Security Review: The Safeway Club Card

This security review is inspired by the story of a firefighter whose Safeway shopping history landed him an arrest for arson in August, 2004. More information on the story here: http://www.computerbytesman.com/privacy/safewaycard.htm

Most people are probably familiar with the concept of a grocery store shopping card. The Safeway Club Card is a membership card that can be used to save money on grocery shopping. Products throughout the grocery store are marked with special limited-time-only “member prices”, which are slightly reduced prices that can be used by anybody carrying a Safeway Club Card. People without the cards must pay full price, but are often asked at the cashier if they would like to apply for a Safeway Club Card. Safeway Club Cards are “free” to acquire: there is no fee involved, only disclosure of personal information. Continue reading

Posted in Security Reviews | 2 Comments

Security Review: Mac OS X Dashboard Widgets

The Mac OS X Dashboard is a platform for developing small applications, or Widgets, that can be accessed and hidden quickly at any time within the OS. Common widget tasks include simple calendars, calculators, games, weather tracking, and system monitoring. There are thousands of user-created widgets available for download through apple.com and other sites. Widgets are built using standard web technologies such as CSS, HTML and JavaScript. However, they also contain hooks into the local system, allowing them file system access, access to compiled C code, and shell command access. These hooks are facilitated by the operating system running the widget instances and create a plethora of security concerns. Continue reading

Posted in Integrity, Privacy, Security Reviews | 1 Comment

Security Review: Laptop Locks

Most modern laptops have a slot in them that allows the user to affix a lock to the chassis.  The locks usually come in the form of metal cables with a combination or keyed lock on one end which fits into the side of the laptop.  The mechanism locks around a metal bar inside the computer, which is attached securely to the frame.  While these locking mechanisms do succeed in deterring mild, spontaneous theft, they are definitely not safe to be used in many scenarios.  Continue reading

Posted in Security Reviews | Comments Off on Security Review: Laptop Locks

The online tax system is safe to use. Well, if the government thinks that you’re unimportant, that is.

Yesterday I was looking through Schneier’s blog and found a link to an interesting article about the UK and online taxes (Article). According to the article in the UK, “Thousands of ‘high profile’ people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk.” This revelation has upset many as reportedly more than three million people use the online computer system to file tax returns. Those barred from using the online system have to submit hard copy forms. The following question has been raised. If the system is not safe for “important” people, why does the government still use the system? Has the government created a class of people that gets preferential treatment?
Continue reading

Posted in Security Reviews | 1 Comment

Vista SP1 with altered WGA Strategy, Nag instead of Disable

Adrian Kingsley-Hughes has a new blog posting over at ZDNet reviewing the changes Microsoft made to its Vista WGA (Windows Genuine Advantage, its authenticity check for pirated software) with the SP1 update. In a nutshell, it appears Microsoft has decided to be less intrusive and allow a copy of Vista deemed to be pirated to operate more normally, and instead nag the user with minor annoyances. For example, before the update, a version thought to be pirated would only be allowed to access Internet Explorer for 60 minutes before being logged out, or be able to access documents on the disk only if booted up in Safe Mode. With the SP1 update, they have replaced these with things such as having the desktop background image change to black every hour, and a 15-second nag screen at login that you have to wait through. One of the only logical reasons that I can think of as to why Microsoft would do this is that the current WGA system wasn’t working and that perhaps they would flag too many legitimate users as having pirated software when they didn’t. For example, their software keys could have been stolen from the owner, whether unintentionally or not. Seeing how easily Pablos was able to steal the key with his USB jump drive in the class demo, it seems like these types of things could be occurring frequently.

Posted in Current Events | Comments Off on Vista SP1 with altered WGA Strategy, Nag instead of Disable

Local Root Exploit for Linux 2.6 Discovered

A new vulnerability has been discovered in the 2.6 Linux kernel that allows a local user to obtain a root shell. The bug description was posted within the last 24 hours, and includes exploit code that works on a large number of Linux installations running kernel versions 2.6.17 to 2.6.24.1.

Slashdot article here and bug reports here and here.

Posted in Current Events | 5 Comments

Toshiba’s New Random Number Generator

Toshiba has recently unveiled a new IC which is capable of generating 2 megabits/second of random bits. The IC utilizes analog noise generated by electrons trapped on a silicon nitride (SiN) layer of a transistor. The electrons are randomly bound to and released from this SiN layer at a very high rate, enabling the generation of 2 Mb/s of random bits. This analog value is then fed to an analog-to-digital converter, and the resulting output is the random number. Since this IC is so small, it can easily be incorporated into even portable devices, enhancing the strength of encryption available on them.

Original article here

Posted in Current Events | 2 Comments

Security Review: Smart pillboxes, maybe too smart?

Recently an MIT research team has developed a smart pillbox to help combat the problem of patients failing to take their medication at prescribed intervals. This problem of over/underdosing of the drug by the patient accounts for ~10% of hospital visits every year. To combat this problem, the MIT research team has developed a smart pillbox, the “uBox”, which stores and dispenses two weeks’ worth of medication and alerts the user to take the medication with an alarm. In addition, the box records the exact time that the pills are taken and prevents overdosing by only dispensing medication once per day. The smart pillbox also communicates with a second component, dubbed the “uPhone”, which can download the patient’s dosing information and configure the pillbox. The uPhone also records patient data collected by special software, including temperature, weight, symptoms and answers to diagnostic questions. This information is then forwarded to a centralized location over the air so doctors can analyze the dosage patterns and overall health of a patient to determine the effectiveness of a treatment.

