UW Computer Security Research and Course Blog

[Devy Pranowo and Xia (My) Cam]

A report from the Georgia Tech Security Center predicts that botnets were likely to hit mobile phones sometime soon. Botnet <http://en.wikipedia.org/wiki/Botnet> can be delivered to machines through email or instant messages, which now is a feature many smartphones have. Because of the developing cellphone culture all over the world, what’s on cellphones can be great treats for attackers.

There are many reasons why this problem might arise. Cellphones are now essential in people’s lives. Many smartphone is taking over the market because it can do much more than just making voice calls. These phones can take pictures, send text messages, and send emails. Furthermore, now that cellphones can access the internet, people can download applications to run on their phones and might not be aware if they’re installing malicious software. The more prevalent use of cellphones and the more advanced technology adapted on cellphones means there will be more people impacted from unwanted malicious attacks.

At least for now, there is no evidence of attacks aiming at cellular phones, however the loopholes are there. As cellphone technology advances, it’s only matter of time. For now, since technology of cellphone has room for growth, there are opportunities to incorporate better security mechanisms as we develop cellular technologies. Also, it is important to educate user not to open unknown emails or URL that will allow Trojan, viruses, or worms to infect user’s cellphone and thus allow control of cellphone by attackers. The latter is the best way to prevent social engineering attacks.

Cellphone attacks may also relate to a bigger part of personal data security. As cellphones becoming important tools for personal and corporate communications, this is another way for attackers to gain private information. For example, attackers can easily obtain social security number or credit card numbers.
We think the reason there hasn’t been major attacks on cellphone is because there are so many different OS (Java-based Blackberry OS, Mac OS, Windows Mobile OS, etc) running on today’s cellphones, making it harder for attackers to create malicious code for them. But it’s better that some prevention should be done before bad things happen. For instance, cellphone producer should give warnings to user before they do potentially unsafe actions or download information from the Internet. With the warnings, users will be more aware of potential dangers of entering information or accessing data via their cellphones.

Article source:
http://www.networkworld.com/news/2008/101608-report-botnet-spam-attacks-to.html

“Update.  This entry was updated on <January 9, 2009> to reflect a <re-interpretation of the original article>.

After several years that Wii have been launch, hackers found flaws in Wii’s security aspect. According to an article from Nintendo World Report, a tiny processor that was kept as a secret for security reason is discovered by a group of hackers, Team Twiizers. Because the existence of the chip has been discovered, this can cause security problems.

As presented in this video, in order to run the game on Wii, a ticket (key) is needed. The valid keys are all stored in the chip. However, this chip does not only consist of keys, but also controls the turn on bit of the functionality of DVD playback that is turned off by default. These aspects make the hackers feel challenge to break Nintendo’s security system.

(Read on …)

More and more household appliances are being designed with wireless internet capabilities. Being able to control home appliances via a web portal may improve convenience, but it comes at the cost of potential security vulnerabilities. The European home appliance manufacturer Gorenje has supplied information about concept ovens and washing machines that are WiFi-enabled.

(Read on …)

The Husky Union Building is the center of life on campus. It is home to the Associated Students of the University of Washington, hundreds of student clubs and organizations, the university bookstore, food vendors, university employee payroll and accounting, information services, games area, campus-wide lost & found, US Bank, bike shop, hair salon, newsstand, event services, and many more departments.

(Read on …)

Summary:Home automation systems in general attempt to enable home owners to have a “smart” house. Instead of light switches you have integrated panels that control everything from your lights, to your shades, to your entertainment system, climate control, alarm system, motorized locks, etc. Some specific examples of such systems like those offered by Control4 use wireless communications between the panels and devices they control. Some also have integration with cell phone applications. One of the selling points for these systems is that they improve security.

(Read on …)

Overview

This is a security review of “Smart Guns,” a general class of locking/use prevention mechanisms for firearms that rely on biometrics or other authentication indicators (such as “smart” chips embedded in the gun and in rings or other tokens worn by the intended user) to identify a person who is authorized to use the firearm, while preventing unauthorized persons from discharging the weapon. The Wikipedia article has some further broad overview information regarding the subject.

(Read on …)

From The Guardian, and on Slashdot.

Police in the United Kingdom may soon be be able to collect DNA samples from children if they exhibit behaviors that suggest they may commit crimes later in life, at least if Scotland Yard forensics director Gary Pugh has his way.

Pugh cites the importance of identifying future offenders, saying that “the number of unsolved crimes says we are not sampling enough of the right people.” Advocates of such programs, including the Institute for Public Policy Research, claim that most career criminals begin their lives of crime as early as 10 to 13 years old, and suggest that children from 5 to 12 years old should be profiled and sampled if they exhibit certain “risk factors.”

Even these advocates acknowledge that such treatment could have a “stigmatising” effect, but they do not seem to have any problem with gross violations of privacy in the name of improving public safety.  One concern that is not directly addressed in the article is the possibility that the negative attention such sampling and registration involves might even place more obstacles to a child’s chances of leading a normal life, perhaps even increasing the likelihood that they would turn to crime; a self-fulfilling prophecy, in other words.

Of course, an even greater issue that is sidestepped by the focus on children is the question of whether preemptive DNA sampling of any individual, adult or child, should be tolerated in any free society. Whether such programs are effective in reducing crime is not the only issue – the cost to individual liberty must also be considered. In my opinion, at least, personal freedom must always outweigh public safety, but I’m interested in hearing other ideas.

Summary:

As humans we are cursed by the need for a number of basic necessities. Among these include nutritious food, clean air, and of course water. In this brief post I will focus on the later of these.

While the importance of securing our computing systems and infrastructures cannot be stressed enough, the importance of ensuring that everyone has access to clean water far surpasses any other consideration simply because it is essential for our health and well-being. It would indeed be tragic to lose a life savings due to identify theft, but such loss pales in comparison to the health risks involved with contaminated or otherwise unsanitary water. Financial loss can be recovered, while the same cannot be said about the loss of life, life years, or the degraded quality of life in the years that one does have. Unfortunately, while some risks to our water supply seem far fetched and highly unlikely, others are very real and seemingly unavoidable. (Read on …)

My check engine light came on last week, so I called up Michael’s Toyota Dealership and Service Center in Bellevue, WA.  I made an appointment and had my husband bring the car into the shop and take a shuttle to work.  Later in the afternoon, the car is finished and I start walking over to the dealership to pick up my car.  With my mind on a hundred other things, I had left my purse at home!  With no time to go back home before the dealership would close, I decided just to try to get the car and hope it wasn’t going to cost me anything and that I wouldn’t need any ID to pick it up.  I told the Service Center attendant I was there for my car and what my last name was.  She typed it into the computer, found the service number, and called for the car to be brought up to the front.  Everything was covered under warranty, so I climbed into my car and went on my merry way.  So why do I tell you all this?  Because it seems to me that I could have picked up any old car with just a last name. (Read on …)

ATMs are surprisingly easy to hack according to CNET.  From a report on ATMs, up to 90 percent of the ATMs in the U.K. could be at risk for worms, denial-of-service attacks, getting customer data intercepted, and having money stolen from their safes. (Read on …)