UW Computer Security Research and Course Blog

Intel healthcare: SOA Expressway for Health Care

http://www.intel.com/healthcare/ps/soa/index.htm?iid=health+lhn_soa

Intel has created a scalable, easy to deploy health care network with the hopes of enabling sharing and collaboration of health care information. Intel Health Care network is build upon common components such as J2EE and the .Net framework, relying upon a High-performance XML Engine for data transmission. It is a “codeless” system, which means the network can be deployed and managed without the need for software development assistance. Once fully deployed this network promises great cost and efficiency gains, as healthcare and patient information can be shard much more easily. However the creation of a new system which will handle large amounts of sensitive patient and drug information brings about many interesting security questions.

Assets:

· Patient Information – it is of utmost importance to protect all sensitive patient information, including condition and treatment as well as address and billing information.

· Drug information – Many hospitals have strict regulatory policies on the management of drugs, outlining proper administration and inventory practices. The integrity (and sometimes secrecy) of information regarding the status of the pharmaceuticals in the organization must be maintained.

Adversaries:

· Doctors and hospital workers – The primary users of the system will be the various hospital staff. They will have the most interaction with the system as they will use it on a daily basis. Hospital staff utilizing the network will require a certain amount of authority (within the system) in order to properly operate it. This presents a potential threat, as they will have direct access to patient and drug information, as well as the authority to modify this information.

· Network maintenance technicians – The system is designed to be stand-alone on a day-to-day basis. There will be instances when the system will require a certain amount of routine technical maintenance. The people performing this maintenance will be very familiar with the internal workings of the system and will have full access to the system. This poses a threat, as it could potentially compromise patient information.

· Patients – If patients are given a chance to interact with the system, it may be possible that they can in some way compromise the system to extract confidential information, or falsify information.

Potential Weaknesses:

· Information Storage – If sensitive information is stored on accessible and/or unencrypted hard drives, it becomes increasingly easy to tamper with those components (the disks) in the interest of obtaining or modifying confidential information.

· Information Interception over Transmission – When sensitive information is shared between multiple nodes (a network), there must some kind of transmission mechanism. Such a mechanism could be a weakness if it does not properly protect the integrity and confidentiality of the data being transmitted. Also if the mechanism is not robust or reliable, this could result in the loss of important patient information, vital to patient care.

Defenses:

· Required authentication – all persons who will have any interaction with the system should have a strong means of identifying and authenticating themselves as valid users. All users should be limited in their actions and given just enough authority to perform the needed task.

· All information (both patient and otherwise) should be stored on encrypted hard drives which are protected physically.

· Any transmission of information should be done through an encrypted channel.

Risks:

The risks associated with this system are of grave consequences, as they involve sensitive and personal information for many patients. The risk of information leakage/compromise is present not only when the system is accessed/operated by hospital staff, but is also inherent in the fact that much sensitive information is stored and transmitted over potentially unsafe mediums.

Conclusion:

The Intel SOA Expressway for Health Care is a very promising technology which unites health care services and provides access to a great breadth of information. It is important to handle this information with great care and a sense of responsibility, as the information is oftentimes sensitive private. Intel is doing this by utilizing industry standard security practices, such as XML and web Security.

Within the next two years Verisign has promised that it will support DNS Security extensions across all of the domains that are top-level. DNSSEC provides measures that allow for primarily the authentication of the origin of DNS data and also provides a means to check the integrity of the data that is being sent. This prevents hackers from misleading web traffic to spoof sites and the problem that arose in the discovery of the Kaminsky Bug.

DNSSEC has already been deployed in other countries (Sweden, Bulgaria, Brazil) and .gov and .org, both domains operated by the United States government will begin using it later this year. The reason this is so important is the majority of business domains, both .net and .com are among the most likely to benefit from these changes and currently are waiting for the thirteen root zone server clusters to switch over to the new security standard. Verisign controls two of these server clusters themself.
(Read on …)

Hackers are targeting a zero-day vulnerability affecting Adobe Reader and Acrobat with malicious PDF files. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. Hackers have been spreading malicious PDF files containing the Pidief Trojan. If a person opens the file, the Trojan attempts to exploit an unpatched processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow.

The bug is due to an error in the parsing of certain structures in PDF files. If exploited successfully, the bug could allow a hacker to take complete control of a vulnerable system. “In parsing a specially-crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location, The attacks, found in the field, use the infamous heap spray method via JavaScript to achieve control of code execution.” blogged McAfee researcher Geok Meng Ong.

In the meantime, security researchers at the Shadowserver Foundation recommend users consider disabling JavaScript. Symantec also recommended Adobe users keep their antivirus up-to-date. “While we continue to investigate this issue, customers are advised to follow best practices and only open email attachments from people they trust,” blogged Symantec researcher Patrick Fitzgerald. “Enabling DEP (Data Execution Prevention) for Adobe Reader will also help prevent this type of attack.”

