Phalanx attains Slashdot fame!

By alpers at 1:40 pm on April 22, 2008 | 3 Comments

I’m not sure if many people read this blog, but I recently noticed that the UW project Phalanx (slides, paper, and poster available from Colin Dixon’s site, recently featured on Slashdot) brought up the idea of countering botnets by setting up neutral (‘white-hat’ was tossed around in the /. comments) botnets to negate the adverse effects.

Any thoughts on this? It’s a curiously fun conceptualization, but could this potentially be just digging a bigger grave for the internet?

Filed under: Current Events, Integrity | 3 Comments »

In-Flight Web Page Modifications

By creis at 5:29 pm on April 20, 2008 | 1 Comment

Our research group (Charlie Reis, Yoshi Kohno, and Steve Gribble from UW CSE, and Nick Weaver from ICSI) has just presented a measurement study showing that many users are receiving web pages that have been modified in-flight.  The pages are changed between the web server and the user’s browser, either by ISPs injecting advertisements, enterprise firewalls injecting script code, or client-side proxies that block popups and ads.  These changes are often unwanted by either publishers or users, and they can also be dangerous: we found that several types of changes introduced bugs and security vulnerabilities into otherwise safe and functional pages.

To study this, we measured how often our own web page, http://vancouver.cs.washington.edu, was modified when users visited it.  A piece of JavaScript code that we call a “web tripwire” detected such modifications, allowing us to record the change and notify the user.  Our study found that about 1% of the 50,000 visitors to our page received a modified version.  While 70% of these changes were caused by client-side proxies, we did see many changes caused by ISPs and firewalls as well.

For more information on our study and our results, you can read our analysis at Detecting In-Flight Page Changes with Web Tripwires, as well as our recent NSDI 2008 paper (PDF).  Our results have also been covered recently in the news media here, here, and here.

If you would like to add a web tripwire to your own page, we have an open source toolkit that you can download and host on your web server.  We also have a web tripwire service that is hosted by our server, which you can add to your page with a single line of JavaScript code.

Filed under: Current Events, Integrity, Research | 1 Comment »
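
The comparison step behind a web tripwire as described in the post above, as an added sketch that is not the authors' toolkit and not part of the original post. `KNOWN_GOOD`, the two sample responses, and all function names are constructed for illustration; a real deployment would obtain the received HTML by re-fetching the page from script.

```javascript
// Added example: comparison logic only; all names and sample pages are constructed.
const KNOWN_GOOD =
  '<html><head><title>Demo</title></head>' +
  '<body><p>Hello</p><script src="/ads.js"></script></body></html>';

// Locate the single changed region by trimming the common prefix and suffix.
function findChange(expected, received) {
  if (expected === received) return null;
  const max = Math.min(expected.length, received.length);
  let start = 0;
  while (start < max && expected[start] === received[start]) start++;
  let endE = expected.length;
  let endR = received.length;
  while (endE > start && endR > start &&
         expected[endE - 1] === received[endR - 1]) { endE--; endR--; }
  return {
    offset: start,
    removed: expected.slice(start, endE),
    inserted: received.slice(start, endR),
  };
}

// Count script tags over the whole document; the trimmed region can be
// rotated by a few characters, so it is not reliable for tag matching.
function countScripts(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Coarse verdict plus the changed region, suitable for a report to the publisher.
function classify(expected, received) {
  const change = findChange(expected, received);
  if (!change) return { verdict: 'unmodified', change: null };
  const delta = countScripts(received) - countScripts(expected);
  let verdict = 'content-changed';
  if (delta > 0) verdict = 'script-injected';
  else if (delta < 0) verdict = 'script-removed';
  return { verdict, change };
}

// Constructed responses: an injecting middlebox and an ad-blocking proxy.
const INJECTED = KNOWN_GOOD.replace('</body>',
  '<script src="http://inject.example/x.js"></script></body>');
const STRIPPED = KNOWN_GOOD.replace('<script src="/ads.js"></script>', '');
```
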

Security Review: The Human Heart

By chrislim at 10:59 pm on March 16, 2008 | 6 Comments

As our professor has continually emphasized throughout the quarter, one of the primary aims of our course has been to go beyond technical details of current computer security in order to learn the security mindset. This new way of thinking enables us to analyze security issues in the future regardless of particular directions that technology may take. It also enables us to examine the security of less technical entities like physical locks, parking meters, etc. As I was considering some of these less technical systems, I began to realize the pervasive implications of applying the security mindset to broader aspects of life and so began my examination of the human heart.

Recently, Governor Eliot Spitzer of New York was revealed to have been involved with a prostitution ring despite his façade of crusading against white collar crime. As a result, his reputation was tarnished, his career ended and his family has been deeply hurt. Although this is just another note in the continual drumbeat of tragedies we hear about in the news, the frequency of these incidents clearly demonstrates that each of us is vulnerable to falling in similar ways. How can we defend our lives (and hearts) against being deceived into compromising our integrity and falling into these common pitfalls?

A second observation motivating this study comes from the fact that insiders are often the adversaries who cause the most damage and harm because they are trusted and by nature must have access to the assets we desire to protect. Human beings are often the weakest component of any security system. This review of the human heart will hopefully provide insight into ways to protect the integrity of trusted insiders as well as our own hearts in relation to the people who trust us.

Finally, defending the human heart has significant ramifications in every aspect of physical/computer security. Much of the violence that takes place on campuses (e.g. shootings, assault, etc.) has at its root a compromised heart (e.g. someone who has been continually hurt and lashes out in despair to cause pain to others after he/she has received so much). Many of the adversaries in computer security scenarios are motivated by financial gain, prestige, and other related incentives, which are deceptive and violate the worth and personhood of the people they attack. If people’s hearts were able to be defended, many of the human adversaries that we encounter in typical security reviews might in fact become allies; the ideas in this post are tools that can provide another layer of defense in depth.

(Read on …)

Filed under: Ethics, Integrity, Miscellaneous, Security Reviews | 6 Comments »

Collaborative Current Event: Counterfeit Cisco Network Hardware Imported From China Seized

By Max Aller at 10:41 pm on March 2, 2008 | 5 Comments

http://www.thestandard.com/news/2008/02/29/us-canadian-agencies-seize-counterfeit-cisco-gear

U.S. and Canadian law enforcement have seized US$78 million worth of Cisco routers, switches, and network cards in 400 seizures since the coordinated operation between the two nations was launched in 2005. The reason for the seizures is “illegal importation and sale of counterfeit network hardware”. Personally, I’m a little confused as to how network hardware can be imported legally, but apparently there are laws governing it. (If you’re wondering what “counterfeit” network hardware is, I’d imagine it’s the sale of previously illegally imported hardware.) The involved agencies are the U.S. FBI’s Cyber Division, U.S. Immigration and Customs Enforcement, U.S. Customs and Border Protection, the Royal Canadian Mounted Police, and apparently, to some extent, the U.S. Department of Justice.

(Read on …)

Filed under: Current Events, Integrity, Policy | 5 Comments »

16 hackers got arrested in Quebec recently

By felixctc at 12:49 am on February 24, 2008 | 2 Comments

Recently, the police department in Quebec, Canada, busted an international hacking network. 16 people between the ages of 17 and 26 were arrested, and this was the biggest hacking scam in Canadian history according to the police. These hackers collaborated online to attack and take control of about one million computers all over the world that didn’t have a firewall or anti-virus software. Because of that, they injected Trojans or worms into those computers. The investigators mentioned that the hackers profited about 45 million dollars.
(Read on …)

Filed under: Current Events, Ethics, Integrity | 2 Comments »

Security Review: IE7 Protected Mode

By cbhacking at 12:57 am on February 11, 2008 | Comments Off on Security Review: IE7 Protected Mode

The latest version (7) of Microsoft’s Internet Explorer web browser, like their latest Windows (Vista) operating system, is supposed to be the most secure version in the product’s history. A complete security review of either IE7 or Vista is outside the scope of this post, but there is one very interesting security feature found at the intersection of the two, called “Protected Mode.” Presented as a feature intended to limit the possible damage even if every other security feature in IE7 fails, Protected Mode limits the browser’s ability to modify the system in case of an attack while preserving the ability to execute other tasks, such as downloading files and allowing helper programs, plug-ins, and the user to interact with the browser much as before. (Read on …)

Filed under: Integrity, Privacy, Security Reviews | Comments Off on Security Review: IE7 Protected Mode

Security Review: Deep Siren

By Chad at 10:33 pm on February 10, 2008 | Comments Off on Security Review: Deep Siren

According to Scientific American, the US Navy is considering deploying a new technology, Deep Siren, to improve communication to and from submerged submarines. As of now, submarines have to be no deeper than 60 feet and towing a floating antenna behind them before they can communicate with the outside world. This makes the submarines far less agile and much easier to detect. The Deep Siren System will theoretically allow subs to communicate at any depth and speed.
(Read on …)

Filed under: Integrity, Physical Security, Privacy, Security Reviews | Comments Off on Security Review: Deep Siren

Security Review: Mac OS X Dashboard Widgets

By jimg at 6:28 pm on | 1 Comment

The Mac OS X Dashboard is a platform for developing small applications, or Widgets, that can be accessed and hidden quickly at any time within the OS. Common widget tasks include simple calendars, calculators, games, weather tracking, and system monitoring. There are thousands of user-created widgets available for download through apple.com and other sites. Widgets are built using standard web technologies such as CSS, HTML and JavaScript. However, they also contain hooks into the local system, allowing them file system access, access to compiled C code, and shell command access. These hooks are facilitated by the operating system running the widget instances and create a plethora of security concerns. (Read on …)

Filed under: Integrity, Privacy, Security Reviews | 1 Comment »

Diebold/Premier Voting Machine Key Copied

By esoteric at 4:26 pm on February 7, 2008 | 3 Comments

Adding to the current furor of news surrounding the issue of electronic voting machines, an egregious mistake by American voting machine producer Diebold (now known as Premier Election Systems) has led to heightened doubts concerning the integrity of electronic voting.

Diebold has a history of security mishaps dating back to 2003, when they posted the source code for their voting software on a public FTP site. The availability of this code led to the discovery of an exploit in 2004 that would allow for the manipulation of votes as they are tabulated at a central location.

In the company’s most recent debacle, the first major issue of note is that the same physical key can be used to open the locks on all of the touch-screen voting machines that Diebold produces. Secondly, Diebold unwittingly posted a picture of this key on their website on a page that described how replacement keys can be ordered by official account holders. Ross Kinard of sploitcast.com was able to construct several keys based on this image that proved to successfully unlock a test voting machine.

The implication of this security breach is that it is now much easier for an adversary to gain physical access to the innards of a voting machine and attack it by modifying the software via a flash drive or by altering the hardware. This could result in misappropriated votes or denial of service attacks where people’s votes are rendered useless.

Many policy makers are lobbying to make a return to paper ballots, which arguably have fewer undetectable vulnerabilities, but are more tedious to deal with. It is unclear whether electronic voting machines will continue to be used in future or not, but serious changes need to be made before they become even remotely secure. In addition, companies like Diebold/Premier rely on their reputations, and they must earn and maintain the trust of the public in order to be successful.

Youtube video of a homemade key opening the lock on a Diebold electronic voting machine:

http://youtube.com/watch?v=UfGvSJA20-Y

Filed under: Current Events, Integrity, Physical Security | 3 Comments »

Maryland abandons e-voting machines for paper ballots

By cbhacking at 1:03 am on January 22, 2008 | 3 Comments

The state of Maryland has decided, after spending $65 million on electronic voting machines made by Premier (formerly known as Diebold) Election Systems, to spend another $20 million on optical-scan machines that read paper ballots. The reason for this incredible expenditure of taxpayer money, which the state will be paying off until at least 2014? Security concerns about the purely computerized voting machines. (Read on …)

Filed under: Current Events, Integrity, Physical Security, Policy | 3 Comments »