<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>UW Computer Security Research and Course Blog &#187; Ethics</title>
	<atom:link href="http://cubist.cs.washington.edu/Security/category/ethics/feed/" rel="self" type="application/rss+xml" />
	<link>http://cubist.cs.washington.edu/Security</link>
	<description></description>
	<lastBuildDate>Tue, 17 Mar 2009 01:02:40 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security Review: New Weapons in the Fight Against Doping</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-new-weapons-in-the-fight-against-doping/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-new-weapons-in-the-fight-against-doping/#comments</comments>
		<pubDate>Sat, 14 Mar 2009 05:57:15 +0000</pubDate>
		<dc:creator>oterod</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security Reviews]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1293</guid>
		<description><![CDATA[ The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. [...]]]></description>
			<content:encoded><![CDATA[<p>The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. Marion Jones, for instance, a five-medal winner in Sydney’s 2000 summer Olympics, was retroactively indicted on drug charges and agreed to forfeit her awards. While the revelation shocked many, Jones relinquished her medals and life went on.</p>
<p class="MsoNormal" style="text-align: justify;">Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.</p>
<p class="MsoNormal" style="text-align: justify;"><span id="more-1293"></span>For years, dopers and anti-doping agencies have played much the same cat-and-mouse game that security researchers play with crackers. Riders use performance enhancers; researchers create tests to detect them; riders find new drugs to use, and so on and so forth. Doping has long been present in cycling, but it was the 1998 expulsion of the entire Festina team from that year’s Tour de France that signaled the beginning of the “doping era.” Since that year, every “grand tour” (the class defined by the Tour de France, the Giro d’Italia, and the Vuelta a España) has been plagued by expulsions, positive tests, litigations and scandals. In order to restore honor and fairness to the sport, many are crusading against the use of performance enhancing drugs. Until recently, the fervor of athlete and corporate lust for success seemed unbeatable.</p>
<p class="MsoNormal" style="text-align: justify;">According to an article by Juliet Macur in the February 28<sup>th</sup>, 2009 edition of the New York Times, the anti-doping community has developed a new methodology for detecting cheating. Rather than attempting to detect traces of illicit chemicals in riders’ bloodstreams, drug testers are attempting to develop a “biological passport” for each rider. By comparing a rider’s current blood work against earlier tests, it is now possible to detect telltale signs of substance abuse via the changes observed in that rider’s blood. Legal action has already been brought against several riders with this biological passport as evidence.</p>
<p class="MsoNormal" style="text-align: justify;"><strong>Assets</strong></p>
<ul>
<li>Riders don’t want to suffer in the ranks as a result of their competition using performance enhancing drugs</li>
<li>Sponsors and team owners don’t want the cheating of other riders to reduce the acclaim, visibility, or overall performance of their respective teams.</li>
<li>Race officials and fans want to see respectable racing, not battle-of-the-druggies. Cycling has been tainted in recent years by the proliferation of doping scandals.</li>
<li>Every non-adversary wants final rankings to be representative of rider athleticism and effort.</li>
</ul>
<p class="MsoNormal" style="text-align: justify;"><strong>Potential Adversaries</strong></p>
<ul>
<li>Riders whose competitive spirit may drive them to seek “help” in order to win.</li>
<li>Riders who suffer from excessive pressure from sponsors to perform.</li>
<li>Sponsors, team owners, or team managers wishing for more team/product/brand visibility thanks to front-running riders.</li>
<li>Doctors and researchers developing new doping methods.</li>
</ul>
<p class="MsoNormal" style="text-align: justify;"><strong>Potential Weaknesses:</strong></p>
<ul>
<li>Though I don’t claim to understand the biology, and while I can’t imagine that an attack this simple would be possible against the “latest and greatest” in anti-doping technology, I see one fundamental flaw in this approach. If detection of substance abuse relies on change between two test dates, the test is vulnerable to a rider who is never tested prior to adopting a doping habit. Because blood may not change once routine doping is adopted, there might not be a difference between old tests and current tests either.</li>
</ul>
<p class="MsoNormal" style="text-align: justify;"><strong>Potential Defenses:</strong></p>
<ul>
<li>In addition to using these “biological passports,” parallel research should continue into discovery and detection of new doping techniques. These detection methods should be applied in addition to any delta-comparison between blood tests.</li>
