Current Event : Keyboard hacking (from thin air!)

By kosh at 10:43 pm on March 13, 2009

Move over, scanning the keyboard with infra-red cameras for heat signatures, listening to keystrokes and simple shoulder surfing.

Say hello to hacking through thin air or electromagnetic waves, rather. Apparently, all keyboards generate unique electromagnetic waves for every single key pressed and these are really easy to pick up even with some inexpensive antennae. Of course, a lot of this is only possible under ideal conditions where there isn’t much interference from other devices. Here are some videos that demonstrate the attack –

Edit: Looks like embedding is disabled here. Please visit the links below for the videos

Sources :

Computer world

Ecole Polytechnique Federale de Lausanne

Filed under: Miscellaneous, Policy

Current Events: One more botnet-related legal fray

By oterod at 8:52 pm

As part of an “exposé” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to two specific test addresses, and finally, used their botnet to bring down a security firm’s backup website via DDoS. The DDoS attack was done with permission from the “victim” company (Prevx).

Now the BBC group is in a spot of legal trouble as their use of a botnet could potentially implicate them in the violation of the UK’s Computer Misuse Act. While BBC claimed that their use of the botnet was purely academic, and therefore not criminal, they did take control of non-consenting citizens’ home PCs. More importantly, in purchasing the use of a botnet, reportedly at somewhere between $300-$400 per machine, the news network essentially funneled a few million dollars into the hands of cybercriminals. And all so that they could demonstrate what many papers and news articles before them already had.

The journalists, at surface level, did a good job of keeping things academic and avoiding any sort of cybercrime. They spammed their own test e-mail accounts. They DDoS’d a prepared and willing target. They also put warning documentation on the infected machines, at experiment’s conclusion, explaining to their users that they had been infected, and how to best avoid future infections. Ultimately, however, by mere involvement with and commandeering of hijacked personal machines – and especially thanks to funding the true criminal party – they did indeed commit some level of criminal act. To what degree they are held responsible is now a matter for the British courts to decide.

This is just one more occurrence in a string of botnet-related legal issues. A similar issue plagued German malware researchers with the means to potentially dissolve the Storm worm’s botnet(s). It seems that academicians of all types are running into a fundamental problem with this particular security threat: there is no way to legally study it “in the wild.” The moment a researcher connects to a botnet, takes control of it, or otherwise interacts with it, he or she risks legal consequences. Whether or not any charges stick is a different matter, and quite frankly, it will take some time before reasonable precedents clarify the legal “consensus,” but regardless these issues represent a significant impediment to progress in anti-botnet research.

Filed under: Current Events, Ethics, Policy, Privacy, Research

Security Review – Mobile Banking in the Developing World

By cxlt at 1:00 am on March 12, 2009

One of the interesting topics brought up by Microsoft Research India during their Change talk last week was that of mobile banking in the developing world. Managing and distributing money can be a tricky proposition in the developing world – often, people end up entrusting their money to drivers to transfer around the city or country.

Mobile banking through cell phones has proven to be an extremely cost-effective way to avoid these kinds of headaches. Through both downloadable software and text message interfaces, it is possible to efficiently transfer and manage money without the existence of local branches to handle the transaction, with minimal fees and far less obvious physical risk. However, this method has resulted in its own set of idiosyncrasies that would not likely exist with similar systems elsewhere.

Afraid of doing something wrong, many people in these developing areas are reluctant to actually carry out their own banking. Thus, a whole class of middlemen have arisen specifically for mobile banking. People will bring their mobile phones into these middlemen’s stores and tell the store owners what they want done, and the middlemen will then go do it for them. This interesting use case leads to quite a few security implications.

Assets and Security Goals

  • Customers’ money is of course important. The reasons should be fairly obvious – we of course want to protect it from being stolen.
  • Customers’ financial records are also important – financial histories are private, with some exceptions, and they should stay that way. Knowing how much money someone has may put them at risk for a real-life robbery, for instance, or knowing their stock portfolio could cause other problems.

Adversaries and Threats

  • Malicious third parties who would like to steal the customers’ money, perhaps by listening to the airwaves, or physically stealing the phone. A lot can be done with just a few seconds with a phone given a text messaging interface.
  • The middlemen have an extraordinary amount of power given what they have been entrusted with by the end-users. And, since their clients won’t have it any other way, banks have been forced to actually work with these middlemen, including them in the system. A store owner could easily pull off an “Office Space” type scheme, stealing minuscule amounts of money from each customer.

Potential Weaknesses

  • Snooping on people’s wireless connections is difficult since the network provides some level of intrinsic security. We’re not experts on this subject, so it’s difficult for us to assess how feasible this approach is in reality.
  • Replay attacks are possible, especially if any actions are carried out via text message, and a malicious user manages to take over the phone physically, or duplicate/forge the SIM card.
  • Physical access is an imminent problem given the prevalence of these middlemen in transactions. Somehow, even with physical access by users other than the clients there needs to be security and accountability.

Potential Defenses

  • For snooping, simply use any of the well-established encryption protocols we discussed this quarter.
  • Replay attacks can be guarded against by confirming each action with a code that can only be used once.
  • The physical access problem is the most difficult problem to address – and the most interesting. Since third parties are allowed access to the system by the clients, it is difficult to enforce anything in the system if the third party is malicious. One way to defend against third party mischief would be to not carry any actions out immediately, but instead to queue them and then confirm them via text message with the client an indeterminate amount of time in the future, on the order of several hours. This way, hopefully clients will be forced to examine and acknowledge all actions away from the influence of the store owners. Malicious middlemen could counter this by requesting to keep the phone until the transaction is complete, but hopefully clients would grow suspicious of this request before long.

Mobile banking is something that hasn’t quite caught on here like it has in other places of the world. Not only is it useful for banking when branches aren’t nearby, the service has in some places, like Japan, evolved to include payments via cell phone rather than credit card, and other technology-enabled services which have security implications. Ultimately, a lot of these problems are already being worked on in the context of their low-tech equivalents (e.g. transmitting credit card information, etc.), but as we can see with the rural banking case study, there can be a lot of unexpected usages which result in unexpected potential problems.

These unexpected issues are likely where we will see the most interesting security issues in the future.

Clint Tseng and Erik Turnquist

Filed under: Physical Security, Policy, Privacy, Security Reviews
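
The single-use confirmation code and the queue-then-confirm defense from the Potential Defenses list of the mobile banking review above, sketched in Python as an added example (not the reviewers' or any bank's code). The class and method names, the delay bounds, the code lifetime and the retry limit are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MIN_DELAY_S, MAX_DELAY_S = 2 * 3600, 6 * 3600  # assumed; post says "several hours"
CODE_TTL_S = 24 * 3600   # assumed lifetime of a sent code
MAX_TRIES = 3            # assumed wrong guesses allowed before the action is dropped

@dataclass
class Pending:
    account: str
    action: str            # e.g. "send 500 to 0700-000-111" (constructed sample)
    notify_at: float       # when the confirmation SMS goes out
    code_hash: bytes = b""
    tries: int = 0
    state: str = "queued"  # queued -> awaiting -> executed | rejected

class ConfirmationQueue:
    def __init__(self):
        self.pending = {}   # action id -> Pending
        self.executed = []  # (account, action) pairs that actually ran

    def request(self, account, action, now):
        """Queue an action; nothing runs while the phone may still be in the shop."""
        action_id = secrets.token_hex(4)
        delay = MIN_DELAY_S + secrets.randbelow(MAX_DELAY_S - MIN_DELAY_S + 1)
        self.pending[action_id] = Pending(account, action, now + delay)
        return action_id

    @staticmethod
    def _bind(action_id, code):  # a code is valid for exactly one action id
        return hashlib.sha256(f"{action_id}:{code}".encode()).digest()

    def send_due(self, now):
        """Issue codes for actions whose hold elapsed; returns {action_id: code} (the SMS)."""
        sent = {}
        for action_id, p in self.pending.items():
            if p.state == "queued" and now >= p.notify_at:
                sent[action_id] = f"{secrets.randbelow(10**6):06d}"
                p.code_hash = self._bind(action_id, sent[action_id])
                p.state = "awaiting"
        return sent

    def confirm(self, action_id, code, now):
        p = self.pending.get(action_id)
        if p is None or p.state != "awaiting":
            return "rejected: not awaiting confirmation"  # also catches replays
        if now > p.notify_at + CODE_TTL_S:
            p.state = "rejected"
            return "rejected: expired"
        if not hmac.compare_digest(p.code_hash, self._bind(action_id, code)):
            p.tries += 1
            if p.tries >= MAX_TRIES:
                p.state = "rejected"
            return "rejected: wrong code"
        p.state = "executed"
        self.executed.append((p.account, p.action))
        return "executed"
```

The caller supplies `now`, so the hold period and expiry can be exercised without waiting; the random hold length stands in for the post's "indeterminate amount of time".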

Facebook’s lax security

By zhaoz at 9:30 pm on March 8, 2009

Facebook’s policy on applications has some people concerned and wondering if application writing should be more restricted.
The latest attacks have involved privacy leaks, and the installation of malware. Over the last week, five separate security issues have come up. One virus is a variation of “Koobface” which claims that the user must download a plugin to view a video.

Applications on Facebook are not vetted; anybody is allowed to write an app and offer it to other people. Viral apps would often hide functionality in innocent-looking buttons to spread themselves further or give away private information. Despite Facebook’s efforts to disable applications, the current policy allows them to pop up elsewhere.

Some people have clamored for the application hosting policy to be reviewed. Facebook believes it’s too early for these conclusions, and that changing the policy would be too drastic of a move.

(Source: nzherald)

(Source: cnet)

Filed under: Current Events, Policy

Current Event: Convicted Botnet Leader Retains Job

By eapter at 8:15 pm on March 7, 2009

In three sequential articles, ComputerWorld traces the sentencing of convicted botnet leader John Schiefer as well as his continued employment at the start-up Mahalo. Schiefer is an ex-security consultant and is the first botnet leader to be charged under the wiretap statutes. He entered his guilty plea almost a year ago, but sentencing has been delayed until now. He will be paying $2,500 in fines, paying nearly $20,000 in restitution, and spending 4 years in prison. Perhaps what is more interesting is that Mahalo’s CEO Jason Calacanis has both allowed Schiefer to continue working during this time and has expressed a desire to offer him a job upon his release from prison. Calacanis has defended this decision on the basis that he trusts Schiefer and considers him a changed man from the person who committed the earlier crimes.

Filed under: Current Events, Ethics, Policy

Security Review : Add-ons

By kosh at 9:14 pm on February 13, 2009

An add-on is a simple plugin that you use, say for Firefox, to let you do your work more easily. This also lets you customize the browser in ways that do not affect the productivity of other people. Add-ons are becoming a major part of the browser functionality but sans the scrutiny that goes into developing a browser.

Assets and Security Goal:

* Assets: Your browser, everything that you use it for and your cookies. Uh, not the ones you eat. And privacy.
* Security Goal: Protect your privacy at all cost and your cookies and your intimate browsing secrets!

Adversaries and Threats:

* Unauthorized publishers: This is the dreaded group of publishers that are able to make an add-on for your browser and pass it off as being legitimate and harmless. This is much easier than you think since most add-ons are unverified or rather community verified and it might take a while to find an exploit.


* Counterfeit add-ons are the biggest risk – a majority of the add-ons are through unverified authors.
* Deceived by community rating. Since the rating for the plugins is done by the community, an obscure/malicious add-on can be easily made to look like a legitimate one through a community of attackers/ an attacker with a community of profiles.
* Unauthorized plugins from third party websites.


* Other legitimate users – These are probably the best and most formidable defense when it comes to validating add-ons. However, this is also a delayed defense since ‘enough’ users will have had to use the add-on for someone to finally detect a malicious exploit.
* Firewall – Your firewall is also your second line of defense when preventing backdoor access through the malicious add-on.
* Antivirus software – An up-to-date virus definition file should help the software detect a malicious plugin. However, this also assumes that the attacker used a known exploit/trojan/virus to inject into the add-on.
* Security updates from the browser, OS – These can help patch the exploits that are currently in place.

The risk of being duped means to lose a significant amount of personal information that is stored in the browser. With the shift of browser towards acting like an OS with features to save passwords, sessions, etc., there is an unbelievable amount of personal information that can be stolen through a malicious add-on. The add-on can also redirect to malicious websites that involve elaborate phishing scams leading to the loss of information and money. Such attacks give the hacker complete control of your online portfolio which can be held for ransom and also misused, causing personal damage.

Overall, although there are inherent risks to open source projects like a community browser, a large part of the attacks are easily mitigated due to the sheer number of users that pass through such an add-on. There also seems to be a significant, active and unofficial community that monitors the plugins for malicious intent. One way to decrease the probability of such an attack would involve letting a significant time pass from the release of the plugin to the installation for it to be tested by active community members. Filtering the installation of add-ons also becomes an important but often impossible task in a corporate environment where the risks are especially high. Add-ons (unsigned) are definitely a double-edged sword that needs to be handled with care.

Filed under: Policy, Security Reviews

Police Searches of Personal Electronics

By asekine at 2:46 pm on February 6, 2009


In June 2008 Florida Highway Patrol officer John Wilcox pulled over Ariel Quintana for speeding, who was then discovered to be driving with a suspended license. The officer also suspected Quintana of being in possession of marijuana, but a search of the car revealed nothing. While in custody, Quintana’s phone rang and officers removed the phone without permission and started searching the contents of the device.

While going through the photo album, pictures were discovered of what appeared to be marijuana plants in a grow house. This resulted in a raid of Quintana’s address, which led to the seizure of over $850,000 worth of marijuana plants.

This is not the first case where a personal electronic device was searched without warrant that resulted in further evidence being used against a suspect in custody for an unrelated crime. Given the increasing presence and integration of personal electronics in every aspect of our lives, PDAs and cellphones can provide the most intimate details about their owners. As such, there is debate about whether the owners’ privacy should be protected given the nature of the information they contain, or if they should be considered containers and/or accessories for crimes which police should be able to search for further evidence for use in court, without the need of a warrant. As the article indicates, courts are split on this topic and there is still much debate about how these cases should be handled.

In order to prevent future incidences such as this from occurring again in the future, politicians and courts have to agree upon which circumstances searching digital devices is allowed, if at all. Given the nature of the types of information and data stored on personal devices, laws dealing with them must adapt to take the sensitivity of this information into account. The number of cases such as this will only increase with time, and policies need to be introduced to deal with this increasingly relevant issue. Individuals need to be aware of their rights, especially given the information at stake.

Filed under: Current Events, Policy, Privacy

Arrested in Washington? Give us your DNA!

By eapter at 5:04 pm on February 5, 2009

As I found on Slashdot, a controversial piece of legislation is being considered that would allow for the collection of DNA from arrested persons. The DNA may be collected prior to the arrested person being charged with a crime, and the arrest can be for crimes as minor as shoplifting. The DNA would be sent to State Patrol and FBI databases, where it would be compared against DNA collected in unsolved crimes. If the person who was arrested is not charged, is not convicted, or has her conviction overthrown, her DNA would be destroyed.

Filed under: Current Events, Miscellaneous, Policy

Current Event: WarCloning Passport RFID Tags

By rctucker at 10:03 pm on February 2, 2009

According to Slashdot, researcher Chris Paget was able to capture many identification numbers from the new passports containing RFID tags while driving around San Francisco. Using $250 of equipment (an RFID reader and an antenna) hooked up to his laptop, Paget was able to read the identification numbers of the passport RFID tags from up to 20 feet away. According to Paget, it could be possible to read the tags from hundreds of feet away since they are actual radio signals. It is then “trivial to program” a blank tag with the retrieved identification numbers. It is these numbers that are used in verifying the RFID tag.

Filed under: Current Events, Policy, Privacy, Research

Security Review: Pandemic Prevention

By hmu2 at 3:08 pm on January 30, 2009

According to a New Scientist article, a company called Biorics wants to control the spread of pandemic disease by dispersing “cough-detecting” microphones throughout airport lounges. The proposed technology would detect coughing passengers and distinguish a common-cold-like cough from one that could be a symptom of a serious and spreadable disease. In 1998, a group of scientists from the Nippon Medical School in Tokyo, Japan showed that they could discriminate between productive and non-productive coughs, where a productive cough is usually accompanied by the expulsion of phlegm (i.e. a sick person’s cough). Biorics used this research to develop a system that theoretically could detect a sick traveler in an airport and stop the spread of a possibly devastating disease.

Filed under: Ethics, Miscellaneous, Policy, Security Reviews