Facebook Opens Status API

Posted on February 10, 2009 by lisa89

“Facebook is slowly tearing down the wall around its silo and is starting to expose more of its data to the outside” (From Facebook Opens Up: Lets Developers Access Status Updates, Notes, Links, and Videos). Now Facebook allows the third-party developers to have access to users’ private data, such as status updates and notes. This is intended to make both developers more flexible in making and using applications. Moreover, Facebook wants to make more and more people use Facebook by join the OpenID foundation. However, weaknesses and potential security problems are found by doing this update for Facebook’s API.

Assets and security goals

  • Since the Facebook joined the OpenID foundation, people who posses OpenID (one account, one password, multiple sites login) account will also have Facebook account. Thus, more and more people will join Facebook and use Facebook for networking.
  • The developers’ application should be verified before release it to public and allow people to use it. Moreover, there should be stricter terms and conditions on registration for developer, such as phone number validation or email validation, so that they will not misuse users’ private information (pictures, videos…etc)

Continue reading

Posted in Security Reviews | Comments Off on Facebook Opens Status API

USB power in airports

Posted on February 9, 2009 by dhalperi

I noticed that the Denver airport has upgraded its power stands to include USB ports that presumably give power to recharge devices like cell phones, iPhones, and iPods. What I wonder is how I know that’s all that’s going on. I know that, at least for my old iPod shuffle and one of my cell phones, some of these devices don’t authenticate the computers they plug into, but simply appear as R/W flash drives. What’s to stop a malicious version of this kiosk from

  • taking inventory of my files?
  • figuring out who I am and tracking me?
  • installing autorun software (like a virus) onto my device?
  • copying my contacts, my email, my cell phone pictures, my mp3s, etc?
  • <your idea here>?

I don’t know whether this particular power stand does anything more complicated than supplying power and ground to the right two pins, and I suppose that by paying attention (to the screen on a cell phone or the lights on an iPod shuffle) you might be able to tell if serial communication were initiated and something fishy was going on. But that doesn’t provide much comfort; in the end what we need is a good way for portable devices to verify the authenticity of the device to which they connect.

Posted in Physical Security | 4 Comments

Current Event: Kaspersky Hacked

Posted on February 8, 2009 by Ryan McElroy

Kaspersky, an Antivirus vendor and Internet Security Lab, recently fell victim to an internet hacker using an SQL-injection attack. The attack compromised data in all databases accessible to the web server. According to the hacker, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”

Discussion on the board where the hacker originally announced the successful attack has mostly been congratulatory, especially after the hacker announced that he would not expose any confidential information he had found (although he may have already done so with the password hashes).

On Slashdot, discussion includes the insightful comment, echoing the advice in the textbook, that blacklisting and escaping isn’t sufficient: “No. Escaping is error-prone as you will invariably fail to escape some special character you don’t know about. The right way to fix SQL injection is to use parametrized queries.”

Timely advice!

Posted in Current Events, Ethics | Comments Off on Current Event: Kaspersky Hacked

Security Review: MMO Gaming

Posted on February 7, 2009 by dravir

 

Most people in our society today are familiar with the concept of MMO gaming.  World of Warcraft, for example, is something most everyone has heard of.  Most MMO games operate under a fairly strict client/server paradigm.  A company that desires to produce an MMO will create a client that handles the graphics processing, user input and output, and perhaps may store some basic per user settings, usually again related to display settings and interface options.  The remainder of the game, including all user character data and user interaction with the online world, is stored and run on company controlled servers.  This assists the company in its endeavor to give the users the experience they intended as well as control various types of cheating.  In addition, users generally cannot play offline – this means that a given user must authenticate with the server in order to access a given character or play with others in the virtual world.

Continue reading

Posted in Security Reviews | 3 Comments

Security Review: The Bike and its Lock

Posted on February 6, 2009 by oterod

EDIT: It appears that I goofed with the “more” tag when I first posted this, so I’ve included the rest of the article below.

Since the days of waking up at 5am to watch the Tour de France live with my dad at eight years old, I’ve been a big fan of bikes. I’ve since grown to love riding them, and spent several years as an avid road racer. While I’m somewhat of an anomaly, many of you also rely on cycling for transportation to class, to work, and elsewhere. Unlike cars, which are just slightly harder to steal, bikes are the candy-from-a-baby in the world of theft. One magazine article I read several years ago had a “professional bike thief” (probably a security professional who learned methods of theft in his research) attempt to steal a bike secured by one each of every available bike lock on the market at the time. In public. The result? All but a single lock could be circumvented so quickly that nobody in the area even noticed that it was not unlocked by normal means.