<li>If it is possible, attempt to correlate blood of dopers, as well as the blood of likely non-dopers (very poor performers, amateurs, etc.). It may be feasible to derive a model that can detect riders for whom an accurate “clean” sample is unavailable.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-new-weapons-in-the-fight-against-doping/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Events: One more botnet-related legal fray</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/current-events-one-more-botnet-related-legal-fray/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/current-events-one-more-botnet-related-legal-fray/#comments</comments>
		<pubDate>Sat, 14 Mar 2009 04:52:13 +0000</pubDate>
		<dc:creator>oterod</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1265</guid>
		<description><![CDATA[ As part of an “exposé” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal">As part of an “exposé” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to two specific test addresses, and finally, used their botnet to bring down a security firm’s backup website via DDoS. The DDoS attack was done with permission from the “victim” company (Prevx).</p>
<p class="MsoNormal">Now the BBC group is in a spot of legal trouble as their use of a botnet could potentially implicate them in the violation of the UK’s Computer Misuse Act. While BBC claimed that their use of the botnet was purely academic, and therefore not criminal, they did take control of non-consenting citizens’ home PCs. More importantly, in purchasing the use of a botnet, reportedly at somewhere between $300-$400 per machine, the news network essentially funneled a few million dollars into the hands of cybercriminals. And all so that they could demonstrate what many papers and news articles before them already had.</p>
<p class="MsoNormal">The journalists, at surface level, did a good job of keeping things academic and avoiding any sort of cybercrime. They spammed their own test e-mail accounts. They DDoS’d a prepared and willing target. They also put warning documentation on the infected machines, at experiment’s conclusion, explaining to their users that they had been infected, and how to best avoid future infections. Ultimately, however, by mere involvement with and commandeering of hijacked personal machines – and especially thanks to funding the true criminal party – they did indeed commit some level of criminal act. To what degree they are held responsible is now a matter for the British courts to decide.</p>
<p class="MsoNormal">This is just one more occurrence in a string of botnet-related legal issues. A similar issue plagued German malware researchers with the means to potentially dissolve the Storm worm’s botnet(s) (see http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/). It seems that academicians of all types are running into a fundamental problem with this particular security threat: there is no way to legally study it “in the wild.” The moment a researcher connects to a botnet, takes control of it, or otherwise interacts with it, he or she risks legal consequences. Whether or not any charges stick is a different matter, and quite frankly, it will take some time before reasonable precedents clarify the legal “consensus,” but regardless these issues represent a significant impediment to progress in anti-botnet research.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/current-events-one-more-botnet-related-legal-fray/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Review: UW Parking Enforcement</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-uw-parking-enforcement/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-uw-parking-enforcement/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 23:32:00 +0000</pubDate>
		<dc:creator>ezwelty</dc:creator>
				<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Security Reviews]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1172</guid>
		<description><![CDATA[The parking at the University of Washington has always been a deadly game of cat and mouse between driver and parking enforcement. There are limited parking resources on campus, and parking enforcement wants to make sure that they are maximizing their revenue for the spaces they have available. On the flip side, poor students/faculty are [...]]]></description>
			<content:encoded><![CDATA[<p>The parking at the University of Washington has always been a deadly game of cat and mouse between driver and parking enforcement. There are limited parking resources on campus, and parking enforcement wants to make sure that they are maximizing their revenue for the spaces they have available. On the flip side, poor students/faculty are trying to get away with parking their cars/motorcycles free of charge.</p>
<p>There are a few assets that parking enforcement wants to protect. One is their revenue stream &#8212; making sure that they are receiving money for the parking that is available. Another is the availability of spaces, so that legitimate paying customers won&#8217;t be turned away at the door if the lots are oversold. In both cases, the adversary is the driver trying to cheat the system (aka, me).</p>
<p>One weakness of the system stems from having way more parking spots than there are parking enforcement officials. While this can work in a cheater&#8217;s favor in general, the longer one spends in the same spot, the more likely they are to be eventually ticketed. This might lead someone illegally parked to stay for a shorter time &#8212; but then they have the added overhead of having to move their car frequently. One way that parking enforcement can combat this is to deploy resources first towards the most high-traffic lots, and then check less frequently at satellite lots.</p>
