Current Event: California IDs to have biometrics? The DMV hopes so!

By Orion at 10:12 pm on February 6, 2009

It seems that in addition to the recently released biometric IDs in the UK, the California Department of Motor Vehicles seems to have recently tried to set up biometric IDs as well. In an otherwise innocuous vendor contract, the DMV included a proposal to create a new governmental database containing facial and fingerprint data. This situation is apparently worsened in light of the fact that the California legislature has not looked highly upon biometrics in the past, so it seems the DMV may have been trying to bypass the legislature entirely.

Filed under: Current Events, Privacy

Security Review: My Linksys Router

By justine at 10:09 pm

This morning, my power for some reason switched off, crashing something in my router and killing my laptop battery. For the rest of the day, wireless was down at my house and my roommate and I were physically plugging in (I know! Cables!). However, we (illegally?) share our wireless with our neighbors downstairs, and they came up to ask where the webbernets had gone to. Frustrated, I simply hit the reset button on my router and decided to just set it up again. Working through it, I realized that the user interface is a huge hindrance to the average user setting up a secure home network – a situation which I already know leads zillions of people to insecurely transmit sensitive info over the web.

Assets and Security Goals

  • The assets at stake here include anything people do over the internet – which today seems to include everything. For me, the most sensitive information I transmit is my online banking, followed up by my student information on MyUW as well as online sales. Also included is a lot of stuff I don’t usually think about needing to secure – but that could be exploited by an attacker – like my email and my Facebook account.
  • The goals then are to protect my transmissions from being read, tampered with, or spoofed. I don’t want anyone to know what I am doing on the internet, to change anything I am doing on the internet, or to be able to pretend to be me on the internet. Also, I don’t want anyone to be able to use my internet to do illegal things (except for me)!

Adversaries and Threats

  • Identity theft has become a huge issue in recent years, and so the adversary I am most fearful of is someone who would want to steal my identity, money, credit history, etc.
  • My roommate works for Amazon.com, and often has to use her work laptop on our wireless connection. Although she uses a VPN with a one-time use RSA token, we’d really like to keep a potential corporate spy as far away from her machine as possible.
  • What about my roommate herself? Or those innocent looking neighbors downstairs? Well, I hope I can trust all of these ladies…

Potential Weaknesses

  • Without any defense at all, our wireless is wide open. I’ve already seen what can be done with easily downloadable tools online – they even come with GUIs. In fact, in my opinion, these tools  are easier to use than the security setup for my router.
  • Even with security, an attacker could discover our passwords either by reading them off the whiteboard in my kitchen, or by sniffing our encrypted packets and trying to guess it.
  • If someone could connect to my network and also guess my high-security administrator password, they could also mess with my router to redirect me places I don’t want to go to, or otherwise manipulate my web access.

Defenses

  • The most important thing here is having your router set up properly – encrypted with good passwords (and NOT WEP), don’t leave the administrator password to default. However, this is not that easy – I am pretty sure my mom could not figure out how to do it, nor my web-savvy teenage sisters. Linksys should have all the most important settings on one primary page – and it should lock people out of the web until they have changed the administration password (or, even better, have a different password for each box and include the pwd in the packaging).
  • Having a good password is important. People don’t have enough training in this!
  • I often will check my router to see what machines are connected to my wireless – if there is one I don’t recognize I will freak out. But I’ve never seen one 🙂
  • It is also important to practice safe web browsing regardless of the wireless setup. Assuming that you are on an unsecure connection provides one extra layer of security. Https, encryption, all of these things are still necessary.

In sum, I am worried about the world. I had to dig through a long series of menus to find what I needed – and I already knew what I needed. For those who don’t, I’m afraid their information is at risk!

Filed under: Miscellaneous

Current Events: Cyber hackers turn to “virtual assets”

By elenau at 10:06 pm

According to ESET’s 2008 Global Threat Report, there has been a spike in the goals and targets of cyber hackers. Rather than attempting to break into a bank account or deface a website they would go for something more subtle, but if planned properly, highly effective.

