<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>UW Computer Security Research and Course Blog &#187; Research</title>
	<atom:link href="http://cubist.cs.washington.edu/Security/category/research/feed/" rel="self" type="application/rss+xml" />
	<link>http://cubist.cs.washington.edu/Security</link>
	<description></description>
	<lastBuildDate>Tue, 17 Mar 2009 01:02:40 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security Review: New Weapons in the Fight Against Doping</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-new-weapons-in-the-fight-against-doping/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-new-weapons-in-the-fight-against-doping/#comments</comments>
		<pubDate>Sat, 14 Mar 2009 05:57:15 +0000</pubDate>
		<dc:creator>oterod</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security Reviews]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1293</guid>
		<description><![CDATA[ The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. [...]]]></description>
			<content:encoded><![CDATA[<p>The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. Marion Jones, for instance, a five-medal winner in Sydney’s 2000 summer Olympics, was retroactively indicted on drug charges and agreed to forfeit her awards. While the revelation shocked many, Jones relinquished her medals and life went on.</p>
<p class="MsoNormal" style="text-align: justify;">Professional cycling, however, is a very different story. Because it combines the commercialism of motorsport racing with athletic demands that exceed those of almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers; it also pleases sponsors and significantly affects their economic standing. Sponsoring a winning Tour de France team brings a company in Europe tremendous revenue. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.</p>
<p class="MsoNormal" style="text-align: justify;"><span id="more-1293"></span>For years, dopers and anti-doping agencies have played much the same cat-and-mouse game that security researchers play with crackers. Riders use performance enhancers; researchers create tests to detect them; riders find new drugs to use, and so on and so forth. Doping had long been present in cycling, but it was the 1998 expulsion of the entire Festina team from that year’s Tour de France that signaled the beginning of the “doping era.” Since then, every “grand tour” (the class defined by the Tour de France, the Giro d’Italia, and the Vuelta a España) has been plagued by expulsions, positive tests, litigation and scandals. In order to restore honor and fairness to the sport, many are crusading against the use of performance enhancing drugs. Until recently, the combined fervor of athletic and corporate lust for success seemed unbeatable.</p>
<p class="MsoNormal" style="text-align: justify;">According to an article by Juliet Macur in the February 28<sup>th</sup>, 2009 edition of the New York Times, the anti-doping community has developed a new methodology for detecting cheating. Rather than attempting to detect traces of illicit chemicals in riders’ bloodstreams, drug testers are attempting to develop a “biological passport” for each rider. By comparing a rider’s current blood work against earlier tests, it is now possible to detect telltale signs of substance abuse via the changes observed in that rider’s blood. Legal action has already been brought against several riders with this biological passport as evidence.</p>
<p class="MsoNormal" style="text-align: justify;"><strong>Assets</strong></p>
<ul>
<li>Riders don’t want to suffer in the ranks as a result of their competition using performance enhancing drugs</li>
<li>Sponsors and team owners don’t want the cheating of other riders to reduce the acclaim, visibility, or overall performance of their respective teams.</li>
<li>Race officials and fans want to see respectable racing, not battle-of-the-druggies. Cycling has been tainted in recent years by the proliferation of doping scandals.</li>
<li>Every non-adversary wants final rankings to be representative of rider athleticism and effort.</li>
</ul>
<p class="MsoNormal" style="text-align: justify;"><strong>Potential Adversaries</strong></p>
<ul>
<li>Riders whose competitive spirit may drive them to seek “help” in order to win.</li>
<li>Riders who suffer from excessive pressure from sponsors to perform.</li>
<li>Sponsors, team owners, or team managers wishing for more team/product/brand visibility thanks to front-running riders.</li>
<li>Doctors and researchers developing new doping methods.</li>
</ul>
<p class="MsoNormal" style="text-align: justify;"><strong>Potential Weaknesses:</strong></p>
<ul>
<li>Though I don’t claim to understand the biology, and while I can’t imagine that an attack this simple would be possible against the “latest and greatest” in anti-doping technology, I see one fundamental flaw in this approach. If detection of substance abuse relies on change between two test dates, the test is vulnerable to a rider who is never tested prior to adopting a doping habit. Because blood may not change once routine doping is adopted, there might not be a difference between old tests and current tests either.</li>
