UW Computer Security Research and Course Blog

The use of performance enhancing drugs and medical techniques is a serious problem in every sport, but no sport is as notorious for doping scandals as is professional cycling. While Olympic athletes, baseball players, and body builders are often caught boosting, the effect of their “cheating” on the sport, society, and economy is minimal. Marion Jones, for instance, a five-medal winner in Sydney’s 2000 summer Olympics, was retroactively indicted on drug charges and agreed to forfeit her awards. While the revelation shocked many, Jones relinquished her medals and life went on.

Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.

(Read on …)

As part of an “expose’” on cyber crime, BBC’s “Click” team took it upon themselves to hire a botnet. With the stated goal of demonstrating the power of “cyber criminals” in today’s world, the journalists purchased the use of ~22,000 compromised machines. As part of their demonstration, they directed massive amounts of spam to two specific test addresses, and finally, used their botnet to bring down a security firm’s backup website via DDoS. The DDoS attack was done with permission from the “victim” company (Prevx).

Now the BBC group is in a spot of legal trouble as their use of a botnet could potentially implicate them in the violation of the UK’s Computer Misuse Act. While BBC claimed that their use of the botnet was purely academic, and therefore not criminal, they did take control of non-consenting citizens’ home PCs. More importantly, in purchasing the use of a botnet, reportedly at somewhere between $300-$400 per machine, the news network essentially funneled a few million dollars into the hands of cybercriminals. And all so that they could demonstrate what many papers and news articles before them already had.

The journalists, at surface level, did a good job of keeping things academic and avoiding any sort of cybercrime. They spammed their own test e-mail accounts. They DDoS’d a prepared and willing target. They also put warning documentation on the infected machines, at experiment’s conclusion, explaining to their users that they had been infected, and how to best avoid future infections. Ultimately, however, by mere involvement with and commandeering of hijacked personal machines – and especially thanks to funding the true criminal party – they did indeed commit some level of criminal act. To what degree they are held responsible is now a matter for the British courts to decide.

This is just one more occurrence in a string of botnet-related legal issues. A similar issue plagued German malware researchers with the means to potentially dissolve the Storm worm’s botnet(s) (see http://cubist.cs.washington.edu/Security/2009/01/11/storm-worm-cracked-but-defenses-may-not-fly/). It seems that academicians of all types are running into a fundamental problem with this particular security threat: there is no way to legally study it “in the wild.” The moment a researcher connects to a botnet, takes control of it, or otherwise interacts with it, he or she risks legal consequences. Whether or not any charges stick is a different matter, and quite frankly, it will take some time before reasonable precedents clarify the legal “consensus,” but regardless these issues represent a significant impediment to progress in anti-botnet research.

According to Slashdot, researcher Chris Paget was able to capture many identification numbers from the new passports containing RFID tags while driving around San Francisco. Using $250 of equipment (a RFID reader and an antenna) hooked up to his laptop, Paget was able to read the identification numbers of the passport RFID tags from up to 20 feet away. According Paget, it could be possible to read the tags from hundreds of feet away since they are actual radio signals. It is then “trivial to program” a blank tag with the retrieved identification numbers. It is these numbers that are used in verifying the RFID tag. (Read on …)

With the improvement of wireless technologies and a decrease in their cost, more and more devices come with network connectivity built in. From Wifi to Bluetooth to 3G, more and more devices are becoming wireless capable. A recent article from ScienceDaily (continued here and here) discusses how many of our personal belongings will be interacting wirelessly, and the technologies being developed in order to cope with such a massive increase. There is a predicted 7 trillion devices for 7 billion people by 2017 that will be connected on personal networks. Given many of the problems of wireless security that we are faced with today, the chance for potential problems is a serious concern.

The article discusses the MAGNET, a European research project aimed at seamlessly managing personal networks (PN). The goal is to make maintaining one’s PN easy and convenient to use, while trying to still be secure. It is hoped that bringing new devices into the network should be done in a user friendly way, to avoid many of the connection nuances that annoy consumers today.