Online gaming is a world wonder, it attracts a very large population of people; specifically the most widely growing genre is the MMORPG (Massive Multiplayer Online Role Playing Games). In such games such as World of Warcraft (WoW) characters accumulate what the article depicted as “virtual assets” which are essentially equivalent to real world items of actual value. The people who are engaging in these games are also required to invest real currency in order to play. 

Hackers are targeting players via social engineering standpoints and leveraging trust as a means of new attacks. They will first find a host character and infect him/her. Once they have control over the character’s account they will infect all those who trust the true identity of the character via URL or malware, sell all the “virtual assets” of the character for a bargain, take the money and run to the next victim.

The article wraps up by discussing what can be done from a developer standpoint to enhance the security of the users’ accounts on such games as WoW. They discuss authenticator RSA key generators that must be used in order to log into the account every time. However, they finish off by saying the real flaw is not the software, but it is the human element that is the weakest link in the chain.

The event is popular due to the amount of people who socialize and devote hundreds of hours to the addictive game that is WoW. Because the game is such a big hit amongst the gaming community, it has sparked high flames and caused quite a commotion. People fear losing their time and money invested in the game and this is something they cannot afford to lose. 

As was discussed before and is well known today, humans are essentially the weak point in a system. They open up security holes and allow perpetrators to get in and take advantage of the system. One thing that could have been done and still can be, and should be done, is educating the common man about the dangers of the online world. They must understand that the online industry, although highly sophisticated and at some point seemingly safe, can still present extremely high risks and dangers.

The broader issue around the event is that people in the gaming world and furthermore the online industry need to be conditioned and educated how to deal with the online world; how to keep themselves safe from online attacks and preventing themselves from being the next victim of such attackers. The real issue here is reinforcing the fact that the online world can be just as dangerous, if not more, than the real world.

Some of the reactions that can be foreseen coming out are uprisings of anger and disdain to the developers of the game for not “properly securing” the game. It seems that because the people who have been victimized have just lost so much, a great deal of animosity would be in their heads. They would not want to even hear that they themselves are the true reason for their own demise. 

In addition, corporations and enterprises that specialize in anti-malware tools would thrive on such an event. They would preach to the public about how their software can help ensure the safety of the user’s system and how the attack that happened to them was a result, not of their own fault, but the fault of the OS or Gaming industry itself.

After a while the fire would most likely die out and the event would be forgotten.

Filed under: Current Events

Current Event – Facebook the target of scammers

By ericm6 at 9:55 pm

As Facebook becomes more ingrained in people’s public lives, so does the opportunity for people to take advantage of the virtual identities of others.  Recently, a Seattle man, Bryan Rutberg, had his Facebook account used to extort money from his friends, saying that he had been robbed and needed money to get back from London.  Rutberg, however, was safe at home in Seattle.

A person’s Facebook profile is trusted enough that people tend not to question who is on the computer using the account, but we’ve probably all heard stories of friends having their status changed by a roommate while they’re in class.  I personally know someone whose girlfriend removed some of his friends from his profile without his knowledge.  It seems someone has taken this type of attack and started using it for more insidious purposes.

The biggest thing that could have prevented this particular situation would have been for Rutberg to be more security conscious in his use of Facebook.  The attacker most likely gained access to his account through some sort of malware that Rutberg inadvertently installed on his system.  The best way to prevent this is the same sorts of advice always given out about malware—be wary of untrusted websites and email.

This is especially important as social networking sites become more common for other uses.  If this had happened on LinkedIn, Rutberg might be out of a job, or worse.  People work very hard to protect their identity when it relates to financial assets, but intangible assets such as social and business reputations are at stake as well, and are often not as well protected.

Facebook is already taking action to make users aware when their account may be compromised, such as sending emails to the current contact email when changing or adding a new contact email.  More could be done to protect users’ identities on social networking sites, but this would more than likely simply get in the way of users of the sites.  The best reaction to this kind of event is to make users aware of it, so they are more careful with what they do on social networking sites.