</ul>
<p class="MsoNormal" style="text-align: justify;"><strong>Potential Defenses:</strong></p>
<ul>
<li>In addition to using these “biological passports,” parallel research should continue into the discovery and detection of new doping techniques. These detection methods should be applied alongside any delta-comparison between blood tests.</li>
<li>If possible, attempt to characterize the blood of known dopers, as well as the blood of likely non-dopers (very poor performers, amateurs, etc.). It may be feasible to derive a model that can detect doping in riders for whom an accurate “clean” baseline sample is unavailable.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/security-review-new-weapons-in-the-fight-against-doping/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Events: One more botnet-related legal fray</title>
		<link>http://cubist.cs.washington.edu/Security/2009/03/13/current-events-one-more-botnet-related-legal-fray/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/03/13/current-events-one-more-botnet-related-legal-fray/#comments</comments>
		<pubDate>Sat, 14 Mar 2009 04:52:13 +0000</pubDate>
		<dc:creator>oterod</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=1265</guid>
		<description><![CDATA[ As part of an “exposé” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal">As part of an “exposé” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to two specific test addresses, and finally, used their botnet to bring down a security firm’s backup website via DDoS. The DDoS attack was done with permission from the “victim” company (Prevx).</p>
<p class="MsoNormal">Now the BBC group is in a spot of legal trouble, as their use of a botnet could potentially implicate them in a violation of the UK’s Computer Misuse Act. While the BBC claimed that their use of the botnet was purely academic, and therefore not criminal, they did take control of non-consenting citizens’ home PCs. More importantly, in purchasing the use of a botnet, reportedly at somewhere between $300-$400 per machine, the news network essentially funneled a few million dollars into the hands of cybercriminals. And all so that they could demonstrate what many papers and news articles before them already had.</p>
<p class="MsoNormal">The journalists, at surface level, did a good job of keeping things academic and avoiding any sort of cybercrime. They spammed their own test e-mail accounts. They DDoS’d a prepared and willing target. They also put warning documentation on the infected machines at the experiment’s conclusion, explaining to their users that they had been infected and how best to avoid future infections. Ultimately, however, by mere involvement with and commandeering of hijacked personal machines – and especially thanks to funding the true criminal party – they did indeed commit some level of criminal act. To what degree they are held responsible is now a matter for the British courts to decide.</p>
<p class="MsoNormal">This is just one more occurrence in a string of botnet-related legal issues. A similar issue plagued German malware researchers with the means to potentially dissolve the Storm worm’s botnet(s) (see http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/). It seems that academicians of all types are running into a fundamental problem with this particular security threat: there is no way to legally study it “in the wild.” The moment a researcher connects to a botnet, takes control of it, or otherwise interacts with it, he or she risks legal consequences. Whether or not any charges stick is a different matter, and quite frankly, it will take some time before reasonable precedents clarify the legal “consensus,” but regardless these issues represent a significant impediment to progress in anti-botnet research.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/03/13/current-events-one-more-botnet-related-legal-fray/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Current Event: WarCloning Passport RFID Tags</title>
		<link>http://cubist.cs.washington.edu/Security/2009/02/02/current-event-warcloning-passport-rfid-tags/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/02/02/current-event-warcloning-passport-rfid-tags/#comments</comments>
		<pubDate>Tue, 03 Feb 2009 06:03:05 +0000</pubDate>
		<dc:creator>rctucker</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[rfid]]></category>
		<category><![CDATA[WarCloning]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=613</guid>
		<description><![CDATA[According to Slashdot, researcher Chris Paget was able to capture many identification numbers from the new passports containing RFID tags while driving around San Francisco. Using $250 of equipment (an RFID reader and an antenna) hooked up to his laptop, Paget was able to read the identification numbers of the passport RFID tags from up [...]]]></description>
