Security Review: Ford MyKey and similar systems

By Tim Crossley at 8:11 pm on February 6, 2009 | 1 Comment

Ford Motor Company has stated that the 2010 Focus Coupe will be equipped with a technology called MyKey. Designed for parents wishing to ensure teenagers practice safe driving, the technology restricts certain actions such as driving too quickly. As currently announced, the system can restrict the vehicle speed to 80 mph, limit the audio speakers to 44% of maximum, and give constant audible alerts if seat belts are not worn. Read about the MyKey system here.

While MyKey is aiming for the parent/teenage child crowd, other products exist which automatically limit vehicle speed based on the current road. Using GPS and a database of known speed limits, these devices either limit the vehicle speed or issue a warning when driving over the limit. In all cases I’ve seen, these devices can be overridden, unlike the Ford MyKey. An example of one of these speed limiters would be the Wisespeed, by Imita.
(Read on …)

Filed under: Physical Security, Privacy, Security Reviews | 1 Comment »

Microsoft changes Windows 7 UAC after new exploit surfaces

By iva at 8:09 pm on | 1 Comment

Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127392

The User Account Control (UAC) in Microsoft’s Windows 7 has already been compromised. Two programmers have written code that can alter UAC settings and, upon restart of the machine, execute arbitrary code with administrative privileges.

The basis of this problem stems from Windows 7’s new UAC default settings. UAC is Windows’ primary security feature, designed to alert the user of changes happening within the system and to request consent before proceeding with certain tasks such as, for example, installing programs. This feature, which was added with the deployment of Vista, has met considerable criticism, particularly in that most users consider it an annoyance. In an effort to alleviate this and reduce such disruptions, Windows 7 has headed down the opposite path. The Windows 7 UAC defaults to a greatly reduced number of pop-ups and allows you to change user permission levels (from regular to administrator) without notification. This becomes a real problem when the operating system cannot distinguish between the change made by a user and the change made by a program. And therein lies the vulnerability; all a malicious script has to do is enter the system, either by convincing the user to click on (consent to) it, or through some other breach. Once in, the script can silently change its permission level, force a restart, and begin executing whatever code it wants with administrator privileges. As is the case with most security vulnerabilities, this requires the user to consent to this script by downloading or running it; however, numerous phishing exploits show the frightening success attackers have had in accomplishing this.

Security is a difficult art to perfect, mostly because its importance is often easily forgotten by the one that matters the most – the end user. The threat of exploits is most heavily felt when it is too late and is all too easy to ignore by uninformed users. It really can become a hindrance having to repeatedly approve actions you initiated, such as the installation of a popular program. Users are often exposed solely to the obstruction which security measures present and less so to the protection that they offer, as (hopefully) most users don’t have to deal with attacks. This is the problem with which Microsoft is faced. They need to strike a balance in which they protect the user without taking away from the experience (due to frustration with security barriers). Cutting back on UAC pop-ups is perhaps favorable; however, it should not go so far as to defeat the purpose of the entire security system in favor of usability. Changes to a central security setting, such as the user permission level, should not go unnoticed. It is certainly an important enough change to merit user attention in all cases, and furthermore it is likely to be performed infrequently enough as to not cause any significant annoyance. It is important that security features be carefully integrated into the system, with the user in mind, such that they are not rendered useless when the user disables them; however, at the end of the day their job is to protect, not appease, the user.

Filed under: Current Events, Miscellaneous | 1 Comment »

Security Review: Online Backup

By dannya at 7:51 pm on | 2 Comments

Every day there are more online backup options: Mozy.com, Xdrive, Adrive. This is a significant security concern that should be more respected. These online backup solutions offer encrypted data transmission and strong firewalls. Although companies may say they are 100% secure, this is not a guarantee any organization can reasonably make. A system can never be completely secure. A system can only be free of known exploits. Commonly, large companies have their servers hacked and data stolen. This happens to companies as large as Comcast, Novell, Citibank, and Microsoft. Even if certain online backup solutions are 100% secure, this would not ensure that all others are and will be in the future. An attacker who gains access to an online backup server would have access to varied and immense data.

Assets & Security Goals:
– Online backups should be removed from corporate external networks by multiple levels of protection once stored.
– Companies should seriously consider whether it would be okay if their data leaked, and what would be the consequences for customers.

Adversaries and threats:
– Enemies: Any rival to a company or person who uses online backup.
– Experienced Adversaries: Hackers with unreleased exploits to access servers owned by Mozy and other backup solutions.

Potential weaknesses:
– A port scan of all online backup company servers would likely reveal a vulnerability somewhere.
– A dictionary attack could be conducted on Mozy log-ins.

Defenses:
– The provider should remove the data from network access once backed up.
– Do not use online backup if you require the data to be confidential or it could be used to the advantage of a rival.

Online backup will likely become more ubiquitous, as all emerging technologies do. When it becomes more prevalent, this issue will become a strong privacy concern.

Filed under: Security Reviews | 2 Comments »

Security Review: Amazon Kindle

By cxlt at 6:52 pm on Comments Off on Security Review: Amazon Kindle

Amazon Kindle

With rumors of Amazon revealing their next Kindle on Monday (an honor Engadget, along with other blogs, has already done for them), and as a user of the first Kindle, I figured that with its numerous features, communication methods, and potential appeal, it was an appropriate time to do a security review of the system. And as an irrelevant aside, I think the new model is really ugly.

The Kindle is an e-book reader, one of two primary contenders in the market at this point in time (the other being the Sony Reader). Like its competition, it features an E-paper screen, which is ideal for this application due to the fact that it requires no harsh backlight, and requires no power to maintain image – only to change image. In addition to being able to store and display ebooks (in unsecured Mobipocket, plain text, or proprietary Amazon format), the Kindle’s most fascinating feature is its EVDO antenna. Through Sprint, the Kindle provides free data transfer. The primary function here is to provide access to a wireless Amazon store from which users can purchase and download DRM-secured ebooks, but there is also a primitive web browser in the software.

Assets & Security Goals:

  • Preventing users from stealing books is the primary business security concern for Amazon. There is a twofold issue here: there is the potential for users to snoop in on the wireless transmission of the book itself, but there is also the potential of a user to steal the book once it is on the device – hence, there needs to be both wireless security and DRM on the final file.
  • Protecting the privacy of the user is a concern for the users of the device – while there aren’t any explicit laws protecting people’s reading history as there are for television and movies, what a person is reading on the device should still remain private to that user.
  • Providing security for the user while they browse the web is another concern that involves specifically the consumer rather than Amazon – this should be a simple matter of implementing existing security standards for the web.

Adversaries & Threats

  • People who would like to pirate content are again the primary threat to Amazon’s business on the Kindle. Protecting the ebook files in transit and storage should stop them from stealing Amazon ebooks, though given the Kindle’s capability of reading generic unsecured Mobipocket files, people could just as easily pirate those and drop them on the device over USB.
  • People who would like to steal users’ information are easier to defend against. They may want to steal credit card information as transactions occur, or find out what a user is reading. If the victim has sensitive material, such as corporate documents and manuals, or manuscripts for unpublished books, these may be a target.
  • People who want to cause harm to the user, either by purchasing books on their device without permission, or by causing them to lose the books they currently have. These people don’t have as much work to do as the previous, as it is easier to cause harm than it is to steal information.

Potential weaknesses

  • Theft – should an attacker gain physical control over the device, there is virtually nothing that could be done to stop him/her from purchasing items on the tab of the actual user, accessing any pages with the web browser that may have saved passwords or cookies, and learning what the user has been reading – including reading sensitive material as described earlier.
  • The display is perhaps a surprising point of attack. However, as a user of the first Kindle, I have noticed that at times when the unit shuts off and blanks its screen, a trace amount of ink is left visible, enough so that display text is still visible. Given that the display works on the principle of magnetically charging droplets of ink, it might be that with magnetically sensitive instruments it would be possible to learn even more of what a display has shown. Given that sensitive documents or manuscripts may have been read on the device prior to its shutoff, and especially that it contains a web browser which could be used to browse sensitive material such as bank accounts, not to mention that passwords are inputted similarly to cell phones – with the last character inputted remaining visible until the next is typed – this could be a serious attack vector if enough study is put into the physics of the display.
  • The obvious vector of breaking whatever security is on the DRM’d files (after all, the method and key for decrypting them must be on the device somewhere if it’s able to display the books) would be an easy approach to breaking the security of the platform in general. Attacking the wireless transmission itself would likely be much more difficult since it’s probably based on well-established cryptographic algorithms, but breaking DRM is certainly not without a very large precedent.

Potential defenses

  • Passwords more prominently used throughout the device would mitigate the theft concern almost entirely (assuming, of course, chosen passwords are secure). Were the device to require passwords to power on or access certain user-determined books on the device depending on their sensitivity (the latter using encryption on the file rather than just an operating system refusal to open the file given that it could be retrieved by USB), much of the concern of the device falling into an adversary’s hands is mitigated. Potentially along with a remote kill-switch like that implemented on enterprise cell phones, the threat of the device being stolen would be greatly reduced.
  • More screen blanking would help the display issue greatly – at least with the immediate and definite problem of trace ink. The device typically flashes the entire screen to black and then white to clear the screen, and I’m assuming that a few more rounds of this would reduce the amount of material left on-screen afterwards. Since the rest of the threat is primarily speculation on my part, I’m not sure as to what the defense would be.
  • The ability to update the DRM of files remotely could be one way for Amazon to secure the files. It’s security by obscurity, but constantly changing the DRM scheme could be one way of preventing the attacker from figuring out how to crack the protected books. I’m not skilled enough in cryptography to know if there’s a way the device could possibly secure the books given that the decryption method and key are both stored on the device itself, without external authentication (the EVDO antenna may be turned off, and DRM’d files are still accessible in remote regions).

Most of my analysis is based on what Amazon wishes the Kindle would be – a general purpose reading device integral to the lives of those who use it – rather than what it is now – a largely novelty gadget which, while well-executed, is too expensive to be a reasonable purchase for all but the most fanatic book fans and extreme road warriors. Scenarios such as heavy duty web browsing (unlikely due to the slow response of the screen and slow transfer over EVDO), storage of anything other than books (such as the confidential material I listed above), and other such ubiquitous uses of the device are not a reality at this point.

However, if Amazon is serious about the device becoming hugely successful in the future, they are all issues that must be addressed soon.

Filed under: Physical Security, Privacy, Security Reviews | Comments Off

Current Event: Google Releases ‘Latitude’

By vincez at 6:19 pm on | 3 Comments

Google has released a new product called ‘Latitude’. It is an extension based on the extremely popular Google Maps web application that allows users to track the exact location of friends and family members using the GPS signal in their mobile phones. This product has already launched, and even with the received criticism Google is standing behind its new product.

(Read on …)

Filed under: Current Events, Ethics | 3 Comments »

Security Review – Eve Online Alliance

By ericm6 at 4:56 pm on | 1 Comment

According to an article from Massively, Eve Online experienced an upset in their internal politics this week. “Band of Brothers (aka “BoB”), the self-styled villain alliance in the game,” has been taken down from within their own ranks. Not having played EVE, I can’t comment on the exact details of the event, but it appears the alliance was disbanded by a single, well-placed deserter.  This is one example of a lack of security leading to the loss of a great deal of in-game assets.

The specifics of the situation are not entirely clear to me, but according to Massively:

Once assured a place within GoonSwarm, Agamar [the deserter] proceeded to disband the Band of Brothers alliance using his director level access. In addition to shutting down the alliance, he cleaned out his corporation’s ISK reserves and stole their dreadnaught (capital ship) fleet, which became a gift to GoonSwarm.

Other MMOs have a similar situation where player organizations have a single person in charge. This makes management easy, since only the leader needs to be online to make any changes to the group, but at the same time this creates a single point of failure. If this leader decides he no longer wants his position, he can simply hand off control to someone else. If he’s malicious, however, he has the sole power to disband the group and keep any group-controlled assets. In the case of other MMOs, these are generally not extremely valuable assets, but in Eve Online, they can be immensely valuable in terms of the time required to obtain them. In particular, with the disbanding of their alliance, BoB lost sovereignty of its territories, meaning any infrastructure there is useless for the next three months. Their territories are conquerable, and their cyno-jammers, which prevent capital ships from entering the territory, and jump bridges, which allow smaller ships to move between systems, are all inoperable. These assets took years to build and acquire, and they became inoperable for a few months due to the actions of a single individual.

Since Eve Online alliances comprise thousands of players, it would seem that there should be a more secure system to protect the assets of these groups than relying on a single individual to be in charge of everything. In a real world setting, bureaucracy prevents any one individual from taking actions that could negatively affect the entire organization, and it would seem something like that is needed in Eve if this situation is something to be avoided in the future. Then again, maybe it’s just what makes the game what it is.

Assets & Security Goals:

  • Maintain control and access to in-game assets, including defenses and manufacturing stations.
  • Privacy of communications made on private message boards.

Potential Adversaries & Threats:

  • Rival Alliances: the goal of PvP in the game is to conquer territories for your alliance/corp at the expense of other alliances and corps. In this case, the GoonSwarm’s main goal was to dismantle BoB.
  • Malicious Insiders: a disgruntled member of the alliance might wish to cause harm to the alliance before he leaves for greener pastures.

Potential Weaknesses:

  • A lack of any sort of bureaucratic system to make changes creates a single point of failure in the leader of the alliance.  If that player deserts, the member corps have no way of preventing him from dealing serious damage.
  • Likewise anyone who happened to gain access to that player’s account through insidious means, such as a keylogger, would be able to perform the same actions without any member of the alliance’s consent.

Potential Defenses:

  • Extraordinary permissions could be required to enact any sweeping changes to alliances.  In particular, removing a corp from an alliance could require a minimum number of director level players.
  • There could be a holding period before a corp can be removed from an alliance, allowing a day or two for other corps in the alliance to respond.

Some sort of balance needs to be struck between the security against malicious actions and the ability of leaders to make the actions at all.  Perhaps this is already balanced in a way that makes the game what it is.  In order to make the politics and metagaming accessible to players and move in time frames of months rather than years, it makes sense that some of these actions would be a little too easy to be entirely secure.

Filed under: Security Reviews | 1 Comment »

Police Searches of Personal Electronics

By asekine at 2:46 pm on | 1 Comment

Source: Cnet

In June 2008 Florida Highway Patrol officer John Wilcox pulled over Ariel Quintana for speeding, who was then discovered to be driving with a suspended license. The officer also suspected Quintana of being in possession of marijuana, but a search of the car revealed nothing. While in custody, Quintana’s phone rang and officers removed the phone without permission and started searching the contents of the device.

While going through the photo album, pictures were discovered of what appeared to be marijuana plants in a grow house. This resulted in a raid of Quintana’s address, which led to the seizure of over $850,000 worth of marijuana plants.

This is not the first case where a personal electronic device was searched without warrant that resulted in further evidence being used against a suspect in custody for an unrelated crime. Given the increasing presence and integration of personal electronics in every aspect of our lives, PDAs and cellphones can provide the most intimate details about their owners. As such, there is debate about whether the owners’ privacy should be protected given the nature of the information they contain, or if they should be considered containers and/or accessories for crimes which police should be able to search for further evidence for use in court, without the need of a warrant. As the article indicates, courts are split on this topic and there is still much debate about how these cases should be handled.

In order to prevent incidents such as this from occurring again in the future, politicians and courts have to agree upon the circumstances under which searching digital devices is allowed, if at all. Given the nature of the types of information and data stored on personal devices, laws dealing with them must adapt to take the sensitivity of this information into account. The number of cases such as this will only increase with time, and policies need to be introduced to deal with this increasingly relevant issue. Individuals need to be aware of their rights, especially given the information at stake.

Filed under: Current Events, Policy, Privacy | 1 Comment »

Current Events: GPU Accelerated WIFI Cracking

By mrd5 at 2:33 pm on Comments Off on Current Events: GPU Accelerated WIFI Cracking

source articles:

http://www.tgdaily.com/content/view/41032/144/

http://blogs.zdnet.com/security/?p=2419

GPUs (graphical processing units) are usually intended to be dedicated hardware to aid in rendering 2D and 3D images. However, as their computing and parallel processing abilities have grown to astounding levels, many have begun to think of ways to leverage this into other areas. Recently, ElcomSoft has released wireless security auditing software which leverages the GPU to increase the number of passwords which can be brute forced per second — the Nvidia Tesla S1070, according to the tgdaily article, can test up to 52,400 passwords per second. To put that into perspective, a Core 2 Quad Q6600 can try 1100 per second. Though this is legitimate software released by a security auditing firm, it isn’t unreasonable to expect that this kind of password cracking capability will be attempted by skilled attackers. All of this is part of a larger trend of graphical technologies beginning to emerge as a security concern: graphics drivers often have kernel level operating system access, and plans for software that can use DirectX rendering remotely could be a major headache for preventing malicious graphical content from compromising the system (rumors are that Flash 10 could have this capability. If so, this would add to Flash’s history of security concerns). It isn’t really feasible to prevent more integrated graphics, so as always, careful engineering and threat modeling will be called for.

Filed under: Current Events | Comments Off

Security Review: Stevens Pass RFID Lift Access

By Erik Turnquist at 2:27 pm on Comments Off on Security Review: Stevens Pass RFID Lift Access

The Stevens Pass ski resort has recently implemented a new RFID lift ticket access system for all their chair lifts. Although this greatly improves convenience and may shorten lift lines, it is vulnerable to several attacks which could prevent it from functioning or allow a malicious skier to access the lifts without a proper lift ticket.

(Read on …)

Filed under: Security Reviews | Comments Off

Over 400,000 Accounts Stolen from phpBB

By jonfung at 12:54 pm on Comments Off on Over 400,000 Accounts Stolen from phpBB

It was discovered last Saturday that an attacker was able to steal thousands of user accounts, passwords, and e-mails from phpBB.com. phpBB is open source and one of the most popular internet forum packages. The attack utilized a 0-day exploit in the PHPList third party application to gain access to the site’s server’s password and configuration files. Later, the attacker made a blog post stating that (s)he had managed to acquire over 400,000 account details. To substantiate the claims, the attacker then posted the PHPList email list and phpBB.com’s user table.

As this was a zero day attack, at the time there was no patch that could have prevented this attack. However, PHPList was patched two weeks after the vulnerability was discovered.  The exploit was first published in mid-January, coinciding with the time in which the attacker had access to the files.  It is likely that the attacker learned the exploit from its publication and used it to attack phpBB.

A number of things could have been done to reduce the impact of this exploit. First, the publication of the exploit could have been delayed until a patch was developed. This potentially could have allowed the phpBB.com administrators to close the vulnerability before the attacker discovered that it existed. If the administrators had also encrypted user information such as emails and account names, the attacker would not be able to decipher them in any meaningful amount of time. Finally, the passwords that the attacker was able to glean from the information were from passwords with unsalted MD5 hashes. Salting the hash would have significantly increased the passwords’ resistance to attacks. Additionally, using a different hash such as SHA-1 would have increased security. It has been fairly recently discovered that MD5 suffers from some design flaws that leave it susceptible to collisions.

Unfortunately, not too much further can be done about responding to these kinds of attacks. Administrators may be wiser about encrypting identifiable information, but given that this is already known, it seems that administrators in general have not yet learned that lesson. Legally, it is already against the law to intrude into other people’s systems. When it is very hard to detect and identify an attacker, law does not prove to be an adequate deterrent. Users may become increasingly aware that their identifiable information can be stolen if they share it with other parties, but ultimately they can’t avoid doing that indefinitely (or it may prove to be too inconvenient to avoid interaction). Encrypting user information would do well to mitigate the damage of information leakages, but given the way most organizations have failed to do so thus far and are continually leaking information, this may take additional education and maybe even legislation.

link:
http://www.securityfocus.com/brief/902
http://www.heise-online.co.uk/security/phpBB-hacked-400-000-account-details-intercepted--/news/112567
http://www.phpbb.com/index.php

Filed under: Current Events | Comments Off
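
The salting point in the phpBB post above, as an added example that is not part of the original post and is not phpBB's code: it audits a constructed user table of unsalted MD5 hashes for shared passwords, then upgrades each record to a per-user salted hash at the next successful login. PBKDF2-HMAC-SHA256 from Python's standard library is this example's choice of salted scheme (the post names only salting and SHA-1); all user names, passwords, function names and the iteration count are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def md5_unsalted(password: str) -> str:
    """Legacy scheme described in the post: plain MD5 with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample table (not real data): user -> unsalted MD5 of the password.
LEGACY_TABLE = {
    "alice": md5_unsalted("sunshine1"),
    "bob": md5_unsalted("correct horse"),
    "carol": md5_unsalted("sunshine1"),  # same password as alice
}


def shared_hash_groups(table: dict[str, str]) -> list[list[str]]:
    """Audit: identical stored hashes reveal which users share a password,
    so recovering one password from a leaked table recovers the whole group."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def hash_salted(password: str) -> str:
    """Random 16-byte salt per record; stored as 'iterations$salt$hash'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(user: str, password: str,
                      legacy: dict[str, str], upgraded: dict[str, str]) -> bool:
    """Check the upgraded record if one exists; otherwise check the legacy MD5
    and, on success, replace it with a salted record and delete the old hash."""
    if user in upgraded:
        return verify_salted(password, upgraded[user])
    if user in legacy and hmac.compare_digest(md5_unsalted(password), legacy[user]):
        upgraded[user] = hash_salted(password)
        del legacy[user]
        return True
    return False
```
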