.  This seems like quite a length to go to in order to infect someone’s computer, but often enough, it works.

(Read on …)

Filed under: Current Events, Miscellaneous, Physical Security

Security Review: Ford MyKey and similar systems

By Tim Crossley at 8:11 pm on

Ford Motor Company has stated that the 2010 Focus Coupe will be equipped with a technology called MyKey. Designed for parents wishing to ensure teenagers practice safe driving, the technology restricts certain actions such as driving too quickly. As currently announced, the system can restrict the vehicle speed to 80 mph, limit the audio speakers to 44% of maximum, and give constant audible alerts if seat belts are not worn. Read about the MyKey system here.

While MyKey is aiming for the parent/teenage child crowd, other products exist which automatically limit vehicle speed based on the current road. Using GPS and a database of known speed limits, these devices either limit the vehicle speed or issue a warning when driving over the limit. In all cases I’ve seen, these devices can be overridden, unlike the Ford MyKey. An example of one of these speed limiters would be the Wisespeed, by Imita.
(Read on …)

Filed under: Physical Security, Privacy, Security Reviews

Microsoft changes Windows 7 UAC after new exploit surfaces

By iva at 8:09 pm on

Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127392

The User Account Control (UAC) in Microsoft’s Windows 7 has already been compromised. Two programmers have written code that can alter UAC settings and, upon restart of the machine, execute arbitrary code with administrative privileges.

The basis of this problem stems from Windows 7’s new UAC default settings. UAC is Windows’ primary security feature, designed to alert the user of changes happening within the system and to request consent before proceeding with certain tasks such as, for example, installing programs. This feature, which was added with the deployment of Vista, has met considerable criticism, particularly in that most users consider it an annoyance. In an effort to alleviate this and reduce such disruptions, Windows 7 has headed down the opposite path. The Windows 7 UAC defaults to a greatly reduced number of pop-ups and allows you to change user permission levels (from regular to administrator) without notification. This becomes a real problem when the operating system cannot distinguish between a change made by a user and a change made by a program. And therein lies the vulnerability: all a malicious script has to do is enter the system, either by convincing the user to click on (consent to) it, or through some other breach. Once in, the script can silently change its permission level, force a restart, and begin executing whatever code it wants with administrator privileges. As is the case with most security vulnerabilities, this requires the user to consent to the script by downloading or running it; however, numerous phishing exploits show the frightening success attackers have had in accomplishing this.

Security is a difficult art to perfect, mostly because its importance is often easily forgotten by the one that matters the most: the end user. The threat of exploits is most heavily felt when it is too late, and is all too easy to ignore by uninformed users. It really can become a hindrance having to repeatedly approve actions you initiated, such as the installation of a popular program. Users are often exposed solely to the obstruction which security measures present and less so to the protection that they offer, as (hopefully) most users don’t have to deal with attacks. This is the problem with which Microsoft is faced. They need to strike a balance in which they protect the user without taking away from the experience (due to frustration with security barriers). Cutting back on UAC pop-ups is perhaps favorable; however, it should not go so far as to defeat the purpose of the entire security system in favor of usability. Changes to a central security setting, such as the user permission level, should not go unnoticed. It is certainly an important enough change that merits user attention in all cases, and furthermore is likely to be performed infrequently enough as to not cause any significant annoyance. It is important that security features be carefully integrated into the system, with the user in mind, such that they are not rendered useless when the user disables them; however, at the end of the day their job is to protect, not appease, the user.
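A defender-side check for the setting this article is about, as an added example (not code from the article or from Microsoft): it reads the three documented UAC policy values from the registry on Windows (and returns nothing elsewhere), then classifies them, flagging both silent elevation and the default level at which prompts are skipped for signed Windows components. The risk labels and the sample profiles are this example's own assumptions.

```python
"""Classify a Windows UAC configuration from its policy registry values.

Added example, not code from the article or from Microsoft. The value
names and their documented meanings are real; the risk labels and the
constructed sample profiles below are this example's own.
"""
import sys

# Real registry path holding the UAC policy values (under HKLM).
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Documented meanings of ConsentPromptBehaviorAdmin.
ADMIN_BEHAVIOR = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries only",
}


def assess_uac(settings):
    """Return (risk, findings) for a dict of UAC policy values.

    Missing values take the Windows 7 defaults (EnableLUA=1,
    ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1).
    """
    enable_lua = settings.get("EnableLUA", 1)
    admin = settings.get("ConsentPromptBehaviorAdmin", 5)
    secure_desktop = settings.get("PromptOnSecureDesktop", 1)
    findings = []

    if enable_lua == 0:
        return "disabled", ["EnableLUA=0: UAC is switched off entirely"]

    meaning = ADMIN_BEHAVIOR.get(admin, "unknown value")
    if admin == 0:
        findings.append(f"ConsentPromptBehaviorAdmin=0: {meaning}; a program running "
                        "in an administrator's session gains full rights silently")
    elif admin == 5:
        findings.append(f"ConsentPromptBehaviorAdmin=5: {meaning}; signed Windows "
                        "components elevate with no prompt, so code that drives one of "
                        "them can change settings, UAC included, unnoticed")
    if secure_desktop == 0:
        findings.append("PromptOnSecureDesktop=0: prompts appear on the interactive "
                        "desktop, where other programs can automate or cover them")

    if admin == 0:
        return "weak", findings
    if admin == 5 or secure_desktop == 0:
        return "reduced", findings
    return "hardened", findings


def read_uac_settings():
    """Read the live values on Windows; return {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    names = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")
    settings = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in names:
            try:
                settings[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: assess_uac() applies the default
    return settings


# Constructed sample profiles (not read from any real machine).
SAMPLE_PROFILES = {
    "always notify": {"ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1},
    "Windows 7 default": {"ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1},
    "never notify": {"ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0},
    "UAC disabled": {"EnableLUA": 0},
}

if __name__ == "__main__":
    for label, profile in SAMPLE_PROFILES.items():
        risk, findings = assess_uac(profile)
        print(f"{label:18} -> {risk}")
        for line in findings:
            print("   ", line)
    live = read_uac_settings()
    if live:
        print("this machine ->", assess_uac(live)[0])
```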

Filed under: Current Events, Miscellaneous

Security Review: Online Backup

By dannya at 7:51 pm on

Every day there are more online backup options: Mozy.com, Xdrive, Adrive.  This is a significant security concern that should be taken more seriously.  These online backup solutions offer encrypted data transmission and strong firewalls.  Although companies may say they are 100% secure, this is not a guarantee any organization can reasonably make.  A system can never be completely secure; a system can only be free of known exploits.  Commonly, large companies have their servers hacked and data stolen.  This has happened to companies as large as Comcast, Novell, Citibank, and Microsoft.  Even if certain online backup solutions were 100% secure, this would not ensure that all others are and will be in the future.  An attacker who gains access to an online backup server would have access to varied and immense data.

Assets & Security Goals:
– Online backups, once stored, should be separated from corporate external networks by multiple levels of protection.
– Companies should seriously consider whether it would be okay if their data leaked, and what the consequences for customers would be.

Adversaries and threats:
– Enemies: any rival to a company or person who uses online backup.
– Experienced adversaries: hackers with unreleased exploits to access servers owned by Mozy and other backup solutions.

Potential weaknesses:
– A port scan of all online backup company servers would likely reveal a vulnerability somewhere.
– A dictionary attack could be conducted on Mozy log-ins.

Defenses:
– The provider should remove the data from network access once it is backed up.
– Do not use online backup if you require the data to be confidential or it could be used to the advantage of a rival.

Online backup will likely become more ubiquitous, as all emerging technologies do.  When it becomes more prevalent, this issue will become a strong privacy concern.

Filed under: Security Reviews

Security Review: Amazon Kindle

By cxlt at 6:52 pm on


With rumors of Amazon revealing their next Kindle on Monday (an honor Engadget, along with other blogs, has already done for them), and as a user of the first Kindle, I figured that with its numerous features, communication methods, and potential appeal, it was an appropriate time to do a security review of the system. And as an irrelevant aside, I think the new model is really ugly.

The Kindle is an e-book reader, one of two primary contenders in the market at this point in time (the other being the Sony Reader). Like its competition, it features an E-paper screen, which is ideal for this application due to the fact that it requires no harsh backlight, and requires no power to maintain image – only to change image. In addition to being able to store and display ebooks (in unsecured Mobipocket, plain text, or proprietary Amazon format), the Kindle’s most fascinating feature is its EVDO antenna. Through Sprint, the Kindle provides free data transfer. The primary function here is to provide access to a wireless Amazon store from which users can purchase and download DRM-secured ebooks, but there is also a primitive web browser in the software.

Assets & Security Goals:

  • Preventing users from stealing books is the primary business security concern for Amazon. There is a twofold issue here: there is the potential for users to snoop in on the wireless transmission of the book itself, but there is also the potential of a user to steal the book once it is on the device – hence, there needs to be both wireless security and DRM on the final file.
  • Protecting the privacy of the user is a concern for the users of the device – while there aren’t any explicit laws protecting people’s reading history as there are for television and movies, what a person is reading on the device should still remain private to that user.
  • Providing security for the user while they browse the web is another concern that involves specifically the consumer rather than Amazon – this should be a simple matter of implementing existing security standards for the web.

Adversaries & Threats

  • People who would like to pirate content are again the primary threat to Amazon’s business on the Kindle. Protecting the ebook files in transit and storage should stop them from stealing Amazon ebooks, though given the Kindle’s capability of reading generic unsecured Mobipocket files, people could just as easily pirate those and drop them on the device over USB.
  • People who would like to steal users’ information are easier to defend against. They may want to steal credit card information as transactions occur, or find out what a user is reading. If the victim has sensitive material, such as corporate documents and manuals, or manuscripts for unpublished books, these may be a target.
  • People who want to cause harm to the user, either by purchasing books on their device without permission, or by causing them to lose the books they currently have. These people don’t have as much work to do as the previous group, as it is easier to cause harm than it is to steal information.

Potential weaknesses

  • Theft – should an attacker gain physical control over the device, there is virtually nothing that could be done to stop him/her from purchasing items on the tab of the actual user, accessing any pages with the web browser that may have saved passwords or cookies, and learning what the user has been reading – including reading sensitive material as described earlier.
  • The display is perhaps a surprising point of attack. However, as a user of the first Kindle, I have noticed that at times when the unit shuts off and blanks its screen, a trace amount of ink is left visible, enough so that display text is still visible. Given that the display works on the principle of magnetically charging droplets of ink, it might be that with magnetically sensitive instruments it would be possible to learn even more of what a display has shown. Given that sensitive documents or manuscripts may have been read on the device prior to its shutoff, and especially that it contains a web browser which could be used to browse sensitive material such as bank accounts, not to mention that passwords are inputted similarly to cell phones – with the last character inputted remaining visible until the next is typed – this could be a serious attack vector if enough study is put into the physics of the display.
  • The obvious vector of breaking whatever security is on the DRM’d files (after all, the method and key for decrypting them must be on the device somewhere if it’s able to display the books) would be an easy approach to breaking the security of the platform in general. Attacking the wireless transmission itself would likely be much more difficult since it’s probably based on well-established cryptographic algorithms, but breaking DRM is certainly not without a very large precedent.

Potential defenses

  • Passwords more prominently used throughout the device would mitigate the theft concern almost entirely (assuming, of course, chosen passwords are secure). Were the device to require passwords to power on or access certain user-determined books on the device depending on their sensitivity (the latter using encryption on the file rather than just an operating system refusal to open the file given that it could be retrieved by USB), much of the concern of the device falling into an adversary’s hands is mitigated. Potentially along with a remote kill-switch like that implemented on enterprise cell phones, the threat of the device being stolen would be greatly reduced.
  • More screen blanking would help the display issue greatly – at least with the immediate and definite problem of trace ink. The device typically flashes the entire screen to black and then white to clear the screen, and I’m assuming that a few more rounds of this would reduce the amount of material left on-screen afterwards. Since the rest of the threat is primarily speculation on my part, I’m not sure as to what the defense would be.
  • The ability to update the DRM of files remotely could be one way that Amazon could use to secure the files. It’s security by obscurity, but constantly changing the DRM scheme could be one way of preventing the attacker from figuring out how to crack the protected books. I’m not skilled enough in cryptography to know if there’s a way the device could possibly secure the books given that the decryption method and key are both stored on the device itself, without external authentication (the EVDO antenna may be turned off, and DRM’d files are still accessible in remote regions).

Most of my analysis is based on what Amazon wishes the Kindle would be – a general purpose reading device integral to the lives of those who use it – rather than what it is now – a largely novelty gadget which, while well-executed, is too expensive to be a reasonable purchase for all but the most fanatic book fans and extreme road warriors. Scenarios such as heavy duty web browsing (unlikely due to the slow response of the screen and slow transfer over EVDO), storage of anything other than books (such as the confidential material I listed above), and other such ubiquitous uses of the device are not a reality at this point.

However, if Amazon is serious about the device becoming hugely successful in the future, these are all issues that must be addressed soon.

Filed under: Physical Security, Privacy, Security Reviews

Current Event: Google Releases ‘Latitude’

By vincez at 6:19 pm on

Google has released a new product called ‘Latitude’. It is an extension based on the extremely popular Google Maps web application that allows users to track the exact location of friends and family members using the GPS signal in their mobile phones. This product has already launched, and even with the received criticism Google is standing behind its new product.

(Read on …)

Filed under: Current Events, Ethics

Security Review – Eve Online Alliance

By ericm6 at 4:56 pm on

According to an article from Massively, Eve Online experienced an upset in their internal politics this week. “Band of Brothers (aka “BoB”), the self-styled villain alliance in the game,” has been taken down from within their own ranks. Not having played EVE, I can’t comment on the exact details of the event, but it appears the alliance was disbanded by a single, well-placed deserter.  This is one example of a lack of security leading to the loss of a great deal of in-game assets.

The specifics of the situation are not entirely clear to me, but according to Massively:

Once assured a place within GoonSwarm, Agamar [the deserter] proceeded to disband the Band of Brothers alliance using his director level access. In addition to shutting down the alliance, he cleaned out his corporation’s ISK reserves and stole their dreadnaught (capital ship) fleet, which became a gift to GoonSwarm.

Other MMOs have a similar situation where player organizations have a single person in charge.  This makes management easy, since only the leader needs to be online to make any changes to the group, but at the same time this creates a single point of failure.  If this leader decides he no longer wants his position, he can simply hand off control to someone else.  If he’s malicious, however, he has the sole power to disband the group and keep any group-controlled assets.  In the case of other MMOs, these are generally not extremely valuable assets, but in Eve Online they can be immensely valuable in terms of the time required to obtain them.  In particular, with the disbanding of their alliance, BoB lost sovereignty of its territories, meaning any infrastructure there is useless for the next three months.  Their territories are conquerable, and their cyno-jammers (which prevent capital ships from entering the territory) and jump bridges (which allow smaller ships to move between systems) are all inoperable.  These assets took years to build and acquire, and they became inoperable for a few months due to the actions of a single individual.

Since Eve Online alliances comprise thousands of players, it would seem that there should be a more secure system to protect the assets of these groups than relying on a single individual to be in charge of everything.  In a real world setting, bureaucracy prevents any one individual from taking actions that could negatively affect the entire organization, and it would seem something like that is needed in Eve if this situation is something to be avoided in the future.  Then again, maybe it’s just what makes the game what it is.

Assets & Security Goals:

  • Maintain control and access to in-game assets, including defenses and manufacturing stations.
  • Privacy of communications made on private message boards.

Potential Adversaries & Threats:

  • Rival Alliances: the goal of PvP in the game is to conquer territories for your alliance/corp at the expense of other alliances and corps.  In this case, GoonSwarm’s main goal was to dismantle BoB.
  • Malicious Insiders: a disgruntled member of the alliance might wish to cause harm to the alliance before he leaves for greener pastures.

Potential Weaknesses:

  • A lack of any sort of bureaucratic system to make changes creates a single point of failure in the leader of the alliance.  If that player deserts, the member corps have no way of preventing him from dealing serious damage.
  • Likewise anyone who happened to gain access to that player’s account through insidious means, such as a keylogger, would be able to perform the same actions without any member of the alliance’s consent.

Potential Defenses:

  • Extraordinary permissions could be required to enact any sweeping changes to alliances.  In particular, removing a corp from an alliance could require a minimum number of director level players.
  • There could be a holding period before a corp can be removed from an alliance, allowing a day or two for other corps in the alliance to respond.

Some sort of balance needs to be struck between security against malicious actions and the ability of leaders to take those actions at all.  Perhaps this is already balanced in a way that makes the game what it is.  In order to make the politics and metagaming accessible to players and move in time frames of months rather than years, it makes sense that some of these actions would be a little too easy to be entirely secure.
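One way to model the two defenses proposed above, a minimum number of director approvals plus a holding period, as an added example in Python (not code from the post or from the game): a sweeping action such as removing a corp or disbanding the alliance cannot run until enough directors have approved it and the holding period has elapsed, and during that window any director can cancel it. The director names, quorum size and durations are constructed, and the cancel step is this example's assumption about how other corps would "respond".

```python
"""Quorum plus holding period for sweeping alliance actions.

Added example, not from the post or from the game. It models the two
defenses proposed above: an action such as removing a corp or disbanding
the alliance needs a minimum number of director approvals, and cannot be
executed until a holding period has passed, during which any director can
cancel it. Names, quorum size and durations are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PendingAction:
    kind: str            # e.g. "remove_corp" or "disband_alliance"
    target: str
    proposed_at: int     # time in seconds; an integer clock keeps this deterministic
    approvals: set = field(default_factory=set)


class AlliancePolicy:
    def __init__(self, directors, quorum, holding_period):
        if quorum < 2 or quorum > len(directors):
            raise ValueError("quorum must be at least 2 and at most the director count")
        self.directors = set(directors)
        self.quorum = quorum
        self.holding_period = holding_period   # seconds
        self.pending = {}                      # action_id -> PendingAction
        self.log = []                          # (time, actor, event, action_id)

    def propose(self, actor, kind, target, now):
        """Open an action; the proposer's own approval counts as one vote."""
        self._require_director(actor)
        action_id = f"{kind}:{target}"
        if action_id in self.pending:
            raise ValueError(f"{action_id} is already pending")
        self.pending[action_id] = PendingAction(kind, target, now, {actor})
        self.log.append((now, actor, "proposed", action_id))
        return action_id

    def approve(self, actor, action_id, now):
        """Add a vote; approvals is a set, so one director cannot vote twice."""
        self._require_director(actor)
        self.pending[action_id].approvals.add(actor)
        self.log.append((now, actor, "approved", action_id))

    def cancel(self, actor, action_id, now):
        """Any single director can stop a pending action before it executes."""
        self._require_director(actor)
        del self.pending[action_id]
        self.log.append((now, actor, "cancelled", action_id))

    def execute(self, actor, action_id, now):
        """Return (True, "executed") only when both gates pass, else (False, why)."""
        self._require_director(actor)
        action = self.pending[action_id]
        votes = len(action.approvals)
        if votes < self.quorum:
            return False, f"{votes}/{self.quorum} director approvals"
        remaining = self.holding_period - (now - action.proposed_at)
        if remaining > 0:
            return False, f"holding period: {remaining}s remaining"
        del self.pending[action_id]
        self.log.append((now, actor, "executed", action_id))
        return True, "executed"

    def _require_director(self, actor):
        if actor not in self.directors:
            raise PermissionError(f"{actor} is not a director")


if __name__ == "__main__":
    # Constructed scenario: one director alone tries to disband the alliance.
    TWO_DAYS = 2 * 24 * 3600
    policy = AlliancePolicy(["deserter", "dir_b", "dir_c"], quorum=2, holding_period=TWO_DAYS)
    aid = policy.propose("deserter", "disband_alliance", "BoB", now=0)
    print(policy.execute("deserter", aid, now=0))      # (False, '1/2 director approvals')
    policy.approve("dir_b", aid, now=3600)
    print(policy.execute("deserter", aid, now=3600))   # holding period still running
    policy.cancel("dir_c", aid, now=7200)              # a third director notices and stops it
    print(aid in policy.pending)                       # False
```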

Filed under: Security Reviews