The new sliding door at the CSE building

By felixctc at 4:58 pm on March 1, 2008 | 7 Comments

I want to start a discussion about the new sliding door we just got. I talked to Karl and he explained how the door works. It seems that the sliding door has two sensors, radar and infrared. The radar sensor can detect movements that are farther away from the door and the infrared can detect the closer movements. Obviously, once movements are detected, the door will open. Also, for emergencies, the two metal frames on each side of the door can be opened like a door. During nighttime, the door will only open automatically when someone is leaving the building. Otherwise, card key access is needed to get into the building. Here are a couple of ideas for an adversary to try to get into the building.
(Read on …)

Filed under: Current Events, Physical Security | 7 Comments

Security Review: Coin-Operated Laundromats

By zaxim at 11:27 pm on February 24, 2008 | 6 Comments

They’re out there… Some of us use them every day… Especially college students living away from home… We can’t avoid them, unless we want to be stinky…

Yes I’m talking about coin-operated laundries…

Coin-operated washing facilities provide an interesting security problem, since the users only maintain a single asset, their clothes. The owners and operators of the facility are most at risk since they have to protect against people stealing money or gaining free use.

(Read on …)

Filed under: Miscellaneous, Physical Security, Security Reviews | 6 Comments

Collaborative Security Review: Wave2Go

By Chad at 9:57 pm on | 2 Comments

This security review is intentionally left incomplete. It is simply a topic that I think would be interesting for us as a group to explore. If you can add to the discussion, please do, even if it’s simply to propose an idea, or to shoot one down.

Washington State Ferries have been using the Wave2Go system for over a year now. The old system required passengers to remain in a holding area after they had bought their tickets from one of three booths. Many patients would wait to buy their tickets just before the ferry would board, causing long lines right before departure and occasionally delaying ferries.

Wave2Go allows clients to buy tickets from multiple kiosks in addition to the three ticket booths. Alternatively, you can purchase tickets ahead of time online and then print them out. (Read on …)

Filed under: Physical Security, Security Reviews | 2 Comments

Cold Boot Attacks on Disk Encryption

By Scott Rose at 2:15 am on February 22, 2008 | 6 Comments

Well-known security researcher and commentator Ed Felten and colleagues at Princeton report on a technique for breaking many whole-disk encryption schemes, including the most common ones. The attack is based upon scanning RAM for encryption keys, and is even (reported to be) effective on a machine that has been recently powered down.

(Read on …)

Filed under: Physical Security | 6 Comments

Security Review: ASIMO Robot

By felixctc at 6:49 pm on February 17, 2008 | Comments Off on Security Review: ASIMO Robot

ASIMO is a robot resembling a human that was created by Honda Motor Company. It was created at the Wako Fundamental Technical Research Center in Japan. The current version of this robot is version eleven. This robot, which is about four feet tall, looks like an astronaut wearing a backpack and it can walk and run on two feet. In addition, there are various features that ASIMO can perform. For example, it can recognize moving objects, postures and gestures, and environments. Therefore, it can react under various situations. In addition, ASIMO has facial recognition capabilities and can distinguish sounds. It can also find information such as weather reports by connecting to the Internet or greet and guide visitors given that they are valid visitors in the user’s network. Assuming ASIMO robots will be able to work as security guards in the future, here is the security review for the robot.
(Read on …)

Filed under: Miscellaneous, Physical Security, Security Reviews | Comments Off on Security Review: ASIMO Robot

xkcd comic on key signing parties

By Karl Koscher at 9:47 am on February 11, 2008 | Comments Off on xkcd comic on key signing parties

This comic should make more sense after today’s lecture.

Filed under: Physical Security | Comments Off on xkcd comic on key signing parties

Security Review: Airport Security

By rudd at 2:09 am on | 2 Comments

Anyone who has travelled within the past 6 years has experienced the excruciating joy of going through modern airport security. For most domestic flights your checked bags go through one set of security procedures, and your person and carry-on items go through another. I will be focusing on the personal/carry-on side of airport security. (Read on …)

Filed under: Physical Security, Security Reviews | 2 Comments

Security Review: CyberLocks

By chrislim at 11:13 pm on February 10, 2008 | 2 Comments

At their essence, CyberLocks are like mechanical locks++, enabling you to bring intelligent electronic access control to even the padlock level. CyberLock cylinders, which cannot be picked and maintain an audit trail of usage, can replace virtually any traditional lock (e.g. for doors, cabinets, padlocks, server racks, etc.) without any wiring. However, with the introduction of these additional features comes also the increased potential for new vulnerabilities and attacks. The following is an overview of the typical CyberLocks usage scenario that I will review (see this video for a clear and concise overview of the system (after which you may be able to skip to the Assets section of this review)).

(Read on …)

Filed under: Physical Security, Security Reviews | 2 Comments

Security Review: Deep Siren

By Chad at 10:33 pm on | Comments Off on Security Review: Deep Siren

According to Scientific American, the US Navy is considering deploying a new technology, Deep Siren, to improve communication to and from submerged submarines. As of now, submarines have to be no deeper than 60 feet and towing a floating antenna behind them before they can communicate with the outside world. This makes the submarines far less agile and much easier to detect. The Deep Siren System will theoretically allow subs to communicate at any depth and speed.
(Read on …)

Filed under: Integrity, Physical Security, Privacy, Security Reviews | Comments Off on Security Review: Deep Siren

Diebold/Premier Voting Machine Key Copied

By esoteric at 4:26 pm on February 7, 2008 | 3 Comments

Adding to the current furor of news surrounding the issue of electronic voting machines, an egregious mistake by American voting machine producer Diebold (now known as Premier Election Systems) has led to heightened doubts concerning the integrity of electronic voting.

Diebold has a history of security mishaps dating back to 2003, when they posted the source code for their voting software on a public FTP site. The availability of this code led to the discovery of an exploit in 2004 that would allow for the manipulation of votes as they are tabulated at a central location.

In the company’s most recent debacle, the first major issue of note is that the same physical key can be used to open the locks on all of the touch-screen voting machines that Diebold produces. Secondly, Diebold unwittingly posted a picture of this key on their website on a page that described how replacement keys can be ordered by official account holders. Ross Kinard of sploitcast.com was able to construct several keys based on this image that proved to successfully unlock a test voting machine.

The implication of this security breach is that it is now much easier for an adversary to gain physical access to the innards of a voting machine and attack it by modifying the software via a flash drive or by altering the hardware. This could result in misappropriated votes or denial of service attacks where people’s votes are rendered useless.

Many policy makers are lobbying to make a return to paper ballots, which arguably have fewer undetectable vulnerabilities, but are more tedious to deal with. It is unclear whether electronic voting machines will continue to be used in the future or not, but serious changes need to be made before they become even remotely secure. In addition, companies like Diebold/Premier rely on their reputations, and they must earn and maintain the trust of the public in order to be successful.

YouTube video of a homemade key opening the lock on a Diebold electronic voting machine:

http://youtube.com/watch?v=UfGvSJA20-Y

Filed under: Current Events, Integrity, Physical Security | 3 Comments