UW Computer Security Research and Course Blog

Many online news agencies are reporting that a Chinese group of hackers have broken Apple’s iTunes Gift Voucher code generator. The original story seems to come from Outdustry, a Chinese music industry website, and tells of $200 gift certificates being sold for as low as $2.60. The same article tells of how the seller freely stated that the certificates were generated via a key generator.

However, the information we have is nowhere near enough to show that the certificate generating algorithm has been cracked. For one, despite the large number of new sites reporting the break, all that I’ve seen can be traced back to Outdustry. Before I saw this story, I had never heard of the site Outdustry, and given that it just looks far more like a blog than a credible news source, I must say I am skeptical of the validity of this story. As for the cheap vouchers, they may or may not have been generated by hackers. Perhaps they were bought with stolen credit card information.

Lastly, there is more to an iTunes gift certificate, or any digital gift certificate, than just a number. The agency in charge of redeeming certificates must validate each one. If the validation was entirely contained within the gift code, then there would be nothing to stop the same certificate being used multiple times. No, no matter how the keys are generated, Apple must have some way of telling used certificates from good certificates.

This raises an interesting point. If we assume that the Chinese certificates have been created by a key generator, and if those certificates work to on the iTunes store, then one of two things happened. Either the keygen created a key already in use, but not yet redeemed, or the default state for a certificate is “valid.” I count the first case as very unlikely, and the second case would be almost criminal in its exploitability.

Overall, I don’t believe any such cracking of the iTunes gift certificate format took place. Stolen money/credit cards could explain the cheap, under the table deals on certificates.

Original Source: Outdustry

Most people renting an apartment use a common drop-box to pay the rent. Most often this is located in an easily accessible common are like the mailboxes or near the manager’s office. The setup to be discussed here is a box with a key lock. The box has a flap that opens with just enough room to slip in a folded check but, presumable, not enough to reach in.

Assets/Security Goals

• The money in the checks
• The personal information and signatures on the checks

Adversaries

• Non residents interested in stealing money or identity
• Residents interested in the same
• Residents interested in forcing neighbors into late fees or the like

Weaknesses

• The checks are left in the box often for days. This means there is a significant amount of time during which the box can be compromised without anyone noticing.
• Common areas are accessible not only by residents, but quite easily by non-residents: guests, or strangers who follow a resident through the main door.
• The key lock is often a very weak lock which is easily picked or broken.
• The box itself is often cheap a flimsy or is fastened together with regular screws. Using a screw driver in the easiest case, or to the extreme a crow bar or brute force.

Potential Defenses/Conclusion
There are several solutions which could alleviate to a large extent these security risks. An overriding weakness of these solutions is that they are relatively expensive compared to the cheap cost of existing drop boxes and the biggest stake holders (the residents paying rent) are not in charge of choosing the solution (the building managers). Nevertheless, I will discuss some possible solutions. There are two basic levels of the solution. Limiting access to the box: general complex security measures like double door entrances, keys on more doors before getting to the drop-box area and the like, as well as only leaving checks out for a shorter period of time (perhaps collecting several times a day during payment periods. Making the drop box more secure: stronger boxes and locks would prevent access to the checks. Moreover, other methods such as direct delivery (in person) to the managers would eliminate most of these vulnerabilities. These solutions either compromise convenience (for example delivering directly to manager means that more coordination is required) or money (for example more expensive boxes or locks).

Apologies for reviewing the same technology. The other Google Voice review just appeared for me, which was after I wrote my own. I did check prior to starting this review, and it wasn’t up then.

Summary:

ComputerWorld had an article about Google Voice.  Google Voice is a new service offered by Google to make people’s phones more usable.  Google Voice will automatically transcribe a user’s voicemail into text form, using speech recognition software.  Because the transcription is done with software, there may be some mistakes in the text versions.  The transcriptions will be made available in the user’s inbox.  The service can also e-mail or SMS the messages to you. If I user desires the service can be turned off.

