UW Computer Security Research and Course Blog

The U.S. Federal government is planning to spend millions of dollars upgrading the backbone of the internet’s routing system. Specifically the Department of Homeland Security (DHS) is planning to quadruple its budget for improvements (from $600,000 to $2.5 million per year), which supposedly should improve the security of communications on the internet.

By implementing these changes, the DHS hopes that man in the middle attacks as well as the modification of data can be prevented. These upgrades target two major portions of the internet’s infrastructure; the border gateway protocol (BGP), and the domain name system (DNS). For BGP, the updated protocol will be called BGPsec. This adds digital signatures to BGP announcements. Security researchers have claimed that BGP is one of the weakest links of the internet because of its numerous vulnerabilities. Attacks against this protocol can be disastrous because they are often targeted at large portions of the infrastructure and not individual hosts. For DNS, the improved DNSsec will hopefully make it harder for attackers to hijack web traffic because hosts will be able to verify their domain names and IP addresses with digital signatures and public-key encryption.

(Read on …)

A worm known as Downadup, or also Conficker by some security companies, is spreading rampantly by exploiting a bug found – and patched – months ago in Windows machines.  F-Secure believes that the worm has already compromised 35 million machines total.

Though Microsoft had deemed the security flaw important enough to issue a rare emergency update for it back in October, it has responded fairly quickly to this latest surge by the worm by adding detection for it to its malware removal tool on Tuesday.

Though Microsoft’s code has often been criticized for its alarming rate of security flaws, it is difficult to do so in this instance given this rapid response, and researchers from F-Secure and Symantec agree; the issue in this case is customers that have failed to apply the patch.

Though hackers have yet to turn the network into a botnet, the infrastructer is in place for it to do so.  Every day, the worm uses a very complex algorithm to generate hundreds of domains that it would query for instructions from its masters, only any one of which the hackers would have to register to control the botnet.  By contrast, as with the Srizbi botnet last year, security firms have to register every single one of those domains in order to wrest control away from the hackers.  FireEye, a security company, tried to do this for a while, but it soon became too expensive to do, and the hackers regained control of their network.

This incident raises questions as to whether customers should be allowed to choose whether or not to install updates anymore.  Apart from corporate customers who have to worry about the compatibility of their custom software, the time has perhaps come for security updates to be force-fed to consumers, particularly those who disable updates without realizing the full implications of that decision.

[source: link]

The Storm worm, noticed for the first time on January 17th, 2007, is one of the more notorious worms of the last few years. Targetted initially towards individual Windows machines, victims were often infected after receiving a bait e-mail with a particularly intriguing subject line, originally on the topic of a nasty European windstorm. The malicious attachment, when opened, would begin sending data to predetermined locations, as well as potentially installing additional malware.

The two most important side-effects of the worm were assumed control of the victim machine for botnetting, as well as the application of a root kit. What made Storm particularly effective as a botnet client was the use of peer-to-peer technology, rather than a strict client-server model. While “primitive” botnets could be attacked by targetting the centralized server, Storm created a P2P network of hosts, each of which was only ever “aware” of a small subset of the total botnet. While “command servers” did exert control over the botnet, they existed in numbers, and hosts were given means to find new command servers as they came online. This made it especially hard to know of the botnet’s size and member machines, let alone take it down. Despite attempts by Microsoft to use its Malicious Software Removal Tool to cleanse infected nodes, estimates suggest remaining infected nodes are still plentiful.

In results published on January 9th, German researchers at Bonn University and RWTH Aechen University show analysis which could, if applied properly, lead to any remaining botnets’ demise. By disassembling the drone client program used by infected nodes, the researchers were able to discover the protocol used for inter-client and client-server communication. They then built their own client and hooked it into an isolated test botnet. Experiments with this client showed that drones in the botnet asked each other about command servers, much in the same way that a DNS query might travel. By creating their own bootleg command server, and using their false drone client to deceitfully route real drones to the new server, they found that they could assume control over some aspects of the infected nodes. This would allow them to remotely install and run cleanup software, potentially allowing systematic cleanup of an entire botnet.

“What’s the holdup?” you might ask. The problem is that this cleanup would violate German information safety laws. Not only would it invade victim machines in the same way that the worm itself has, but it could also cause all kinds of data corruption and other collateral damage as part of the cleanup process. The legal repercussions of invasion of privacy and potential tampering with data are severe. While the cost of allowing Storm-backed botnets to exist is immense — with respect to spam alone, Symantec clocked the e-mail spam-output rate of one infected node at around 360 messages per minute — the practical and ethical cost of cleanup is high enough that its unclear to the German researchers which is worse.

It seems to me as though another approach could prove less problematic. If non-Storm-controlled drones can enter the network as demonstrated by this research, they could be used to identify, rather than automatically fix, targeted nodes. With the support of some well-recognized anti-virus or computer security agency, an opt-in cleanup program could make owners of infected nodes aware of the risks of cleanup before granting access to their machines or installing cleanup software themselves. The public approval of a well-known name in the field would give credibility to the cleanup effort, and perhaps could provide an open infrastructure for individual opt-in.

