Current events: Microsoft offers money for catching Conficker virus creator

By sal at 10:57 pm on February 13, 2009 | 3 Comments

I didn’t pay much attention to the event mentioned earlier about the Conficker virus until this new event related to it arose – after all, is being infected by a virus such a rare occasion?
To remind you, it is estimated that there were over 10 million computers infected with the worm, which utilized a bug in Windows OS to infect unprotected computers, including those in government and military organizations. Its creators can start issuing commands to this network of hijacked computers by simply registering one of the domain names from its big list.
So, Microsoft decided to offer a $250k reward for information on the authors of the Conficker virus. Since this is one of those rare occasions on which Microsoft has offered a reward, it convinced me of the severity of the problem.
These rewards have been shown to work in the past, one of the most famous cases being the sentencing of a writer of Sasser in Germany. Microsoft happens to strike a good balance between stick and carrot politics in an attempt to achieve security for its products, moving more towards carrots lately (such as organizing the BlueHat conference for outside security professionals).
Although there is a trend in countries such as, say, Russia to implement harsher sentencing for cybercrimes, in many countries the complexities associated with getting the reward, or reaching sentencing, remain a big obstacle to those willing to turn in the creators of viruses.
Looking at the bigger picture, offering bounties utilizes the trustfulness of a hacker who shared his adventures with his colleagues, hoping they would keep it secret. But it seems there could be an inverse relation – the more bounties are given out, the less effective they will become. However, it is still interesting to see how some virus creators elaborately cover their tracks technologically, but fail to realize the severity of the risk of the human factor from their standpoint. Let’s see whether it works this time.

Filed under: Current Events, Miscellaneous | 3 Comments

Security Review: HomeLink Universal Transceiver

By vincez at 10:45 pm | Comments Off

The HomeLink Universal Transceiver is a device that, like a universal remote, can record the output of a wide variety of garage door openers and home automation control systems and emulate the output for future use. When used as advertised, the HomeLink system simply replays signals that you could have produced anyway, but from a central source. However, since the HomeLink device basically allows replay attacks, there are security implications if the device is to be used by someone with sinister intentions.

Community gate openers and garage door openers are, by their very design, long-range communication devices. If the signal the opener emits cannot be detected a good distance away, the device is not doing its job. Therefore, it follows that the HomeLink device could record garage door opener signals while passing by a car that is using a garage door opener. With access to many types of garage doors after being in the proximity of the door opening, a world of possibilities opens up.

(Read on …)

Filed under: Physical Security, Security Reviews | Comments Off

Security Review: Add-ons

By kosh at 9:14 pm | 1 Comment

An add-on is a simple plugin that you use, say for Firefox, to let you do your work more easily. This also lets you customize the browser in ways that do not affect the productivity of other people. Add-ons are becoming a major part of the browser functionality but sans the scrutiny that goes into developing a browser.

Assets and Security Goal:

* Assets: Your browser, everything that you use it for, your cookies (uh, not the ones you eat) and your privacy.
* Security Goal: Protect your privacy at all costs, and your cookies and your intimate browsing secrets!

Adversaries and Threats:

* Unauthorized publishers: This is the dreaded group of publishers that are able to make an add-on for your browser and pass it off as being legitimate and harmless. This is much easier than you think, since most add-ons are unverified, or rather community verified, and it might take a while to find an exploit.

Weaknesses:

* Counterfeit add-ons are the biggest risk – a majority of the add-ons are from unverified authors.
* Deceived by community rating. Since the rating for the plugins is done by the community, an obscure/malicious add-on can easily be made to look like a legitimate one through a community of attackers or an attacker with a community of profiles.
* Unauthorized plugins from third-party websites.

Defenses:

* Other legitimate users – These are probably the best and most formidable defense when it comes to validating add-ons. However, this is also a delayed defense, since ‘enough’ users will have had to use the add-on for someone to finally detect a malicious exploit.
* Firewall – Your firewall is also your second line of defense when preventing backdoor access through the malicious add-on.
* Antivirus software – An up-to-date virus definition file should help the software detect a malicious plugin. However, this also assumes that the attacker used a known exploit/trojan/virus to inject into the add-on.
* Security updates from the browser, OS – These can help patch the exploits that are currently in place.

