Current Event: Security Vulnerability in Safari RSS

By sojc701 at 11:40 am on January 13, 2009 | 2 Comments

Open source programmer Brian Mastenbrook reports that he has found a security flaw in Safari RSS feeds. He said that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. The vulnerability affects both Mac and Windows versions of Safari. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites.

Mastenbrook reports that all users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox). Users of previous versions of Mac OS X are not affected. Users of Safari on Windows are also affected. Users who have Safari for Windows installed but do not use it for browsing are not affected.

Although the vulnerability has been acknowledged by Apple, Apple has not made information available on when a fix for this issue will be released.

Therefore, Mastenbrook recommends that users not use Safari as their default RSS reader.
For Mac users:
1. Open Safari and select Preferences… from the Safari menu.
2. Choose the RSS tab from the top of the Preferences window.
3. Click on the Default RSS reader pop-up and select an application other than Safari.
For Windows users: use a different web browser.

For more information, see http://brian.mastenbrook.net/display/27

Filed under: Current Events, Miscellaneous

Storm worm cracked, but defenses may not fly

By oterod at 11:21 pm on January 11, 2009 | 3 Comments

The Storm worm, noticed for the first time on January 17th, 2007, is one of the more notorious worms of the last few years. Targeted initially at individual Windows machines, it often infected victims after they received a bait e-mail with a particularly intriguing subject line, originally on the topic of a nasty European windstorm. The malicious attachment, when opened, would begin sending data to predetermined locations, as well as potentially installing additional malware.

The two most important side-effects of the worm were assumed control of the victim machine for botnetting, as well as the application of a rootkit. What made Storm particularly effective as a botnet client was the use of peer-to-peer technology, rather than a strict client-server model. While “primitive” botnets could be attacked by targeting the centralized server, Storm created a P2P network of hosts, each of which was only ever “aware” of a small subset of the total botnet. While “command servers” did exert control over the botnet, they existed in numbers, and hosts were given means to find new command servers as they came online. This made it especially hard to know the botnet’s size and member machines, let alone take it down. Despite attempts by Microsoft to use its Malicious Software Removal Tool to cleanse infected nodes, estimates suggest remaining infected nodes are still plentiful.

In results published on January 9th, German researchers at Bonn University and RWTH Aachen University show analysis which could, if applied properly, lead to any remaining botnets’ demise. By disassembling the drone client program used by infected nodes, the researchers were able to discover the protocol used for inter-client and client-server communication. They then built their own client and hooked it into an isolated test botnet. Experiments with this client showed that drones in the botnet asked each other about command servers, much in the same way that a DNS query might travel. By creating their own bootleg command server, and using their false drone client to deceitfully route real drones to the new server, they found that they could assume control over some aspects of the infected nodes. This would allow them to remotely install and run cleanup software, potentially allowing systematic cleanup of an entire botnet.

“What’s the holdup?” you might ask. The problem is that this cleanup would violate German information safety laws. Not only would it invade victim machines in the same way that the worm itself has, but it could also cause all kinds of data corruption and other collateral damage as part of the cleanup process. The legal repercussions of invasion of privacy and potential tampering with data are severe. While the cost of allowing Storm-backed botnets to exist is immense — with respect to spam alone, Symantec clocked the e-mail spam-output rate of one infected node at around 360 messages per minute — the practical and ethical cost of cleanup is high enough that it’s unclear to the German researchers which is worse.

It seems to me as though another approach could prove less problematic. If non-Storm-controlled drones can enter the network as demonstrated by this research, they could be used to identify, rather than automatically fix, targeted nodes. With the support of some well-recognized anti-virus or computer security agency, an opt-in cleanup program could make owners of infected nodes aware of the risks of cleanup before granting access to their machines or installing cleanup software themselves. The public approval of a well-known name in the field would give credibility to the cleanup effort, and perhaps could provide an open infrastructure for individual opt-in.

At the very least, this research allows security professionals and individual Windows users to take anti-Storm defense into their own hands. Whether it can be used to extinguish remaining Storm-related activity remains to be seen, especially now that Storm’s developers have a chance to react. It appears that the current drone protocol doesn’t require server authentication; were that to be put in place, the researchers’ spoof-server approach would no longer work. The makers of the worm have shown an eagerness and a capability to react quickly and successfully to possible anti-Storm technologies, and could no doubt “fix” this “problem” too fast for it to be useful.