Google Voice builds on the technology of GrandCentral, a company that Google bought a few years ago.  This technology allows a user to have a single number for all of their phones.  When this number is dialed, all of the associated phones also ring.  In this way, a user can be contacted regardless of which phone (home, work, cell, etc…).  Google Voice will initially be offered to current users of GrandCentral.

(Read on …)

The apartment complex I live in is comprised of a garage and multiple residential floors. The access points into the building are through the elevator, garage, and a street access door. All three use RFID keycards to restrict the access to only residents. The elevators are activated with the keycard. Once activated a floor button can be pushed and the elevator functions normally. The keycard is also used open the garage gate and outside doors. Once inside a resident would have to use the elevator to reach his or her apartment floor.
(Read on …)

http://www.sciencedaily.com/releases/2009/02/090224133010.htm

Summary

Researchers have proposed and started testing a new system for helping to identify potential bugs and security flaws during the development cycle of software development.  It works to help the development team identify and prioritize potential targets and weaknesses, and encourage a wider breadth of understanding for each member of the team.

Assets / Security goals:

• The goal of this method is to help developers to explore the potential vulnerabilities in a proposed system/feature. This encourages keeping security a priority for the project from the beginning, during the design phase
• To ensure that all people working on the project understand the potential risks associated with the features that they will be working on, and to ensure the diversity of people’s knowledge is taken advantage of.

Potential adversaries / threats

• Any adversary that wants to take advantage of this system would have an interest in observing/subverting this process being undergone.
• Unscrupulous employees could bias the results of this process by drawing attention away from real issues

potential weaknesses

• this method relies on the knowledge of those involved in the design process. It’s quite possible for these people to lack knowledge of attack methods that could be used against the product being designed, as it’s unlikely for any single team to contain experts in every possible attack method.
• This method only outlines the potential security threats posed by the features during the design phase. During actual development/implementation, the actual threats and vulnerabilities may change, and these aren’t addressed using this method.

Potential Defenses

• This procedure should be used in conjunction with other risk and security analysis tools to ensure the broadest range of coverage
• Evaluations such as this should be repeated at regular intervals with a changing group of participants. The variability would encourage new ideas and provide newly discovered vulnerabilities to be discussed at length.

Given the difficulty of quantifying risks and potential security threats of any new product, this method is a good way to encourage the security mindset from the get go. The effectiveness of this method is entirely dependent on those who participate, but it does encourage the kind of thought necessary to protect systems from attackers.

This vulnerability is one of the most profound in computing.  Every computer has a connection from the keyboard to the CPU, and when signals are sent this connection acts as an antenna, transmitting a characteristic wave for each keystroke.  Each key strike actually emits a characteristic sound wave for each key.  Both of these facts have been used to sniff keystrokes from the air.  Even worse, PS2 keyboards have a connection to ground which causes their characteristic waves to be sent out in the power grid as well.  This means that an adversary could eavesdrop by plugging in a device near the victim’s computer.  Theses forms of attacks were first realized by the US government during WWII, but the countermeasures they developed were deemed too difficult to roll-out at the time.

Assets and security goals:
–Goal: Users should be able to type without having people know their keystrokes anywhere in the vicinity or through walls.
–Asset of concern: Assets that users should hold private but are currently vulnerable include papers, financial information, private communications, passwords, and business communications.

Adversaries and threats:
–Other governments are an adversary who could be recording the keystrokes of any government official they can dedicate an antenna to.
–The main threat is that everything you do on your computer being tracked by an unknown third party.

Potential Weaknesses:
–Electromagnetic waves emitted by the keyboard to computer connection cause characteristic waves to be sent with each keystroke.
–Connections to ground propagate characteristic signals of each keystroke in the power grid.

Potential Defenses:
–Shield the keyboard-computer connection with lead.
–The output of all electrical lines should be filtered by some bandpass filter.

