Security Review: New Weapons in the Fight Against Doping

By oterod at 9:57 pm on March 13, 2009

The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. Marion Jones, for instance, a five-medal winner in Sydney’s 2000 summer Olympics, was retroactively indicted on drug charges and agreed to forfeit her awards. While the revelation shocked many, Jones relinquished her medals and life went on.

Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.

(Read on …)

Filed under: Current Events, Ethics, Integrity, Research, Security Reviews

Security Review: Helios Online Voting

By Orion at 9:55 pm

The Technology

The technology being evaluated is the Helios Online Voting Booth, usable at http://www.heliosvoting.org and outlined in the 2008 Usenix Security paper available at the same site. The election system does not create novel cryptographic tools or algorithms; rather, it provides a protocol for using existing cryptography to make an election that is universally verifiable and provides ballot casting assurance as well as voter secrecy. (Read on …)

Filed under: Integrity, Privacy, Security Reviews

Cryptography towards a new kind of election?

By Orion at 8:11 pm

Computer scientists at the Harvard School of Engineering and Applied Sciences recently deployed the first “practical, Web-based, secure, verifiable voting system.” After testing through 2008 and early 2009, the system, dubbed “Helios,” was used for the university presidential elections at the Belgian Université Catholique de Louvain (UCL) in the first week of March 2009. The system uses asymmetric cryptography and mixnets to provide anonymity, ballot integrity, and open, public verifiability. The system is designed to be used for what they call “low-coercion” elections, because they have not provided any way for users to change their vote at another time if the user has been coerced into voting a certain way. But the system does provide cryptographic auditing that allows any voter to verify that their vote has been correctly recorded, and allows anyone to verify that all recorded votes have been correctly tallied, something standard elections in the USA don’t even guarantee.

(Read on …)

Filed under: Current Events, Integrity, Privacy

Security Review: UW Parking Enforcement

By ezwelty at 3:32 pm

The parking at the University of Washington has always been a deadly game of cat and mouse between driver and parking enforcement. There are limited parking resources on campus, and parking enforcement wants to make sure that they are maximizing their revenue for the spaces they have available. On the flip side, poor students/faculty are trying to get away with parking their cars/motorcycles free of charge.

There are a few assets that parking enforcement wants to protect. One is their revenue stream — making sure that they are receiving money for the parking that is available. Another is the availability of spaces, so that legitimate paying customers won’t be turned away at the door if the lots are oversold. In both cases, the adversary is the driver trying to cheat the system (aka, me).

One weakness of the system stems from having way more parking spots than there are parking enforcement officials. While this can work in a cheater’s favor in general, the longer one spends in the same spot, the more likely they are to be eventually ticketed. This might assume someone illegally parked would stay shorter — but then they have the added overhead of having to move their car frequently. One way that they can combat this is to deploy resources first towards the most high-traffic lots, and then check less frequently at satellite lots.

Another weakness of the system involves procedures for contesting tickets through the parking department. Any ticket can be contested through the office, and last checked, they had an average turnaround of 3-6 months, no doubt due to bureaucratic inefficiencies. If an adversary were to contest a ticket, they wouldn’t have to pay it for months, and would be likely to get it fined. One could also try sending in a longer letter to the department as to why they deserve to not get the ticket, in order to push it to the back of the queue for processing.

In the future, there might be an emphasis on more high-tech solutions (such as cameras) to quickly monitor parking lots and possibly detect cheaters. For the time being, however, there are some vulnerabilities in the parking system that allow attackers to get away with free campus parking undetected.

Filed under: Ethics, Integrity, Miscellaneous, Security Reviews

Current Event: Air Force Engineers develop BitTorrent sniffer

By ezwelty at 12:52 pm

Original article: http://arstechnica.com/security/news/2009/02/airforce-engineers-develop-bittorrent-sniffer.ars

The Air Force Institute of Technology has a new method for passive BitTorrent tracking. The system attempts to read the header of BitTorrent packets, and compare the hash in the packet to a known set of bad hashes. If a bad hash is matched, then the system logs it for future investigation. The system uses programmable FPGAs, and sniffing capacity tops out at 100Mbps.

Recent developments in traffic shaping / packet analysis have been largely spurred by large ISPs’ desire to limit users’ consumption of high-bandwidth services such as BitTorrent. Complaints towards users of BitTorrent include high bandwidth usage, as well as accusations of illegally sharing copyrighted material.

However, packet inspection at any level raises a number of privacy concerns, as systems at the ISP level would definitively be reading the data that flows through their network from an end user’s machine. This can either be malicious or not — it really depends on how ISPs use it. It seems like ISPs are highly motivated to keep traffic down so that they can keep their networks from becoming congested. However, no ISP customer can ever exceed the maximum amount of bandwidth that they are advertised to get. It seems like the ISPs are not being forthcoming about the real amount of bandwidth that they want customers to use.

Bandwidth isn’t the only issue, with litigation being handed out to file sharers. It’s in the ISP’s best interest to stay out of any legal issues they can, which also provides a good motivator for packet shaping BitTorrent traffic. However, given millions of motivated BitTorrent users versus companies with relatively limited resources, they are fighting an uphill battle that will not end up in their favor. This Air Force sniffing technology can’t detect encrypted BitTorrent packets, which comprise 25% of the BT traffic out there. As well, with projects such as OneSwarm, people can set up much more anonymous sharing networks between friends. The only way for corporations to survive file sharing is to adapt, like the Norwegian state broadcasting company did when it started offering its broadcasts as full, unencrypted downloads on its own hosted BitTorrent tracker.

Filed under: Current Events, Ethics, Integrity, Privacy
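The hash-matching step described in the post above, as an added example (not code from the article or from the Air Force system). It assumes the match is made on the standard plaintext BitTorrent handshake (1-byte length, the string "BitTorrent protocol", 8 reserved bytes, 20-byte info-hash, 20-byte peer id); the payloads and watch list are constructed, and it shows why an obfuscated stream yields nothing to compare.

```python
import hashlib

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # 68 bytes in total
HASH_OFFSET = 1 + len(PSTR) + 8               # info-hash starts at byte 28


def extract_info_hash(payload: bytes):
    """Return the 20-byte info-hash if payload begins with a plaintext
    BitTorrent handshake, otherwise None."""
    if len(payload) < HANDSHAKE_LEN:
        return None                            # truncated or unrelated data
    if payload[0] != len(PSTR) or payload[1:1 + len(PSTR)] != PSTR:
        return None                            # no recognisable header
    return payload[HASH_OFFSET:HASH_OFFSET + 20]


def scan(payloads, watch_list):
    """Classify each payload: a hit (hash on the watch list), clean
    (handshake seen, hash not listed) or opaque (no handshake to read)."""
    result = {"hits": [], "clean": 0, "opaque": 0}
    for index, payload in enumerate(payloads):
        info_hash = extract_info_hash(payload)
        if info_hash is None:
            result["opaque"] += 1
        elif info_hash in watch_list:
            result["hits"].append((index, info_hash.hex()))
        else:
            result["clean"] += 1
    return result


def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a plaintext handshake for the constructed samples below."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id


# Constructed sample data: the hashes are SHA-1 digests of labels, not real torrents.
WATCHED = hashlib.sha1(b"constructed sample torrent A").digest()
OTHER = hashlib.sha1(b"constructed sample torrent B").digest()
PEER_ID = b"-XX0001-" + b"0" * 12

# Stand-in for an obfuscated stream: bytes with no fixed header to match.
OBFUSCATED = hashlib.sha256(b"constructed obfuscated stream").digest() * 3

SAMPLE_PAYLOADS = [
    build_handshake(WATCHED, PEER_ID),        # listed hash, plaintext
    build_handshake(OTHER, PEER_ID),          # unlisted hash, plaintext
    OBFUSCATED,                               # nothing readable at byte 28
    build_handshake(WATCHED, PEER_ID)[:40],   # cut off before the hash ends
]
WATCH_LIST = {WATCHED}

if __name__ == "__main__":
    print(scan(SAMPLE_PAYLOADS, WATCH_LIST))
```
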

Current Event: racial profiling no more effective than random screening

By ezwelty at 8:56 am on February 6, 2009

In “Study: racial profiling no more effective than random screen”, ArsTechnica reports on a new study by William Press, who claims that using profiling at security checkpoints such as airports is not effective in catching threats. The ineffectiveness, according to Press, stems from small numbers of screeners being able to only resample a small subset of the total population at any given moment. Screeners, on the average, end up retesting the same innocent individuals that happen to have large correlations with risk profiles.

This event arises from the current security concerns of DHS, and their mandate to catch terrorists at the various entrances to the United States. It seems that the methods employed in profiling are faulty, and need revisiting. As a counter-example to this article, the Israeli airports employ racial profiling to great success in ensuring security, and haven’t had an incident since 1986 — however, they combine these profiling methods with other forms of security measures.

However, there are larger issues in having such broad-sweeping racial profiling in the US. Applying racial targeting to minorities at checkpoints would cause a fair amount of backlash, considering the historical implications. As well, all the racial groups that are on profiling lists also are likely not adversarial threats, and are certainly as legitimate of citizens as people that aren’t on the list. Also, it seems like relying heavily on profiling means that defeating it is simply a matter of not fitting the current terrorist profile.

While there have been some success stories in racial profiling with regards to border security, the idea leaves a bad taste in my mouth. There are inarguably a number of things that DHS can do to improve security at checkpoints (hiring competent TSA employees comes to mind), without going down the dangerous path of racial profiling — profiling that has been shown in this recent study to be mostly ineffective given how it is currently applied.

Original Article: http://arstechnica.com/science/news/2009/02/study-racial-profiling-no-more-effective-than-random-screen.ars

Filed under: Current Events, Ethics, Integrity, Physical Security

Current Event: Rigged Red Lights

By petermil at 1:05 am

Summary

In Italy, public officials have been abusing their authority to make more money from the public by making reds come earlier than they are supposed to (a shorter duration yellow than legally allowed). This means that, since they use cameras to automatically give tickets to people running red lights (see security review of automated traffic cameras for a different look at that aspect of it), they can make money off residents who are given inadequate time to come to a stop, and thus must run a red.

Who Was Hurt By It

Drivers have been economically affected, with 1439 people caught over two months (the fine is 150 Euros, or roughly $190 at current exchange rate).  Prior to that, at most 900 people would have been expected to be caught assuming the maximum number of tickets normally given were given out per day (this means a 50% increase over a value previously considered unrealistic to obtain!).

The public has also suffered a reduced amount of trust in the transparency and honesty of their government–a system which was out of their control and which they were mostly powerless to oppose or investigate was found to have been compromised in such a way that people were labelled as both criminals and charged unfair money.

Who Did It

109 officials are being investigated with regards to it, although the programmer himself is the current person taking most of the blame in the news.  Also involved were: police, local government officials, and the heads of seven different companies. Roughly 300 municipalities and a host of different companies were profiting from this scheme.

What’s Being Done

Currently a criminal case is being pursued against those responsible.  However, this does not really address the problem–the faulty systems are still in use, and ultimately fixing them should be the first priority.  Although the programmer responsible has a lawyer proclaiming his innocence, ultimately a review of the cameras themselves will need to be done.

Long Term View

This adds yet another complaint against automated traffic cameras.  Many object on privacy reasons, but this also adds concerns about faulty software, either maliciously or through incompetence.  Although it is unlikely that Italy will suddenly abandon automated traffic cameras, it may cause them to take a second look at them, at the least, and hopefully be more open in the future.  In all likelihood, however, they will continue to use a closed source solution, and will merely (hopefully) patch this problem.

Finally, this also adds another potential weakness to the list in the security review–corrupt officials who view it as a way of making more money.

Source: http://arstechnica.com/tech-policy/news/2009/02/italian-red-light-cameras-rigged-with-shorter-yellow-lights.ars

See also: http://cubist.cs.washington.edu/Security/2009/02/05/security-review-automated-traffic-enforcement

Filed under: Current Events, Ethics, Integrity

Security Review: ShopAds from Adgregate Markets

By rctucker at 8:30 pm on February 5, 2009

In early September 2008 during the TechCrunch50 Conference, there were many companies that came forward presenting ideas on how to change the advertising business. One such company, Adgregate Markets, presented an idea they call the ShopAds widget. This widget can be placed on any website like a normal banner ad, but is instead a fully transactional ad that allows visitors to the site the ad is placed on to conduct a business transaction (such as buying an item or ordering a service) without leaving the hosting web page.

This is big news both for host sites that may gain revenue from their ads, as well as the companies trying to sell a product. For host sites, it means their pages are sticky; visitors no longer leave for a 3rd party site when they see a product they like. Instead, they can just purchase it and continue to view the content. For the company selling the product, it means their returns are much greater than previous click-through counting methods as the results are in the form of actual sales and revenue.

But what does this mean for the online consumer? Of course, it means they can now make purchases through ads without having to go to another site, but it also means they have to be smarter. Adgregate claims in their press release that “Through ShopAds, Adregate Markets enables consumers to securely purchase products entirely within the confines of the ad unit, without being redirected away from the publisher’s site.” However, a problem arises when a ShopAds widget is placed on a web page that uses HTTP instead of HTTPS. Since the page itself is transmitted over HTTP, the content of the page is in plaintext. Additionally, there is no way to verify that the widget came from any particular location. For example, a malicious router launching a man-in-the-middle attack could replace the widget on a page with their own widget that appears to be legitimate. Visitors to the web page may then interact with it assuming it is the company it says it is. Although ShopAds are Flash-based, and thus can establish secure connections, this only has meaning if the source of the ad itself can be verified.

Assets and Security Goals:

  • Purchase Orders – The purchase made by a visitor/customer must be accurate when it is received by the merchant company.
  • Consumer Identities – Identifying information, such as credit card numbers, should not.
  • Merchant Identities – It should be possible for a consumer to know for sure that they are buying from a particular merchant.  In other words, it should not be possible for an adversary to pretend to be a Macy’s ad.

Potential Adversaries or Threats

  • Eavesdroppers – It could be possible to collect customer information by sniffing packets
  • Copy Cats –  By replacing ShopAds widgets with a malicious flash ad, one could pretend to be a company that they are not.
  • Modifiers – By modifying the information being exchanged, it may be possible to alter the purchase order itself (such as the quantity of certain items) or change where it is being shipped to.

Potential Weaknesses

  • HTTP Pages – Pages using HTTP cannot guarantee the origin of the content displayed on the page, including the ShopAds widget, and would be vulnerable to man-in-the-middle attacks.  Additionally, information is sent over plaintext.
  • HTTPS Pages – Even on an HTTPS page, you would have to trust the hosting (publishing) website you were visiting.  HTTPS only verifies that the site is who they say they are. So, visiting https://www.evil.com and conducting a business transaction through one of their evil ads is still dangerous.
  • ShopAds Widget – If the widget does not take advantage of  the features in flash to establish secure connections, information may be sent over plaintext.

Potential Defenses

  • HTTPS Pages – HTTPS pages can at least guarantee that the page is who they say they are and that the data is not sent over plaintext.  If a customer trusts the hosting/publishing site, and they trust the company who owns the ad, they could trust the transaction.  However, this would require every page with a ShopAds widget to use HTTPS…
  • Flash Security – Make sure to take advantage of features to establish secure connections to prevent transaction information from being transmitted in plaintext, even if the widget is properly placed on a trusted HTTP page that has not been maliciously modified.
  • Ad/Merchant Verification – Having the potential for a consumer to verify that the ad belongs to a particular consumer would help guarantee online shoppers do not buy from copy-cats.  Ideally, this would be done in the widget as well so as to keep to the nature of this new technology.

The largest problem here is that consumers may have no idea about the threats posed by these types of ads.  Many customers may not even know why HTTPS is important, let alone how it affects the security of shopping through an ad. Furthermore, it is unlikely that every page that will be sporting the ShopAds widgets will start using HTTPS, so shoppers will learn to have trust in these very dangerous situations. Even if the publishing site can be trusted, if the widget is not on an HTTPS page, it cannot be trusted.

If the ShopAds widget is to become the next best thing in advertisement and online shopping, these security concerns will have to be addressed.  In the same way that an online banker would not (hopefully!) enter their bank account number and password on an insecure page, neither should an online shopper provide their credit card or other identifying information.  It will also be necessary for shoppers to be more aware of where and how they are making purchases.  To help out visitors to the site, some of the responsibility may rest with the publishing website to make sure the ads they are providing do not compromise the identities of its visitors.  If this does catch on, it may become necessary in the future for browsers to be able to verify the origin of chunks of content, such as the ShopAds widget, to guarantee the security of its users.

Filed under: Integrity, Privacy, Security Reviews

Wikipedia Editing Could Be Made More Restrictive Due to Vandalism

By jap24 at 7:56 pm on January 30, 2009

According to this article, the English version of Wikipedia may be implementing a system called “flagged revisions” to the editing software, which would require that edits would have to be approved (“flagged”) by a “trusted” user (see the Wikipedia page on flagged revisions here). Edits that have not yet been approved could be viewed by users on request, but the default version of a page would exclude any changes that have not yet been approved. Trusted users’ edits are automatically approved. There could be long wait times for edits to be approved; this system has already been implemented in the German Wikipedia version, and edits there have taken as long as three weeks to be approved. (Read on …)

Filed under: Availability, Current Events, Integrity

Absent student forfeits raffle

By stemcel at 9:23 pm on January 16, 2009

Here at the University of Washington CSE Department we often have events called Tech Talks, where guest companies come in and give a demonstration of their technologies and expertise. Tech talks are usually interesting, and the visiting companies usually bring free company-branded “swag” and often have raffles for bigger, more exciting prizes. But what usually draws hungry CS students (this one, anyway) is the free food that the company inevitably brings. I’ve never won anything.

Last night we had a tech talk given by Palantir Technologies, a very promising-looking company that aims to transform the way people work with large data sets by making it easier to discover and visualize trends and connections in the ever-accumulating mountains of data generated by our modern technological culture. They had a great sales pitch, a fascinating presentation, tons of free swag (hyperbole here, but it was really a lot), and quality free food from Taco del Mar. And at the end of the evening they planned to raffle off an iPod touch. Not everyone stayed for the whole event, but as it wound down the time for the raffle finally came.

(Read on …)

Filed under: Current Events, Ethics, Integrity, Physical Security