I have to say, I am particularly bitter about bike security. A few years ago I was living in Stevens Court with a few friends. A past summer job at Gregg’s Greenlake Cycles had yielded an absurdly cheap employee purchase of a Lemond Tourmalet, a very nice road bike. I wasn’t using it to commute to school (who locks up a bike like that around the Ave?), but I did have it in our apartment so I could go riding. One day I came home and it had been stolen from my living room. My roommates had left the front windows wide open and the door unlocked. Go go speed racer, go.

Continue reading

Posted in Announcements, Ethics, Physical Security, Security Reviews | Tagged , , | 2 Comments

Security Review: Smashing abstract—more on Lab 2

Posted on February 6, 2009 by stemcel

I was lost at first when starting Lab 2, as I had little to no eperience with web programming. After floundering around for a few hours I got a better idea of what we were supposed to be doing and with the  XSS cheat sheet was able to rapidly discover appropriate exploits for each of the filter versions on the mock search engine (except #5, of course).

Once I’d satisfied myself that I could get all the cookies I wanted I immediately launched into a more thorough investigation of the environment I had been working with, and began discovering real vulnerabilities. I was excited by the prospects available and decided to make a security review out of it. I spent the next couple days experimenting, then jumped onto the blog to write my security review only to find that two of my classmates had addressed the same topic the day before. Eriel Thomas addressed the security of the server at yoshoo.cs.washington.edu in his post “Smashing the Lab for Fun and Profit”, whereas David Balatero discussed his success in phishing about a third of the security class (including me… ouch) in “UW CSE Resources”. Just goes to show you that you should always examine links, even from trustworthy and computer savy friends :P.

I nearly despaired at several days’ work gone for naught, but after carefully reading both of the posts I believe that I still have something to contribute. My discussion will focus a bit more on the security of abstract and provide other additional details.

Continue reading

Posted in Security Reviews | Tagged | 1 Comment

Security review: Powered Exoskeletons

Posted on February 6, 2009 by sal

Exoskeletons look impressive in movies. They look impressive in real life also. Electronics reads brain signals sent to muscles and cause actuators to move, thus ‘amplifying’ human strength. Exoskeletons are close to get mass-produced and available to people around the world. Since there are no datasheets or use instructions publcly available yet, I will briefly mention potential general security implicatons associated these devices, as we will inevitably see them in the market very soon.

It is crucial for manufacturers to ensure safety of the wearer. In addition, it is important to address safety of people other than the wearer who can come into contact with this machinery.
Potential adversaries can be those who wants to harm the person wearing it. Besides that, goal of an adversary can be to cause harm to people other than the wearer, or, in general, cause harm to property.

The following are just a few of potential weaknesses that need to be addressed.
Self-supporting mechanism: since most exoskeletons will support its own weight and are quite powerful, it is potentially possible to control it and cause it walk on its own, possibly with human inside.
Physical access to programmable controllers and circuitry can allow adversary to reprogram or embed own controllers.
Actuators in particular: different people can have different ranges of joint movement. Incorrect range can break wearer’s bones or strain muscles, unless there are secure adjustable physical restrictions. If there are such adjustable physical restrictions they can be changed by adversary.
If attachable to computer or network for service, or reprogramming, most problems associated with securing personal computers and communications apply.

Besides regular ensuring integrity of the system, and bug-free software, here are some key measures that any exoskeleton should have implemented to address security threats. Obviously, any adjustments, including physical should be done with secure authentication of a user. Good shielding can be used to protect from outside electromagnetic fields that might cause system to digress from normal operation.
It is important to detect big jumps of voltage/current in the system and disable the system, as it is done in power wheelchair controls, but as opposed to wheelchair, more attention should be paid to gracefully shutting down, as incorrect disabling can cause person to fall down causing injuries to himself or people around.
It should be easy to escape the suit in case of a danger and there should be multiple disabling mechanisms available to the user.

These devices will have a big impact on society. Should police start carrying EMP guns? Exoskeletons can be of tremendous use  to address people’s health problems, for example, or can become quite threatening in malicious person’s hands. There are obvious differences from existing personal machinery. Extreme flexibility pose big dangers if not addressed properly. Whereas car or wheelchair can be stopped by railing, exoskeleton could climb over it.

Posted in Miscellaneous, Security Reviews | Comments Off on Security review: Powered Exoskeletons

Security Review: New Technology Could Display Dreams on Screen

Posted on February 6, 2009 by elenau

For years there have been research going on in neurobiological field with attempts to decode images from the brain activity. In 1999, University of California, Berkley, has been able to reconstruct the video images from cat’s observed brain activity.

However, recently scientists in Japan decided to take the idea to even more advanced level (article). Researchers at the ATR Computational Neuroscience Laboratories succeeded in processing and displaying images directly from the human brain. This sort of visualization has not been achieved before. Researchers’ goal is to apply this technology, and eventually be able to record and replay subjective images that people perceive, such as dreams or memories associated with objects and places.

