Current Events – Infections that begin with windshield fliers

By qwerty at 8:36 pm on February 6, 2009

Not all computer malware infections are done completely electronically.  In recent events, cars in Grand Forks, North Dakota were tagged with “windshield fliers” which resembled a parking ticket, stating they were violating the “standard parking regulations” and that in order to view more about their offense they must visit some URL online.  This seems like quite the extent for one to go in order to infect one’s computer, but often enough – it works.

(Read on …)

Filed under: Current Events, Miscellaneous, Physical Security

Security Review: Ford MyKey and similar systems

By Tim Crossley at 8:11 pm

Ford Motor Company has stated that the 2010 Focus Coupe will be equipped with a technology called MyKey. Designed for parents wishing to ensure teenagers practice safe driving, the technology restricts certain actions such as driving too quickly. As currently announced, the system can restrict the vehicle speed to 80 mph, limit the audio speakers to 44% of maximum, and give constant audible alerts if seat belts are not worn. Read about the MyKey system here.

While MyKey is aiming for the parent/teenage child crowd, other products exist which automatically limit vehicle speed based on the current road. Using GPS and a database of known speed limits, these devices either limit the vehicle speed or issue a warning when driving over the limit. In all cases I’ve seen, these devices can be overridden, unlike the Ford MyKey. An example of one of these speed limiters would be the Wisespeed, by Imita.
(Read on …)

Filed under: Physical Security, Privacy, Security Reviews

Security Review: Amazon Kindle

By cxlt at 6:52 pm

Amazon Kindle

With rumors of Amazon revealing their next Kindle on Monday (an honor Engadget, along with other blogs has already done for them), and as a user of the first Kindle, I figured that with its numerous features, communication methods, and potential appeal, it was an appropriate time to do a security review of the system. And as an irrelevant aside, I think the new model is really ugly.

The Kindle is an e-book reader, one of two primary contenders in the market at this point in time (the other being the Sony Reader). Like its competition, it features an E-paper screen, which is ideal for this application due to the fact that it requires no harsh backlight, and requires no power to maintain image – only to change image. In addition to being able to store and display ebooks (in unsecured Mobipocket, plain text, or proprietary Amazon format), the Kindle’s most fascinating feature is its EVDO antenna. Through Sprint, the Kindle provides free data transfer. The primary function here is to provide access to a wireless Amazon store from which users can purchase and download DRM-secured ebooks, but there is also a primitive web browser in the software.

Assets & Security Goals:

  • Preventing users from stealing books is the primary business security concern for Amazon. There is a twofold issue here: there is the potential for users to snoop in on the wireless transmission of the book itself, but there is also the potential of a user to steal the book once it is on the device – hence, there needs to be both wireless security and DRM on the final file.
  • Protecting the privacy of the user is a concern for the users of the device – while there aren’t any explicit laws protecting people’s reading history as there are for television and movies, what a person is reading on the device should still remain private to that user.
  • Providing security for the user while they browse the web is another concern that involves specifically the consumer rather than Amazon – this should be a simple matter of implementing existing security standards for the web.

Adversaries & Threats

  • People who would like to pirate content are again the primary threat to Amazon’s business on the Kindle. Protecting the ebook files in transit and storage should stop them from stealing Amazon ebooks, though given the Kindle’s capability of reading generic unsecured Mobipocket files, people could just as easily pirate those and drop them on the device over USB.
  • People who would like to steal users’ information are easier to defend against. They may want to steal credit card information as transactions occur, or find out what a user is reading. If the victim has sensitive material, such as corporate documents and manuals, or manuscripts for unpublished books, these may be a target.
  • People who want to cause harm to the user, either by purchasing books on their device without permission, or by causing them to lose the books they currently have. These people don’t have as much work to do as the previous, as it is easier to cause harm than it is to steal information.