<p>Another weakness of the system involves procedures for contesting tickets through the parking department. Any ticket can be contested through the office, and last checked, they had an average turnaround of 3-6 months, no doubt due to bureaucratic inefficiencies. If an adversary were to contest a ticket, they wouldn&#8217;t have to pay it for months, and would be likely to get it fined. One could also try sending in a longer letter to the department as to why they deserve to not get the ticket, in order to push it to the back of the queue for processing.</p>
<p>In the future, there might be an emphasis on more high-tech solutions (such as cameras) to quickly monitor parking lots and possibly detect cheaters. For the time being, however, there are some vulnerabilities in the parking system that allow attackers to get away with free campus parking undetected.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-uw-parking-enforcement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Event: Telegraph website hacked</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/1162/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/1162/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 22:20:43 +0000</pubDate>
		<dc:creator>vkirst</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1162</guid>
		<description><![CDATA[The Telegraph, a famous daily newspaper in the UK, was hacked into by a Romanian hacking group last week. The group exposed a weakness in the way the website queried its database for property searches and was able to obtain around 700,000 subscriber email addresses and passwords in plaintext via a SQL injection attack. The [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.telegraph.co.uk/">The Telegraph</a>, a famous daily newspaper in the UK, was <a href="http://www.goodgearguide.com.au/article/279752/telegraph_website_hack_exposes_700_000_subscriber_details?fp=4&amp;fpid=21343357">hacked into</a> by a Romanian hacking group last week. The group exposed a weakness in the way the website queried its database for property searches and was able to obtain around 700,000 subscriber email addresses and passwords in plaintext via a SQL injection attack. The Telegraph took down the site and is in the process of rewriting the code to fix the problem, and is telling subscribers to change their passwords for that site and other sites.</p>
<p>It is unknown exactly what SQL injection string was used to gain access to the database of user emails and passwords, but SQL injection attacks are not terribly difficult attacks to defend against. Considering the email addresses and passwords were stored in plaintext, and considering the wide range of methods to protect code from SQL injection, it is likely this attack was only possible because the coders of the website were careless and did not think much about security risks when designing the website.<br />
<span id="more-1162"></span><br />
There are several obvious things the programmers could have done to protect themselves from this attack. For one, it is clear that they did not properly validate user input. It’s not clear exactly how vulnerable the search was – whether the input was completely raw or if it just didn’t catch all possible illegal characters – but certainly they should have had extra precautions to sanitize the input strings. They could have also changed the permissions of the database such that users have the least privileges possible. It is unlikely that a user searching a database of properties needs access to the table with passwords and email addresses. Finally, they could have stored encrypted passwords and email addresses. Encryption doesn’t solve all problems, but it is good practice anyway and is part of the system’s defense-in-depth.</p>
<p>This event brings to light several interesting issues. For one, the group who found the bug is a “self-confessed ethical hacker group” called <a href="http://www.hackersblog.org/">Hackersblog</a>. When they found the bug, they reported it on their blog instead of privately disclosing it to The Telegraph. This is because they feel that everyone (clients included) has the right to know about security vulnerabilities. It does bring up ethical issues, however – no work of code is perfect, so it’s highly likely that there are going to be security holes somewhere. Does Hackersblog have the right to reveal this information to the public? And is it even a good idea to have a group of “ethical” hackers? (<a href="http://www.hackersblog.org/about/">About</a> the group and <a href="http://www.hackersblog.org/2009/03/13/words/">statement on philosophy</a>)</p>
<p>It is also important to realize how dangerous a leak like this is. Even though getting access to the emails and passwords for newspaper subscriptions does not seem like a very important issue, one must keep in mind that most users have the same password for everything. The article cites that 61% of people use the same password for a variety of websites, so a password leak anywhere can lead to disastrous problems.</p>
<p>Obviously The Telegraph should fix these bugs, but it should also think about how to incorporate more secure practices into all parts of their system. Had they been designing their system with a security mindset all along, it is unlikely such an attack would be possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/1162/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Current Event: Air Force Engineers develop BitTorrent sniffer</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-air-force-engineers-develop-bittorrent-sniffer/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-air-force-engineers-develop-bittorrent-sniffer/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 20:52:06 +0000</pubDate>