The main difficulty with the shielding of electromagnetic radiation is that it requires a thick metal to encase the machine, which is costly, bulky, and inconvenient.  New ways need to be researched to shield, filter, and mask the emissions of computers.  Recently, the research team of Ecole Polytechnique announced they have uncovered ways to sniff keystrokes from 20 meters away with 95 percent accuracy using an antenna, oscilloscope, analog-to-digital converter, and a PC.  They plan to present a talk about the research at the upcoming CanSecWest conference, so this vulnerability may become more ubiquitous in the near future.  Paranoid people be afraid!

http://www.nsa.gov/public_info/_files/cryptologic_spectrum/tempest.pdf
http://www.itworld.com/security/64193/researchers-find-ways-sniff-keystrokes-thin-air

The recently released ITunes 8.1 closed two major security gaps from the previous version. According to Apple, until the latest release, maliciously crafted podcasts could cause ITunes to ask user for credentials but send the username and password to a destination other than Apple’s server. Furthermore, a bug in the ITunes DAAP protocol allowed attackers to send messages with specific Content-length fields causing an infinite loop, and thus a denial of service, to Windows users.

Reference: ZDNet

Final exams are just around the corner (or in some cases may already have been taken if they’re in-class ones)!  I figured I’d write a security review about the system of final exams.

Assets and Goals:

• Pre-knowledge of questions
• After the fact, knowledge of other people’s grades
• During the test, forbidden knowledge
• During the test, having unauthorized person take test

Adversaries:

• Students are primarily the only adversaries.  Sabotage by rival professors seems rather unlikely ;).
• Others may be interested for whatever reason in learning the score of a particular student on an exam.

Weaknesses:

• Examinations may be handled by multiple locations prior to the test
• Professors may be lax about security
• Too-large class-sizes may overwhelm proctors from preventing cheating
• Lack of careful ID checking

Potential Defenses:

• Provide one centralized location for professors to print out / copy their exams in advance, so that they do not run the risk of someone listening to network traffic or grabbing a copy off the copier.
• Ensure professors are familiar with security procedures to prevent students from sneaking into their offices.
• Ensure professors are given an adequate number of proctors to prevent cheating (plainclothes proctors, i.e., proctors who pretend they are students also taking the exam, can also be particularly effective as, although they cannot patrol such a large area, other students may be less wary about them noticing cheating)
• Have proctors check IDs of all students taking exams (I think I’ve had my ID checked a single time in 4 years, and many of those classes have been large lecture classes like Chem 142 where it’s doubtful the instructor recognized me)

Discussion and Conclusion:

There are many different types of cheating which students can do during an exam.  First of all, we need to consider what allowance the exam has for outside notes.

Particularly vulnerable to this is a class which is book only–I think I’ve only ever had one of those, but it’s extremely weak by default, as students can easily write in the margins of specific pages and as long as they are not stupidly blatant will not be caught.  Solution: make everyone randomly swap books at the start of class.  Weakness: time-consuming and difficult to ensure everyone gets their book back.  Conclusion: book only exams are annoying to make work properly, better to allow book + notes or neither.

Book + notes only is much easier to patrol.  Essentially the only sources disallowed are electronic sources or other people.  In this case, a sufficient number of proctors need to be around in order to ensure that students do not use cellphones (laptops are a little blatant for this). Solution: proctor numbers.  Conclusion: relatively easy

Book + notes + internet is quite difficult, as the laptop use must be monitored to prevent people from simply feeding the questions to a friend sitting at a computer at home who has already taken the class.  As security people, of course, we know that you could monitor network traffic, but this is not very easy and requires specialist knowledge that most professors and proctors are going to lack.  Easier is to just patrol the laptops, and require them all to sit in one location, at the front of the room.  A few plainclothes proctors sitting near / behind them can be a great help here, as alt-tabbing when an obvious proctor is coming is quite easy, but they won’t know the person behind them “taking the exam” is watching their screen.  Solution: plainclothes proctors.  Conclusion: riskier, but doable