Potential weaknesses

  • Theft – should an attacker gain physical control over the device, there is virtually nothing that could be done to stop him/her from purchasing items on the tab of the actual user, accessing any pages with the web browser that may have saved passwords or cookies, and learning what the user has been reading – including reading sensitive material as described earlier.
  • The display is perhaps a surprising point of attack. However, as a user of the first Kindle, I have noticed that at times when the unit shuts off and blanks its screen, a trace amount of ink is left visible, enough so that display text is still visible. Given that the display works on the principle of magnetically charging droplets of ink, it might be that with magnetically sensitive instruments it would be possible to learn even more of what a display has shown. Given that sensitive documents or manuscripts may have been read on the device prior to its shutoff, and especially that it contains a web browser which could be used to browse sensitive material such as bank accounts, not to mention that passwords are inputted similarly to cell phones – with the last character inputted remaining visible until the next is typed – this could be a serious attack vector if enough study is put into the physics of the display.
  • The obvious vector of breaking whatever security is on the DRM’d files (after all, the method and key for decrypting them must be on the device somewhere if it’s able to display the books) would be an easy approach to breaking the security of the platform in general. Attacking the wireless transmission itself would likely be much more difficult since it’s probably based on well-established cryptographic algorithms, but breaking DRM is certainly not without a very large precedent.

Potential defenses

  • Passwords more prominently used throughout the device would mitigate the theft concern almost entirely (assuming, of course, chosen passwords are secure). Were the device to require passwords to power on or access certain user-determined books on the device depending on their sensitivity (the latter using encryption on the file rather than just an operating system refusal to open the file given that it could be retrieved by USB), much of the concern of the device falling into an adversary’s hands is mitigated. Potentially along with a remote kill-switch like that implemented on enterprise cell phones, the threat of the device being stolen would be greatly reduced.
  • More screen blanking would help the display issue greatly – at least with the immediate and definite problem of trace ink. The device typically flashes the entire screen to black and then white to clear the screen, and I’m assuming that a few more rounds of this would reduce the amount of material left on-screen afterwards. Since the rest of the threat is primarily speculation on my part, I’m not sure as to what the defense would be.
  • The ability to update the DRM of files remotely could be one way that Amazon could use to secure the files. It’s security by obscurity, but constantly changing the DRM scheme could be one way of preventing the attacker from figuring out how to crack the protected books. I’m not skilled enough in cryptography to know if there’s a way the device could possibly secure the books given that the decryption method and key are both stored on the device itself, without external authentication (the EVDO antenna may be turned off, and DRM’d files are still accessible in remote regions).

Most of my analysis is based on what Amazon wishes the Kindle would be – a general purpose reading device integral to the lives of those who use it – rather than what it is now – a largely novelty gadget which, while well-executed, is too expensive to be a reasonable purchase for all but the most fanatic book fans and extreme road warriors. Scenarios such as heavy duty web browsing (unlikely due to the slow response of the screen and slow transfer over EVDO), storage of anything other than books (such as the confidential material I listed above), and other such ubiquitous uses of the device are not a reality at this point.

However, if Amazon is serious about the device becoming hugely successful in the future, they are all issues that must be addressed soon.

Filed under: Physical Security, Privacy, Security Reviews

Current Event: racial profiling no more effective than random screening

By ezwelty at 8:56 am

In “Study: racial profiling no more effective than random screen”, ArsTechnica reports on a new study by William Press, who claims that using profiling at security checkpoints such as airports is not effective in catching threats. The ineffectiveness, according to Press, stems from small numbers of screeners being able to only resample a small subset of the total population at any given moment. Screeners, on the average, end up retesting the same innocent individuals that happen to have large correlations with risk profiles.

This event arises from the current security concerns of DHS, and their mandate to catch terrorists at the various entrances to the United States. It seems that the methods employed in profiling are faulty, and need revisiting. As a counter-example to this article, the Israeli airports employ racial profiling to great success in ensuring security, and haven’t had an incident since 1986 — however, they combine these profiling methods with other forms of security measures.

However, there are larger issues in having such broad-sweeping racial profiling in the US. Applying racial targeting to minorities at checkpoints would cause a fair amount of backlash, considering the historical implications. As well, all the racial groups that are on profiling lists also are likely not adversarial threats, and are certainly as legitimate of citizens as people that aren’t on the list. Also, it seems like  relying heavily on profiling means that defeating it is simply a matter of not fitting the current terrorist profile.