Assets and Security Goals

• If everyone’s lives are as fully connected as conjectured, then all forms of privacy and personal security could be at stake. The PN is used to keep your entire life connected, whether it be to keep personal finances and work in order, or to monitor heart rate and other bodily functions.
• Maintaining availability and reliability of electronic devices. Devices could stop functioning properly if dependencies are built upon the functionality of the PN being intact

Potential Adversaries and Threats

• Adversaries outside the personal network If so many devices are communicating wirelessly, the amount of traffic in the air at once is potentially staggering. Any adversaries who wish to learn about an individual could monitor this communication and learn about the user.
• Adversaries within the personal network. If an adversary were able to gain access to a device within the PN, it may be possible to gain access to other devices in a network.
• Advertisers/Marketers It may be possible for a manufacturer to construct a device which monitors a user’s PN to learn about their habits. This information gathering could be used to make very targeted ads depending on the devices in their PN and the communications they make.
• Device manufacturers Device manufacturers could be adversaries themselves, and embed malicious behavior in their devices. Maybe one manufacturer’s device could attack a competitor’s device on the same network.

Potential Weaknesses

• Professor Liljana Gavrilovska, Technical Manager of the MAGNET Beyond project, stated that, “We have a user-centric approach with the overall objective to design, develop, demonstrate and validate the concept of a flexible PN that supports resource-efficient, robust, ubiquitous personal services in a secure, heterogeneous networking environment for mobile users.” By maintaining a user-centric approach it’s possibly that many assumptions have to be made about the types of devices and the accessprivileges given on a PN. Specific customization of individual devices on a PN may be difficult given how transparent this process is trying to be made to the user
• Trust between devices could be a weakness in a network. Enforcement and access rights that devices have within the network would have to be specified to ensure devices can’t take actions that aren’t necessary for their function.

Potential Defenses

• Ensure that all users are aware of the risks associated with this technology before using it. It’s apparent even today that many users aren’t concerned with security, given how many home networks are left vulnerable and exposed.
• Enforce a kind of standards policy on manufacturers to ensure that the devices they produce conform to security standards, and do not exhibit any undesired behavior that is not related to their dedicated tasks.

Given the recent trends and developments in personal devices, it’s inevitable that our devices will be communicating on a massive scale. The MAGNET project is responding to the need for a well defined standard for these technologies to cooperate. There is a lot at stake, and adversaries have every reason to target user’s PNs for personal gain. Efforts are being made to ensure that this technology is safe and secure for users to depend on, but these measures should be scrutinized in order to ensure personal privacy and safety.

The Storm worm, noticed for the first time on January 17th, 2007, is one of the more notorious worms of the last few years. Targetted initially towards individual Windows machines, victims were often infected after receiving a bait e-mail with a particularly intriguing subject line, originally on the topic of a nasty European windstorm. The malicious attachment, when opened, would begin sending data to predetermined locations, as well as potentially installing additional malware.

The two most important side-effects of the worm were assumed control of the victim machine for botnetting, as well as the application of a root kit. What made Storm particularly effective as a botnet client was the use of peer-to-peer technology, rather than a strict client-server model. While “primitive” botnets could be attacked by targetting the centralized server, Storm created a P2P network of hosts, each of which was only ever “aware” of a small subset of the total botnet. While “command servers” did exert control over the botnet, they existed in numbers, and hosts were given means to find new command servers as they came online. This made it especially hard to know of the botnet’s size and member machines, let alone take it down. Despite attempts by Microsoft to use its Malicious Software Removal Tool to cleanse infected nodes, estimates suggest remaining infected nodes are still plentiful.

In results published on January 9th, German researchers at Bonn University and RWTH Aechen University show analysis which could, if applied properly, lead to any remaining botnets’ demise. By disassembling the drone client program used by infected nodes, the researchers were able to discover the protocol used for inter-client and client-server communication. They then built their own client and hooked it into an isolated test botnet. Experiments with this client showed that drones in the botnet asked each other about command servers, much in the same way that a DNS query might travel. By creating their own bootleg command server, and using their false drone client to deceitfully route real drones to the new server, they found that they could assume control over some aspects of the infected nodes. This would allow them to remotely install and run cleanup software, potentially allowing systematic cleanup of an entire botnet.

“What’s the holdup?” you might ask. The problem is that this cleanup would violate German information safety laws. Not only would it invade victim machines in the same way that the worm itself has, but it could also cause all kinds of data corruption and other collateral damage as part of the cleanup process. The legal repercussions of invasion of privacy and potential tampering with data are severe. While the cost of allowing Storm-backed botnets to exist is immense — with respect to spam alone, Symantec clocked the e-mail spam-output rate of one infected node at around 360 messages per minute — the practical and ethical cost of cleanup is high enough that its unclear to the German researchers which is worse.