		<dc:creator>ezwelty</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1146</guid>
		<description><![CDATA[Original article: http://arstechnica.com/security/news/2009/02/airforce-engineers-develop-bittorrent-sniffer.ars
The Air Force Institute of Technology has a new method for passive BitTorrent tracking. The system attempts to read the header of BitTorrent packets, and compare the hash in the packet to a known set of bad hashes. If a bad hash is matched, then the system logs it for future investigation. The [...]]]></description>
			<content:encoded><![CDATA[<p>Original article: <a href="http://arstechnica.com/security/news/2009/02/airforce-engineers-develop-bittorrent-sniffer.ars">http://arstechnica.com/security/news/2009/02/airforce-engineers-develop-bittorrent-sniffer.ars</a></p>
<p>The Air Force Institute of Technology has a new method for passive BitTorrent tracking. The system attempts to read the header of BitTorrent packets, and compare the hash in the packet to a known set of bad hashes. If a bad hash is matched, then the system logs it for future investigation. The system uses programmable FPGAs, and sniffing capacity tops out at 100Mbps.</p>
<p>Recent developments in traffic shaping / packet analysis have been largely spurred by large ISPs&#8217; desire to limit users&#8217; consumption of high-bandwidth services such as BitTorrent. Complaints towards users of BitTorrent include high bandwidth usage, as well as accusations of illegally sharing copyrighted material.</p>
<p>However, packet inspection at any level raises a number of privacy concerns, as systems at the ISP level would definitively be reading the data that flows through their network from an end user&#8217;s machine. This can either be malicious or not &#8212; it really depends on <a href="http://blog.johnath.com/2009/03/05/deep-packet-inspection-considered-harmful/comment-page-1/">how ISPs use it</a>. It seems like ISPs are highly motivated to keep traffic down so that they can keep their networks from becoming congested. However, no ISP customer can ever exceed the maximum amount of bandwidth that they are advertised to get. It seems like the ISPs are not being forthcoming about the real amount of bandwidth that they want customers to use.</p>
<p>Bandwidth isn&#8217;t the only issue, with litigation being handed out to file sharers. It&#8217;s in the ISP&#8217;s best interest to stay out of any legal issues they can, which also provides a good motivator for packet shaping BitTorrent traffic. However, given millions of motivated BitTorrent users versus companies with relatively limited resources, they are fighting an uphill battle that will not end up in their favor. This Air Force sniffing technology can&#8217;t detect encrypted BitTorrent packets, which comprise 25% of the BT traffic out there. As well, with projects such as <a href="http://oneswarm.cs.washington.edu">OneSwarm</a>, people can set up much more anonymous sharing networks between friends. The only way for corporations to survive file sharing is to adapt, <a href="http://tech.slashdot.org/article.pl?sid=09/03/08/2129255&amp;from=rss">like the Norwegian state broadcasting company did</a> when it started offering its broadcasts as full, unencrypted downloads on its own hosted BitTorrent tracker.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/current-event-air-force-engineers-develop-bittorrent-sniffer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The BBC Borrows a Botnet</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/the-bbc-borrows-a-botnet/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/the-bbc-borrows-a-botnet/#comments</comments>
		<pubDate>Fri, 13 Mar 2009 12:08:58 +0000</pubDate>
		<dc:creator>bensona</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1110</guid>
		<description><![CDATA[In an effort to make the public aware of the threat of botnets, the BBC comes very close to violating the UK&#8217;s Computer Misuse Act.  The BBC technology program Click acquired a botnet of about 22,000 computers and used them to send spam to BBC-owned e-mail accounts.  They also mounted a DDoS attack on a [...]]]></description>
			<content:encoded><![CDATA[<p>In an effort to make the public aware of the threat of botnets, the BBC comes very close to violating the UK&#8217;s Computer Misuse Act.  The BBC technology program Click acquired a botnet of about 22,000 computers and used them to send spam to BBC-owned e-mail accounts.  They also mounted a DDoS attack on a site owned by security company PrevX (with their permission, of course).  Click acquired the botnet after &#8220;visiting chatrooms on the internet.&#8221;  Before giving up control of the zombie machines, Click advised owners of vulnerable machines on how to make their systems more secure.<span id="more-1110"></span></p>
<p>Click&#8217;s ability to acquire the botnet makes clear the increasing ease with which malicious users are able to raise computer armies to do their evil bidding. While the article doesn&#8217;t directly say how the botnet was acquired, it asserts that 1,000 computers may be sold for around $400.  Their &#8220;chatroom visit&#8221; likely mirrored a real-world back alley deal.</p>