			<content:encoded><![CDATA[<p>According to Slashdot, researcher Chris Paget was able to capture many identification numbers from the new passports containing RFID tags while driving around San Francisco. Using $250 of equipment (an RFID reader and an antenna) hooked up to his laptop, Paget was able to read the identification numbers of the passport RFID tags from up to 20 feet away. According to Paget, it could be possible to read the tags from hundreds of feet away, since they are actual radio signals. It is then &#8220;trivial to program&#8221; a blank tag with the retrieved identification numbers. It is these numbers that are used in verifying the RFID tag.<span id="more-613"></span></p>
<p>The concerns that arise are privacy and identity theft. The passport RFID tags do not contain any personal or identifying information themselves, but when they are combined with the information gleaned from other RFID tags that an individual may be carrying, it becomes possible to track an identity. Paget gives an example of how this can be done. By combining RFID readers at a doorway or an entrance, it would be possible to read the tags of driver&#8217;s licenses and credit cards (both of which <em>do</em> contain identifying information) and match them with the passport identification number. Since it was demonstrated that the passport tag could be read at a distance of many feet instead of inches, a person could be tracked using their passport RFID, and their identity would be linked using the data from their driver&#8217;s license and credit cards.</p>
<p>Paget has posted a video on YouTube that demonstrates how he accomplished this feat. In it, he mentions two security features built into the passport RFID: a lock code and a kill code. The lock code is supposed to prevent the identification number in an RFID tag from being altered. The kill code is intended to disable the tag completely. Paget describes how, when read, these codes are transmitted in plaintext, allowing anyone to intercept them. Although Paget admits that only the identification number is used in verification, if the lock and kill codes are ever used for verification, they are just as easy to capture.</p>
<p>This should come as a serious concern to those receiving passports and the new driver&#8217;s licenses, as this has been a known concern for some time, even though few have been bold enough to demonstrate how easy it is to break this system. Paget does not believe that any personal identification documents should ever contain RFID tags, and says the ultimate goal of his research is to &#8220;see the entire Western Hemisphere Travel Initiative just be scrapped.&#8221; Though these RFID tags make it more convenient for travelers and security personnel alike, the convenience comes at a cost.</p>
<p>It will be necessary for the government to address these security problems for the general public to trust the RFID tags. This will likely mean that the data must be encrypted instead of being broadcast in plaintext. It may also mean reducing the range at which the passport RFID tags can be read. However, even if these problems are addressed, this does not fix the problems created by RFID tags in other devices such as driver&#8217;s licenses and credit cards. To truly address this problem, it may be necessary to remove RFID tags from cards that do not require them. At a minimum, it will require removing identity information from the cards and encrypting data that must be read.</p>
<p>Links:<br />
http://it.slashdot.org/article.pl?sid=09/02/02/2224255<br />
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/<br />
http://www.youtube.com/watch?v=9isKnDiJNPk<br />
http://darkreading.com/security/privacy/showArticle.jhtml?articleID=213000321<br />
http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-cloning-rfid-passports/</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/02/02/current-event-warcloning-passport-rfid-tags/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Personal Networks of the Future: The MAGNET project</title>
		<link>http://cubist.cs.washington.edu/Security/2009/01/30/personal-networks-of-the-future-the-magnet-project/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/01/30/personal-networks-of-the-future-the-magnet-project/#comments</comments>
		<pubDate>Sat, 31 Jan 2009 00:00:27 +0000</pubDate>
		<dc:creator>asekine</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security Reviews]]></category>
		<category><![CDATA[Add new tag]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=568</guid>
		<description><![CDATA[With the improvement of wireless technologies and a decrease in their cost, more and more devices come with network connectivity built in. From Wifi to Bluetooth to 3G, more and more devices are becoming wireless capable. A recent article from ScienceDaily (continued here and here) discusses how many of our personal belongings will be interacting [...]]]></description>
