16 hackers got arrested in Quebec recently

By felixctc at 12:49 am on February 24, 2008 | 2 Comments

Recently, the police department in Quebec, Canada, busted an international hacking network. Sixteen people between the ages of 17 and 26 were arrested, and according to the police this was the biggest hacking scam in Canadian history. These hackers collaborated online to attack and take control of about one million computers all over the world that had no firewall or anti-virus software; because those machines were unprotected, the attackers were able to inject Trojans or worms into them. The investigators mentioned that the hackers profited about 45 million dollars.

Filed under: Current Events, Ethics, Integrity

Security Review: Automated Teller Machine

By kurifodo at 10:07 pm on February 6, 2008 | Comments Off

Summary:
Automated Teller Machines (ATMs) have been around since the late 1930s. Nowadays they can be found all over the place. The common and accepted use of these machines is to draw money from your bank account in a convenient and accurate manner. To do this, we typically insert a bank card into the machine with a magnetic strip encoded with our account information such as our name, our account number, a special PIN, and maybe another number or two for security depending on the card. Once we input our card, we must communicate with the machine through the display and keyboard interfaces. These are the only means of communication for normal transactions.

However, what are some of the other aspects of ATMs? The money is typically held in armored metal drums these days with only one entry-exit point. Video footage of ATM use is also recorded these days in the event something does happen, so authorities will have more information at their disposal to react. Messages to and from Data Bank Centers are relayed via a network in order to confirm account details. The machine’s innards are encapsulated with layers of physical security such as an outer casing, the armored drum mentioned for the money, locks, and a series of sensors such as magnetic, seismic, and thermal.

Assets:

  • The cash every ATM holds. I would have to venture to say this is the most common asset sought after by thieves of ATMs.
  • ATM components such as the card reader, CPU, sensors, etc. These could be valuable to study in order to better mount an attack on an ATM.

Potential Adversaries/Threats:

  • The common thief. Anyone who robs banks, gas stations, etc. would seem likely to be the type to try to attack an ATM. Every once in a while you hear about a thief tethering their truck to an ATM in hopes they can carry it away with the truck. This is just one example of my “common thief.”
  • The manufacturers of ATMs and/or the persons who restock the ATMs. These individuals have an inside edge over others when it comes to having information about the ATM’s design and access to the innards of the machine. Though, the person restocking the machine probably wouldn’t stock the machine and then try to steal from it. They might, however, sell information about how to get inside the machine.

Weaknesses:

  • Stolen or duplicated bank cards. If a thief can obtain a real or duped bank card, they are one step away from withdrawing money from your account. They would also need your PIN, and this might be discovered through observing you punch it in, or through the bank’s records somehow.
  • The owner’s manual gives away default passwords and methods for putting the machine into certain modes of operation. For example, this actually happened and can be read about at http://blog.wired.com/27bstroke6/2006/09/atm_hack_uncove.html?entry_id=1560245
  • The network communication lines could be tapped and signals might be altered. A confirmation message from the Data Bank Center might be altered to up the amount withdrawn from the ATM, but not recorded on your account.
  • The ATM is only metal and machinery. It can be destroyed and/or carted off with enough force. Then at a later time, it can be dismantled without worry of time if it were successfully carted off. This is known as Ram-raiding: http://en.wikipedia.org/wiki/Ram-raiding

Potential Defenses:

  • As another physical layer of security, the ATM could sit on top of a vault in the ground where the money would be held. This way, if someone stole the ATM, they would not steal the money, and it would just be harder to get to overall.
  • Sensors could be put into place to detect if someone is tampering with the innards of the machine in an unauthorized manner, and if so, a self-destruct mechanism of the core parts could be initiated (fry the parts?).
  • Instead of a bank card to initiate a transaction, the ATM could require a fingerprint also or retinal scan.

Risks and other issues:

Out of the two assets above, I would say the money in the ATM is the item at most risk. This is due to the value of the asset compared to anything else the ATM is composed of. Cash is the most liquid of all forms of payment, and it cannot be traced easily. These properties make the asset highly attractive. Next, considering the threats and adversaries, I believe the employees who restock the machine have the least risk of being caught. This is because they have access to the machine at certain times. It would be obvious if they stole the money before restocking the machine, but accessing the machine afterwards might be feasible to make it appear as if someone else did the bad deed. Next, I would think the manufacturers of the machines would have the next least risk. They have knowledge of the system, and from the article above, it can be seen that if you have only the owner’s manual, you can steal from some ATMs. It would make sense then that people unaffiliated with the machines, like criminals, would have the most risk. They must break the security of the machine from scratch, which is more difficult than if they had inside information. Finally, from the weaknesses above, I would think the last weakness, ram-raiding, is the approach most likely to be taken. This is because it seems quick with numbers of people on your side, it can be done without revealing your identity, and you have an escape vehicle on hand. The bank card approach seems tricky since once you have stolen someone’s card, they can just cancel it, and in the interval of time when they haven’t canceled, you need to get to an ATM with knowledge of their PIN to draw money.

By exploiting any of these vulnerabilities above, an individual is definitely participating in an unethical act. Taking the money in an ATM is a classic example of stealing. As a society, we have agreed that stealing is wrong, so this does not need any more explanation.

Conclusion:

Ever since ATMs were first introduced, criminals have sought to rob them. It is a serious deal, and the level of protection on ATMs these days shows just how serious organizations are about protecting the assets inside. Nowadays, the security systems are probably “good enough”, and we should be more worried about user and design error. After a system is at a certain level of security, it might be too costly to go much further, and perhaps responding to acts against the ATM is a better course of action at that point. Design error should be a major cause for concern though. As the article linked above shows, if default passwords and operation modes are left available to anyone with the ATM manual, then things can go very wrong.

Filed under: Ethics, Physical Security, Security Reviews

Bank teller arrested for $3.2M theft

By mstie74 at 3:24 pm on | 3 Comments

A Romanian bank teller was arrested for illegally transferring $3.2M into two bank accounts by using his director’s password.  There is no detail in the article to describe how the teller acquired the director’s password but this could have been done in a myriad of different ways including shoulder surfing, brute force guessing, or social engineering.  In this case, the adversary was a trusted employee and may not have been considered a threat.

http://www.msnbc.msn.com/id/23027131/

This is a great example of how adversaries can be anywhere and even the most secure systems are only as secure as the people who administer them.  All the technology we use to secure communications, systems, and data is virtually worthless when someone can acquire the necessary credentials to bypass all that.

It is important to remember that there is more to security than just encryption and buffer overflows. Policy and user education are equally important aspects.

Filed under: Current Events, Ethics

Logic Bomb Fails to Cripple Medco’s Systems

By kurifodo at 2:09 pm on January 27, 2008 | 2 Comments

In a recent article on Computerworld, it was reported that a former system administrator of Medco planted a logic bomb which was intended to cripple the company’s network. Medco deals with prescribing drugs and various other health services. Due to the nature of this attack, the well-being of Medco’s customers was put at risk. Fortunately, the logic bomb did not succeed: it is reported that the first wave of the attack failed due to buggy code, and subsequent waves were detected and prevented before they could trigger. The former system administrator will now serve 30 months and has to pay $81,200 in damages.

It is mentioned that upcoming layoffs could have triggered the system administrator (Lin) to commit this offense. Medco had just been restructured, and layoffs had taken place, but Lin did not lose his job. However, there were more layoffs to come, so perhaps in anticipation, Lin planted the logic bomb. It is difficult to say if there could have been anything done to prevent this offense. Since Lin was a system administrator, it is difficult to stop or deter a person of this position if they are willing to commit such a serious offense. I think the best a company could do is respond to actions taken by employees by checking their work, but enforcing a system like this would be too pricey and time consuming to be plausible.

As mentioned before, the impact of this event, if it were successful, could have been very serious. People’s lives could have been lost due to lack of prescription drugs, and others could have been damaged for life potentially. One very difficult question to answer is, what should we do with people like Lin? What kind of punishment is suitable for the crime? Even though it was not successful, the intent to harm was always present. After Lin completes his sentence, should he be trusted to work with a company’s computer systems? Who knows if Lin will have learned his lesson, or if he will be even more upset and “out to get the world.” I would think it is safe to say that a company will never hire Lin to work on their computer systems with this kind of event on his record.

Filed under: Current Events, Ethics, Policy

Say goodbye to saying ‘Hello’

By Chad at 11:49 pm on January 20, 2008 | 2 Comments

Microsoft has filed a patent application for a monitoring system that collects data such as heart rate, respiration rate, body temperature, and brain signals and interprets this into the worker’s stress, frustration and productivity levels. Microsoft claims that it will optimize management and production by allowing employers to view current reports of their employees and allowing coworkers to be alerted when their fellow employees need help. Yet the ethical implications are unnerving. A friendly conversation at your workstation could lead to a warning that your productivity was below average. Or if you’re having trouble at home and bring it to work, your coworkers could be notified.

I’m sure Microsoft only has the best intentions for this system, yet it sounds too close to Orwell’s “Thought Police.” Adversaries wouldn’t need to interpret your purchases on Amazon or intercept wireless signals beaming your thoughts to a game console; they’d just need to be your coworker, and in a company as big as Microsoft, you may find yourself with a lot of adversaries.

Note: While this article is marked in the “Current Event” category because of its recent posting in Scientific American and Techdirt, the patent was actually filed June 27, 2006.

Filed under: Current Events, Ethics, Privacy

MySpace is NotSafe

By kurifodo at 1:29 pm on January 19, 2008 | Comments Off

A recent article concerning user privacy on MySpace made it known there is a serious flaw in the social network’s security. The reported exploit of the bug allows anyone, not just MySpace account holders, to view private profiles and private photo galleries. Ideally, if a user marks their profile and pictures as private, only friends or individuals they allow to view their information should have access. It was mentioned in the article that URLs were modified to circumvent the privacy security installed on MySpace presently; this exploit is similar to Pablo’s demonstration of the duped CNN page using a modified URL.

As the article mentions, one reason this event came about is due to individuals posting on forums asking how to view these private profiles. Even more disturbing, however, is the fact that these individuals on the forums are targeting teens. It is also reported that this bug has been in circulation on forums for months now, and so it would seem likely that MySpace knew of the bug, but was too lazy to do anything about it. If they did not know, then ignorance is no excuse. From the high-level and brief description of the bug in the article, it seems this event and others like it could have been prevented altogether with a better system architecture to begin with. Since anyone is able to modify the MySpace URLs and input a user’s ID to gain access, it would seem MySpace does not check if the exploiter is logged in. If they do check this, then spoofing a user’s account credentials seems all too easy on MySpace.
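
The flaw reasoned about above, a server that serves a private gallery based only on the user ID in the URL, set beside the check the post says was missing. This is an added illustration, not MySpace’s code; the `userID` parameter name, the profile data and the URL are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlparse


@dataclass
class Profile:
    owner_id: int
    private: bool
    friends: Set[int] = field(default_factory=set)
    photos: List[str] = field(default_factory=list)


# Constructed sample data: one private profile with a single friend, one public one.
PROFILES = {
    1001: Profile(1001, private=True, friends={2002}, photos=["beach.jpg"]),
    2002: Profile(2002, private=False, photos=["dog.jpg"]),
}


def user_id_from_url(url: str) -> Optional[int]:
    """Read the target profile from the query string (hypothetical 'userID' parameter)."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs["userID"][0])
    except (KeyError, ValueError):
        return None


def view_photos_insecure(url: str) -> Optional[List[str]]:
    """The pattern the post describes: the server trusts the ID in the URL and never
    asks who is requesting, so changing the ID exposes any private gallery."""
    profile = PROFILES.get(user_id_from_url(url))
    return None if profile is None else profile.photos


def view_photos_secure(url: str, session_user: Optional[int]) -> Optional[List[str]]:
    """Hardened pattern: the decision comes from server-side session and friend state,
    never from the URL alone. None means the gallery is not served."""
    profile = PROFILES.get(user_id_from_url(url))
    if profile is None:
        return None
    if not profile.private:
        return profile.photos            # public galleries are fine for anyone
    if session_user is None:
        return None                      # anonymous requester: never serve private content
    if session_user == profile.owner_id or session_user in profile.friends:
        return profile.photos            # owner or an approved friend
    return None                          # logged in, but not authorized for this profile
```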

Due to MySpace being one of the largest, if not the largest, social networking sites on the web, there is a potentially large societal impact due to this bug. Personal photos and information can be stripped from profiles and placed on other sites for who knows what reasons. Clearly this type of event is an invasion of privacy, and should be prevented from occurring as soon as possible. Not only is this type of act against the rules, it is against the wishes of the victims. How should these victims react? They signed up for a service expecting their information to be protected, but they received a vulnerable service which puts their information at risk. Should MySpace have to compensate individuals somehow due to harming their user base? Users must pay the consequences when breaking the “Terms and Conditions” of a service oriented site, so should this swing the other way?

Filed under: Current Events, Ethics, Privacy

Define “Safe”…

By jimg at 2:26 pm on January 18, 2008 | 3 Comments

An article in InformationWeek yesterday exposes the details of what McAfee’s ScanAlert product actually means by “Hacker Safe”. The ScanAlert product issues certifications that websites are safe from attack. However, XSSed.com, a website dedicated to exposing Cross-Site Scripting attacks, gave InformationWeek a listing of 60+ Hacker Safe websites with open XSS vulnerabilities. In response to the accusations, ScanAlert representatives assert that ScanAlert certification does not consider XSS vulnerabilities as dangerous. The reasoning is that XSS attacks are entirely ‘client side’, meaning they do not allow the hacker access to the server, data, or customer information.


Filed under: Current Events, Ethics

Mac ‘scareware’ in the wild

By chrislim at 9:12 pm on January 15, 2008 | 3 Comments

Security software vendor F-Secure has recently reported the first known “scareware” scam targeting Mac users. The software known as MacSweeper (www.macsweeper.com) poses as legitimate security software that “discovers” numerous fake problems and threats, which can only be solved by purchasing their $40 product. A senior security specialist at F-Secure shared two ways he determined the illegitimacy of MacSweeper: running their provided scan showed vulnerabilities in Mac-specific folders even when run on Windows machines, and the company’s “About Us” section was taken directly from Symantec Corp.’s website. The website itself, however, is very professionally done, and it is difficult for casual users to notice its phony nature.


Filed under: Current Events, Ethics, Policy, Privacy

Social Engineering Your Way Into a Dorm Room

By Chad at 6:24 pm on January 13, 2008 | 8 Comments

It is shocking to learn that while the University of Washington Housing and Food Services owns nine residence halls with a total capacity of nearly 5000 students, the security barring access to individual students’ rooms can be compromised with little more than a little research and a good story. For the first homework assignment, I reviewed the security of the dorms. I thought of ways to get into other residents’ rooms and found that it wouldn’t be as difficult as one might hope. I tried the “attack” on myself, trying to gain access to my own room. It’s not surprising that I got into my room (in fact it’d be more surprising if I couldn’t), yet the attack could be used against others, especially those the adversary knows well.

Filed under: Ethics, Miscellaneous, Privacy

Watching an Exploit Unfold: Sex Offenders and the ESRB

By Trip Volpe at 4:35 am on January 11, 2008 | 1 Comment

This post documents an actual vulnerability exploit I recently witnessed. Details have been changed to protect the stupid.

I happened to be loafing around on IRC yesterday, when an unusual opportunity to observe some pointless cybercrime in action presented itself. One user on a channel I occasionally visit brought the channel’s attention to the website of a state government agency. Because this blog is open to the public and this post concerns a currently extant vulnerability in a public website, I will not identify the particular agency, but I will say that it is an Internet crime database for an entire state, including information about missing children, parole and probation supervision, and a sex offender registry.

Filed under: Ethics, Miscellaneous, Privacy