<p>Although Click&#8217;s intentions were pure, their means were questionable and only furthered the problems botnets raise.  They encouraged botnet creators to continue their work, proving that there is an expanding market for their product.  Even though they only sent spam to their own accounts, they still burdened the servers along the way, wasting bandwidth.  Finally, to deliver their warning message to users, they either had to identify the users, compromising their privacy, or make changes to their machines.</p>
<p>I hope that Click&#8217;s use of a malicious service will make people aware of these attacks and inform them how to prevent subversion of their computers.  BBC should be reprimanded by the government because their actions come close to breaking the statutes in the UK&#8217;s Computer Misuse Act.</p>
<p><a href="http://news.bbc.co.uk/2/hi/programmes/click_online/7932816.stm" target="_blank">BBC Article</a></p>
<p><a href="http://www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm" target="_blank">Computer Misuse Act</a></p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/the-bbc-borrows-a-botnet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Review:  In-Eye Video Camera</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/09/security-review-in-eye-video-camera/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/09/security-review-in-eye-video-camera/#comments</comments>
		<pubDate>Mon, 09 Mar 2009 21:15:31 +0000</pubDate>
		<dc:creator>jimmy</dc:creator>
				<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security Reviews]]></category>
		<category><![CDATA[Camera]]></category>
		<category><![CDATA[Eye]]></category>
		<category><![CDATA[Video]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1057</guid>
		<description><![CDATA[Rob Spence, a Canadian Filmmaker, is currently developing a prototype to equip his prosthetic eye with a built-in, wireless video camera.  The digital system, while not able to transmit information to his brain, will be able to route the signal through a series of increasingly large transmitters to a remote machine, which could potentially stream [...]]]></description>
			<content:encoded><![CDATA[<p>Rob Spence, a Canadian Filmmaker, is currently developing a prototype to equip his prosthetic eye with a built-in, wireless video camera.  The digital system, while not able to transmit information to his brain, will be able to route the signal through a series of increasingly large transmitters to a remote machine, which could potentially stream that data live on the internet.  As Spence explains, &#8220;If you lose your eye and have a hole in your head, then why not stick a camera in there?&#8221;<br />
Spence hopes to be able to integrate this recorder seamlessly into his existing prosthetic eye, such that a casual observer would not be able to notice its presence (for a stunning picture of how realistic his current eye looks, and how small his current camera is, see the article linked at the bottom of this post).  He plans to have an on/off switch, so the recording feature can be stopped for private events, theater screenings, or bathroom trips.  Spence and his team are currently working to shrink all of the necessary components such that they are small enough and lightweight enough to fit within the space of an eye-socket, without weighing enough to cause disfigurement.</p>
<p><span id="more-1057"></span></p>
<ul>
<li>Assets</li>
</ul>
<ol>
<li> The wearer of this device should be able to restrict access to the data he/she collects.  This is important to protect not only the privacy, but potentially the security of the user.</li>
<li> Others in contact with the wearer should have their own privacy concerns, given that they may or may not know they are being filmed and that the footage could even be streamed online in real time.</li>
</ol>
<ul>
<li>Adversaries</li>
</ul>
<ol>
<li> An adversary may wish to steal private footage the user is filming.  The architect of this system is a filmmaker, so the footage could have potential value as an art-form.  One could easily imagine several other scenarios, however, where the images being filmed are of a sensitive nature.  Video of a user typing in his or her password onto a bank&#8217;s website, or entering his or her PIN number into an ATM machine could be quite valuable to an attacker.</li>
<li> An adversary could also use footage to cause direct harm to the user.  If the user decides to stream the video footage he or she collects online, an attacker could use this information to find the person&#8217;s precise location, and cause physical harm.</li>
</ol>
<ul>
<li>Weaknesses</li>
</ul>
<ol>
<li> The footage has to be wirelessly transmitted from the camera to another location where it is collected.  This stream could potentially be sniffed and/or corrupted in flight.</li>
<li> Rather than attack the footage in transit, an adversary could break into the remote location where the data is stored and steal and/or corrupt the hard-disk on which the data is stored.</li>
</ol>
<ul>
<li>Defenses</li>
</ul>
<ol>
