Current Event : Keyboard hacking (from thin air!)

By kosh at 10:43 pm on March 13, 2009

Move over, scanning the keyboard with infra-red cameras for heat signatures, listening to keystrokes and simple shoulder surfing.

Say hello to hacking through thin air or electromagnetic waves, rather. Apparently, all keyboards generate unique electromagnetic waves for every single key pressed and these are really easy to pick up even with some inexpensive antennae. Of course, a lot of this is only possible under ideal conditions where there isn’t much interference from other devices. Here are some videos that demonstrate the attack –

Edit: Looks like embedding is disabled here. Please visit the links below for the videos

Sources :

Computer world

Ecole Polytechnique Federale de Lausanne

Filed under: Miscellaneous, Policy

Researchers develop security flaw scanner for use during Development

By asekine at 4:27 pm

http://www.sciencedaily.com/releases/2009/02/090224133010.htm

Summary

Researchers have proposed and started testing a new system for helping to identify potential bugs and security flaws during the development cycle of software development.  It works to help the development team identify and prioritize potential targets and weaknesses, and encourage a wider breadth of understanding for each member of the team.

Assets / Security goals:

  • The goal of this method is to help developers to explore the potential vulnerabilities in a proposed system/feature. This encourages keeping security a priority for the project from the beginning, during the design phase.
  • To ensure that all people working on the project understand the potential risks associated with the features that they will be working on, and to ensure the diversity of people’s knowledge is taken advantage of.

Potential adversaries / threats

  • Any adversary that wants to take advantage of this system would have an interest in observing/subverting this process being undergone.
  • Unscrupulous employees could bias the results of this process by drawing attention away from real issues.

Potential weaknesses

  • This method relies on the knowledge of those involved in the design process. It’s quite possible for these people to lack knowledge of attack methods that could be used against the product being designed, as it’s unlikely for any single team to contain experts in every possible attack method.
  • This method only outlines the potential security threats posed by the features during the design phase. During actual development/implementation, the actual threats and vulnerabilities may change, and these aren’t addressed using this method.

Potential Defenses

  • This procedure should be used in conjunction with other risk and security analysis tools to ensure the broadest range of coverage
  • Evaluations such as this should be repeated at regular intervals with a changing group of participants. The variability would encourage new ideas and provide newly discovered vulnerabilities to be discussed at length.

Given the difficulty of quantifying risks and potential security threats of any new product, this method is a good way to encourage the security mindset from the get go. The effectiveness of this method is entirely dependent on those who participate, but it does encourage the kind of thought necessary to protect systems from attackers.

Filed under: Miscellaneous, Security Reviews

Security Review: UW Parking Enforcement

By ezwelty at 3:32 pm

The parking at the University of Washington has always been a deadly game of cat and mouse between driver and parking enforcement. There are limited parking resources on campus, and parking enforcement wants to make sure that they are maximizing their revenue for the spaces they have available. On the flip side, poor students/faculty are trying to get away with parking their cars/motorcycles free of charge.

There are a few assets that parking enforcement wants to protect. One is their revenue stream — making sure that they are receiving money for the parking that is available. Another is the availability of spaces, so that legitimate paying customers won’t be turned away at the door if the lots are oversold. In both cases, the adversary is the driver trying to cheat the system (aka, me).

One weakness of the system stems from having way more parking spots than there are parking enforcement officials. While this can work in a cheater’s favor in general, the longer one spends in the same spot, the more likely they are to be eventually ticketed. This might assume someone illegally parked would stay shorter — but then they have the added overhead of having to move their car frequently. One way that they can combat this is to deploy resources first towards the most high-traffic lots, and then check less frequently at satellite lots.

Another weakness of the system involves procedures for contesting tickets through the parking department. Any ticket can be contested through the office, and last checked, they had an average turnaround of 3-6 months, no doubt due to bureaucratic inefficiencies. If an adversary were to contest a ticket, they wouldn’t have to pay it for months, and would be likely to get it fined. One could also try sending in a longer letter to the department as to why they deserve to not get the ticket, in order to push it to the back of the queue for processing.

In the future, there might be an emphasis on more high-tech solutions (such as cameras) to quickly monitor parking lots and possibly detect cheaters. For the time being, however, there are some vulnerabilities in the parking system that allow attackers to get away with free campus parking undetected.

