Security Review: PayPal

By beenen34 at 7:47 pm on March 13, 2009

PayPal, along with other services like eBay, is an online tool used to transfer money that most are familiar with.  Web payment services are a major convenience, but come with a number of significant risks.  Services like PayPal can allow merchants to support payment over the internet without the necessity of having their own payment infrastructure, at a relatively small fee.  Online shopping and payment for products and services of all kinds is very convenient for users as well.

Filed under: Security Reviews

Security Review: VoIP Communication

By bensona at 6:49 pm

Over the past five years or so, voice over IP has rapidly gained in popularity and use.  It touts cheaper calls for residential users and corporations can save big because additional extensions on a VoIP infrastructure are less costly than their traditional phone system counterparts.  VoIP uses the same data lines as IP traffic to transmit voice.  As such, it faces many of the same security issues as digital data.

Assets:

  • Reliable, time-sensitive communication: No matter how much of our global communication is moving to text-based solutions, telephone calls are still the best way to communicate quickly.
  • Privacy: Users discussing sensitive information want the content of their conversation to be accessible only to the intended parties.

Adversaries:

  • Digital phreakers:  Phreakers in the days of analog phones exploited phones to be able to make free calls.  Similar feats have been accomplished with VoIP systems.
  • Company rivals: They might seek to bring down a company’s communications to  reduce their ability to handle business.
  • Profiteers: Can hold a company’s communications ransom

Filed under: Security Reviews

Security Review: DTV coupon program

By Kevin Wallace at 6:20 pm

This June, all U.S. television stations must shut off their analog broadcasts, and replace them with digital ones. In order to make the transition less painful, the DTV Coupon Program offers up to two coupons to every U.S. household, good for up to $40 each off the price of a DTV converter box. I recently received mine, and a glance at the magnetic stripe on the back of the card made me wonder what security issues the program might have.

ASSETS

  • Consumer privacy / anonymity. If a consumer so chooses, they should be able to purchase a converter box with a coupon anonymously, revealing no personal information to the retailer, as if it were a cash transaction.
  • DTV subsidy funds. No one should be able to spend more than their allotted portion of the subsidy funds.

ADVERSARIES / THREATS

  • Retailers, who have financial incentive to uniquely identify and track consumers.
  • Malicious consumers, who wish to use more than their fair share of the subsidy funds.

POTENTIAL WEAKNESSES / DEFENSES

  • It turns out that the magstripe of the cards contains the consumer’s full name, allowing retailers to personally identify them. This is not ever disclosed to the consumer. This could have been avoided by instead encoding a unique, but non-personally-identifiable token instead. A consumer may still be able to use their card anonymously after blanking out or replacing their name on the magstripe, or by using an online retailer like Amazon.com, who doesn’t ask for the name the card was issued under.
  • It might be possible for a single card to be used more than once, if two purchases are made using the same card simultaneously. If this is indeed the case, this attack could be prevented by using a two-phase commit to prevent a card from being pre-authorized for use more than once.

CONCLUSION

While there are still serious privacy concerns with the current system, it is not very costly to opt out of the system by paying an extra $40 for a converter box. On the other hand, the system appears to be relatively secure against malicious consumers, with no known attacks against it in the wild.

Filed under: Security Reviews
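The two defenses suggested in the DTV coupon review above (an opaque token instead of a name, and reserving a card before redeeming it so that simultaneous purchases cannot both succeed) can be sketched as follows. This is an added example, not code from the post or from the coupon program: `CouponLedger`, its methods and the token format are hypothetical, and the reserve-then-commit idea is reduced to a single in-process ledger rather than a distributed protocol.

```python
import secrets
import threading
from enum import Enum


class State(Enum):
    AVAILABLE = "available"
    RESERVED = "reserved"    # pre-authorized by exactly one transaction
    REDEEMED = "redeemed"


class CouponLedger:
    """Hypothetical issuer-side ledger keyed by an opaque, non-identifying token."""

    def __init__(self):
        self._lock = threading.Lock()
        self._state = {}    # token -> State
        self._holder = {}   # token -> transaction id holding the reservation

    def issue(self):
        token = secrets.token_hex(8)   # constructed value; encodes no name
        with self._lock:
            self._state[token] = State.AVAILABLE
        return token

    def prepare(self, token, txn_id):
        """Phase 1: check and reserve in one atomic step, so only one caller wins."""
        with self._lock:
            if self._state.get(token) is not State.AVAILABLE:
                return False
            self._state[token] = State.RESERVED
            self._holder[token] = txn_id
            return True

    def finish(self, token, txn_id, commit):
        """Phase 2: the reserving transaction redeems (commit) or releases (abort)."""
        with self._lock:
            if (self._state.get(token) is not State.RESERVED
                    or self._holder.get(token) != txn_id):
                return False
            self._state[token] = State.REDEEMED if commit else State.AVAILABLE
            del self._holder[token]
            return True

    def state(self, token):
        with self._lock:
            return self._state.get(token)


def simulate_simultaneous_use(ledger, token, registers=8):
    """Start `registers` checkouts at the same moment; return txn ids that redeemed."""
    barrier = threading.Barrier(registers)
    redeemed = []

    def checkout(txn_id):
        barrier.wait()                      # release every attempt together
        if ledger.prepare(token, txn_id):   # losers stop here, no discount applied
            if ledger.finish(token, txn_id, commit=True):
                redeemed.append(txn_id)

    threads = [threading.Thread(target=checkout, args=(f"txn-{i}",))
               for i in range(registers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return redeemed


if __name__ == "__main__":
    ledger = CouponLedger()
    token = ledger.issue()
    print(simulate_simultaneous_use(ledger, token), ledger.state(token))
```

A production ledger would also need a timeout that releases reservations a register never finishes, which this sketch omits.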

Security Review: Google Latitude

By elenau at 6:01 pm

Google Latitude is yet another product available by the well established makers of the Gmail internet based mail system. Latitude is a web based service, running in sync with a client side application Google Gears, which allows Google to pinpoint your exact coordinates in the world and then in turn display them to their Google Maps for you to see. As is the case with many of Google’s applications, this application functions on many different platforms including Windows, Windows Mobile, Android, iPhone, etc.
Latitude is able to detect your location via any means possible. This includes GPS, Wi-Fi access points and even cell towers. It does this by simply triangulating your position with any of these three resources it can. Once your position has been located this information is uploaded on your Latitude account by Google and available to all whom you’ve opted to share your location with. This can pose potential security threats.

Filed under: Privacy, Security Reviews

Security Review: Apartment Complex Rent Drop-boxes

By levya at 4:53 pm

Most people renting an apartment use a common drop-box to pay the rent. Most often this is located in an easily accessible common area like the mailboxes or near the manager’s office. The setup to be discussed here is a box with a key lock. The box has a flap that opens with just enough room to slip in a folded check but, presumably, not enough to reach in.

Assets/Security Goals

  • The money in the checks
  • The personal information and signatures on the checks

Adversaries

  • Non residents interested in stealing money or identity
  • Residents interested in the same
  • Residents interested in forcing neighbors into late fees or the like

Weaknesses

  • The checks are left in the box often for days. This means there is a significant amount of time during which the box can be compromised without anyone noticing.
  • Common areas are accessible not only by residents, but quite easily by non-residents: guests, or strangers who follow a resident through the main door.
  • The key lock is often a very weak lock which is easily picked or broken.
  • The box itself is often cheap and flimsy or is fastened together with regular screws. It can be opened using a screwdriver in the easiest case, or in the extreme a crowbar or brute force.

Potential Defenses/Conclusion

There are several solutions which could alleviate to a large extent these security risks. An overriding weakness of these solutions is that they are relatively expensive compared to the cheap cost of existing drop boxes and the biggest stakeholders (the residents paying rent) are not in charge of choosing the solution (the building managers). Nevertheless, I will discuss some possible solutions. There are two basic levels of the solution. Limiting access to the box: general complex security measures like double door entrances, keys on more doors before getting to the drop-box area and the like, as well as only leaving checks out for a shorter period of time (perhaps collecting several times a day during payment periods). Making the drop box more secure: stronger boxes and locks would prevent access to the checks. Moreover, other methods such as direct delivery (in person) to the managers would eliminate most of these vulnerabilities. These solutions either compromise convenience (for example delivering directly to manager means that more coordination is required) or money (for example more expensive boxes or locks).

Filed under: Physical Security, Privacy, Security Reviews

Security Review: Google Voice

By eapter at 4:47 pm

Apologies for reviewing the same technology. The other Google Voice review just appeared for me, which was after I wrote my own. I did check prior to starting this review, and it wasn’t up then.

Summary:

ComputerWorld had an article about Google Voice.  Google Voice is a new service offered by Google to make people’s phones more usable.  Google Voice will automatically transcribe a user’s voicemail into text form, using speech recognition software.  Because the transcription is done with software, there may be some mistakes in the text versions.  The transcriptions will be made available in the user’s inbox.  The service can also e-mail or SMS the messages to you. If a user desires, the service can be turned off.

Google Voice builds on the technology of GrandCentral, a company that Google bought a few years ago.  This technology allows a user to have a single number for all of their phones.  When this number is dialed, all of the associated phones also ring.  In this way, a user can be contacted regardless of which phone (home, work, cell, etc…).  Google Voice will initially be offered to current users of GrandCentral.

Filed under: Current Events, Privacy, Security Reviews

Security Review: My Apartment

By tchan at 4:41 pm

The apartment complex I live in is comprised of a garage and multiple residential floors. The access points into the building are through the elevator, garage, and a street access door. All three use RFID keycards to restrict the access to only residents. The elevators are activated with the keycard. Once activated a floor button can be pushed and the elevator functions normally. The keycard is also used to open the garage gate and outside doors. Once inside a resident would have to use the elevator to reach his or her apartment floor.

Filed under: Physical Security, Security Reviews

Researchers develop security flaw scanner for use during Development

By asekine at 4:27 pm

http://www.sciencedaily.com/releases/2009/02/090224133010.htm

Summary

Researchers have proposed and started testing a new system for helping to identify potential bugs and security flaws during the development cycle of software development.  It works to help the development team identify and prioritize potential targets and weaknesses, and encourage a wider breadth of understanding for each member of the team.

Assets / Security goals:

  • The goal of this method is to help developers to explore the potential vulnerabilities in a proposed system/feature. This encourages keeping security a priority for the project from the beginning, during the design phase
  • To ensure that all people working on the project understand the potential risks associated with the features that they will be working on, and to ensure the diversity of people’s knowledge is taken advantage of.

Potential adversaries / threats

  • Any adversary that wants to take advantage of this system would have an interest in observing/subverting this process being undergone.
  • Unscrupulous employees could bias the results of this process by drawing attention away from real issues

Potential weaknesses

  • This method relies on the knowledge of those involved in the design process. It’s quite possible for these people to lack knowledge of attack methods that could be used against the product being designed, as it’s unlikely for any single team to contain experts in every possible attack method.
  • This method only outlines the potential security threats posed by the features during the design phase. During actual development/implementation, the actual threats and vulnerabilities may change, and these aren’t addressed using this method.

Potential Defenses

  • This procedure should be used in conjunction with other risk and security analysis tools to ensure the broadest range of coverage
  • Evaluations such as this should be repeated at regular intervals with a changing group of participants. The variability would encourage new ideas and provide newly discovered vulnerabilities to be discussed at length.

Given the difficulty of quantifying risks and potential security threats of any new product, this method is a good way to encourage the security mindset from the get go. The effectiveness of this method is entirely dependent on those who participate, but it does encourage the kind of thought necessary to protect systems from attackers.

Filed under: Miscellaneous, Security Reviews

Security Review: Technology’s vulnerability to sniffing keystrokes from electromagnetic emissions.

By dannya at 4:27 pm

This vulnerability is one of the most profound in computing.  Every computer has a connection from the keyboard to the CPU, and when signals are sent this connection acts as an antenna, transmitting a characteristic wave for each keystroke.  Each key strike actually emits a characteristic sound wave for each key.  Both of these facts have been used to sniff keystrokes from the air.  Even worse, PS2 keyboards have a connection to ground which causes their characteristic waves to be sent out in the power grid as well.  This means that an adversary could eavesdrop by plugging in a device near the victim’s computer.  These forms of attacks were first realized by the US government during WWII, but the countermeasures they developed were deemed too difficult to roll out at the time.

Assets and security goals:
–Goal: Users should be able to type without having people know their keystrokes anywhere in the vicinity or through walls.
–Asset of concern: Assets that users should hold private but are currently vulnerable include papers, financial information, private communications, passwords, and business communications.

Adversaries and threats:
–Other governments are an adversary who could be recording the keystrokes of any government official they can dedicate an antenna to.
–The main threat is that everything you do on your computer is being tracked by an unknown third party.

Potential Weaknesses:
–Electromagnetic waves emitted by the keyboard to computer connection cause characteristic waves to be sent with each keystroke.
–Connections to ground propagate characteristic signals of each keystroke in the power grid.

Potential Defenses:
–Shield the keyboard-computer connection with lead.
–The output of all electrical lines should be filtered by some bandpass filter.

The main difficulty with the shielding of electromagnetic radiation is that it requires a thick metal to encase the machine, which is costly, bulky, and inconvenient.  New ways need to be researched to shield, filter, and mask the emissions of computers.  Recently, the research team of Ecole Polytechnique announced they have uncovered ways to sniff keystrokes from 20 meters away with 95 percent accuracy using an antenna, oscilloscope, analog-to-digital converter, and a PC.  They plan to present a talk about the research at the upcoming CanSecWest conference, so this vulnerability may become more ubiquitous in the near future.  Paranoid people be afraid!

http://www.nsa.gov/public_info/_files/cryptologic_spectrum/tempest.pdf
http://www.itworld.com/security/64193/researchers-find-ways-sniff-keystrokes-thin-air

Filed under: Security Reviews

Security Review: Final Examinations

By petermil at 3:40 pm

Final exams are just around the corner (or in some cases may already have been taken if they’re in-class ones)!  I figured I’d write a security review about the system of final exams.

Assets and Goals:

  • Pre-knowledge of questions
  • After the fact, knowledge of other people’s grades
  • During the test, forbidden knowledge
  • During the test, having unauthorized person take test

Adversaries:

  • Students are primarily the only adversaries.  Sabotage by rival professors seems rather unlikely ;).
  • Others may be interested for whatever reason in learning the score of a particular student on an exam.

Weaknesses:

  • Examinations may be handled by multiple locations prior to the test
  • Professors may be lax about security
  • Too-large class-sizes may overwhelm proctors from preventing cheating
  • Lack of careful ID checking

Potential Defenses:

  • Provide one centralized location for professors to print out / copy their exams in advance, so that they do not run the risk of someone listening to network traffic or grabbing a copy off the copier.
  • Ensure professors are familiar with security procedures to prevent students from sneaking into their offices.
  • Ensure professors are given an adequate number of proctors to prevent cheating (plainclothes proctors, i.e., proctors who pretend they are students also taking the exam, can also be particularly effective as, although they cannot patrol such a large area, other students may be less wary about them noticing cheating)
  • Have proctors check IDs of all students taking exams (I think I’ve had my ID checked a single time in 4 years, and many of those classes have been large lecture classes like Chem 142 where it’s doubtful the instructor recognized me)

Discussion and Conclusion:

There are many different types of cheating which students can do during an exam.  First of all, we need to consider what allowance the exam has for outside notes.

Particularly vulnerable to this is a class which is book only–I think I’ve only ever had one of those, but it’s extremely weak by default, as students can easily write in the margins of specific pages and as long as they are not stupidly blatant will not be caught.  Solution: make everyone randomly swap books at the start of class.  Weakness: time-consuming and difficult to ensure everyone gets their book back.  Conclusion: book only exams are annoying to make work properly, better to allow book + notes or neither.

Book + notes only is much easier to patrol.  Essentially the only sources disallowed are electronic sources or other people.  In this case, a sufficient number of proctors need to be around in order to ensure that students do not use cellphones (laptops are a little blatant for this). Solution: proctor numbers.  Conclusion: relatively easy

Book + notes + internet is quite difficult, as the laptop use must be monitored to prevent people from simply feeding the questions to a friend sitting at a computer at home who has already taken the class.  As security people, of course, we know that you could monitor network traffic, but this is not very easy and requires specialist knowledge that most professors and proctors are going to lack.  Easier is to just patrol the laptops, and require them all to sit in one location, at the front of the room.  A few plainclothes proctors sitting near / behind them can be a great help here, as alt-tabbing when an obvious proctor is coming is quite easy, but they won’t know the person behind them “taking the exam” is watching their screen.  Solution: plainclothes proctors.  Conclusion: riskier, but doable

No books/notes/internet is also pretty easy–visibility is key here.  As long as a proctor can see people without too much effort, large areas can be patrolled, as looking at notes will often cause quite a bit of noise.  Additionally, fellow students can easily identify and report the student who is cheating (emphasize the fact that the test is curved so they have a motive to do so 🙂 )

Overall conclusion: exams are rife with weaknesses.  Some professors post grades online using the last digits of student ID #s as the index.  Although these are not going to be unique, with knowledge of which classes a specific student is taking, accessing just a few of these classes will give an extremely high probability of figuring out which student it is.  People glancing quickly at another student’s paper are another large risk (which can be minimized by ensuring spacious seating/different versions of exams + non-multiple choice).

The lack of security knowledge of many professors means it would be relatively simple to steal into their office during lunch (for example) and grab the graded finals.  Doing this would also cause great chaos if the exams hadn’t been entered into the system yet, obviously, but even apart from that would violate the privacy of students to not have their grades plastered all over the internet.

Filed under: Security Reviews