<li> The stream could be encrypted and signed to prevent tampering; however, this presents a large problem given the size/weight restrictions of the device within the eye-socket.  Most likely the camera within the eye would have to operate with an extremely weak signal that could only be received by another component on the user&#8217;s body.  That larger component, located on a belt or backpack, could be responsible for encrypting the stream, and sending it larger distances.  The current plan uses this implementation, for space not security reasons, but it may not include the encryption step.</li>
<li> The user should also be careful to physically secure the remote machine location (locking doors and what-not), as well as encrypting the hard drive.</li>
</ol>
<p>While to this point I have focused mainly on issues regarding tampering or theft of the data-stream, the elephant in the room remains the larger privacy issue surrounding hidden cameras pervading our daily lives.  If this camera becomes so life-like as to be indistinguishable from an actual eye, a possibility all the more likely given Moore&#8217;s law, a conversation one might think is private could be stored and transmitted to millions.  One could argue users of this system should be ethically obligated to inform others they are wearing a camera, however others might claim having a prosthetic eye is a physical handicap, and the privacy of that condition should be protected.  Spence himself claims he will turn the device off on private occasions, but why should he be trusted, and how can that trust be enforced?</p>
<p>To those who fear a world of eye-spies filming their every movement, my response would be that hidden cameras are by no means new.  Making a camera look as real as a human eye may be a large step forward, but eye-implants or no eye-implants, if people fervently care about keeping their private lives private they should tread lightly in public places.</p>
<p>Article:  http://blog.wired.com/gadgets/2008/12/eye-spy-filmmak.html</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/09/security-review-in-eye-video-camera/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Event: Convicted Botnet Leader Retains Job</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/07/current-event-convicted-botnet-leader-retains-job/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/07/current-event-convicted-botnet-leader-retains-job/#comments</comments>
		<pubDate>Sun, 08 Mar 2009 04:15:28 +0000</pubDate>
		<dc:creator>eapter</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Policy]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1047</guid>
		<description><![CDATA[In three sequential articles, ComputerWorld traces the sentencing of convicted botnet leader John Schiefer as well as his continued employment at the start-up Mahalo.  Schiefer is an ex-security consultant and is the first botnet leader to be charged under the wiretap statutes.  He entered his guilty plea almost a year ago, but sentencing has been [...]]]></description>
			<content:encoded><![CDATA[<p>In <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=cybercrime_and_hacking&amp;articleId=9129054">three</a> <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9129098">sequential</a> <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9129178">articles</a>, <a href="http://www.computerworld.com/">ComputerWorld</a> traces the sentencing of convicted botnet leader John Schiefer as well as his continued employment at the start-up <a href="http://www.mahalo.com/">Mahalo</a>.  Schiefer is an ex-security consultant and is the first botnet leader to be charged under the wiretap statutes.  He entered his guilty plea almost a year ago, but sentencing has been delayed until now.  He will be paying $2,500 in fines, paying nearly $20,000 in restitution, and spending 4 years in prison.  Perhaps what is more interesting is that Mahalo&#8217;s CEO Jason Calacanis has both allowed Schiefer to continue working during this time and has expressed a desire to offer him a job upon his release from prison.  Calacanis has defended this decision on the basis that he trusts Schiefer and considers him a changed man from the person who committed the earlier crimes.</p>
<p><span id="more-1047"></span>Clearly, Schiefer&#8217;s sentencing is a consequence of pleading guilty to the charges against him.  When he originally obtained his job at Mahalo, his employers were not aware of his criminal activities.  They learned of these crimes months after his hiring.  However, Calacanis decided not to fire him at that time and stands by that decision: &#8220;I consider myself a fairly decent judge of character, and after spending months with John, I’m convinced he was an angry stupid kid when he launched his botnet attack.&#8221;  Regardless of the accuracy of Calacanis&#8217;s  assessment, Schiefer is able to keep his job because he gained the trust of his coworkers and employer.  In their eyes, he became a person (John Schiefer) instead of a nebulous concept (botnet leader).  This speaks to the importance of trust within our society.</p>
<p>Though Calacanis claims that Mahalo&#8217;s hiring process is quite rigorous, it seems that a simple background check would have been sufficient to bring Schiefer&#8217;s past to light (assuming he had already been identified by authorities at the time of hiring).  If this wasn&#8217;t done, then Mahalo failed at ensuring the integrity of their hires.  If this was done and there was no information, then Mahalo can hardly be held accountable for the original oversight.  Another interesting aspect of this case is that Calacanis claims this has affected his perspective on hiring felons.  Where previously he said most felons would not have made it to the interview process, his experience with Schiefer has given him some faith in the rehabilitation process and prompted him to rethink his position.</p>