Filed under: Current Events

Security Review: Online Advertisers

By petermil at 9:43 pm

Online advertisement is the lifeblood of the internet.  Without it, sites such as Facebook, Myspace, Google, etc. would go out of business. Approximately a year ago, Google alone reached over 1.1 billion unique users in a month (see 1) – and they had only 35% of the market at that point; this does not however imply that advertisers were reaching 3.14 billion users, as most top advertisers would reach the same users [note that Google also owns the #2, doubleclick].

With most major sites tied to the success of advertisers, there comes a tradeoff between appeasing advertisers and appeasing users.  The sites which appease advertisers impose interstitials, spyware, and popups.  By doing so, they increase the revenue advertisers are willing to pay, and they hope that their content is sufficiently interesting that users will wade through the ads regardless.  Other sites attempt to appease the users, and keep ads as unintrusive as possible, hoping that they will get more users due to the superior user experience, and that users will investigate ads because they care about the funding of the site and out of genuine interest in the ad.  The advertisers we are interested in here are the first category.

Security Goals

  • Advertisement should not harm the user passively (example: user opens page, spyware automatically installed)
  • Advertisement should not harm the user actively (i.e., the user clicks the ad and something bad happens)
  • Advertisement should not hijack space against the desire of the site owner (example (from 2): picture)

Adversaries and Threats

  • Malicious advertisers

Typically, these advertisers will be interested in installing adware/spyware/malware on a user’s computer.  This software will generally be responsible for browser hijacks, unexplained popup ads, and sometimes even credit card/identity theft.  A malicious advertiser is defined here as someone who commits these acts against the wish of the vendor and publisher.  Typically such an advertiser can only get away with such acts until the vendor or publisher is notified and takes actions to remedy it.

  • Malicious publishers

This is where a publisher deliberately puts spyware, or other harmful software, on their site with the goal of infecting their users.  They will expect to get a cut of whatever money is made due to such actions.  This can be very difficult to predict, as a site may be benevolent until it runs into financial difficulties, or the user gets tired and wants to move on, but not before maximizing profits.

  • Malicious vendors

This is less of an issue for those going with major vendors such as AdWords, but if a publisher chooses to use a small-scale advertising site, then they may run into a vendor who voluntarily uses such tactics as described above.

  • Malicious Third Parties

Here, a third party is anyone not involved in the advertisement process.  A virus writer who sends out e-mails with a virus which infects people with malware which hijacks google.com when the user tries to search would be an example of a third party.

Potential Weaknesses

  • Most sites give a limited amount of ability for users to provide feedback about advertisement–if an advertiser is infecting people with malware, it may take some time for it to be known and remedied.  In the meantime, countless users may be infected.
  • Browser holes are common.  By utilizing one of these holes, a user may be silently infected.
  • Ads can be difficult to reproduce.  They are randomly rotated, so merely linking to a page on which one got infected gives no guarantee that the investigator will see the same ad which caused the infection, leading him/her to believe it was a false report.
  • Third parties are good at infecting people.  This can be shown by how many people get viruses through merely opening attachments, for example.
  • Publishers are not very accountable for their actions.  Generally speaking, the worst that will happen to a publisher is that he/she will lose the userbase of the site.  Legal action is nearly unheard of, and so there is little at stake for the publisher who merely wants to make a quick buck and move on.

Defenses

  • Ensure that browsers/operating systems are up to date.  A fully updated user is rarely the user who gets targeted–most infections are due to vulnerabilities for which a patch already exists (not all, obviously).
  • Use an adblocking extension which prevents content from loading off known advertising domains.
  • Use firewalls/anti-virus.
  • Allow users to complain directly to the vendor about ads instead of requiring the publisher to do so (obviously, this step only works for malicious advertisers, not malicious publishers/vendors).
  • Only allow pre-screened (by the publisher) ads to appear. Unfortunately, this may severely limit the strength of the advertising, and requires a benevolent vendor/observant publisher.