Assets:

  • Health of the patient: the primary goal of this pillbox is to help increase the effectiveness of drug treatments.
  • Patient information: the uBox collects timing data while the uPhone collects other medical information that should be kept private.
  • Medication in the uBox: certain medications are quite expensive.
  • Patient’s privacy: a patient may not want to follow the treatment for some reason.

Potential Adversaries/Threats:

  • Drug companies might want to gain access to this information directly for purposes of increasing sales of a drug.
  • Insurance companies might want to gain access to the information to determine whether or not to insure a particular patient.
  • An enemy might want to harm the patient by over/under dosing the patient.
  • The patient might desire more or less drugs than prescribed.

Weaknesses:

  • The data collected by the uPhone is transmitted over the cell phone to some server. If this information isn’t encrypted before transmission, it could be easily accessed.
  • The uBox is programmed via cell phone. If the communication protocol were discovered, the uBox could be programmed to do whatever an attacker wanted.
  • Collecting data on a cell phone, a very small device, puts a large amount of information at risk. If the phone were lost or stolen, an attacker could fabricate false information or access the data stored on the phone.
  • While the uBox dispenses the drugs a day at a time, it doesn’t look like it provides much of a defense against a physical attack (e.g. screwdriver, hammer, etc.).

Potential Defenses:

  • All communications between the uBox, uPhone and server should be encrypted. Encrypting these communications protects the data transmitted as well as the configuration of the uBox, since only authorized users could program the uBox.
  • Have the uPhone only forward information to the server, and ensure that no data is actually stored on the phone.
  • Strengthen the physical structure of the uBox, although a balance must be achieved between size and strength.

Conclusion:

The uBox/uPhone together look like a promising tool for dealing with drug delivery and effectiveness monitoring for doctors. However, many measures must be taken to ensure the integrity and privacy of the data being transmitted between all the components of the system. As medical devices become increasingly connected with one another, the secure transmission of data becomes the largest security issue being faced today.

Original article here

Posted in Current Events, Security Reviews | 2 Comments

Firefox “View-Source” Vulnerability

I thought that since most of us use Firefox people might care – apparently the default installation/settings of Firefox’s latest release allow all scripts written on websites to be executed.  I don’t know with what privileges the code executes, but presumably whatever privileges Firefox has. Anyway, it can be disabled via the NoScript plugin (Or just don’t select “view-source”? The article’s not very clear on whether the exploited error was merely in the view-source mechanism, or whether the user must in fact click “view-source”).  Either way, it’s cool that someone discovered the error in a release only several hours old as of this posting.

The original, very brief blog post reporting this can be found here on Slashdot.

Posted in Current Events | Comments Off on Firefox “View-Source” Vulnerability

Hackers Declare War On Scientology

In the past couple of weeks, a loosely organized group of people has come together to attack the church of Scientology in a variety of technology-related ways. The core group that has headed up these attacks calls itself “Anonymous”, and has called for anyone who agrees with their cause to do everything they can to inhibit the smooth operation of the technological aspects of the church of Scientology. This is only the latest of many causes that have been taken up by Anonymous, and the group’s accusations against the church of Scientology mainly center around misinformation and suppression of dissent, with the group vowing not to stop until they have crippled the church. The attacks that have taken place so far include a wide array of tactics, such as taking down servers (some for days), bombarding main websites to overload them, creating searches in Google to link the church to negative keywords (cult, dangerous, etc.), stealing “secret” information from church databases and spreading such information through file-sharing services, and even bombarding the church with all-black faxes in order to waste ink. Anonymous has no leaders or headquarters, but is simply a very large group of amateur internet users, among which there are varied levels of hacking skills, who have united under a common mission.

The group claims to have been watching the activities of the church for some time now, and as the perceived injustices of the church have steadily grown, they finally decided that it was time to act. The story has received media attention due to the sheer magnitude of the various technological security issues that have recently taken place in such a short time as a result of it. It is difficult to say what the church, or anyone else, could have done in order to prevent such attacks, as they have come out of nowhere in such great magnitude from so many isolated sources. To some extent, it appears that their databases and web server systems could have been made more robust in their security, as it seems that those are the two areas where the attackers have had the best and most damaging success. Especially since it seems that most of these attackers (and their tactics) are quite amateur in nature, it seems that the church could have done a better job of securing their system and protecting themselves, given the success of the attacks thus far.

One of the interesting aspects of this story is that although many of the attacks being carried out are in fact illegal, many of them are not (or are at least more debatable in their legal standing), such as bombardment of their website, Google track-record, phones and fax machines. It is also an interesting societal situation where a group of people who share a similar cause has been able to use aspects of technology to attack an organization rather than the former means such as picketing or mass meetings. This is a group of people who have never seen or met each other before that have been able to use the internet to accomplish their goals. This introduces the reality of the public’s ability to affect the world around them in completely new ways as every aspect of our lives becomes more and more intertwined with technology.

For many of the more blatantly illegal issues (such as hacking the servers and database), there are most likely ways to trace this activity back to its proponents and take reactionary action in that way. However, for the other types of attacks being made, there is really little that can be done to regulate where people call, or fax, or browse to on the internet. So it seems that the only way to solve these problems is by somehow reaching and changing the minds of the people who are carrying out the attacks. Due to the fact that many of the attackers in this situation are normal people who happen to possess some technological know-how, responding to the issue becomes less an act of locating a particular small group of people and punishing them, and more an issue of reaching and changing the minds of a large group of activists.

Posted in Current Events | 2 Comments