Current Event: iTunes vulnerability leaks user credentials

By levya at 3:46 pm on March 13, 2009

The recently released iTunes 8.1 closed two major security gaps from the previous version. According to Apple, until the latest release a maliciously crafted podcast could cause iTunes to prompt the user for credentials but send the username and password to a destination other than Apple’s server. Furthermore, a bug in the iTunes DAAP protocol handling allowed attackers to send messages with specific Content-Length fields that caused an infinite loop, and thus a denial of service, for Windows users.
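The Content-Length problem above is a general one: a parser that trusts the advertised length, or loops until it has received that many bytes, can be kept spinning by a peer that never sends them. The following is an added example (not Apple's code, and not a description of the actual iTunes defect) showing the two checks a defensive implementation makes: validate the header value strictly, and bound the read loop so it terminates on EOF. The size limit `MAX_BODY` is a constructed value.

```python
import io

# Constructed upper bound on a body we are willing to buffer.
MAX_BODY = 16 * 1024 * 1024


def parse_content_length(value: str, max_body: int = MAX_BODY) -> int:
    """Validate a Content-Length header value.

    Only a plain ASCII non-negative decimal integer within max_body is accepted;
    negatives, signs, hex, exponents and oversized values are rejected.
    """
    v = value.strip()
    if not (v.isascii() and v.isdigit()):   # rejects '', '-1', '+5', '0x10', '1e9'
        raise ValueError(f"bad Content-Length: {value!r}")
    n = int(v)
    if n > max_body:
        raise ValueError(f"Content-Length {n} exceeds limit {max_body}")
    return n


def read_body(stream, content_length: int, chunk: int = 4096) -> bytes:
    """Read exactly content_length bytes, or fail cleanly on short input.

    The loop is bounded by the remaining byte count and stops on EOF, so a
    peer that advertises more data than it sends cannot keep us looping.
    """
    buf = bytearray()
    remaining = content_length
    while remaining > 0:
        data = stream.read(min(chunk, remaining))
        if not data:                       # EOF before the promised length
            raise ConnectionError(
                f"short body: got {len(buf)} of {content_length} bytes")
        buf += data
        remaining -= len(data)
    return bytes(buf)


def handle_message(header_value: str, payload: bytes):
    """Run both checks; returns ('ok', body) or ('error', reason)."""
    try:
        n = parse_content_length(header_value)
        body = read_body(io.BytesIO(payload), n)
        return ("ok", body)
    except (ValueError, ConnectionError) as e:
        return ("error", str(e))


if __name__ == "__main__":
    print(handle_message("5", b"hello"))
    print(handle_message("100", b"short"))   # advertised 100, delivered 5
    print(handle_message("-1", b"x"))
```

In a real network service the `stream` would be a socket with a receive timeout, so that a peer which simply stops sending is also cut off; the bounded loop here handles the case where the connection closes early.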

Reference: ZDNet

Filed under: Current Events, Privacy

Current Event: Kremlin loyalist admits to launching DDoS attack on Estonia

By beenen34 at 2:46 pm

According to an article from Reuters (http://www.reuters.com/article/technologyNews/idUSTRE52B4D820090313?pageNumber=1&virtualBrandChannel=0), Konstantin Goloskokov, a member of a Russian youth movement, recently claimed responsibility for organizing a group of fellow supporters and executing a Distributed Denial of Service (DDoS) attack on Estonian internet sites approximately 2 years ago, causing them to crash. The attack was allegedly in response to the Estonian government’s move to dismantle a WW2 Soviet army monument.

The event brings up the interesting topic of cyber-warfare. Though Goloskokov claimed that he had no support whatsoever from the youth group or the Russian government, and both the group and government deny involvement, it doesn’t seem too unlikely that attacks on internet infrastructure will become a major part of modern warfare (and in many cases, it probably already is). As the world relies increasingly on the internet to do its everyday business, an attack on websites used by the government or major corporations in a country could cause significant damage. In this case, the Estonian web sites were probably very poorly equipped to handle large amounts of traffic, as a group of friends was able to shut them down, but security measures must be put in place because DDoS attacks by large botnets could be much more difficult to handle.

It appears measures could have been taken to prevent this attack: Goloskokov claims that each individual made multiple requests to the websites, so checking for an excessive number of connections from a single IP address may have helped prevent it. One positive outcome of this attack was that it increased the awareness of NATO, among other agencies, of the threats presented by cyber-warfare and the necessity of putting measures in place to thwart it.
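The per-IP check suggested above can be expressed as a sliding-window counter over an access log. The following is an added example, not part of the original post: it parses constructed log lines of the form `<ISO timestamp> <client ip> <request>`, keeps a window of recent request times per client, and flags any client that exceeds a threshold within the window. The window, threshold and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines: "<ISO timestamp> <client ip> <request>".
# 198.51.100.7 sends six requests in four seconds; 203.0.113.9 is an ordinary visitor.
SAMPLE_LOG = """\
2009-03-13T14:46:00 198.51.100.7 GET /
2009-03-13T14:46:01 198.51.100.7 GET /news
2009-03-13T14:46:01 203.0.113.9 GET /
2009-03-13T14:46:02 198.51.100.7 GET /
2009-03-13T14:46:02 198.51.100.7 GET /news
2009-03-13T14:46:03 198.51.100.7 GET /
2009-03-13T14:46:03 198.51.100.7 GET /
2009-03-13T14:47:30 203.0.113.9 GET /about
2009-03-13T14:48:10 198.51.100.7 GET /
"""


def parse_line(line):
    """Split one log line into (timestamp, client ip); the request text is ignored."""
    ts, ip, _ = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def find_flooding_ips(log_text, window_seconds=10, threshold=5):
    """Return {ip: time first flagged} for clients with more than `threshold`
    requests inside any `window_seconds` span.

    A deque per client holds only timestamps still inside the window, so the
    memory used is bounded by the request rate rather than the log length.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip = parse_line(line)
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                       # drop requests older than the window
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_flooding_ips(SAMPLE_LOG).items():
        print(f"{ip} exceeded threshold at {when.isoformat()}")
```

This kind of check only helps against the scenario the post describes, where each participant sends many requests from one address. As the post itself notes, a botnet spreads the load over thousands of addresses, each staying under any reasonable per-IP threshold, so it needs different defenses (upstream filtering, capacity, or traffic scrubbing).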

Filed under: Current Events

Current Event: Telegraph website hacked

By vkirst at 2:20 pm

The Telegraph, a well-known daily newspaper in the UK, was hacked by a Romanian hacking group last week. The group exposed a weakness in the way the website queried its database for property searches and was able to obtain around 700,000 subscriber email addresses and passwords, stored in plaintext, via a SQL injection attack. The Telegraph took down the site, is in the process of rewriting the code to fix the problem, and is telling subscribers to change their passwords for that site and any other sites where they reused them.

It is unknown exactly what SQL injection string was used to gain access to the database of user emails and passwords, but SQL injection attacks are not terribly difficult to defend against. Considering that the email addresses and passwords were stored in plaintext, and considering the wide range of methods to protect code from SQL injection, it is likely this attack was only possible because the coders of the website were careless and did not think much about security risks when designing the website.
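The two defenses the post alludes to, parameterised queries and not storing passwords in plaintext, are short to show. The following is an added example and is not the Telegraph's code; it builds a constructed in-memory SQLite table standing in for the property-search and subscriber data, contrasts a string-concatenated query with a bound-parameter query on a classic tautology input, and stores passwords as salted PBKDF2 hashes so a stolen table does not yield passwords. Table names, columns and sample rows are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the stored form carries its own parameters."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_db():
    """Constructed in-memory database standing in for the site's tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE properties (id INTEGER PRIMARY KEY, town TEXT, price INTEGER)")
    conn.executemany("INSERT INTO properties (town, price) VALUES (?, ?)",
                     [("Bath", 250000), ("Leeds", 180000), ("York", 320000)])
    conn.execute("CREATE TABLE subscribers (email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)",
                     [("alice@example.com", hash_password("hunter2")),
                      ("bob@example.com", hash_password("correct horse"))])
    return conn


def search_vulnerable(conn, town):
    # String concatenation: the user's input becomes part of the SQL grammar,
    # so a quote in the input changes the meaning of the WHERE clause.
    sql = "SELECT town, price FROM properties WHERE town = '" + town + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, town):
    # Parameterised query: the input is bound as a value and can never
    # alter the statement, whatever characters it contains.
    return conn.execute("SELECT town, price FROM properties WHERE town = ?",
                        (town,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    probe = "Bath' OR '1'='1"        # textbook tautology input
    print("vulnerable:", search_vulnerable(conn, probe))   # every row comes back
    print("safe:      ", search_safe(conn, probe))         # no town has that name
    stored = conn.execute("SELECT pw_hash FROM subscribers WHERE email = ?",
                          ("alice@example.com",)).fetchone()[0]
    print("alice login ok:", verify_password("hunter2", stored))
```

Note that the safe version needs no input filtering at all: the database driver never lets the bound value be parsed as SQL. The hashed password column also means that even a successful dump, as in the Telegraph incident, would not expose subscribers' passwords for reuse on other sites.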

Filed under: Current Events, Ethics, Privacy

Subverting SSL with SSLstrip

By erielt at 1:09 pm

At the recent Black Hat security conference, independent hacker Moxie Marlinspike gave a talk about his new tool sslstrip and the techniques it uses to subvert SSL on a network (a write-up can be found at http://www.itpro.co.uk/609932/website-danger-as-hacker-breaks-ssl-encryption, and the tool and a video of the presentation can be found at http://www.thoughtcrime.org/software/sslstrip/). The presentation covered techniques for subverting SSL directly through browser flaws in handling CA constraints, in addition to his tool, sslstrip, which can be used to perform a man-in-the-middle attack and view all of a user’s network traffic.


Filed under: Current Events

Current Event: Air Force Engineers develop BitTorrent sniffer

By ezwelty at 12:52 pm

Original article: http://arstechnica.com/security/news/2009/02/airforce-engineers-develop-bittorrent-sniffer.ars

The Air Force Institute of Technology has a new method for passive BitTorrent tracking. The system reads the header of BitTorrent packets and compares the hash in the packet against a known set of bad hashes. If a bad hash matches, the system logs it for future investigation. The system uses programmable FPGAs, and sniffing capacity tops out at 100 Mbps.
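The matching step described above can be illustrated against the BitTorrent peer-wire handshake, the first message on a peer connection, which carries the torrent's 20-byte info_hash in a fixed position (1-byte protocol string length, the string "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash, 20-byte peer id). The following is an added example and not the AFIT system's code: it parses that handshake from a captured TCP payload and checks the info_hash against a watch list. The watch-list hashes, peer id and sample payloads are constructed for the example and correspond to no real torrents.

```python
import struct

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # 68 bytes

# Constructed watch list of info_hashes to flag; not real torrents.
BAD_HASHES = {
    bytes.fromhex("00112233445566778899aabbccddeeff00112233"),
    bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
}


def parse_handshake(payload):
    """Return (info_hash, peer_id) if payload begins with a peer-wire handshake, else None.

    Anything that does not start with the fixed protocol string (TLS, HTTP,
    or an MSE/PE-encrypted BitTorrent stream) returns None.
    """
    if len(payload) < HANDSHAKE_LEN:
        return None
    if payload[0] != len(PSTR) or payload[1:1 + len(PSTR)] != PSTR:
        return None
    _reserved, info_hash, peer_id = struct.unpack("!8s20s20s", payload[20:68])
    return info_hash, peer_id


def classify(payload, watch_list=BAD_HASHES):
    """Classify one captured payload: 'match', 'no-match' or 'not-a-handshake'."""
    parsed = parse_handshake(payload)
    if parsed is None:
        return "not-a-handshake"
    info_hash, _ = parsed
    return "match" if info_hash in watch_list else "no-match"


def make_handshake(info_hash, peer_id=b"-PC0001-000000000001"):
    """Build a handshake so the example can construct its own test traffic."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + info_hash + peer_id


if __name__ == "__main__":
    samples = {
        "watched torrent": make_handshake(bytes.fromhex("deadbeef" * 5)),
        "other torrent": make_handshake(b"\x01" * 20),
        "TLS record": b"\x16\x03\x01" + b"\x00" * 70,
    }
    for label, payload in samples.items():
        print(f"{label}: {classify(payload)}")
```

The "not-a-handshake" branch is the blind spot the post mentions: an encrypted BitTorrent session starts with a Diffie-Hellman key exchange rather than the plaintext protocol string, so the info_hash is never visible to a passive observer and this check cannot fire.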

Recent developments in traffic shaping and packet analysis have been largely spurred by large ISPs’ desire to limit users’ consumption of high-bandwidth services such as BitTorrent. Complaints about users of BitTorrent include high bandwidth usage, as well as accusations of illegally sharing copyrighted material.

However, packet inspection at any level raises a number of privacy concerns, as systems at the ISP level would be reading the data that flows through their network from an end user’s machine. Whether this is malicious or not really depends on how ISPs use it. ISPs are highly motivated to keep traffic down so that their networks do not become congested. However, no ISP customer can ever exceed the maximum amount of bandwidth that they are advertised to get, so it seems the ISPs are not being forthcoming about the real amount of bandwidth that they want customers to use.

Bandwidth isn’t the only issue, with litigation being handed out to file sharers. It’s in the ISP’s best interest to stay out of any legal issues it can, which also provides a good motivator for shaping BitTorrent traffic. However, given millions of motivated BitTorrent users versus companies with relatively limited resources, they are fighting an uphill battle that will not end in their favor. This Air Force sniffing technology can’t detect encrypted BitTorrent packets, which comprise 25% of the BT traffic out there. Also, with projects such as OneSwarm, people can set up much more anonymous sharing networks between friends. The only way for corporations to survive file sharing is to adapt, as the Norwegian state broadcasting company did when it started offering its broadcasts as full, unencrypted downloads on its own hosted BitTorrent tracker.

Filed under: Current Events, Ethics, Integrity, Privacy

Democratized DDoS attacks

By mrd5 at 9:26 am

http://blogs.zdnet.com/security/?p=2859
http://www.sourceconference.com/

Mar 13 2009

At Source Boston 2009 (a conference on advanced technology and security application practices), security specialist Dr Jose Nazario gave a talk describing how DDoS (Distributed Denial of Service) attacks are becoming more ‘democratized’ or ‘populist’, and are no longer just the tools of trained computer attackers. He cited various DDoS attacks associated with military campaigns (such as Kosovo or, more recently, Georgia) which seemed to be initiated on a wide scale rather than just by a centralized group of attackers.

This has arisen due to simplification of the weapon, i.e. now it could be as simple as a centralized group of protestors or a citizen militia distributing a simple script which could be run on end users’ machines. An example given was a simple Microsoft batch pinging script distributed to various complicit parties via a message board. More sophisticated scripts exist, but the essential point is that as it becomes easier to run such attacks from a local machine, it will be easier and easier to initiate DDoS attacks on a wide scale in this fashion.

The broader issue here is twofold: the weaponization of computer systems, and the possibility that these could be leveraged by non-military, politically oriented groups as a means of protest as well as attack. The Russian conflict in Georgia most recently brought up broad suspicions of cyber warfare, and many rumors and warnings exist about the potential dangers which could occur. Even the public is generally aware of the threat, given the existence of movies like Die Hard 4 (however inaccurately the threat may be represented).

The speaker concluded by not commenting on the prevalence of such tools in [domestic] political groups. However, it is safe (or unsafe) to assume that as computer integration into daily lives and processes becomes greater and greater, the likelihood of such an attack being publicly launched also increases.

Filed under: Current Events

Face Recognition System: Clever or Creepy?

By devynp at 8:02 am

Photo programs that can organize, recognize, and cluster people’s photos are neat because they allow the user to search for pictures. Face recognition technology has also been used to identify people. The way the system works is that the computer finds the faces in the pictures, then searches for objects in the pictures that look like eyes, a nose, etc. Apple and Google have also developed their own nifty photo programs; the programs are capable of matching different pictures and finding ones with the same person in them.

According to the Technology Review article, these programs do their job pretty well; for example, the Apple program can learn as the user tells it which matches are right and which are wrong. Scarily, Google’s program, Picasa, which has pictures stored in Google’s database, will cluster the pictures according to the faces, let users tag those clusters with names and allow them to further match the clusters to the corresponding people’s email addresses. It is a little bit unsettling that “before [we] know it, Google is asking [us] to identify all those other faces in [the] photographs”, fulfilling its corporate mission “to organize the world’s information and make it universally accessible and useful”, while that is not what we want from a photo-sharing website.

Face recognition systems began to be used after the September 11 attacks. Obviously this is done to help screen out terrorists at security checkpoints, such as airports and federal facilities. This can be helpful for airport security officers, who can concentrate more on other details of the passengers rather than on their faces. The question now is whether this system has high enough accuracy to identify people by their face regardless of other facial features, such as beards or wigs.

One obvious concern with widely available face recognition is privacy. Due to real-name tagging and the fact that email addresses are unique, Google’s Picasa is able to create a global database linking people’s email addresses, names and photos recognized as a particular person together. This is not a new privacy issue; having facial recognition tools adds to the information that is exposed on the web.

One simple way to minimize the exposure or potential violation of your own privacy is to not use these tools. Unfortunately, like all new tools which expose more information about us on the web, there will be hype regarding privacy management. This should be no different.

Source: http://www.technologyreview.com/computing/22234/page1/

Xia Cam and Devy Pranowo

Filed under: Current Events, Privacy

The BBC Borrows a Botnet

By bensona at 4:08 am

In an effort to make the public aware of the threat of botnets, the BBC came very close to violating the UK’s Computer Misuse Act. The BBC technology program Click acquired a botnet of about 22,000 computers and used it to send spam to BBC-owned e-mail accounts. They also mounted a DDoS attack on a site owned by security company PrevX (with their permission, of course). Click acquired the botnet after “visiting chatrooms on the internet.” Before giving up control of the zombie machines, Click advised owners of the vulnerable machines on how to make their systems more secure.

Filed under: Current Events, Ethics

Second most dangerous virus?

By petermil at 2:36 am

Romanian firm SOFTWIN has released an update to its BitDefender security suite, claiming to have created a vaccination for Conficker.

So what is Conficker?

Fast Stats:
Release Date: October 2008
Target Platform: Windows >= Windows 2000 (including Windows 7 Beta)
Exploited Program: Windows Server
Exploit Type: Buffer overflow
Worm Spread: 15,000,000+ PCs
Actions: Disables Windows Update, Security Center, Error Reporting, and Defender. Connects to a server to receive further instructions.

More Detail:

Part of what makes this worm particularly insidious is how it connects to someplace online to get further instructions. This means that it can actively change to address new desires and problems, as well as communicate with its peers. Microsoft even went so far as to create a specific group to combat this worm, as well as offering a $250,000 reward for the capture of the author.

The title of the article comes from the fact that it is ranked second to the SQL Slammer worm of 2003. It has spread to government machines in the UK and Germany (and quite possibly other nations as well). With so much of the world relying upon computerization these days, viruses sure can be a scary thing!

Source: http://www.computerworld.com.au/article/279991/romanians_find_cure_conficker
Additional Source: Wikipedia

Filed under: Current Events, Miscellaneous

DDoS attack on Time Warner Cable’s DNS Servers

By dannya at 11:44 pm on March 10, 2009

At the end of February, a distributed denial of service attack on Time Warner Cable’s DNS servers severely impacted subscribers’ connections for over a week. The problems were supposedly localized to Southern California, according to TWC. Although DDoS attacks are commonly conducted against major ISPs, this attack had more impact and was harder to control. Recently a new DNS DDoS technique, DNS amplification, was discovered which can produce more powerful DoS attacks.

“This new tactic uses a very short query, asking simply the name servers for the ‘.’ domain [a single dot],” said Don Jackson, director of threat intelligence at network security provider SecureWorks. “This domain is the root server domain, so the answer is large [or long]. A list of all the root domain name servers is sent back in response.” If the source IP is spoofed to a target’s address, the target receives all the responses from the DNS servers and will likely be brought down.

According to an Arbor Networks study, DDoS attacks doubled in bandwidth from 2007 to 2008.  Given the new DNS Amplification DDoS attack and the rate of DDoS growth, soon even major ISPs may be vulnerable to attack.

As a way to mitigate DNS server problems, users can switch to OpenDNS, which uses resolvers other than the local ISP’s DNS servers.
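To make the amplification ratio in Don Jackson's description concrete, the following is an added example (not from the post or from SecureWorks): it builds the 17-byte wire-format query for the NS records of the root zone, constructs the kind of uncompressed reply a resolver sends back (13 root-server NS records, constructed here rather than captured), computes the byte ratio between them, and then shows the resolver-side detection a defender would run over its query log: clients that repeatedly receive responses many times larger than their queries are likely spoofed victims and candidates for response rate limiting. The log tuples, client addresses, transaction id and TTL are constructed values.

```python
import struct
from collections import defaultdict


def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels; "." becomes a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_root_ns_query(txid=0x1234):
    """12-byte header (RD set, one question) + question for NS records of '.'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(".") + struct.pack("!HH", 2, 1)     # QTYPE NS, QCLASS IN
    return header + question


ROOT_SERVERS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]


def build_sample_root_ns_response(txid=0x1234, ttl=518400):
    """Constructed reply: header (QR, RD, RA set), the question, 13 NS answers, no compression."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ROOT_SERVERS), 0, 0)
    question = encode_name(".") + struct.pack("!HH", 2, 1)
    answers = b""
    for host in ROOT_SERVERS:
        rdata = encode_name(host)
        # NAME '.', TYPE NS, CLASS IN, TTL, RDLENGTH, RDATA
        answers += encode_name(".") + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query, response):
    """Bytes the target receives per byte the attacker sends."""
    return len(response) / len(query)


# Constructed resolver log: (client ip, qname, qtype, query bytes, response bytes).
# 203.0.113.77 is the spoofed source address; 198.51.100.5 is an ordinary client.
SAMPLE_QUERIES = [
    ("203.0.113.77", ".", "NS", 17, 420),
    ("203.0.113.77", ".", "NS", 17, 420),
    ("203.0.113.77", ".", "NS", 17, 420),
    ("198.51.100.5", "www.example.com", "A", 33, 49),
    ("203.0.113.77", ".", "NS", 17, 420),
]


def suspicious_clients(records, ratio_threshold=10.0, min_queries=3):
    """Client addresses that repeatedly receive responses >= ratio_threshold times
    their query size; on an open resolver these are likely spoofed victims."""
    stats = defaultdict(lambda: [0, 0, 0])          # count, query bytes, response bytes
    for ip, _qname, _qtype, qbytes, rbytes in records:
        s = stats[ip]
        s[0] += 1
        s[1] += qbytes
        s[2] += rbytes
    return sorted(ip for ip, (n, qb, rb) in stats.items()
                  if n >= min_queries and rb / qb >= ratio_threshold)


if __name__ == "__main__":
    q = build_root_ns_query()
    r = build_sample_root_ns_response()
    print(f"query {len(q)} bytes, response {len(r)} bytes, factor {amplification_factor(q, r):.1f}x")
    print("suspicious clients:", suspicious_clients(SAMPLE_QUERIES))
```

The ratio here is around 25x for a plain UDP reply; real responses can also carry additional A records for the root servers, which makes them larger still. The spoofing only works because the attacker's upstream network forwards packets with a forged source address, so ingress filtering at the source network and not answering recursive queries from outside one's own customer base are the structural fixes; the detection above is the operational stop-gap a resolver operator can run today.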

Articles:
http://www.scmagazineus.com/NewstyleofDNSamplificationcanyieldpowerfulDDoSattacks/article/126839/
http://arstechnica.com/security/news/2009/02/time-warner-cable-blames-ddos-attack-for-spotty-service.ars
http://news.cnet.com/8301-1009_3-10093699-83.html?part=rss

Filed under: Current Events