It will be interesting to see how this situation plays out. Hopefully, it will be for the better.

Filed under: Current Events, Ethics, Policy, Privacy, Research

Security Review: Facebook Applications

By vkirst at 10:26 pm on January 9, 2009 | 6 Comments

In mid-2007, Facebook launched a free development platform that allows independent designers to create applications that integrate with core features of Facebook. Since then, over 33,000 applications have been made, the most popular of the applications having over 16 million monthly active users. Facebook applications are intended to be opt-in modular extensions of Facebook for which users can voluntarily register. Facebook itself is composed of a collection of applications; many of the features people perceive as emblematic of Facebook (e.g. the Wall, Photos, and Events, to name a few) are actually “applications” in this design scheme, and they are provided by Facebook by default when one registers for the website.

(Read on …)

Filed under: Security Reviews

Current Event: Beware, Cellphones Attacks Next

By mcam at 6:37 pm on | 5 Comments

[Devy Pranowo and Xia (My) Cam]

A report from the Georgia Tech Security Center predicts that botnets are likely to hit mobile phones sometime soon. A botnet (http://en.wikipedia.org/wiki/Botnet) can be delivered to machines through email or instant messages, which are now features many smartphones have. Because of the developing cellphone culture all over the world, what’s on cellphones can be great treats for attackers.

There are many reasons why this problem might arise. Cellphones are now essential in people’s lives. Smartphones are taking over the market because they can do much more than just make voice calls. These phones can take pictures, send text messages, and send emails. Furthermore, now that cellphones can access the internet, people can download applications to run on their phones and might not be aware if they’re installing malicious software. The more prevalent use of cellphones and the more advanced technology adopted on cellphones mean there will be more people impacted by unwanted malicious attacks.

At least for now, there is no evidence of attacks aimed at cellular phones; however, the loopholes are there. As cellphone technology advances, it’s only a matter of time. For now, since cellphone technology has room for growth, there are opportunities to incorporate better security mechanisms as we develop cellular technologies. Also, it is important to educate users not to open unknown emails or URLs that would allow Trojans, viruses, or worms to infect their cellphones and thus allow attackers to control them. The latter is the best way to prevent social engineering attacks.

Cellphone attacks may also relate to a bigger part of personal data security. As cellphones become important tools for personal and corporate communications, this is another way for attackers to gain private information. For example, attackers can easily obtain social security numbers or credit card numbers.
We think the reason there haven’t been major attacks on cellphones is because there are so many different OSes (Java-based Blackberry OS, Mac OS, Windows Mobile OS, etc.) running on today’s cellphones, making it harder for attackers to create malicious code for them. But it’s better that some prevention be done before bad things happen. For instance, cellphone producers should give warnings to users before they do potentially unsafe actions or download information from the Internet. With the warnings, users will be more aware of the potential dangers of entering information or accessing data via their cellphones.

Article source:
http://www.networkworld.com/news/2008/101608-report-botnet-spam-attacks-to.html

Filed under: Current Events, Physical Security

Current Events – Undocumented Chip in Wii

By liaowt at 8:12 pm on January 8, 2009 | 3 Comments

Update: This entry was updated on January 9, 2009 to reflect a re-interpretation of the original article.

Several years after the Wii was launched, hackers found flaws in the Wii’s security. According to an article from Nintendo World Report, a tiny processor that was kept secret for security reasons was discovered by a group of hackers, Team Twiizers. Because the existence of the chip has been discovered, this can cause security problems.

As presented in this video, in order to run a game on the Wii, a ticket (key) is needed. The valid keys are all stored in the chip. However, this chip does not only hold keys; it also controls the bit that turns on DVD playback functionality, which is turned off by default. These aspects make the hackers feel challenged to break Nintendo’s security system.

