Weak Password

By liaowt at 3:33 pm on February 14, 2009 | 4 Comments

According to Yahoo! News, statistics on 28,000 passwords recently stolen from a popular US website, as posted on physorg.com, show that “16 percent took a first name as a password … 14 percent relied on the easiest keyboard combinations to remember such as ‘1234’ ….” People tend to use passwords that are easy to remember, such as names, their favorite words, etc. Since most people have many accounts, in order to manage their login passwords they tend to choose easy-to-remember passwords.

One way to prevent people from using weak passwords is to have a built-in password checker when users register a new account or want to change their passwords (like the one posted here). There should be a requirement on password length and composition. A secure password has to be at least 8 characters long and “should include a combination of uppercase and lowercase letters, numbers, and symbols.” Moreover, it would be helpful if there were a short side note on how to create a secure password.
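As an added example (not part of the original post, and not any real site’s registration code), here is a small Python checker that enforces the length and character-class rules above and also rejects the two password families the cited statistics single out: first names and keyboard walks such as ‘1234’. The name and common-password lists are constructed stand-ins for the dictionaries a real deployment would load.

```python
import re
from typing import List

# Constructed lists (not from the post): a handful of common first names and
# common passwords standing in for the real dictionaries a deployed checker would load.
COMMON_FIRST_NAMES = {"john", "david", "michael", "jennifer", "sarah", "daniel"}
COMMON_PASSWORDS = {"password", "letmein", "welcome", "monkey", "qwerty"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 8
MIN_RUN = 4   # any 4+ adjacent keys in a row ("1234", "qwer", "4321") count as a keyboard walk


def keyboard_runs(password: str) -> List[str]:
    """Return the keyboard-adjacent runs of MIN_RUN keys (either direction) found in password."""
    lowered = password.lower()
    found = set()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):          # forward and reversed ("4321" is a walk too)
            for i in range(len(seq) - MIN_RUN + 1):
                chunk = seq[i:i + MIN_RUN]
                if chunk in lowered:
                    found.add(chunk)
    return sorted(found)


def check_password(password: str) -> List[str]:
    """Return the reasons a candidate password is weak; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in (("lowercase letter", r"[a-z]"), ("uppercase letter", r"[A-Z]"),
                           ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    # Strip digits and symbols before the dictionary checks so that "David1!" and
    # "Password2009" do not slip past as 'complex' spellings of a name or a common word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_FIRST_NAMES:
        problems.append("based on a common first name")
    if core in COMMON_PASSWORDS:
        problems.append("based on a common password")
    runs = keyboard_runs(password)
    if runs:
        problems.append("contains keyboard sequence " + ", ".join(runs))
    return problems


def is_acceptable(password: str) -> bool:
    """True when the candidate passes every rule above."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("1234", "David1!", "Password1!", "Tr0ub4dor&3"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Composition rules alone would accept “Password1!”, which is why the dictionary check strips digits and symbols before comparing; a checker that only counts character classes mostly teaches users to append “1!” to the word they were going to use anyway.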

Attackers can compromise people’s accounts using these easy-to-remember passwords, and they have about a 40 percent chance of getting it right. Other than that, users tend to write their passwords down in their notes or on their PC. This way, an attacker who gets access to the user’s computer or notes can easily get the passwords.

If people think that their account for a website is not that important to them, they won’t even bother to change their passwords to stronger ones. They believe that even though they have weak passwords, their accounts won’t be attacked. On the other hand, people would probably change their weak passwords to more complex ones for a financial account such as a bank account or a private account like Gmail.

Filed under: Current Events, Ethics

Current Event: Kaspersky Hacked

By Ryan McElroy at 5:00 pm on February 8, 2009 | Comments Off

Kaspersky, an Antivirus vendor and Internet Security Lab, recently fell victim to an internet hacker using an SQL-injection attack. The attack compromised data in all databases accessible to the web server. According to the hacker, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”

Discussion on the board where the hacker originally announced the successful attack has mostly been congratulatory, especially after the hacker announced that he would not expose any confidential information he had found (although he may have already done so with the password hashes).

On Slashdot, discussion includes the insightful comment, echoing the advice in the textbook, that blacklisting and escaping isn’t sufficient: “No. Escaping is error-prone as you will invariably fail to escape some special character you don’t know about. The right way to fix SQL injection is to use parametrized queries.”

Timely advice!
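As an added example, not part of the original post or of Kaspersky’s code, the following Python script uses an in-memory SQLite database with a constructed schema to show the difference the Slashdot comment is getting at: a query built by string concatenation, the same query with quote escaping bolted on, and the parameterized version. The table names and the ?id= parameter are assumptions for illustration.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not Kaspersky's schema): one public table the page is
    meant to query, and one sensitive table the web server's DB account can also reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        CREATE TABLE activation_codes (id INTEGER PRIMARY KEY, code TEXT);
        INSERT INTO products VALUES (1, 'Antivirus', 1), (2, 'Internet Security', 1);
        INSERT INTO activation_codes VALUES (1, 'AAAA-1111'), (2, 'BBBB-2222');
    """)
    return conn


def product_name_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[str]:
    """Vulnerable on purpose: the URL parameter is pasted straight into the SQL text."""
    sql = f"SELECT name FROM products WHERE public = 1 AND id = {product_id}"
    return [row[0] for row in conn.execute(sql)]


def product_name_escaped(conn: sqlite3.Connection, product_id: str) -> List[str]:
    """Still vulnerable: quote-escaping is the usual 'fix', but this parameter sits in a
    numeric position with no quotes to break out of, so the payload needs none."""
    escaped = product_id.replace("\\", "\\\\").replace("'", "''")
    sql = f"SELECT name FROM products WHERE public = 1 AND id = {escaped}"
    return [row[0] for row in conn.execute(sql)]


def product_name_parameterized(conn: sqlite3.Connection, product_id: str) -> List[str]:
    """The fix: the SQL text is constant and the value travels separately, so it can only
    ever be compared against id, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


# Constructed payload: the attacker alters one URL parameter (?id=1) into a UNION that
# pulls rows out of a table the page was never meant to show.
PAYLOAD = "1 UNION SELECT code FROM activation_codes"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", product_name_vulnerable(db, PAYLOAD))
    print("escaped:      ", product_name_escaped(db, PAYLOAD))
    print("parameterized:", product_name_parameterized(db, PAYLOAD))
```

The escaping version fails for exactly the reason the comment predicts: it escapes the characters the programmer thought of (quotes and backslashes), but the parameter sits in a numeric position where the payload needs neither. The parameterized query never parses the value as SQL, so the UNION arrives as a string that matches no id. Parameterization also does nothing about the second problem the hacker’s quote describes, that one web application’s database account could read activation codes and admin tables at all; that is a least-privilege question on the database side.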

Filed under: Current Events, Ethics

Security Review: The Bike and its Lock

By oterod at 11:12 pm on February 6, 2009 | 2 Comments

EDIT: It appears that I goofed with the “more” tag when I first posted this, so I’ve included the rest of the article below.

Since the days of waking up at 5am to watch the Tour de France live with my dad at eight years old, I’ve been a big fan of bikes. I’ve since grown to love riding them, and spent several years as an avid road racer. While I’m somewhat of an anomaly, many of you also rely on cycling for transportation to class, to work, and elsewhere. Unlike cars, which are just slightly harder to steal, bikes are the candy-from-a-baby in the world of theft. One magazine article I read several years ago had a “professional bike thief” (probably a security professional who learned methods of theft in his research) attempt to steal a bike secured by one each of every available bike lock on the market at the time. In public. The result? All but a single lock could be circumvented so quickly that nobody in the area even noticed that it was not unlocked by normal means.

I have to say, I am particularly bitter about bike security. A few years ago I was living in Stevens Court with a few friends. A past summer job at Gregg’s Greenlake Cycles had yielded an absurdly cheap employee purchase of a Lemond Tourmalet, a very nice road bike. I wasn’t using it to commute to school (who locks up a bike like that around the Ave?), but I did have it in our apartment so I could go riding. One day I came home and it had been stolen from my living room. My roommates had left the front windows wide open and the door unlocked. Go go speed racer, go.


Filed under: Announcements, Ethics, Physical Security, Security Reviews

Current Event: Google Releases ‘Latitude’

By vincez at 6:19 pm on | 3 Comments

Google has released a new product called ‘Latitude’. It is an extension based on the extremely popular Google Maps web application that allows users to track the exact location of friends and family members using the GPS signal in their mobile phones. This product has already launched, and even with the received criticism Google is standing behind its new product.


Filed under: Current Events, Ethics

Current Event: racial profiling no more effective than random screening

By ezwelty at 8:56 am on | Comments Off

In “Study: racial profiling no more effective than random screen”, ArsTechnica reports on a new study by William Press, who claims that using profiling at security checkpoints such as airports is not effective in catching threats. The ineffectiveness, according to Press, stems from small numbers of screeners being able to only resample a small subset of the total population at any given moment. Screeners, on the average, end up retesting the same innocent individuals that happen to have large correlations with risk profiles.

This event arises from the current security concerns of DHS, and their mandate to catch terrorists at the various entrances to the United States. It seems that the methods employed in profiling are faulty, and need revisiting. As a counter-example to this article, the Israeli airports employ racial profiling to great success in ensuring security, and haven’t had an incident since 1986 — however, they combine these profiling methods with other forms of security measures.

However, there are larger issues in having such broad-sweeping racial profiling in the US. Applying racial targeting to minorities at checkpoints would cause a fair amount of backlash, considering the historical implications. As well, the racial groups that are on profiling lists are likely not adversarial threats, and their members are certainly as legitimate citizens as people who aren’t on the list. Also, relying heavily on profiling means that defeating it is simply a matter of not fitting the current terrorist profile.

While there have been some success stories in racial profiling with regards to border security, the idea leaves a bad taste in my mouth. There are inarguably a number of things that DHS can do to improve security at checkpoints (hiring competent TSA employees comes to mind) without going down the dangerous path of racial profiling — profiling that has been shown in this recent study to be mostly ineffective given how it is currently applied.

Original Article: http://arstechnica.com/science/news/2009/02/study-racial-profiling-no-more-effective-than-random-screen.ars

Filed under: Current Events, Ethics, Integrity, Physical Security

Current Event: Rigged Red Lights

By petermil at 1:05 am on | 2 Comments

Summary

In Italy, public officials have been abusing their authority to make more money from the public by making reds come earlier than they are supposed to (a shorter-duration yellow than legally allowed). This means that, since cameras are used to automatically ticket people running red lights (see the security review of automated traffic cameras for a different look at that aspect), they can make money off residents who are given inadequate time to come to a stop and thus must run a red.

Who Was Hurt By It

Drivers have been economically affected, with 1439 people caught over two months (the fine is 150 Euros, or roughly $190 at the current exchange rate). Prior to that, at most 900 people would have been expected to be caught, assuming the maximum number of tickets normally given were given out every day (this means a 50% increase over a value previously considered unrealistic to obtain!).

The public has also suffered a reduced amount of trust in the transparency and honesty of their government–a system which was out of their control and which they were mostly powerless to oppose or investigate was found to have been compromised in such a way that people were labelled as both criminals and charged unfair money.

Who Did It

109 officials are being investigated with regards to it, although the programmer himself is the current person taking most of the blame in the news.  Also involved were: police, local government officials, and the heads of seven different companies. Roughly 300 municipalities and a host of different companies were profiting from this scheme.

What’s Being Done

Currently a criminal case is being pursued against those responsible.  However, this does not really address the problem–the faulty systems are still in use, and ultimately fixing them should be the first priority.  Although the programmer responsible has a lawyer proclaiming his innocence, ultimately a review of the cameras themselves will need to be done.

Long Term View

This adds yet another complaint against automated traffic cameras.  Many object on privacy reasons, but this also adds concerns about faulty software, either maliciously or through incompetence.  Although it is unlikely that Italy will suddenly abandon automated traffic cameras, it may cause them to take a second look at them, at the least, and hopefully be more open in the future.  In all likelihood, however, they will continue to use a closed source solution, and will merely (hopefully) patch this problem.

Finally, this also adds another potential weakness to the list in the security review–corrupt officials who view it as a way of making more money.

Source: http://arstechnica.com/tech-policy/news/2009/02/italian-red-light-cameras-rigged-with-shorter-yellow-lights.ars

See also: http://cubist.cs.washington.edu/Security/2009/02/05/security-review-automated-traffic-enforcement

Filed under: Current Events, Ethics, Integrity

UW CSE Resources

By ezwelty at 4:42 pm on February 5, 2009 | 2 Comments

As an undergraduate student in the computer science department, there are a number of computing resources available for use. A number of these resources are through the web browser, and have private, personal information associated with them (for instance, MyCSE).

Experimental Attack

Since we were recently doing XSS attacks in our lab, I decided to experiment with them in a more real setting by sending a fake email to the cse484 mailing list, to see how many students/TAs clicked:

Hey, I’m trying to set up my web server for lab 2, but I think I’m having DNS issues with the subdomain I set up not propagating. Can anyone check this page (http://security.30tonpress.com) and see if they get an OK page?

Thanks,
David

That URL then loaded a fake DNS success page, as well as version 1 of my Yoshoo exploit in a small FRAME at the bottom of the page. Surprisingly, 19 people in the class clicked the phishing link. Since class mailing lists are generally not thought of as adversarial places, students are much more likely to click links posted to them, especially if there’s a halfway-decent cover story to back them up. This makes an adversary’s life much easier.

There are a number of reasons someone might try XSS attacks on CSE resources: for example, malicious students who want to cause havoc and chaos for others in their class by modifying what they have turned in, or someone who wants to gain access to all the personal information the CSE department has on another student.

Weakness #1 – Yoshoo Lab 2

The first attack is on Lab 2 for CSE484, which involves using any captured Yoshoo authtokens to change a student’s grades back to zeroes for part 1-5. This will cause them to lose points on the lab come grading time, lowering the average score on the lab, and boosting the attacker’s score with respect to the grading curve.

A stolen authtoken can be used to log into someone’s y.um.my account and upload new phishing URLs. These URLs could then be used to grab authtokens for parts 1-5 of the grades DB. An adversary could then easily change the grades with these tokens using the same steps they did for their own project.

Weakness #2 – CSENetIDs

When accessing a protected resource on any *.cs.washington.edu, the CSENetID service is used to authenticate users in the browser. A cookie is then saved on that user’s computer under the domain: *.cs.washington.edu, with the key: csenetid_l. This puts an implicit trust on all subdomains under the cs.washington.edu domain. This means that any malicious phishing page that runs on a subdomain of cs.washington.edu that is set up to capture document.cookie from the browser will pick up the CSENetID token of any user who has recently logged in.

Once an attacker has that token, they can spoof your session. If the CSENetID auth service does any additional IP validation of the machine, the IP of the phished user can be spoofed in order to fool the web server into granting access to the attacker.

Potential Defenses

There are defenses against these attacks that can be implemented on both the server-side and the client-side.

On the server side, any site that wants to use CSENetID authorization could explicitly talk to an authorization server within its web application’s code (given a standard module for use with different languages like PHP, Python, etc.). This could then set an authtoken cookie only on the CSE subdomain that needs authorization. However, this has two downsides. One is that every subdomain would require a user to log in again. Another is that if the module is not well designed, some of the burden of providing a high level of security might be shifted to each individual web application, as opposed to one central module.
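As an added example, not from the original post or from the CSENetID service, here is a Python model of the browser’s cookie-scoping rules (RFC 6265) applied to the two designs discussed above: a token set with Domain=cs.washington.edu, which is the current scheme as Weakness #2 describes it, versus a host-only token set by a single application, which is the server-side defense just proposed. The host names weblogin.cs.washington.edu, mycse.cs.washington.edu and evil.cs.washington.edu are constructed for the illustration. The model also includes the HttpOnly attribute, which the post does not mention: it leaves the cookie attached to requests but hides it from document.cookie, the exact channel the phishing frame read.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # Domain attribute without its leading dot, or the setting host if absent
    host_only: bool    # True when Set-Cookie carried no Domain attribute (RFC 6265 s5.3 step 6)
    http_only: bool    # HttpOnly: still sent on requests, but invisible to document.cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: the host equals the domain or ends with '.' + domain.
    A plain substring test would wrongly match cs.washington.edu.evil.com."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Parse the parts of a Set-Cookie header value that decide scoping (Path is ignored here)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain: Optional[str] = None
    http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val.strip():
            domain = val.strip().lower().lstrip(".")   # browsers ignore a leading dot
        elif key == "httponly":
            http_only = True
    setting_host = setting_host.lower()
    if domain is None:
        return Cookie(name, value, setting_host, True, http_only)
    # RFC 6265 s5.3 step 6: a server may only widen the scope to a domain it belongs to.
    if not domain_matches(setting_host, domain):
        raise ValueError(f"{setting_host} may not set a cookie for {domain}")
    return Cookie(name, value, domain, False, http_only)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_matches(request_host, cookie.domain)


def readable_by_script(cookie: Cookie, page_host: str) -> bool:
    """Could document.cookie on a page served from page_host see this cookie?"""
    return sent_to(cookie, page_host) and not cookie.http_only


if __name__ == "__main__":
    # Constructed hosts: the login service, one application, and a phishing page an
    # attacker managed to host somewhere under the same domain.
    shared = parse_set_cookie("csenetid_l=tok; Domain=.cs.washington.edu; Path=/",
                              "weblogin.cs.washington.edu")
    scoped = parse_set_cookie("authtoken=tok; Path=/", "mycse.cs.washington.edu")
    for label, c in (("domain-wide", shared), ("host-only", scoped)):
        print(label, "reaches evil.cs.washington.edu:", sent_to(c, "evil.cs.washington.edu"))
```

Two things the model makes explicit: a Domain cookie is sent to every host under that domain, so the trust boundary is the whole cs.washington.edu namespace and anyone who can host a page there; a host-only cookie (no Domain attribute) only goes back to the exact host that set it, which is the log-in-again-per-subdomain trade-off the post describes. HttpOnly closes the document.cookie read without changing where the cookie is sent, so it stops the script-based capture described above but not an attacker who can already read the subdomain’s traffic or responses.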

On the client-side, there are a number of extensions to Firefox that can make browsing safer. One is NoScript, which only lets JavaScript, Java, and Flash execute on sites you explicitly trust. This way, you can check out a link before deciding to let it run arbitrary code. As well, Google provides a Firefox plugin based on data they have gathered about various phishing sites, that will alert a user when they are about to visit a known XSS site.

Conclusions

Even in the context of a security-focused class of students, a good portion still clicked my phishing link. For this reason, it is extremely important for clients of web applications to install plugins that can help them spot phishing attacks and respond to them. As well, there is an obligation on anyone running a server-side application to sanitize any XSS vectors and reduce the amount of data that is exposed via cookies.

Filed under: Ethics, Privacy, Security Reviews

Security Professional Works as Botmaster

By erielt at 4:55 pm on January 30, 2009 | 2 Comments

Security Professional John Schiefer has continued to work in the computer security field for 15 months while he has been waiting to be sentenced for being a botmaster of a 250,000 bot herd (http://www.theregister.co.uk/2009/01/23/botmaster_sentencing_kerfuffle/). This Los Angeles based security consultant has been awaiting sentencing since pleading guilty in November of 2007. Since then, Schiefer has stated that he has been working as a professional in the security field as well as a network engineer for an internet startup. The prosecutors have requested the minimum 60-month sentence, followed by five years of supervised release. Luckily, everyone in this class has signed an ethics form so nothing like this will happen.


Filed under: Current Events, Ethics

Security Review: Pandemic Prevention

By hmu2 at 3:08 pm on | 2 Comments

According to a New Scientist article, a company called Biorics wants to control the spread of pandemic disease by dispersing “cough-detecting” microphones throughout airport lounges. The proposed technology would detect coughing passengers and distinguish a common-cold-like cough from one that could be a symptom of a serious and spreadable disease. In 1998, a group of scientists from the Nippon Medical School in Tokyo, Japan showed that they could discriminate between productive and non-productive coughs, where a productive cough is usually accompanied by the expulsion of phlegm (i.e. a sick person’s cough). Biorics used this research to develop a system that theoretically could detect a sick traveler in an airport and stop the spread of a possibly devastating disease.


Filed under: Ethics, Miscellaneous, Policy, Security Reviews

Current events: Sony Ericsson a victim of its own employee

By sal at 10:54 pm on January 16, 2009 | 7 Comments

Issues of stealing physical or intellectual property (physically or electronically) in the context of a malicious company insider are closely interrelated, as some common prevention mechanisms can be adopted for both.

According to a recent article by Mikael Ricknas, cell phone prototypes were stolen from the company by its own employee. As Mikael points out, although the total cost did not exceed about $90,000, there could have been bigger indirect losses if competing companies had been made aware of these designs.

As one of my employers at a security company I worked for mentioned, “opportunity” is the key word for why thefts occur. Company employees often have the most such opportunity. Even employees with good intentions, as mentioned in an article by Alex Johnson, “Cybercrooks’ best friend? Experts say it’s you”, are among the biggest threats to company security.

Depriving company employees of all such opportunities is an impossible task as long as the company has employees, but significantly reducing the chances of such breaches occurring is possible by at least two well-known means. The latter article mentions the commonly cited policy of “least privilege” as one way of prevention. Also, electronic monitoring and recording of activities, and making employees aware of such monitoring, or at least creating the impression that such monitoring exists, could be another of the most effective methods for deterring or shifting away such crimes.

Some ethical issues, such as privacy protection and employer-employee trust, will apparently arise from overusing some of these methods, and companies will always have to find a good balance. Although Sony Ericsson did not appear to disclose many details about the event, it is undoubtedly beneficial for society in general that crimes of this type are made public, as it emphasizes the problem and (if an arrest follows) can serve as yet another deterrent.

Filed under: Current Events, Ethics, Physical Security, Privacy