Risks:
The risk of being duped means losing a significant amount of personal information that is stored in the browser. With the shift of the browser towards acting like an OS, with features to save passwords, sessions, etc., there is an unbelievable amount of personal information that can be stolen through a malicious add-on. The add-on can also redirect to malicious websites that involve elaborate phishing scams, leading to the loss of information and money. Such attacks give the hacker complete control of your online portfolio, which can be held for ransom and also misused, causing personal damage.

Conclusion:
Overall, although there are inherent risks to open source projects like a community browser, a large part of the attacks are easily mitigated due to the sheer number of users that pass through such an add-on. There also seems to be a significant, active and unofficial community that monitors the plugins for malicious intent. One way to decrease the probability of such an attack would involve letting a significant time pass from the release of the plugin to the installation, for it to be tested by active community members. Filtering the installation of add-ons also becomes an important but often impossible task in a corporate environment, where the risks are especially high. Add-ons (unsigned) are definitely a double-edged sword that needs to be dealt with carefully.

Filed under: Policy, Security Reviews | 1 Comment

Current Events: $9 million ATM scam

By elenau at 7:58 pm | 6 Comments

The FBI is investigating an ATM scam that occurred within a 30-minute period on November 8th. About 130 different ATMs were accessed to withdraw a total of about $9 million. The scam hit 49 cities worldwide, including Moscow, Chicago, New York, Hong Kong and Montreal.

The FBI says that the operation was very well coordinated, and at this time no suspects have been identified.

The description of the attack follows. First, the computer system of the payment processing company called RBS WorldPay was hacked.

“One service of the company is the ability for employers to pay their employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM.” The hacker was able to access the system and steal all the information needed to create duplicates of the ATM cards. (Read on …)

Filed under: Current Events, Privacy | 6 Comments

Current Event: Privacy is a joke

By kosh at 6:19 pm | 3 Comments

How many of you have received letters from your banks about a ‘revised’ privacy policy? Have you even bothered to read through this revised policy information? And the .000001% of you that have, have you ever found anything objectionable and done anything about it?

Welcome to the new joke called ‘Privacy’. No, I’m not talking about the most intimate information that you already have on Facebook (which, by the way, Facebook now owns and has the rights to share). I’m talking about the numerous merchants/banks/credit companies that you do business with but never really cared about what they do/could do with your information. When you read phrases like ‘shared with affiliates’ and ‘shared with third parties’, have you wondered what the difference between these two is? And besides, have you wondered why on earth banks would need to share your information with other people in the first place?

Almost all of us never think twice about how our information is freely passed around (for money, of course) in the open market for ‘agencies’ to analyze. Such information is then sold by VISA to other marketing companies for ‘market analysis’ and ad campaign management. I have a friend who works for VISA and he was able to pull up every purchase I’ve ever made on the credit card, and all he needed was my credit card number, which is easily available (how many of you shred your old credit cards?).

And guess what!!?? You have no control over who they share it with because, well, first of all, you never really read their privacy document. Even if you read it when you got the credit card, you never really read it the numerous times that they sent you the revised privacy policy. Now again, to the .00001% that read the document every time, you have no control over how VISA decides who their affiliates/partners and third parties are.

Concerned yet? Privacy in the current state is nothing but a big joke.

The only viable solution seems to be a universal privacy declaration/document issued by the government that the companies can be held responsible to. As much as we all hate a big brother state, trusting a bunch of greedy banks/credit companies/vendors is much worse.

Filed under: Current Events, Privacy | 3 Comments

Current Events: Monster.com data breach

By dravir at 6:12 pm | 1 Comment

According to MSNBC (http://www.msnbc.msn.com/id/29017452/), Monster.com, along with USAJobs.com (which Monster’s parent company runs), was breached, resulting in the theft of user IDs, passwords, email addresses, names and phone numbers. The number of records stolen was not disclosed, nor were any details concerning how the thief obtained access to their databases.

(Read on …)

Filed under: Current Events | 1 Comment

Private information ***LIKE NEW***

By Frung at 2:29 am | 3 Comments

Ever considered ‘recycling’ your computer without thoroughly wiping your hard drive first? Don’t. A recent study suggests that up to 40% of hard drives that end up on eBay and aren’t explicitly marked as erased may contain easily recoverable data from previous owners.

(Read on …)

Filed under: Current Events, Physical Security, Privacy | 3 Comments