Storm worm cracked, but defenses may not fly

By oterod at 11:21 pm on January 11, 2009 | 3 Comments

The Storm worm, noticed for the first time on January 17th, 2007, is one of the more notorious worms of the last few years. Targeted initially towards individual Windows machines, victims were often infected after receiving a bait e-mail with a particularly intriguing subject line, originally on the topic of a nasty European windstorm. The malicious attachment, when opened, would begin sending data to predetermined locations, as well as potentially installing additional malware.

The two most important side-effects of the worm were assumed control of the victim machine for botnetting, as well as the application of a root kit. What made Storm particularly effective as a botnet client was the use of peer-to-peer technology, rather than a strict client-server model. While “primitive” botnets could be attacked by targeting the centralized server, Storm created a P2P network of hosts, each of which was only ever “aware” of a small subset of the total botnet. While “command servers” did exert control over the botnet, they existed in numbers, and hosts were given means to find new command servers as they came online. This made it especially hard to know of the botnet’s size and member machines, let alone take it down. Despite attempts by Microsoft to use its Malicious Software Removal Tool to cleanse infected nodes, estimates suggest remaining infected nodes are still plentiful.

In results published on January 9th, German researchers at Bonn University and RWTH Aachen University show analysis which could, if applied properly, lead to any remaining botnets’ demise. By disassembling the drone client program used by infected nodes, the researchers were able to discover the protocol used for inter-client and client-server communication. They then built their own client and hooked it into an isolated test botnet. Experiments with this client showed that drones in the botnet asked each other about command servers, much in the same way that a DNS query might travel. By creating their own bootleg command server, and using their false drone client to deceitfully route real drones to the new server, they found that they could assume control over some aspects of the infected nodes. This would allow them to remotely install and run cleanup software, potentially allowing systematic cleanup of an entire botnet.

“What’s the holdup?” you might ask. The problem is that this cleanup would violate German information safety laws. Not only would it invade victim machines in the same way that the worm itself has, but it could also cause all kinds of data corruption and other collateral damage as part of the cleanup process. The legal repercussions of invasion of privacy and potential tampering with data are severe. While the cost of allowing Storm-backed botnets to exist is immense — with respect to spam alone, Symantec clocked the e-mail spam-output rate of one infected node at around 360 messages per minute — the practical and ethical cost of cleanup is high enough that it’s unclear to the German researchers which is worse.

It seems to me as though another approach could prove less problematic. If non-Storm-controlled drones can enter the network as demonstrated by this research, they could be used to identify, rather than automatically fix, targeted nodes. With the support of some well-recognized anti-virus or computer security agency, an opt-in cleanup program could make owners of infected nodes aware of the risks of cleanup before granting access to their machines or installing cleanup software themselves. The public approval of a well-known name in the field would give credibility to the cleanup effort, and perhaps could provide an open infrastructure for individual opt-in.

At the very least, this research allows security professionals and individual Windows users to take anti-Storm defense into their own hands. Whether it can be used to extinguish remaining Storm-related activity remains to be seen, especially now that Storm’s developers have a chance to react. It appears that the current drone protocol doesn’t require server authentication; were that to be put in place, the researchers’ spoof-server approach would no longer work. The makers of the worm have shown an eagerness and a capability to react quickly and successfully to possible anti-Storm technologies, and could no doubt “fix” this “problem” too fast for it to be useful.

It will be interesting to see how this situation plays out. Hopefully, it will be for the better.

Filed under: Current Events, Ethics, Policy, Privacy, Research

Current Events – Undocumented Chip in Wii

By liaowt at 8:12 pm on January 8, 2009 | 3 Comments

Update. This entry was updated on January 9, 2009 to reflect a re-interpretation of the original article.

Several years after the Wii was launched, hackers found flaws in the Wii’s security. According to an article from Nintendo World Report, a tiny processor that was kept secret for security reasons was discovered by a group of hackers, Team Twiizers. Because the existence of the chip has been discovered, this can cause security problems.

As presented in this video, in order to run a game on the Wii, a ticket (key) is needed. The valid keys are all stored in the chip. However, this chip does not only hold keys; it also controls the bit that turns on DVD playback functionality, which is turned off by default. These aspects make the hackers feel challenged to break Nintendo’s security system.


Filed under: Current Events, Physical Security, Privacy

Security Review: Wireless Home Automation Systems

By chernyak at 10:57 pm on March 17, 2008 | 4 Comments

Summary: Home automation systems in general attempt to enable home owners to have a “smart” house. Instead of light switches you have integrated panels that control everything from your lights, to your shades, to your entertainment system, climate control, alarm system, motorized locks, etc. Some specific examples of such systems, like those offered by Control4, use wireless communications between the panels and the devices they control. Some also have integration with cell phone applications. One of the selling points for these systems is that they improve security.