This sort of decoding is described to be subjective. When people perceive an object, the image is converted into electrical signal that goes to the brain’s visual cortex. To decode such messages, first the subject has to train the device that is used for experiment, and associate object representations with the location and type of brain signal. Later, when such signals are observed, it might be possible to decode them, and this way to visualize the thought of a human.

So far subjects have demonstrated walking in a virtual world with the character controlled by brain waves. Similar gaming head sets are expected to appear on the market soon.

Also, researchers were able to reconstruct the image representation of the letters from the word “neuron” by decoding the brain activity of the subjects (article). To figure out people’s individual brain patterns and to train interpreting devices about 400 different still images were previously shown to the subject.  

Although some people believe that research is still too far from creating a colored quality video from brain signals, researchers continue advancing in the area, and think that technology “could eventually display on a computer screen what people have on their minds”. Continue reading

Posted in Security Reviews | 1 Comment

Current Event: California IDs to have biometrics? The DMV hopes so!

Posted on February 6, 2009 by Orion

It seems that in addition to the recently released biometric IDs in the UK, the California Department of Motor Vehicles seems to have recently tried to set up biometric IDs as well. In an otherwise innocuous vendor contract, the DMV included a proposal to create a new governmental database containing facial and fingerprint data. This situation is apparently worsened in light of the fact that the California legislature has not looked highly upon biometrics in the past, so it seems the DMV may have been trying to bypass the legislature entirely.
Continue reading

Posted in Current Events, Privacy | Comments Off on Current Event: California IDs to have biometrics? The DMV hopes so!

Security Review: My Linksys Router

Posted on February 6, 2009 by justine

This morning, my power for some reason switched off, crashing something in my router and killing my laptop battery. For the rest of the day, wireless was down at my house and my roommate and I were physically plugging in (I know! Cables!). However, we (illegally?) share our wireless with our neighbors downstairs, and they came up to ask where the webbernets had gone to. Frustrated, I simply hit the reset button on my router and decided to just set it up again. Working through it, I realized that the user interface is a huge hindrance to the average user setting up a secure home network – a situation which I already know leads zillions of people to insecurely transmit sensitive info over the web.

Assets and Security Goals

  • The assets at stake here include anything people do over the internet – which today seems to include everything. For me, the most sensitive information I transmit is my online banking, followed up by my student information on MyUW as well as online sales. Also included is a lot of stuff I don’t usually think about needing to secure – but that could be exploited by an attacker – like my email and my Facebook account.
  • The goals then are to protect my transmissions from being read, tampered with, or spoofed. I don’t want anyone to know what I am doing on the internet, to change anything I am doing on the internet, or to be able to pretend to be me on the internet. Also, I don’t want anyone to be able to use my internet to do illegal things (except for me)!

Adversaries and Threats

  • Identity theft has become a huge issue in recent years, and so the adversary I am most fearful of is someone who would want to steal my identity, money, credit history, etc.
  • My roommate works for Amazon.com, and often has to use her work laptop on our wireless connection. Although she uses a VPN with a one-time use RSA token, we’d really like to keep a potential corporate spy as far away from her machine as possible.
  • What about my roommate herself? Or those innocent looking neighbors downstairs? Well, I hope I can trust all of these ladies…

Potential Weaknesses

  • Without any defense at all, our wireless is wide open. I’ve already seen what can be done with easily downloadable tools online – they even come with GUIs. In fact, in my opinion, these tools  are easier to use than the security setup for my router.
  • Even with security, an attacker could discover our passwords either by reading them off the whiteboard in my kitchen, or by sniffing our encrypted packets and trying to guess it.
  • If someone could connect to my network and also guess my high-security administrator password, they could also mess with my router to redirect me places I don’t want to go to, or otherwise manipulate my web access.

Defenses

  • The most important thing here is having your router set up properly – encrypted with good passwords (and NOT WEP), don’t leave the administrator password to default. However, this is not that easy – I am pretty sure my mom could not figure out to do it, nor my web-savvy teenage sisters. Linksys should have all the most important settings on one primary page – and it should lock people out of the web until they have changed the administration password (or, even better, have a different password for each box and include the pwd in the packaging).
  • Having a good password is important. People don’t have enough training in this!
  • I often will check my router to see what machines are connected to my wireless – if there is one I don’t recognize I will freak out. But I’ve never seen one 🙂
  • It is also important to practice safe web browsing regardless of the wireless setup. Assuming that you are on an unsecure conncection provides one extra layer of security. Https, encryption, all of these things are still necessary.

In sum, I am worried about the world. I had to dig through a long series of menus to find what I needed – and I already knew what I needed. For those who don’t, I’m afraid their information is at risk!

Posted in Miscellaneous | Comments Off on Security Review: My Linksys Router