While there have been some success stories in racial profiling with regard to border security, the idea leaves a bad taste in my mouth. There are inarguably a number of things that DHS can do to improve security at checkpoints (hire competent TSA employees comes to mind), without going down the dangerous path of racial profiling — profiling that has been shown in this recent study to be mostly ineffective given how it is currently applied.

Original Article: http://arstechnica.com/science/news/2009/02/study-racial-profiling-no-more-effective-than-random-screen.ars

Filed under: Current Events, Ethics, Integrity, Physical Security

Current Event: Malicious Parking Tickets

By Tim Crossley at 9:23 pm on February 5, 2009

According to a post on the Internet Storm Center (ISC), some malware writers have turned to leaving false parking tickets in order to lure victims into running malicious programs. The parking tickets contained a URL where one could see a picture of the supposed offense. Upon arrival to the site, users were prompted to download a toolbar in order to view their particular picture(s). Link here.

Writers of malware often have to contend with the question of how to make users visit a particular site, or run some untrusted code. Spam emails, submitting links on popular social websites, and inserting malicious programs into data downloaded from peer to peer applications are all common practice. Savvy users know the danger of running untrusted programs, especially when appearing from a dubious source. The trick, then, is for the malware writers to make the source appear legitimate. By using a physical medium (paper, as opposed to a link or an email), potential victims were more likely to trust the website. In addition, many of the supposed parking violators likely felt wrongfully accused, and wished to dispute, or at least view, the evidence against them. And in trying to obtain that evidence, they allowed a malicious program to install itself on their computer.

This tactic also puts the writers or distributors of the malware at some risk. In most cases, locating the original person or people behind malicious software is very difficult. Because of the nature of the internet, anyone could release malware from anywhere in the world. But, when these distributors placed their false parking tickets on cars, they also told authorities where they were. Instead of being perhaps some anonymous author in who knows what country, the distributors of these parking tickets (or some accomplice) physically had to be in Grand Forks, North Dakota on the days the tickets were given out. Law enforcement agencies now have a chance of catching the perpetrators, and charging them.

Preventative measures against this sort of attack are difficult. As always, the key is to not run untrusted software, and to be aware of the dangers. But just what does untrusted mean? Nobody expects an attack to come from a parking ticket. Awareness in this case would have helped as well. When this website began asking to install a special toolbar so you can view pictures, you should get suspicious. Some problems, such as social engineering, are just too difficult with technology alone. Being informed about risks, about methods of attacks, and about trusted information systems will go much farther than any malware detection/prevention software, and is more likely to keep up with the times, as well.

Link to article.

Filed under: Current Events, Physical Security

Security Review: Google Latitude, tracking friends on Google Maps

By jimmy at 3:04 pm on February 4, 2009

A recent article on Slashdot purports that Google will soon release new software, dubbed ‘Latitude’, enabling users to broadcast their geographic location via Google Maps.  This information can be gathered either from mobile phones, via GPS or local cell phone towers, or from laptop computers, via Wi-Fi access points.  Once the data is uploaded, users can decide with whom to share their location, and to those lucky few their location is shown as an icon with their chosen picture on top of a Google Map display.  The initial release will support Blackberry, Android, and Windows Mobile phones, with likely updates to include iPhones and iPod touches.

Google has long had the ability to locate its users, a function predominantly featured on the iPhone.  What distinguishes ‘Latitude’, however, is the ability to take this information and share it with others.  Location data will thus have to be stored on Google’s servers, in order for others to access that information and display it on their screens.  Obviously this generates numerous privacy concerns; however, Google attempts to address these by claiming the feature will be limited in that it will only display information to other people the user chooses, and that it can be easily disabled at any time.  Google also claims that the company will not collect a large database of geographic information, and the only location data stored on the servers will be the most recent location uploaded.
(Read on …)

Filed under: Physical Security, Privacy, Security Reviews

Current events: Sony Ericsson a victim of its own employee

By sal at 10:54 pm on January 16, 2009

Issues of stealing physical or intellectual property (physically or electronically) in the context of a malicious company insider are closely interrelated, as some common prevention mechanisms can be adopted for both.