Adobe acknowledged the zero-day in an advisory to customers calling it critical. It confirmed the flaw in Adobe Reader 9 and Acrobat 9 as well as Adobe Reader and Acrobat 8.1.3 and earlier versions. Adobe officials say a fix for the issue will be available for Adobe Reader and Adobe Acrobat in the coming weeks.

When I recently tried to look up some information about the song L’America by The Doors, I stumbled upon the site songfacts.com (http://www.songfacts.com/detail.php?id=278). At the site, I was immediately greeted by a popup box cheerfully proclaiming “HAI2U”. After having dealt with this extensively in lab 2, I immediately recognized this as an XSS vulnerability that someone had taken advantage of. Looking into the source code, I saw that the javascript alert was the only thing that had been done–luckily not too malicious. Unfortunately, the code was also in a permanent comment on the site so that any visitor to the site is subjected to the attack rather than having to special link. The attack was done with a simple script tag, so obviously little or no filtering is being done. I sent an email off to the site telling them about their vulnerability, what a malicious user could use it for, and how to fix it with a php filter and a link to suitable filter. Although part of me wanted to play around with the security hole a little more (perhaps a real life version of lab 2?), I thought it would be better to try to have them fix the site. I like songfacts because there are some interesting things, so I rather they fix it then have someone else break the site with redirects, cookie stealing, or any other similiar (or even more malicious) things. I just wanted to let everyone know that what we did in lab 2 is most definitely applicable to real life and XSS vulnerabilities are still out there on many different sites.

One other thing I wanted to ask others about is how would you deal with this situation of finding a vulnerability in a website? Would you anonymously report it to the site or offer to help? Or would you try to look into the security hole a little more to see what was there? Perhaps a few people would even want to do some semi malicious things to see what was possible (although I’m sure no one will post that). Also, has anyone else encountered XSS attacks in the wild?

As a side note, please don’t exploit this because the vulnerability is still there on that site. Remember, you signed legally binding and restricting ethics forms!

Update:

After I emailed the website, they took out the offending post and also asked me for more information on fixing this problem. I wrote some more information for them and tried to help clear up this security vulnerability as well as others that may arise from the same issue of user input sanitation. The admin was very glad to have help and offered to send me a t-shirt in return for my help. It looks like being good and helpful paid off.

On another note, I have found XSS vulnerabilities to be way too common on the web. As dangerous as these can be, it seems like site administrators are not well informed about these problems. While just going about normal business on the web, I also found an XSS vulnerability in the Windermere real estate pages. I have emailed that webmaster as well so hopefully they are as receptive to the problems as the first site owner was.

Self-scanning checkout, also called “self-checkout” is an automated process that enables shoppers to scan, bag, and pay for their purchases without human assistance. A typical self-scanning checkout lane looks like a traditional checkout lane except that the shopper interacts with a computer’s user interface (UI) instead of with a store employee. Instructions are given to guide shoppers to complete the checkout process. Typically, the customer scan each item or manually enter its identification code and bag it. The weight observed in the bagging area is verified against previously stored information to ensure that the correct item is bagged, allowing the customer to proceed only if the observed and expected weights match. After scanning and bagging, customer may choose method of payment: debit card, credit card, or cash. There is normally an attendant watching over several self checkout machines, to provide assistance, prevent theft through exploitation of the machines’ weaknesses, and to enforce payment. Attendant assistance is also required for the purchase of age-restricted items.

(Read on …)

Over 2.5 Million dollars was stolen from the State of Utah’s Treasury, according to a recent article in the Salt Lake Tribute.  According to the article, an attacker obtained a vendor number for the University of Utah’s construction department, then submitted paperwork with a forged signature from the director changing the departments back account to a new Bank of America account located in Texas (The article uses the word “signature” but I can’t seem to find if it was digital or hand-written, I am assuming hand-written given the context).  The attacker apparently set up this account using intermediaries who may not have known its purpose.  With the account in place, and the paperwork filed, the attacker began submitting invoices on the State of Utah’s website on behalf of the University department, such that deposits were made, summing to nearly $2.5 million, into the fraudulent account.  Fortunately the account was frozen before $1.8 million dollars were transfered, resulting in a net loss of $700,000. (Read on …)

According to a recent article from Business Week, a photo-sharing site, YoBusted.com, has crossed the line between maintaining personal privacy and extortion. This site allows users to post incriminating pictures of friends without proof that his or her permission to use the photos has been given. The “busted” friend can remove the photos, but only after paying a fee to become a member of the YoBusted site. According to the article, at least four people found photos on the site that had been taken from their Facebook profiles and posted on YoBusted without their permission and inaccurately tagged with their names (thus wrongly accusing them of participating in the activities depicted in the photos). Facebook has alerted the FBI against this site claiming that posting the pictures was a violation of Facebook’s terms of service and that the site is unlawfully requiring payment for picture removal. YoBusted claims that it provides many services (not just removing pictures) that justify charging a fee to use their site and that in order to maintain the attractiveness of the site, will remove photos under their discretion without charging a fee.

