Microsoft announces Excel security flaw

Posted on January 17, 2008 by aodle56

According to vnunet.com, Microsoft recently announced they are actively investigating a potetially serious security flaw that targets Microsoft Excel 2003 users. Apparently, attackers can place malicious code in the Excel document header that executes upon opening the document. Upon excecution, the attacker gains access to the user’s machine under the permissions of the current user.

Continue reading

Posted in Current Events | Comments Off on Microsoft announces Excel security flaw

GOA says “The IRS security still sucks”

Posted on January 17, 2008 by jimg

According to a report Tuesday from the Government Accountability
Office, sensitive taxpayer data housed at the IRS is critically
vulnerable to security threats. The report is a follow up from March
2006 where the security problems were initially discovered. The new
report indicates that 70% of the issues discovered in March remain.

Continue reading

Posted in Current Events, Policy, Privacy | Comments Off on GOA says “The IRS security still sucks”

Mac ‘scareware’ in the wild

Posted on January 15, 2008 by chrislim

Security software vendor F-Secure has recently reported the first known “scareware” scam targeting Mac users. The software known as MacSweeper (www.macsweeper.com) poses as legitimate security software that “discovers” numerous fake problems and threats, which can only be solved by purchasing their $40 product. A senior security specialist at F-Secure shared two ways he determined the illegitimacy of MacSweeper: running their provided scan showed vulnerabilities in Mac-specific folders even when run on Windows machines and the company’s “About Us” section was taken directly from Symantec Corp.’s website. The website itself however is very professionally done and it is difficult for casual users to notice its phony nature.

Continue reading

Posted in Current Events, Ethics, Policy, Privacy | 3 Comments

Home Security Systems

Posted on January 14, 2008 by bsmith86

Summary:

The physical system I am reviewing is the prototypical home security system. These systems are used to provide an increased sense of security (compared to only door and window locks), and provide a guarantee against more professional break-in attempts. By professional, I am mean to define the skill with which an adversary would enter and exit without leaving evidence behind. A professional would be able to enter and exit undetected. Such a system would have window and door sensors, as well as disaster monitoring and reporting to a central office. Each sensor is attached to a door or window, and is able to detect if it has been opened. If the system is armed and the sensors or disaster systems are activated, a siren will sound and the central monitoring office would be notified.

Continue reading

Posted in Physical Security, Security Reviews | 3 Comments

Digital Photo Frames Infected With a Trojan Horse

Posted on January 14, 2008 by jessicaf

Reports of three photo frames that came infected with a Trojan Horse were received by the Internet Storm Center this Christmas.  The photo frames made by Advanced Design Systems were bought from different Sam’s Club stores.”It propagates to any connected device by copying a script, a com file and an autorun file,” one consumer reported to the ISC. “It hides all systems files and itself while completely eliminating the user admin ability to show hidden files. It creates processes that negate any attempt to go to anti virus and anti spam web sites.  It prevents the remote installation of any antivirus components” (Robert Lemos, Security Focus).

 Both Advanced Design Systems and Sam’s Club representatives could not be reached for comment by Security Focus, but it is suspected that the malware could have come in the manufacturing plant or from frames that were put back on shelves after being infected and returned to the stores.  Often stores do not have very stringent policies on returns and will not know that an electronic has been compromised.  Manufacturing plants can introduce a virus through an infected computer in the plant or perhaps an insider.  Some manufacturers have made efforts to stem this rising trend by making sure all equipment and computers are not attached to any outside network.

This is not the first time that consumer electronics have been infected with malware and viruses.  Anything with on-board memory has the potential to be infected including MP3 players, USB drives, hard drives, and even musical sunglasses.

Some examples of past incidents due to mistakes in manufacturing processes include a hard drive from Seagate in October 2007 and Apple’s iPods in 2006.  The Seagate hard drives had a Trojan horse program that stole account identification and passwords for a Chinese online game.   They had been infected at the manufacturing plant in China because of a computer at the plant that was infected.  The iPods had a Windows virus sneak on board the hard drive.

It is not known whether this most recent attack was a mishap or intentional, but certainly there is a possibility of intentional attacks on consumer electronics.  With the proliferation of personal electronics, this will be an increasing problem in the coming years.

 Lemos, Robert. “Malware Hitches a Ride on Digital Devices,” Security Focus, Jan. 9 2008. http://www.securityfocus.com/news/11499.

Posted in Current Events | Tagged , , , , | 4 Comments

TSA Website’s Security Failings

Posted on January 13, 2008 by Justin McOmie

A website created for the Transportation Security Administration for the purpose of allowing travelers to resolve watch-list or screening problems was found to be inadequately secured, causing travelers to inadvertently transmit sensitive personal information in the clear. Most of the website was entirely unencrypted, and the few parts that were secured used self-signed certificates, making it impossible for end users’ software to corroborate the validity of the encryption.