At the very least, this research allows security professionals and indivual Windows users to take anti-Storm defense into their own hands. Whether it can be used to extinguish remaining Storm-related activity remains to be seen, especially now that Storm’s developers have a chance to react. It appears that the current drone protocol doesn’t require server authentication; were that to be put in place, the researcher’s spoof-server approach would no longer work. The makers of the worm have shown an eagerness and a capability to react quickly and successfully to possible anti-Storm technologies, and could no doubt “fix” this “problem” too fast for it to be useful.

It will be interesting to see how this situation plays out. Hopefully, it will be for the better.

The Security and Privacy Code of Ethics is a contract that every CSE484 student is required to sign, on penalty of a zero grade in the course. It places restrictions on the manner in which students may use knowledge gained in the course, and on the transfer of such knowledge. While it appears to be a good faith attempt by the University to prevent their students from engaging in malicious activities, it has several failings, and raises ethical issues.

(Read on …)

According to a recent article in USA Today, Lexus will begin including new technology to allow the company to send audio messages to the computers present in their cars. It appears to be similar to an e-mail system, where the user receives messages and can play them at his/her own discretion. This inclusion is simply part of an even larger electronic upgrade to the autos, simply known as Enform for now. While this definitely raises some concerns about how far into our lives marketing messages (i.e. spam) are allowed to be, it’s even more critical to be worried about what sorts of security measures will be implemented in their system.

(Read on …)

Overview

This is a security review of “Smart Guns,” a general class of locking/use prevention mechanisms for firearms that rely on biometrics or other authentication indicators (such as “smart” chips embedded in the gun and in rings or other tokens worn by the intended user) to identify a person who is authorized to use the firearm, while preventing unauthorized persons from discharging the weapon. The Wikipedia article has some further broad overview information regarding the subject.

(Read on …)

From The Guardian, and on Slashdot.

Police in the United Kingdom may soon be be able to collect DNA samples from children if they exhibit behaviors that suggest they may commit crimes later in life, at least if Scotland Yard forensics director Gary Pugh has his way.

Pugh cites the importance of identifying future offenders, saying that “the number of unsolved crimes says we are not sampling enough of the right people.” Advocates of such programs, including the Institute for Public Policy Research, claim that most career criminals begin their lives of crime as early as 10 to 13 years old, and suggest that children from 5 to 12 years old should be profiled and sampled if they exhibit certain “risk factors.”

Even these advocates acknowledge that such treatment could have a “stigmatising” effect, but they do not seem to have any problem with gross violations of privacy in the name of improving public safety.  One concern that is not directly addressed in the article is the possibility that the negative attention such sampling and registration involves might even place more obstacles to a child’s chances of leading a normal life, perhaps even increasing the likelihood that they would turn to crime; a self-fulfilling prophecy, in other words.

Of course, an even greater issue that is sidestepped by the focus on children is the question of whether preemptive DNA sampling of any individual, adult or child, should be tolerated in any free society. Whether such programs are effective in reducing crime is not the only issue – the cost to individual liberty must also be considered. In my opinion, at least, personal freedom must always outweigh public safety, but I’m interested in hearing other ideas.

Today the House of Representatives voted on a bill that would amend the FISA Act of 1978, which deals with government wiretapping. The amendments would deny amnesty to telecommunication industries for complying with illegal warrant less wiretaps by the Bush administration but allow those companies to use government classified information in their defense to prove that they did comply with the law (if they indeed did). (Read on …)

Bruce Schneier posted on his blog earlier in the week about a new, free, open source application by the “Cult of the Dead Cow” (cDc) called Goolag Scanner. It essentially automates a technique called Google Hacking, which was pioneered by a hacker going by the handle “Johnny I Hack Stuff”. Google Hacking entails using the massive Google search engine to discover vulnerabilities on a given server or domain by using targeted searches. These searches are aimed at finding back doors, sensitive information accidentally made publicly available, vulnerabilities in server software, and more. The software, along with a friendly voice that guides you through the installation process, comes with 1,500 built-in searches to use out of the box.

(Read on …)

http://www.thestandard.com/news/2008/02/29/us-canadian-agencies-seize-counterfeit-cisco-gear

USA and Canadian law enforcement has seized US$78 million worth of Cisco routers, switches, and network cards in 400 seizures since the coordinated operation between the two nations was launched in 2005. The reason for the seizures is “illegal importation and sale of counterfeit network hardware”. Personally, I’m a little confused as to how network hardware can be imported legally, but apparently there are laws governing it. (If you’re wondering what “counterfeit” network hardware is, I’d imagine it’s the sale of previously illegally imported hardware). The involved agencies are the U.S. FBI’s Cyber Division, U.S. Immigration and Customs Enforcement, U.S. Customs and Border Protection, the Royal Canadian Mounted Police, and apparently, to some extent, the U.S. Department of Justice.

(Read on …)