Besides the obvious personal security concerns of having embarrassing photos posted online without the individual’s permission, there are larger issues here: anyone can make a website that can provide almost any service they want. YoBusted is an incorporated company using a legally registered domain to provide a service that allows anyone to be the paparazzi and everyone to be the next big tabloid story. This site is the encarnation of a common public desire: gossip, only people are taking it more personally when it’s their face plastered all over a website instead of some big movie star or politician. Quite frankly, I think this site is teaching users a valuable lesson: don’t put embarrassing photos of yourself on the internet and increase the privacy settings on your social networking sites.

I think another big issue highlighted by this controversy is that individuals are no longer in control of their online reputations. It seems that even a person who has never accessed the internet can’t escape some amount of information about themselves being somewhere online. The underlying question is how can people combat something they can’t even detect? Are internet users (and non-internet users for that matter) really expected to constantly surf the web to ensure no one has posted something about them without their permission?

People will most likely react to this site’s attempt to provide a “valuable” service with concern and fear, which will hopefully encourage them to take down embarrassing photos of themselves and increase their privacy settings online.  In the broader social context, maybe this issue will make people think twice before they do something stupid. I doubt it, but for humanity’s sake, I can at least give them the benefit of the doubt.

Note: YoBusted.com is currently “Under Construction”. I’d be interested to know if this is a direct result of Facebook’s accusations and/or other political/social influences.

In the United States, automobiles are everywhere.  Most middle-income families own more than one vehicle, and chances are that everybody knows of at least one person whose vehicle has been broken into or stolen.  Cars, trucks, and SUV’s are very expensive and contain many assets that would interest adversaries.  As technology improves, the ways vehicles are secured continually gets better, but thieves also get smarter.  There will never be a completely secure vehicle.

(Read on …)

According to yahoo!News, the statistics of 28,000 passwords that are recently stolen from a popular US website that is posted in physorg.com  “16 percent took a first name as a password … 14 percent relied on the easiest keyboard combinations to remember such as ‘1234’ ….” People tend to use passwords that are easy to remember such as names, their favorite words, etc. Since most people have many accounts, in order to manage their log in passwords, they intend to chose easy remember password.

One way to prevent people from using weak password is for them to have a built-in password checker when the users register new account or wanted to change their passwords(like the one that is posted here).  There should a requirement for the password length and combination. A secure password has to be at least 8 characters long and it “should include a combination of uppercase and lowercase letters, numbers, and symbols.” Moreover, it would be helpful if there are short side note on how to create secure password.

The attacker can compromise people’s accounts using these easy-to-remember passwords and they have about 40 percent chance to get it correct. Other than that, users tend to write their passwords down on their notes or PC. By doing this, attackers can easily get access to users’ computers and get their passwords.

If people think that their account for a website is not that important to them, they won’t even bother to change their passwords to stronger ones. They believe that even though they have weak passwords, their accounts won’t be attacked.  On the other hand, people would probably change their weak passwords to more complex ones for financial account such as banking account or private account like Gmail.

I didn’t pay much attention to the event mentioned earlier about Conficker virus, until this new event related to that event arose – after all, is it such a rare occasion being infected by a virus.
To remind you, it is estimated that there were over 10 million computers infected with the worm, which utilizied a bug in Windows OS to infect unprotected computers, including those in government and military organizations. Creators can start issuing commands to this network of hijacked computers by simply registering one of the domain names from its big list.
So, Microsoft decided to offer $250k reward for the information on authors of the Conficker virus. Since this is the one of those rare occasions Microsoft offered a reward, it convinced me of the severity of the problem.
These rewards showed to work in the past, one of the most famous cases being sentencing a writer of the Sasser in Germany.  Microsoft happens to play a good balance between stick and carrots politics in an attempt to achieve security for its products, moving more towards carrots lately (such as organizing BlueHat conference for outside security professionals, for example).
Although there is a trend in countries, such as, say, Russia to implement harsher sentencing for cybercrimes, for many countries, complexities associated with getting the reward, or reach sentencing remains to be a big obstacle to those willing to turn in creators of the viruses.
Looking at the bigger picture, offering bounties utilize trustfulness of a hacker, who shared his adventures with his colleagues, hoping they will keep it secret. But seems like there could occur an inverse relation – with more bounty given out less effective it will become. However, it is still interesting to see how some virus creators elaborately cover their tracks technologically, but fail to realize severity of risk of a human factor from their standpoints. Let’s see whether it works this time.