			<content:encoded><![CDATA[<p>With the improvement of wireless technologies and a decrease in their cost, more and more devices come with network connectivity built in. From Wifi to Bluetooth to 3G, more and more devices are becoming wireless capable. A recent article from <a href="http://www.sciencedaily.com/releases/2008/11/081117082425.htm">ScienceDaily</a> (continued <a href="http://www.sciencedaily.com/releases/2008/11/081118071422.htm">here</a> and <a href="http://www.sciencedaily.com/releases/2008/12/081202081548.htm">here</a>) discusses how many of our personal belongings will be interacting wirelessly, and the technologies being developed in order to cope with such a massive increase. It is predicted that by 2017 there will be 7 trillion devices for 7 billion people connected on personal networks. Given the many problems of wireless security that we face today, the potential for problems is a serious concern.</p>
<p>The article discusses MAGNET, a European research project aimed at seamlessly managing personal networks (PN). The goal is to make maintaining one&#8217;s PN easy and convenient, while still remaining secure. It is hoped that bringing new devices into the network can be done in a user friendly way, avoiding many of the connection nuances that annoy consumers today.</p>
<h4>Assets and Security Goals</h4>
<ul>
<li>If everyone&#8217;s lives are as fully connected as conjectured, then all forms of privacy and personal security could be at stake. The PN is used to keep your entire life connected, whether it be to keep personal finances and work in order, or to monitor heart rate and other bodily functions.</li>
<li>Maintaining availability and reliability of electronic devices. Devices could stop functioning properly if dependencies are built upon the functionality of the PN being intact.</li>
</ul>
<h4>Potential Adversaries and Threats</h4>
<ul>
<li><strong>Adversaries outside the personal network.</strong> If so many devices are communicating wirelessly, the amount of traffic in the air at once is potentially staggering. Any adversaries who wish to learn about an individual could monitor this communication and learn about the user.</li>
<li><strong>Adversaries within the personal network.</strong> If an adversary were able to gain access to a device within the PN, it may be possible to gain access to other devices in the network.</li>
<li><strong>Advertisers/Marketers.</strong> It may be possible for a manufacturer to construct a device which monitors a user&#8217;s PN to learn about their habits. This information gathering could be used to make very targeted ads depending on the devices in their PN and the communications they make.</li>
<li><strong>Device manufacturers.</strong> Device manufacturers could be adversaries themselves, and embed malicious behavior in their devices. One manufacturer&#8217;s device could, for instance, attack a competitor&#8217;s device on the same network.</li>
</ul>
<h4>Potential Weaknesses</h4>
<ul>
<li>Professor Liljana Gavrilovska, Technical Manager of the MAGNET Beyond project, stated that, “We have a user-centric approach with the overall objective to design, develop, demonstrate and validate the concept of a flexible PN that supports resource-efficient, robust, ubiquitous personal services in a secure, heterogeneous networking environment for mobile users.” By maintaining a user-centric approach, it&#8217;s possible that many assumptions have to be made about the types of devices and the access privileges given on a PN. Specific customization of individual devices on a PN may be difficult given how transparent this process is meant to be to the user.</li>
<li>Trust between devices could be a weakness in a network. The enforcement and access rights that devices have within the network would have to be specified to ensure devices can&#8217;t take actions that aren&#8217;t necessary for their function.</li>
</ul>
<h4>Potential Defenses</h4>
<ul>
<li>Ensure that all users are aware of the risks associated with this technology before using it. It&#8217;s apparent even today that many users aren&#8217;t concerned with security, given how many home networks are left vulnerable and exposed.</li>
<li>Enforce a standards policy on manufacturers to ensure that the devices they produce conform to security standards, and do not exhibit any undesired behavior that is not related to their dedicated tasks.</li>
</ul>
<p>Given the recent trends and developments in personal devices, it&#8217;s inevitable that our devices will be communicating on a massive scale. The MAGNET project is responding to the need for a well defined standard for these technologies to cooperate. There is a lot at stake, and adversaries have every reason to target users&#8217; PNs for personal gain. Efforts are being made to ensure that this technology is safe and secure for users to depend on, but these measures should be scrutinized in order to ensure personal privacy and safety.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/01/30/personal-networks-of-the-future-the-magnet-project/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Storm worm cracked, but defenses may not fly</title>