It seems to me as though another approach could prove less problematic. If non-Storm-controlled drones can enter the network as demonstrated by this research, they could be used to identify, rather than automatically fix, targeted nodes. With the support of some well-recognized anti-virus or computer security agency, an opt-in cleanup program could make owners of infected nodes aware of the risks of cleanup before granting access to their machines or installing cleanup software themselves. The public approval of a well-known name in the field would give credibility to the cleanup effort, and perhaps could provide an open infrastructure for individual opt-in.

At the very least, this research allows security professionals and indivual Windows users to take anti-Storm defense into their own hands. Whether it can be used to extinguish remaining Storm-related activity remains to be seen, especially now that Storm’s developers have a chance to react. It appears that the current drone protocol doesn’t require server authentication; were that to be put in place, the researcher’s spoof-server approach would no longer work. The makers of the worm have shown an eagerness and a capability to react quickly and successfully to possible anti-Storm technologies, and could no doubt “fix” this “problem” too fast for it to be useful.

It will be interesting to see how this situation plays out. Hopefully, it will be for the better.

From an article in Infoworld via Slashdot, two researchers from Invisible Things Lab have discovered a method to circumvent Intel‘s Trusted eXecution Technology (TXT). The TXT system (PDF), part of Intel’s vPro hardware-assisted security product, is designed to allow software to run while protected against attacks from other software programs. However, the researchers at Invisible Things Lab discovered a two-phase attack that exploits a bug in Intel software in the first phase and then uses a deficiency in the actual TXT specification in the second stage, to successfully attack software designed to use the TXT system. While such software is currently rare, it may become more prevalent as more software aims to increase security.

This event is a result of researchers working to verify the security properties of Intel’s vPro hardware-based security system. Hardware is much more difficult to revise than software, if revision is possible at all. This may mean that all current implementations of TXT are essentially obsolete, and may remain so in perpetuity.

This security cloud does have a silver lining, however: TXT is a platform that Digital Rights Management (DRM)-enabled software is likely to use, and by showing that hardware-based security is as fallible as software-based security, this new revealation may guide companies towards less restrictive, more user-friendly approaches to security and intellectual property protection.

Software vendors considering using the TXT system will undoubtedly be turned off by this event. However, it is better to know that something is not totally secure than it is to think that it is secure when it is not, so in the long run, it is better for Intel, despite the current press, that this exploit was discovered early rather than after many software packages depended on the TXT system. Companies such as AMD may also learn that security is a difficult problem and that attempting to “solve it” may be more trouble than it is worth.

University of Washington CSE PhD student Dan Halperin et al.‘s paper on the security and privacy for pacemakers and implantable defibrillators just received the Best Paper Award at the annual IEEE Symposium on Security and Privacy (a.k.a. the “Oakland” conference).

Dan and the rest of the team from UW, UMass Amherst, and Harvard Medical School found that an implantable cardioverter defibrillator can leak private information and can allow unauthorized parties to modify settings that control, among other things, shock therapies.  

You can read Dan’s full paper and the FAQ, as well as his earlier work on the topic of medical device security.  You can also read summaries of Dan’s work in The New York Times, the Wall Street Journal, Reuters, and the Associated Press.  Bruce Schneier also provides excellent commentary.

Congratulations Dan!

Our research group (Charlie Reis, Yoshi Kohno, and Steve Gribble from UW CSE, and Nick Weaver from ICSI) has just presented a measurement study showing that many users are receiving web pages that have been modified in-flight.  The pages are changed between the web server and the user’s browser, either by ISPs injecting advertisements, enterprise firewalls injecting script code, or client-side proxies that block popups and ads.  These changes are often unwanted by either publishers or users, and they can also be dangerous: we found that several types of changes introduced bugs and security vulnerabilities into otherwise safe and functional pages.

To study this, we measured how often our own web page, http://vancouver.cs.washington.edu, was modified when users visited it.  A piece of JavaScript code that we call a “web tripwire” detected such modifications, allowing us to record the change and notify the user.  Our study found that about 1% of the 50,000 visitors to our page received a modified version.  While 70% of these changes were caused by client-side proxies, we did see many changes caused by ISPs and firewalls as well.

For more information on our study and our results, you can read our analysis at Detecting In-Flight Page Changes with Web Tripwires, as well as our recent NSDI 2008 paper (PDF).  Our results have also been covered recently in the news media here, here, and here.

If you would like to add a web tripwire to your own page, we have an open source toolkit that you can download and host on your web server.  We also have a web tripwire service that is hosted by our server, which you can add to your page with a single line of JavaScript code.