XSS in the Wild (Updated)

By erielt at 10:51 am on February 20, 2009 | 8 Comments

When I recently tried to look up some information about the song L’America by The Doors, I stumbled upon the site songfacts.com (http://www.songfacts.com/detail.php?id=278). At the site, I was immediately greeted by a popup box cheerfully proclaiming “HAI2U”. After having dealt with this extensively in lab 2, I immediately recognized this as an XSS vulnerability that someone had taken advantage of. Looking into the source code, I saw that the JavaScript alert was the only thing that had been done, luckily not too malicious. Unfortunately, the code was also in a permanent comment on the site, so that any visitor to the site is subjected to the attack rather than having to follow a special link. The attack was done with a simple script tag, so obviously little or no filtering is being done. I sent an email off to the site telling them about their vulnerability, what a malicious user could use it for, and how to fix it with a PHP filter, along with a link to a suitable filter. Although part of me wanted to play around with the security hole a little more (perhaps a real-life version of lab 2?), I thought it would be better to try to have them fix the site. I like songfacts because there are some interesting things there, so I would rather they fix it than have someone else break the site with redirects, cookie stealing, or any other similar (or even more malicious) things. I just wanted to let everyone know that what we did in lab 2 is most definitely applicable to real life, and XSS vulnerabilities are still out there on many different sites.

One other thing I wanted to ask others about is how you would deal with this situation of finding a vulnerability in a website. Would you anonymously report it to the site or offer to help? Or would you try to look into the security hole a little more to see what was there? Perhaps a few people would even want to do some semi-malicious things to see what was possible (although I’m sure no one will post that). Also, has anyone else encountered XSS attacks in the wild?

As a side note, please don’t exploit this because the vulnerability is still there on that site. Remember, you signed legally binding and restricting ethics forms!

Update:

After I emailed the website, they took out the offending post and also asked me for more information on fixing this problem. I wrote some more information for them and tried to help clear up this security vulnerability as well as others that may arise from the same issue of user input sanitization. The admin was very glad to have help and offered to send me a t-shirt in return for my help. It looks like being good and helpful paid off.

On another note, I have found XSS vulnerabilities to be way too common on the web. As dangerous as these can be, it seems like site administrators are not well informed about these problems. While just going about normal business on the web, I also found an XSS vulnerability in the Windermere real estate pages. I have emailed that webmaster as well so hopefully they are as receptive to the problems as the first site owner was.
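To make the stored-comment problem in this post concrete, here is an added example that is my own code, not the author's or songfacts.com's, written in Python rather than the PHP filter the post mentions. It contrasts raw concatenation with output encoding and includes a check for comments that are already stored; the comment strings are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample comments. The second one is the kind of payload the post
# describes: a bare <script> tag stored in a comment and served to every visitor.
SAMPLE_COMMENTS = [
    "Great song, one of my favourites from L.A. Woman.",
    '<script>alert("HAI2U")</script>',
    'Check <a href="http://example.invalid" onclick="steal()">this</a> out',
]


def render_comment_unfiltered(comment: str) -> str:
    """Vulnerable pattern: user input is concatenated straight into the page.
    Whatever was typed, including <script>, becomes live markup for every
    later reader (stored XSS)."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_escaped(comment: str) -> str:
    """The fix the post recommends, in Python terms: encode the HTML
    metacharacters (< > & " ') so the browser displays the text instead of
    parsing it. Roughly what PHP's htmlspecialchars() with ENT_QUOTES does."""
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


class _TagCollector(HTMLParser):
    """Records the start tags a browser-like parser would see in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(fragment: str) -> list:
    """Parse a rendered fragment and list the elements it actually creates."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def audit_stored_comments(comments) -> list:
    """Defender's check for a site that already stores raw comments: indices of
    comments that would create an element beyond our own wrapper <div> if they
    were echoed unfiltered."""
    return [i for i, c in enumerate(comments)
            if element_names(render_comment_unfiltered(c)) != ["div"]]


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("raw     :", element_names(render_comment_unfiltered(c)))
        print("escaped :", element_names(render_comment_escaped(c)))
    print("comments to clean up:", audit_stored_comments(SAMPLE_COMMENTS))
```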

Filed under: Miscellaneous

Current events: Microsoft offers money for catching Conficker virus creator

By sal at 10:57 pm on February 13, 2009 | 3 Comments

I didn’t pay much attention to the event mentioned earlier about the Conficker virus until this new event related to it arose; after all, is being infected by a virus such a rare occasion?
To remind you, it is estimated that there were over 10 million computers infected with the worm, which utilized a bug in the Windows OS to infect unprotected computers, including those in government and military organizations. Its creators can start issuing commands to this network of hijacked computers by simply registering one of the domain names from its big list.
So, Microsoft decided to offer a $250k reward for information on the authors of the Conficker virus. Since this is one of those rare occasions on which Microsoft has offered a reward, it convinced me of the severity of the problem.
These rewards have been shown to work in the past, one of the most famous cases being the sentencing of the writer of Sasser in Germany. Microsoft happens to strike a good balance between stick-and-carrot politics in an attempt to achieve security for its products, moving more towards carrots lately (such as organizing the BlueHat conference for outside security professionals, for example).
Although there is a trend in countries such as, say, Russia to implement harsher sentencing for cybercrimes, in many countries the complexities associated with getting the reward, or with reaching a sentence, remain a big obstacle to those willing to turn in the creators of viruses.
Looking at the bigger picture, offering bounties exploits the trustfulness of a hacker who shared his adventures with his colleagues, hoping they would keep it secret. But it seems there could be an inverse relation: the more bounties are given out, the less effective they become. However, it is still interesting to see how some virus creators elaborately cover their tracks technologically but fail to realize the severity of the human-factor risk from their standpoint. Let’s see whether it works this time.

Filed under: Current Events, Miscellaneous

Current Event: Safety of Encryption from future Quantum Computers

By sunetrad at 11:53 pm on February 12, 2009 | 2 Comments

All of us feel a certain kind of safety when we are dealing with credit cards, online banking and any other transaction or process which should be secure, because we know that our personal information is protected by cryptographic systems. Yes, there are occasions where these security measures are circumvented by exploiting other weaknesses in the system or by just stealing private information. However, we take comfort in the idea that these cryptographic systems are unbreakable given feasible computing time and resources. However, a recent article talks about the threat of ‘Quantum Computers’ which could potentially compromise the security of these systems used by businesses and banks around the world.

The laws of Quantum Physics say that a subatomic particle can exist in two states at the same time before you look at it. Similarly, in a Quantum computer, a bit can be both zero and one at the same time. A string of eight bits can therefore represent all numbers between 0 and 255 at the same time. Scientists say that a Quantum computer can solve a problem in months that would take conventional computers millions of years. For example, public key encryption, which is widely used on the Internet, creates codes by multiplying two prime numbers together. What makes the code hard to break is that working backward from the product of the two primes is extremely hard. A Quantum computer would be able to solve this problem in a feasible amount of time because it will be able to look at multiple solutions at the same time.

In the article, Professor Oded Regev of the Tel Aviv University’s school of Computer Science stresses the importance of the development of a new cryptographic system that will be able to maintain its integrity even when Quantum Computers become available. Several reasons for this are the security of bank and financial information, medical records, and digital signatures that would become visible if an attacker hacked into this RSA-encrypted data. The article predicts that Quantum computers will be a reality in the coming decade, which would make it easy to crack the RSA cryptosystem. Hence the article emphasizes the need to start thinking of systems that could replace RSA.

http://www.sciencedaily.com/releases/2009/02/090205110609.htm

Filed under: Miscellaneous

Current Event: Tracking BitTorrent

By nhunt at 10:44 pm | 5 Comments

The Air Force Institute of Technology recently announced a new technique for “detecting and tracking illegal content transferred using the BitTorrent file-trading protocol.” The authors claim their technique differs from previous attempts because it does not change any of the traffic going over the network.

The tool examines the first 32 bits of the file’s header to identify BitTorrent traffic on the network. Once a connection has been identified as a BitTorrent transfer, the file’s hash is compared against a blacklist of known “contraband files.” These blacklisted files are described as “pirated movies, music, or software, and even child pornography.” Rather than disrupting the transfer, this tool simply logs the network addresses involved, presumably for later prosecution.
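As an added illustration of the passive logging approach this post describes (my own code, not the AFIT tool), here is a Python classifier that recognizes a BitTorrent peer handshake by its fixed prefix, whose first four bytes are the length byte 0x13 followed by "Bit", extracts the info hash, and compares it to a blocklist without touching the traffic. The handshake layout is the one the BitTorrent protocol specification defines; the blocklist entries, addresses and flows are constructed.

```python
import hashlib

# BitTorrent peer handshake (BEP 3): 1-byte length (19), the 19-byte string
# "BitTorrent protocol", 8 reserved bytes, 20-byte info hash, 20-byte peer id.
PSTR = b"BitTorrent protocol"
HANDSHAKE_PREFIX = bytes([len(PSTR)]) + PSTR
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes


def is_bittorrent_handshake(payload: bytes) -> bool:
    """Classify a TCP payload by its first 32 bits: 0x13 'B' 'i' 't'.
    The full prefix is then checked so a chance 4-byte match is not enough."""
    return payload[:4] == HANDSHAKE_PREFIX[:4] and payload.startswith(HANDSHAKE_PREFIX)


def parse_handshake(payload: bytes):
    """Return the info hash (hex) and peer id of a handshake, or None."""
    if len(payload) < HANDSHAKE_LEN or not is_bittorrent_handshake(payload):
        return None
    info_hash = payload[28:48]
    peer_id = payload[48:68]
    return {"info_hash": info_hash.hex(), "peer_id": peer_id}


def build_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Construct test traffic (used only to build the sample flows below)."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    return HANDSHAKE_PREFIX + bytes(8) + info_hash + peer_id


def match_flows(flows, blocklist) -> list:
    """Passive check: for each (src, dst, payload) flow, log the endpoints when
    the handshake's info hash is on the blocklist. Traffic is never altered."""
    records = []
    for src, dst, payload in flows:
        hs = parse_handshake(payload)
        if hs is None:
            continue
        label = blocklist.get(hs["info_hash"])
        if label is not None:
            records.append({"src": src, "dst": dst,
                            "info_hash": hs["info_hash"], "label": label})
    return records


# Constructed blocklist: info hashes are SHA-1 of made-up metainfo strings.
FLAGGED_HASH = hashlib.sha1(b"constructed-contraband-torrent-A").digest()
HARMLESS_HASH = hashlib.sha1(b"constructed-linux-iso-torrent-B").digest()
BLOCKLIST = {FLAGGED_HASH.hex(): "constructed-contraband-A"}

# Constructed sample flows: two handshakes and one unrelated HTTP request.
SAMPLE_FLOWS = [
    ("192.0.2.10:51413", "198.51.100.7:6881",
     build_handshake(FLAGGED_HASH, b"-XX0001-000000000001")),
    ("192.0.2.11:51413", "198.51.100.8:6881",
     build_handshake(HARMLESS_HASH, b"-XX0001-000000000002")),
    ("192.0.2.12:40000", "198.51.100.9:80", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def flagged_records() -> list:
    """Run the classifier over the constructed flows and return the log records."""
    return match_flows(SAMPLE_FLOWS, BLOCKLIST)


if __name__ == "__main__":
    for r in flagged_records():
        print(f"{r['src']} -> {r['dst']} info_hash={r['info_hash']} ({r['label']})")
```

Only the handshake carries the info hash, and peers that negotiate the protocol's encryption extension do not begin the stream with this prefix, so a classifier keyed on these 32 bits sees only cleartext connections.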

Filed under: Current Events, Miscellaneous

Security review: Powered Exoskeletons

By sal at 10:55 pm on February 6, 2009

Exoskeletons look impressive in movies. They look impressive in real life also. Electronics read brain signals sent to muscles and cause actuators to move, thus ‘amplifying’ human strength. Exoskeletons are close to being mass-produced and available to people around the world. Since there are no datasheets or use instructions publicly available yet, I will briefly mention potential general security implications associated with these devices, as we will inevitably see them on the market very soon.

It is crucial for manufacturers to ensure the safety of the wearer. In addition, it is important to address the safety of people other than the wearer who can come into contact with this machinery.
Potential adversaries can be those who want to harm the person wearing it. Besides that, the goal of an adversary can be to cause harm to people other than the wearer or, in general, to cause harm to property.

The following are just a few of the potential weaknesses that need to be addressed.
  • Self-supporting mechanism: since most exoskeletons will support their own weight and are quite powerful, it is potentially possible to control one and cause it to walk on its own, possibly with a human inside.
  • Physical access to programmable controllers and circuitry can allow an adversary to reprogram them or embed their own controllers.
  • Actuators in particular: different people have different ranges of joint movement. An incorrect range can break the wearer’s bones or strain muscles unless there are secure adjustable physical restrictions. If there are such adjustable physical restrictions, they can be changed by an adversary.
  • If attachable to a computer or network for service or reprogramming, most problems associated with securing personal computers and communications apply.

Besides the usual measures of ensuring the integrity of the system and bug-free software, here are some key measures that any exoskeleton should have implemented to address security threats. Obviously, any adjustments, including physical ones, should be done with secure authentication of the user. Good shielding can be used to protect from outside electromagnetic fields that might cause the system to deviate from normal operation.
It is important to detect big jumps in voltage/current in the system and disable the system, as is done in power wheelchair controls; but as opposed to a wheelchair, more attention should be paid to shutting down gracefully, as incorrect disabling can cause the person to fall down, causing injuries to himself or people around him.
It should be easy to escape the suit in case of danger, and there should be multiple disabling mechanisms available to the user.

These devices will have a big impact on society. Should police start carrying EMP guns? Exoskeletons can be of tremendous use to address people’s health problems, for example, or can become quite threatening in a malicious person’s hands. There are obvious differences from existing personal machinery. Extreme flexibility poses big dangers if not addressed properly. Whereas a car or wheelchair can be stopped by a railing, an exoskeleton could climb over it.

Filed under: Miscellaneous, Security Reviews

Security Review: My Linksys Router

By justine at 10:09 pm

This morning, my power for some reason switched off, crashing something in my router and killing my laptop battery. For the rest of the day, wireless was down at my house and my roommate and I were physically plugging in (I know! Cables!). However, we (illegally?) share our wireless with our neighbors downstairs, and they came up to ask where the webbernets had gone to. Frustrated, I simply hit the reset button on my router and decided to just set it up again. Working through it, I realized that the user interface is a huge hindrance to the average user setting up a secure home network – a situation which I already know leads zillions of people to insecurely transmit sensitive info over the web.

Assets and Security Goals

  • The assets at stake here include anything people do over the internet – which today seems to include everything. For me, the most sensitive information I transmit is my online banking, followed up by my student information on MyUW as well as online sales. Also included is a lot of stuff I don’t usually think about needing to secure – but that could be exploited by an attacker – like my email and my Facebook account.
  • The goals then are to protect my transmissions from being read, tampered with, or spoofed. I don’t want anyone to know what I am doing on the internet, to change anything I am doing on the internet, or to be able to pretend to be me on the internet. Also, I don’t want anyone to be able to use my internet to do illegal things (except for me)!

Adversaries and Threats

  • Identity theft has become a huge issue in recent years, and so the adversary I am most fearful of is someone who would want to steal my identity, money, credit history, etc.
  • My roommate works for Amazon.com, and often has to use her work laptop on our wireless connection. Although she uses a VPN with a one-time use RSA token, we’d really like to keep a potential corporate spy as far away from her machine as possible.
  • What about my roommate herself? Or those innocent looking neighbors downstairs? Well, I hope I can trust all of these ladies…

Potential Weaknesses

  • Without any defense at all, our wireless is wide open. I’ve already seen what can be done with easily downloadable tools online – they even come with GUIs. In fact, in my opinion, these tools are easier to use than the security setup for my router.
  • Even with security, an attacker could discover our passwords either by reading them off the whiteboard in my kitchen, or by sniffing our encrypted packets and trying to guess it.
  • If someone could connect to my network and also guess my high-security administrator password, they could also mess with my router to redirect me places I don’t want to go to, or otherwise manipulate my web access.

Defenses

  • The most important thing here is having your router set up properly – encrypted with good passwords (and NOT WEP), and don’t leave the administrator password at the default. However, this is not that easy – I am pretty sure my mom could not figure out how to do it, nor my web-savvy teenage sisters. Linksys should have all the most important settings on one primary page – and it should lock people out of the web until they have changed the administration password (or, even better, have a different password for each box and include the pwd in the packaging).
  • Having a good password is important. People don’t have enough training in this!
  • I often will check my router to see what machines are connected to my wireless – if there is one I don’t recognize I will freak out. But I’ve never seen one 🙂
  • It is also important to practice safe web browsing regardless of the wireless setup. Assuming that you are on an unsecured connection provides one extra layer of security. HTTPS, encryption, all of these things are still necessary.

In sum, I am worried about the world. I had to dig through a long series of menus to find what I needed – and I already knew what I needed. For those who don’t, I’m afraid their information is at risk!

Filed under: Miscellaneous

Current Event: Spike in Online Game hacking

By couvb at 9:36 pm

According to an article on Gamasutra, online game hacking spiked in 2008.  It was noted that it usually wasn’t the games themselves being directly attacked; rather, attackers would use social engineering or other techniques to install malware, such as keyloggers, that would steal the user’s account information.  Once the attacker can log into the victim’s account, they can then use their position of trust to send malicious links to friends of the victim, furthering their malicious goals.  The attacker could also steal the victim’s virtual assets and sell them for real money.  For example, in Blizzard’s World of Warcraft, despite it being against the EULA, there is a large real-world market for in-game gold and items.  Because it is generally not the games themselves being attacked, it is hard for game developers to prevent this.  However, Blizzard is setting a good example by allowing users to purchase RSA key generators as an extra line of defense (though you would think that with all the money they are sucking from their players they would be able to include this at no extra cost).  These authenticators generate unique keys at the press of a button, a new one of which is required at each logon.  With this extra layer of defense, even if the attacker logs the victim’s password and authenticator key, the next time they log on the authenticator key will be different, preventing the attacker from successfully logging on.  More details on the Blizzard Authenticator can be found at Blizzard’s site here.

Filed under: Current Events, Miscellaneous

Current Events – Infections that begin with windshield fliers

By qwerty at 8:36 pm

Not all computer malware infections are done completely electronically.  In recent events, cars in Grand Forks, North Dakota were tagged with “windshield fliers” which resembled a parking ticket, stating they were violating the “standard parking regulations” and that in order to view more about their offense they must visit some URL online.  This seems like quite the length to go to in order to infect one’s computer, but often enough – it works.


Filed under: Current Events, Miscellaneous, Physical Security

Microsoft changes Windows 7 UAC after new exploit surfaces

By iva at 8:09 pm | 1 Comment

Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127392

The User Account Control (UAC) in Microsoft’s Windows 7 has already been compromised. Two programmers have written code, which can alter UAC settings and upon restart of the machine execute arbitrary code with administrative privileges.

The basis of this problem stems from Windows 7’s new UAC default settings. UAC is Windows’ primary security feature, designed to alert the user of changes happening within the system and to request consent before proceeding with certain tasks such as, for example, installing programs. This feature, which was added with the deployment of Vista, has met considerable criticism, particularly in that most users consider it an annoyance. In an effort to alleviate this and reduce such disruptions, Windows 7 has headed down the opposite path. The Windows 7 UAC defaults to a greatly reduced number of pop-ups and allows you to change user permission levels (from regular to administrator) without notification. This becomes a real problem when the operating system cannot distinguish between a change made by a user and a change made by a program. And therein lies the vulnerability; all a malicious script has to do is enter the system, either by convincing the user to click on (consent to) it, or through some other breach. Once in, the script can silently change its permission level, force a restart, and begin executing whatever code it wants with administrator privileges. As is the case with most security vulnerabilities, this requires the user to consent to this script by downloading or running it; however, numerous phishing exploits show the frightening success attackers have had in accomplishing this.

Security is a difficult art to perfect, mostly because its importance is often easily forgotten by the one that matters the most – the end user. The threat of exploits is most heavily felt when it is too late and is all too easy to ignore by uninformed users. It really can become a hindrance having to repeatedly approve actions you initiated, such as the installation of a popular program. Users are often exposed solely to the obstruction which security measures present and less so to the protection that they offer, as (hopefully) most users don’t have to deal with attacks. This is the problem with which Microsoft is faced. They need to strike a balance in which they protect the user without taking away from the experience (due to frustration with security barriers). Cutting back on UAC pop-ups is perhaps favorable; however, it should not go so far as to defeat the purpose of the entire security system in favor of usability. Changes to a central security setting, such as the user permission level, should not go unnoticed. It is certainly an important enough change that it merits user attention in all cases, and furthermore it is likely to be performed infrequently enough not to cause any significant annoyance. It is important that security features be carefully integrated into the system, with the user in mind, such that they are not rendered useless when the user disables them; however, at the end of the day their job is to protect, not appease, the user.

Filed under: Current Events, Miscellaneous

Security Review: Face Recognition Software

By alyssa86 at 11:34 am

According to an article, Toshiba is producing PCs that come with not only fingerprint readers but facial recognition software. The software uses a webcam built into the PC in order to identify the user. This software is designed so only the user can use their own computer, and so that if the user would like to save passwords they can feel secure by only unlocking their passwords via the fingerprinting or facial analysis. While I can see how this might seem extremely convenient and much more secure than when people just autosave their passwords (sometimes the biggest security flaw is our own laziness), it seems to me that this software could present security issues both in the sense of Denial of Service as well as with false authentication. The article also seems aware of these flaws, stating, “It is important to note that both fingerprint and face-recognition technologies are not foolproof–there are a number of known, low-tech means of circumventing them.”

Assets and Security Goals

  • The main goal of the facial recognition software is to provide security. You are the only person who should be able to use your machine since it will uniquely recognize your face.
  • The main asset is the ease and practicality provided because a user no longer has to type in their passwords or even really remember them.

Adversaries and Threats

  • Someone who might want access to your personal information or files could potentially use a photograph of you and hold it to the camera, depending on the sensitivity of the software.
  • Another possible adversary could be family members, again depending on the sensitivity of the software: if a family member (such as a sibling, or better yet a twin) wanted to use your computer, they might have similar enough features to beat the cameras.

Potential Weaknesses

  • Social networking sites could present a weakness if the software had a low enough sensitivity threshold that an adversary would really only need a photograph.
  • Many of the other weaknesses involve the opposite problem: if the software is too sensitive, a user might be denied service because of a haircut, surgery or injury, or aging (although it is likely that a user wouldn’t have a computer so long that they would look dramatically different from aging, it is still a possibility).

Defenses

  • Having both the fingerprint analysis and the facial recognition software makes the PC somewhat more secure than using just one or the other.
  • The software would have to be fairly sensitive in order to prevent a photograph from being used, but it could also update the image that it recognizes after each successful recognition; in that way it could avoid not recognizing a user due to age.

It seems likely that the sensitivity could reach a good balance so that it could recognize the difference between a picture and a human being; however, in the cases where two humans look indistinguishably similar to the human eye (such as a twin), I doubt a camera will ever be able to tell the difference. Considering the likelihood that a user has a malicious twin, I doubt this is much of a concern.

Since the overall goal of the software appears to be to make the user more secure and the secondary goal is to make life a little easier, I think the software would be more useful if it used the recognition to either allow or disallow you to enter a password. In that way it would actually provide another layer of security as opposed to a potential hole.

Filed under: Miscellaneous