The Future

With the current major browsers, most security threats can be blocked by fully updating them and using intelligent browsing habits.  The main risk is for those who either a) trust the publisher too much or b) are not careful users (the kind of people who see a download for a “toolbar required to display the content” and decide to download it, then end up infected).

It seems unlikely that online advertising will significantly change in the future.  There will be new technologies which can be exploited and new vulnerabilities, but online advertising is here to stay as the future of the internet.  Despite the backing-off of many advertisers with the weakening economy, advertising still remains a strong industry overall.  Major companies such as Google are relatively restricted ethically, due to their ease of accountability and need to maintain a reasonable public image.  Smaller vendors will remain the primary risk, due to their lack of concern about public relations and potential for lack of adequate staffing (leading to malicious advertisers having a long run).

Terms Used:

interstitial – a page (almost always advertising) which appears instead of the expected content.  The user is usually automatically forwarded after a certain amount of time, or he/she can click on a link which leads to the expected page.

publisher – the site on which the ad is served.  So, if an ad appears on mysite.com, then mysite.com is the publisher.

vendor – the company responsible for connecting advertiser and publisher.  Google Adwords is a major vendor.

Sources:

1: Attributor

2: Ben Edelman

Filed under: Security Reviews

Current Event: Spike in Online Game hacking

By couvb at 9:36 pm

According to an article on Gamasutra, online game hacking spiked in 2008.  It was noted that it usually wasn’t the games themselves being directly attacked, rather attackers would use social engineering or other techniques to install malware, such as keyloggers, that would steal the user’s account information.  Once the attacker can log into the victim’s account, they can then use their position of trust to send malicious links to friends of the victim, furthering their malicious goals.  The attacker could also steal the victim’s virtual assets and sell them for real money.  For example, in Blizzard’s World of Warcraft, despite it being against the EULA, there is a large real world market for in game gold and items.  Because it is generally not the games themselves being attacked, it is hard for game developers to prevent this.  However, Blizzard is setting a good example by allowing users to purchase RSA key generators as an extra line of defense (though you would think that with all the money they are sucking from their players they would be able to include this at no extra cost).  These authenticators generate unique keys at the press of a button, a new one of which is required at each logon.  With this extra layer of defense, even if the attacker logs the victim’s password and authenticator key, the next time they log on the authenticator key will be different, preventing the attacker from successfully logging on.  More details on the Blizzard Authenticator can be found at Blizzard’s site here.

Filed under: Current Events, Miscellaneous

More on Electronic Medical Records

By jap24 at 9:05 pm

As mentioned earlier in the blog in “Security Review: Electronic Medical Records,” Google has started an electronic medical record database called Google Health.  Today, IBM and Google announced that they have made software to allow PDAs to upload information to health care databases such as Google Health.  Google Health centralizes medical records for its users, by storing records entered manually or aggregating data from other related medical databases; the individual users decide who is authorized to access their records.  The new software can allow doctors to update patient information more quickly, and facilitates information sharing between health care providers.  As well as the obvious applications for sharing information between health care providers, the Computerworld article on this technology suggests that the new software would allow authorized people to keep track of the health of an ill family member more easily, as the doctors add updates to the database more quickly.  From the article, it was not obvious whether or not the software would also allow mobile devices to download records from the databases.


Filed under: Privacy, Security Reviews

Security Review: .tel domain

By eyezac at 9:01 pm

According to New Scientist, a UK company called Telnic is introducing a new top-level domain, .tel, with the intention of creating a “phonebook for the internet.” Users will only be able to register contact information, and this information will be accessible directly from DNS servers. In addition, Telnic has made available an API that can be used to extract and process this information. While this might make social networking as well as getting in contact with people easier than ever, it poses the possibility of some serious security risks.


Filed under: Current Events, Privacy, Security Reviews

Security Review: iPod Touch

By lidor7 at 8:51 pm

The iPhone has already had a security review and is similar to the iPod Touch, but I’m going to focus more on the security when someone has physical access to the device.  There are a number of security measures that are or can be used on the iPod Touch to limit access to certain features.  The iPod Touch, probably similar to the iPhone, contains a lot of personal information as well as access to iTunes and the App Store.

