xkcd comic on key signing parties

This comic should make more sense after today’s lecture.

Posted in Physical Security | Comments Off on xkcd comic on key signing parties

Security Review: Airport Security

Anyone who has travelled within the past 6 years has experienced the excruciating joy of going through modern airport security. For most domestic flights your checked bags go through one set of security procedures, and your person and carry-on items go through another. I will be focusing on the personal/carry-on side of airport security.

Posted in Physical Security, Security Reviews | 2 Comments

Security Review: IE7 Protected Mode

The latest version (7) of Microsoft’s Internet Explorer web browser, like its latest Windows operating system (Vista), is supposed to be the most secure version in the product’s history. A complete security review of either IE7 or Vista is outside the scope of this post, but there is one very interesting security feature found at the intersection of the two, called “Protected Mode.” Presented as a feature intended to limit the possible damage even if every other security feature in IE7 fails, Protected Mode limits the browser’s ability to modify the system in case of an attack while preserving the ability to execute other tasks, such as downloading files and allowing helper programs, plug-ins, and the user to interact with the browser much as before.

Posted in Integrity, Privacy, Security Reviews | Comments Off on Security Review: IE7 Protected Mode

Security Review: Pop Machines

While we have access to reasonably priced soda in the ACM lounge or the Benson store, the average person looking for a convenient drink has to shell out between $1.75 and $2 to buy from a pop machine. But why pay if you don’t have to? It is obvious that the manufacturers of these machines have put thought into their security: most machines will hardly let you reach in for the drink you bought, let alone reach up into the machine. Despite this, it is still possible to manipulate the machines into giving away drinks. Is their security good enough for most situations? Is the security too good? Let’s find out…


Posted in Security Reviews | 5 Comments

MySpace Bug Leaks Private Teen Photos

Despite assurances from MySpace that photos in private profiles can only be seen by people on a user’s friends list, its web architecture has failed to enforce this. Information about the backdoor has been disclosed and publicly available on message boards for months.

Users under 16 have their profile set to private by default, and according to MySpace, “Only the people you select will be able to view your full profile and photos”. When an unauthorized user tries to click on a photo link of a private profile, the following error message is given: “This profile is set to private. This user must add you as a friend to see his/her profile.” But anyone with some basic skills can plug the target’s public account number, called a “Friend ID,” into a specially crafted GET request URL, bypassing this security measure and granting access to those photos… In other words, the link is not offered to the user, but it can be built from trivially available data: the access check lives in the link-hiding logic, not in the server that serves the photo.

Several forums online have started to post MySpace photo links for underage girls. None of the posts appears to have involved child pornography or other illegal conduct; however, this violates the privacy that such private profiles are supposed to provide.

More in CNET: http://blogs.cnet.com/8301-13507_1-9858905-18.html

Posted in Miscellaneous | Comments Off on MySpace Bug Leaks Private Teen Photos

Security Review: CAPTCHA Systems

Summary

A CAPTCHA System is a Completely Automatic Public Turing Test to Tell Computers and Humans Apart.

Initially developed by Carnegie Mellon researchers, this system was meant to differentiate between actual people and automated robots when it comes to opening new accounts (email accounts, eBay accounts, bank accounts…). A CAPTCHA is an image made of words and numbers that are shifted, rendered in different fonts and colors, shaded, and slightly blurred, but still readable to the human eye, in order to prevent spammers from opening accounts in an automated way.

Dan Hubbard, Vice-president of WebSense, reported recently that Microsoft’s CAPTCHA system, used by every Windows Live site, has been compromised. It has been reported that bots are obtaining a 35% rate of success, with the capability to register hundreds of new users per minute using automated HTTP queries via raw sockets. These ‘virgin’ accounts are used for a short period of time (before getting blacklisted) to send spam or viruses by email to ‘recruit’ more botnet zombies. Yahoo’s CAPTCHA system was reportedly broken a few weeks ago as well, by a Russian researcher.


Posted in Security Reviews | 4 Comments

Security Review: Quiet Care

Home monitoring systems like Quiet Care exist to allow independent living for elderly people. The system works by monitoring the person’s daily movements with wireless activity sensors in each room. The information collected from these sensors is gathered at a communicator and then is sent to the Quiet Care server and is analyzed for patterns. If the server detects unusual behavior, it contacts the caregivers of the individual.


Posted in Availability, Privacy, Security Reviews | 5 Comments

Security Review: Wireless Classroom Question / Answer Systems

Summary

In many of today’s college classrooms, especially introductory science classes, the large number of students often makes it difficult to gauge classroom participation. A solution used in many of the lab science introductory sequences at the University of Washington has been to require each student to purchase a ‘clicker’, a wireless transmitter using either RF or IR technology, and have them submit multiple-choice answers from the options shown on a large screen at the front of the class; the answers are then received and tabulated in real time by a receiver somewhere in the room.


Posted in Security Reviews | 2 Comments

Security Review: CyberLocks

At its essence, CyberLocks are like mechanical locks++, enabling you to bring intelligent electronic access control down to even the padlock level. CyberLock cylinders, which cannot be picked and maintain an audit trail of usage, can replace virtually any traditional lock (e.g. for doors, cabinets, padlocks, server racks, etc.) without any wiring. However, these additional features also bring increased potential for new vulnerabilities and attacks. The following is an overview of the typical CyberLocks usage scenario that I will review (see this video for a clear and concise overview of the system, after which you may be able to skip to the Assets section of this review).


Posted in Physical Security, Security Reviews | 2 Comments

OpenBSD Refuses to Fix Pseudo-Random Number Generator Weakness

According to an article from Slashdot, a serious weakness has been found in the random number generator provided by OpenBSD. It is apparently also used in several other BSD operating systems. Some of them have released a fix or are planning to release one. However, OpenBSD refuses to fix it, stating that the problem is irrelevant in the real world.

Posted in Current Events | Comments Off on OpenBSD Refuses to Fix Pseudo-Random Number Generator Weakness