This lack of security resulted from a failure to take appropriate security precautions by the company contracted to create the site. What should have happened here, and what should happen for all websites that handle sensitive data, is oversight by people competent in the area of computer security. Some of the basic aspects of oversight could probably be automated by software crawling the internet.

The broader issue at hand is that most people are largely unaware of how insecure the vast majority of internet communication is. Because of this they are willing to transmit sensitive data like credit card and social security numbers via email, im, or other (typically) insecure methods, without regard to the security implications.

The TSA website that was created insecurely should be revamped with proper security mechanisms put in place. In the medium-term, audits should be mandated for governmental websites to make sure that there are no fundamental failings in the set ups. In the long-term future we should create policies and foster a culture of people that clearly recognize the importance of privacy and the risks of communicating private data insecurely. source: http://arstechnica.com/news.ars/post/20080113-tsa-security-flaws-exposed-users-to-risk-of-identity-theft.html

Posted in Current Events | Comments Off on TSA Website’s Security Failings

Retail Electronic Sensor Gates

Posted on January 13, 2008 by jerins

SECURITY REVIEW: Retail Entrance/Exit Alarm Gates

Most of us have been to a retail store of some kind and encountered someone setting off the obnoxious alarm of security gates that line the doors while exiting or entering the building. Such security systems have become increasingly common in businesses of all sorts as a way to protect their most valuable assets. While a somewhat useful feature as security, this system can also prove to be annoying to both customers and employees alike.

The basic idea of this system is that you have gates that will detect and react (usually with a loud beeping) if one of a set of smaller electronic devices that have not been deactivated passes through them. These smaller electronic devices are discretely packaged in to particularly valuable pieces of merchandise or assets, so that when these assets pass through the gates without being cleared by employees (and thus deactivated), the electronic device implanted on the asset will set off the alarm, alerting those around that an unauthorized asset has passed through the gates (assumedly leaving the building). There is of course also another aspect of the system that must be in place, and that is employees of the company (or some other person who can do something about a theft) must be within hearing/reacting distance from the gates/doors at the time that the alarms are set off. Otherwise the alarm going off would serve no purpose to protect the assets of the company.

There are many security goals to be considered here. The main and most obvious of these of course is that if a valuable asset if being carried out the door, the business would in some way be alerted of this event, and would be given the opportunity to react to the theft, and thus protect their assets. This security goal of course can only be realized if the asset in question indeed has an electronic security device on it, and that the staff indeed is alerted by the system (such as if an employee is close enough to the door to hear the alarm). Another very important, but less obvious security goal is to deter people from attempting to steal anything in the first place. Usually when these alarms go off, they are quite loud, and can be heard by the customers in the building. The customers can also observe that these security gates are in place easily when they first enter the building. It is also difficult to determine which pieces of merchandise are specifically protected by the system (have an electronic device on them). These three facts act as general deterrents for people to even try to steal in the first place, thereby creating some measure of security without even necessarily apprehending an attacker.

Of the many possible attackers, the most common and obvious are probably the customers that frequent these stores, and the employees that work there. Customers that are in the store obviously must be interested in the assets contained in the store, otherwise they wouldn’t be there, and thus must have a motivation to obtain the assets. If the customer could obtain these assets without paying, this would be all the more beneficial for them. There are also the employees of the company, who usually have some interest in the product or assets of the company that they work for. The employees are also in the store with the assets, as well as coming and going quite often. Not to mention the fact that the employees are usually a vital component of this system (they are usually the ones actually being alerted by and reacting to the alarm). Thus they are also in a good position to be an effective attacker of this system.

One main weakness of the system is that the gates to some extent can only detect the electronic device if it takes certain paths on it’s way out the door, mainly in between the two gates. Although it would perhaps be less subtle and more noticeable if someone were to leave the store while lifting what they were carrying above or around the gates in some way, it is still feasible that there could be some path by which the asset could be carried past the gates such that the gates would not actually detect the electronic security device located on the asset. Another weakness is the dependence on people or employees around the store for the system to work. In order for the system to be worth anything, employees must be not only reachable by the alarm, but also in a position to react in such a way as to prevent the theft. Thus it could be the case that the alarm isn’t heard, and thus does nothing to protect the assets, or even if heard, employees might be too far away from the doors to be able to react to the alarm in a helpful way.

A way to strengthen the defense against the first of the weaknesses would be to make the gates detect an electronic device that passes even near it within as much distance as it would take to span the entire doorway. This way the electronic device on the asset wouldn’t need to actually pass through the gates themselves, but would set the alarm off if it even gets close enough to the gates to get through the doors at all. And a defense against the second issue would simply be to have an employee whose job is to sit by the door, within hearing distance of the gates, and with a course of action by which they are able to react to any and all alarms set off.

