Facebook’s lax security

By zhaoz at 9:30 pm on March 8, 2009 | 1 Comment

Facebook’s policy on applications has some people concerned and wondering if application writing should be more restricted.
The latest attacks have involved privacy leaks, and the installation of malware. Over the last week, five separate security issues have come up. One virus is a variation of “Koobface” which claims that the user must download a plugin to view a video.

Applications on Facebook are not vetted; anybody is allowed to write an app and offer it to other people. Viral apps would often hide functionality in innocent-looking buttons to spread themselves further or give away private information. Despite Facebook’s efforts to disable applications, the current policy allows them to pop up elsewhere.

Some people have clamored for the application hosting policy to be reviewed. Facebook believes it’s too early for these conclusions, and that changing the policy would be too drastic of a move.

(Source: nzherald)

(Source: cnet)

Filed under: Current Events, Policy | 1 Comment »

Current Event: Convicted Botnet Leader Retains Job

By eapter at 8:15 pm on March 7, 2009 | Comments Off

In three sequential articles, ComputerWorld traces the sentencing of convicted botnet leader John Schiefer as well as his continued employment at the start-up Mahalo. Schiefer is an ex-security consultant and is the first botnet leader to be charged under the wiretap statutes. He entered his guilty plea almost a year ago, but sentencing has been delayed until now. He will be paying $2,500 in fines, paying nearly $20,000 in restitution, and spending 4 years in prison. Perhaps what is more interesting is that Mahalo’s CEO Jason Calacanis has both allowed Schiefer to continue working during this time and has expressed a desire to offer him a job upon his release from prison. Calacanis has defended this decision on the basis that he trusts Schiefer and considers him a changed man from the person who committed the earlier crimes.


Filed under: Current Events, Ethics, Policy | Comments Off

Current Event: Facial Recognition in Schools

By couvb at 10:49 pm on March 6, 2009 | Comments Off

Some community colleges in the UK are starting to use facial recognition software to check students into school (article at http://www.cambridge-news.co.uk/cn_news_home/displayarticle.asp?id=396794).  The article focuses on the positive benefits of the new system.  The key benefit is in the time savings of checking the students in.  They also noted that having the data on who is currently at school is helpful in the case of fire drills (or real fires for that matter).

While this technology does make some administrative tasks much simpler and easier to carry out, it is important that steps are taken to keep this data secure. For example, if an attacker could compromise the system, they could potentially track/stalk students more effectively. There is also the issue of false positives and false negatives. If a malicious person is recognized as a legitimate student, then they might be able to hide the fact that that student is missing, among other possibilities. On the flip side, if a legitimate student is not recognized, this would likely cause annoyance if they are informed, or could lead to the assumption that they are skipping when in fact they are there.

Filed under: Current Events | Comments Off

Current Events: UK Company Illegally Sold Worker Data

By jap24 at 8:43 pm on | Comments Off

According to an article at the Guardian, dozens of companies in the UK had been buying personal information about potential employees from a company called the Consulting Association in violation of British data protection laws.  The Data Protection Act made it illegal to collect and distribute private information about individuals without telling them.  The Consulting Association aggregated information from the companies that subscribed to its services, and in return it gave them data on workers trying to get jobs.  The files kept by the Consulting Association included data on union activity and other private details.  Some workers in the British construction industry have claimed for years that companies have been blacklisting union activists, and one worker may have been blacklisted after filing an unfair dismissal case against an employer. This event represents a violation of privacy of employees, and an attempt to stifle organized labor.


Filed under: Current Events, Ethics, Privacy | Comments Off

Current Event: The Elusive Tigger.A Trojan

By Erik Turnquist at 8:24 pm on March 5, 2009 | 1 Comment

The Tigger.A trojan was first discovered by iDefense, a security intelligence firm, in November 2008. It has proven to be very difficult to detect and remove from the beginning, which has many security researchers wondering if Tigger.A may actually be a new type of trojan. Since its discovery it has infected more than 250,000 Windows machines which were mainly located at major stock and options trading firms including E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade as well as Scottrade.


Filed under: Current Events | 1 Comment »

Verisign Will Support DNSSEC by 2011

By millsea0 at 4:27 pm on February 24, 2009 | 1 Comment

Within the next two years Verisign has promised that it will support DNS Security extensions across all of the domains that are top-level. DNSSEC provides measures that allow for primarily the authentication of the origin of DNS data and also provides a means to check the integrity of the data that is being sent. This prevents hackers from misleading web traffic to spoof sites and the problem that arose in the discovery of the Kaminsky Bug.

DNSSEC has already been deployed in other countries (Sweden, Bulgaria, Brazil) and .gov and .org, both domains operated by the United States government, will begin using it later this year. The reason this is so important is the majority of business domains, both .net and .com, are among the most likely to benefit from these changes and currently are waiting for the thirteen root zone server clusters to switch over to the new security standard. Verisign controls two of these server clusters itself.

Filed under: Current Events | 1 Comment »

Current events: Adobe Reader Vulnerability

By sojc701 at 7:57 pm on February 20, 2009 | 7 Comments

Hackers are targeting a zero-day vulnerability affecting Adobe Reader and Acrobat with malicious PDF files. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. Hackers have been spreading malicious PDF files containing the Pidief Trojan. If a person opens the file, the Trojan attempts to exploit an unpatched processing error in Adobe Acrobat Reader 8 and 9, which results in a buffer overflow.

The bug is due to an error in the parsing of certain structures in PDF files. If exploited successfully, the bug could allow a hacker to take complete control of a vulnerable system. “In parsing a specially-crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks, found in the field, use the infamous heap spray method via JavaScript to achieve control of code execution,” blogged McAfee researcher Geok Meng Ong.

In the meantime, security researchers at the Shadowserver Foundation recommend users consider disabling JavaScript. Symantec also recommended Adobe users keep their antivirus up-to-date. “While we continue to investigate this issue, customers are advised to follow best practices and only open email attachments from people they trust,” blogged Symantec researcher Patrick Fitzgerald. “Enabling DEP (Data Execution Prevention) for Adobe Reader will also help prevent this type of attack.”

Adobe acknowledged the zero-day in an advisory to customers calling it critical. It confirmed the flaw in Adobe Reader 9 and Acrobat 9 as well as Adobe Reader and Acrobat 8.1.3 and earlier versions. Adobe officials say a fix for the issue will be available for Adobe Reader and Adobe Acrobat in the coming weeks.

Filed under: Current Events | 7 Comments »

State of Utah Fleeced for $2.5 Million

By jimmy at 1:58 pm on February 17, 2009 | Comments Off

Over 2.5 million dollars was stolen from the State of Utah’s Treasury, according to a recent article in the Salt Lake Tribune. According to the article, an attacker obtained a vendor number for the University of Utah’s construction department, then submitted paperwork with a forged signature from the director changing the department’s bank account to a new Bank of America account located in Texas (the article uses the word “signature” but I can’t seem to find if it was digital or hand-written; I am assuming hand-written given the context). The attacker apparently set up this account using intermediaries who may not have known its purpose. With the account in place, and the paperwork filed, the attacker began submitting invoices on the State of Utah’s website on behalf of the University department, such that deposits were made, summing to nearly $2.5 million, into the fraudulent account. Fortunately the account was frozen before $1.8 million dollars were transferred, resulting in a net loss of $700,000.

Filed under: Current Events | Comments Off

Current Event: YoBusted.com, busted?

By hmu2 at 9:23 am on February 16, 2009 | 2 Comments

According to a recent article from Business Week, a photo-sharing site, YoBusted.com, has crossed the line between maintaining personal privacy and extortion. This site allows users to post incriminating pictures of friends without proof that his or her permission to use the photos has been given. The “busted” friend can remove the photos, but only after paying a fee to become a member of the YoBusted site. According to the article, at least four people found photos on the site that had been taken from their Facebook profiles and posted on YoBusted without their permission and inaccurately tagged with their names (thus wrongly accusing them of participating in the activities depicted in the photos). Facebook has alerted the FBI against this site claiming that posting the pictures was a violation of Facebook’s terms of service and that the site is unlawfully requiring payment for picture removal. YoBusted claims that it provides many services (not just removing pictures) that justify charging a fee to use their site and that in order to maintain the attractiveness of the site, will remove photos under their discretion without charging a fee.

Besides the obvious personal security concerns of having embarrassing photos posted online without the individual’s permission, there are larger issues here: anyone can make a website that can provide almost any service they want. YoBusted is an incorporated company using a legally registered domain to provide a service that allows anyone to be the paparazzi and everyone to be the next big tabloid story. This site is the incarnation of a common public desire: gossip, only people are taking it more personally when it’s their face plastered all over a website instead of some big movie star or politician. Quite frankly, I think this site is teaching users a valuable lesson: don’t put embarrassing photos of yourself on the internet and increase the privacy settings on your social networking sites.

I think another big issue highlighted by this controversy is that individuals are no longer in control of their online reputations. It seems that even a person who has never accessed the internet can’t escape some amount of information about themselves being somewhere online. The underlying question is how can people combat something they can’t even detect? Are internet users (and non-internet users for that matter) really expected to constantly surf the web to ensure no one has posted something about them without their permission?

People will most likely react to this site’s attempt to provide a “valuable” service with concern and fear, which will hopefully encourage them to take down embarrassing photos of themselves and increase their privacy settings online.  In the broader social context, maybe this issue will make people think twice before they do something stupid. I doubt it, but for humanity’s sake, I can at least give them the benefit of the doubt.

Note: YoBusted.com is currently “Under Construction”. I’d be interested to know if this is a direct result of Facebook’s accusations and/or other political/social influences.

Filed under: Current Events, Ethics | 2 Comments »

Weak Password

By liaowt at 3:33 pm on February 14, 2009 | 4 Comments

According to Yahoo! News, the statistics of 28,000 passwords that were recently stolen from a popular US website and posted on physorg.com show that “16 percent took a first name as a password … 14 percent relied on the easiest keyboard combinations to remember such as ‘1234’ ….” People tend to use passwords that are easy to remember such as names, their favorite words, etc. Since most people have many accounts, in order to manage their login passwords, they tend to choose easy-to-remember passwords.

One way to prevent people from using weak passwords is to have a built-in password checker when users register a new account or want to change their passwords (like the one that is posted here). There should be a requirement for the password length and combination. A secure password has to be at least 8 characters long and it “should include a combination of uppercase and lowercase letters, numbers, and symbols.” Moreover, it would be helpful if there were a short side note on how to create a secure password.

The attacker can compromise people’s accounts using these easy-to-remember passwords and has about a 40 percent chance of getting it correct. Other than that, users tend to write their passwords down in their notes or on their PC. By doing this, attackers can easily get access to users’ computers and get their passwords.

If people think that their account for a website is not that important to them, they won’t even bother to change their passwords to stronger ones. They believe that even though they have weak passwords, their accounts won’t be attacked. On the other hand, people would probably change their weak passwords to more complex ones for financial accounts such as bank accounts or private accounts like Gmail.
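The built-in password checker the post describes, as an added example that is not part of the original post: it enforces the 8-character minimum and the four character classes, and also rejects the two weak patterns the statistics call out, bare first names and easy keyboard combinations such as ‘1234’. The name and sequence lists are constructed for the example, not taken from the leaked data.

```python
import re
import string

# Constructed sample lists for this example (not from any real password leak):
# a few common first names and the easy keyboard combinations the post mentions.
COMMON_FIRST_NAMES = {"michael", "jennifer", "david", "jessica", "john"}
KEYBOARD_SEQUENCES = ("1234", "12345", "123456", "qwerty", "asdf", "abcd", "password")


def password_problems(password: str) -> list[str]:
    """Return the rules a candidate password fails; an empty list means it passes.

    Rules follow the post: at least 8 characters, a mix of uppercase and
    lowercase letters, digits and symbols, and nothing that is just a first
    name or an easy keyboard combination.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    lowered = password.lower()
    # Drop trailing digits/symbols so a name with a suffix like 'Jessica1!'
    # is still recognised as a first-name password.
    core = re.sub(r"[^a-z]+$", "", lowered)
    if core in COMMON_FIRST_NAMES:
        problems.append("based on a common first name")
    for seq in KEYBOARD_SEQUENCES:
        if seq in lowered:
            problems.append(f"contains easy keyboard combination '{seq}'")
            break
    return problems


def is_acceptable(password: str) -> bool:
    """True when the password meets every rule; use at registration or change."""
    return not password_problems(password)
```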

Filed under: Current Events, Ethics | 4 Comments »