Security Review: The Bike and its Lock

By oterod at 11:12 pm on February 6, 2009 | 2 Comments

EDIT: It appears that I goofed with the “more” tag when I first posted this, so I’ve included the rest of the article below.

Since the days of waking up at 5am to watch the Tour de France live with my dad at eight years old, I’ve been a big fan of bikes. I’ve since grown to love riding them, and spent several years as an avid road racer. While I’m somewhat of an anomaly, many of you also rely on cycling for transportation to class, to work, and elsewhere. Unlike cars, which are just slightly harder to steal, bikes are the candy-from-a-baby in the world of theft. One magazine article I read several years ago had a “professional bike thief” (probably a security professional who learned methods of theft in his research) attempt to steal a bike secured by one each of every available bike lock on the market at the time. In public. The result? All but a single lock could be circumvented so quickly that nobody in the area even noticed that it was not unlocked by normal means.

I have to say, I am particularly bitter about bike security. A few years ago I was living in Stevens Court with a few friends. A past summer job at Gregg’s Greenlake Cycles had yielded an absurdly cheap employee purchase of a Lemond Tourmalet, a very nice road bike. I wasn’t using it to commute to school (who locks up a bike like that around the Ave?), but I did have it in our apartment so I could go riding. One day I came home and it had been stolen from my living room. My roommates had left the front windows wide open and the door unlocked. Go go speed racer, go.


Filed under: Announcements, Ethics, Physical Security, Security Reviews

Security Review: Smashing abstract—more on Lab 2

By stemcel at 11:04 pm on | 1 Comment

I was lost at first when starting Lab 2, as I had little to no experience with web programming. After floundering around for a few hours I got a better idea of what we were supposed to be doing and with the XSS cheat sheet was able to rapidly discover appropriate exploits for each of the filter versions on the mock search engine (except #5, of course).

Once I’d satisfied myself that I could get all the cookies I wanted I immediately launched into a more thorough investigation of the environment I had been working with, and began discovering real vulnerabilities. I was excited by the prospects available and decided to make a security review out of it. I spent the next couple days experimenting, then jumped onto the blog to write my security review only to find that two of my classmates had addressed the same topic the day before. Eriel Thomas addressed the security of the server at yoshoo.cs.washington.edu in his post “Smashing the Lab for Fun and Profit”, whereas David Balatero discussed his success in phishing about a third of the security class (including me… ouch) in “UW CSE Resources”. Just goes to show you that you should always examine links, even from trustworthy and computer-savvy friends :P.

I nearly despaired at several days’ work gone for naught, but after carefully reading both of the posts I believe that I still have something to contribute. My discussion will focus a bit more on the security of abstract and provide other additional details.


Filed under: Security Reviews

Security review: Powered Exoskeletons

By sal at 10:55 pm on | Comments Off

Exoskeletons look impressive in movies. They look impressive in real life also. Electronics read brain signals sent to muscles and cause actuators to move, thus ‘amplifying’ human strength. Exoskeletons are close to being mass-produced and available to people around the world. Since there are no datasheets or use instructions publicly available yet, I will briefly mention potential general security implications associated with these devices, as we will inevitably see them on the market very soon.

It is crucial for manufacturers to ensure the safety of the wearer. In addition, it is important to address the safety of people other than the wearer who can come into contact with this machinery.
Potential adversaries can be those who want to harm the person wearing it. Besides that, the goal of an adversary can be to cause harm to people other than the wearer or, in general, to cause harm to property.

The following are just a few of the potential weaknesses that need to be addressed.
  • Self-supporting mechanism: since most exoskeletons will support their own weight and are quite powerful, it is potentially possible to control one and cause it to walk on its own, possibly with a human inside.
  • Physical access to programmable controllers and circuitry can allow an adversary to reprogram them or embed their own controllers.
  • Actuators in particular: different people have different ranges of joint movement. An incorrect range can break the wearer’s bones or strain muscles, unless there are secure adjustable physical restrictions. If there are such adjustable physical restrictions, they can be changed by an adversary.
  • If attachable to a computer or network for service or reprogramming, most problems associated with securing personal computers and communications apply.

Besides regularly ensuring the integrity of the system and bug-free software, here are some key measures that any exoskeleton should have implemented to address security threats. Obviously, any adjustments, including physical ones, should be done with secure authentication of the user. Good shielding can be used to protect from outside electromagnetic fields that might cause the system to digress from normal operation.
It is important to detect big jumps in voltage/current in the system and disable the system, as is done in power wheelchair controls; but, as opposed to a wheelchair, more attention should be paid to gracefully shutting down, as incorrect disabling can cause the person to fall, causing injuries to himself or people around him.
It should be easy to escape the suit in case of danger, and there should be multiple disabling mechanisms available to the user.

These devices will have a big impact on society. Should police start carrying EMP guns? Exoskeletons can be of tremendous use to address people’s health problems, for example, or can become quite threatening in a malicious person’s hands. There are obvious differences from existing personal machinery. Extreme flexibility poses big dangers if not addressed properly. Whereas a car or wheelchair can be stopped by a railing, an exoskeleton could climb over it.

Filed under: Miscellaneous, Security Reviews

Security Review: New Technology Could Display Dreams on Screen

By elenau at 10:48 pm on | 1 Comment

For years there has been research going on in the neurobiological field attempting to decode images from brain activity. In 1999, the University of California, Berkeley, was able to reconstruct video images from a cat’s observed brain activity.

However, recently scientists in Japan decided to take the idea to an even more advanced level (article). Researchers at the ATR Computational Neuroscience Laboratories succeeded in processing and displaying images directly from the human brain. This sort of visualization has not been achieved before. The researchers’ goal is to apply this technology and eventually be able to record and replay subjective images that people perceive, such as dreams or memories associated with objects and places.

This sort of decoding is described as subjective. When people perceive an object, the image is converted into an electrical signal that goes to the brain’s visual cortex. To decode such messages, the subject first has to train the device used for the experiment, associating object representations with the location and type of brain signal. Later, when such signals are observed, it might be possible to decode them and in this way visualize the thoughts of a human.

So far subjects have demonstrated walking in a virtual world with the character controlled by brain waves. Similar gaming headsets are expected to appear on the market soon.

Also, researchers were able to reconstruct the image representation of the letters of the word “neuron” by decoding the brain activity of the subjects (article). To figure out people’s individual brain patterns and to train the interpreting devices, about 400 different still images were previously shown to the subject.

Although some people believe that the research is still too far from creating quality color video from brain signals, researchers continue advancing in the area, and think that the technology “could eventually display on a computer screen what people have on their minds”.

Filed under: Security Reviews

Current Event: California IDs to have biometrics? The DMV hopes so!

By Orion at 10:12 pm on | Comments Off

In addition to the recently released biometric IDs in the UK, the California Department of Motor Vehicles seems to have recently tried to set up biometric IDs as well. In an otherwise innocuous vendor contract, the DMV included a proposal to create a new governmental database containing facial and fingerprint data. This situation is apparently worsened in light of the fact that the California legislature has not looked highly upon biometrics in the past, so it seems the DMV may have been trying to bypass the legislature entirely.

Filed under: Current Events, Privacy

Security Review: My Linksys Router

By justine at 10:09 pm on | Comments Off

This morning, my power for some reason switched off, crashing something in my router and killing my laptop battery. For the rest of the day, wireless was down at my house and my roommate and I were physically plugging in (I know! Cables!). However, we (illegally?) share our wireless with our neighbors downstairs, and they came up to ask where the webbernets had gone to. Frustrated, I simply hit the reset button on my router and decided to just set it up again. Working through it, I realized that the user interface is a huge hindrance to the average user setting up a secure home network – a situation which I already know leads zillions of people to insecurely transmit sensitive info over the web.

Assets and Security Goals

  • The assets at stake here include anything people do over the internet – which today seems to include everything. For me, the most sensitive information I transmit is my online banking, followed up by my student information on MyUW as well as online sales. Also included is a lot of stuff I don’t usually think about needing to secure – but that could be exploited by an attacker – like my email and my Facebook account.
  • The goals then are to protect my transmissions from being read, tampered with, or spoofed. I don’t want anyone to know what I am doing on the internet, to change anything I am doing on the internet, or to be able to pretend to be me on the internet. Also, I don’t want anyone to be able to use my internet to do illegal things (except for me)!

Adversaries and Threats

  • Identity theft has become a huge issue in recent years, and so the adversary I am most fearful of is someone who would want to steal my identity, money, credit history, etc.
  • My roommate works for Amazon.com, and often has to use her work laptop on our wireless connection. Although she uses a VPN with a one-time use RSA token, we’d really like to keep a potential corporate spy as far away from her machine as possible.
  • What about my roommate herself? Or those innocent looking neighbors downstairs? Well, I hope I can trust all of these ladies…

Potential Weaknesses

  • Without any defense at all, our wireless is wide open. I’ve already seen what can be done with easily downloadable tools online – they even come with GUIs. In fact, in my opinion, these tools are easier to use than the security setup for my router.
  • Even with security, an attacker could discover our passwords either by reading them off the whiteboard in my kitchen, or by sniffing our encrypted packets and trying to guess them.
  • If someone could connect to my network and also guess my high-security administrator password, they could also mess with my router to redirect me places I don’t want to go to, or otherwise manipulate my web access.

Defenses

  • The most important thing here is having your router set up properly – encrypted with good passwords (and NOT WEP), and don’t leave the administrator password at the default. However, this is not that easy – I am pretty sure my mom could not figure out how to do it, nor could my web-savvy teenage sisters. Linksys should have all the most important settings on one primary page – and it should lock people out of the web until they have changed the administration password (or, even better, have a different password for each box and include the pwd in the packaging).
  • Having a good password is important. People don’t have enough training in this!
  • I often will check my router to see what machines are connected to my wireless – if there is one I don’t recognize I will freak out. But I’ve never seen one 🙂
  • It is also important to practice safe web browsing regardless of the wireless setup. Assuming that you are on an insecure connection provides one extra layer of security. HTTPS, encryption, all of these things are still necessary.

In sum, I am worried about the world. I had to dig through a long series of menus to find what I needed – and I already knew what I needed. For those who don’t, I’m afraid their information is at risk!
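To make the defenses above concrete, here is an added example (not part of the original post, and not Linksys software): a small Python audit that checks a router configuration for the weak settings the post warns about and compares the router’s connected-clients list against an allowlist. The key=value dump format, the field names, the sample MAC addresses and the passwords are all constructed for illustration.

```python
"""Audit a home-router wireless configuration against the defenses the post lists.

Added example, not part of the original post. The config format below is a
constructed key=value dump, not a real Linksys export; the field names
(wireless_security, wireless_key, admin_password, ssid) are assumptions.
"""
import re

# Constructed sample: roughly what a freshly reset router looks like.
SAMPLE_CONFIG = """
ssid=linksys
wireless_security=WEP
wireless_key=12345
admin_password=admin
"""

# Constructed sample of the same router after it has been set up properly.
HARDENED_CONFIG = """
ssid=apt-4b
wireless_security=WPA2-PSK
wireless_key=correct horse battery staple 2009
admin_password=Lr9#vq2!Tmx7pZ
"""

# Constructed allowlist of MACs we expect on the network (me, roommate, neighbours).
KNOWN_CLIENTS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f", "00:1a:2b:3c:4d:60"}

# Constructed "connected clients" table as the router's status page might show it.
CONNECTED_CLIENTS = ["00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:60", "de:ad:be:ef:00:01"]

# Factory-style admin passwords that must never survive setup (assumed typical values).
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}


def parse_config(text: str) -> dict:
    """Parse key=value lines, ignoring blanks and comment lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wireless(cfg: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    sec = cfg.get("wireless_security", "").upper()
    if sec in ("", "NONE", "OPEN"):
        findings.append("wireless is open: anyone in range can join and sniff")
    elif sec.startswith("WEP"):
        findings.append("WEP is used: it is broken by freely available tools; use WPA2")
    elif not sec.startswith("WPA2"):
        findings.append(f"weak wireless security mode {sec!r}; use WPA2")
    key = cfg.get("wireless_key", "")
    if sec not in ("", "NONE", "OPEN") and len(key) < 12:
        findings.append("wireless passphrase under 12 characters is easy to guess offline")
    admin = cfg.get("admin_password", "")
    if admin.lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administrator password is still a factory default")
    elif len(admin) < 10 or not re.search(r"[^A-Za-z0-9]", admin):
        findings.append("administrator password should be 10+ characters with a symbol")
    if cfg.get("ssid", "").lower() in ("linksys", "default", "netgear"):
        findings.append("SSID is a factory default; it advertises an unconfigured router")
    return findings


def unknown_clients(connected, known) -> list:
    """Return MAC addresses on the network that are not in the allowlist."""
    return sorted(m.lower() for m in connected if m.lower() not in known)


if __name__ == "__main__":
    for label, text in (("reset router", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for finding in audit_wireless(parse_config(text)) or ["no findings"]:
            print("  -", finding)
    print("unknown clients:", unknown_clients(CONNECTED_CLIENTS, KNOWN_CLIENTS))
```

The reset configuration trips four checks (WEP, short key, default admin password, default SSID) and the hardened one trips none; the client check flags the one MAC that is not on the allowlist, which is the “machine I don’t recognize” case the post describes.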

Filed under: Miscellaneous

Current Events: Cyber hackers turn to “virtual assets”

By elenau at 10:06 pm on | Comments Off

According to ESET’s 2008 Global Threat Report, there has been a spike in the goals and targets of cyber hackers. Rather than attempting to break into a bank account or deface a website, they would go for something more subtle but, if planned properly, highly effective.

Online gaming is a world wonder; it attracts a very large population of people, and the most widely growing genre is the MMORPG (Massively Multiplayer Online Role-Playing Game). In games such as World of Warcraft (WoW), characters accumulate what the article depicted as “virtual assets”, which are essentially equivalent to real-world items of actual value. The people who engage in these games are also required to invest real currency in order to play.

Hackers are targeting players via social engineering standpoints and leveraging trust as a means of new attacks. They will first find a host character and infect him/her. Once they have control over the character’s account they will infect all those who trust the true identity of the character via URL or malware, sell all the “virtual assets” of the character for a bargain, take the money and run to the next victim.

The article wraps up by discussing what can be done from a developer standpoint to enhance the security of the users’ accounts on such games as WoW. They discuss authenticator RSA key generators that must be used in order to log into the account every time. However, they finish off by saying the real flaw is not the software, but it is the human element that is the weakest link in the chain.

The event is popular due to the amount of people who socialize and devote hundreds of hours to the addictive game that is WoW. Because the game is such a big hit amongst the gaming community, it has sparked high flames and caused quite a commotion. People fear losing their time and money invested in the game and this is something they cannot afford to lose. 

As was discussed before and is well known today, humans are essentially the weak point in a system. They open up security holes and allow perpetrators to get in and take advantage of the system. One thing that could have been done, and still can be and should be done, is educating the common man about the dangers of the online world. They must understand that the online industry, although highly sophisticated and at some point seemingly safe, can still present extremely high risks and dangers.

The broader issue around the event is that people in the gaming world, and furthermore the online industry, need to be conditioned and educated in how to deal with the online world: how to keep themselves safe from online attacks and prevent themselves from being the next victim of such attackers. The real issue here is reinforcing the fact that the online world can be just as dangerous, if not more so, than the real world.

Some of the reactions that can be foreseen coming out are uprisings of anger and disdain to the developers of the game for not “properly securing” the game. It seems that because the people who have been victimized have just lost so much, a great deal of animosity would be in their heads. They would not want to even hear that they themselves are the true reason for their own demise. 

In addition, corporations and enterprises that specialize in anti-malware tools would thrive on such an event. They would preach to the public about how their software can help ensure the safety of the user’s system and how the attack that happened to them was a result, not of their own fault, but the fault of the OS or Gaming industry itself.

After a while the fire would most likely die out and the event would be forgotten.

Filed under: Current Events

Current Event – Facebook the target of scammers

By ericm6 at 9:55 pm on | Comments Off

As Facebook becomes more ingrained in people’s public lives, so does the opportunity for people to take advantage of the virtual identities of others.  Recently, a Seattle man, Bryan Rutberg, had his Facebook account used to extort money from his friends, saying that he had been robbed and needed money to get back from London.  Rutberg, however, was safe at home in Seattle.

A person’s Facebook profile is trusted enough that people tend not to question who is on the computer using the account, but we’ve probably all heard stories of friends having their status changed by a roommate while they’re in class.  I personally know someone whose girlfriend removed some of his friends from his profile without his knowledge.  It seems someone has taken this type of attack and started using it for more insidious purposes.

The biggest thing that could have prevented this particular situation would have been for Rutberg to be more security conscious in his use of Facebook.  The attacker most likely gained access to his account through some sort of malware that Rutberg inadvertently installed on his system.  The best way to prevent this is the same sorts of advice always given out about malware—be wary of untrusted websites and email.

This is especially important as social networking sites become more common for other uses.  If this had happened on LinkedIn, Rutberg might be out of a job, or worse.  People work very hard to protect their identity when it relates to financial assets, but intangible assets such as social and business reputations are at stake as well, and are often not as well protected.

Facebook is already taking action to make users aware when their account may be compromised, such as sending emails to the current contact email when changing or adding a new contact email.  More could be done to protect users’ identities on social networking sites, but this would more than likely simply get in the way of users of the sites.  The best reaction to this kind of event is to make users aware of it, so they are more careful with what they do on social networking sites.

Filed under: Current Events

Security Review: Online Advertisers

By petermil at 9:43 pm on | Comments Off

Online advertisement is the lifeblood of the internet.  Without it, sites such as Facebook, Myspace, Google, etc. would go out of business. Approximately a year ago, Google alone reached over 1.1 billion unique users in a month (see 1) – and they had only 35% of the market at that point; this does not however imply that advertisers were reaching 3.14 billion users, as most top advertisers would reach the same users [note that Google also owns the #2, DoubleClick].

With most major sites tied to the success of advertisers, there comes a tradeoff between appeasing advertisers and appeasing users.  The sites which appease advertisers impose interstitials, spyware, and popups.  By doing so, they increase the revenue advertisers are willing to pay, and they hope that their content is sufficiently interesting that users will wade through the ads regardless.  Other sites attempt to appease the users, and keep ads as unintrusive as possible, hoping that they will get more users due to the superior user experience, and that users will investigate ads because they care about the funding of the site and out of genuine interest in the ad.  The advertisers we are interested in here are the first category.

Security Goals

  • Advertisement should not harm the user passively (example: user opens page, spyware automatically installed)
  • Advertisement should not harm the user actively (i.e., the user clicks the ad and something bad happens)
  • Advertisement should not hijack space against the desire of the site owner (example (from 2): picture)

Adversaries and Threats

  • Malicious advertisers

Typically, these advertisers will be interested in installing adware/spyware/malware on a user’s computer.  This software will generally be responsible for browser hijacks, unexplained popup ads, and sometimes even credit card/identity theft.  A malicious advertiser is defined here as someone who commits these acts against the wish of the vendor and publisher.  Typically such an advertiser can only get away with such acts until the vendor or publisher is notified and takes actions to remedy it.

  • Malicious publishers

This is where a publisher deliberately puts spyware, or other harmful software, on their site with the goal of infecting their users.  They will expect to get a cut of whatever money is made due to such actions.  This can be very difficult to predict, as a site may be benevolent until it runs into financial difficulties, or the user gets tired and wants to move on, but not before maximizing profits.

  • Malicious vendors

This is less of an issue for those going with major vendors such as AdWords, but if a publisher chooses to use a small-scale advertising site, then they may run into a vendor who voluntarily uses such tactics as described above.

  • Malicious Third Parties

Here, a third party is anyone not involved in the advertisement process.  A virus writer who sends out e-mails with a virus which infects people with malware which hijacks google.com when the user tries to search would be an example of a third party.

Potential Weaknesses

  • Most sites give a limited amount of ability for users to provide feedback about advertisement–if an advertiser is infecting people with malware, it may take some time for it to be known and remedied.  In the meantime, countless users may be infected.
  • Browser holes are common.  By utilizing one of these holes, a user may be silently infected.
  • Ads can be difficult to reproduce.  They are randomly rotated, so merely linking to a page on which one got infected gives no guarantee that the investigator will see the same ad which caused the infection, leading him/her to believe it was a false report.
  • Third parties are good at infecting people.  This can be shown by how many people get viruses through merely opening attachments, for example.
  • Publishers are not very accountable for their actions.  Generally speaking, the worst that will happen to a publisher is that he/she will lose the userbase of the site.  Legal action is nearly unheard of, and so there is little at stake for the publisher who merely wants to make a quick buck and move on.

Defenses

  • Ensure that browsers/operating systems are up to date.  A fully updated user is rarely the user who gets targeted–most infections are due to vulnerabilities for which a patch already exists (not all, obviously).
  • Use an adblocking extension which prevents content from loading off known advertising domains.
  • Use firewalls/anti-virus.
  • Allow users to complain directly to the vendor about ads instead of requiring the publisher to do so (obviously, this step only works for malicious advertisers, not malicious publishers/vendors).
  • Only allow pre-screened (by the publisher) ads to appear. Unfortunately, this may severely limit the strength of the advertising, and requires a benevolent vendor/observant publisher.
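As an added illustration of the adblocking defense listed above (example code written for this page, not from the post or from any real extension), here is a hostname blocklist checker that matches on DNS label boundaries, which is the detail a naive substring filter gets wrong in both directions. The blocklist domains and the page’s resource URLs are constructed.

```python
"""Decide which of a page's sub-resources come from known advertising domains.

Added example, not from the original post or any real ad-blocking extension.
The blocklist and the resource URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed blocklist of advertising hostnames (not a real filter list).
AD_DOMAINS = {"ads.example-vendor.net", "tracker.example.org", "example-pops.com"}

# Constructed list of resources a page might fetch while rendering.
PAGE_RESOURCES = [
    "https://mysite.example/article.html",
    "https://cdn.mysite.example/style.css",
    "https://ads.example-vendor.net/serve?slot=top",
    "http://banner.example-pops.com/pop.js",
    "https://tracker.example.org.mysite.example/pixel.gif",  # look-alike, not a blocked domain
    "https://notexample-pops.com/legit.js",                  # suffix look-alike, not blocked
]


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL (empty string if none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ad_host(host: str, blocklist=AD_DOMAINS) -> bool:
    """True if host equals a blocked domain or is a subdomain of one.

    Matching is done on DNS label boundaries: "banner.example-pops.com" matches
    "example-pops.com", but "notexample-pops.com" and
    "tracker.example.org.mysite.example" do not.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def naive_is_ad_host(host: str, blocklist=AD_DOMAINS) -> bool:
    """Substring matching, kept only to show the misclassifications it produces."""
    return any(d in host for d in blocklist)


def filter_resources(urls, blocklist=AD_DOMAINS):
    """Split URLs into (allowed, blocked) using label-boundary matching."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if is_ad_host(host_of(url), blocklist) else allowed).append(url)
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = filter_resources(PAGE_RESOURCES)
    print("blocked:")
    for url in blocked:
        print("  ", url)
    print("allowed:")
    for url in allowed:
        print("  ", url)
    # The look-alike hosts show why substring matching is the wrong tool.
    print("naive match on look-alike:", naive_is_ad_host("tracker.example.org.mysite.example"))
```

Label-boundary matching is what makes a blocklist usable by the “not careful users” the post mentions later: it blocks every subdomain of a listed ad domain without also blocking an unrelated site whose name merely contains the listed string.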

The Future

With the current major browsers, most security threats can be blocked by fully updating them and using intelligent browsing habits.  The main risk is for those who either a) trust the publisher too much or b) are not careful users (the kind of people who see a download for a “toolbar required to display the content” and decide to download it, then end up infected).

It seems unlikely that online advertising will significantly change in the future.  There will be new technologies which can be exploited and new vulnerabilities, but online advertising is here to stay as the future of the internet.  Despite the backing-off of many advertisers with the weakening economy, advertising still remains a strong industry overall.  Major companies such as Google are relatively restricted ethically, due to their ease of accountability and need to maintain a reasonable public image.  Smaller vendors will remain the primary risk, due to their lack of concern about public relations and potential for lack of adequate staffing (leading to malicious advertisers having a long run).

Terms Used:

interstitial – a page (almost always advertising) which appears instead of the expected content.  The user is usually automatically forwarded after a certain amount of time, or he/she can click on a link which leads to the expected page.

publisher – the site on which the ad is served.  So, if an ad appears on mysite.com, then mysite.com is the publisher.

vendor – the company responsible for connecting advertiser and publisher.  Google AdWords is a major vendor.

Sources:

1: Attributor

2: Ben Edelman

Filed under: Security Reviews

Current Event: Spike in Online Game hacking

By couvb at 9:36 pm on | Comments Off

According to an article on Gamasutra, online game hacking spiked in 2008.  It was noted that it usually wasn’t the games themselves being directly attacked; rather, attackers would use social engineering or other techniques to install malware, such as keyloggers, that would steal the user’s account information.  Once the attacker can log into the victim’s account, they can then use their position of trust to send malicious links to friends of the victim, furthering their malicious goals.  The attacker could also steal the victim’s virtual assets and sell them for real money.  For example, in Blizzard’s World of Warcraft, despite it being against the EULA, there is a large real-world market for in-game gold and items.  Because it is generally not the games themselves being attacked, it is hard for game developers to prevent this.  However, Blizzard is setting a good example by allowing users to purchase RSA key generators as an extra line of defense (though you would think that with all the money they are sucking from their players they would be able to include this at no extra cost).  These authenticators generate unique keys at the press of a button, a new one of which is required at each logon.  With this extra layer of defense, even if the attacker logs the victim’s password and authenticator key, the next time they log on the authenticator key will be different, preventing the attacker from successfully logging on.  More details on the Blizzard Authenticator can be found at Blizzard’s site here.
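Both this post and the “virtual assets” post above rest on one property of the authenticator: a password plus code captured by a keylogger does not let the attacker log in a second time. The following added example (written for this page; it is not the Blizzard Authenticator’s code) implements the standard counter-based one-time code scheme, HOTP from RFC 4226, together with a server that retires each counter once it has been used, and walks through the replay the post describes. The shared secret and the look-ahead window are constructed/assumed values.

```python
"""Counter-based one-time codes (HOTP, RFC 4226) with replay protection.

Added example, not part of the original posts and not Blizzard's implementation.
It demonstrates why a logged password+code is useless at the next login:
the server has already moved past that counter.
"""
import hashlib
import hmac
import struct

# Constructed shared secret (in practice provisioned into the token when it is issued).
SHARED_SECRET = b"constructed-shared-secret-for-demo"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the RFC 4226 HOTP value for a given counter."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16 |
            mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


class Token:
    """The hardware token: each button press advances the counter and shows a new code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Server:
    """Server side: remembers the lowest counter still acceptable and never goes backwards."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0          # lowest counter the server will still accept
        self.look_ahead = look_ahead   # tolerate a few button presses that never reached us

    def verify(self, password_ok: bool, code: str) -> bool:
        """Accept only if the password checks out AND the code is a fresh counter value."""
        if not password_ok:
            return False
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # retire this counter and every earlier one
                return True
        return False


def replay_scenario() -> dict:
    """Victim logs in once; an attacker who logged password+code retries that same code."""
    token, server = Token(SHARED_SECRET), Server(SHARED_SECRET)
    first_code = token.press()
    victim_login = server.verify(True, first_code)
    attacker_replay = server.verify(True, first_code)   # same captured code, same password
    victim_next = server.verify(True, token.press())    # a fresh button press still works
    return {"victim_login": victim_login,
            "attacker_replay": attacker_replay,
            "victim_next": victim_next}


if __name__ == "__main__":
    print(replay_scenario())
```

The server stores a counter, not the codes themselves, so it cannot be tricked by re-sending an old value; the look-ahead window only ever moves forward. A keylogger still yields the password, which is why the post calls the authenticator an extra layer rather than a replacement for keeping the machine clean.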

Filed under: Current Events, Miscellaneous