UW Computer Security Research and Course Blog

Source:
Cnet

In June 2008 Florida Highway Patrol officer John Wilcox pulled over Ariel Quintana for speeding, who was then discovered to be driving with a suspended license. The officer also suspected Quintana of being in possession of marijuana, but a search of the car revealed nothing. While in custody, Quintana’s phone rang and officers removed the phone without permission and started searching the contents of the device.

While going through the photo album, pictures were discovered of what appeared to be marijuana plants in a grow house. This resulted in a raid of Quintana’s address, which led to the seizure of over $850,000 worth of marijuana plants.

This is not the first case where a personal electronic device was searched without warrant that resulted in further evidence being used against a suspect in custody for an unrelated crime. Given the increasing presence and integration of personal electronics in every aspect of our lives, PDAs and cellphones can provide the most intimate details about their owners. As such, there is debate about whether the owners’ privacy should be protected given the nature of the information they contain, or if they should be considered containers and/or accessories for crimes which police should be able to search for further evidence for use in court, without the need of a warrant. As the article indicates, courts are split on this topic and there is still much debate about how these cases should be handled.

In order to prevent future incidences such as this from occuring again in the future, politicians and courts have to agree upon which circumstances searching digital devices is allowed, if at all.Given the nature of the types of information and data stored on personal devices, laws dealing with them must adapt to take the sensitivity of this information into account. The number of cases such as this will only increase with time, and policies need to be introduced to deal with this increasingly relevant issue. Individuals need to be aware of their rights, especially given the information at stake

source articles:

http://www.tgdaily.com/content/view/41032/144/

http://blogs.zdnet.com/security/?p=2419

GPU (graphical processing units) are usually intended to be dedicated hardware to aid in rendering 2D and 3D images.  However, as their computing and parallel processing abilities have grown to astounding levels, many have begun to think of ways to leverage this into other areas.  Recently, ElcomSoft has released a wireless security auditing software which leverages the GPU to increase the number of passwords which can be brute forced per second — the Nvidia Tesla S1070, according to the tgdaily article, can test up to 52,400 passwords per second.  To put that into perspective a  Core 2 Quad Q6600 can try 1100 per second.  Though is is a legitimate software released by a security auditing firm, it isn’t unreasonable to expect that this kind of password cracking capability will be attempted by skilled attackers.  All of this is part of a larger trend of graphical technologies beginning to emerge as a security concern: graphics drivers often have kernel level operating system access, and plans for software that can use DirectX rendering remotely could be a major headache for preventing malicious graphical content from compromising the system (rumors are that flash 10 could have this capability.  If so, this would add to flash’s history of security concerns).  It isn’t really feasible to prevent more integrated graphics, so as always, careful engineering and threat modeling will be called for.

The Stevens Pass ski resort has recently implemented a new RFID lift tickets access system for all their chair lifts. Although this greatly improves convenience and may shorten lift lines, it is vulnerable to severable attacks which could prevent it from functioning or allow a malicious skier to access the lifts without a proper lift ticket.

(Read on …)

It was discovered last Saturday that an attacker was able to steal thousands of user accounts, passwords, and e-mails from phpBB.com.  phpBB is open source and one of the most popular internet forum packages.  The attack utilized a 0-day-exploit in the PHPList third party application to gain access to the site’s server’s password and configuration files.  Later, the attacker made a blog post stating that (s)he had managed to acquire over 400,000 account details.  To substantiate the claims, the attacker then posted the PHPList email list and the phpBB.com’s user table.

As this was a zero day attack, at the time there was no patch that could have prevented this attack. However, PHPList was patched two weeks after the vulnerability was discovered.  The exploit was first published in mid-January, coinciding with the time in which the attacker had access to the files.  It is likely that the attacker learned the exploit from its publication and used it to attack phpBB.

A number of things could have been done to reduce the impact of this exploit.  First, the publication of the exploit could have been delayed until a patch was developed.  This potentially could have allowed the phpBB.com administrators to close the vulnerability before the attacker discovered that it had existed.  If the administrators had also encrypted user information such as emails and account names, the attacker would not be able to decipher them in any meaningful amount of time.  Finally, the passwords that the attacker was able to glean from the information were from passwords with unsalted MD5 hashes.  Salting the hash would have significantly increased the passwords’ resistance to attacks.  Additionally, using a different hash such as SHA-1 would have increased security.  It has been fairly recently discovered that MD5 suffers from some design flaws that leave it susceptible to collisions.

