Moving to a Forum

By Tadayoshi Kohno at 9:59 am on February 15, 2010

For CSE 484 this year, we have switched from the blog format to the forum format.  The course website is online at http://www.cs.washington.edu/education/courses/484/10wi/.  This year’s forum is online at https://catalysttools.washington.edu/gopost/board/kohno/14597/.  We switched from the blog format to the forum format because forums seem to provide a better opportunity for interactive discussions within the course.

Filed under: Announcements, Current Events, Security Reviews

Current Event – A Broader Look on Wireless Access Point Vulnerabilities

By qwerty at 5:02 pm on March 16, 2009 | 1 Comment

Wireless access points are a great technology – allowing a user the convenience of accessing the same wired network without wires.  But the vulnerabilities and weak points that they produce can often be overlooked.  Most people install these devices to extend their network to laptop or other wireless users, and can be secured if they are installed properly.  But what if the installer is malicious?  Anyone can buy a wireless access point for around $40 and install it themselves by plugging it into the wall ethernet plug they usually use.  If this is on a corporate network, which is usually a private one in which only employees from within the building can access their network, then installing this WAP opens up this network to anyone within range of the WAP.  As noted in another interesting article regarding the subject, a disgruntled employee could install a wireless access point, hide it behind a file cabinet, and leave it there after they leave or get fired.  Months later they can come back with their laptop and freely access the corporate network from the parking lot.


Filed under: Current Events

Security Review: New Weapons in the Fight Against Doping

By oterod at 9:57 pm on March 13, 2009

The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. Marion Jones, for instance, a five-medal winner in Sydney’s 2000 summer Olympics, was retroactively indicted on drug charges and agreed to forfeit her awards. While the revelation shocked many, Jones relinquished her medals and life went on.

Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.


Filed under: Current Events, Ethics, Integrity, Research, Security Reviews

Current Events: One more botnet-related legal fray

By oterod at 8:52 pm

As part of an “expose’” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to two specific test addresses, and finally, used their botnet to bring down a security firm’s backup website via DDoS. The DDoS attack was done with permission from the “victim” company (Prevx).

Now the BBC group is in a spot of legal trouble as their use of a botnet could potentially implicate them in the violation of the UK’s Computer Misuse Act. While BBC claimed that their use of the botnet was purely academic, and therefore not criminal, they did take control of non-consenting citizens’ home PCs. More importantly, in purchasing the use of a botnet, reportedly at somewhere between $300-$400 per machine, the news network essentially funneled a few million dollars into the hands of cybercriminals. And all so that they could demonstrate what many papers and news articles before them already had.

The journalists, at surface level, did a good job of keeping things academic and avoiding any sort of cybercrime. They spammed their own test e-mail accounts. They DDoS’d a prepared and willing target. They also put warning documentation on the infected machines, at experiment’s conclusion, explaining to their users that they had been infected, and how to best avoid future infections. Ultimately, however, by mere involvement with and commandeering of hijacked personal machines – and especially thanks to funding the true criminal party – they did indeed commit some level of criminal act. To what degree they are held responsible is now a matter for the British courts to decide.

This is just one more occurrence in a string of botnet-related legal issues. A similar issue plagued German malware researchers with the means to potentially dissolve the Storm worm’s botnet(s) (see http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/). It seems that academicians of all types are running into a fundamental problem with this particular security threat: there is no way to legally study it “in the wild.” The moment a researcher connects to a botnet, takes control of it, or otherwise interacts with it, he or she risks legal consequences. Whether or not any charges stick is a different matter, and quite frankly, it will take some time before reasonable precedents clarify the legal “consensus,” but regardless these issues represent a significant impediment to progress in anti-botnet research.

Filed under: Current Events, Ethics, Policy, Privacy, Research

Current Event: California Politician Wants All Satellite Imagery of Schools, Churches, and Government Buildings to Be ‘Blurred’

By vincez at 8:47 pm | 2 Comments

A politician in California, Assemblyman Joel Anderson, has just proposed legislation to be drafted that would require Google’s map application to blur satellite imagery of all schools, churches, and government buildings. The Assemblyman’s proposal would require not just Google, but all satellite-based imaging software to blur these locations under the law.


Filed under: Current Events

How to break into a vault with 10 layers of security

By lidor7 at 8:39 pm

In 2003, Leonardo Notarbartolo and a team of Italian thieves broke into the Antwerp Diamond Center and made off with $100 million worth of diamonds, jewelry and other valuables. The vault was protected by 10 layers of security including a combination lock, Doppler radar, infrared heat detectors, and more. For six years, he has refused to speak with any journalists regarding the crime until now.

Wired magazine has published an article detailing Notarbartolo’s story and how he and his team were able to circumvent all the various security measures. It was interesting to see that despite having 10 different high-tech security measures, when each problem was considered individually, the exploit seemed simple yet ingenious.

For example, the infrared heat detector could be momentarily insulated using a thin layer of hairspray, buying enough time to physically deactivate the detector. Polyester shields could also insulate heat signatures, giving balcony access to the team. Even though a forged key was made, it turned out to be unnecessary because the guards simply kept it in a nearby supply room.

The question is, how could something like this have been prevented? As I mentioned, when each individual security measure was considered, each work-around seemed possible. Considering all 10 security measures would be a daunting task. What was interesting to note was that each security layer protects the vault from becoming compromised, but there didn’t seem to be any specific countermeasures for preventing someone from tampering with the security devices. Considering how each security measure could be defeated and how security measures might complement each other (i.e. protect each layer from tampering) would be a good way to prevent future break-ins.

Also, the thieves were able to break in because they were able to defeat predictable electronic devices. Prior to the heist, they gathered detailed information about the vault’s technologies, and they duplicated the vault and all its devices in order to simulate the heist. Once working details were confirmed, the same technology could be cracked consistently over and over. At night, the security was entrusted entirely to technology — no guard stood by at night to protect the vault. Posting a guard would add a layer of uncertainty that increases the risk of attempting a heist.

So that seems to beg the question, how much should we entrust technology to handle our problems? From a security stand-point, probably all technologies are fallible and are likely to fail in some way or another eventually. At the same time, the article brought up the issue of possible insurance fraud. There was the possibility that some of the diamond dealers were in on the heist and pulled out their inventory secretly prior to the heist, collecting on the insurance money while keeping their diamonds. That suggests that there wasn’t much of a system for keeping track of where the diamonds were and whether they were really lost in the heist or not. There needs to be a reliable system for tracking safety deposit transactions while maintaining privacy.

This also brings up the eternal security question — how much security is sufficient? You would suppose 10 layers of high-tech devices would be enough to deter thieves from an attempt. Does there need to be more security? Or perhaps the security could be used in a more efficient and effective way. Who are the stakeholders? It seems like the bank, the customers with the safety deposit boxes, and the insurance companies should have an interest in answering these questions.

Overall, the article told an interesting story, almost as if it were out of a movie. I highly suggest reading it just for entertainment at the least.

Filed under: Current Events

Cryptography towards a new kind of election?

By Orion at 8:11 pm

Computer scientists at the Harvard School of Engineering and Applied Sciences recently deployed the first “practical, Web-based, secure, verifiable voting system.” After testing through 2008 and early 2009, the system, dubbed “Helios,” was used for the university presidential elections at the Belgian Université Catholique de Louvain (UCL) in the first week of March 2009. The system uses asymmetric cryptography and mixnets to provide anonymity, ballot integrity, and open, public verifiability. The system is designed to be used for what they call “low-coercion” elections, because they have not provided any way for users to change their vote at another time if the user has been coerced into voting a certain way. But the system does provide cryptographic auditing that allows any voter to verify that their vote has been correctly recorded, and allows anyone to verify that all recorded votes have been correctly tallied, something standard elections in the USA don’t even guarantee.


Filed under: Current Events, Integrity, Privacy

Linux Desktop Security Vulnerabilities

By spa at 5:38 pm

A common method for infection of many operating systems is a malicious executable file, either sent in an email or downloaded otherwise, that the user simply double clicks without thinking. Because most users are so used to the concept of double click to open, they may not in fact realize that they could be executing arbitrary code (especially with a default setting to hide file extensions) or that arbitrary code, even running with low permissions, can still be incredibly dangerous.

A big selling point of security on many Linux or Unix systems is the distinction of Execute permissions. A downloaded file will not have the execute bit set. This means that, within a window manager, double-clicking will only attempt to read the file so the desktop system may ask what you want to do with it. Only by either explicitly telling this prompt to execute or by editing the permissions of the file from the command line can you execute this file. In either case this is an explicit action that the user must think about.

However, many distributions of Linux use a standardized .desktop [1] file format. These files are often used as menu items or program launcher shortcuts: they have an Exec parameter that can take an arbitrary command string to run when clicked.

[Desktop Entry]
Encoding=UTF-8
Type=Application
Terminal=false
Exec=bash -c "touch ~/haxxored"
Name=Write to an arbitrary file.

A desktop file that creates the file haxxored in the user’s home directory

Users and developers of these distributions have recently been arguing for re-evaluation of this specification for that very reason: they allow arbitrary code execution without the need for an executable bit set on the file.

This opens up the same vulnerability in Linux systems that had previously been avoided. An inexperienced user used to double click to open might download a .desktop file and try to open it. Even a more experienced user might not realize this issue and (expecting the previously mentioned behavior of simply reading the contents of the file) click on it to see the contents.

Even more troubling is the behavior of these Desktop files when used in the menuing system for many distributions: important system applications often have menu entries in /usr/share/applications. However, menu entries with the same name in ~/.local/share (the user’s local directory) with the same Name option will override the system one! A malicious script (perhaps even started by the exploit above) could shadow the desktop entry from one of the important system applications such as the Synaptic Package Manager. Users are used to typing their passwords at the gksu prompt when clicking on Synaptic so they would do so; now a malicious script has root access to the user’s machine.

Possible Solution

The biggest part of a solution to this problem would be requiring that .desktop files simply have execute permission set. On installation of a normal program this would be a trivial addition, but downloaded .desktop files would not be run. In case of some other malicious script gaining user access, normal users should not be able to override root owned .desktop files (like Synaptic).

These solutions are extremely simple, but they have not been implemented yet due to the desire for compatibility between different distributions. It may take time for these changes to be made.

[1] Desktop File Specification: http://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html

Filed under: Availability, Current Events
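
An audit for the two problems the Linux desktop post above describes, as an added example that is not part of the original post: it flags launchers in a user-writable directory that carry an Exec line without the execute bit, and launchers whose Name or file name matches a system-wide menu entry. The directory layout, file names and the "Text Editor" entry are constructed for the demonstration; on a real system the two arguments would be /usr/share/applications and, as an assumption about the usual layout, ~/.local/share/applications.

```python
import stat
import tempfile
from pathlib import Path


def parse_desktop_entry(path):
    """Return the key/value pairs of a file's [Desktop Entry] group."""
    entry, in_group = {}, False
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line:
            key, value = line.split("=", 1)
            entry.setdefault(key.strip(), value.strip())
    return entry


def load_entries(directory):
    """Parse every .desktop file below directory, in sorted path order."""
    return {p: parse_desktop_entry(p) for p in sorted(Path(directory).rglob("*.desktop"))}


def audit(system_dir, user_dir):
    """Flag user-writable launchers that match either problem in the post."""
    system = load_entries(system_dir)
    system_names = {e["Name"] for e in system.values() if "Name" in e}
    system_files = {p.name for p in system}
    findings = []
    for path, entry in load_entries(user_dir).items():
        if "Exec" not in entry:
            continue  # nothing to run, e.g. Type=Link or Type=Directory
        # Problem 1: a command runs although the file has no execute bit.
        if not path.stat().st_mode & stat.S_IXUSR:
            findings.append(("no-exec-bit", path.name, entry["Exec"]))
        # Problem 2: same Name (or file name) as a system-wide menu entry.
        if entry.get("Name") in system_names or path.name in system_files:
            findings.append(("shadows-system-entry", path.name, entry["Exec"]))
    return findings


def demo():
    """Audit a constructed system/user tree built in a temporary directory."""
    def write(path, name, command, mode):
        path.write_text(f"[Desktop Entry]\nType=Application\nName={name}\nExec={command}\n")
        path.chmod(mode)

    with tempfile.TemporaryDirectory() as tmp:
        system_dir, user_dir = Path(tmp, "system"), Path(tmp, "user")
        system_dir.mkdir()
        user_dir.mkdir()
        write(system_dir / "synaptic.desktop", "Synaptic Package Manager", "gksu synaptic", 0o644)
        write(user_dir / "pkg.desktop", "Synaptic Package Manager", 'bash -c "touch ~/haxxored"', 0o644)
        write(user_dir / "editor.desktop", "Text Editor", "editor %F", 0o755)
        return audit(system_dir, user_dir)


if __name__ == "__main__":
    for kind, filename, command in demo():
        print(f"{kind:22} {filename:16} Exec={command}")
```

Findings are review items rather than verdicts: a launcher the user created on purpose can trip either check, so the Exec value is reported alongside each one.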

Current Event: iTunes Gift Voucher Hacked?

By Tim Crossley at 5:31 pm

Many online news agencies are reporting that a Chinese group of hackers have broken Apple’s iTunes Gift Voucher code generator. The original story seems to come from Outdustry, a Chinese music industry website, and tells of $200 gift certificates being sold for as low as $2.60. The same article tells of how the seller freely stated that the certificates were generated via a key generator.

However, the information we have is nowhere near enough to show that the certificate generating algorithm has been cracked. For one, despite the large number of news sites reporting the break, all that I’ve seen can be traced back to Outdustry. Before I saw this story, I had never heard of the site Outdustry, and given that it just looks far more like a blog than a credible news source, I must say I am skeptical of the validity of this story. As for the cheap vouchers, they may or may not have been generated by hackers. Perhaps they were bought with stolen credit card information.

Lastly, there is more to an iTunes gift certificate, or any digital gift certificate, than just a number. The agency in charge of redeeming certificates must validate each one. If the validation was entirely contained within the gift code, then there would be nothing to stop the same certificate being used multiple times. No, no matter how the keys are generated, Apple must have some way of telling used certificates from good certificates.

This raises an interesting point. If we assume that the Chinese certificates have been created by a key generator, and if those certificates work on the iTunes store, then one of two things happened. Either the keygen created a key already in use, but not yet redeemed, or the default state for a certificate is “valid.” I count the first case as very unlikely, and the second case would be almost criminal in its exploitability.

Overall, I don’t believe any such cracking of the iTunes gift certificate format took place. Stolen money/credit cards could explain the cheap, under the table deals on certificates.

Original Source: Outdustry

Filed under: Current Events
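
The validation argument in the gift voucher post above, as an added example that is not part of the original post and says nothing about how Apple's system works: a check contained entirely in the code accepts the same code any number of times and accepts any well-formed code, while a server-side ledger whose default state is "invalid" rejects both reuse and codes that were never issued. The code format, the key and the serial numbers are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed key for this example only


def make_code(serial):
    """Format 'SERIAL-TAG', where TAG is a truncated HMAC over the serial."""
    tag = hmac.new(SECRET, serial.encode(), hashlib.sha256).hexdigest()[:10].upper()
    return f"{serial}-{tag}"


def well_formed(code):
    """Validation contained entirely within the code: no server state."""
    serial, _, _ = code.rpartition("-")
    return hmac.compare_digest(make_code(serial).encode(), code.encode())


class RedemptionLedger:
    """Server-side record of each code; anything not recorded is invalid."""

    def __init__(self):
        self._state = {}  # code -> "issued" or "redeemed"

    def issue(self, serial):
        code = make_code(serial)
        self._state[code] = "issued"
        return code

    def redeem(self, code):
        if not well_formed(code):
            return "rejected: malformed"
        state = self._state.get(code)  # unknown codes default to invalid
        if state is None:
            return "rejected: never issued"
        if state == "redeemed":
            return "rejected: already redeemed"
        self._state[code] = "redeemed"
        return "accepted"


def demo():
    """Compare the format-only check with the ledger on constructed codes."""
    ledger = RedemptionLedger()
    sold = ledger.issue("GIFT0001")
    generated = make_code("GIFT9999")  # correct format, but never sold
    return {
        "format_only_reuse": [well_formed(sold), well_formed(sold)],
        "format_only_generated": well_formed(generated),
        "ledger_first_use": ledger.redeem(sold),
        "ledger_second_use": ledger.redeem(sold),
        "ledger_generated": ledger.redeem(generated),
        "ledger_garbage": ledger.redeem("GIFT0001-0000000000"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:24} {outcome}")
```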

Security Review: Google Voice

By eapter at 4:47 pm

Apologies for reviewing the same technology. The other Google Voice review just appeared for me, which was after I wrote my own. I did check prior to starting this review, and it wasn’t up then.

Summary:

ComputerWorld had an article about Google Voice.  Google Voice is a new service offered by Google to make people’s phones more usable.  Google Voice will automatically transcribe a user’s voicemail into text form, using speech recognition software.  Because the transcription is done with software, there may be some mistakes in the text versions.  The transcriptions will be made available in the user’s inbox.  The service can also e-mail or SMS the messages to you.  If a user desires, the service can be turned off.

Google Voice builds on the technology of GrandCentral, a company that Google bought a few years ago.  This technology allows a user to have a single number for all of their phones.  When this number is dialed, all of the associated phones also ring.  In this way, a user can be contacted regardless of which phone (home, work, cell, etc…).  Google Voice will initially be offered to current users of GrandCentral.


Filed under: Current Events, Privacy, Security Reviews