Current Event: Telegraph website hacked

By vkirst at 2:20 pm on March 13, 2009 | 1 Comment

The Telegraph, a famous daily newspaper in the UK, was hacked into by a Romanian hacking group last week. The group exposed a weakness in the way the website queried its database for property searches and was able to obtain around 700,000 subscriber email addresses and passwords in plaintext via a SQL injection attack. The Telegraph took down the site and is in the process of rewriting the code to fix the problem, and is telling subscribers to change their passwords for that site and other sites.

It is not known exactly which SQL injection string was used to gain access to the database of user emails and passwords, but SQL injection attacks are not terribly difficult to defend against. Considering that the email addresses and passwords were stored in plaintext, and considering the wide range of methods available to protect code from SQL injection, it is likely this attack was only possible because the coders of the website were careless and did not think much about security risks when designing it.
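The two failures the post points to, a search query built from user input and passwords stored in plaintext, sit side by side with their fixes in this added example (not code from the Telegraph or from the original post). The database, table names and the PBKDF2 parameters are assumptions; the point is that a bound parameter is never parsed as SQL, and a leaked table of salted hashes does not hand over the passwords.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune upward for production


def build_db():
    """Constructed in-memory stand-in for a newspaper site's database (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE properties (id INTEGER PRIMARY KEY, town TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO properties (town, price) VALUES (?, ?)",
        [("Bath", 450000), ("O'Connell Town", 320000), ("York", 275000)],
    )
    conn.execute("CREATE TABLE subscribers (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def search_unsafe(conn, town):
    """The injectable pattern: user input spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = "SELECT id, town, price FROM properties WHERE town = '" + town + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, town):
    """Parameterised query: the driver binds the input as a value, never as SQL
    text, so the same apostrophe is just data."""
    sql = "SELECT id, town, price FROM properties WHERE town = ?"
    return conn.execute(sql, (town,)).fetchall()


def unsafe_search_fails(conn, town):
    """True if the concatenated query is rejected by the SQL parser for this input."""
    try:
        search_unsafe(conn, town)
        return False
    except sqlite3.OperationalError:
        return True


def store_password(conn, email, password):
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO subscribers VALUES (?, ?, ?)", (email, salt, pw_hash))


def verify_password(conn, email, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM subscribers WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, pw_hash)


def leaked_record(conn, email):
    """What a dumped subscribers table exposes for one user: (salt, pw_hash)."""
    return conn.execute("SELECT salt, pw_hash FROM subscribers WHERE email = ?", (email,)).fetchone()


if __name__ == "__main__":
    conn = build_db()
    print("safe search:", search_safe(conn, "O'Connell Town"))
    print("unsafe search breaks on a plain apostrophe:", unsafe_search_fails(conn, "O'Connell Town"))
    store_password(conn, "reader@example.com", "correct horse")
    print("verify:", verify_password(conn, "reader@example.com", "correct horse"))
    print("leaked record:", leaked_record(conn, "reader@example.com"))
```

A legitimate town name with an apostrophe is enough to show the difference: the concatenated query is rejected by the parser because the input has become part of the statement, while the bound version returns the matching row.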
(Read on …)

Filed under: Current Events, Ethics, Privacy | 1 Comment

Subverting SSL with SSLstrip

By erielt at 1:09 pm

At the recent Black Hat security conference, independent hacker Moxie Marlinspike gave a talk about his new tool sslstrip and the techniques it uses to subvert SSL on a network (a write-up can be found at http://www.itpro.co.uk/609932/website-danger-as-hacker-breaks-ssl-encryption, and the tool and a video of the presentation can be found at http://www.thoughtcrime.org/software/sslstrip/). The presentation covered techniques to subvert SSL directly through browser flaws involving CA constraints, in addition to his tool, sslstrip, which can be used to perform a man-in-the-middle attack and view all of a user's network traffic.

(Read on …)

Filed under: Current Events

Current Event: Air Force Engineers develop BitTorrent sniffer

By ezwelty at 12:52 pm

Original article: http://arstechnica.com/security/news/2009/02/airforce-engineers-develop-bittorrent-sniffer.ars

The Air Force Institute of Technology has a new method for passive BitTorrent tracking. The system attempts to read the header of BitTorrent packets, and compare the hash in the packet to a known set of bad hashes. If a bad hash is matched, then the system logs it for future investigation. The system uses programmable FPGAs, and sniffing capacity tops out at 100Mbps.

Recent developments in traffic shaping and packet analysis have been largely spurred by large ISPs' desire to limit users' consumption of high-bandwidth services such as BitTorrent. Complaints about BitTorrent users include high bandwidth usage, as well as accusations of illegally sharing copyrighted material.

However, packet inspection at any level raises a number of privacy concerns, as systems at the ISP level would definitely be reading the data that flows through their network from an end user's machine. This can be malicious or not; it really depends on how ISPs use it. It seems that ISPs are highly motivated to keep traffic down so that they can keep their networks from becoming congested. However, no ISP customer can ever exceed the maximum amount of bandwidth that they are advertised to get. It seems that the ISPs are not being forthcoming about the real amount of bandwidth that they want customers to use.

Bandwidth isn't the only issue, with litigation being handed out to file sharers. It's in the ISPs' best interest to stay out of any legal issues they can, which also provides a good motivator for shaping BitTorrent traffic. However, given millions of motivated BitTorrent users versus companies with relatively limited resources, they are fighting an uphill battle that will not end up in their favor. This Air Force sniffing technology can't detect encrypted BitTorrent packets, which comprise 25% of the BT traffic out there. Also, with projects such as OneSwarm, people can set up much more anonymous sharing networks between friends. The only way for corporations to survive file sharing is to adapt, as the Norwegian state broadcasting company did when it started offering its broadcasts as full, unencrypted downloads on its own hosted BitTorrent tracker.
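The matching step the post describes, reading the header of a BitTorrent packet and comparing its hash to a known set, and the blind spot it notes for encrypted traffic, are both shown in this added example (not code from the Air Force project or the original post). The handshake layout is the public BitTorrent peer-wire format; the watchlist entries and captured packets are constructed samples, not real torrents or real traffic.

```python
import hashlib

# Plaintext BitTorrent peer-wire handshake layout (public protocol spec):
#   1 byte    pstrlen   = 19
#   19 bytes  pstr      = b"BitTorrent protocol"
#   8 bytes   reserved  (extension bits)
#   20 bytes  info_hash (SHA-1 of the torrent's info dictionary)
#   20 bytes  peer_id
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes


def parse_handshake(payload: bytes):
    """Return (info_hash, peer_id) if payload opens with a cleartext handshake, else None."""
    if len(payload) < HANDSHAKE_LEN:
        return None
    if payload[0] != len(PSTR) or payload[1:1 + len(PSTR)] != PSTR:
        return None
    info_hash = payload[28:48]
    peer_id = payload[48:68]
    return info_hash, peer_id


class HashWatchlist:
    """Passive sniffer logic: compare each observed handshake's info_hash to a watchlist."""

    def __init__(self, hex_hashes):
        self.watched = {bytes.fromhex(h) for h in hex_hashes}
        self.log = []  # (src, dst, info_hash hex, peer_id), kept for later investigation

    def inspect(self, src: str, dst: str, payload: bytes) -> str:
        parsed = parse_handshake(payload)
        if parsed is None:
            # Obfuscated (MSE/PE) streams and non-BitTorrent traffic land here:
            # there is no header to read, so there is nothing to compare.
            return "no-handshake"
        info_hash, peer_id = parsed
        if info_hash in self.watched:
            self.log.append((src, dst, info_hash.hex(), peer_id))
            return "match"
        return "clean"


def make_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a cleartext handshake for the constructed samples below."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id


# Constructed sample data (not real torrents, peers or captures).
WATCHED_HASH = hashlib.sha1(b"constructed-watchlisted-torrent").digest()
OTHER_HASH = hashlib.sha1(b"constructed-legitimate-torrent").digest()
WATCHED_HASH_HEX = WATCHED_HASH.hex()
PEER_ID = b"-EX0001-" + b"0" * 12  # 20 bytes, client-style peer_id
WATCHED_HANDSHAKE = make_handshake(WATCHED_HASH, PEER_ID)
CLEAN_HANDSHAKE = make_handshake(OTHER_HASH, PEER_ID)
# Stand-in for an obfuscated stream: same length, no recognisable header.
OBFUSCATED_STREAM = hashlib.sha256(b"constructed-obfuscated-stream").digest() * 3

if __name__ == "__main__":
    wl = HashWatchlist([WATCHED_HASH_HEX])
    samples = [("watched", WATCHED_HANDSHAKE), ("clean", CLEAN_HANDSHAKE), ("obfuscated", OBFUSCATED_STREAM)]
    for name, pkt in samples:
        print(name, "->", wl.inspect("10.0.0.5", "10.0.0.9", pkt))
    print("logged:", wl.log)
```

Only the watchlisted cleartext handshake is logged; the obfuscated stream returns "no-handshake" regardless of what it carries, which is the limitation the post describes.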

Filed under: Current Events, Ethics, Integrity, Privacy

Security Review: iTunes DAAP Authentication

By justine at 10:57 am

I am, at the moment of writing this, sitting in Cafe Solstice on the Ave. There are probably about a dozen computers in here, and judging from my neighbor's screen, 4 of them are running iTunes with the "sharing" feature (via Apple's Digital Audio Access Protocol, DAAP) turned on, which allows them to stream audio files off each other's computers, but not to download them. What's to stop these young coffee-drinkers from forming their own small-scale (illegal) filesharing network? DAAP's authentication mechanisms, which have grown increasingly more secure with successive versions of iTunes, have yet to be broken in their latest form.

Previous authentication protocols integrated into DAAP used either an MD5 hash or a custom hashing algorithm to encrypt the streaming music. Both methods were later cracked, leading to programs such as OurTunes, which allowed listeners on the network to save the mp3s made available over DAAP to their hard drives. Programs like this were extremely popular on large public networks like those at universities.

The current version forces the connecting hosts to authenticate through an Apple-controlled Certificate Authority, which can then exchange trusted public keys. This effectively blocks third-party applications (like OurTunes) from participating in iTunes file sharing. Because the official iTunes application does not permit saving the shared files, the mp3 sharing is effectively blocked.

Assets/Security Goals:

* The assets involved are the audio files on the users' computers. Users themselves, who have the option of turning sharing "off" or "on", aren't really the focus of this encryption functionality; intellectual property owners are worried about rampant copying of their files without receiving compensation for their works. The goal is really to protect copyrighted material from being copied, and along the way, all material is encrypted and blocked from download, regardless of copyright status or the user's intent.
* Still, it is important to keep in mind the assets on the users' computers. Having done a lab on network security, we all now know the risks of allowing an external computer to issue commands to, or access data on, a secured machine. It is important to make sure that all files on the computer that are not supposed to be shared are secured from external access, and furthermore, that no one can issue commands to or take control of the machine.

Adversaries/Threats:

* Large scale piracy operations don’t really operate through iTunes. The big threat for mp3 theft is lazy, normal people, unwilling to pay for music if they can get it for free across the network.
* As far as the security of other files and the user's machine is concerned, the adversary is any hacker with malicious intent who may want to steal the user's data, or just mess with their computer.

Weaknesses:

* So far, it’s quite difficult to see any weaknesses – this version of encryption has been out for some time and has yet to be broken. Still, while the usage of the CA is theoretically secure, all implementations are written by imperfect humans. It may be that there is a bug somewhere or a potential hack. Perhaps there will be a way to spoof as a valid iTunes client and register with the CA. Perhaps there will be a flaw allowing a third-party machine to spoof as a CA and provide keys to invalid clients. Perhaps by intercepting the packets for key exchanges enough times, hackers will learn about proprietary algorithms being used and find a weakness in that. It’s yet to be seen.

Potential defenses:

* The community trying to break the DAAP encryption is rather public about their efforts – and when a client is released, it will be rather easy to see what flaws they are exploiting. No doubt, Apple is already watching reports as they show up online, and allowing the real hackers to investigate flaws for them – which Apple can rapidly patch through automatic updates.
* Artists obsessed with being paid for every single mp3 they release could just stop releasing CDs and recorded music, or playing music at all. That way their fans will stop trying to steal it.

Evaluation:

DAAP so far has been frustratingly secure! Not only can I not steal mp3s from my neighbors in the coffee shop, but I can’t even listen to their music streaming, because iTunes isn’t available for Linux.

Filed under: Miscellaneous

Security Review – Google Voice

By Tim Crossley at 10:19 am | 1 Comment

Product Page: http://www.google.com/voice/about

Recently, Google has rolled out another product designed to change the way people use existing technologies. This time, it’s called Google Voice, a replacement/advancement of an existing technology called GrandCentral. Google Voice aims to centralize phone calls and SMS text messages between many different phones, allowing routing of incoming calls to different lines, advanced voicemail boxes, and numerous other features.
Like many Google products, Voice suffers from a fundamental security problem in that personal user data is stored completely outside the user’s realm of control. Call logs, voicemail, contacts: everything is stored on Google’s servers. Google Mail suffers from the same problem: that the end user must place trust in a corporation whose internal procedures are mostly kept secret.
(Read on …)

Filed under: Security Reviews | 1 Comment

Democratized DDoS attacks

By mrd5 at 9:26 am

http://blogs.zdnet.com/security/?p=2859
http://www.sourceconference.com/

Mar 13 2009

At Source Boston 2009 (a conference on advanced technology and security application practices), security specialist Dr Jose Nazario gave a talk describing how DDoS (Distributed Denial of Service) attacks are becoming more "democratized" or "populist", and are no longer just the tools of trained computer attackers. He cited various DDoS attacks associated with military campaigns (such as Kosovo or, more recently, Georgia) which seemed to be initiated on a wide scale rather than just by a centralized group of attackers.
This has arisen due to the simplification of the weapon, i.e., it could now be as simple as a centralized group of protestors or a citizen militia distributing a simple script to be run on end users' machines. An example given was a simple Microsoft batch pinging script distributed to various complicit parties via a message board. More sophisticated scripts exist, but the essential point is that as it becomes easier to run such attacks from a local machine, it will become easier and easier to initiate DDoS attacks on a wide scale in this fashion.
The broader issue here is twofold: the weaponization of computer systems, and the possibility that these could be leveraged by non-military, politically oriented groups as a means of protest as well as attack. The Russian conflict in Georgia most recently brought up broad suspicions of cyber warfare, and many rumors and warnings exist about the potential dangers which could occur. Even the public is generally aware of the threat, given the existence of movies like Die Hard 4 (however inaccurately the threat may be represented).
The speaker concluded by not commenting on the prevalence of such tools in [domestic] political groups. However, it is safe (or unsafe) to assume that as computer integration into daily lives and processes becomes greater and greater, the likelihood of such an attack being publicly launched also increases.

Filed under: Current Events

Security Review: Cell Phone Projectors

By hmu2 at 9:24 am

Authors: Heather Underwood & Guy Bordelon

As mobile phones continue to become one of the most popular, universal, and comprehensive computing devices, researchers and mobile phone companies are enthralled with adding more features. As described in a recent article by the New Scientist, the feasibility of including a projector on a mobile phone is becoming a reality. The new projector chip that TI released a few weeks ago dramatically improves upon last year’s low resolution model by adding more mirrors to increase the resolution to 850 by 480 pixels (comparable to a DVD player). This new model also works better in most lighting conditions and can show a 2 hour movie on a single battery charge. Having mobile phone projectors provides many exciting opportunities, but also creates some interesting security challenges. Some of these challenges are not critical security issues, but could cause frustrating or embarrassing situations.

Assets/Security Goals:

  • The mobile phone projector would provide easier sharing of presentations, photos, videos, etc.
  • Low power consumption would allow for mobile presentations and viewing without having to recharge batteries or be near a power outlet.
  • The dual display will allow users to view private information on the little screen on their phone while displaying public information on the projection screen. This security measure will enhance presentations by allowing the user to view notes or comments while displaying slides or have other sorts of private captioning for private viewing while different content is being projected.

Adversaries/Threats:

  • An adversary of the mobile phone projector could use the projector and other phone functionality like video to project real-time activity to a group. For instance, voyeurs could capture content from a distance using zoom camera/video features and project the inappropriate content in real time. The content could also be recorded and then displayed at a later time to blackmail or embarrass the victim.
  • Another possible threat is theft. If a phone is stolen and the projector has been projecting the same image, say a bank statement, for a very long time or is very often projecting that image, a clever thief could gain information from the image impression on the lens. This would most likely occur on older projector phones where the lens is sufficiently worn.

Weaknesses:

  • One possible weakness is that personal and private information could be maliciously projected without the phone owner's permission. If appropriate checks are not in place, the owner could also accidentally display his private information in an inappropriate setting.
  • The projector also opens up a new way for people to be incredibly obnoxious. The weakness here is not ensuring the security of people’s privacy and their sanity in public places. Projections of videos and photos in a restaurant or movie theater would be incredibly rude and distracting.
  • Another weakness is there is no limitation on the content the projector projects or the context in which it is projected. This weakness may not be readily solved by implementing greater security measures, but could end up relying on a social protocol that may or may not keep discriminating, hateful, or indecent material from being projected everywhere.

Potential defenses:

  • One potential defense is to have a password to use the projector so only the owner can access and project the content on their phone. This security measure does not protect against the owner knowingly projecting indecent or private information however.
  • The projector should also require a confirmation screen before projecting the selected content. This security measure would hopefully eliminate accidental display of private or indecent information on the projector.
  • A solution for reducing the use of the projector in public places, besides signs and glaring looks from other customers, could be sensors (on the phone and at the restaurant) that could detect and essentially disable projection of phone content.

Evaluation:

The main goal of this device is to make accessing and viewing content easier and more available for entertainment and larger-scale purposes. The projector was not designed to provide added security to mobile phones, and thus there are few security goals; however, because security was not a main concern when developing this device, there are multiple security flaws that were not taken into account. We think this technology will very likely become a standard feature of mobile phones. Teenagers especially will drool over being able to project their Facebook pictures and YouTube videos larger than life in any place they want. We also think that tech-savvy business people will utilize this tool for portable presentations. This device also has many applications in the developing world, where power consumption, carrying heavy video equipment and easily watching educational videos are often problems. There are obviously ethical questions involved with this device in regards to what content is appropriate to project; however, there are many devices that have advanced technology and failed to account for all possible ethical misuses.
Although there may be some technological solutions to the security vulnerabilities presented above, we think if the projector becomes a popular and ubiquitous feature of cell phones, the use of it will ultimately be governed by a social protocol and people being conscious of the content they are showing. The article suggests that requiring additional legislation for projected content could become necessary, but we are of the opinion that requiring legislation to prevent people from being stupid has never and will never work.

Filed under: Miscellaneous

Face Recognition System: Clever or Creepy?

By devynp at 8:02 am

Photo programs that can organize, recognize, and cluster people's photos are neat because they allow the user to search for pictures. Face recognition technology has also been used to identify people. The way the system works is that the computer finds the faces in the pictures, then searches for objects in the pictures that look like eyes, a nose, etc. Apple and Google have also developed their own nifty photo programs; the programs are capable of matching different pictures and finding ones with the same person in them.

According to the Technology Review article, these programs do their job pretty well; for example, the Apple program can learn as the user tells it which matches are right and which are wrong. Scarily, Google's program, Picasa, which has pictures stored in Google's database, will cluster the pictures according to the faces, let the users tag those clusters with names, and allow them to further match them to the corresponding people's email addresses. It is a little bit unsettling that "before [we] know it, Google is asking [us] to identify all those other faces in [the] photographs", fulfilling its corporate mission "to organize the world's information and make it universally accessible and useful", while that is not what we want from a photo-sharing website.

Face recognition systems started being used after the September 11 attacks. Obviously this is done to help screen out terrorists at security checkpoints, such as airports and federal facilities. This can help airport security officers concentrate more on other details of the passengers, rather than on their faces. The question now is whether this system has high enough accuracy to identify people by their face regardless of other facial features, such as beards or wigs.

One obvious concern with widely available face recognition is privacy. Due to real-name tagging and the fact that email addresses are unique, Google's Picasa is able to create a global database linking people's email addresses, names and the photos recognized as a particular person. This is not a new privacy issue; facial recognition tools add to the information that is exposed on the web.

One simple way to minimize the exposure or potential violation of your own privacy is to not use these tools. Unfortunately, as with all new tools that expose more information about us on the web, there will be hype regarding privacy management. This should be no different.

Source: http://www.technologyreview.com/computing/22234/page1/

Xia Cam and Devy Pranowo

Filed under: Current Events, Privacy

Current Event: Google's new behavioral based ads vs. Privacy

By alexmeng at 6:49 am

Recently, Google released a new way for it to perform interest-based advertising to its users. It utilizes its users’ behavior to send them targeted ads. The question that arises is how do they obtain the users’ behavior?

Google saves previous search requests and page views.

This new information that Google collects about its users raises new privacy concerns, given that Google already has lots of information on many users, especially if they use Google's e-mail service, Gmail, which archives all messages sent to the account unless deleted. Privacy advocates are worried about Google having too much information about its users. Some are concerned about Google's retention policy on user data, as Google keeps it for 9 months while Yahoo holds it for 90 days.

The purpose of this new advertising is to generate more meaningful ads based on behavior; however, that also means receiving ads for items that you are not necessarily searching for at the moment. For example, if your search history consisted of searching for laptops, and you are on a site unrelated to technology, you can receive an ad for laptops given your past search history.

Privacy advocates are worried that sensitive information can be pulled from monitoring behavioral information. Google rebuts this, stating that it does not intend to use the data for other purposes and that users can delete interest categories at will.

Ultimately, the underlying question is how much respect a company has for its users' data. Will the company use it opportunistically or in the best interest of the user?

Given Google's current standing with the public, and its motto, "Don't be evil", I believe there won't be too much pushback on this issue from users, as long as there isn't any breaking news that Google sold all its information to telemarketers. This new advertising model is just another venue for Google to collect revenue.

Alex Meng, Jon Fung

Filed under: Miscellaneous

The BBC Borrows a Botnet

By bensona at 4:08 am

In an effort to make the public aware of the threat of botnets, the BBC came very close to violating the UK's Computer Misuse Act. The BBC technology program Click acquired a botnet of about 22,000 computers and used them to send spam to BBC-owned e-mail accounts. They also mounted a DDoS attack on a site owned by security company PrevX (with their permission, of course). Click acquired the botnet after "visiting chatrooms on the internet." Before giving up control of the zombie machines, Click advised owners of vulnerable machines on how to make their systems more secure. (Read on …)

Filed under: Current Events, Ethics