<p>This event brings out important issues about security, trust, and rehabilitation.  No one doubts that Schiefer committed the crimes to which he pled guilty.  What is an issue is that he is continuing to work in the industry that made his original crimes possible.  Even if he continues to be closely supervised, this will give Schiefer ample opportunity to perform more attacks in the future.  However, much of the justification of our country&#8217;s penal system is the idea that, after serving one&#8217;s time, a person can become rehabilitated.  This allows a person to re-integrate with society and make something of himself.  Certainly Schiefer is being given that opportunity, but there is significant security risk in the process.</p>
<p>Because of the two conflicting ideas of security and rehabilitation, I expect that different people will have different opinions on this matter.  Furthermore, I suspect that despite disagreeing on the proper course of action, many people would agree that they are &#8220;good&#8221; judges of character.  I think that if they met Schiefer they, like Calacanis, would have a firm opinion of the proper course of action, whichever course of action they happen to support.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/07/current-event-convicted-botnet-leader-retains-job/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Events: UK Company Illegally Sold Worker Data</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/06/current-events-uk-company-illegally-sold-worker-data/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/06/current-events-uk-company-illegally-sold-worker-data/#comments</comments>
		<pubDate>Sat, 07 Mar 2009 04:43:14 +0000</pubDate>
		<dc:creator>jap24</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1037</guid>
		<description><![CDATA[According to an article at the Guardian, dozens of companies in the UK had been buying personal information about potential employees from a company called the Consulting Association in violation of British data protection laws.  The Data Protection Act made it illegal to collect and distribute private information about individuals without telling them.  The Consulting [...]]]></description>
			<content:encoded><![CDATA[<p>According to <a href="http://www.guardian.co.uk/uk/2009/mar/06/data-protection-construction-industry">an article at the Guardian</a>, dozens of companies in the UK had been buying personal information about potential employees from a company called the Consulting Association in violation of British data protection laws.  The Data Protection Act <a href="http://news.bbc.co.uk/2/hi/uk_news/7927487.stm">made it illegal to collect and distribute private information about individuals without telling them</a>.  The Consulting Association aggregated information from the companies that subscribed to its services, and in return it gave them data on workers trying to get jobs.  The files kept by the Consulting Association included data on union activity and other private details.  Some workers in the British construction industry have claimed for years that companies have been blacklisting union activists, and <a href="http://news.bbc.co.uk/2/hi/uk_news/7927487.stm">one worker</a> may have been blacklisted after filing an unfair dismissal case against an employer. This event represents a violation of privacy of employees, and an attempt to stifle organized labor.</p>
<p><span id="more-1037"></span> This arrangement was motivated by economics and facilitated by technology.  Companies can potentially arrange to pay lower wages to employees in the absence of unions.  Blacklisting and avoiding hiring workers who might organize unions or who would take the company to court for violating labor laws would allow a company to lower its expenses.  Databases, hardly new technology, allowed the Consulting Association to maintain easily accessible records on individuals that it could give to client companies.</p>
<p>The current situation might have been prevented by more monitoring from the British government.  According to the BBC, the Consulting Association’s arrangement had been going on for the last 15 years, and there had been complaints for years in the construction industry about blacklisting, but the government hadn’t discovered the problem until a short while ago.  In addition, the Parliament had proposed but failed to pass legislation against blacklisting in particular, and that law might have been a deterrent to the practices in this incident, though, since the Data Protection Act wasn’t enough, it seems doubtful that adding another law would have helped.  Also, companies should have data management policies that do not permit giving away employee data except under special circumstances.  This might prevent a database like the one created by Consulting Association from developing in the first place.  But since they benefited from the arrangement that developed, the companies involved in this case might not have found such a policy to be in line with their interests and avoided having one.</p>