No books/notes/internet is also pretty easy–visibility is key here.  As long as a proctor can see people without too much effort, large areas can be patrolled, as looking at notes will often cause quite a bit of noise.  Additionally, fellow students can easily identify and report the student who is cheating (emphasize the fact that the test is curved so they have a motive to do so 🙂 )

Overall conclusion: exams are rife with weaknesses.  Some professors post grades online using the last digits of student ID #s as the index.  Although these are not going to be unique, with knowledge of which classes a specific student is taking, accessing just a few of these classes will give an extremely high probability of figuring out which student it is.  People glancing quickly at another students paper are another large risk (which can be minimized by ensuring spacious seating/different versions of exams + non-multiple choice).

The lack of security knowledge of many professors means it would be relatively simple to steal into their office during lunch (for example) and grab the graded finals.  Doing this would also cause great chaos if the exams hadn’t been entered into the system yet, obviously, but even apart from that would violate the privacy of students to not have their grades plastered all over the internet.

The parking at the University of Washington has always been a deadly game of cat and mouse between driver and parking enforcement. There are limited parking resources on campus, and parking enforcement wants to make sure that they are maximizing their revenue for the spaces they have available. On the flip side, poor students/faculty are trying to get away with parking their cars/motorcycles free of charge.

There are a few assets that parking enforcement wants to protect. One is their revenue stream — making sure that they are receiving money for the parking that is available. Another is the availability of spaces, so that legitimate paying customers won’t be turned away at the door if the lots are oversold. In both cases, the adversary is the driver trying to cheat the system (aka, me).

One weakness of the system stems from having way more parking spots than there are parking enforcement officials. While this can work in an cheater’s favor in general, the longer one spends in the same spot, the more likely they are to be eventually ticketed. This might assume someone illegally parked would stay shorter — but then they have the added overhead of having to move their car frequently. One way that they can combat this is to deploy resources first towards the most high-traffic lots, and then check less frequently at satellite lots.

Another weakness of the system involves procedures for contesting tickets through the parking department. Any ticket can be contested through the office, and last checked, they had an average turnaround of 3-6 months, no doubt due to bureaucratic inefficiencies. If an adversary were to contest a ticket, they wouldn’t have to pay it for months, and would be likely to get it fined. One could also try sending in a longer letter to the department as to why they deserve to not get the ticket, in order to push it to the back of the queue for processing.

In the future, there might be an emphasis on more high-tech solutions (such as cameras) to quickly monitor parking lots and possibly detect cheaters. For the time being, however, there are some vulnerabilities in the parking system that allow attackers to get away with free campus parking undetected.

According to an article from Rueters (http://www.reuters.com/article/technologyNews/idUSTRE52B4D820090313?pageNumber=1&virtualBrandChannel=0), Konstantin Goloskokov, a member of a Russian youth movement recently claimed responsibility to organizing a group of fellow supporters and executing a Distributed Denial of Service (DDoS) attack on Estonian internet sites, causing them to crash, approximately 2 years ago. The attack was allegedly in response to the Estonian government’s movement to dismantle a WW2 soviet army monument.

The event brings up the interesting topic of cyber-warfare.  Though Goloskokov claimed that he had no support whatsoever fro m the youth group or the Russian government, and both the group and government deny involvement, it doesn’t seem too unlikely that attacks on internet infrastructure will become a major part of modern warfare (and in many cases, it probably already is).   As the world relies on the internet increasingly more to do its everyday business, an attack on websites used by the government or major corporations in that country could cause significant damages.  In this case, the Estonian web sites were probably very poorly equipped to handle large amounts of traffic, as a group of friends was able to shut them down, but security measures must be put in place because DDoS attacks by large botnets could be much more difficult to handle.

It appears measures could have been made to prevent this attack, as Goloskokov claims that each individual made multiple requests to websites, so checking for an excessive number of connections from a single IP address may have been able to help prevent the attack.  One positive outcome of this attack was that it increased the awareness of NATO, among other agencies, to the threats presented by cyber-warfare, and the necessity of putting measures in place to thwart it.