Current Events: One more botnet-related legal fray

By oterod at 8:52 pm on March 13, 2009

As part of an “exposé” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to two specific test addresses, and finally, used their botnet to bring down a security firm’s backup website via DDoS. The DDoS attack was done with permission from the “victim” company (Prevx).

Now the BBC group is in a spot of legal trouble as their use of a botnet could potentially implicate them in the violation of the UK’s Computer Misuse Act. While BBC claimed that their use of the botnet was purely academic, and therefore not criminal, they did take control of non-consenting citizens’ home PCs. More importantly, in purchasing the use of a botnet, reportedly at somewhere between $300-$400 per machine, the news network essentially funneled a few million dollars into the hands of cybercriminals. And all so that they could demonstrate what many papers and news articles before them already had.

The journalists, at surface level, did a good job of keeping things academic and avoiding any sort of cybercrime. They spammed their own test e-mail accounts. They DDoS’d a prepared and willing target. They also put warning documentation on the infected machines, at experiment’s conclusion, explaining to their users that they had been infected, and how to best avoid future infections. Ultimately, however, by mere involvement with and commandeering of hijacked personal machines – and especially thanks to funding the true criminal party – they did indeed commit some level of criminal act. To what degree they are held responsible is now a matter for the British courts to decide.

This is just one more occurrence in a string of botnet-related legal issues. A similar issue plagued German malware researchers with the means to potentially dissolve the Storm worm’s botnet(s) (see http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/). It seems that academicians of all types are running into a fundamental problem with this particular security threat: there is no way to legally study it “in the wild.” The moment a researcher connects to a botnet, takes control of it, or otherwise interacts with it, he or she risks legal consequences. Whether or not any charges stick is a different matter, and quite frankly, it will take some time before reasonable precedents clarify the legal “consensus,” but regardless these issues represent a significant impediment to progress in anti-botnet research.

Filed under: Current Events,Ethics,Policy,Privacy,Research

Current Event: California Politician Wants All Satellite Imagery of Schools, Churches, and Government Buildings to Be ‘Blurred’

By vincez at 8:47 pm

A politician in California, Assemblyman Joel Anderson, has just proposed legislation to be drafted that would require Google’s map application to blur satellite imagery of all schools, churches, and government buildings. The Assemblyman’s proposal would require not just Google, but all satellite-based imaging software to blur these locations under the law.


Filed under: Current Events

How to break into a vault with 10 layers of security

By lidor7 at 8:39 pm

In 2003, Leonardo Notarbartolo and a team of Italian thieves broke into the Antwerp Diamond Center and made off with $100 million worth of  diamonds, jewelry and other valuables.  The vault was protected by 10 layers of security including a combination lock, Doppler radar,  infrared heat detectors, and more.  For six years, he has refused to speak with any journalists regarding the crime until now.

Wired magazine has published an article detailing Notarbartolo’s story and how he and his team were able to circumvent all the various security measures. It was interesting to see that despite having 10 different high-tech security measures, when each problem was considered individually, the exploit seemed simple yet ingenious.

For example, the infrared heat detector could be momentarily insulated using a thin layer of hairspray, buying enough time to physically  deactivate the detector.  Polyester shields could also insulate heat signatures, giving balcony access to the team.  Even though a forged  key was made, it turned out to be unnecessary because the guards simply kept it in a nearby supply room.

The question is, how could something like this have been prevented?  As I mentioned, when each individual security measure was considered,  each work-around seemed possible.  Considering all 10 security measures would be a daunting task.  What was interesting to note was that  each security layer protects the vault from becoming compromised, but there didn’t seem to be any specific countermeasures for preventing  someone from tampering with the security devices.  Considering how each security measure could be defeated and how security measures might  complement each other (i.e. protect each layer from tampering) would be a good way to prevent future break-ins.

Also, the thieves were able to break in because they were able to defeat predictable electronic devices.  Prior to the heist, they  gathered detailed information about the vault’s technologies, and they duplicated the vault and all its devices in order to simulate the  heist.  Once working details were confirmed, the same technology could be cracked consistently over and over.  At night, the security was  entrusted entirely to technology — no guard stood by at night to protect the vault.  Posting a guard would add a layer of uncertainty  that increases the risk of attempting a heist.

So that seems to beg the question, how much should we entrust technology to handle our problems? From a security stand-point, probably all technologies are fallible and are likely to fail in some way or another eventually. At the same time, the article brought up the issue of possible insurance fraud. There was the possibility that some of the diamond dealers were in on the heist and pulled out their inventory secretly prior to the heist, collecting on the insurance money while keeping their diamonds. That suggests that there wasn’t much of a system for keeping track of where the diamonds were and whether they were really lost in the heist or not. There needs to be a reliable system for tracking safety deposit transactions while maintaining privacy.

This also brings up the eternal security question — how much security is sufficient?  You would suppose 10 layers of high-tech devices  would be enough to deter thieves from an attempt.  Does there need to be more security?  Or perhaps the security could be used in a more  efficient and effective way.  Who are the stakeholders?  It seems like the bank, the customers with the safety deposit boxes, and the  insurance companies should have an interest in answering these questions.

Overall, the article told an interesting story, almost as if it were out of a movie.  I highly suggest reading it just for entertainment  at the least.

Filed under: Current Events

Security Review: Web based Remote Access

By sojc701 at 8:36 pm

Many operating systems include some sort of remote access solution by default. Windows XP, for example, ships with Microsoft’s Remote Desktop as a simple remote administration interface. Even OpenBSD, the Unix variant which is usually regarded as the most secure operating system available, includes SSH, which, again, is a simple and secure application that allows command-line access over a network connection to the remote computer.

Without the built-in applications, there are other solutions to control clients remotely with web-browsers, such as RemotelyAnywhere and LogMeIn. People can access their computer, on which the software provided by these companies is installed, on any platform.

These tools provide users convenience, but they bring security concerns as well. To control clients, users first log in to their account, in which the list of all clients is stored. If this system were compromised, it would be easy for attackers to control clients.


Filed under: Security Reviews

Cryptography towards a new kind of election?

By Orion at 8:11 pm

Computer scientists at the Harvard School of Engineering and Applied Sciences recently deployed the first “practical, Web-based, secure, verifiable voting system.” After testing through 2008 and early 2009, the system, dubbed “Helios,” was used for the university presidential elections at the Belgian Université Catholique de Louvain (UCL) in the first week of March 2009. The system uses asymmetric cryptography and mixnets to provide anonymity, ballot integrity, and open, public verifiability. The system is designed to be used for what they call “low-coercion” elections, because they have not provided any way for users to change their vote at another time if the user has been coerced into voting a certain way. But, the system does provide cryptographic auditing that allows any voter to verify that their vote has been correctly recorded, and allows anyone to verify that all recorded votes have been correctly tallied, something standard elections in the USA don’t even guarantee.


Filed under: Current Events,Integrity,Privacy

Security Review: PayPal

By beenen34 at 7:47 pm

PayPal, along with other services like Ebay, is an online tool used to transfer money that most are familiar with. Web payment services are a major convenience, but come with a number of significant risks. Services like PayPal can allow merchants to support payment over the internet without the necessity of having their own payment infrastructure, at a relatively small fee. Online shopping and payment for products and services of all kinds is very convenient for users as well.


Filed under: Security Reviews

Security Review: VoIP Communication

By bensona at 6:49 pm

Over the past five years or so, voice over IP has rapidly gained in popularity and use. It touts cheaper calls for residential users and corporations can save big because additional extensions on a VoIP infrastructure are less costly than their traditional phone system counterparts. VoIP uses the same data lines as IP traffic to transmit voice. As such, it faces many of the same security issues as digital data.

Assets:

  • Reliable, time-sensitive communication: No matter how much of our global communication is moving to text-based solutions, telephone calls are still the best way to communicate quickly
  • Privacy: Users discussing sensitive information want the content of their conversation to be accessible only to the intended parties.

Adversaries:

  • Digital phreakers:  Phreakers in the days of analog phones exploited phones to be able to make free calls.  Similar feats have been accomplished with VoIP systems.
  • Company rivals: They might seek to bring down a company’s communications to  reduce their ability to handle business.
  • Profiteers: Can hold a company’s communications ransom


Filed under: Security Reviews

Security Review: DTV coupon program

By Kevin Wallace at 6:20 pm

This June, all U.S. television stations must shut off their analog broadcasts, and replace them with digital ones. In order to make the transition less painful, the DTV Coupon Program offers up to two coupons to every U.S. household, good for up to $40 each off the price of a DTV converter box. I recently received mine, and a glance at the magnetic stripe on the back of the card made me wonder what security issues the program might have.

ASSETS

  • Consumer privacy / anonymity. If a consumer so chooses, they should be able to purchase a converter box with a coupon anonymously, revealing no personal information to the retailer, as if it were a cash transaction.
  • DTV subsidy funds. No one should be able to spend more than their allotted portion of the subsidy funds.

ADVERSARIES / THREATS

  • Retailers, who have financial incentive to uniquely identify and track consumers.
  • Malicious consumers, who wish to use more than their fair share of the subsidy funds.

POTENTIAL WEAKNESSES / DEFENSES

  • It turns out that the magstripe of the cards contains the consumer’s full name, allowing retailers to personally identify them. This is not ever disclosed to the consumer. This could have been avoided by instead encoding a unique, but non-personally-identifiable token instead. A consumer may still be able to use their card anonymously after blanking out or replacing their name on the magstripe, or by using an online retailer like Amazon.com, who doesn’t ask for the name the card was issued under.
  • It might be possible for a single card to be used more than once, if two purchases are made using the same card simultaneously. If this is indeed the case, this attack could be prevented by using a two-phase commit to prevent a card from being pre-authorized for use more than once.

CONCLUSION

While there are still serious privacy concerns with the current system, it is not very costly to opt out of the system by paying an extra $40 for a converter box. On the other hand, the system appears to be relatively secure against malicious consumers, with no known attacks against it in the wild.

Filed under: Security Reviews
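
The two-phase commit suggested in the DTV coupon review above, sketched as an added example (not part of the original post, and not the coupon program's actual system): a naive ledger that checks the card at authorization and marks it used only at settlement, next to a ledger that reserves the card atomically before committing. The class names, card id and transaction ids are hypothetical.

```python
import threading
from enum import Enum

class State(Enum):
    AVAILABLE, RESERVED, REDEEMED = range(3)

class NaiveLedger:
    """Racy flow: card checked at authorization, marked used only at settlement."""
    def __init__(self, cards):
        self.used = {c: False for c in cards}

    def authorize(self, card):
        return not self.used[card]

    def settle(self, card):
        self.used[card] = True

class TwoPhaseLedger:
    """Phase 1 reserves the card for one transaction; phase 2 commits or aborts."""
    def __init__(self, cards):
        self._state = {c: State.AVAILABLE for c in cards}
        self._owner = {}
        self._lock = threading.Lock()

    def prepare(self, card, txn):
        with self._lock:  # check-and-reserve happens as one atomic step
            if self._state.get(card) is not State.AVAILABLE:
                return False
            self._state[card], self._owner[card] = State.RESERVED, txn
            return True

    def _finish(self, card, txn, new_state):
        with self._lock:  # only the transaction holding the reservation may finish
            if (self._state.get(card) is not State.RESERVED
                    or self._owner.get(card) != txn):
                return False
            self._state[card] = new_state
            del self._owner[card]
            return True

    def commit(self, card, txn):
        return self._finish(card, txn, State.REDEEMED)

    def abort(self, card, txn):
        return self._finish(card, txn, State.AVAILABLE)

def simultaneous_sales(kind):
    """Two registers present the same card before either sale completes.

    Returns the number of sales that go through."""
    card = "COUPON-TEST-0001"  # constructed card id
    if kind == "naive":
        ledger = NaiveLedger([card])
        approved = [ledger.authorize(card), ledger.authorize(card)]
        for ok in approved:
            if ok:
                ledger.settle(card)
        return sum(approved)
    ledger = TwoPhaseLedger([card])
    reserved = [(t, ledger.prepare(card, t)) for t in ("txn-A", "txn-B")]
    return sum(ledger.commit(card, t) for t, ok in reserved if ok)
```

An aborted reservation returns the card to the available state, so a declined or cancelled sale does not burn the coupon.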

Security Review: Google Latitude

By elenau at 6:01 pm

Google Latitude is yet another product available by the well established makers of the Gmail internet based mail system. Latitude is a web based service, running in sync with a client side application Google Gears, which allows Google to pinpoint your exact coordinates in the world and then in turn display them to their Google Maps for you to see. As is the case with many of Google’s applications, this application functions on many different platforms including Windows, Windows Mobile, Android, iPhone, etc.

Latitude is able to detect your location via any means possible. This includes GPS, Wi-Fi access points and even cell towers. It does this by simply triangulating your position with any of these three resources it can. Once your position has been located this information is uploaded on your latitude account by Google and available to all whom you’ve opted to share your location with. This can pose potential security threats.


Filed under: Privacy,Security Reviews

Linux Desktop Security Vulnerabilities

By spa at 5:38 pm

A common method for infection of many operating systems is a malicious executable file–either sent in an email or downloaded otherwise–that the user simply double clicks without thinking. Because most users are so used to the concept of double click to open they may not in fact realize that they could be executing arbitrary code (especially with a default setting to hide file extensions) or that arbitrary code even running with low permissions, can still be incredibly dangerous.

A big selling point of security on many Linux or Unix systems is the distinction of Execute permissions. A downloaded file will not have the execute bit set. This means that, within a window manager, double-clicking will only attempt to read the file so the desktop system may ask what you want to do with it. Only by either explicitly telling this prompt to execute or by editing the permissions of the file from the command line can you execute this file. In either case this is an explicit action that the user must think about.

However, many distributions of Linux use a standardized .desktop [1] file format. These files are often used as menu items or program launcher shortcuts: they have an Exec parameter that can take an arbitrary command string to run when clicked.

[Desktop Entry]
Encoding=UTF-8
Type=Application
Terminal=false
Exec=bash -c "touch ~/haxxored"
Name=Write to an arbitrary file.

A desktop file that creates the file haxxored in the user’s home directory

Users and developers of these distributions have recently been arguing for re-evaluation of this specification for that very reason: they allow arbitrary code execution without the need for an executable bit set on the file.

This opens up the same vulnerability in Linux systems that had previously been avoided. An inexperienced user used to double click to open might download a .desktop file and try to open it. Even a more experienced user might not realize this issue and (expecting the previously mentioned behavior of simply reading the contents of the file) click on it to see the contents.

Even more troubling is the behavior of these Desktop files when used in the menuing system for many distributions: important system applications often have menu entries in /usr/share/applications. However, menu entries with the same name in ~/.local/share (the user’s local directory) with the same Name option will override the system one! A malicious script (perhaps even started by the exploit above) could shadow the desktop entry from one of the important system applications such as the Synaptic Package Manager. Users are used to typing their passwords at the gksu prompt when clicking on Synaptic so they would do so; now a malicious script has root access to the user’s machine.

Possible Solution

The biggest part of a solution to this problem would be requiring that .desktop files simply have execute permission set. On installation of a normal program this would be a trivial addition, but downloaded .desktop files would not be run. In case of some other malicious script gaining user access, normal users should not be able to override root owned .desktop files (like Synaptic).

These solutions are extremely simple, but they have not been implemented yet due to the desire for compatibility between different distributions. It may take time for these changes to be made.

[1] Desktop File Specification: http://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html

Filed under: Availability,Current Events
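
An audit for the two conditions the .desktop post above describes, added here as an example (not code from the post or from any desktop environment): it lists launchers with an Exec line but no execute bit, which the proposed rule would refuse to run, and user-local entries that shadow a system entry by Name or filename. The directory layout under ~/.local/share/applications and all sample entries except the post's own haxxored launcher are constructed.

```python
import stat
import tempfile
from pathlib import Path

def read_entry(path):
    """Return the key/value pairs of a file's [Desktop Entry] group."""
    entry, in_group = {}, False
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def audit(system_dir, user_dir):
    """Report launchers lacking the execute bit and user entries shadowing system ones."""
    system = {}
    for path in sorted(Path(system_dir).glob("*.desktop")):
        name = read_entry(path).get("Name")
        if name:
            system[name] = path.name
    findings = []
    for path in sorted(Path(user_dir).rglob("*.desktop")):
        entry = read_entry(path)
        if "Exec" not in entry:
            continue
        if not path.stat().st_mode & stat.S_IXUSR:
            findings.append(("no-exec-bit", path.name, entry["Exec"]))
        if entry.get("Name") in system or path.name in system.values():
            findings.append(("shadows-system", path.name, entry["Exec"]))
    return findings

def demo():
    """Build a constructed directory tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = Path(root, "usr/share/applications")
        user_dir = Path(root, "home/user/.local/share/applications")
        for directory in (system_dir, user_dir):
            directory.mkdir(parents=True)

        def write(directory, filename, name, command, mode):
            path = directory / filename
            path.write_text(
                f"[Desktop Entry]\nType=Application\nName={name}\nExec={command}\n")
            path.chmod(mode)

        # All entries are constructed samples; the second mirrors the post's example.
        write(system_dir, "synaptic.desktop", "Synaptic Package Manager", "synaptic", 0o644)
        write(user_dir, "download.desktop", "Write to an arbitrary file.",
              'bash -c "touch ~/haxxored"', 0o644)
        write(user_dir, "synaptic.desktop", "Synaptic Package Manager",
              "/tmp/constructed-wrapper", 0o644)
        write(user_dir, "notes.desktop", "Notes", "gedit", 0o755)
        return audit(system_dir, user_dir)
```

On a real system, `audit("/usr/share/applications", Path.home() / ".local/share")` covers the directories the post names.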