Current events: Microsoft offers money for catching Conficker virus creator

By sal at 10:57 pm on February 13, 2009 | 3 Comments

I didn’t pay much attention to the event mentioned earlier about the Conficker virus until this new event related to it arose – after all, is being infected by a virus such a rare occasion?
To remind you, it is estimated that there were over 10 million computers infected with the worm, which utilized a bug in Windows OS to infect unprotected computers, including those in government and military organizations. Creators can start issuing commands to this network of hijacked computers by simply registering one of the domain names from its big list.
So, Microsoft decided to offer a $250k reward for information on the authors of the Conficker virus. Since this is one of those rare occasions on which Microsoft has offered a reward, it convinced me of the severity of the problem.
These rewards have been shown to work in the past, one of the most famous cases being the sentencing of a writer of Sasser in Germany. Microsoft happens to strike a good balance between stick and carrot politics in an attempt to achieve security for its products, moving more towards carrots lately (such as organizing the BlueHat conference for outside security professionals, for example).
Although there is a trend in countries such as, say, Russia to implement harsher sentencing for cybercrimes, for many countries the complexities associated with getting the reward or reaching sentencing remain a big obstacle to those willing to turn in the creators of viruses.
Looking at the bigger picture, offering bounties utilizes the trustfulness of a hacker who shared his adventures with his colleagues, hoping they would keep them secret. But it seems there could be an inverse relation: the more bounties are given out, the less effective they will become. However, it is still interesting to see how some virus creators elaborately cover their tracks technologically, but fail to realize the severity of the risk of the human factor from their standpoint. Let’s see whether it works this time.

Filed under: Current Events, Miscellaneous | 3 Comments »

Current Events: $9 million ATM scam

By elenau at 7:58 pm on | 6 Comments

 

The FBI is investigating an ATM scam that occurred within a 30-minute period on November 8th. About 130 different ATM machines were accessed to withdraw a total of about $9 million. The scam hit 49 cities worldwide, including Moscow, Chicago, New York, Hong Kong and Montreal.

The FBI says that the operation was very well coordinated, and at this time no suspects have been identified.

The description of the attack follows. First, the computer system of the payment processing company called RBS WorldPay was hacked.

“One service of the company is the ability for employers to pay their employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM.” The hacker was able to access the system and steal all the information needed to create the duplicates of the ATM cards.

Filed under: Current Events, Privacy | 6 Comments »

Current Event : Privacy is a joke

By kosh at 6:19 pm on | 3 Comments

How many of you have received letters from your banks about a ‘revised’ privacy policy? Have you even bothered to read through this revised policy information? And the .000001% of you that have, have you ever found anything objectionable and done anything about it?

Welcome to the new joke called ‘Privacy’. No, I’m not talking about the most intimate information that you already have on Facebook (which, by the way, Facebook now owns and has the rights to share). I’m talking about the numerous merchants/banks/credit companies that you do business with but never really cared about what they do/could do with your information. When you read phrases like ‘shared with affiliates’ and ‘shared with third parties’, have you wondered what the difference between these two is? And besides, have you wondered why on earth banks would need to share your information with other people in the first place?

Almost all of us never think twice about how our information is freely passed around (for money, of course) in the open market for ‘agencies’ to analyze. Such information is then sold by VISA to other marketing companies for ‘market analysis’ and ad campaign management. I have a friend who works for VISA and he was able to pull up every purchase I’ve ever made on the credit card and all he needed was my credit card number, which is easily available (how many of you shred your old credit cards?).

And guess what!!?? You have no control over who they share it with because, well, first of all, you never really read their privacy document. Even if you read it when you got the credit card, you never really read it the numerous times that they sent you the revised privacy policy. Now again, to the .00001% that read the document every time, you have no control over how VISA decides who their affiliates/partners and third parties are.

Concerned yet? Privacy in the current state is nothing but a big joke.

The only viable solution seems to be a universal privacy declaration/document issued by the government that the companies can be held responsible to. As much as we all hate a big brother state, trusting a bunch of greedy banks/credit companies/vendors is much worse.

Filed under: Current Events, Privacy | 3 Comments »

Current Events: Monster.com data breach

By dravir at 6:12 pm on | 1 Comment

 

According to MSNBC (http://www.msnbc.msn.com/id/29017452/), Monster.com along with USAJobs.com (which Monster’s parent company runs) was breached, resulting in the theft of user IDs, passwords, email addresses, names and phone numbers. The number of records stolen was not disclosed, nor were any details concerning how the thief obtained access to their databases.

Filed under: Current Events | 1 Comment »

Private information ***LIKE NEW***

By Frung at 2:29 am on | 3 Comments

Ever considered ‘recycling’ your computer without thoroughly wiping your hard drive first? Don’t. A recent study suggests that up to 40% of hard drives that end up on eBay and aren’t explicitly marked as erased may contain easily recoverable data from previous owners.

Filed under: Current Events, Physical Security, Privacy | 3 Comments »

Current Event: Tracking BitTorrent

By nhunt at 10:44 pm on February 12, 2009 | 5 Comments

The Air Force Institute of Technology recently announced a new technique for “detecting and tracking illegal content transferred using the BitTorrent file-trading protocol.” The authors claim their technique differs from previous attempts because it does not change any of the traffic going over the network.

The tool examines the first 32 bits of the file’s header to identify BitTorrent traffic on the network. Once a connection has been identified as a BitTorrent transfer, the file’s hash is compared against a blacklist of known “contraband files.” These blacklisted files are described as “pirated movies, music, or software, and even child pornography.” Rather than disrupting the transfer, this tool simply logs the network addresses involved, presumably for later prosecution.

Filed under: Current Events, Miscellaneous | 5 Comments »
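
A sketch of the passive check the post above describes, added here as an illustration; it is not the AFIT tool or code from the post. It assumes the "first 32 bits" are the start of the standard BitTorrent peer handshake (the byte 0x13 followed by "BitTorrent protocol") and that the "file's hash" is the 20-byte info-hash carried in that handshake. The function names, the watchlist and the sample flows are constructed.

```python
import hashlib

PSTR = b"BitTorrent protocol"
MAGIC = bytes([len(PSTR)]) + PSTR[:3]        # first 32 bits: 0x13 'B' 'i' 't'
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes in total

def info_hash_of(payload):
    """Return the hex info-hash if payload opens with a peer handshake, else None."""
    if payload[:4] != MAGIC:                  # cheap 32-bit pre-filter
        return None
    if len(payload) < HANDSHAKE_LEN or payload[1:20] != PSTR:
        return None                           # truncated or look-alike traffic
    return payload[28:48].hex()               # info-hash follows 8 reserved bytes

def scan(flows, watchlist):
    """Passively record (src, dst, info_hash) for flows whose hash is listed."""
    hits = []
    for src, dst, first_payload in flows:
        digest = info_hash_of(first_payload)
        if digest in watchlist:               # traffic itself is never modified
            hits.append((src, dst, digest))
    return hits

def handshake(info_hash, peer_id=b"-XX0000-constructed!"):
    """Build a constructed handshake for the sample data below."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id

# Constructed sample data: hashes of made-up strings, documentation-range addresses.
LISTED = hashlib.sha1(b"constructed listed torrent").digest()
OTHER = hashlib.sha1(b"constructed unlisted torrent").digest()
WATCHLIST = {LISTED.hex()}
FLOWS = [
    ("192.0.2.10:51413", "198.51.100.7:6881", handshake(LISTED)),
    ("192.0.2.11:40000", "198.51.100.8:6881", handshake(OTHER)),
    ("192.0.2.12:40001", "203.0.113.5:80", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.13:40002", "198.51.100.9:6881", handshake(LISTED)[:30]),  # truncated
]

if __name__ == "__main__":
    for hit in scan(FLOWS, WATCHLIST):
        print(hit)
```

Only the first flow is logged: the second carries an unlisted hash, the third is not BitTorrent, and the fourth passes the 32-bit pre-filter but is too short to contain an info-hash.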

Current Event – Mexico Plans to Fingerprint Cell phone Users

By tchan at 6:43 pm on | 3 Comments

According to a recent article, Mexico plans to start fingerprinting all cell phone users. A new law will give Mexico cell phone providers a year to create a database with their customers’ information, including fingerprints. Providers would also have to store information such as text and voice messages and logs of a customer for one year. Currently, anyone can purchase a prepaid cell phone with a certain amount of minutes without any identification. This would change as new and existing cell phone users would have to be fingerprinted and entered into a database that would allow officials to match cell phones and messages to a customer.

Filed under: Current Events, Privacy | 3 Comments »

Illegal file transfer using BitTorrent protocol

By devynp at 4:54 pm on | 1 Comment

BitTorrent has been popularly used for transferring files illegally because it reduces a vast amount of networking bandwidth that would have been required. The way it works is that users can connect to each other directly to send and receive files. The tracker generally does not have any information about the contents of the file being transferred because the users directly connect one-to-one. There’s no one server that serves all users. Also, the uploading and downloading processes happen at the same time, allowing it to use the bandwidth efficiently.

Because of the speed and no-cost transfer, the BitTorrent protocol has been used by people to transfer files, such as movies, music, and software, illegally.

It is hard to prevent the development of such a smart protocol. People have all sorts of things in mind to develop. The creator of BitTorrent apparently has a creative mind to create such a protocol that uses bandwidth efficiently and allows people to share files with one another, rather than downloading from a central server.

Illegal file sharing can negatively affect a lot of people. The entertainment industry will be at a loss because people wouldn’t go out to the store to buy a CD. The consumers will download those files almost instantly and for free, without caring about the consequences of their illegal download. As a result, entertainment industries are losing profits, and soon, they would collapse. In the long run, the companies will lose incentive to create/improve new products and, in the worst case, the consumers may not be able to enjoy such entertainment anymore.

To prevent the illegal file sharing issues, the government can enforce copyright laws stringently. The consequences of illegal downloads may be enforced through campaigns. A more recent technique has been found: sniffing illegal file transfers. This tool can detect such transfers and keeps a record of the transfer as evidence. The nice thing is that the tool works silently; it will not slow down the network traffic.

Filed under: Current Events | 1 Comment »

Current Event – FAA, Kaiser Permanente Security Breaches; Tens of Thousands of Names Compromised

By cxlt at 10:25 pm on February 10, 2009 | 3 Comments

FAA

In another of a long line of high-profile security breaches both in and out of the government recently, the Federal Aviation Administration has announced that in the course of a breach of their computer system, over 45,000 employee names – and presumably, personal information – were compromised. The systems were thankfully not connected to the air traffic control system or other critical operations systems.

The FAA is said to be following up with potentially affected individuals one by one.

Similarly, healthcare giant Kaiser Permanente reported on Sunday that nearly 30,000 employee names, addresses, Social Security numbers, and dates of birth were stolen. The breach was a chance discovery – the files containing the data were found in the possession of one Mia Garza, who was arrested on unrelated counts of stolen property and fraud. It is unclear how she came to possess the data, and thus it is entirely possible that copies of it are still in the hands of malicious people. As she was arrested on December 23rd of last year, it has clearly been quite some time since the breach occurred.

According to Kaiser, existing security policy included restricted access to sensitive information by ACL and encryption of data on electronic devices, including cell phones – both measures that sound wise. It is still entirely possible that the issue was policy not in fact being followed – Kaiser does not know what caused the loss of data.

Due to the lack of detail surrounding both of these events, they serve simply as a reminder of how broadly security breaches can affect people on a personal scale. In just a few weeks, companies and government agencies ranging from the above to RBS WorldPay – an event in which 1.5 million people’s financial information and 1.1 million Social Security numbers were stolen – Heartland Payment, which processes over four billion payments a year, and even security specialists Kaspersky have all suffered high-profile data breaches.

Hopefully all these attacks will remind other organizations to take a long, hard look at their security systems.

Filed under: Current Events | 3 Comments »

Current Event: Kaspersky Hacked

By Ryan McElroy at 5:00 pm on February 8, 2009 | Comments Off

Kaspersky, an Antivirus vendor and Internet Security Lab, recently fell victim to an internet hacker using an SQL-injection attack. The attack compromised data in all databases accessible to the web server. According to the hacker, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”

Discussion on the board where the hacker originally announced the successful attack has mostly been congratulatory, especially after the hacker announced that he would not expose any confidential information he had found (although he may have already done so with the password hashes).

On Slashdot, discussion includes the insightful comment, echoing the advice in the textbook, that blacklisting and escaping isn’t sufficient: “No. Escaping is error-prone as you will invariably fail to escape some special character you don’t know about. The right way to fix SQL injection is to use parametrized queries.”

Timely advice!

Filed under: Current Events, Ethics | Comments Off
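
The point quoted from Slashdot in the post above, shown as an added example that is not code from the post or from the affected site. The schema, function names and sample rows are constructed; the lookup takes a numeric parameter, a context where quote escaping changes nothing because the crafted value contains no quote at all.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE activation_codes (code TEXT);
        INSERT INTO products VALUES (1, 'Antivirus'), (2, 'Firewall');
        INSERT INTO activation_codes VALUES ('SAMPLE-CODE-0001');
    """)
    return db

def escape_quotes(value):
    """Naive escaping: doubles single quotes and nothing else."""
    return value.replace("'", "''")

def lookup_escaped(db, product_id):
    """Weak form: escaped input is still concatenated into the SQL text."""
    sql = "SELECT name FROM products WHERE id = " + escape_quotes(product_id)
    return [row[0] for row in db.execute(sql)]

def lookup_parametrized(db, product_id):
    """Corrected form: input is bound as a value and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in db.execute(sql, (product_id,))]

# Constructed input: no quote character, so escape_quotes() returns it unchanged.
CRAFTED = "0 UNION SELECT code FROM activation_codes"

if __name__ == "__main__":
    db = make_db()
    print("escaped     :", lookup_escaped(db, "1"), lookup_escaped(db, CRAFTED))
    print("parametrized:", lookup_parametrized(db, "1"), lookup_parametrized(db, CRAFTED))
```

With the escaped query the crafted parameter returns a row from `activation_codes`; with the bound parameter the same string is compared as a value against `id` and matches nothing.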