Current Event: Biometric Identification Cards Distributed in the UK, But No Readers

By seraphim at 11:32 am on February 6, 2009 | Comments Off

A recent article from silicon.com details the recent issuance of £4.7 billion worth of ID cards containing biometric and biographical data to people of the UK. Critics of the plan are quickly pointing out that with no readers in place, the new cards are no more useful than traditional photo ID. The UK government has also stated that it has no concrete plans to implement the readers, but instead will allow individual organizations to purchase and implement them on their own. This raises a number of issues and questions about government efficiency versus individual choice versus comprehensive security. One thing is for sure – without any readers in place, this schema gives no extra security and is essentially a waste of money.


Filed under: Current Events, Miscellaneous, Privacy | Comments Off

Arrested in Washington? Give us your DNA!

By eapter at 5:04 pm on February 5, 2009 | 2 Comments

As I found on Slashdot, a controversial piece of legislation is being considered that would allow for the collection of DNA from arrested persons. The DNA may be collected prior to the arrested person being charged with a crime, and the arrest can be for crimes as minor as shoplifting. The DNA would be sent to State Patrol and FBI databases, where it would be compared against DNA collected in unsolved crimes. If the person who was arrested is not charged, is not convicted, or has her conviction overthrown, her DNA would be destroyed.


Filed under: Current Events, Miscellaneous, Policy | 2 Comments

Security Review: Cryptography

By lee at 2:02 am on February 2, 2009 | 2 Comments

Filed under: Miscellaneous | 2 Comments

New Zealand man accesses US military secrets

By alyssa86 at 6:14 pm on January 30, 2009 | Comments Off

According to an article from New Zealand’s ONE news, one of their citizens, Chris Ogle, recently purchased an iPod from a thrift shop with detailed information about some of the US soldiers. This information has included social security numbers, information about where they are stationed, as well as current cell phone numbers. Each file had a disclaimer reading that the release of its contents was “…prohibited by federal law”. Whoever donated the iPod has obviously broken this disclaimer; if they didn’t want the files to be found they could have destroyed the iPod or, better yet, erased the files. According to the story, many of the files are dated 2005, but regardless of the year people’s personal information is not necessarily likely to change (i.e. their social security number); in the wrong hands this information could potentially harm the soldiers by, in the most extreme case, giving away locations to military bases or, in a more likely case, giving someone enough information to commit identity fraud. The man has said that he would be happy to give the iPod back to the US government if asked, which seems to me would be the appropriate response for the government to take to protect the security of their soldiers’ personal information.

Filed under: Miscellaneous | Comments Off

Current Event: OMG, The Real World Is Actually Like the Spy Movies

By justine at 5:37 pm on | 1 Comment

Today’s Seattle Times reports of an Oregon ex-CIA agent who had been selling the identities of other CIA agents to the Russians – from his jail cell. Not only am I surprised that he had already been convicted (in 1996) but managed to continue, but also that “the spy wars between Russia and the United States did not stop with the end of the Cold War and the collapse of the Soviet Union in 1991.” (!!!)

The story reveals security problems both on behalf of the government, and on behalf of this former agent, Harold Nicholson. On the government’s behalf, we are reminded that all security is based on some level of trust – and with a large program like the CIA, it is hard to ensure that every agent can be 100% trusted, no matter how hard they are screened. Nicholson clearly should not have been trusted. As for Nicholson, he had been sending secret messages through his son, which his son then physically traded with Russian agents for cash. What tipped the US government to this process? They didn’t figure out exactly what was said in the messages, but the rise in communication between the two, and the son’s frequent international travel tipped them off to the fact that something was going on. Strange messages – like biblical verses – started appearing in their letters. Sometimes, it’s not that the entire message leaks, but external information can tip an outsider to the fact that *something* is going on – and then they can make a pretty good guess as to what.

For us as students, this is a reminder that Security, while not only fun to pretend we are lock-breaker hackers like in the movies, is actually relevant to real lock-breaker hacker secret agents, who are not in the movies, but real. While our only personal exposure to security may be adding a password to our email, or at the most crucial keeping our Social Security Number and Bank Accounts secret, there are reasons that extremely strong security is necessary. For those in the CIA, they don’t worry that someone is trying to decrypt their messages, they know that someone is trying to decrypt their messages. They don’t hypothetically consider trust, and then tell their best friend their passwords – too much is on the line.

I guess I’m finally convinced that security really really is valuable.

Filed under: Miscellaneous | 1 Comment

Security Review: Advertisements That Watch You

By eapter at 4:22 pm on | 5 Comments

The Associated Press reports that there is a growing chance that, while watching an advertisement on a video screen in a public place, the advertisement may also be watching you. Following a trend of increasingly prevalent automatic public monitoring, from security cameras to red-light cameras, advertisements may now attempt to identify the people watching them. This is done with small cameras that can be embedded either in or around the advertising video screen. The output from the cameras is fed into software which attempts to identify certain characteristics about the watcher. This includes both personal characteristics such as age, gender, and ethnicity and behavioral characteristics such as the amount of time spent watching the advertisement.


Filed under: Miscellaneous | 5 Comments

Security Review: Pandemic Prevention

By hmu2 at 3:08 pm on | 2 Comments

According to a New Scientist article, a company called Biorics wants to control the spread of pandemic disease by dispersing “cough-detecting” microphones throughout airport lounges. The proposed technology would detect coughing passengers and distinguish a common-cold-like cough from one that could be a symptom of a serious and spreadable disease. In 1998, a group of scientists from the Nippon Medical School in Tokyo, Japan showed that they could discriminate between productive and non-productive coughs, where a productive cough is usually accompanied by the expulsion of phlegm (i.e. a sick person’s cough). Biorics used this research to develop a system that theoretically could detect a sick traveler in an airport and stop the spread of a possibly devastating disease.


Filed under: Ethics, Miscellaneous, Policy, Security Reviews | 2 Comments

Windows Mobile Bluetooth Security Vulnerability

By zhaoz at 1:18 am on | 2 Comments

A recent vulnerability discovered in the Windows Mobile Bluetooth server allows access to all files. This vulnerability is a simple directory traversing problem; simply using “../” or “..\\” allows for traversal outside of the directory. Users of Windows Mobile 6 and the Bluetooth OBEX-FTP server are vulnerable. Most Windows Mobile 6 devices come with the default stack.

Windows Mobile 6 is the current generation of Windows Mobile produced by Microsoft.

This is a fairly serious vulnerability since attackers could copy or upload arbitrary files to any directory on the device. Possible avenues could include viruses, loggers, and trojans. However, the issue is mitigated by the fact that (as with most Bluetooth devices) the device must be paired before any communications can transpire. This usually requires the consent of the owner.

Since parent directory traversal issues are well known and implemented in almost any server (e.g. web servers), it is surprising that such a vulnerability was able to pass through testing. Although it is required that the owner give consent to any pairing, it is unlikely that the owner would like to give arbitrary access to all files on his device. A security review should have found this issue, since file servers and directory traversal tend to go hand in hand.

Hopefully, this vulnerability will be addressed soon and give enough of a kick to Microsoft to look into any other vulnerabilities that the Mobile 6 platform may have. This is not the only security issue to have been found on the Bluetooth stack. A denial of service vulnerability was found in the way Bluetooth device names were advertised, allowing attackers to reboot the device remotely.


Filed under: Miscellaneous | 2 Comments
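The post above describes the bug class without showing what a file server's path check must do. The following is an added example, not code from the post or from the Windows Mobile OBEX-FTP server: it models a share served from a constructed in-memory device layout, puts the naive "join and hope" resolution beside a containment check that normalizes the path first, and folds `\` to `/` because the post notes that `..\` works as well as `../`. `SHARE_ROOT`, `DEVICE_FILES` and the helper names are constructed for the illustration.

```python
import posixpath
import re
from typing import Callable, Optional

# Constructed scenario: the server is meant to expose only SHARE_ROOT,
# but the device also holds files outside it.
SHARE_ROOT = "/share"
DEVICE_FILES = {
    "/share/notes.txt": b"public notes",
    "/share/photos/cat.jpg": b"\xff\xd8 jpeg bytes",
    "/secret/contacts.db": b"private contacts",
}

_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def naive_resolve(root: str, requested: str) -> str:
    """Model of the flaw the post describes: append the client-supplied name
    to the share root and let '..' segments walk wherever they like."""
    return posixpath.normpath(posixpath.join(root, requested.replace("\\", "/")))


def safe_resolve(root: str, requested: str) -> Optional[str]:
    """Return the resolved path if it stays inside root, otherwise None."""
    if "\x00" in requested:
        return None
    # Fold both separators: the vulnerable server ran on Windows.
    name = requested.replace("\\", "/")
    # Clients may only name things relative to the share.
    if name.startswith("/") or _DRIVE_LETTER.match(name):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Containment is checked after normalization, so 'a/../../x' is caught
    # even though it does not start with '..'.
    prefix = root if root.endswith("/") else root + "/"
    if candidate != root and not candidate.startswith(prefix):
        return None
    return candidate


def read_file(resolver: Callable[[str, str], Optional[str]],
              requested: str) -> Optional[bytes]:
    """Serve a GET for `requested` from the share through the given resolver."""
    path = resolver(SHARE_ROOT, requested)
    if path is None:
        return None
    return DEVICE_FILES.get(path)


if __name__ == "__main__":
    for req in ("notes.txt", "../secret/contacts.db", "..\\secret\\contacts.db"):
        print(f"{req!r:26} naive={read_file(naive_resolve, req)!r:22} "
              f"safe={read_file(safe_resolve, req)!r}")
```

The check rejects by containment rather than by scanning for a `..` substring, which is the mistake that usually survives testing: a blacklist misses `..\`, mixed separators, or a path that dips out and back in. The same shape applies to any file-serving protocol, not only OBEX.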

Data Breach at Heartland

By sunetrad at 1:14 pm on January 26, 2009 | 4 Comments

A New Jersey-based payment card processing company, Heartland Payment Systems Inc., admitted last week to a data breach into their system. In what may rank as one of the largest compromises of payment card information, Heartland disclosed that intruders had hacked into their systems and planted malware that they had then used to steal debit and credit card data. What the folks over at Heartland remain unaware of is how the attackers launched the attack or how long the malware has been in their systems.

This is a grave matter for this company and its 250,000 business customers for which it processes around 100 million transactions every month. This is being compared to the attack on TJX in 2007 when around forty-five million cards were compromised. So how successful were the attackers in getting the data they wanted in this case? According to reports from Heartland, the intruders were able to capture card account numbers, expiration dates and in some cases, the customers’ names as well. The malware installed on the system allowed them to sniff unencrypted data as the transactions were being processed in Heartland’s system.

What the thieves were not able to get their hands on were the Personal Identification Numbers (PINs) and the addresses of the card holders. This is generally the information that they need to withdraw funds from the victims’ accounts online or on the phone. Heartland also stated that although this information was not compromised, the attacker could duplicate the data stolen and clone the debit or credit card and then swipe it at any location to extract funds.

Reading about this incident made me think of all the times I went to Starbucks and used my debit card. I didn’t have to enter my PIN, and the cashier never asked me for my ID or took my signature. All he/she did was swipe my card. Many people do not track their transactions daily and hence a thief could easily get away with small withdrawals like this for a period of time if he was successfully able to clone the card with the stolen data. There is risk involved in this approach, like being caught under surveillance, but many businesses that do not enforce security measures as mentioned above just clear the way for attackers. The “two-factor authentication” technique would definitely be more effective in this case.

What I also found interesting in this article was that Heartland was not able to detect this attack for a long time until it was brought to their notice by Visa and MasterCard who discovered the suspicious activity. This caused the malware to run for a longer time and hence compromise more data. Also, the attackers chose a card processing company instead of a retailer, and this shows that they wanted their attack to be more effective as more transactions would be going through the card processor than its customer.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam,_malware_and_vulnerabilities&articleId=332977&taxonomyId=85&intsrc=kc_top

Filed under: Miscellaneous | 4 Comments

Obama’s Blackberry Security Review

By couvb at 5:33 pm on January 23, 2009 | 9 Comments

It looks like, after much debate, Obama will be allowed to continue to use a smart phone (from most articles I have read, it seems unclear whether the phone will still be the Blackberry he seemed to like so much, or if it will be an NSA-approved smart phone, or a combination of the two). Much of the debate centered around whether a Blackberry could be made secure enough for the President’s day-to-day use. For example, Obama would not want a highly sensitive conversation with the Secretary of Defense to be heard by anyone trying to listen in. Smart phones can also deal with email and the internet in general, which opens up the possibility of an exploit coming from there. Smart phones also have GPS receivers, and are in essentially constant contact with cell towers, both providing methods to track the phone.

Filed under: Miscellaneous, Security Reviews | 9 Comments