Illegal file transfer using BitTorrent protocol

By devynp at 4:54 pm on February 12, 2009 | 1 Comment

BitTorrent has been popularly used for transferring files illegally because it greatly reduces the networking bandwidth that would otherwise be required. The way it works is that users connect to each other directly to send and receive files. The tracker generally does not have any information about the contents of the file being transferred, because the users connect to one another directly. There is no single server that serves all users. Also, uploading and downloading happen at the same time, which lets the protocol use bandwidth efficiently.

Because of its speed and the absence of any transfer cost, the BitTorrent protocol has been used by people to transfer files such as movies, music, and software illegally.

It is hard to prevent the development of such a clever protocol. People have all sorts of things in mind to develop. The creator of BitTorrent apparently had the creativity to design a protocol that uses bandwidth efficiently and lets people share files with one another rather than downloading from a central server.

Illegal file sharing can negatively affect a lot of people. The entertainment industry will be at a loss because people will not go out to the store to buy a CD. Consumers will download those files almost instantly and for free, without caring about the consequences of their illegal download. As a result, the entertainment industry is losing profits and, soon, it would collapse. In the long run, companies will lose the incentive to create and improve products and, in the worst case, consumers may not be able to enjoy such entertainment anymore.

To prevent illegal file sharing, the government can enforce copyright laws stringently, and the consequences of illegal downloads can be publicized through campaigns. A more recent technique is to sniff illegal file transfers. Such a tool can detect these transfers and keep a record of each transfer as evidence. The nice thing is that the tool works silently; it does not slow down network traffic.

Filed under: Current Events | 1 Comment

Current Event – FAA, Kaiser Permanente Security Breaches; Tens of Thousands of Names Compromised

By cxlt at 10:25 pm on February 10, 2009 | 3 Comments

FAA

In another of a long line of high-profile security breaches both in and out of the government recently, the Federal Aviation Administration has announced that in the course of a breach of their computer system, over 45,000 employee names – and presumably, personal information – were compromised. The systems were thankfully not connected to the air traffic control system or other critical operations systems.

The FAA is said to be following up with potentially affected individuals one by one.

Similarly, healthcare giant Kaiser Permanente reported on Sunday that nearly 30,000 employee names, addresses, Social Security numbers, and dates of birth were stolen. The breach was a chance discovery – the files containing the data were found in the possession of one Mia Garza, who was arrested on unrelated counts of stolen property and fraud. It is unclear how she came to possess the data, and thus it is entirely possible that copies of it are still in the hands of malicious people. As she was arrested on December 23rd of last year, it has clearly been quite some time since the breach occurred.

According to Kaiser, existing security policy included restricted access to sensitive information by ACL and encryption of data on electronic devices, including cell phones – both measures that sound wise. It is still entirely possible that the issue was policy not in fact being followed – Kaiser does not know what caused the loss of data.

Due to the lack of detail surrounding both of these events, they serve simply as a reminder of how broadly security breaches can affect people on a personal scale. In just a few weeks, companies and government agencies, from the above to RBS WorldPay – an event in which 1.5 million people’s financial information and 1.1 million Social Security numbers were stolen – to Heartland Payment, which processes over four billion payments a year, and even the security specialists Kaspersky, have all suffered high-profile data breaches.

Hopefully all these attacks will remind other organizations to take a long, hard look at their security systems.

Filed under: Current Events | 3 Comments

Facebook Opens Status API

By lisa89 at 5:27 pm | Comments Off

“Facebook is slowly tearing down the wall around its silo and is starting to expose more of its data to the outside” (from Facebook Opens Up: Lets Developers Access Status Updates, Notes, Links, and Videos). Facebook now allows third-party developers access to users’ private data, such as status updates and notes. This is intended to give developers more flexibility in building and using applications. Moreover, Facebook wants to attract more and more users by joining the OpenID Foundation. However, this update to Facebook’s API introduces weaknesses and potential security problems.

Assets and security goals

  • Since Facebook joined the OpenID Foundation, people who possess an OpenID account (one account, one password, logins to multiple sites) will also have a Facebook account. Thus, more and more people will join Facebook and use it for networking.
  • A developer’s application should be verified before it is released to the public and people are allowed to use it. Moreover, there should be stricter terms and conditions on registration for developers, such as phone number or email validation, so that they will not misuse users’ private information (pictures, videos, etc.).

(Read on …)

Filed under: Security Reviews | Comments Off

USB power in airports

By dhalperi at 7:49 am on February 9, 2009 | 4 Comments

I noticed that the Denver airport has upgraded its power stands to include USB ports that presumably give power to recharge devices like cell phones, iPhones, and iPods. What I wonder is how I know that’s all that’s going on. I know that, at least for my old iPod shuffle and one of my cell phones, some of these devices don’t authenticate the computers they plug into, but simply appear as R/W flash drives. What’s to stop a malicious version of this kiosk from

  • taking inventory of my files?
  • figuring out who I am and tracking me?
  • installing autorun software (like a virus) onto my device?
  • copying my contacts, my email, my cell phone pictures, my mp3s, etc?
  • <your idea here>?

I don’t know whether this particular power stand does anything more complicated than supplying power and ground to the right two pins, and I suppose that by paying attention (to the screen on a cell phone or the lights on an iPod shuffle) you might be able to tell if serial communication were initiated and something fishy was going on. But that doesn’t provide much comfort; in the end what we need is a good way for portable devices to verify the authenticity of the device to which they connect.

Filed under: Physical Security | 4 Comments

Current Event: Kaspersky Hacked

By Ryan McElroy at 5:00 pm on February 8, 2009 | Comments Off

Kaspersky, an antivirus vendor and Internet security lab, recently fell victim to an Internet hacker using an SQL injection attack. The attack compromised data in all databases accessible to the web server. According to the hacker, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”

Discussion on the board where the hacker originally announced the successful attack has mostly been congratulatory, especially after the hacker announced that he would not expose any confidential information he had found (although he may have already done so with the password hashes).

On Slashdot, discussion includes the insightful comment, echoing the advice in the textbook, that blacklisting and escaping isn’t sufficient: “No. Escaping is error-prone as you will invariably fail to escape some special character you don’t know about. The right way to fix SQL injection is to use parametrized queries.”

Timely advice!

Filed under: Current Events, Ethics | Comments Off
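To make the parameterized-query advice in the Kaspersky post concrete, here is an added example (not code from the post, from Slashdot, or from Kaspersky) that runs the same user lookup both ways against a constructed in-memory SQLite table: the spliced-string version returns every row once the parameter is altered, while the placeholder version treats the identical input as plain data and matches nothing.

```python
import sqlite3

# Constructed sample data (not Kaspersky's schema): a minimal users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The anti-pattern: the user-supplied value is spliced into the SQL text,
    so whatever the parameter contains becomes part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix the Slashdot comment recommends: a placeholder carries the value
    separately from the statement, so it is only ever compared as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal lookup behaves the same way in both versions.
    print(lookup_vulnerable(db, "alice"))
    print(lookup_parameterized(db, "alice"))
    # An altered parameter: the spliced version returns every row, the
    # parameterized version finds no user with that literal name.
    altered = "x' OR 'a'='a"
    print(len(lookup_vulnerable(db, altered)))     # 3
    print(len(lookup_parameterized(db, altered)))  # 0
```

Note that no escaping or blacklist is involved in the fixed version; the database driver never sees the parameter as SQL at all, which is why this approach does not depend on anticipating every special character.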

Security Review: MMO Gaming

By dravir at 9:07 pm on February 7, 2009 | 3 Comments


Most people in our society today are familiar with the concept of MMO gaming. World of Warcraft, for example, is something almost everyone has heard of. Most MMO games operate under a fairly strict client/server paradigm. A company that wants to produce an MMO will create a client that handles the graphics processing, user input and output, and perhaps stores some basic per-user settings, usually again related to display settings and interface options. The remainder of the game, including all user character data and user interaction with the online world, is stored and run on company-controlled servers. This assists the company in its endeavor to give users the experience it intended, as well as to control various types of cheating. In addition, users generally cannot play offline – this means that a given user must authenticate with the server in order to access a given character or play with others in the virtual world.

(Read on …)

Filed under: Security Reviews | 3 Comments

Security Review: The Bike and its Lock

By oterod at 11:12 pm on February 6, 2009 | 2 Comments

EDIT: It appears that I goofed with the “more” tag when I first posted this, so I’ve included the rest of the article below.

Since the days of waking up at 5am to watch the Tour de France live with my dad at eight years old, I’ve been a big fan of bikes. I’ve since grown to love riding them, and spent several years as an avid road racer. While I’m somewhat of an anomaly, many of you also rely on cycling for transportation to class, to work, and elsewhere. Unlike cars, which are just slightly harder to steal, bikes are the candy-from-a-baby in the world of theft. One magazine article I read several years ago had a “professional bike thief” (probably a security professional who learned methods of theft in his research) attempt to steal a bike secured by one each of every available bike lock on the market at the time. In public. The result? All but a single lock could be circumvented so quickly that nobody in the area even noticed that it was not unlocked by normal means.

I have to say, I am particularly bitter about bike security. A few years ago I was living in Stevens Court with a few friends. A past summer job at Gregg’s Greenlake Cycles had yielded an absurdly cheap employee purchase of a Lemond Tourmalet, a very nice road bike. I wasn’t using it to commute to school (who locks up a bike like that around the Ave?), but I did have it in our apartment so I could go riding. One day I came home and it had been stolen from my living room. My roommates had left the front windows wide open and the door unlocked. Go go speed racer, go.

(Read on …)

Filed under: Announcements, Ethics, Physical Security, Security Reviews | 2 Comments

Security Review: Smashing abstract—more on Lab 2

By stemcel at 11:04 pm | 1 Comment

I was lost at first when starting Lab 2, as I had little to no experience with web programming. After floundering around for a few hours I got a better idea of what we were supposed to be doing and with the XSS cheat sheet was able to rapidly discover appropriate exploits for each of the filter versions on the mock search engine (except #5, of course).

Once I’d satisfied myself that I could get all the cookies I wanted I immediately launched into a more thorough investigation of the environment I had been working with, and began discovering real vulnerabilities. I was excited by the prospects available and decided to make a security review out of it. I spent the next couple of days experimenting, then jumped onto the blog to write my security review only to find that two of my classmates had addressed the same topic the day before. Eriel Thomas addressed the security of the server at yoshoo.cs.washington.edu in his post “Smashing the Lab for Fun and Profit”, whereas David Balatero discussed his success in phishing about a third of the security class (including me… ouch) in “UW CSE Resources”. Just goes to show you that you should always examine links, even from trustworthy and computer-savvy friends :P.

I nearly despaired at several days’ work gone for naught, but after carefully reading both of the posts I believe that I still have something to contribute. My discussion will focus a bit more on the security of abstract and provide other additional details.

(Read on …)

Filed under: Security Reviews | 1 Comment

Security review: Powered Exoskeletons

By sal at 10:55 pm | Comments Off

Exoskeletons look impressive in movies. They look impressive in real life as well. Electronics read the brain signals sent to the muscles and cause actuators to move, thus ‘amplifying’ human strength. Exoskeletons are close to being mass-produced and available to people around the world. Since there are no datasheets or usage instructions publicly available yet, I will briefly mention the potential general security implications associated with these devices, as we will inevitably see them on the market very soon.

It is crucial for manufacturers to ensure the safety of the wearer. In addition, it is important to address the safety of people other than the wearer who may come into contact with this machinery.
Potential adversaries include those who want to harm the person wearing it. Beyond that, an adversary’s goal can be to harm people other than the wearer or, in general, to damage property.

The following are just a few of the potential weaknesses that need to be addressed.

  • Self-supporting mechanism: since most exoskeletons will support their own weight and are quite powerful, it is potentially possible to take control of one and cause it to walk on its own, possibly with a human inside.
  • Physical access to the programmable controllers and circuitry can allow an adversary to reprogram them or embed their own controllers.
  • Actuators in particular: different people have different ranges of joint movement. An incorrect range can break the wearer’s bones or strain muscles unless there are secure, adjustable physical restrictions. If such adjustable physical restrictions exist, they can be changed by an adversary.
  • If the suit can be attached to a computer or network for service or reprogramming, most of the problems associated with securing personal computers and communications apply.

Besides the usual work of ensuring the integrity of the system and bug-free software, here are some key measures that any exoskeleton should implement to address security threats. Obviously, any adjustments, including physical ones, should require secure authentication of the user. Good shielding can be used to protect against outside electromagnetic fields that might cause the system to deviate from normal operation.
It is important to detect big jumps in voltage or current in the system and disable it, as is done in power wheelchair controls; but unlike a wheelchair, more attention should be paid to shutting down gracefully, as disabling the suit incorrectly can cause the person to fall and injure themselves or the people around them.
It should be easy to escape the suit in case of danger, and there should be multiple disabling mechanisms available to the user.

These devices will have a big impact on society. Should police start carrying EMP guns? Exoskeletons can be of tremendous use, for example, in addressing people’s health problems, or they can become quite threatening in a malicious person’s hands. There are obvious differences from existing personal machinery. Their extreme flexibility poses big dangers if not addressed properly. Whereas a car or wheelchair can be stopped by a railing, an exoskeleton could climb over it.

Filed under: Miscellaneous, Security Reviews | Comments Off

Security Review: New Technology Could Display Dreams on Screen

By elenau at 10:48 pm | 1 Comment

For years there has been research in the neurobiological field attempting to decode images from brain activity. In 1999, the University of California, Berkeley, was able to reconstruct video images from a cat’s observed brain activity.

However, scientists in Japan recently decided to take the idea to an even more advanced level (article). Researchers at the ATR Computational Neuroscience Laboratories succeeded in processing and displaying images directly from the human brain. This sort of visualization had not been achieved before. The researchers’ goal is to apply this technology and eventually be able to record and replay the subjective images that people perceive, such as dreams or memories associated with objects and places.

This sort of decoding is described as subjective. When people perceive an object, the image is converted into an electrical signal that goes to the brain’s visual cortex. To decode such messages, the subject first has to train the device used for the experiment, associating object representations with the location and type of brain signal. Later, when such signals are observed, it might be possible to decode them and in this way visualize a human’s thoughts.

So far subjects have demonstrated walking in a virtual world with the character controlled by brain waves. Similar gaming head sets are expected to appear on the market soon.

Also, researchers were able to reconstruct the image representation of the letters of the word “neuron” by decoding the brain activity of the subjects (article). To learn each person’s individual brain patterns and train the interpreting devices, about 400 different still images were shown to the subject beforehand.

Although some people believe that research is still too far from creating a colored quality video from brain signals, researchers continue advancing in the area, and think that technology “could eventually display on a computer screen what people have on their minds”. (Read on …)

Filed under: Security Reviews | 1 Comment