<p>The broader issue in this incident is an individual’s control over information about himself.  Companies that collect information about people, such as companies collecting data about their employees or Internet services collecting data about their customers, can archive that data in their own databases.  Individuals usually have little control over whether or not information about themselves is kept or removed from these databases.  Companies controlling these databases could be tempted to use the collected information in ways that are not in the best interests of the individuals involved, such as turning over the databases to advertisers.  In this case, one of the reasons why Consulting Association’s actions were harmful was that workers had no way of finding out or refuting the assertions made about themselves in the databases.</p>
<p>Hopefully, lawmakers will respond to this case by passing new laws (and actually enforcing them in a timely manner this time) protecting the privacy of individuals.  In addition to laws against blacklisting and increasing monitoring of hiring practices, legislators should consider passing more general laws to help individuals access and remove data about themselves from databases held by others.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/06/current-events-uk-company-illegally-sold-worker-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Event: YoBusted.com, busted?</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/16/current-event-yobustedcom-busted/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/02/16/current-event-yobustedcom-busted/#comments</comments>
		<pubDate>Mon, 16 Feb 2009 17:23:56 +0000</pubDate>
		<dc:creator>hmu2</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=972</guid>
		<description><![CDATA[According to a recent article from Business Week, a photo-sharing site, YoBusted.com, has crossed the line between maintaining personal privacy and extortion. This site allows users to post incriminating pictures of friends without proof that his or her permission to use the photos has been given. The &#8220;busted&#8221; friend can remove the photos, but only [...]]]></description>
			<content:encoded><![CDATA[<p>According to a recent article from <a href="http://www.businessweek.com/technology/content/feb2009/tc20090211_007201.htm">Business Week</a>, a photo-sharing site, YoBusted.com, has crossed the line between maintaining personal privacy and extortion. This site allows users to post incriminating pictures of friends without proof that his or her permission to use the photos has been given. The &#8220;busted&#8221; friend can remove the photos, but only after paying a fee to become a member of the YoBusted site. According to the article, at least four people found photos on the site that had been taken from their Facebook profiles and posted on YoBusted without their permission and inaccurately tagged with their names (thus wrongly accusing them of participating in the activities depicted in the photos). Facebook has alerted the FBI against this site, claiming that posting the pictures was a violation of Facebook&#8217;s terms of service and that the site is unlawfully requiring payment for picture removal. YoBusted claims that it provides many services (not just removing pictures) that justify charging a fee to use their site and that, in order to maintain the attractiveness of the site, it will remove photos at its discretion without charging a fee.</p>
<p>Besides the obvious personal security concerns of having embarrassing photos posted online without the individual&#8217;s permission, there are larger issues here: anyone can make a website that can provide almost any service they want. YoBusted is an incorporated company using a legally registered domain to provide a service that allows anyone to be the paparazzi and everyone to be the next big tabloid story. This site is the incarnation of a common public desire: gossip, only people are taking it more personally when it&#8217;s their face plastered all over a website instead of some big movie star or politician. Quite frankly, I think this site is teaching users a valuable lesson: don&#8217;t put embarrassing photos of yourself on the internet and increase the privacy settings on your social networking sites.</p>
<p>I think another big issue highlighted by this controversy is that individuals are no longer in control of their online reputations. It seems that even a person who has never accessed the internet can&#8217;t escape some amount of information about themselves being somewhere online. The underlying question is how can people combat something they can&#8217;t even detect? Are internet users (and non-internet users for that matter) really expected to constantly surf the web to ensure no one has posted something about them without their permission?</p>
<p>People will most likely react to this site&#8217;s attempt to provide a &#8220;valuable&#8221; service with concern and fear, which will hopefully encourage them to take down embarrassing photos of themselves and increase their privacy settings online.  In the broader social context, maybe this issue will make people think twice before they do something stupid. I doubt it, but for humanity&#8217;s sake, I can at least give them the benefit of the doubt.</p>
<p>Note: YoBusted.com is currently &#8220;Under Construction&#8221;. I&#8217;d be interested to know if this is a direct result of Facebook&#8217;s accusations and/or other political/social influences.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/02/16/current-event-yobustedcom-busted/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