According to the recent article by Mikael Ricknas, cell phone prototypes were stolen from the company by its own employee. As Mikael points out, despite the fact that total cost did not exceed about $90000, there could have been bigger indirect losses if competing companies were made aware of these designs.

As one of my employers at one of the security companies I worked for mentioned, “opportunity” is the key word for why thefts occur. Company employees often have the most of such opportunity. Even employees with good intentions, as mentioned in an article by Alex Johnson, “Cybercrooks’ best friend? Experts say it’s you”, are among the biggest threats to company security.

Depriving company employees of all such opportunities is an impossible task as long as it has employees, but significantly reducing the chances of such breaches occurring is possible by at least two well-known means. The latter article mentions the commonly cited policy of “least privilege” as one of the ways of prevention. Also, electronic monitoring and recording of activities and making employees know of such monitoring, or at least creating an impression of the existence of such monitoring, could be another one of the most effective methods for deterring or shifting away such crimes.

Some ethical issues, such as privacy protection and employer-employee trust, will, apparently, arise from overusing some of the methods, and companies will always have to find a good balance. Although Sony Ericsson did not appear to disclose many details about the event, it is, undoubtedly, beneficial for society in general that crimes of this type are made public, as it emphasizes the problem, and (in case an arrest followed) can serve as yet another deterrent.

Filed under: Current Events, Ethics, Physical Security, Privacy

Absent student forfeits raffle

By stemcel at 9:23 pm

Here at the University of Washington CSE Department we often have events called Tech Talks, where guest companies come in and give a demonstration of their technologies and expertise. Tech talks are usually interesting, and the visiting companies usually bring free company-branded “swag” and often have raffles for bigger, more exciting prizes. But what usually draws hungry CS students (this one, anyway) is the free food that the company inevitably brings. I’ve never won anything.

Last night we had a tech talk given by Palantir Technologies, a very promising-looking company that aims to transform the way people work with large data sets by making it easier to discover and visualize trends and connections in the ever-accumulating mountains of data generated by our modern technological culture. They had a great sales pitch, a fascinating presentation, tons of free swag (hyperbole here, but it was really a lot), and quality free food from Taco del Mar. And at the end of the evening they planned to raffle off an iPod touch. Not everyone stayed for the whole event, but as it wound down the time for the raffle finally came.

(Read on …)

Filed under: Current Events, Ethics, Integrity, Physical Security

Security Review: UW Bookstore

By Frung at 6:56 pm

Everyone knows the bookstore sells books only after a tremendous markup. But does that really mean they can afford to employ lax security?

Consider the situation of the books department: all of the textbooks for every class in the university are housed in a single room smaller than the main Kane lecture hall. Much smaller, actually. About half of the floor space is taken up by racks of books. Under everyday conditions this is fine, because generally less than ten customers are browsing around at a given time. The problem becomes apparent just before the quarter begins, when the book room becomes so crowded that standing in the register line I sometimes think that I’m back in Disneyland, waiting for a ride on Splash Mountain.

Imagine my disappointment when I realize I’m actually in line to empty my wallet in exchange for ten pounds of paper.

All these bodies in such a small area can help to hide a malicious book-snatcher masquerading as a customer. Booknappers need simply gather target books into their backpacks and force their ways upstream around the registers and out of the store. The UW bookstore provides no substantial countermeasures.

(Read on …)

Filed under: Physical Security, Security Reviews

Security Review | SIDA Badges and Airport Access Control

By lee at 2:46 am

The Technology

SIDA (Secure Identification Display Area) badges are identification devices issued to airport personnel, which establish which areas of the airport an employee is authorised to access. Each airport has its own SIDA badge classification system and issuing authority. The badges themselves are printed on standard credit card-sized media, with elements such as the employee name, picture and card expiration date printed on the front, along with a prominent colouration and/or lettering, which indicates the access level of the employee. On the back is a magstripe, used to grant access at SIDA entry points, typically in combination with a PIN. In addition, personnel who need to frequently enter and exit sterile areas may be issued badges that can be used to bypass sterile area security screening procedures.

(Read on …)

Filed under: Physical Security, Security Reviews