Linux Desktop Security Vulnerabilities

By spa at 5:38 pm on March 13, 2009

A common method for infection of many operating systems is a malicious executable file, either sent in an email or downloaded otherwise, that the user simply double clicks without thinking. Because most users are so used to the concept of double click to open, they may not in fact realize that they could be executing arbitrary code (especially with a default setting to hide file extensions) or that arbitrary code, even running with low permissions, can still be incredibly dangerous.

A big selling point of security on many Linux or Unix systems is the distinction of Execute permissions. A downloaded file will not have the execute bit set. This means that, within a window manager, double-clicking will only attempt to read the file so the desktop system may ask what you want to do with it. Only by either explicitly telling this prompt to execute or by editing the permissions of the file from the command line can you execute this file. In either case this is an explicit action that the user must think about.

However, many distributions of Linux use a standardized .desktop [1] file format. These files are often used as menu items or program launcher shortcuts: they have an Exec parameter that can take an arbitrary command string to run when clicked.

[Desktop Entry]
Encoding=UTF-8
Type=Application
Terminal=false
Exec=bash -c "touch ~/haxxored"
Name=Write to an arbitrary file.

A desktop file that creates the file haxxored in the user’s home directory

Users and developers of these distributions have recently been arguing for re-evaluation of this specification for that very reason: .desktop files allow arbitrary code execution without the need for an executable bit set on the file.

This opens up the same vulnerability in Linux systems that had previously been avoided. An inexperienced user used to double click to open might download a .desktop file and try to open it. Even a more experienced user might not realize this issue and (expecting the previously mentioned behavior of simply reading the contents of the file) click on it to see the contents.

Even more troubling is the behavior of these Desktop files when used in the menuing system for many distributions: important system applications often have menu entries in /usr/share/applications. However, menu entries with the same name in ~/.local/share (the user’s local directory) with the same Name option will override the system one! A malicious script (perhaps even started by the exploit above) could shadow the desktop entry from one of the important system applications such as the Synaptic Package Manager. Users are used to typing their passwords at the gksu prompt when clicking on Synaptic so they would do so; now a malicious script has root access to the user’s machine.

Possible Solution

The biggest part of a solution to this problem would be requiring that .desktop files simply have execute permission set. On installation of a normal program this would be a trivial addition, but downloaded .desktop files would not be run. In case of some other malicious script gaining user access, normal users should not be able to override root-owned .desktop files (like Synaptic).

These solutions are extremely simple, but they have not been implemented yet due to the desire for compatibility between different distributions. It may take time for these changes to be made.
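
Until launchers enforce these rules, the two conditions described above can be checked by hand. The following is an added example, not code from the original post or from any distribution: it flags .desktop files in untrusted directories that carry an Exec line but no execute bit, and user-level entries that reuse a system entry's file name or Name value while launching a different command. The function names, the temporary directory layout and the sample entries (including the placeholder script path and the Synaptic Exec line) are constructed for illustration.

```python
import configparser, stat, tempfile
from pathlib import Path

def read_entry(path):
    """Return the [Desktop Entry] keys of a .desktop file as a dict ({} if unparsable)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str                      # Exec, Name, ... are case-sensitive keys
    try:
        cp.read(path, encoding="utf-8")
        return dict(cp["Desktop Entry"])
    except (configparser.Error, KeyError, UnicodeDecodeError):
        return {}

def audit(system_dir, user_dir, untrusted_dirs):
    findings = []
    # Check 1 (the proposed rule): an Exec= launcher without the execute bit should not run.
    for d in untrusted_dirs:
        for p in sorted(Path(d).glob("*.desktop")):
            entry = read_entry(p)
            if "Exec" in entry and not p.stat().st_mode & stat.S_IXUSR:
                findings.append(("exec-without-x-bit", p.name, entry["Exec"]))
    # Check 2: a user entry reusing a system file name or Name= with a different command.
    system = {p.name: read_entry(p) for p in Path(system_dir).glob("*.desktop")}
    by_name = {e["Name"]: f for f, e in system.items() if "Name" in e}
    for p in sorted(Path(user_dir).glob("*.desktop")):
        entry = read_entry(p)
        twin = p.name if p.name in system else by_name.get(entry.get("Name"))
        if twin and entry.get("Exec") != system[twin].get("Exec"):
            findings.append(("shadows-system-entry", p.name, entry.get("Exec")))
    return findings

def demo():
    """Build constructed sample directories and audit them."""
    tmpl = "[Desktop Entry]\nType=Application\nName={}\nExec={}\n"
    with tempfile.TemporaryDirectory() as root:
        dirs = {n: Path(root, n) for n in ("system", "user", "downloads")}
        for d in dirs.values():
            d.mkdir()
        (dirs["system"] / "synaptic.desktop").write_text(
            tmpl.format("Synaptic Package Manager", "gksu synaptic"))
        (dirs["user"] / "update.desktop").write_text(      # different file, same Name=
            tmpl.format("Synaptic Package Manager", "/tmp/placeholder-script"))
        (dirs["downloads"] / "report.desktop").write_text(  # downloaded: mode 0644
            tmpl.format("Write to an arbitrary file.", 'bash -c "touch ~/haxxored"'))
        (dirs["downloads"] / "report.desktop").chmod(0o644)
        return audit(dirs["system"], dirs["user"], [dirs["downloads"]])

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real system, audit() would be pointed at /usr/share/applications, the user's applications directory under ~/.local/share, and directories such as the desktop and download folders.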

[1] Desktop File Specification: http://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html

Filed under: Availability, Current Events

Wikipedia Editing Could Be Made More Restrictive Due to Vandalism

By jap24 at 7:56 pm on January 30, 2009 | 4 Comments

According to this article, the English version of Wikipedia may be implementing a system called “flagged revisions” to the editing software, which would require that edits would have to be approved (“flagged”) by a “trusted” user (see the Wikipedia page on flagged revisions here). Edits that have not yet been approved could be viewed by users on request, but the default version of a page would exclude any changes that have not yet been approved. Trusted users’ edits are automatically approved. There could be long wait times for edits to be approved; this system has already been implemented in the German Wikipedia version, and edits there have taken as long as three weeks to be approved. (Read on …)

Filed under: Availability, Current Events, Integrity

Security Review: Network Solutions’ Worldnic Domain Name Hosting Service

By Ryan McElroy at 6:29 pm

Network Solutions runs one of the largest domain registrars and DNS hosting providers in the world. It currently hosts more than 7.5 million domain names, including many of the most popular web sites on the Internet. The domain name servers hosted at Worldnic translate URLs into IP addresses, so if these servers are not operational, an otherwise functioning web site is effectively down.

With billions of dollars being shifted from retail to e-commerce every year, web site up-time has become mission-critical to many companies. Any sort of web site failure for even extremely small periods of time can directly affect a 21st century company’s bottom line. Network Solutions has the very important task of serving as the gateway between customers’ web browsers and companies’ web sites. As the man in the middle, they are a very clear target for attackers. A malicious user has a clear path to disrupt service without ever having to attack a customer or the company itself. This scenario makes top-level security imperative to Network Solutions and Worldnic. A single successful attack could disrupt millions of transactions across millions of web sites.

(Read on …)

Filed under: Availability, Security Reviews

Security Review: “Smart Guns”

By Trip Volpe at 11:59 pm on March 16, 2008 | 18 Comments

Overview

This is a security review of “Smart Guns,” a general class of locking/use prevention mechanisms for firearms that rely on biometrics or other authentication indicators (such as “smart” chips embedded in the gun and in rings or other tokens worn by the intended user) to identify a person who is authorized to use the firearm, while preventing unauthorized persons from discharging the weapon. The Wikipedia article has some further broad overview information regarding the subject.

(Read on …)

Filed under: Availability, Physical Security, Policy, Security Reviews

Security Review: Car GPS Navigation Systems

By joyleung at 10:36 pm | 8 Comments

Summary

Car GPS navigation systems are a handy tool for finding one’s way on the road. With features like local points of interest, address book and SD card backup, it would not be surprising if they become a common everyday item soon. Here is a review for a GPS navigation system similar to the Magellan Maestro 4200:

(Read on …)

Filed under: Availability, Privacy, Security Reviews

Amazon’s S3 Outage: Usage spike or DDoS attack?

By iddav at 10:50 pm on February 17, 2008

Amazon’s Simple Storage Service (S3) experienced an outage on the morning of February 15th, causing inaccessible content in the thousands of websites that rely on S3 for data storage. According to Amazon’s official explanation, the outage was due to a significantly increased volume of authenticated calls from multiple users. From the security perspective, this leads to more questions than answers.

(Read on …)

Filed under: Availability, Current Events

ISP vs. BitTorrent

By Kris Plunkett at 3:13 pm on February 16, 2008 | 2 Comments

Since ISPs, most notably Comcast, some time ago began identifying and purposefully destroying or severely throttling BitTorrent connections passing through their networks, the struggles on both sides of the fence have been nothing short of a game of cat and mouse.

(Read on …)

Filed under: Availability, Current Events, Privacy

Security Review: Quiet Care

By joyleung at 11:51 pm on February 10, 2008 | 5 Comments

Home monitoring systems like Quiet Care exist to allow independent living for elderly people. The system works by monitoring the person’s daily movements with wireless activity sensors in each room. The information collected from these sensors is gathered at a communicator and then is sent to the Quiet Care server and is analyzed for patterns. If the server detects unusual behavior, it contacts the caregivers of the individual.

(Read on …)

Filed under: Availability, Privacy, Security Reviews

Four Undersea Cables Cut In Middle East In Less Than a Week

By chernyak at 3:06 pm on February 5, 2008 | 1 Comment

As many of you may have heard, two undersea cables were cut on January 31st, severing internet to millions of users in the Middle East. At first it was reported that these cables were severed by a ship’s anchor, but it is now being confirmed that this is false. The map of undersea cables and those affected can be found here.

However, in the last few days, two more cables have been cut. An illuminating internet traffic report is here.

The probability of all of these events being random accidents seems vanishingly small. Could this be a new sort of attack intended to black out an entire region? If so – what could the motivations be and who could be behind this? Could this be done for commercial reasons? Could this be a government or terrorist organization about to mount an attack?

Some other enlightening posts can be found here: part I, part II, part III

Filed under: Availability, Current Events

Pillaged MySpace Photos Show Up in BitTorrent Download

By felixctc at 2:51 am on January 27, 2008 | 5 Comments

More than half of the million images that are private photos of MySpace users were stolen and uploaded onto BitTorrent. This is a huge privacy breach for MySpace users. The hacker, “DMaul”, said that he learned of the security hole from WIRED and used the method of attack. This security hole surfaced last fall, and because of this, various adversaries such as possible pedophiles, voyeurs, and advertisers were able to steal these photos. DMaul ended up seeding these photos and advertised them as “pictures taken exclusively from private profiles”. It turns out that his attack cycles through the accounts by MySpace Friend ID numbers, and thus did not target any specific group of people. Although the attack did not target any specific group, this is a significant breach that affected users who are under 16, because their accounts are automatically set to private and their adversaries are more dangerous. Even though the attack resulted in leaks of a huge amount of pictures, it seems that MySpace didn’t follow up with the issue properly.

(Read on …)

Filed under: Availability, Current Events, Privacy