Taxpayer Data at IRS Remains Vulnerable

By yonderin at 3:24 pm on January 16, 2009 | 3 Comments

The Government Accountability Office (GAO) released a report last week
stating vulnerabilities in the security system used by the IRS to protect
taxpayer data. The report showed the IRS has a number of security issues
in the way that it protects sensitive data.

Some of the major security issues include: the IRS doesn’t encrypt certain
types of sensitive data, user IDs and passwords can be easily obtained by
any user on the network, and they don’t enforce strong password rules for
authenticating users.

A lack of an agency-wide security program and no annual review of risk
assessment are the root of many of these issues. As a result, the IRS is
especially vulnerable to attackers with inside information, which could expose
taxpayer and financial data.

The GAO cited several specific security problems. Among those were the
following: a contractor-maintained website has exposed usernames and passwords;
any authenticated user on the network has access to shared drives containing
sensitive data like taxpayer information and social security numbers;
financial information and account data were transferred from the IRS’s accounting
system without first being encrypted; and various security events at data
centers were inadequately logged.

The IRS is currently trying to improve its security system. They have taken
several steps to do this thus far, including better controls for authenticating
users, patching critical vulnerabilities quickly, and forming a better plan
for logging critical business processes.

IRS Commissioner Douglas Shulman responded to the GAO report, stating that data
security and privacy are of the utmost importance to the IRS, and said that
they would release a detailed corrective action plan stating how they would
fix the vulnerabilities discovered.

This report by the GAO followed the October release by the general for tax
administration that also criticised the IRS’s security controls. That report
was mostly critical of the security vulnerabilities found in the new $1 billion
system called CADE the IRS is rolling out to eventually manage all taxpayer
accounts. They were also critical of the $700 million system called AMS that
is designed to provide faster access to the taxpayer information stored in
the CADE database. The report cited several weaknesses with access control,
system access monitoring, and disaster recovery involving the CADE and AMS
systems, which pose a direct threat to sensitive taxpayer data.

With identity theft rising each year and more and more security breaches
occurring, keeping sensitive data safe is of the utmost importance. The IRS
databases contain sensitive information on almost every American citizen. The
IRS’s lack of security measures to protect the information of taxpayers could
result in a large security breach that could affect millions of Americans.
With such a poor security system in place, it is only a matter of time until
a security breach occurs unless the IRS acts quickly to implement an agency-wide
security plan to keep sensitive information secure.

The fact that these kinds of vulnerabilities exist in a government system
housing a wealth of sensitive data on millions of Americans demonstrates a
much larger issue today. Too few institutions are concerned with protecting the
sensitive data within their databases. Security is still an afterthought:
security patches are issued and holes are fixed, rather than developing a secure
system from the start. The new CADE and AMS systems the IRS is rolling out
are just another demonstration of how systems need to be designed with security
in mind from the start, and that simply is still not happening.

Filed under: Miscellaneous

Current Event: Security Vulnerability in Safari RSS

By sojc701 at 11:40 am on January 13, 2009 | 2 Comments

According to the open source programmer Brian Mastenbrook, he has found a security flaw in Safari RSS feeds. He said that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. The vulnerability affects both Mac and Windows versions of Safari. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites.

Mastenbrook reports that all users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox). Users of previous versions of Mac OS X are not affected. Users of Safari on Windows are also affected. Users who have Safari for Windows installed but do not use it for browsing are not affected.

Although the vulnerability has been acknowledged by Apple, Apple has not made information available on when a fix for this issue will be released.

Therefore, Mastenbrook recommends that users not use Safari as their default RSS reader.
For Mac users:
1. Open Safari and select Preferences… from the Safari menu.
2. Choose the RSS tab from the top of the Preferences window.
3. Click on the Default RSS reader pop-up and select an application other than Safari.
For Windows users, use a different web browser.

For more information, see http://brian.mastenbrook.net/display/27

Filed under: Current Events, Miscellaneous

Current Event: Lexus to begin sending messages directly to drivers

By seraphim at 5:57 pm on January 8, 2009 | 5 Comments

According to a recent article in USA Today, Lexus will begin including new technology to allow the company to send audio messages to the computers present in their cars. It appears to be similar to an e-mail system, where the user receives messages and can play them at his/her own discretion. This inclusion is simply part of an even larger electronic upgrade to the autos, simply known as Enform for now. While this definitely raises some concerns about how far into our lives marketing messages (i.e. spam) are allowed to be, it’s even more critical to be worried about what sorts of security measures will be implemented in their system.

(Read on …)

Filed under: Current Events, Miscellaneous, Policy

Security Review – Microsoft Live Mesh

By ankit at 9:00 pm on November 19, 2008 | 1 Comment

Introduction

Today the internet is not limited to just desktops and laptops. There has been a flurry of portable devices that can connect to the internet and allow for local storage and use of software applications. As users own more than one such web-enabled device, their data and applications get more and more distributed. Distribution of data also happens when multiple people are collaborating on some work. This need for data sharing and synchronization motivates the existence of a system which lets people manage shared data on various devices and with multiple collaborators.

Technology Overview

Live Mesh by Microsoft allows users to create a network of their web-enabled devices – mobile phones, laptops, desktops etc. – and have synchronized data on all of them. It also allows users to do a remote desktop from any device to another on this mesh and work on it. Basically the idea is that the user should be able to access his data from anywhere in the world. Besides this sync-up between devices, users are also provided with 5GB of space on Microsoft’s servers which they can access anytime through the internet. With this product, Microsoft is targeting the consumer market right now and has not focused on a business solution. Users are allowed to add other users to their mesh with access controls on the shared folders. The added users can sync up this data on their devices and work on it. The system allows the owner to view any updates about his mesh as “news” items on the mesh bar. People can give comments about the shared data in the news section, thus helping in collaboration. The authentication mechanism for the mesh is based on one’s Windows Live passport.

Stakeholders

Individuals are the biggest stakeholders since all their shared information is at stake. The information might contain secrets about financial or personal life which should not be shared, like credit card numbers, passwords, personal letters etc. Besides individuals, a lot of collaborative groups are direct stakeholders. These groups can range from a group of students collaborating on a project to a corporate team sharing company data. Hence in this case, the whole group is the stakeholder.

Assets/ security goals

The main asset is the data that is being shared between the devices, be it for individuals or for organizations. Loss of important financial details can be dangerous for both. On an individual level, illegal access to photographs or documents can reveal personal information like relationships, problems, habits etc. For the organization, confidential data can include collaborative work on certain projects, information about employees etc.

The security goals can be at three different levels – network, device and user. Data privacy depends a lot on the security of the network protocols used in the communication. This goal is mostly achieved because of the already available secure protocols. Given this big mesh of devices, a device authentication mechanism is also important. Also, the device should be secure enough to block any attempts by malware or hackers to break the security and access stored data. The same device may also be used by different users, in which case we need a good user authentication mechanism. Currently text passwords are used, but more secure means can be thought of.

Potential adversaries/threats

A major threat relates to shared data. This may arise from personal attacks against somebody or a business rivalry. Personal attacks can be from people in your social circle who try to hack your password to corrupt your data or just know secrets about you. These people have limited resources, but a big organization has access to a larger computing base and can use that to hack into another organization’s confidential data. Microsoft itself could be a potential adversary since it is controlling and has access to all the data transfer and connections between devices. The Mesh software may decide to contact the server regarding the information being passed on between devices to allow study of device interaction for further research. Another potential threat is from malware. Given that the devices are now connected in a very intimate way, any malware which gets access to one device can possibly spread at an exponential rate through the mesh. Device theft also presents a threat since the device has the latest copy of data from all other devices. The stolen device could be used to keep on syncing the data (I did not find documentation which said that a device can be blacklisted, but I guess this feature is already there). Since there is no authentication for the user to use the data locally, this can be a threat to data privacy.

Potential weaknesses

Dependence on a single password – The access to the whole device mesh for a user is controlled by his Windows Live passport. Hence loss of a single password can lead to loss of entire data on all the machines and the attacker may corrupt or destroy all the data. Given increased attacks on text-password schemes, this can be considered a big weakness.

Unencrypted data – The 5GB web space provided to users to maintain online data on Microsoft servers is protected by access control mechanisms but unencrypted. Any breach of these access controls gives the attacker access to this unprotected data of all users.

Potential defenses

Threats and weaknesses arising from a highly concentrated authentication system can be improved by building a distributed authentication mechanism. Instead of just one Mesh password allowing access to everything, we can use authentication on separate devices to access data synced from other machines. Having many passwords can present usability issues, so the best way will be to have biometrics-based passwords like a fingerprint or retinal scan. But this will depend a lot on the accuracy, robustness and feasibility of any such mechanism. To counter device theft problems, immediate blacklisting of devices by users can be allowed. The online web space provided to users can be encrypted and fragmented. This will prevent any data leaks due to access control failures. It was discussed earlier that Microsoft itself could be an adversary. To prevent that, data should be encrypted in a way that Microsoft does not know what the data is. It just stores and shares.

Risk evaluation

The highest probability threats are device thefts and rapid spread of malware. The former will lead to access to all synced-up data and hence asks for a higher security model. On the existing network of desktops, servers and laptops, there is already innumerable malware. With the rapid increase in the number of portable web-enabled devices connected to each other, rapid spread is more likely. This will amplify the existing malware problems like spam, denial of service attacks etc. Thus, higher security and monitoring mechanisms are required on the devices. Given the reliance of Windows Live passport on strong cryptographic schemes, hacking the password seems less probable, but it may happen by people looking over shoulders or use of key-loggers etc. This threat has the highest cost because the entire mesh is dependent on this. Thus the risk presented by the authentication mechanism is high and it needs to be made more secure. Microsoft itself acting as adversary is less probable given that the current product is oriented to consumers, with whom the company is not likely to hold rivalry. Hence this risk is low now, but it will not be the case if organizations are involved instead of individuals. Lastly, the risk presented by consumers storing unencrypted data behind access controls on servers is not high, given that the data is not highly sensitive and that good access control mechanisms are in place.

Future and bigger picture

Live Mesh is only the start. With myriad portable devices coming up which can communicate with each other, the need to share and access data from anywhere will always exist. We can visualize a world where the data is not localized and is floating around on the internet between various servers. The access can be through portable devices like smart phones using biometric feature-based authentication. This model raises some important questions. Is the user comfortable with the idea of his data not being stored locally but maybe on a server thousands of miles away? A user study will probably help establish this. Is the system robust enough to allow for servers failing? This will involve crucial distributed computing issues. Lastly, when users rely on third parties to store and share data for them, they will want the data to remain private from these parties. The user security model should match the security model of the system.

Conclusion

Live Mesh is a nice system allowing for connecting all one’s devices together and accessing data on any one of them. While the current version is secure enough for individual consumers, it is still not at the level where big organizations will want to use it because of the high stakes involved. The major limitations are a centralized authentication system based on a text password and storage of unencrypted data on servers. We have discussed the ways in which these can be improved. For providing a business solution, a lot of new features will have to be added for more security and collaboration and for ensuring that Microsoft has no knowledge about the stored and shared data. In all, Live Mesh is a great step towards a future of unified technology at human disposal.
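The defense the review proposes for the "Microsoft as adversary" and "unencrypted web space" weaknesses is that data be encrypted before it reaches the server so the provider "just stores and shares". The following is an added illustration of that idea, not Live Mesh code or anything Microsoft published: a client encrypts each document with AES-256-GCM under a key derived from a user secret the server never sees, binds the folder path in as associated data, and the server stores only nonce and ciphertext. The key derivation (a plain SHA-256 of the secret), the folder names and the sample document are constructed for the example; a real client would use a salted, slow KDF.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// StoredObject is all the (untrusted) storage server ever receives:
// a nonce and the ciphertext with its authentication tag. No key, no plaintext.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// deriveKey turns the user's secret into a 256-bit AES key. This is a
// stand-in for illustration only: a real client would use a salted, slow
// KDF (PBKDF2/Argon2) and never send the secret or the key to the server.
func deriveKey(secret []byte) []byte {
	k := sha256.Sum256(secret)
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext on the client with AES-256-GCM. The folder path is
// bound in as associated data, so a ciphertext the server moves to another
// folder will no longer decrypt.
func Seal(key, plaintext []byte, folder string) (StoredObject, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(folder))
	return StoredObject{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the client and verifies the tag; a wrong key, a modified
// byte, or a changed folder binding all fail with an error.
func Open(key []byte, obj StoredObject, folder string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(obj.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(folder))
}

// ServerCanRead models the provider inspecting what it stores: without the
// key it holds only ciphertext, so the document's bytes are not visible.
func ServerCanRead(obj StoredObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext)
}

// TamperDetected flips one stored byte (an access-control failure or a
// misbehaving server) and reports whether the client refuses the result.
func TamperDetected(key []byte, obj StoredObject, folder string) bool {
	tampered := StoredObject{
		Nonce:      append([]byte(nil), obj.Nonce...),
		Ciphertext: append([]byte(nil), obj.Ciphertext...),
	}
	tampered.Ciphertext[0] ^= 0x01
	_, err := Open(key, tampered, folder)
	return err != nil
}

func main() {
	// Constructed sample: a user's secret and a sensitive document.
	key := deriveKey([]byte("mesh-user-secret (constructed)"))
	doc := []byte("credit card 0000-0000-0000-0000 (constructed sample)")

	obj, err := Seal(key, doc, "/mesh/finance")
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores %d ciphertext bytes; plaintext visible: %v\n",
		len(obj.Ciphertext), ServerCanRead(obj, doc))
	fmt.Println("tampering detected:", TamperDetected(key, obj, "/mesh/finance"))
	_, err = Open(key, obj, "/mesh/public")
	fmt.Println("moved to another folder rejected:", err != nil)
	pt, _ := Open(key, obj, "/mesh/finance")
	fmt.Println("owner recovers document:", string(pt) == string(doc))
}
```

The point the review makes about access-control failures follows directly: if the server's access controls are breached, the attacker obtains the same opaque bytes the provider holds, and the "fragmentation" the review mentions would be a separate layer on top of this.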

Filed under: Miscellaneous

Security Review: Skinware

By kfm at 3:17 pm | Comments Off

Summary:

This security review is about a technology named Skinware (I learned about this at Grace Hopper; web searches were unable to uncover any real literature – I think it has been sold and, most likely, renamed). Skinware was developed at HP Labs as an alternative drug delivery mechanism.

The basic idea behind Skinware is to facilitate reliable and accurate medication using a programmable chip, some teensy micro-needles, thermal plastic, and some glue that attaches Skinware to you. As a patient, I would wear the Skinware patch (it’s about 1/8” thick) on my body – usually somewhere on my chest, between the shoulder and collarbone. There is a teensy programmable chip in the center of the patch, and this chip controls wires that heat up thermal plastic that is located below reservoirs that contain medications. As the plastic heats up, it expands and pushes the medicine out of the reservoir and into some micro-needles that deliver the meds into your epidermis (the plastic won’t shrink upon cooling). These micro-needles are so small they don’t even go deep enough into your skin to hit any nerves, so this should be a pain-free device.

Skinware is designed to address issues of people who forget (or skip) doses, unintentionally take the wrong dose, or who mix different medications. The chip can be set to release meds in smaller, more continuous doses throughout the day, and can be set to release multiple medications (from different reservoirs) at various times to avoid negative interactions. By being pain-free, people who don’t like needles would presumably not have the same problems with Skinware medications as they may have otherwise. The talk I heard even suggested using bio-feedback approach to medicine delivery, in which a monitoring device would be planted somewhere on your body (e.g. to measure blood sugar in diabetics) and when needed could communicate with the Skinware via bluetooth to instruct it to deliver medications.

Stakeholders:

Since this is a technology designed to make it more likely, easier, and less painful for patients to medicate themselves, an obvious stakeholder in Skinware is the patients themselves.

Other stakeholders include doctors and pharmacies; the idealized method of use for Skinware was that the doctor writes a prescription, which the patient takes to the pharmacy where the Skinware is programmed and the reservoirs are filled. Obviously, having the training for pharmacists and the technology to work with Skinware is crucial under this plan.

Stakeholders for Skinware also include HP Labs (or whatever medical devices company the technology was sold to), since there is intellectual property that they would like to protect and a profit to be made in medical devices. Indirect stakeholders also include the manufacturers of drugs, software, and hardware technology used in Skinware.

Assets and goals:

The drug itself is an asset, and protecting it is a goal, as with most medicines that require a prescription. In this context, protecting it means writing un-hackable software to ensure that the drugs are delivered as the doctor intended.

Another asset is patient privacy, and how to prevent eavesdropping (assuming the existence of biofeedback via bluetooth) is a goal. This could inform other people within range what types of medication the patient is taking, which could have negative consequences for the patient (depending on the medication), or even cause a threat in the sense that people may want to steal the patient’s Skinware for any drugs remaining inside.

Adversaries and threats:

One adversary is drug dealers/abusers. Assume a drug dealer has a way of obtaining Skinware, presumably via some nefarious deed, full of some desirable drug. Their goal would be to hack the Skinware to (maybe) deliver all of a particular drug at a single time – delivering a tremendous high, or causing overdose.

Another (not really) adversary would be the novice pharmacist, who could unintentionally misprogram someone’s Skinware. The threat here is that a well-meaning pharmacy worker writes buggy code, and a law-abiding patient ends up with the wrong medications at the wrong times, or in wrong doses.

Weaknesses:

One of the first weaknesses I can think of is its use of heat to release the drugs. Depending on how the technology works, I could imagine applying a hot iron to the back side of your Skinware to force it to release drugs at a particular time.

Another weakness has to do with using biofeedback and bluetooth devices to communicate with the Skinware. Imagine multiple patients with Skinware all in the same room, where all Skinware is listening to a single patient’s biofeedback. This would be problematic if the biofeedback instructs “Release more of medication A,” and other patients, who may or may not have medication A loaded (or is it installed? :-P) into their Skinware, end up with a software crash, or if the Skinware guesses and releases medication A’ as a substitute when it isn’t needed.

Defenses:

One thing that could be done to defend against certain types of drug abuse or improper drug interaction would be to have explicit hardware switches that prevent drug release of all the drugs at a single time, or of two particular drugs in unison. If this is possible, then it would prevent the first weakness listed above.

A defense against the bluetooth confusion that involves crossed signals would be to enforce a system that requires authentication before acting on a particular message from a biofeedback device, and using encryption to ensure that eavesdroppers do not have access to the messages being sent.

Risks:

There are several risks that I foresee for this technology, including unintended drug overdoses or drug interactions due to incorrectly programmed or malfunctioning devices. In the unfortunate circumstance that someone does have a bad interaction or overdose, it might be much harder to diagnose what went wrong; in the case of physical pills or injections, the patient or patient’s caregivers can usually tell if too many pills were taken or if an injection was administered improperly. One reason to use Skinware is that it is supposed to be easy and painless. However, by taking control away from the patient and requiring trust in the pharmacist, the patient is now at risk of mistakes made by the pharmacist, and the pharmacist is at risk of increased liability. In addition, patients may forget to change their Skinware on the appropriate schedule or accidentally wear multiple Skinware patches at one time. Of these problems, the former (forgetting) seems more likely to occur among busy people, while the latter (multi-patch mistakes) seems more likely to occur among the elderly. Both of these problems are also present using pills, but the ease of use may make it easier to forget, since people won’t be thinking about it, and the elderly may have difficulty understanding how the patches work.

As mentioned earlier in this review, there are privacy risks and “hack-ability” issues associated with communicating via bluetooth, but those issues could be resolved before that component of this product hits the market; if it ever does.

As far as drug abuse issues are concerned, I think that it is unlikely that Skinware will become an attractive target for abuse. While it may not be totally resistant to attacks, it is likely more difficult to obtain Skinware patches, and even if they are obtained, there may not be enough medication inside to make the payoff worth the effort.

Conclusions:

Skinware is designed to improve health care by providing easy to use, pain-free medication delivery in a manner that can be much healthier for the patient. Not only can Skinware accommodate timed releases and smaller, more frequent doses, but it can time these doses in a way that prevents drug mixing and that does not inconvenience the patient.

Alternatively, most risks involved with using Skinware seem somewhat minor. Although pharmacies and doctors will require more training, and patients could be likely to forget or otherwise unintentionally misuse their Skinware, this can happen just as easily with current medications. The drug abuse risk here seems very low or minor when compared to pills or injections (although I’m not at all informed about these things).

The one caveat I have regarding Skinware is the use of bluetooth technology to provide biofeedback or other information about when and how to release medication. Before this component of the technology is released, much care should be taken to ensure the privacy and safety of the patient at all times. Ultimately, I conclude that the benefits of Skinware outweigh the risks, and it would be interesting to see this technology hit the markets and succeed.
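The crossed-signals weakness and the "authenticate before acting" defense in the review above can be made concrete. What follows is an added example, not Skinware code and not anything from HP Labs: each release command from a biofeedback monitor carries the target patch's identifier, a strictly increasing counter and an HMAC-SHA256 tag under a pairing key shared with exactly one patch. The patch acts only if the command is addressed to it, the tag verifies, the counter is fresh, and the named reservoir is actually installed; otherwise it refuses rather than guessing a substitute. The Bluetooth link, the pairing key being set at the pharmacy, the message layout and the two-patient scenario are all assumptions of the example, and it covers only the authentication half of the defense (encrypting the messages against eavesdroppers is not shown).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a release instruction as a biofeedback monitor would send it
// over the (assumed) Bluetooth link. The field layout is a constructed example.
type Command struct {
	PatchID   uint32 // intended recipient patch
	Counter   uint64 // strictly increasing per monitor, defeats replay
	Reservoir byte   // which medication reservoir to drive
	DoseUnits uint16
	Tag       []byte // HMAC-SHA256 over the fields above
}

// payload serialises the authenticated fields in a fixed order.
func (c Command) payload() []byte {
	buf := make([]byte, 4+8+1+2)
	binary.BigEndian.PutUint32(buf[0:], c.PatchID)
	binary.BigEndian.PutUint64(buf[4:], c.Counter)
	buf[12] = c.Reservoir
	binary.BigEndian.PutUint16(buf[13:], c.DoseUnits)
	return buf
}

// Sign is the monitor's side: it tags the command with the pairing key it
// shares with exactly one patch (established at the pharmacy, by assumption).
func Sign(pairingKey []byte, c Command) Command {
	m := hmac.New(sha256.New, pairingKey)
	m.Write(c.payload())
	c.Tag = m.Sum(nil)
	return c
}

var (
	ErrWrongPatch = errors.New("command addressed to another patch")
	ErrBadTag     = errors.New("authentication tag invalid")
	ErrReplay     = errors.New("counter not newer than last accepted")
	ErrNotLoaded  = errors.New("reservoir not installed on this patch")
)

// Patch is the receiving side: the chip in the patch.
type Patch struct {
	ID          uint32
	pairingKey  []byte
	lastCounter uint64
	loaded      map[byte]bool // reservoirs physically installed
	Released    []Command     // commands that reached the heater control
}

func NewPatch(id uint32, pairingKey []byte, reservoirs []byte) *Patch {
	p := &Patch{ID: id, pairingKey: pairingKey, loaded: map[byte]bool{}}
	for _, r := range reservoirs {
		p.loaded[r] = true
	}
	return p
}

// Accept checks, in order, that the command is addressed to this patch,
// carries a valid tag under this patch's key, is fresher than anything
// already acted on, and names a reservoir that actually exists here.
// Nothing is released and no state changes until every check passes.
func (p *Patch) Accept(c Command) error {
	if c.PatchID != p.ID {
		return ErrWrongPatch
	}
	m := hmac.New(sha256.New, p.pairingKey)
	m.Write(c.payload())
	if !hmac.Equal(m.Sum(nil), c.Tag) {
		return ErrBadTag
	}
	if c.Counter <= p.lastCounter {
		return ErrReplay
	}
	if !p.loaded[c.Reservoir] {
		return ErrNotLoaded // refuse rather than guess a substitute
	}
	p.lastCounter = c.Counter
	p.Released = append(p.Released, c)
	return nil
}

func main() {
	// Constructed scenario: two patients in one room, one monitor paired with patch 1.
	keyA := []byte("pairing-key-patient-A (constructed)")
	a := NewPatch(1, keyA, []byte{1, 2})
	b := NewPatch(2, []byte("pairing-key-patient-B (constructed)"), []byte{1})

	cmd := Sign(keyA, Command{PatchID: 1, Counter: 1, Reservoir: 1, DoseUnits: 5})
	fmt.Println("patch 1 accepts:", a.Accept(cmd))
	fmt.Println("patch 2 ignores:", b.Accept(cmd))
	fmt.Println("replay to patch 1:", a.Accept(cmd))
	forged := cmd
	forged.PatchID = 2 // re-addressed in transit: the tag no longer matches
	fmt.Println("re-addressed for patch 2:", b.Accept(forged))
}
```

Because the patch identifier is inside the authenticated payload, a message captured from one patient's monitor cannot be re-addressed to another patient's patch, and the counter means even a faithful copy of a genuine command is rejected the second time.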

Filed under: Miscellaneous

Security Review: IMA

By patriw at 12:09 pm on March 20, 2008 | 3 Comments

The IMA is a rather public place where students, faculty, and spouses can take fitness classes, lift weights, or use an expansive cardio room.

The assets include fitness machines, sports equipment, and simply the space, which when occupied by an unwelcome visitor, makes it unusable to a valid IMA-goer. In addition, there is wifi access, as well as internet-ready terminals. (Read on …)

Filed under: Miscellaneous

Security Review: Husky Union Building

By esoteric at 3:36 pm on March 18, 2008 | 7 Comments

The Husky Union Building is the center of life on campus. It is home to the Associated Students of the University of Washington, hundreds of student clubs and organizations, the university bookstore, food vendors, university employee payroll and accounting, information services, games area, campus-wide lost & found, US Bank, bike shop, hair salon, newsstand, event services, and many more departments.

(Read on …)

Filed under: Miscellaneous, Physical Security, Security Reviews

Microsoft, Yahoo, and Internet Breakage

By Justin McOmie at 11:58 pm on March 16, 2008 | 1 Comment

In a recent interview with “Condé Nast Portfolio”, Google CEO Eric Schmidt warns us all that a Microsoft-Yahoo merger might “break the internet” due to the consolidation of web-mail, instant messaging, and other services that would follow as a result. This relates to a still-on-the-table 40+ billion dollar offer that Microsoft has proposed to Yahoo. While the deal is not cemented yet, representatives for the respective companies have reportedly had frequent rendezvous at Mayflower conference rooms to “feel things out” before big money exchanges hands.

The big issue at hand is the oncoming breaking of the Internet, which clearly has broad reaching implications, particularly for Google. The search giant has bet its entire business model on the premise that the Internet be categorically unbroken, at least most of the time, and has a vested interest in ensuring the continued heartbeat of the web. This is in contrast with Microsoft, which could deal with an Internet breakage without all that much worry for its bottom line. This fact should alarm anyone with perceptive eyes; perhaps “breaking the Internet” is the first gunshot in a drawn out war of attrition Microsoft has planned.

According to Schmidt, Microsoft’s previous antitrust trial was about breaking interoperable open systems. Thus, we should all be wondering what level of nefariousness currently runs through Microsoft’s veins that it would embark on a conquest to contort the consolidation of Yahoo’s web offerings in some way as to weaponize open systems into a torrent of Internet pain and disruptiveness. One can only grimace at the proverbial ring of power Microsoft will be able to wield when it is able to commit such acts as merging its MSN Messenger userbase with that of the wildly popular Yahoo Messenger.

The Internet-using public should assess the risk of Internet breakage and policy makers should react accordingly. But we should also keep in mind that if a Microsoft-Yahoo merger could break the Internet, smaller deals might lead to some sort of fractures or cracks in the Internet. For example, Microsoft recently invested several hundred million dollars into Facebook, which caused observable tremors in the Internet’s various tubes. Caveat emptor.

Source: http://www.portfolio.com/executives/features/2008/03/14/Google-CEO-Eric-Schmidt-Interview

Filed under: Current Events, Miscellaneous

Security Review: The Human Heart

By chrislim at 10:59 pm on | 6 Comments

As our professor has continually emphasized throughout the quarter, one of the primary aims of our course has been to go beyond technical details of current computer security in order to learn the security mindset. This new way of thinking enables us to analyze security issues in the future regardless of particular directions that technology may take. It also enables us to examine the security of less technical entities like physical locks, parking meters, etc. As I was considering some of these less technical systems, I began to realize the pervasive implications of applying the security mindset to broader aspects of life and so began my examination of the human heart.

Recently, Governor Eliot Spitzer of New York was revealed to have been involved with a prostitution ring despite his façade of crusading against white collar crime. As a result, his reputation was tarnished, his career ended and his family has been deeply hurt. Although this is just another note in the continual drumbeat of tragedies we hear about in the news, the frequency of these incidents clearly demonstrates that each of us is vulnerable to fall in similar ways. How can we defend our lives (and hearts) against being deceived into compromising our integrity and falling into these common pitfalls?

A second observation motivating this study comes from the fact that insiders are often the adversaries who cause the most damage and harm because they are trusted and by nature must have access to the assets we desire to protect. Human beings are often the weakest component of any security system. This review of the human heart will hopefully provide insight into ways to protect the integrity of trusted insiders as well as our own hearts in relation to the people who trust us.

Finally, defending the human heart has significant ramifications in every aspect of physical/computer security. Much of the violence that takes place on campuses (e.g. shootings, assault, etc.) has at its root a compromised heart (e.g. someone who has been continually hurt and lashes out in despair to cause pain to others after he/she has received so much). Many of the adversaries in computer security scenarios are motivated by financial gain, prestige, and other related incentives, which are deceptive and violate the worth and personhood of the people they attack. If people’s hearts were able to be defended, many of the human adversaries that we encounter in typical security reviews might in fact become allies; the ideas in this post are tools that can provide another layer of defense in depth.

(Read on …)

Filed under: Ethics, Integrity, Miscellaneous, Security Reviews

M-Pesa: Banking via SMS

By davidjsh at 1:19 pm on | 2 Comments

I was recently informed about a rather interesting service that is being used in Kenya called M-PESA. According to their website, “M-PESA provides an affordable, fast, convenient and safe way to transfer money by SMS anywhere in Kenya. Through M-PESA you can:

  • Deposit money
  • Withdraw money
  • Transfer money (send) to another M-PESA customer
  • Transfer money (send) to someone who is not an M-PESA customer; in fact they need not even be a Safaricom customer
  • Buy Safaricom prepaid airtime
  • Manage your M-PESA account (i.e. show balance, call support, change PIN and change language).”

At first glance, I thought that the original intent of M-PESA was for buying and transferring airtime while financial transactions were just a side effect; however, according to the FAQ, M-PESA is intended to be “an innovative mobile payment solution that enables customers to complete simple financial transactions including person to person money transfer. It is aimed at mobile customers who do not have a bank account, either through choice, because they do not have access to a bank or because they do not have sufficient income to justify a bank account.” (Read on …)

Filed under: Miscellaneous, Security Reviews