		<link>http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/#comments</comments>
		<pubDate>Mon, 12 Jan 2009 07:21:25 +0000</pubDate>
		<dc:creator>oterod</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Bonn University]]></category>
		<category><![CDATA[RWTH Aachen University]]></category>
		<category><![CDATA[Storm]]></category>
		<category><![CDATA[Windows security]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=410</guid>
		<description><![CDATA[The Storm worm, noticed for the first time on January 17th, 2007, is one of the more notorious worms of the last few years. Targeted initially towards individual Windows machines, victims were often infected after receiving a bait e-mail with a particularly intriguing subject line, originally on the topic of a nasty European windstorm. The [...]]]></description>
			<content:encoded><![CDATA[<p>The Storm worm, noticed for the first time on January 17th, 2007, is one of the more notorious worms of the last few years. Targeted initially towards individual Windows machines, victims were often infected after receiving a bait e-mail with a particularly intriguing subject line, originally on the topic of a nasty European windstorm. The malicious attachment, when opened, would begin sending data to predetermined locations, as well as potentially installing additional malware.</p>
<p>The two most important side-effects of the worm were assumed control of the victim machine for botnetting, as well as the installation of a rootkit. What made Storm particularly effective as a botnet client was the use of peer-to-peer technology, rather than a strict client-server model. While &#8220;primitive&#8221; botnets could be attacked by targeting the centralized server, Storm created a P2P network of hosts, each of which was only ever &#8220;aware&#8221; of a small subset of the total botnet. While &#8220;command servers&#8221; did exert control over the botnet, they existed in numbers, and hosts were given means to find new command servers as they came online. This made it especially hard to know the botnet&#8217;s size and member machines, let alone take it down. Despite attempts by Microsoft to use its Malicious Software Removal Tool to cleanse infected nodes, estimates suggest remaining infected nodes are still plentiful.</p>
<p>In results published on January 9th, German researchers at Bonn University and RWTH Aachen University present an analysis which could, if applied properly, lead to any remaining botnets&#8217; demise. By disassembling the drone client program used by infected nodes, the researchers were able to discover the protocol used for inter-client and client-server communication. They then built their own client and hooked it into an isolated test botnet. Experiments with this client showed that drones in the botnet asked each other about command servers, much in the same way that a DNS query might travel. By creating their own bootleg command server, and using their false drone client to deceitfully route real drones to the new server, they found that they could assume control over some aspects of the infected nodes. This would allow them to remotely install and run cleanup software, potentially allowing systematic cleanup of an entire botnet.</p>
<p>&#8220;What&#8217;s the holdup?&#8221; you might ask. The problem is that this cleanup would violate German information safety laws. Not only would it invade victim machines in the same way that the worm itself has, but it could also cause all kinds of data corruption and other collateral damage as part of the cleanup process. The legal repercussions of invasion of privacy and potential tampering with data are severe. While the cost of allowing Storm-backed botnets to exist is immense &#8212; with respect to spam alone, Symantec clocked the e-mail spam-output rate of one infected node at around 360 messages per minute &#8212; the practical and ethical cost of cleanup is high enough that it&#8217;s unclear to the German researchers which is worse.</p>
<p>It seems to me as though another approach could prove less problematic. If non-Storm-controlled drones can enter the network as demonstrated by this research, they could be used to identify, rather than automatically fix, targeted nodes. With the support of some well-recognized anti-virus or computer security agency, an opt-in cleanup program could make owners of infected nodes aware of the risks of cleanup before granting access to their machines or installing cleanup software themselves. The public approval of a well-known name in the field would give credibility to the cleanup effort, and perhaps could provide an open infrastructure for individual opt-in.</p>