Filed under: Ethics, Integrity, Miscellaneous, Security Reviews

Security Review: iTunes DAAP Authentication

By justine at 10:57 am

I am, at the moment of writing this, sitting in Cafe Solstice on the Ave. There are probably about a dozen computers in here, and judging from my neighbor’s screen, 4 of them are running iTunes with the “sharing” feature (via Apple’s Digital Audio Access Protocol – DAAP) turned on, which allows them to stream audio files off each other’s computers, but not to download them. What’s to stop these young coffee-drinkers from forming their own small-scale (illegal) filesharing network? DAAP’s authentication mechanisms, which have grown increasingly more secure with successive versions of iTunes, have yet to be broken in their latest form.

Previous authentication protocols integrated into DAAP used either an MD5 hash or a custom hashing algorithm to encrypt the streaming music. Both methods were later cracked, leading to programs such as OurTunes, which allowed listeners on the network to save the mp3s made available over DAAP to their hard drives. Programs like this were extremely popular on large public networks like those at universities.

The current version forces the connecting hosts to authenticate through an Apple-controlled Certificate Authority, which can then exchange trusted public keys. This effectively blocks third-party applications (like OurTunes) from participating in iTunes file sharing. Because the official iTunes application does not permit saving the shared files, the mp3 sharing is effectively blocked.

Assets/Security Goals:

* The assets involved are the audio files on the users’ computers. Users themselves, who have the option of turning sharing “off” or “on”, aren’t really the focus of this encryption functionality; intellectual property owners are worried about rampant copying of their files without receiving compensation for their works. The goal is really to protect copyrighted material from being copied – and along the way, all material is encrypted and blocked from download, regardless of copyright status or the user’s intent.
* Still, it is important to keep in mind the assets on the user’s computer. Having done a lab on network security, we all now know the risks of allowing an external computer to provide commands or access data from a secured machine. It is important to make sure that all files on the computer that are not supposed to be shared are secured from external access, and furthermore, that no one can provide commands to or take control of the machine.

Adversaries/Threats:

* Large scale piracy operations don’t really operate through iTunes. The big threat for mp3 theft is lazy, normal people, unwilling to pay for music if they can get it for free across the network.
* As far as security of other files and the user’s machine, any hacker with malicious intent, who may want to steal the user’s data, or just mess with their computer.

Weaknesses:

* So far, it’s quite difficult to see any weaknesses – this version of encryption has been out for some time and has yet to be broken. Still, while the usage of the CA is theoretically secure, all implementations are written by imperfect humans. It may be that there is a bug somewhere or a potential hack. Perhaps there will be a way to spoof as a valid iTunes client and register with the CA. Perhaps there will be a flaw allowing a third-party machine to spoof as a CA and provide keys to invalid clients. Perhaps by intercepting the packets for key exchanges enough times, hackers will learn about proprietary algorithms being used and find a weakness in that. It’s yet to be seen.

Potential defenses:

* The community trying to break the DAAP encryption is rather public about their efforts – and when a client is released, it will be rather easy to see what flaws they are exploiting. No doubt, Apple is already watching reports as they show up online, and allowing the real hackers to investigate flaws for them – which Apple can rapidly patch through automatic updates.
* Artists obsessed with being paid for every single mp3 they release could just stop releasing CDs and recorded music, or playing music at all. That way their fans will stop trying to steal it.

Evaluation:

DAAP so far has been frustratingly secure! Not only can I not steal mp3s from my neighbors in the coffee shop, but I can’t even listen to their music streaming, because iTunes isn’t available for Linux.

Filed under: Miscellaneous

Security Review: Cell Phone Projectors

By hmu2 at 9:24 am

Authors: Heather Underwood & Guy Bordelon

As mobile phones continue to become one of the most popular, universal, and comprehensive computing devices, researchers and mobile phone companies are enthralled with adding more features. As described in a recent article by the New Scientist, the feasibility of including a projector on a mobile phone is becoming a reality. The new projector chip that TI released a few weeks ago dramatically improves upon last year’s low resolution model by adding more mirrors to increase the resolution to 850 by 480 pixels (comparable to a DVD player). This new model also works better in most lighting conditions and can show a 2 hour movie on a single battery charge. Having mobile phone projectors provides many exciting opportunities, but also creates some interesting security challenges. Some of these challenges are not critical security issues, but could cause frustrating or embarrassing situations.

Assets/Security Goals:

  • The mobile phone projector would provide easier sharing of presentations, photos, videos, etc.
  • Low power consumption would allow for mobile presentations and viewing without having to recharge batteries or be near a power outlet.
  • The dual display will allow users to view private information on the little screen on their phone while displaying public information on the projection screen. This security measure will enhance presentations by allowing the user to view notes or comments while displaying slides or have other sorts of private captioning for private viewing while different content is being projected.

