Current Events: Cyber hackers turn to “virtual assets”

According to ESET’s 2008 Global Threat Report, there has been a shift in the goals and targets of cyber hackers. Rather than attempting to break into a bank account or deface a website, they go for something more subtle but, if planned properly, highly effective.

Online gaming attracts a very large population of people, and the most rapidly growing genre is the MMORPG (Massively Multiplayer Online Role-Playing Game). In games such as World of Warcraft (WoW), characters accumulate what the article calls “virtual assets,” which are essentially equivalent to real-world items of actual value. The people who engage in these games are also required to invest real currency in order to play.

Hackers are targeting players through social engineering, leveraging trust as the basis for new attacks. They first find a host character and infect him/her. Once they have control of the character’s account, they infect everyone who trusts the character’s true identity via a URL or malware, sell all of the character’s “virtual assets” at a bargain price, take the money, and move on to the next victim.

The article wraps up by discussing what can be done from a developer standpoint to enhance the security of users’ accounts on games such as WoW. They discuss authenticator RSA key generators that must be used every time someone logs into the account. However, they finish by saying the real flaw is not the software: the human element is the weakest link in the chain.

The event is popular because of the number of people who socialize in and devote hundreds of hours to the addictive game that is WoW. Because the game is such a big hit in the gaming community, the news has sparked high flames and caused quite a commotion. People fear losing the time and money they have invested in the game, which is something they cannot afford to lose.

As discussed before and well known today, humans are essentially the weak point in a system. They open up security holes and allow perpetrators to get in and take advantage of the system. One thing that could have been done, and still can and should be done, is educating the common person about the dangers of the online world. People must understand that the online industry, although highly sophisticated and at times seemingly safe, can still present extremely high risks and dangers.

The broader issue around the event is that people in the gaming world, and in the online industry more generally, need to be conditioned and educated in how to deal with the online world: how to keep themselves safe from online attacks and avoid becoming the next victim of such attackers. The real issue is reinforcing the fact that the online world can be just as dangerous as the real world, if not more so.

Some foreseeable reactions are outbursts of anger and disdain toward the developers of the game for not “properly securing” it. Because the people who have been victimized have lost so much, a great deal of animosity would be in their heads. They would not even want to hear that they themselves are the true reason for their own demise.

In addition, corporations and enterprises that specialize in anti-malware tools would thrive on such an event. They would preach to the public about how their software can help ensure the safety of the user’s system and how the attack that happened to them was a result, not of their own fault, but the fault of the OS or Gaming industry itself.

After a while the fire would most likely die out and the event would be forgotten.

Posted in Current Events

Current Event – Facebook the target of scammers

As Facebook becomes more ingrained in people’s public lives, so does the opportunity for people to take advantage of the virtual identities of others.  Recently, a Seattle man, Bryan Rutberg, had his Facebook account used to extort money from his friends, saying that he had been robbed and needed money to get back from London.  Rutberg, however, was safe at home in Seattle.

A person’s Facebook profile is trusted enough that people tend not to question who is on the computer using the account, but we’ve probably all heard stories of friends having their status changed by a roommate while they’re in class.  I personally know someone whose girlfriend removed some of his friends from his profile without his knowledge.  It seems someone has taken this type of attack and started using it for more insidious purposes.

The biggest thing that could have prevented this particular situation would have been for Rutberg to be more security conscious in his use of Facebook.  The attacker most likely gained access to his account through some sort of malware that Rutberg inadvertently installed on his system.  The best way to prevent this is the same sort of advice always given out about malware—be wary of untrusted websites and email.

This is especially important as social networking sites become more common for other uses.  If this had happened on LinkedIn, Rutberg might be out of a job, or worse.  People work very hard to protect their identity when it relates to financial assets, but intangible assets such as social and business reputations are at stake as well, and are often not as well protected.

Facebook is already taking action to make users aware when their account may be compromised, such as sending emails to the current contact email when changing or adding a new contact email.  More could be done to protect users’ identities on social networking sites, but this would more than likely simply get in the way of users of the sites.  The best reaction to this kind of event is to make users aware of it, so they are more careful with what they do on social networking sites.

Posted in Current Events

Security Review: Online Advertisers

Online advertisement is the lifeblood of the internet.  Without it, sites such as Facebook, Myspace, Google, etc. would go out of business. Approximately a year ago, Google alone reached over 1.1 billion unique users in a month (see 1), and they had only 35% of the market at that point; this does not, however, imply that advertisers were reaching 3.14 billion users, as most top advertisers would reach the same users [note that Google also owns the #2, DoubleClick].

With most major sites tied to the success of advertisers, there comes a tradeoff between appeasing advertisers and appeasing users.  The sites which appease advertisers impose interstitials, spyware, and popups.  By doing so, they increase the revenue advertisers are willing to pay, and they hope that their content is sufficiently interesting that users will wade through the ads regardless.  Other sites attempt to appease the users, and keep ads as unintrusive as possible, hoping that they will get more users due to the superior user experience, and that users will investigate ads because they care about the funding of the site and out of genuine interest in the ad.  The advertisers we are interested in here are the first category.

Security Goals

  • Advertisement should not harm the user passively (example: user opens page, spyware automatically installed)
  • Advertisement should not harm the user actively (i.e., the user clicks the ad and something bad happens)
  • Advertisement should not hijack space against the desire of the site owner (example (from 2): picture)

Adversaries and Threats

  • Malicious advertisers

Typically, these advertisers will be interested in installing adware/spyware/malware on a user’s computer.  This software will generally be responsible for browser hijacks, unexplained popup ads, and sometimes even credit card/identity theft.  A malicious advertiser is defined here as someone who commits these acts against the wishes of the vendor and publisher.  Typically such an advertiser can only get away with such acts until the vendor or publisher is notified and takes action to remedy it.

  • Malicious publishers

This is where a publisher deliberately puts spyware, or other harmful software, on their site with the goal of infecting their users.  They will expect to get a cut of whatever money is made due to such actions.  This can be very difficult to predict, as a site may be benevolent until it runs into financial difficulties, or the user gets tired and wants to move on, but not before maximizing profits.

  • Malicious vendors

This is less of an issue for those going with major vendors such as AdWords, but if a publisher chooses to use a small-scale advertising site, then they may run into a vendor who voluntarily uses such tactics as described above.

  • Malicious Third Parties

Here, a third party is anyone not involved in the advertisement process.  A virus writer who sends out e-mails with a virus which infects people with malware which hijacks google.com when the user tries to search would be an example of a third party.

Potential Weaknesses

  • Most sites give users only limited ability to provide feedback about advertisements; if an advertiser is infecting people with malware, it may take some time for this to become known and be remedied.  In the meantime, countless users may be infected.
  • Browser holes are common.  By utilizing one of these holes, a user may be silently infected.
  • Ads can be difficult to reproduce.  They are randomly rotated, so merely linking to a page on which one got infected gives no guarantee that the investigator will see the same ad which caused the infection, leading him/her to believe it was a false report.
  • Third parties are good at infecting people.  This can be shown by how many people get viruses through merely opening attachments, for example.
  • Publishers are not very accountable for their actions.  Generally speaking, the worst that will happen to a publisher is that he/she will lose the userbase of the site.  Legal action is nearly unheard of, and so there is little at stake for the publisher who merely wants to make a quick buck and move on.

Defenses

  • Ensure that browsers/operating systems are up to date.  A fully updated user is rarely the user who gets targeted: most infections are due to vulnerabilities for which a patch already exists (not all, obviously).
  • Use an adblocking extension which prevents content from loading off known advertising domains.
  • Use firewalls/anti-virus.
  • Allow users to complain directly to the vendor about ads instead of requiring the publisher to do so (obviously, this step only works for malicious advertisers, not malicious publishers/vendors).
  • Only allow pre-screened (by the publisher) ads to appear. Unfortunately, this may severely limit the strength of the advertising, and requires a benevolent vendor/observant publisher.
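The ad-blocking defense above works by matching the host of each outbound request against a list of known advertising domains. As an added illustration (not code from this review or from any real ad-blocking extension), the following Python sketch shows the label-based suffix matching such a filter needs, so that subdomains of a listed domain are blocked while look-alike names are not; the domain names in the blocklist and the request URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed blocklist for the example (not real advertising domains);
# a real extension ships a list of thousands of such domains.
AD_DOMAINS = {"example-ads.test", "tracker.example"}


def host_of(url: str):
    """Return the lowercase host of a URL (trailing dot removed), or None if it has no host."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None  # malformed URL (e.g. bad IPv6 literal): nothing to match
    if not host:
        return None
    return host.lower().rstrip(".")


def is_ad_request(url: str, blocklist=AD_DOMAINS) -> bool:
    """True if the request host is a listed domain or any subdomain of one."""
    host = host_of(url)
    if host is None:
        return False
    labels = host.split(".")
    # Compare whole labels, not raw string suffixes: 'cdn.example-ads.test'
    # must match 'example-ads.test', but 'notexample-ads.test' must not.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_page_requests(urls):
    """Split a page's outbound requests into (allowed, blocked), preserving order."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if is_ad_request(url) else allowed).append(url)
    return allowed, blocked


# Constructed sample of requests a page might make, including the corner cases
# the matcher has to get right (look-alike name, protocol-relative URL,
# userinfo before '@', upper case and a trailing dot in the host).
SAMPLE_REQUESTS = [
    "https://mysite.test/article.html",
    "https://cdn.example-ads.test/interstitial.js",
    "http://notexample-ads.test/legit.css",
    "//tracker.example/pixel.gif",
    "https://mysite.test@example-ads.test/popup.js",
    "https://EXAMPLE-ADS.TEST./banner.png",
]

if __name__ == "__main__":
    allowed, blocked = filter_page_requests(SAMPLE_REQUESTS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

The `mysite.test@example-ads.test` case matters because a naive filter that looks at the text before the first slash would see `mysite.test` and let the request through; `urlsplit().hostname` discards the userinfo part and returns the real host.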

The Future

With the current major browsers, most security threats can be blocked by fully updating them and using intelligent browsing habits.  The main risk is for those who either a) trust the publisher too much or b) are not careful users (the kind of people who see a download for a “toolbar required to display the content” and decide to download it, then end up infected).

It seems unlikely that online advertising will significantly change in the future.  There will be new technologies which can be exploited and new vulnerabilities, but online advertising is here to stay as the future of the internet.  Despite the backing-off of many advertisers with the weakening economy, advertising still remains a strong industry overall.  Major companies such as Google are relatively restricted ethically, due to their ease of accountability and need to maintain a reasonable public image.  Smaller vendors will remain the primary risk, due to their lack of concern about public relations and potential for lack of adequate staffing (leading to malicious advertisers having a long run).

Terms Used:

interstitial – a page (almost always advertising) which appears instead of the expected content.  The user is usually automatically forwarded after a certain amount of time, or he/she can click on a link which leads to the expected page.

publisher – the site on which the ad is served.  So, if an ad appears on mysite.com, then mysite.com is the publisher.

vendor – the company responsible for connecting advertiser and publisher.  Google AdWords is a major vendor.

Sources:

1: Attributor

2: Ben Edelman

Posted in Security Reviews

Current Event: Spike in Online Game hacking

According to an article on Gamasutra, online game hacking spiked in 2008.  It was noted that it usually wasn’t the games themselves being directly attacked; rather, attackers would use social engineering or other techniques to install malware, such as keyloggers, that would steal the user’s account information.  Once the attacker can log into the victim’s account, they can then use their position of trust to send malicious links to friends of the victim, furthering their malicious goals.  The attacker could also steal the victim’s virtual assets and sell them for real money.  For example, in Blizzard’s World of Warcraft, despite it being against the EULA, there is a large real-world market for in-game gold and items.  Because it is generally not the games themselves being attacked, it is hard for game developers to prevent this.  However, Blizzard is setting a good example by allowing users to purchase RSA key generators as an extra line of defense (though you would think that with all the money they are sucking from their players they would be able to include this at no extra cost).  These authenticators generate unique keys at the press of a button, a new one of which is required at each logon.  With this extra layer of defense, even if the attacker logs the victim’s password and authenticator key, the next time they log on the authenticator key will be different, preventing the attacker from successfully logging on.  More details on the Blizzard Authenticator can be found at Blizzard’s site here.

Posted in Current Events, Miscellaneous

More on Electronic Medical Records

As mentioned earlier in the blog in “Security Review: Electronic Medical Records,” Google has started an electronic medical record database called Google Health.  Today, IBM and Google announced that they have made software to allow PDAs to upload information to health care databases such as Google Health.  Google Health centralizes medical records for its users, by storing records entered manually or aggregating data from other related medical databases; the individual users decide who is authorized to access their records.  The new software can allow doctors to update patient information more quickly, and facilitates information sharing between health care providers.  As well as the obvious applications for sharing information between health care providers, the Computerworld article on this technology suggests that the new software would allow authorized people to keep track of the health of an ill family member more easily, as the doctors add updates to the database more quickly.  From the article, it was not obvious whether or not the software would also allow mobile devices to download records from the databases.


Posted in Privacy, Security Reviews

Security Review: .tel domain

According to New Scientist, a UK company called Telnic is introducing a new top-level domain, .tel, with the intention of creating a “phonebook for the internet.” Users will only be able to register contact information, and this information will be accessible directly from DNS servers. In addition, Telnic has made available an API that can be used to extract and process this information. While this might make social networking as well as getting in contact with people easier than ever, it poses the possibility of some serious security risks.


Posted in Current Events, Privacy, Security Reviews

Security Review: iPod Touch

The iPhone has already had a security review and is similar to the iPod Touch, but I’m going to focus more on the security when someone has physical access to the device.  There are a number of security measures that are or can be used on the iPod Touch to limit access to certain features.  The iPod Touch, probably similar to the iPhone, contains a lot of personal information as well as access to iTunes and the App Store.

The two main assets on the iPod Touch are the personal information on the iPod, such as photos, emails, contacts, notes, and schedules, and the access to iTunes and the App Store.  The owner of the iPod Touch may have some sensitive photos or emails that should remain secret.  iTunes and App Store accounts are usually linked to a credit card.  The owner wouldn’t want other people to make unauthorized purchases.  The iPod has a lot of functionality, and it’s not always clear what information is sensitive and what isn’t.

The security goal here is to restrict or limit access to sensitive information as well as prevent unauthorized actions such as purchases from happening.  At the same time, all the functionality has to be easy enough to use.

So two potential adversaries could be a nosy or prankster friend or someone who has physically stolen the iPod.  A friend might want to snoop around your personal information or perhaps jokingly purchase an “adult” app or change your wallpaper to David Hasselhoff.  Someone who has stolen your iPod may want to purchase apps and music using your account and credit card.

So the iPod has a few security measures.  Functionality of the iPod can be password protected with a 4-digit number.  When an iPod is locked (which typically happens after a period of inactivity), it asks for the 4-digit number to unlock the iPod.  This is only the case when the setting is activated.  Also, access to the App Store or iTunes is password protected, but this time with an iTunes password, which is likely more complicated and can contain letters and numbers from a full keyboard.

Now there are a few ways to exploit these two security features.  Since the iPod Touch is a touch-screen device, there are often smudge marks left by the oil on fingers.  With a 4-digit password, it can be easy to spot the 4 smudges on the screen that may well be the password.  With the iTunes password, or any password in general, there may also be smudges, but more of them and with less spacing.  However, as a convenience to the user, password input always shows the last character that was pressed for a couple of seconds.  Normally on a desktop or laptop computer, the password shows up as asterisks.  The iPod does the same eventually, but the last character entered is always readable.  Someone looking over the shoulder can easily decipher the password.  Also, the pressing of each key with just thumbs is much easier to read than when you have all ten fingers on a keyboard.  Additionally, once the password has been entered, it remains valid for several minutes before the password is requested again.  This allows an attacker to purchase apps or music right after the user has entered the password and finished with their legitimate purchases.

There are several potential ways to prevent these exploits.  If a different, more smudge-resistant screen were used, it might be more difficult to detect the password input.  Also, an option to suppress the display of the last character of the password would be good.  Or, even better, don’t show any asterisks, so eavesdroppers can’t see how long the password is either.  Additionally, a biometric scanner using a touch screen may some day be possible.

So the question really is, how much security do you need?  I imagine the information on an iPod Touch isn’t terribly sensitive in most cases.  And a device like that will typically be in close proximity to its owner and unlikely to be accessed by an adversary without being noticed.  The level of security already implemented seems appropriate for the value and sensitivity of the assets.  However, it would be nice if there were a quick and easy way to password protect certain apps, like email or photos, with just the 4-digit number.

As technology advances, more and more information and functionality will be packed into smaller and smaller devices.  As a result, the value of the assets may grow as well.  Blackberries have typically contained much sensitive information, and the recent Blackberry Storm features a touch screen.  As the assets contained in small devices grow, the security features currently available may become inadequate.  It’s interesting to see more and more fingerprint scanners showing up in laptops.  It seems people are aware that portable devices can contain sensitive information and can be stolen quite easily.  It will be interesting to see what kind of new security measures may be implemented on touch-screen devices in the future.

Posted in Security Reviews

Current Events – Infections that begin with windshield fliers

Not all computer malware infections are carried out completely electronically.  In recent events, cars in Grand Forks, North Dakota were tagged with “windshield fliers” which resembled a parking ticket, stating that they were violating the “standard parking regulations” and that in order to learn more about their offense they must visit some URL online.  This seems like quite the extent for one to go to in order to infect someone’s computer, but often enough it works.


Posted in Current Events, Miscellaneous, Physical Security

Security Review: Ford MyKey and similar systems

Ford Motor Company has stated that the 2010 Focus Coupe will be equipped with a technology called MyKey. Designed for parents wishing to ensure teenagers practice safe driving, the technology restricts certain actions such as driving too quickly. As currently announced, the system can restrict the vehicle speed to 80 mph, limit the audio speakers to 44% of maximum, and give constant audible alerts if seat belts are not worn. Read about the MyKey system here.

While MyKey is aiming for the parent/teenage child crowd, other products exist which automatically limit vehicle speed based on the current road. Using GPS and a database of known speed limits, these devices either limit the vehicle speed or issue a warning when driving over the limit. In all cases I’ve seen, these devices can be overridden, unlike the Ford MyKey. An example of one of these speed limiters would be the Wisespeed, by Imita.

Posted in Physical Security, Privacy, Security Reviews

Microsoft changes Windows 7 UAC after new exploit surfaces

Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9127392

The User Account Control (UAC) in Microsoft’s Windows 7 has already been compromised. Two programmers have written code which can alter UAC settings and, upon restart of the machine, execute arbitrary code with administrative privileges.

The basis of this problem stems from Windows 7’s new UAC default settings. UAC is Windows’ primary security feature, designed to alert the user of changes happening within the system and to request consent before proceeding with certain tasks, such as installing programs. This feature, which was added with the deployment of Vista, has met considerable criticism, particularly in that most users consider it an annoyance. In an effort to alleviate this and reduce such disruptions, Windows 7 has headed down the opposite path. The Windows 7 UAC defaults to a greatly reduced number of pop-ups and allows you to change user permission levels (from regular to administrator) without notification. This becomes a real problem when the operating system cannot distinguish between a change made by a user and a change made by a program. And therein lies the vulnerability: all a malicious script has to do is enter the system, either by convincing the user to click on (consent to) it or through some other breach. Once in, the script can silently change its permission level, force a restart, and begin executing whatever code it wants with administrator privileges. As is the case with most security vulnerabilities, this requires the user to consent to the script by downloading or running it; however, numerous phishing exploits show the frightening success attackers have had in accomplishing this.

Security is a difficult art to perfect, mostly because its importance is easily forgotten by the one who matters the most – the end user. The threat of exploits is felt most heavily when it is too late, and is all too easy for uninformed users to ignore. It really can become a hindrance having to repeatedly approve actions you initiated, such as the installation of a popular program. Users are often exposed solely to the obstruction which security measures present and less so to the protection they offer, as (hopefully) most users don’t have to deal with attacks. This is the problem with which Microsoft is faced. They need to strike a balance in which they protect the user without taking away from the experience (due to frustration with security barriers). Cutting back on UAC pop-ups is perhaps favorable, but it should not go so far as to defeat the purpose of the entire security system in favor of usability. Changes to a central security setting, such as the user permission level, should not go unnoticed. It is certainly an important enough change to merit user attention in all cases, and furthermore it is likely to be performed infrequently enough not to cause any significant annoyance. It is important that security features be carefully integrated into the system, with the user in mind, so that they are not rendered useless when the user disables them; however, at the end of the day their job is to protect, not appease, the user.

Posted in Current Events, Miscellaneous