Filed under: Physical Security, Privacy, Security Reviews

Current Events: British Police Want DNA of Children

By Trip Volpe at 10:54 pm on March 16, 2008 | 3 Comments

From The Guardian, and on Slashdot.

Police in the United Kingdom may soon be able to collect DNA samples from children if they exhibit behaviors that suggest they may commit crimes later in life, at least if Scotland Yard forensics director Gary Pugh has his way.

Pugh cites the importance of identifying future offenders, saying that “the number of unsolved crimes says we are not sampling enough of the right people.” Advocates of such programs, including the Institute for Public Policy Research, claim that most career criminals begin their lives of crime as early as 10 to 13 years old, and suggest that children from 5 to 12 years old should be profiled and sampled if they exhibit certain “risk factors.”

Even these advocates acknowledge that such treatment could have a “stigmatising” effect, but they do not seem to have any problem with gross violations of privacy in the name of improving public safety. One concern that is not directly addressed in the article is the possibility that the negative attention such sampling and registration involves might even place more obstacles to a child’s chances of leading a normal life, perhaps even increasing the likelihood that they would turn to crime; a self-fulfilling prophecy, in other words.

Of course, an even greater issue that is sidestepped by the focus on children is the question of whether preemptive DNA sampling of any individual, adult or child, should be tolerated in any free society. Whether such programs are effective in reducing crime is not the only issue – the cost to individual liberty must also be considered. In my opinion, at least, personal freedom must always outweigh public safety, but I’m interested in hearing other ideas.

Filed under: Current Events, Ethics, Physical Security, Policy, Privacy

Security Review: Car GPS Navigation Systems

By joyleung at 10:36 pm on | 8 Comments

Summary

Car GPS navigation systems are a handy tool for finding one’s way on the road. With features like local points of interest, an address book and SD card backup, it would not be surprising if it becomes a common everyday item soon. Here is a review for a GPS navigation system similar to the Magellan Maestro 4200:


Filed under: Availability, Privacy, Security Reviews

Security Review – GSM Cellphones

By aodle56 at 9:29 pm on | 3 Comments

I’ve seen a few people on this blog cover various aspects of cellphone security, including the new iPhone 3rd party support and GPS tracking; however, I haven’t seen anything covering the most basic of cellphone features, voice communication. It seems to me there are just as many, if not more, security implications that arise by the simple act of eavesdropping or account spoofing as there are in the more modern functions of cell phones.

Filed under: Privacy, Security Reviews

Current Events: No need for jello, fingerprint USB sticks are easy to crack.

By jimg at 9:02 pm | Comments Off

No need to go to great lengths to try to spoof fingerprint scanners on USB sticks. You can just tell the device that the data is public. Researchers discovered this vulnerability in models from 9pay and A-Data fingerprint USB data sticks. The vulnerability lies in a fundamental design flaw: the signal to access the data comes from the PC, and is not computed on board the chip. This means all one has to do is send the correct signal and the stick happily discloses the data. This can be done with a very simple command from an open-source utility. The manufacturers commented, admitting they were aware of the vulnerability, but that it was difficult enough that most people wouldn’t figure it out. A fine example of attempted security through obscurity.


Filed under: Current Events, Privacy

The House on Amending FISA Act

By Kris Plunkett at 5:15 pm on March 14, 2008 | Comments Off

Today the House of Representatives voted on a bill that would amend the FISA Act of 1978, which deals with government wiretapping. The amendments would deny amnesty to telecommunication industries for complying with illegal warrantless wiretaps by the Bush administration, but allow those companies to use government classified information in their defense to prove that they did comply with the law (if they indeed did).

Filed under: Current Events, Policy, Privacy

Security Vulnerability in Mac OS X – LoginWindow.app

By robert at 3:19 pm on March 2, 2008 | 2 Comments

A security vulnerability in loginwindow.app on Mac OS X was reported to Bugtraq this week. The vulnerability is that the user password is still resident in memory after the system authenticates the user.

Filed under: Current Events, Privacy

Facebook storing your information

By mstie74 at 11:18 pm on February 26, 2008 | 5 Comments

While this may not be breaking news, it turns out that Facebook has taken just one more step in not respecting their users’ privacy.

According to a semi-recent article in the New York Times, Facebook retains user profile information even after the user has requested deletion so that “a user can reactivate at any time and their information will be available again just as they left it”.


Filed under: Current Events, Ethics, Policy, Privacy