Adversaries/Threats:

  • An adversary of the mobile phone projector could use the projector and other phone functionality like video to project real-time activity to a group. For instance, voyeurs could capture content from a distance using zoom camera/video features and project the inappropriate content in real time. The content could also be recorded and then displayed at a later time to blackmail or embarrass the victim.
  • Another possible threat is theft. If a phone is stolen and the projector has been projecting the same image, say a bank statement, for a very long time or is very often projecting that image, a clever thief could gain information from the image impression on the lens. This would most likely occur on older projector phones where the lens is sufficiently worn.

Weaknesses:

  • One possible weakness is that personal and private information could be maliciously projected without the phone owner’s permission. If appropriate checks are not in place, the owner could also accidentally display his private information in an inappropriate setting.
  • The projector also opens up a new way for people to be incredibly obnoxious. The weakness here is not ensuring the security of people’s privacy and their sanity in public places. Projections of videos and photos in a restaurant or movie theater would be incredibly rude and distracting.
  • Another weakness is there is no limitation on the content the projector projects or the context in which it is projected. This weakness may not be readily solved by implementing greater security measures, but could end up relying on a social protocol that may or may not keep discriminating, hateful, or indecent material from being projected everywhere.

Potential defenses:

  • One potential defense is to have a password to use the projector so only the owner can access and project the content on their phone. This security measure does not protect against the owner knowingly projecting indecent or private information however.
  • The projector should also require a confirmation screen before projecting the selected content. This security measure would hopefully eliminate accidental display of private or indecent information on the projector.
  • A solution for reducing the use of the projector in public places, besides signs and glaring looks from other customers, could be sensors (on the phone and at the restaurant) that could detect and essentially disable projection of phone content.

Evaluation:

The main goal of this device is to make accessing and viewing content easier and more available for entertainment and larger scale purposes. The projector was not designed to provide added security to mobile phones and thus there are few security goals, however, because security was not a main concern when developing this device, there are multiple security flaws that were not taken into account. We think this technology will very likely become a standard feature of mobile phones. Teenagers especially will drool over being able to project their Facebook pictures and YouTube videos larger than life in any place they want. We also think that tech-savvy business people will utilize this tool for portable presentations. This device also has many applications in the developing world where power consumption, carrying heavy video equipment and easily watching educational videos is often a problem. There are obviously ethical questions involved with this device in regards to what content is appropriate to project, however, there are many devices that have advanced technology and failed to account for all possible ethical misuses.
Although there may be some technological solutions to the security vulnerabilities presented above, we think if the projector becomes a popular and ubiquitous feature of cell phones, the use of it will ultimately be governed by a social protocol and people being conscious of the content they are showing. The article suggests that requiring additional legislation for projected content could become necessary, but we are of the opinion that requiring legislation to prevent people from being stupid has never and will never work.

Filed under: Miscellaneous

Current Event: Google’s new behavioral based ads v.s. Privacy

By alexmeng at 6:49 am

Recently, Google released a new way for it to perform interest-based advertising to its users. It utilizes its users’ behavior to send them targeted ads. The question that arises is how do they obtain the users’ behavior?

Google saves previous search requests and page views.

This new information that Google collects about its users raised new privacy concerns given that Google already has lots of information on many users, especially if they use Google’s e-mail service, Gmail, which archives all messages sent to the account unless deleted. Privacy advocates are worried about Google having too much information about its users. Some are concerned about Google’s retention policy on user data as they keep it for 9 months while Yahoo holds it for 90 days.

The purpose of this new advertising is to generate more meaningful ads based on behavior; however, that also means receiving ads for items that you are not necessarily searching for at the moment. For example, if your search history was composed of searching for laptops, and you are on a site unrelated to technology, you can receive an ad for laptops given your past search history.

Privacy advocates are worried sensitive information can be pulled from monitoring behavioral information. Google rebuts, stating they do not intend to use it for other purposes and users can delete interest categories at will.

Ultimately, the underlying question is how much respect a company has for its users’ data. Will the company use it opportunistically or in the best interest of the user?

Given Google’s current standing in the public, and their motto: “Don’t be evil”, I believe there won’t be too much pushback on this issue from users, just as long as there isn’t any breaking news that Google sold all its information to telemarketers. This new advertising model is just another venue for Google to collect revenue.

Alex Meng, Jon Fung

Filed under: Miscellaneous

Second most dangerous virus?

By petermil at 2:36 am

Romanian firm SOFTWIN has released an update to their BitDefender security suite claiming to have created a vaccination for Conficker.

So what is Conficker?

