Security Review: Brain Electrical Oscillation Signature Profiling in Criminal Trials

Posted on November 19, 2008 by eland

In September of 2008, a 24-year-old woman in Maharashtra, India, was found guilty of murdering her fiancé. Her trial set a (troubling) legal precedent because brain electrical oscillation signature (BEOS) testing was cited as major evidence in her conviction. This controversial method involves placing electrodes on the head of the accused and analyzing visual recognition signals to prove whether or not someone has prior recollection of a crime.

Continue reading

Posted in Security Reviews | Comments Off on Security Review: Brain Electrical Oscillation Signature Profiling in Criminal Trials

Pacemaker and Implantable Defibrillator Security Paper at Oakland

Posted on May 26, 2008 by Tadayoshi Kohno

University of Washington CSE PhD student Dan Halperin et al.‘s paper on the security and privacy for pacemakers and implantable defibrillators just received the Best Paper Award at the annual IEEE Symposium on Security and Privacy (a.k.a. the “Oakland” conference).

Dan and the rest of the team from UW, UMass Amherst, and Harvard Medical School found that an implantable cardioverter defibrillator can leak private information and can allow unauthorized parties to modify settings that control, among other things, shock therapies.  

You can read Dan’s full paper and the FAQ, as well as his earlier work on the topic of medical device security.  You can also read summaries of Dan’s work in The New York Times, the Wall Street Journal, Reuters, and the Associated Press.  Bruce Schneier also provides excellent commentary.

Congratulations Dan!

Posted in Announcements, Current Events, Research, Security Reviews | 1 Comment

Phalanx attains Slashdot fame!

Posted on April 22, 2008 by alpers

I’m not sure if many people read this blog, but I recently noticed that the UW project Phalanx (slides, paper, and poster available from Colin Dixon’s site, recently featured on Slashdot) brought up the idea of countering botnets by setting up neutral (‘white-hat’ was tossed around in the /. comments) botnets to negate the adverse effects.

Any thoughts on this? It’s a curiously fun conceptualization, but could this potentially be just digging a bigger grave for the internet?

Posted in Current Events, Integrity | Tagged , | 3 Comments

In-Flight Web Page Modifications

Posted on April 20, 2008 by creis

Our research group (Charlie Reis, Yoshi Kohno, and Steve Gribble from UW CSE, and Nick Weaver from ICSI) has just presented a measurement study showing that many users are receiving web pages that have been modified in-flight.  The pages are changed between the web server and the user’s browser, either by ISPs injecting advertisements, enterprise firewalls injecting script code, or client-side proxies that block popups and ads.  These changes are often unwanted by either publishers or users, and they can also be dangerous: we found that several types of changes introduced bugs and security vulnerabilities into otherwise safe and functional pages.

To study this, we measured how often our own web page, http://vancouver.cs.washington.edu, was modified when users visited it.  A piece of JavaScript code that we call a “web tripwire” detected such modifications, allowing us to record the change and notify the user.  Our study found that about 1% of the 50,000 visitors to our page received a modified version.  While 70% of these changes were caused by client-side proxies, we did see many changes caused by ISPs and firewalls as well.

For more information on our study and our results, you can read our analysis at Detecting In-Flight Page Changes with Web Tripwires, as well as our recent NSDI 2008 paper (PDF).  Our results have also been covered recently in the news media here, here, and here.

If you would like to add a web tripwire to your own page, we have an open source toolkit that you can download and host on your web server.  We also have a web tripwire service that is hosted by our server, which you can add to your page with a single line of JavaScript code.

Posted in Current Events, Integrity, Research | 1 Comment

Happy Spring Break!

Posted on March 25, 2008 by Tadayoshi Kohno

Have a great spring break everyone!

To readers of this blog: Please expect low activity for a while. The University of Washington is on the quarter system, and our quarter just ended. Everyone in the class is, of course, encouraged to still contribute articles to this blog. And we’ll continue using this blog (or more sophisticated forum environments) in future courses.  Stay tuned for more information 🙂 .

Posted in Announcements, Security Reviews | 1 Comment

Security Review: IMA

Posted on March 20, 2008 by patriw

The IMA is a rather public place where students, faculty, and spouses can take fitness classes, lift weights, or use an expansive cardio room.

The assests include fitness machines, sports equipement, and simply the space, which when occupied by a unwelcome visitor, makes it unusable to a valid ima-goer. In addition, there is wifi access, as well as internet ready terminals. Continue reading

Posted in Miscellaneous | 3 Comments

Security Review: Husky Union Building

Posted on March 18, 2008 by esoteric

The Husky Union Building is the center of life on campus. It is home to the Associated Students of the University of Washington, hundreds of student clubs and organizations, the university bookstore, food vendors, university employee payroll and accounting, information services, games area, campus-wide lost & found, US Bank, bike shop, hair salon, newsstand, event services, and many more departments.

Continue reading

Posted in Miscellaneous, Physical Security, Security Reviews | Tagged , , | 7 Comments

Security Review: Wireless Home Automation Systems

Posted on March 17, 2008 by chernyak

Summary:Home automation systems in general attempt to enable home owners to have a “smart” house. Instead of light switches you have integrated panels that control everything from your lights, to your shades, to your entertainment system, climate control, alarm system, motorized locks, etc. Some specific examples of such systems like those offered by Control4 use wireless communications between the panels and devices they control. Some also have integration with cell phone applications. One of the selling points for these systems is that they improve security.

Continue reading

Posted in Physical Security, Privacy, Security Reviews | 4 Comments

Ethics…?

Posted on March 17, 2008 by robert

This blog post on freedom-to-tinker came up in my feed reader today: http://www.freedom-to-tinker.com/?p=1265

The post is an e-mail from a company that makes e-voting machines that is threatening legal action if their voting machine is analyzed and the results published.

What does everyone think of this?

Posted in Ethics | 8 Comments

Security Review: “Smart Guns”

Posted on March 16, 2008 by Trip Volpe

Overview

This is a security review of “Smart Guns,” a general class of locking/use prevention mechanisms for firearms that rely on biometrics or other authentication indicators (such as “smart” chips embedded in the gun and in rings or other tokens worn by the intended user) to identify a person who is authorized to use the firearm, while preventing unauthorized persons from discharging the weapon. The Wikipedia article has some further broad overview information regarding the subject.

Continue reading

Posted in Availability, Physical Security, Policy, Security Reviews | 18 Comments