While this system is great as a general model of security that can be both well known and somewhat affective as a security precaution, as well as a deterrent against even attempts at theft. As with all security systems, the actual effectiveness of this system depends largely on it’s specific implementation, and can never be made to be completely invulnerable. Also, this system is only applicable to businesses that need to protect material goods that usually are smaller in size. So this system is only useful to a very specific subset of business types. If set up with diligence and properly maintained however, this system can provide valuable protection of the assets of many companies.

Posted in Security Reviews | 3 Comments

Obtaining HFS Master Keys

Posted on January 13, 2008 by nekret

Housing and Food Services (HFS) houses approximately 5100 students in its numerous residence halls and apartment buildings. To accommodate for easy maintenance and locksmith-free lockout calls while the desk is closed all the halls are master keyed and reside on a giant hoop of metal known as the duty ring. Normally to obtain the duty ring a Resident Adviser/Community Advisor (RA/CA) will check out and sign for the keys at the front desk of the residence hall. The clerk at the front desk requests the RA/CAs staff ID, if the picture on the ID matches the person in front of them, they will file the checkout card away and check the RA/CA in for duty in the Odyssey HMS housing system.

By putting this system in place, HFS attempts to protect the following assets.

  1. Access to infrastructure. The duty ring not only contains keys to resident’s rooms but also to bathrooms, breaker rooms, network rooms, etc.
  2. Access to resident’s rooms. HFS trusts RA/CAs to only unlock doors with the resident present and consenting.
  3. HFS needs to have some record of who has the keys at all times to maintain their image as a professional housing organization. I certainly would not feel safe with the knowledge of a loose master key.

Possible attackers of this system could be anyone with the above knowledge of the duty ring checkout system.

  1. Thieves: Residents often have laptops that haven’t been physically secured or registered with UWPD. These high ticket items are easy to carry off and very few if any people would find someone carrying a duffel bag full of laptops suspicious.
  2. Feuding RA/CAs: Checking out the duty ring under the identity of another RA/CA and disposing of the ring would likely get the victim fired due to the high cost of re-keying everything.
  3. Disgruntled RA: Upon leaving HFS a disgruntled RA could checkout all of the duty rings. The cost of re-keying thousands of locks at $70-$80 each would be a major expense for HFS.

The system however is far from perfect and could likely be attacked in the following ways.

  1. The staff ID cards consist of a single picture and black text on a red background. Duplicate, altered or fabricated staff ID cards would be difficult/impossible for the desk clerk to discern from real ones. With a little research on a given residence hall, one can determine the names of all the RA/CAs on staff (often on a poster in the lobby), as well as who is scheduled to be on duty for the night. With these fraudulent cards an attacker could check out the duty ring in the names of other staff members to discredit them or obtain all the duty rings in order to force HFS to re-key every door lock.
  2. Since the front desk clerk has no need for the physical ID card, new desk clerks often forget to ask for ID verification.
  3. Distraction of the front clerk would also allow an attacker with a hook on the end of a 6 foot or longer pole to retrieve the duty ring from they key rack which is left open and unlocked during desk hours. This could include false fire alarms in which case the key cabinet is left unlocked. The gate that is deployed in front of the office is only meant to keep people from going through however the duty ring can still slip through it.
Posted in Physical Security, Security Reviews | 1 Comment

Malware piggybacking on digital devices

Posted on January 13, 2008 by kdp2

I would like to talk about an article I read in Slashdot today ( http://it.slashdot.org/article.pl?sid=08/01/13/1533243 )on Malware (Trojan horse programs and computer viruses) finding their way onto digital devices like iPods and, more interestingly, digital picture frames. The Slashdot article points to an article from The Register ( http://www.theregister.co.uk/2008/01/11/malware_digital_devices/ ). The article from The Register talks briefly about consumers during the Christmas season who have received digital picture frames have had the problem of malware, which was traced to an infected computer at the factory, attempting to infect computers once the device is connected to the home computer. The malware, which have hidden itself by disallowing the user from showing hidden files and from contacting antispam and antivirus websites, has been reported to the Internet Storm Center, a group that monitors network threats. This problem is not new, as iPods and hardwares have had a small history of manufactures with infected computers infecting shipped devices, and are typically due to small lapses in maintaining secure systems at the factories and are accidental in general.
Continue reading

Posted in Current Events | 1 Comment

Social Engineering Your Way Into a Dorm Room

Posted on January 13, 2008 by Chad

It is shocking to learn that while the University of Washington Housing and Food Services own nine residence halls with a total capacity of nearly 5000 students, the security barring access to individual students’ rooms can be compromised with little more than a little research and a good story. For the first homework assignment, I reviewed the security of the dorms. I thought of ways to get into other residents’ rooms and found that it wouldn’t be as difficult as one might hope. I tried the “attack” on myself, trying to gain access to my own room. It’s not surprising that I got into my room (in fact it’d be more surprising if I couldn’t), yet the attack could be used against others, especially those the adversary knows well.
Continue reading

Posted in Ethics, Miscellaneous, Privacy | Tagged , , | 8 Comments