Security Review: HomeLink Universal Transceiver

By vincez at 10:45 pm on February 13, 2009

The HomeLink Universal Transceiver is a device that, like a universal remote, can record the output of a wide variety of garage door openers and home automation control systems and emulate the output for future use. When used as advertised, the HomeLink system simply replays signals that you could have produced anyway, but from a central source. However, since the HomeLink device basically allows replay attacks, there are security implications if the device is to be used by someone with sinister intentions.

Community gate openers and garage door openers are, by their very design, long-range communication devices. If the signal the opener emits cannot be detected a good distance away, the device is not doing its job. Therefore, it follows that the HomeLink device could record garage door opener signals while passing by a car that is using a garage door opener. With access to many types of garage doors after being in the proximity of the door opening, a world of possibilities opens up.


Filed under: Physical Security, Security Reviews

Security Review : Add-ons

By kosh at 9:14 pm on | 1 Comment

An add-on is a simple plugin that you use, say, for Firefox, to let you do your work more easily. This also lets you customize the browser in ways that do not affect the productivity of other people. Add-ons are becoming a major part of browser functionality, but sans the scrutiny that goes into developing a browser.

Assets and Security Goal:

* Assets: Your browser, everything that you use it for, and your cookies. Uh, not the ones you eat. And privacy.
* Security Goal: Protect your privacy at all cost, and your cookies and your intimate browsing secrets!

Adversaries and Threats:

* Unauthorized publishers: This is the dreaded group of publishers that are able to make an add-on for your browser and pass it off as being legitimate and harmless. This is much easier than you think, since most add-ons are unverified, or rather community verified, and it might take a while to find an exploit.

Weaknesses:

* Counterfeit add-ons are the biggest risk – a majority of the add-ons are from unverified authors.
* Deceived by community rating. Since the rating for the plugins is done by the community, an obscure/malicious add-on can easily be made to look like a legitimate one through a community of attackers, or an attacker with a community of profiles.
* Unauthorized plugins from third-party websites.

Defenses:

* Other legitimate users – These are probably the best and most formidable defense when it comes to validating add-ons. However, this is also a delayed defense, since ‘enough’ users will have had to use the add-on for someone to finally detect a malicious exploit.
* Firewall – Your firewall is also your second line of defense when preventing backdoor access through the malicious add-on.
* Antivirus software – An up-to-date virus definition file should help the software detect a malicious plugin. However, this also assumes that the attacker used a known exploit/trojan/virus to inject into the add-on.
* Security updates from the browser, OS – These can help patch the exploits that are currently in place.

Risks:
The risk of being duped means losing a significant amount of personal information that is stored in the browser. With the shift of browsers towards acting like an OS, with features to save passwords, sessions, etc., there is an unbelievable amount of personal information that can be stolen through a malicious add-on. The add-on can also redirect to malicious websites that involve elaborate phishing scams leading to the loss of information and money. Such attacks give the hacker complete control of your online portfolio, which can be held for ransom and also misused, causing personal damage.

Conclusion:
Overall, although there are inherent risks to open source projects like a community browser, a large part of the attacks are easily mitigated due to the sheer number of users that pass through such an add-on. There also seems to be a significant, active and unofficial community that monitors the plugins for malicious intent. One way to decrease the probability of such an attack would involve letting a significant time pass from the release of the plugin to its installation, so that it can be tested by active community members. Filtering the installation of add-ons also becomes an important but often impossible task in a corporate environment, where the risks are especially high. Add-ons (unsigned) are definitely a double-edged sword that needs to be handled with care.

Filed under: Policy, Security Reviews

Current Events: $9 million ATM scam

By elenau at 7:58 pm on | 6 Comments


The FBI is investigating an ATM scam that occurred within a 30 minute period on November 8th. About 130 different ATM machines were accessed to withdraw a total of about $9 million. The scam hit 49 cities worldwide, including Moscow, Chicago, New York, Hong Kong and Montreal.

The FBI says that the operation was very well coordinated, and at this time no suspects have been identified.

The description of the attack follows. First, the computer system of the payment processing company called RBS WorldPay was hacked.

“One service of the company is the ability for employers to pay their employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM.” The hacker was able to access the system and steal all the information needed to create duplicates of the ATM cards.

Filed under: Current Events, Privacy

Current Event : Privacy is a joke

By kosh at 6:19 pm on | 3 Comments

How many of you have received letters from your banks about a ‘revised’ privacy policy? Have you even bothered to read through this revised policy information? And the .000001% of you that have, have you ever found anything objectionable and done anything about it?

Welcome to the new joke called ‘Privacy’. No, I’m not talking about the most intimate information that you already have on Facebook (which, by the way, Facebook now owns and has the rights to share). I’m talking about the numerous merchants/banks/credit companies that you do business with but never really cared about what they do/could do with your information. When you read phrases like ‘shared with affiliates’ and ‘shared with third parties’, have you wondered what the difference between these two is? And besides, have you wondered why on earth banks would need to share your information with other people in the first place?

Almost all of us never think twice about how our information is freely passed around (for money, of course) in the open market for ‘agencies’ to analyze. Such information is then sold by VISA to other marketing companies for ‘market analysis’ and ad campaign management. I have a friend who works for VISA and he was able to pull up every purchase I’ve ever made on the credit card, and all he needed was my credit card number, which is easily available (how many of you shred your old credit cards?).

And guess what!!?? You have no control over who they share it with because, well, first of all, you never really read their privacy document. Even if you read it when you got the credit card, you never really read it the numerous times that they sent you the revised privacy policy. Now again, to the .00001% that read the document every time: you have no control over how VISA decides who their affiliates/partners and third parties are.

Concerned yet? Privacy in the current state is nothing but a big joke.

The only viable solution seems to be a universal privacy declaration/document issued by the government that the companies can be held responsible to. As much as we all hate a big brother state, trusting a bunch of greedy banks/credit companies/vendors is much worse.

Filed under: Current Events, Privacy

Current Events: Monster.com data breach

By dravir at 6:12 pm on | 1 Comment


According to MSNBC (http://www.msnbc.msn.com/id/29017452/), Monster.com, along with USAJobs.com (which Monster’s parent company runs), was breached, resulting in the theft of user IDs, passwords, email addresses, names and phone numbers. The number of records stolen was not disclosed, nor were any details concerning how the thief obtained access to their databases.


Filed under: Current Events

Private information ***LIKE NEW***

By Frung at 2:29 am on | 3 Comments

Ever considered ‘recycling’ your computer without thoroughly wiping your hard drive first? Don’t. A recent study suggests that up to 40% of hard drives that end up on eBay and aren’t explicitly marked as erased may contain easily recoverable data from previous owners.


Filed under: Current Events, Physical Security, Privacy

Current Event: Safety of Encryption from future Quantum Computers

By sunetrad at 11:53 pm on February 12, 2009 | 2 Comments

All of us feel a certain kind of safety when we are dealing with credit cards, online banking and any other transaction or process which should be secure, because we know that our personal information is protected by cryptographic systems. Yes, there are occasions where these security measures are circumvented by exploiting other weaknesses in the system or by just stealing private information. However, we take comfort in the idea that these cryptographic systems are unbreakable given feasible computing time and resources. However, a recent article talks about the threat of ‘Quantum Computers’, which could potentially compromise the security of these systems used by businesses and banks around the world.

The laws of quantum physics say that a subatomic particle can exist in two states at the same time before you look at it. Similarly, in a quantum computer, a bit can be both zero and one at the same time. A string of eight bits can therefore represent all numbers between 0 and 255 at the same time. Scientists say that a quantum computer can solve a problem in months that would take conventional computers millions of years. For example, public key encryption, which is widely used on the Internet, creates codes by multiplying two prime numbers together. What makes the code hard to break is that working backward from the product of the two primes is extremely hard. A quantum computer would be able to solve this problem in a feasible amount of time because it will be able to look at multiple solutions at the same time.

In the article, Professor Oded Regev of Tel Aviv University’s school of Computer Science stresses the importance of developing a new cryptographic system that will be able to maintain its integrity even when quantum computers are available. Several reasons for this are the security of bank and financial information, medical records, and digital signatures, which would become visible if an attacker hacked into this RSA encrypted data. The article predicts that quantum computers will be a reality in the coming decade, which would make it easy to crack the RSA cryptosystem. Hence the article emphasizes the need to start thinking of systems that could replace RSA.

http://www.sciencedaily.com/releases/2009/02/090205110609.htm

Filed under: Miscellaneous

Current Event: Tracking BitTorrent

By nhunt at 10:44 pm on | 5 Comments

The Air Force Institute of Technology recently announced a new technique for “detecting and tracking illegal content transferred using the BitTorrent file-trading protocol.” The authors claim their technique differs from previous attempts because it does not change any of the traffic going over the network.

The tool examines the first 32 bits of the file’s header to identify BitTorrent traffic on the network. Once a connection has been identified as a BitTorrent transfer, the file’s hash is compared against a blacklist of known “contraband files.” These blacklisted files are described as “pirated movies, music, or software, and even child pornography.” Rather than disrupting the transfer, this tool simply logs the network addresses involved, presumably for later prosecution.
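As an added illustration (not from the post or from the AFIT tool), the following Python sketch shows the passive logging approach described above: identify a BitTorrent peer handshake by its fixed leading bytes, read the info_hash it carries, compare that against a blacklist, and record the endpoints rather than interfering with the transfer. The handshake layout is the BitTorrent peer-wire format; the blacklist hashes, peer IDs and addresses are constructed placeholders.

```python
# Constructed peer-wire handshake layout (BEP 3): 1-byte pstrlen (19),
# "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash, 20-byte peer_id.
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
INFO_HASH_OFFSET = 1 + 19 + 8  # info_hash starts at byte 28

# Constructed blacklist of info hashes (placeholder values, not real torrents).
BLACKLIST = {"aa" * 20, "bb" * 20}


def is_bittorrent_handshake(payload: bytes) -> bool:
    """Passive identification: the first 32 bits of every handshake are
    0x13 'B' 'i' 't'; we also confirm the full protocol string so other
    traffic that happens to start the same way is not misclassified."""
    return payload[:4] == HANDSHAKE_PREFIX[:4] and payload.startswith(HANDSHAKE_PREFIX)


def extract_info_hash(payload: bytes):
    """Return the hex info_hash, or None if the handshake is truncated."""
    if len(payload) < INFO_HASH_OFFSET + 20:
        return None
    return payload[INFO_HASH_OFFSET:INFO_HASH_OFFSET + 20].hex()


def inspect_flow(src: str, dst: str, payload: bytes, blacklist: set):
    """Log (never block) a flow whose info_hash is on the blacklist."""
    if not is_bittorrent_handshake(payload):
        return None
    info_hash = extract_info_hash(payload)
    if info_hash is None or info_hash not in blacklist:
        return None
    return {"src": src, "dst": dst, "info_hash": info_hash}


def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Assemble a handshake payload for the constructed sample flows."""
    return HANDSHAKE_PREFIX + b"\x00" * 8 + info_hash + peer_id


# Constructed sample flows (RFC 5737 documentation addresses, fake peer IDs).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.7", build_handshake(b"\xaa" * 20, b"-XX0001-" + b"0" * 12)),
    ("192.0.2.11", "198.51.100.8", build_handshake(b"\xcc" * 20, b"-XX0002-" + b"0" * 12)),
    ("192.0.2.12", "198.51.100.9", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.0.2.13", "198.51.100.10", HANDSHAKE_PREFIX + b"\x00" * 8),  # truncated handshake
]


def scan(flows, blacklist=BLACKLIST):
    """Return one log record per blacklisted transfer observed."""
    return [r for r in (inspect_flow(s, d, p, blacklist) for s, d, p in flows) if r]
```

Only the first sample flow is both a valid handshake and on the blacklist, so `scan(SAMPLE_FLOWS)` yields a single record; the HTTP request and the truncated handshake are skipped without any packet being altered.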

Filed under: Current Events, Miscellaneous

Security Review: Poker Game

By Father_Of_1000000 at 7:02 pm on | 2 Comments

A game of poker can be played for fun or money. The game itself uses low-tech equipment, and the two main pieces are a standard deck of cards and playing chips of different colors to represent different amounts of money. Depending on the type of poker game, the dealer usually shuffles the cards and deals them out to the players. Then the players bet chips to play against each other. The goal is to garner as much money (in chips) as you can. I’m going to use the terms chips and money interchangeably.


Filed under: Physical Security, Security Reviews

Current Event – Mexico Plans to Fingerprint Cell phone Users

By tchan at 6:43 pm on | 3 Comments

According to a recent article, Mexico plans to start fingerprinting all cell phone users. A new law will give Mexican cell phone providers a year to create a database with their customers’ information, including fingerprints. Providers would also have to store information such as a customer’s text and voice messages and logs for one year. Currently, anyone can purchase a prepaid cell phone with a certain amount of minutes without any identification. This would change, as new and existing cell phone users would have to be fingerprinted and entered into a database that would allow officials to match cell phones and messages to a customer.

Filed under: Current Events, Privacy