Unfortunately, not too much further can be done about responding to these kinds of attacks.  Administrators may be more wise about encrypting identifiable information, but given that this is already known, it seems that administrators in general have not yet learned that lesson.  Legally, it is already against the law to intrude into other people’s systems.  When it is very hard to detect and identify an attacker, law does not prove to be an adequate deterrent.  Users may become more increasingly aware that their identifiable information can be stolen if they share it with other parties, but ultimately they can’t avoid doing that indefinitely (or it may prove to be too inconvenient to avoid interaction).  Encrypting user information would do well to mitigate the damage of information leakages, but given the way most organizations have failed to do so thus far and are continually leaking information, this may take additional education and maybe even legislation.

link:
http://www.securityfocus.com/brief/902
http://www.heise-online.co.uk/security/phpBB-hacked-400-000-account-details-intercepted–/news/112567
http://www.phpbb.com/index.php

According to an article, Toshiba is producing PC’s that come with not only fingerprint readers but facial recognition software. The software uses a webcam built into the PC in order to identify the user. This software is designed so only the user can use their own computer and so that if the user would like to save passwords they can feel secure by only unlocking their passwords via the fingerprinting or facial analysis. While I can see how this might seem extremely convenient and much more secure than when people just autosave their passwords (sometimes the biggest security flaw is our own laziness), it seems to me that this software could present security issues both in the sense of Denial of Service as well as with false authentication. The article also seems aware of these flaws stating, “It is important to note that both fingerprint and face-recognition technologies are not foolproof–there are a number of known, low-tech means of circumventing them.”

Assets and Security Goals

• The main goal of the facial recognition software is to provide security. You are the only person who should be able to use your machine since it will uniquely recognize your face.
• The main asset is the ease and practicality provided because a user no longer has to type in their passwords or even really remember them.

Adversaries and Threats

• Someone who might want access to your personal information or files could potentially use a photograph of you and hold it to the camera depending on the sensitivity of the software
• Another possible adversary could be family members, again depending on the sensitivity of the software if a family member (such as a sibling or better yet a twin) wanted to use your computer they might have similar enough features to beat the cameras.

Potential Weaknesses

• Social networking sites could present a weakness if the software had a low enough sensitivity thrushold that an adversary would really only need a photograph.
• Many of the other weaknesses involve the opposite problem if the software is too sensitive a user might be denied service because of a haircut, surgery or injury, or aging (although it is likely that a user wouldn’t have a computer so long that they would look dramatically different from aging, it is still a possibility.

Defenses

• Having both the fingerprint analysis and the facial recognition software makes the PC somewhat more secure than using just one or the other.
• The software would have to be fairly sensitive in order to prevent a photograph from being used but it could also update the image that it recognizes after each successful recognition in that way it code avoid not recognizing a user due to age. 

It seems likely that the sensitivity could reach a good balance so that it could recognize the difference between a picture and a human being, however in the cases where too humans look indistinguishably similar to the human eye (such as a twin) I doubt a camera will ever be able to tell the difference. Considering the likelihood that a user has a malicious twin,  I doubt this is much of a concern.

Since the overall goal of the software appears to be to make the user more secure and the more secondary goal is to make life a little easier, I think the software would be more useful if it used the software to either allow or disallow you to enter a password. In that way it would actually provide another layer of security as opposed to a potential hole.

A recent article from silicon.com details the recent issuance of £4.7 billion worth of ID cards containing biometric and biographical data to people of the UK. Critics of the plan are quickly pointing out that with no readers in place, the new cards are no more useful than traditional photo ID. The UK government has also stated that it has no concrete plans to implement the readers, but instead will allow individual organizations to purchase and implement them on their own. This raises a number of issues and questions about government efficiency versus individual choice versus comprehensive security. One thing is for sure – without any readers in place, this schema gives no extra security and is essentially a waste of money.

(Read on …)

In “Study: racial profiling no more effective than random screen”, ArsTechnica reports on a new study by William Press, who claims that using profiling at security checkpoints such as airports is not effective in catching threats. The ineffectiveness, according to Press, stems from small numbers of screeners being able to only resample a small subset of the total population at any given moment. Screeners, on the average, end up retesting the same innocent individuals that happen to have large correlations with risk profiles.

This event arises from the current security concerns of DHS, and their mandate to catch terrorists at the various entrances to the United States. It seems that the methods employed in profiling are faulty, and need revisiting. As a counter-example to this article, the Israeli airports employ racial profiling to great success in ensuring security, and haven’t had an incident since 1986 — however, they combine these profiling methods with other forms of security measures.

However, there are larger issues in having such broad-sweeping racial profiling in the US. Applying racial targeting to minorities at checkpoints would cause a fair amount of backlash, considering the historical implications. As well, all the racial groups that are on profiling lists also are likely not adversarial threats, and are certainly as legitimate of citizens as people that aren’t on the list. Also, it seems like  relying heavily on profiling means that defeating it is simply a matter of not fitting the current terrorist profile.

While there has been some success stories in racial profiling with regards to border security, the idea leaves a bad taste in my mouth. There are inarguably a number of things that DHS can do to improve security at checkpoints (hire competent TSA employees comes to mind), without going down the dangerous path of racial profiling — profiling that has been shown in this recent study to be mostly ineffective given how it is currently applied.