Fast Stats:
Release Date: October 2008
Target Platform: Windows >= Windows 2000 (including Windows 7 Beta)
Exploited Program: Windows Server
Exploit Type: Buffer overflow
Worm Spread: 15,000,000+ PCs
Actions: Disable Windows Update, Security Center, Error Reporting, and Defender.  Connects to a server to receive further instructions.

More Detail:

Part of what makes this worm particularly insidious is how it connects to someplace online to get further instructions.  This means that it can actively change to address new desires and problems, as well as communicate with its peers. Microsoft even went so far as to create a specific group to combat this worm, as well as offering a $250000 reward for the capture of the author.

The title of the article comes from the fact that it is ranked second to the SQL Slammer worm of 2003.  It has spread to government machines in the UK and Germany (and quite possibly other nations, as well).  With so much of the world relying upon computerization these days, viruses sure can be a scary thing!

Source:  http://www.computerworld.com.au/article/279991/romanians_find_cure_conficker
Additional Source: Wikipedia

Filed under: Current Events, Miscellaneous

Current Event: Speculation about Upcoming Pwn2Own Hacking Contest

By justine at 7:02 pm on March 6, 2009

A recent article from Ars Technica, modded to high popularity on Digg, reports that last year’s Pwn2Own winner is predicting that Safari will be the first browser to crash in this month’s contest.

Pwn2Own, in Vancouver BC, is part of the CanSecWest security conference. It challenges hackers to find and exploit vulnerabilities in popular web browsers including Safari, Firefox, Google Chrome, Internet Explorer, and Opera; on popular platforms including Windows, Mac OS, and mobile phones. The first person to hack each machine gets to take it home. The article highlights two interesting facets of security research:

  • Encouraging “breaking” something makes it more secure. The Pwn2Own competition is motivated, not by malevolence, but by a desire to actually improve the software. This can be confusing to those outside the security community, who often see any attempt to hack as malicious – often creating disturbing headlines about well-meaning hackers being prosecuted legally. By providing a competition encouraging such behavior, the Pwn2Own competition is actually helping web browser developers to make their products more secure.
  • “Perceptions” of security are extremely important. This article was modded up extremely high on Digg – and why? Because some hacker “feels like” Safari is less secure. Talking about actual bugs and exploits is not interesting/understandable to readers, but they do care, in general terms, about whether a browser is more or less secure, even though they don’t know what exactly that means.

The implications of browser security are increasingly important as the browser wars continue, and as web-based applications are coming to dominate computing. With more and more people storing more of the information and performing more transactions online, the assets involved in securing online actions are extremely important. Furthermore, as 4 popular browsers are in competition, their relative security features are a major distinction for prospective users.

In about two weeks, the competition will take place right near our own school – sending hackers into a frenzy, and developers in a frenzy to fix the holes.

Filed under: Miscellaneous

Dementia patients may benefit from new technology – or will they?

By qwerty at 12:48 pm

New technology arising from the UK is focusing on helping the elderly through technology. In particular, they are creating devices which can help dementia patients be able to live on their own for longer. Typically, when people start suffering from dementia, or experiencing memory loss, it is vital that someone be appointed to watch over them to be sure they don’t unknowingly do something harmful or forget to do something vital. This could involve a family member living with them and watching after them 24/7, or moving to an inpatient center or nursing home, under the supervision of a nurse. Engineers at Bath University believe that computers can solve this problem, and help the family member or nurse, allowing the individual to stay at home longer.

The new technology involves a system integrated into the user’s home which has functions such as monitoring actions, speaking to you, turning off appliances, contacting help when needed, and even emailing a status to family members or caretakers. The system can remind you to turn off appliances or shut off the water if you forgot to, and can even turn them off itself if the user fails to comply. If the user unexpectedly gets up in the middle of the night, the system will turn the light on for you, and, if you are gone for long enough, will start talking to you and letting you know that “it seems a little late – don’t you think you should be getting back to bed?”

Filed under: Miscellaneous, Security Reviews

Current Event: Someone in Tehran Knows Something About the Presidential Helicopter

By eyezac at 2:08 pm on March 2, 2009

According to Slashdot, NBC News and msnbc.com report that Tiversa, a Pennsylvania-based security company, recently found extensive information about Marine One, the president’s helicopter, on a computer with a Tehran IP address. This information included “engineering and communications” specifications, as well as “entire blueprints and avionics package,” and “sensitive financial information about the cost of the helicopter.” The leak appears to have originated on one of the computers of a defense contractor in Maryland. An employee reportedly downloaded a file-sharing program onto a computer containing the sensitive information, not realizing that this would allow others around the world access to the computer’s hard drive.

Filed under: Miscellaneous