<p>At the very least, this research allows security professionals and individual Windows users to take anti-Storm defense into their own hands. Whether it can be used to extinguish remaining Storm-related activity remains to be seen, especially now that Storm&#8217;s developers have a chance to react. It appears that the current drone protocol doesn&#8217;t require server authentication; were that to be put in place, the researchers&#8217; spoof-server approach would no longer work. The makers of the worm have shown an eagerness and a capability to react quickly and successfully to possible anti-Storm technologies, and could no doubt &#8220;fix&#8221; this &#8220;problem&#8221; too fast for it to be useful.</p>
<p>It will be interesting to see how this situation plays out. Hopefully, it will be for the better.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Intel&#8217;s &#8220;Trusted eXecution Technology&#8221; Circumvented</title>
		<link>http://cubist.cs.washington.edu/Security/2009/01/06/intels-trusted-execution-technology-circumvented/</link>
		<comments>http://cubist.cs.washington.edu/Security/2009/01/06/intels-trusted-execution-technology-circumvented/#comments</comments>
		<pubDate>Wed, 07 Jan 2009 00:18:11 +0000</pubDate>
		<dc:creator>Ryan McElroy</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=303</guid>
		<description><![CDATA[From an article in Infoworld via Slashdot, two researchers from Invisible Things Lab have discovered a method to circumvent Intel&#8217;s Trusted eXecution Technology (TXT). The TXT system (PDF), part of Intel&#8217;s vPro hardware-assisted security product, is designed to allow software to run while protected against attacks from other software programs. However, the researchers at Invisible [...]]]></description>
			<content:encoded><![CDATA[<p>From an article in <a href="http://www.infoworld.com/article/09/01/06/Researchers_hack_into_Intels_vPro_1.html">Infoworld</a> via <a href="http://it.slashdot.org/article.pl?sid=09%2F01%2F06%2F2132247">Slashdot</a>, two researchers from <a href="http://www.invisiblethingslab.com/itl/Welcome.html">Invisible Things Lab</a> have discovered a method to circumvent <a href="http://www.intel.com/">Intel</a>&#8217;s Trusted eXecution Technology (TXT). The <a href="http://www.intel.com/technology/security/downloads/TrustedExec_Overview.pdf">TXT system (PDF)</a>, part of <a href="http://www.intel.com/technology/vpro/index.htm">Intel&#8217;s vPro hardware-assisted security product</a>, is designed to allow software to run while protected against attacks from other software programs. However, the researchers at Invisible Things Lab discovered a two-phase attack that exploits a bug in Intel software in the first phase and then uses a deficiency in the actual TXT specification in the second stage, to successfully attack software designed to use the TXT system. While such software is currently rare, it may become more prevalent as more software aims to increase security.</p>
<p>This event is a result of researchers working to verify the security properties of Intel&#8217;s vPro hardware-based security system. Hardware is much more difficult to revise than software, if revision is possible at all. This may mean that all current implementations of TXT are essentially obsolete, and may remain so in perpetuity.</p>
<p>This security cloud does have a silver lining, however: TXT is a platform that Digital Rights Management (DRM)-enabled software is likely to use, and by showing that hardware-based security is as fallible as software-based security, this new revelation may guide companies towards less restrictive, more user-friendly approaches to security and intellectual property protection.</p>
<p>Software vendors considering using the TXT system will undoubtedly be turned off by this event. However, it is better to know that something is not totally secure than it is to think that it is secure when it is not, so in the long run, it is better for Intel, despite the current press, that this exploit was discovered early rather than after many software packages depended on the TXT system. Companies such as AMD may also learn that security is a difficult problem and that attempting to &#8220;solve it&#8221; may be more trouble than it is worth.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2009/01/06/intels-trusted-execution-technology-circumvented/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Pacemaker and Implantable Defibrillator Security Paper at Oakland</title>
		<link>http://cubist.cs.washington.edu/Security/2008/05/26/pacemaker-and-implantable-defibrillator-paper-at-oakland/</link>
		<comments>http://cubist.cs.washington.edu/Security/2008/05/26/pacemaker-and-implantable-defibrillator-paper-at-oakland/#comments</comments>
		<pubDate>Mon, 26 May 2008 14:54:55 +0000</pubDate>
		<dc:creator>Tadayoshi Kohno</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Security Reviews]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/?p=232</guid>
		<description><![CDATA[University of Washington CSE PhD student Dan Halperin et al.&#8217;s paper on the security and privacy for pacemakers and implantable defibrillators just received the Best Paper Award at the annual IEEE Symposium on Security and Privacy (a.k.a. the &#8220;Oakland&#8221; conference).