Original Article: http://arstechnica.com/science/news/2009/02/study-racial-profiling-no-more-effective-than-random-screen.ars

Xbox Live DDoS Attacks Become Popular

Cheating in online multiplayer games has always been an issue.  Each genre of game has been plagued with a certain type of hack: Map discovery hacks for RTS games, Aiming hacks in FPS’s, and hacks to force opponents to leave ranked games.  Now, DDoS attacks are being used by some Xbox Live users to kick their opponents from games.

The article “Hackers Use DIY Botnets To DDoS Xbox Gamers” focuses on ready made Botnet solutions which make it easy for a script-kiddie to set up his own botnet.  The programs discussed were BioZombie and HostBooter, and both come with a couple bots but require the user to add more.  These bots can be added willingly (via friends), or the aspiring botnet emperor can trick others into running an executable.  Many places advertise botnet creation services, or zombies for a fee ($2 per bot was a price referenced in the article).  Of course, anyone who successfully spreads their botnet would “find themselves a drone for the original creator.”  This seems like an excellent case of social engineering to spread a botnet.

The new popularity of this kind of exploit is directly caused by the gaming subculture’s lust for vengeance and carelessness in cheating, but an interesting new use of DDoS attacks.  Unfortunately for Xbox Live users, no fix is on the horizon.  If games were all hosted by a central server and there was no peer to peer communication, then a DDoS attack would not be possible because the attacker would not be able to find out the other gamers’s IP addresses.  To stop this exploit from booting gamers, the Xbox game creators will need to change the way games are hosted, although this will mean that they must pay for more hosting.  Positive reactions to this kind of cheat would be to complain to Microsoft about the need to consider the security of online gaming protocols.  If nothing is done, every automated online competitive ladder could be cheated.  Fortunately, this malicious activity would be possible to be tracked and a list of malicious users could be banned.  I remember when Blizzard banned a large number of IP addresses and game serial numbers for maphacking in Warcraft 3.  Hopefully Microsoft and other game developers will take a proactive role as well, or else many people will become frustrated with their online gaming experience.

link:
http://blog.spywareguide.com/2009/02/hackers-use-diy-botnets-to-ddo.html

Summary

In Italy, public officials have been abusing their authority to make more money from the public by making reds come earlier than they are supposed to (a shorter duration yellow than legally allowed).   This means that, since they use cameras to automatically give tickets to people running red lights (see security review of automated traffic cameras for a different look at that aspect of it), they can make money off residents who are given inadequate time to come to a stop, and thus must run a red.

Who Was Hurt By It

Drivers have been economically affected, with 1439 people caught over two months (the fine is 150 Euros, or roughly $190 at current exchange rate).  Prior to that, at most 900 people would have been expected to be caught assuming the maximum number of tickets normally given were given out per day (this means a 50% increase over a value previously considered unrealistic to obtain!).

The public has also suffered a reduced amount of trust in the transparency and honesty of their government–a system which was out of their control and which they were mostly powerless to oppose or investigate was found to have been compromised in such a way that people were labelled as both criminals and charged unfair money.

Who Did It

109 officials are being investigated with regards to it, although the programmer himself is the current person taking most of the blame in the news.  Also involved were: police, local government officials, and the heads of seven different companies. Roughly 300 municipalities and a host of different companies were profiting from this scheme.

What’s Being Done

Currently a criminal case is being pursued against those responsible.  However, this does not really address the problem–the faulty systems are still in use, and ultimately fixing them should be the first priority.  Although the programmer responsible has a lawyer proclaiming his innocence, ultimately a review of the cameras themselves will need to be done.

Long Term View

This adds yet another complaint against automated traffic cameras.  Many object on privacy reasons, but this also adds concerns about faulty software, either maliciously or through incompetence.  Although it is unlikely that Italy will suddenly abandon automated traffic cameras, it may cause them to take a second look at them, at the least, and hopefully be more open in the future.  In all likelihood, however, they will continue to use a closed source solution, and will merely (hopefully) patch this problem.

Finally, this also adds another potential weakness to the list in the security review–corrupt officials who view it as a way of making more money.

Source: http://arstechnica.com/tech-policy/news/2009/02/italian-red-light-cameras-rigged-with-shorter-yellow-lights.ars

See also: http://cubist.cs.washington.edu/Security/2009/02/05/security-review-automated-traffic-enforcement

The Trusted Computing Group has proposed a new standard for self-encrypting hard drives. Many current hard drives boast encryption features, but some provide little details on the encryption process, and there was previously no single standard among all manufacturers. This new standard would bring greater interoperability between drives from different manufacturers, and its details are publicly available, in accordance with Kerckhoffs’ principle.

This could be seen as a good thing – many existing hardware-based encryption products likely get away with using insecure algorithms, and putting the details out in the open would prevent this from happening. Many, however (including the well-respected Bruce Schneier), disagree on the basis that yet another standard would inevitably have flaws, and that existing software-based systems are good enough. What do you think?