Current Event: racial profiling no more effective than random screening

In “Study: racial profiling no more effective than random screen”, ArsTechnica reports on a new study by William Press, who claims that using profiling at security checkpoints such as airports is not effective in catching threats. The ineffectiveness, according to Press, stems from small numbers of screeners being able to only resample a small subset of the total population at any given moment. Screeners, on the average, end up retesting the same innocent individuals that happen to have large correlations with risk profiles.

This event arises from the current security concerns of DHS, and their mandate to catch terrorists at the various entrances to the United States. It seems that the methods employed in profiling are faulty, and need revisiting. As a counter-example to this article, the Israeli airports employ racial profiling to great success in ensuring security, and haven’t had an incident since 1986 — however, they combine these profiling methods with other forms of security measures.

However, there are larger issues in having such broad-sweeping racial profiling in the US. Applying racial targeting to minorities at checkpoints would cause a fair amount of backlash, considering the historical implications. As well, all the racial groups that are on profiling lists also are likely not adversarial threats, and are certainly as legitimate citizens as people that aren’t on the list. Also, it seems like relying heavily on profiling means that defeating it is simply a matter of not fitting the current terrorist profile.

While there have been some success stories in racial profiling with regards to border security, the idea leaves a bad taste in my mouth. There are inarguably a number of things that DHS can do to improve security at checkpoints (hiring competent TSA employees comes to mind), without going down the dangerous path of racial profiling — profiling that has been shown in this recent study to be mostly ineffective given how it is currently applied.

Original Article: http://arstechnica.com/science/news/2009/02/study-racial-profiling-no-more-effective-than-random-screen.ars

Posted in Current Events, Ethics, Integrity, Physical Security | Comments Off on Current Event: racial profiling no more effective than random screening

Current Event: Xbox Live DDoS Attacks Become Popular

Cheating in online multiplayer games has always been an issue. Each genre of game has been plagued with a certain type of hack: map discovery hacks for RTS games, aiming hacks in FPSs, and hacks to force opponents to leave ranked games. Now, DDoS attacks are being used by some Xbox Live users to kick their opponents from games.

The article “Hackers Use DIY Botnets To DDoS Xbox Gamers” focuses on ready-made botnet solutions which make it easy for a script-kiddie to set up his own botnet. The programs discussed were BioZombie and HostBooter, and both come with a couple of bots but require the user to add more. These bots can be added willingly (via friends), or the aspiring botnet emperor can trick others into running an executable. Many places advertise botnet creation services, or zombies for a fee ($2 per bot was a price referenced in the article). Of course, anyone who successfully spreads their botnet would “find themselves a drone for the original creator.” This seems like an excellent case of social engineering to spread a botnet.

The new popularity of this kind of exploit is directly caused by the gaming subculture’s lust for vengeance and carelessness in cheating, but it is an interesting new use of DDoS attacks. Unfortunately for Xbox Live users, no fix is on the horizon. If games were all hosted by a central server and there was no peer-to-peer communication, then a DDoS attack would not be possible because the attacker would not be able to find out the other gamers’ IP addresses. To stop this exploit from booting gamers, the Xbox game creators will need to change the way games are hosted, although this will mean that they must pay for more hosting. Positive reactions to this kind of cheat would be to complain to Microsoft about the need to consider the security of online gaming protocols. If nothing is done, every automated online competitive ladder could be cheated. Fortunately, this malicious activity could be tracked and a list of malicious users could be banned. I remember when Blizzard banned a large number of IP addresses and game serial numbers for maphacking in Warcraft 3. Hopefully Microsoft and other game developers will take a proactive role as well, or else many people will become frustrated with their online gaming experience.

link:
http://blog.spywareguide.com/2009/02/hackers-use-diy-botnets-to-ddo.html

Posted in Current Events | 1 Comment

Current Event: Rigged Red Lights

Summary

In Italy, public officials have been abusing their authority to make more money from the public by making reds come earlier than they are supposed to (a shorter duration yellow than legally allowed).   This means that, since they use cameras to automatically give tickets to people running red lights (see security review of automated traffic cameras for a different look at that aspect of it), they can make money off residents who are given inadequate time to come to a stop, and thus must run a red.

Who Was Hurt By It

Drivers have been economically affected, with 1439 people caught over two months (the fine is 150 Euros, or roughly $190 at current exchange rate).  Prior to that, at most 900 people would have been expected to be caught assuming the maximum number of tickets normally given were given out per day (this means a 50% increase over a value previously considered unrealistic to obtain!).

The public has also suffered a reduced amount of trust in the transparency and honesty of their government. A system which was out of their control, and which they were mostly powerless to oppose or investigate, was found to have been compromised in such a way that people were both labelled as criminals and charged unfair money.

Who Did It

109 officials are being investigated with regards to it, although the programmer himself is the current person taking most of the blame in the news.  Also involved were: police, local government officials, and the heads of seven different companies. Roughly 300 municipalities and a host of different companies were profiting from this scheme.

What’s Being Done

Currently a criminal case is being pursued against those responsible.  However, this does not really address the problem–the faulty systems are still in use, and ultimately fixing them should be the first priority.  Although the programmer responsible has a lawyer proclaiming his innocence, ultimately a review of the cameras themselves will need to be done.

Long Term View

This adds yet another complaint against automated traffic cameras. Many object on privacy grounds, but this also adds concerns about faulty software, whether the fault comes from malice or from incompetence. Although it is unlikely that Italy will suddenly abandon automated traffic cameras, it may cause them to take a second look at them, at the least, and hopefully be more open in the future. In all likelihood, however, they will continue to use a closed source solution, and will merely (hopefully) patch this problem.

Finally, this also adds another potential weakness to the list in the security review–corrupt officials who view it as a way of making more money.

Source: http://arstechnica.com/tech-policy/news/2009/02/italian-red-light-cameras-rigged-with-shorter-yellow-lights.ars

See also: http://cubist.cs.washington.edu/Security/2009/02/05/security-review-automated-traffic-enforcement

Posted in Current Events, Ethics, Integrity | 2 Comments

Current Event: New Hard Drive Encryption Standard Proposed

The Trusted Computing Group has proposed a new standard for self-encrypting hard drives. Many current hard drives boast encryption features, but some provide few details on the encryption process, and there was previously no single standard among all manufacturers. This new standard would bring greater interoperability between drives from different manufacturers, and its details are publicly available, in accordance with Kerckhoffs’ principle.

This could be seen as a good thing – many existing hardware-based encryption products likely get away with using insecure algorithms, and putting the details out in the open would prevent this from happening. Many, however (including the well-respected Bruce Schneier), disagree on the basis that yet another standard would inevitably have flaws, and that existing software-based systems are good enough. What do you think?

Posted in Current Events | 1 Comment

Security Review: Automated Traffic Enforcement

Summary:

This security review was motivated by a family member of mine receiving a ticket from this technology: automated traffic enforcement. This is a fairly new system cities are using to enforce traffic laws. They are using systems that detect when drivers run red lights and speed in certain zones. The purpose of these systems is to reduce traffic infractions in an area and overall improve traffic safety. The Stop Red Light Running systems work by taking two photos, a front and back picture, of the vehicle running the red light. The sensors are synchronized with the traffic lights and are able to detect vehicles driving through intersections on red lights. The sensors trigger the cameras that record the day, time and place of the violation. As for the speeding systems, they use photo radar, which measures the speed of the vehicle, and snaps two pictures of the front and back of the vehicle. Once a vehicle is detected as being in violation, it is sent to traffic enforcement and the traffic infringement is mailed to the owner of the vehicle. The traffic enforcement expects the delivery of the letter to be reliable such that if you do not submit a payment within the time frame, the vehicle owner will receive a late notice and the ticket fee increases. Unfortunately, this is what happened to my family member.

Although I agree that this is a step in the right direction to improve traffic safety, one question that comes to my mind is how accurate the infractions are. In the case of a vehicle running a red light, it is apparent if the car is in the middle of the intersection and the light is red. But for a speeding infraction, how accurate is the system in correctly identifying infractions, meaning does it generate false positives? Also, is it possible for someone to access the traffic enforcement network and speeding systems to generate false speeding infractions?

Assets & Security Goals

  • Drivers’ Info, we do not want the driver’s information stored in the DMV to be read by parties other than the person who made the infraction. If this is not secure, privacy can become an issue.
  • Tickets, we do not want the system to distribute false tickets based on false information. If this is not accurate, the system can be recognized as not usable.
  • Streets, we want drivers to abide by traffic laws in all areas such that it does not endanger the safety of other drivers and pedestrians. We want to ensure traffic safety overall.

Potential Adversaries & Threats

  • Malicious users – A user can obtain unauthorized access to the system and begin printing out false tickets, having information from the DMV sent out to the vehicle’s owner and intercepting that parcel to read information about the vehicle’s owner.
  • Unauthorized car users – A person who has unauthorized access to another person’s car can force tickets upon the vehicle’s owner by breaking the law at known automatic traffic enforcement sites. This is because there isn’t a form of verification from this system. It only uses the infraction and vehicle, not driver.

Potential Weaknesses

  • Weak passwords or misconfiguration of the automatic traffic enforcement may exist such that they are known and malicious users are able to obtain this information to gain unauthorized access.
  • Eavesdroppers can intercept the ticket notification through the mail to read sensitive information in the parcel.
  • A hijacker/malicious driver can obtain unauthorized access to a car and perform these infractions. However, the system will always send tickets to the vehicle owner’s address. Therefore, a malicious user can “rack up” many tickets for a vehicle’s owner despite the vehicle’s owner not performing the infraction.

Potential Defenses

  • Strengthen aspects of the system to prevent unauthorized access to the ticketing system.
  • Determine a new method to notify a vehicle owner of the infraction they have made.
  • Redesign the system to include verification of the driver performing the infraction such that it does not default to the vehicle owner.

Conclusions

Despite some of this system’s weaknesses, there has been a noticeable improvement in traffic infractions and traffic collisions due to running red lights and speeding. It was stated that in New York City, crashes that were caused by running red lights were reduced by 70%. As a result of this, it improved traffic safety. Before this system was created, traffic infractions were cited only if an officer on duty was able to spot it, either with their own vision if it was someone running a red light or with their radar gun. This new system allows officers to improve their public safety coverage and focus on things other than traffic enforcement. Furthermore, the system acts as a deterrent as well because drivers are well aware that if they do speed or run a red light they will be caught. Prior to the system, many people were aware of the laws and aware of the consequences but weighed them against the likelihood of being caught performing the act. Most of the time, drivers believe they won’t be caught because they bank on the fact that cops are not at specific areas for 24 hours a day, 7 days a week. This automatic system allows this 24/7 coverage. The next steps for this system would be reducing false positives and ensuring delivery of tickets. This is because delivery is never guaranteed to be reliable.

Posted in Security Reviews | 2 Comments

Smashing the Lab for Fun and Profit

Since many people are probably busy working on or wrapping up lab 2, I thought it would be a good time to post a security review based on some interesting findings that I discovered in the course of completing the lab. My search began with version 5. When I began attempting version 5, I became increasingly frustrated to the point where I believed that version 5 was completely secure from cross site scripting and the only way to break it for extra credit was to break the server itself. So that’s what I attempted.

Posted in Security Reviews | 1 Comment

Current Event: Malicious Parking Tickets

According to a post on the Internet Storm Center (ISC), some malware writers have turned to leaving false parking tickets in order to lure victims into running malicious programs. The parking tickets contained a URL where one could see a picture of the supposed offense. Upon arrival at the site, users were prompted to download a toolbar in order to view their particular picture(s). Link here.

Writers of malware often have to contend with the question of how to make users visit a particular site, or run some untrusted code. Spam emails, submitting links on popular social websites, and inserting malicious programs into data downloaded from peer to peer applications are all common practice. Savvy users know the danger of running untrusted programs, especially when appearing from a dubious source. The trick, then, is for the malware writers to make the source appear legitimate. By using a physical medium (paper, as opposed to a link or an email), potential victims were more likely to trust the website. In addition, many of the supposed parking violators likely felt wrongfully accused, and wished to dispute, or at least view, the evidence against them. And in trying to obtain that evidence, they allowed a malicious program to install itself on their computer.

This tactic also puts the writers or distributors of the malware at some risk. In most cases, locating the original person or people behind malicious software is very difficult. Because of the nature of the internet, anyone could release malware from anywhere in the world. But, when these distributors placed their false parking tickets on cars, they also told authorities where they were. Instead of being perhaps some anonymous author in who knows what country, the distributors of these parking tickets (or some accomplice) physically had to be in Grand Forks, North Dakota on the days the tickets were given out. Law enforcement agencies now have a chance of catching the perpetrators, and charging them.

Preventative measures against this sort of attack are difficult. As always, the key is to not run untrusted software, and to be aware of the dangers. But just what does untrusted mean? Nobody expects an attack to come from a parking ticket. Awareness in this case would have helped as well. When this website began asking to install a special toolbar so you can view pictures, you should get suspicious. Some problems, such as social engineering, are just too difficult with technology alone. Being informed about risks, about methods of attacks, and about trusted information systems will go much farther than any malware detection/prevention software, and is more likely to keep up with the times, as well.

Link to article.

Posted in Current Events, Physical Security | Comments Off on Current Event: Malicious Parking Tickets

Security Review: ShopAds from Adgregate Markets

In early September 2008 during the TechCrunch50 Conference, there were many companies that came forward presenting ideas on how to change the advertising business. One such company, Adgregate Markets, presented an idea they call the ShopAds widget. This widget can be placed on any website like a normal banner ad, but is instead a fully transactional ad that allows visitors to the site the ad is placed on to conduct a business transaction (such as buying an item or ordering a service) without leaving the hosting web page.

This is big news both for host sites that may gain revenue from their ads, as well as the companies trying to sell a product. For host sites, it means their pages are sticky; visitors no longer leave for a 3rd party site when they see a product they like. Instead, they can just purchase it and continue to view the content. For the company selling the product, it means their returns are much greater than previous click-through counting methods, as the results are in the form of actual sales and revenue.

But what does this mean for the online consumer? Of course, it means they can now make purchases through ads without having to go to another site, but it also means they have to be smarter. Adgregate claims in their press release that “Through ShopAds, Adgregate Markets enables consumers to securely purchase products entirely within the confines of the ad unit, without being redirected away from the publisher’s site.” However, a problem arises when a ShopAds widget is placed on a web page that uses HTTP instead of HTTPS. Since the page itself is transmitted over HTTP, the content of the page is in plaintext. Additionally, there is no way to verify that the widget came from any particular location. For example, a malicious router launching a man-in-the-middle attack could replace the widget on a page with their own widget that appears to be legitimate. Visitors to the web page may then interact with it assuming it is the company it says it is. Although ShopAds are Flash-based, and thus can establish secure connections, this only has meaning if the source of the ad itself can be verified.

Assets and Security Goals:

  • Purchase Orders – The purchase made by a visitor/customer must be accurate when it is received by the merchant company.
  • Consumer Identities – Identifying information, such as credit card numbers, should not.
  • Merchant Identities – It should be possible for a consumer to know for sure that they are buying from a particular merchant.  In other words, it should not be possible for an adversary to pretend to be a Macy’s ad.

Potential Adversaries or Threats

  • Eavesdroppers – It could be possible to collect customer information by sniffing packets.
  • Copy Cats – By replacing ShopAds widgets with a malicious Flash ad, one could pretend to be a company that they are not.
  • Modifiers – By modifying the information being exchanged, it may be possible to alter the purchase order itself (such as the quantity of certain items) or change where it is being shipped to.

Potential Weaknesses

  • HTTP Pages – Pages using HTTP cannot guarantee the origin of the content displayed on the page, including the ShopAds widget, and would be vulnerable to man-in-the-middle attacks.  Additionally, information is sent over plaintext.
  • HTTPS Pages – Even on an HTTPS page, you would have to trust the hosting (publishing) website you were visiting.  HTTPS only verifies that the site is who they say they are. So, visiting https://www.evil.com and conducting a business transaction through one of their evil ads is still dangerous.
  • ShopAds Widget – If the widget does not take advantage of the features in Flash to establish secure connections, information may be sent over plaintext.

Potential Defenses

  • HTTPS Pages – HTTPS pages can at least guarantee that the page is who they say they are and that the data is not sent over plaintext.  If a customer trusts the hosting/publishing site, and they trust the company who owns the ad, they could trust the transaction.  However, this would require every page with a ShopAds widget to use HTTPS…
  • Flash Security – Make sure to take advantage of features to establish secure connections to prevent transaction information from being transmitted in plaintext, even if the widget is properly placed on a trusted HTTP page that has not been maliciously modified.
  • Ad/Merchant Verification – Having the potential for a consumer to verify that the ad belongs to a particular consumer would help guarantee online shoppers do not buy from copy-cats.  Ideally, this would be done in the widget as well so as to keep to the nature of this new technology.

The largest problem here is that consumers may have no idea about the threats posed by these types of ads.  Many customers may not even know why HTTPS is important, let alone how it affects the security of shopping through an ad. Furthermore, it is unlikely that every page that will be sporting the ShopAds widgets will start using HTTPS, so shoppers will learn to have trust in these very dangerous situations. Even if the publishing site can be trusted, if the widget is not on an HTTPS page, it cannot be trusted.

If the ShopAds widget is to become the next best thing in advertisement and online shopping, these security concerns will have to be addressed.  In the same way that an online banker would not (hopefully!) enter their bank account number and password on an insecure page, neither should an online shopper provide their credit card or other identifying information.  It will also be necessary for shoppers to be more aware of where and how they are making purchases.  To help out visitors to the site, some of the responsibility may rest with the publishing website to make sure the ads they are providing do not compromise the identities of its visitors.  If this does catch on, it may become necessary in the future for browsers to be able to verify the origin of chunks of content, such as the ShopAds widget, to guarantee the security of its users.

Posted in Integrity, Privacy, Security Reviews | 3 Comments
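
The ShopAds review above argues that a check on the widget only has meaning if the page carrying it can itself be trusted. The small model below shows that point; it is an added example, not code from the post or from Adgregate Markets. The `data-pin` attribute, the URL and the widget bytes are constructed for illustration (the pin is the same idea as Subresource Integrity for scripts).

```python
import base64
import hashlib
import hmac
import re

# Constructed sample data, not real ShopAds content.
GENUINE_WIDGET = b"genuine merchant widget (constructed sample bytes)"
LOOKALIKE_WIDGET = b"look-alike widget (constructed sample bytes)"
WIDGET_URL = "http://ads.example/widget.swf"  # hypothetical URL
# Hypothetical attribute in which the publisher states the expected widget hash.
PIN_RE = re.compile(r'data-pin="(sha384-[A-Za-z0-9+/=]+)"')


def content_pin(content: bytes) -> str:
    """Return a 'sha384-<base64>' digest string for the given bytes."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def publisher_page(widget: bytes) -> str:
    """HTML as the publisher serves it: the embed tag pins the widget's hash."""
    return (
        "<html><body><p>Article text</p>"
        f'<embed src="{WIDGET_URL}" data-pin="{content_pin(widget)}">'
        "</body></html>"
    )


def client_accepts(page_html: str, widget_bytes: bytes) -> bool:
    """Accept the widget only if its hash matches the pin found in the page."""
    match = PIN_RE.search(page_html)
    if match is None:
        return False  # no pin in the page, so nothing to verify against
    return hmac.compare_digest(match.group(1), content_pin(widget_bytes))


def as_received(page_over_https: bool, widget_replaced: bool):
    """Model what reaches the client.

    The widget is fetched over plain HTTP, so its bytes can be replaced in
    transit. The page (and the pin inside it) can be rewritten in transit only
    when the page is also plain HTTP; HTTPS protects it.
    """
    page = publisher_page(GENUINE_WIDGET)
    widget = GENUINE_WIDGET
    if widget_replaced:
        widget = LOOKALIKE_WIDGET
        if not page_over_https:
            new_pin = f'data-pin="{content_pin(LOOKALIKE_WIDGET)}"'
            page = PIN_RE.sub(lambda _m: new_pin, page)
    return page, widget


def substitution_detected(page_over_https: bool) -> bool:
    """True if the client rejects a widget that was replaced in transit."""
    page, widget = as_received(page_over_https, widget_replaced=True)
    return not client_accepts(page, widget)


if __name__ == "__main__":
    for https in (True, False):
        scheme = "HTTPS" if https else "HTTP"
        print(f"page over {scheme}: substitution detected = "
              f"{substitution_detected(https)}")
```

On an HTTPS page the replaced widget fails the check; on an HTTP page the pin arrives rewritten along with the widget, so the same check passes and tells the visitor nothing.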

Security Review: RFID Tags are safe to use?

In “Current Event: WarCloning Passport RFID Tags”, a recent experiment done by researcher Chris Paget was introduced. According to the article, Paget could scan passport RFID tags. During a recent 20-minute drive in downtown San Francisco, he successfully copied the RFID tags of two passport cards without the knowledge of their owners.

The RFID tags contain no personally identifiable information, but rather what amounts to a record pointer to a secure Department of Homeland Security database. But because the pointer is a unique number, the American Civil Liberties Union and other civil libertarians warn the cards are still susceptible to abuse, especially if their RFID tags can be read. The tags could also be correlated to other signals, such as electronic toll-booth payment systems or RFID-based credit cards, to track the detailed movements of their holders.

Posted in Security Reviews | 1 Comment

Arrested in Washington? Give us your DNA!

As I found on Slashdot, a controversial piece of legislation is being considered that would allow for the collection of DNA from arrested persons. The DNA may be collected prior to the arrested person being charged with a crime, and the arrest can be for crimes as minor as shoplifting. The DNA would be sent to State Patrol and FBI databases, where it would be compared against DNA collected in unsolved crimes. If the person who was arrested is not charged, is not convicted, or has her conviction overthrown, her DNA would be destroyed.

Posted in Current Events, Miscellaneous, Policy | 2 Comments