Security Review: New Weapons in the Fight Against Doping

By oterod at 9:57 pm on March 13, 2009

The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. Marion Jones, for instance, a five-medal winner in Sydney’s 2000 summer Olympics, was retroactively indicted on drug charges and agreed to forfeit her awards. While the revelation shocked many, Jones relinquished her medals and life went on.

Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.

(Read on …)

Filed under: Current Events, Ethics, Integrity, Research, Security Reviews

Current Events: One more botnet-related legal fray

By oterod at 8:52 pm

As part of an “exposé” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to two specific test addresses, and finally, used their botnet to bring down a security firm’s backup website via DDoS. The DDoS attack was done with permission from the “victim” company (Prevx).

Now the BBC group is in a spot of legal trouble as their use of a botnet could potentially implicate them in the violation of the UK’s Computer Misuse Act. While BBC claimed that their use of the botnet was purely academic, and therefore not criminal, they did take control of non-consenting citizens’ home PCs. More importantly, in purchasing the use of a botnet, reportedly at somewhere between $300-$400 per machine, the news network essentially funneled a few million dollars into the hands of cybercriminals. And all so that they could demonstrate what many papers and news articles before them already had.

The journalists, at surface level, did a good job of keeping things academic and avoiding any sort of cybercrime. They spammed their own test e-mail accounts. They DDoS’d a prepared and willing target. They also put warning documentation on the infected machines, at experiment’s conclusion, explaining to their users that they had been infected, and how to best avoid future infections. Ultimately, however, by mere involvement with and commandeering of hijacked personal machines – and especially thanks to funding the true criminal party – they did indeed commit some level of criminal act. To what degree they are held responsible is now a matter for the British courts to decide.

This is just one more occurrence in a string of botnet-related legal issues. A similar issue plagued German malware researchers with the means to potentially dissolve the Storm worm’s botnet(s) (see http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/). It seems that academicians of all types are running into a fundamental problem with this particular security threat: there is no way to legally study it “in the wild.” The moment a researcher connects to a botnet, takes control of it, or otherwise interacts with it, he or she risks legal consequences. Whether or not any charges stick is a different matter, and quite frankly, it will take some time before reasonable precedents clarify the legal “consensus,” but regardless these issues represent a significant impediment to progress in anti-botnet research.

Filed under: Current Events, Ethics, Policy, Privacy, Research

Security Review: UW Parking Enforcement

By ezwelty at 3:32 pm

The parking at the University of Washington has always been a deadly game of cat and mouse between driver and parking enforcement. There are limited parking resources on campus, and parking enforcement wants to make sure that they are maximizing their revenue for the spaces they have available. On the flip side, poor students/faculty are trying to get away with parking their cars/motorcycles free of charge.

There are a few assets that parking enforcement wants to protect. One is their revenue stream — making sure that they are receiving money for the parking that is available. Another is the availability of spaces, so that legitimate paying customers won’t be turned away at the door if the lots are oversold. In both cases, the adversary is the driver trying to cheat the system (aka, me).

One weakness of the system stems from having way more parking spots than there are parking enforcement officials. While this can work in a cheater’s favor in general, the longer one spends in the same spot, the more likely they are to be eventually ticketed. This might assume someone illegally parked would stay shorter — but then they have the added overhead of having to move their car frequently. One way that they can combat this is to deploy resources first towards the most high-traffic lots, and then check less frequently at satellite lots.

Another weakness of the system involves procedures for contesting tickets through the parking department. Any ticket can be contested through the office, and last checked, they had an average turnaround of 3-6 months, no doubt due to bureaucratic inefficiencies. If an adversary were to contest a ticket, they wouldn’t have to pay it for months, and would be likely to get it fined. One could also try sending in a longer letter to the department as to why they deserve to not get the ticket, in order to push it to the back of the queue for processing.

In the future, there might be an emphasis on more high-tech solutions (such as cameras) to quickly monitor parking lots and possibly detect cheaters. For the time being, however, there are some vulnerabilities in the parking system that allow attackers to get away with free campus parking undetected.

Filed under: Ethics, Integrity, Miscellaneous, Security Reviews

Current Event: Telegraph website hacked

By vkirst at 2:20 pm | 1 Comment

The Telegraph, a famous daily newspaper in the UK, was hacked into by a Romanian hacking group last week. The group exposed a weakness in the way the website queried its database for property searches and was able to obtain around 700,000 subscriber email addresses and passwords in plaintext via a SQL injection attack. The Telegraph took down the site and is in the process of rewriting the code to fix the problem, and is telling subscribers to change their passwords for that site and other sites.

It is unknown exactly what SQL injection string was used to gain access to the database of user emails and passwords, but SQL injection attacks are not terribly difficult attacks to defend against. Considering the email addresses and passwords were stored in plaintext, and considering the wide range of methods to protect code from SQL injection, it is likely this attack was only possible because the coders of the website were careless and did not think much about security risks when designing the website.
(Read on …)

Filed under: Current Events, Ethics, Privacy
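
The two defenses the Telegraph post points to, bound query parameters and not storing passwords in plaintext, shown as an added example that is not part of the original post or the Telegraph's code. The `properties` table, its columns, the function names and the hostile input are all assumptions constructed for illustration; the string actually used in the incident is unknown.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed textbook input that closes the quote early; not the incident's string.
HOSTILE = "x' OR '1'='1"


def make_db():
    """In-memory stand-in for a property-search database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE properties (id INTEGER, town TEXT, price INTEGER)")
    db.executemany("INSERT INTO properties VALUES (?, ?, ?)",
                   [(1, "Leeds", 150000), (2, "York", 210000), (3, "Bath", 320000)])
    return db


def search_concat(db, town):
    # Weak form: the user's text becomes part of the SQL statement itself,
    # so quote characters in it change the query's structure.
    sql = "SELECT id FROM properties WHERE town = '" + town + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def search_bound(db, town):
    # Hardened form: the statement is fixed and the value is bound separately,
    # so the database only ever compares it against the town column.
    sql = "SELECT id FROM properties WHERE town = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (town,))]


def hash_password(password, salt=None):
    """Return (salt, scrypt digest); store these instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", search_concat(db, HOSTILE))  # every row matches
    print("bound:       ", search_bound(db, HOSTILE))   # no town has that name
```

With salted scrypt digests in the table, a dumped subscriber list no longer hands over passwords that can be replayed on other sites.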

Current Event: Air Force Engineers develop BitTorrent sniffer

By ezwelty at 12:52 pm

Original article: http://arstechnica.com/security/news/2009/02/airforce-engineers-develop-bittorrent-sniffer.ars

The Air Force Institute of Technology has a new method for passive BitTorrent tracking. The system attempts to read the header of BitTorrent packets, and compare the hash in the packet to a known set of bad hashes. If a bad hash is matched, then the system logs it for future investigation. The system uses programmable FPGAs, and sniffing capacity tops out at 100Mbps.

Recent developments in traffic shaping / packet analysis have been largely spurred by large ISPs’ desire to limit users’ consumption of high-bandwidth services such as BitTorrent. Complaints towards users of BitTorrent include high bandwidth usage, as well as accusations of illegally sharing copyrighted material.

However, packet inspection at any level raises a number of privacy concerns, as systems at the ISP level would definitively be reading the data that flows through their network from an end user’s machine. This can either be malicious or not — it really depends on how ISPs use it. It seems like ISPs are highly motivated to keep traffic down so that they can keep their networks from becoming congested. However, no ISP customer can ever exceed the maximum amount of bandwidth that they are advertised to get. It seems like the ISPs are not being forthcoming about the real amount of bandwidth that they want customers to use.

Bandwidth isn’t the only issue, with litigation being handed out to file sharers. It’s in the ISP’s best interest to stay out of any legal issues they can, which also provides a good motivator for packet shaping BitTorrent traffic. However, given millions of motivated BitTorrent users versus companies with relatively limited resources, they are fighting an uphill battle that will not end up in their favor. This Air Force sniffing technology can’t detect encrypted BitTorrent packets, which comprise 25% of the BT traffic out there. As well, with projects such as OneSwarm, people can set up much more anonymous sharing networks between friends. The only way for corporations to survive file sharing is to adapt, like the Norwegian state broadcasting company did when it started offering its broadcasts as full, unencrypted downloads on its own hosted BitTorrent tracker.

Filed under: Current Events, Ethics, Integrity, Privacy
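
A software sketch of the matching step the BitTorrent post describes, added here as an example and not the AFIT system's code: it reads the plaintext peer handshake (length byte 19, the string "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash, 20-byte peer ID) and checks the info_hash against a watchlist. The function names, watchlist and sample payloads are constructed assumptions; the third sample stands in for an encrypted stream, which carries no plaintext header to match.

```python
import hashlib

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes in total


def extract_info_hash(payload):
    """Return the 20-byte info_hash if payload begins with a plaintext
    BitTorrent peer handshake, otherwise None."""
    if len(payload) < HANDSHAKE_LEN:
        return None
    if payload[0] != len(PSTR) or payload[1:1 + len(PSTR)] != PSTR:
        return None
    start = 1 + len(PSTR) + 8  # skip length byte, protocol string, reserved bytes
    return payload[start:start + 20]


def scan(payloads, watchlist):
    """Return (index, hex info_hash) for every payload whose hash is watched."""
    hits = []
    for index, payload in enumerate(payloads):
        info_hash = extract_info_hash(payload)
        if info_hash is not None and info_hash in watchlist:
            hits.append((index, info_hash.hex()))
    return hits


def build_handshake(info_hash, peer_id):
    """Assemble a handshake the way a client sends it (for sample data only)."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id


# Constructed sample data: hashes of made-up labels, not real torrents.
WATCHED = hashlib.sha1(b"constructed watched torrent").digest()
OTHER = hashlib.sha1(b"constructed unrelated torrent").digest()
PEER = b"-XX0001-" + b"0" * 12
SAMPLES = [
    build_handshake(WATCHED, PEER),                          # watched hash
    build_handshake(OTHER, PEER),                            # unwatched hash
    hashlib.sha256(b"stand-in for encrypted stream").digest() * 3,
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",         # unrelated traffic
]

if __name__ == "__main__":
    for index, hex_hash in scan(SAMPLES, {WATCHED}):
        print("log for investigation: payload", index, "info_hash", hex_hash)
```

Only the first sample is logged: the unwatched torrent parses but does not match, and the encrypted stand-in never parses at all, which is the blind spot the post mentions.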

The BBC Borrows a Botnet

By bensona at 4:08 am

In an effort to make the public aware of the threat of botnets, the BBC comes very close to violating the UK’s Computer Misuse Act. The BBC technology program Click acquired a botnet of about 22,000 computers and used them to send spam to BBC-owned e-mail accounts. They also mounted a DDoS attack on a site owned by security company PrevX (with their permission, of course). Click acquired the botnet after “visiting chatrooms on the internet.” Before giving up control of the zombie machines, Click advised owners of vulnerable machines on how to make their systems more secure. (Read on …)

Filed under: Current Events, Ethics

Security Review: In-Eye Video Camera

By jimmy at 1:15 pm on March 9, 2009

Rob Spence, a Canadian filmmaker, is currently developing a prototype to equip his prosthetic eye with a built-in, wireless video camera. The digital system, while not able to transmit information to his brain, will be able to route the signal through a series of increasingly large transmitters to a remote machine, which could potentially stream that data live on the internet. As Spence explains, “If you lose your eye and have a hole in your head, then why not stick a camera in there?”

Spence hopes to be able to integrate this recorder seamlessly into his existing prosthetic eye, such that a casual observer would not be able to notice its presence (for a stunning picture of how realistic his current eye looks, and how small his current camera is, see the article linked at the bottom of this post). He plans to have an on/off switch, so the recording feature can be stopped for private events, theater screenings, or bathroom trips. Spence and his team are currently working to shrink all of the necessary components such that they are small enough and lightweight enough to fit within the space of an eye-socket, without weighing enough to cause disfigurement.

(Read on …)

Filed under: Ethics, Physical Security, Privacy, Security Reviews

Current Event: Convicted Botnet Leader Retains Job

By eapter at 8:15 pm on March 7, 2009

In three sequential articles, ComputerWorld traces the sentencing of convicted botnet leader John Schiefer as well as his continued employment at the start-up Mahalo. Schiefer is an ex-security consultant and is the first botnet leader to be charged under the wiretap statutes. He entered his guilty plea almost a year ago, but sentencing has been delayed until now. He will be paying $2,500 in fines, paying nearly $20,000 in restitution, and spending 4 years in prison. Perhaps what is more interesting is that Mahalo’s CEO Jason Calacanis has both allowed Schiefer to continue working during this time and has expressed a desire to offer him a job upon his release from prison. Calacanis has defended this decision on the basis that he trusts Schiefer and considers him a changed man from the person who committed the earlier crimes.

(Read on …)

Filed under: Current Events, Ethics, Policy

Current Events: UK Company Illegally Sold Worker Data

By jap24 at 8:43 pm on March 6, 2009

According to an article at the Guardian, dozens of companies in the UK had been buying personal information about potential employees from a company called the Consulting Association in violation of British data protection laws.  The Data Protection Act made it illegal to collect and distribute private information about individuals without telling them.  The Consulting Association aggregated information from the companies that subscribed to its services, and in return it gave them data on workers trying to get jobs.  The files kept by the Consulting Association included data on union activity and other private details.  Some workers in the British construction industry have claimed for years that companies have been blacklisting union activists, and one worker may have been blacklisted after filing an unfair dismissal case against an employer. This event represents a violation of privacy of employees, and an attempt to stifle organized labor.

(Read on …)

Filed under: Current Events, Ethics, Privacy

Current Event: YoBusted.com, busted?

By hmu2 at 9:23 am on February 16, 2009 | 2 Comments

According to a recent article from Business Week, a photo-sharing site, YoBusted.com, has crossed the line between maintaining personal privacy and extortion. This site allows users to post incriminating pictures of friends without proof that his or her permission to use the photos has been given. The “busted” friend can remove the photos, but only after paying a fee to become a member of the YoBusted site. According to the article, at least four people found photos on the site that had been taken from their Facebook profiles and posted on YoBusted without their permission and inaccurately tagged with their names (thus wrongly accusing them of participating in the activities depicted in the photos). Facebook has alerted the FBI against this site claiming that posting the pictures was a violation of Facebook’s terms of service and that the site is unlawfully requiring payment for picture removal. YoBusted claims that it provides many services (not just removing pictures) that justify charging a fee to use their site and that in order to maintain the attractiveness of the site, will remove photos under their discretion without charging a fee.

Besides the obvious personal security concerns of having embarrassing photos posted online without the individual’s permission, there are larger issues here: anyone can make a website that can provide almost any service they want. YoBusted is an incorporated company using a legally registered domain to provide a service that allows anyone to be the paparazzi and everyone to be the next big tabloid story. This site is the incarnation of a common public desire: gossip, only people are taking it more personally when it’s their face plastered all over a website instead of some big movie star or politician. Quite frankly, I think this site is teaching users a valuable lesson: don’t put embarrassing photos of yourself on the internet and increase the privacy settings on your social networking sites.

I think another big issue highlighted by this controversy is that individuals are no longer in control of their online reputations. It seems that even a person who has never accessed the internet can’t escape some amount of information about themselves being somewhere online. The underlying question is how can people combat something they can’t even detect? Are internet users (and non-internet users for that matter) really expected to constantly surf the web to ensure no one has posted something about them without their permission?

People will most likely react to this site’s attempt to provide a “valuable” service with concern and fear, which will hopefully encourage them to take down embarrassing photos of themselves and increase their privacy settings online.  In the broader social context, maybe this issue will make people think twice before they do something stupid. I doubt it, but for humanity’s sake, I can at least give them the benefit of the doubt.

Note: YoBusted.com is currently “Under Construction”. I’d be interested to know if this is a direct result of Facebook’s accusations and/or other political/social influences.

Filed under: Current Events, Ethics