Dan and the rest of the team from UW, UMass Amherst, and Harvard Medical School found that an [...]]]></description>
			<content:encoded><![CDATA[<p>University of Washington CSE PhD student <a href="http://www.cs.washington.edu/homes/dhalperi/">Dan Halperin</a> <em>et al.</em>&#8217;s paper on the security and privacy for pacemakers and implantable defibrillators just received the Best Paper Award at the annual <a href="http://www.ieee-security.org/TC/SP2008/oakland08.html">IEEE Symposium on Security and Privacy</a> (a.k.a. the &#8220;Oakland&#8221; conference).</p>
<p>Dan and the rest of the team from UW, UMass Amherst, and Harvard Medical School found that an implantable cardioverter defibrillator can leak private information and can allow unauthorized parties to modify settings that control, among other things, shock therapies.  </p>
<p>You can read Dan&#8217;s <a href="http://www.secure-medicine.org/icd-study/icd-study.pdf">full paper</a> and the <a href="http://www.secure-medicine.org/icd-study/icd-faq.html">FAQ</a>, as well as his <a href="http://www.secure-medicine.org/PervasiveIMDSecurity.pdf">earlier work</a> on the topic of medical device security.  You can also read summaries of Dan&#8217;s work in <a href="http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=1&amp;oref=slogin">The New York Times</a>, the <a href="http://online.wsj.com/article/SB120528705417629357.html">Wall Street Journal</a>, <a href="http://www.reuters.com/article/rbssHealthcareNews/idUSN1163065520080312">Reuters</a>, and the <a href="http://www.usatoday.com/tech/news/computersecurity/hacking/2008-03-12-defribrillator-hack_N.htm">Associated Press</a>.  Bruce Schneier also provides excellent <a href="http://www.schneier.com/blog/archives/2008/03/hacking_medical_1.html">commentary</a>.</p>
<p>Congratulations Dan!</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2008/05/26/pacemaker-and-implantable-defibrillator-paper-at-oakland/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>In-Flight Web Page Modifications</title>
		<link>http://cubist.cs.washington.edu/Security/2008/04/20/in-flight-web-page-modifications/</link>
		<comments>http://cubist.cs.washington.edu/Security/2008/04/20/in-flight-web-page-modifications/#comments</comments>
		<pubDate>Mon, 21 Apr 2008 01:29:32 +0000</pubDate>
		<dc:creator>creis</dc:creator>
				<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/04/20/in-flight-web-page-modifications/</guid>
		<description><![CDATA[Our research group (Charlie Reis, Yoshi Kohno, and Steve Gribble from UW CSE, and Nick Weaver from ICSI) has just presented a measurement study showing that many users are receiving web pages that have been modified in-flight.  The pages are changed between the web server and the user&#8217;s browser, either by ISPs injecting advertisements, enterprise [...]]]></description>
			<content:encoded><![CDATA[<p>Our research group (Charlie Reis, Yoshi Kohno, and Steve Gribble from UW CSE, and Nick Weaver from ICSI) has just presented a measurement study showing that many users are receiving web pages that have been modified in-flight.  The pages are changed between the web server and the user&#8217;s browser, either by ISPs injecting advertisements, enterprise firewalls injecting script code, or client-side proxies that block popups and ads.  These changes are often unwanted by either publishers or users, and they can also be dangerous: we found that several types of changes introduced bugs and security vulnerabilities into otherwise safe and functional pages.</p>
<p>To study this, we measured how often our own web page, <a href="http://vancouver.cs.washington.edu">http://vancouver.cs.washington.edu</a>, was modified when users visited it.  A piece of JavaScript code that we call a &#8220;web tripwire&#8221; detected such modifications, allowing us to record the change and notify the user.  Our study found that about 1% of the 50,000 visitors to our page received a modified version.  While 70% of these changes were caused by client-side proxies, we did see many changes caused by ISPs and firewalls as well.</p>
<p>For more information on our study and our results, you can read our analysis at <a href="http://www.cs.washington.edu/research/security/web-tripwire.html">Detecting In-Flight Page Changes with Web Tripwires</a>, as well as our recent <a href="http://www.cs.washington.edu/research/security/web-tripwire/nsdi-2008.pdf">NSDI 2008 paper</a> (PDF).  Our results have also been covered recently in the news media <a href="http://www.networkworld.com/news/2008/041608-isps-meddled-with-their-customers.html">here</a>, <a href="http://arstechnica.com/news.ars/post/20080416-research-1-3-percent-of-web-pages-altered-in-transit.html">here</a>, and <a href="http://yro.slashdot.org/article.pl?sid=08/04/18/0118256">here</a>.</p>
<p>If you would like to add a web tripwire to your own page, we have an <a href="http://www.cs.washington.edu/research/security/web-tripwire.html#toolkit">open source toolkit</a> that you can download and host on your web server.  We also have a <a href="http://www.cs.washington.edu/research/security/web-tripwire.html#service">web tripwire service</a> that is hosted by our server, which you can add to your page with a single line of JavaScript code.</p>
]]></content:encoded>
			<wfw:commentRss>http://cubist.cs.washington.edu/Security/2008/04/20/in-flight-web-page-modifications/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