The two main assets on the iPod Touch are the personal information on the iPod such as photos, emails, contacts, notes, and schedules, and the access to iTunes and the App Store.  The owner of the iPod Touch may have some sensitive photos or emails that should remain secret.  iTunes and App Store accounts are usually linked to a credit card.  The owner wouldn’t want other people to make unauthorized purchases.  The iPod has a lot of functionality, and it’s not always clear what information is sensitive and what isn’t.

The security goal here is to restrict or limit access to sensitive information as well as prevent unauthorized actions such as purchases from happening.  At the same time, all the functionality has to be easy enough to use.

So two potential adversaries could be a nosy or prankster friend or someone who has physically stolen the iPod.  A friend might want to snoop around your personal information or perhaps jokingly purchase an “adult” app or change your wallpaper to David Hasselhoff.  Someone who has stolen your iPod may want to purchase apps and music using your account and credit card.

So the iPod has a few security measures.  Functionality of the iPod can be password protected with a 4-digit number.  When an iPod is locked (which typically can happen when a period of inactivity occurs), it asks for a 4-digit number to unlock the iPod.  This is only the case when the setting is activated.  Also, access to the App Store or iTunes is also password protected, but this time with an iTunes password, which is likely more complicated and can contain letters and numbers from a full keyboard.

Now there are a few ways to exploit these two security features.  Since the iPod Touch is a touch screen device, there are often smudge marks left from oil on fingers.  With a 4-digit password, it can be easy to spot the 4 smudges on the screen that may possibly be the password.  Also, with the iTunes password or any password in general, there may be smudges, but more and with less spacing.  However, as a convenience to the user, password input always shows the last letter that was pressed for a couple seconds.  Normally on a desktop or laptop computer, the password shows up as asterisks.  The iPod does the same eventually, but the last letter entered always shows up readable.  Someone looking over the shoulder can easily decipher the password.  Also, the pressing of each letter with just thumbs is much easier to read than when you have all ten fingers on a keyboard.  Additionally, once the password has been entered, it remains valid for several minutes before requesting the password be inputted again.  This allows an attacker to purchase apps or music right after the user has entered the password and finished with their legitimate purchases.

There are several potential ways to prevent these exploits.  If a different, more smudge resistant screen was used, it may be more difficult to detect the password input.  Also, suppressing the last letter of the password showing as an option would be good.  Or even better, don’t show any asterisks so eavesdroppers can’t see how long the password is either.  Additionally, perhaps a biometric scanner using a touch screen may some day be possible.

So the question really is, how much security do you need?  I imagine the information on an iPod Touch isn’t terribly sensitive in most cases.  And with a device like that, it will typically be in close proximity and unlikely to be accessed by an adversary without going unnoticed.  The level of security already implemented seems appropriate for the value and sensitivity of the assets.  However, it would be nice if there was a quick and easy way to password protect certain apps like email or photos with just the 4-digit number.

As technology grows, more and more information and functionality will be implemented in smaller and smaller devices.  As a result, the value of the assets may grow as well.  Blackberries have typically contained much sensitive information.  The recent Blackberry Storm has featured touch screen.  Along with the growing of assets contained in small devices, the security features currently available may become inadequate.  It’s interesting to see more and more fingerprint scanners showing up in laptops.  It seems people are aware that portable devices can contain sensitive information and can be stolen quite easily.  It will be interesting to see what kind of new security measures may be implemented on touch screen devices in the future.

Filed under: Security Reviews

Current Events – Infections that begin with windshield fliers

By qwerty at 8:36 pm

Not all computer malware infections are done completely electronically.  In recent events, cars in Grand Forks, North Dakota were tagged with “windshield fliers” which resembled a parking ticket, stating they were violating the “standard parking regulations” and that in order to view more about their offense they must visit some URL online.  This seems like quite the extent for one to go in order to infect one’s computer, but often enough – it works.


Filed under: Current Events, Miscellaneous, Physical Security