(Read on …)

Filed under: Current Events, Physical Security, Privacy

Security Review: Security and Privacy Code of Ethics

By Kevin Wallace at 8:12 pm on | 2 Comments

The Security and Privacy Code of Ethics is a contract that every CSE484 student is required to sign, on penalty of a zero grade in the course. It places restrictions on the manner in which students may use knowledge gained in the course, and on the transfer of such knowledge. While it appears to be a good faith attempt by the University to prevent their students from engaging in malicious activities, it has several failings, and raises ethical issues.

(Read on …)

Filed under: Ethics, Policy, Security Reviews

Current Event: 3 London Hospitals Infected

By ando at 7:50 pm on | 3 Comments

According to articles from BBC and The Register back in November of 2008, three London hospitals fell victim to the Mytob worm. Originating from early 2005, this worm spreads itself through email and prevents removal by disabling any attempts to retrieve virus update definition files. The hospitals needed to shut down their systems for three days to ensure proper eradication of the virus. An efficient emergency procedure was executed promptly, minimizing impact. Hospital directors claimed the hospital was not targeted and reassured that patient records were not compromised.

(Read on …)

Filed under: Current Events

Data Breaches Booming

By nhunt at 7:02 pm on | 5 Comments

InformationWeek recently published an article based on data from the Identity Theft Resource Center (a non-profit organization which aims to understand and prevent identity theft), that shows an increase of 47% in the number of reported data breaches in 2008. The business sector reported the most breaches, followed by the educational, government, health and financial sectors. It’s interesting to note that in 2007, government institutions were at the top of the list, reporting the highest number of break-ins, but have since moved to third place. This may suggest government and military organizations are taking more proactive steps in protecting their information.

When the Internet first came about, data security wasn’t considered a concern; it was established to enable collaborative work over long distances. However, with today’s Internet, it is no longer a valid assumption that everyone has good intentions. Despite this, people still refuse to take any measures to protect their data. The article states that only 2.8% of the breaches had encryption in use, and only 8.5% had any sort of password protection. It’s no wonder there were so many break-ins.

Organizations need to recognize that the Internet is a dangerous place. It is no longer the friendly environment that it was when it was first established. Institutions should actively take steps towards protecting their data. This would include password protecting all accounts, and encrypting sensitive data. Further, users of these systems should be educated about general security practices, such as what constitutes a “good” password or why company laptops shouldn’t be brought home. Until actions such as these are taken, data breaches will continue to occur.

These sorts of incidents give rise to a number of privacy and safety concerns. For instance, a data breach at an online retailer could leak customers’ credit card information; a break-in at the DMV could reveal names, photos and addresses; private medical information could be gleaned from hospital computers; or military secrets could be stolen from an insecure server.

These organizations need to be encouraged to be more conscious of security issues. Individuals who were harmed by data breaches should hold the institutions accountable. For example, if it was a business that didn’t password protect their customer database, customers should refuse to purchase products from them until they revamp their security. Until they see repercussions for their lax attitude towards security, institutions will have little incentive to change.

Filed under: Current Events

Current Event: Lexus to begin sending messages directly to drivers

By seraphim at 5:57 pm on | 5 Comments

According to a recent article in USA Today, Lexus will begin including new technology to allow the company to send audio messages to the computers present in their cars. It appears to be similar to an e-mail system, where the user receives messages and can play them at his/her own discretion. This inclusion is simply part of an even larger electronic upgrade to the autos, simply known as Enform for now. While this definitely raises some concerns about how far into our lives marketing messages (i.e. spam) are allowed to be, it’s even more critical to be worried about what sorts of security measures will be implemented in their system.

(Read on …)

Filed under: Current Events, Miscellaneous, Policy

Current event: Apple’s iPhone 3G Unlocked

By cuijunwu at 10:47 am on | 1 Comment

Recently, an article in The Wall Street Journal described how Apple Inc.’s iPhone 3G was unlocked by a group of independent programmers called the iPhone Dev Team. Apple has partnerships with wireless networks around the world that allow iPhones to work exclusively on those carriers. An unlocked phone allows users to use any network carrier. The group released “yellowsn0w,” a free piece of software that can be used to unlock iPhone 3Gs. Several users claimed that they have successfully unlocked their iPhone 3Gs and were able to use them on unauthorized wireless networks.

(Read on …)

Filed under: Current Events