Enabling Secure Business Operations

Networking when it’s not needed

Mark Kahn found out the hard way that even “small” sites will press charges when he hacked into Six Flags’ computer systems. He used a bad form on Six Flags’ job site to submit lots of bogus job applications containing threatening messages. While his stunt did not result in the loss of data, it did annoy some people enough to press charges. What I want to know now is how well amusement parks’ externally facing websites are separated from the really important computer systems – those that belong to the rides/roller coasters.


I’m speculating here, because I ride coasters a lot, and the newer systems are controlled by general purpose computer systems – I’ve seen the Millennium Force at Cedar Point blue screen, and it was built in 1999/2000. I don’t know if these systems are networked at all, but I could see a business use for it: letting people know what rides were having problems, or just generally monitoring the health of each ride. These computer systems (like many at hospitals) literally control life or death; they don’t just store someone’s personal data. It’s a lot like the pacemakers that are Bluetooth-controlled. Do we really want to network these devices?


There are arguments on both sides of the fence, and I can see both sides – it’s easier to monitor and make changes (without having to go through surgery again), as well as “but someone could get killed”. Both sides make great cases (someone could die during surgery too), but the networked (whether Bluetooth, Wi-Fi, RF, etc.) devices also present the accidental hazard. What if I want to just play around with the Bluetooth protocol and start sending garbage to a device I own (say my cell phone), and someone with a new pacemaker just happens to be sitting across the way at the coffee shop?


To network or not to network is probably going to be an eternal question, and the answers are going to be different each time we ask that question. It all depends on which risks we’re willing to accept, and which ones we’re not.

Counterfeit Cisco Routers

This is really bad and scary news. The F.B.I. Says the Military Had Bogus Computer Gear.

[T]he… sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the F.B.I. and the Pentagon.
The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components.

Cisco routers are everywhere. According to Cisco’s web site, “Cisco is the leading supplier of networking equipment and network management for the Internet.” The likelihood that you received this web page over one or more Cisco routers is extremely high.

Also, what if this wasn’t just counterfeiting?

The F.B.I. is still not certain whether the ring’s actions were for profit or part of a state-sponsored intelligence effort.

It’s one thing if widely used networking components get compromised through a flaw that allows “back door” access, privilege escalation, or other nefarious access to the data that flows across them. It’s an entirely different thing if these devices were (re-)engineered with villainous intentions. Such additions could be nearly impossible to detect. One more quote from the NY Times story:

The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor by altering the data file on a chip with nearly 1.8 million circuits used in automated manufacturing equipment…
“It’s very difficult to detect and discover these issues,” said Ted Vucurevich, the chief technology officer of Cadence Design Systems, a company that provides design tools for chip makers. Modern integrated circuits have billions of components, he said: “Adding a small number that do particular functions in particular cases is incredibly hard to detect.”

If this doesn’t give you nightmares, it should.

Public Key Cryptography could help stop chip piracy

A group of researchers from two universities has proposed a way to prevent chip piracy. The technique uses public key cryptography to lock down circuitry.

In a whitepaper published this month, Jarrod A. Roy and Igor L. Markov (of the University of Michigan) and Farinaz Koushanfar (of Rice University) outline the problem and details of how their proposed technology will help solve the increasing piracy of chip designs.

Markov will present the group’s proposal at the Design Automation and Test in Europe conference, to be held in Germany on March 13, 2008.

It’s a very technical read, but still interesting to see the diversity of uses that public key cryptography can be put to.

iPhone independence day

DVD Jon has been able to activate an iPhone without activating its phone features so that you can use the iPhone as a wifi-enabled PDA/iPod.

Combine that with the fact that users have already found the names and passwords for two accounts, including root, and you have to wonder how long until either:

  • A Skype or other VoIP program will be able to run on the iPhone using only its Wi-Fi capability
  • The iPhone can be truly unlocked and run on any GSM phone network (not just AT&T/Cingular)

Proof of Concept iPod Virus

Nifty, but the iPod needs to be running Linux to be infected by Linux.Noslo.


Kaspersky Lab has discovered the first virus designed to infect iPod portable media players. The virus, which has been named Podloso, is a proof of concept program which does not pose a real threat.

The virus is a file which can be launched and run on an iPod. It should be stressed that in order for the virus to function, Linux has to be installed on the iPod. If the virus is installed to the iPod by the user, the virus then installs itself to the folder which contains program demo versions. Podloso cannot be launched automatically without user involvement.


Also, the virus has to actually be installed by the user, but just think about all of those other portable devices, cell phones included, where that isn’t the case.

Tips on Physically Protecting Your Laptop

Here [via SANS].

For example:

Paradise Systems sells a product called Car-Safe, which is designed to protect your valuables while they are being stored/transported in the trunk of your vehicle.

Better yet, carry your laptop with you at all times possible.

Preventing the Hack Before the Technology

Now this is “thinking ahead” about security. Let’s see if the technology makes it though (personally I have high hopes).



Worrying about malicious software may be premature for a technology so young. The first digital electronic computer, ENIAC, went online in 1946 and the first known attacks against computer systems occurred about two decades later. Yet, in all likelihood, such attacks will become a reality, and that’s reason enough to worry now, said USC’s Lidar.

There is no telling what such an attack might look like. Destroying data or circumventing a calculation on a quantum computer is the easiest course. Attackers could operate a rogue computer on the quantum network or corrupt the communications line, he said.



Because some of the greatest advantages of quantum computing are in the area of security, I suspect that it will be at the forefront of quantum research.

How do you secure 100 Million Laptops?

From eWeek:



If the plan is perfectly executed, Nicholas Negroponte’s One Laptop Per Child project will deploy 100 million laptops in the first year. In one fell swoop, the nonprofit organization will create the largest computing monoculture in history.
Wary of the security risks associated with a computing monoculture—millions of machines with hardware and software of identical design—OLPC foundation officials are seeking help from the world’s best hackers to review the full specifications of the $100 laptop’s security model.



It’s a good question, and worth some thought. You probably can’t go down the typical anti-virus route depending on constantly updated signatures of common viruses. Yet, you need an updating scheme for when flaws are detected. You need strong controls everywhere from the BIOS to the disk, but you don’t want to hamstring users.


Perhaps a call to the Xbox 360 team at Microsoft would be in order. That’s been out for about a year, and despite the attempts of tons of hackers, people still can’t run unauthorized stuff on there—yet.

The Limits of TPM

Already over 20 million PCs worldwide are equipped with a tiny security chip called the Trusted Platform Module, although it is as yet rarely activated. But once merchants and other online services begin to use it, the TPM will do something never before seen on the Internet: provide virtually fool-proof verification that you are who you say you are.

Source: MSNBC



Wrong. It will prove that your machine is your machine.


Here’s a scenario:
Young person in a coffee shop with a laptop browsing the Web. They get up for a second – then (enter bad-guy), snatch and run. Now “bad-guy or gal” doesn’t need a password to log in to your bank account online. Or savings, or Amazon account, etc.


That could be the not-so-distant future for two basic reasons.


1. People don’t use security.
2. Snatch and run is effective in any century.


Not to mention the privacy concerns. I have opened up a can of worms, feel free to add and take.
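
The distinction drawn in this post, as an added example (not code from the original post or from any TPM vendor): a server that accepts proof of a device-held key alone, next to one that also requires something the user knows. The `Laptop` and `Server` classes are hypothetical, and an HMAC key stands in for the TPM's asymmetric key, which is a simplification.

```python
import hashlib
import hmac
import os

# Assumption: an HMAC key stands in for the TPM-resident device key. A real TPM
# signs with an asymmetric key that never leaves the chip.
class Laptop:
    def __init__(self):
        self._device_key = os.urandom(32)          # sealed inside the "chip"

    def enrolment_secret(self) -> bytes:
        return self._device_key                    # shared once, at enrolment

    def prove(self, challenge: bytes) -> bytes:
        # No user secret is involved: the proof only says "this machine".
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, device_key: bytes, password: str):
        self._device_key = device_key
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def device_ok(self, challenge: bytes, proof: bytes) -> bool:
        expected = hmac.new(self._device_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def login_device_only(self, challenge: bytes, proof: bytes) -> bool:
        # Policy the MSNBC quote implies: the machine's proof is the login.
        return self.device_ok(challenge, proof)

    def login_device_and_user(self, challenge: bytes, proof: bytes, password: str) -> bool:
        # Device proof plus a factor that does not travel with the hardware.
        user_ok = hmac.compare_digest(self._hash(password), self._pw_hash)
        return self.device_ok(challenge, proof) and user_ok


def coffee_shop_scenario() -> dict:
    laptop = Laptop()
    server = Server(laptop.enrolment_secret(), "owner-passphrase")  # constructed value
    challenge = os.urandom(16)
    proof = laptop.prove(challenge)   # identical no matter who is at the keyboard
    return {
        "device_only": server.login_device_only(challenge, proof),
        "holder_without_password": server.login_device_and_user(challenge, proof, "guess"),
        "owner": server.login_device_and_user(challenge, proof, "owner-passphrase"),
    }
```
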

Tape Drive with Built-in Encryption

IBM has announced a combination of encryption technology and services to improve security and privacy.



The centerpiece of the solution is the introduction of the industry’s first fully encrypting data drive… The open-standards-based drive is designed to protect the data in the event that it is lost or stolen, rendering it unreadable to anyone who finds it… It will also provide customers with the ability to share encrypted tapes with their business partners.



The TS1120 Tape Drive utilizes public key cryptography, although it is not clear if it would make use of existing enterprise PKI or not. It seems to use PKI built into the IBM z/OS operating system. Key management is handled by the IBM Encryption Key Manager for Java.


I’m not sure if I should get excited about this or not.


via Jon Erickson’s DDJ Security blog: IBM: First-of-its-kind encryption?