Security Review: Network Solutions’ Worldnic Domain Name Hosting Service

Network Solutions runs one of the largest domain registrars and DNS hosting providers in the world. It currently hosts more than 7.5 million domain names, including many of the most popular web sites on the Internet. The domain name servers hosted at Worldnic translate URLs into IP addresses, so if these servers are not operational, an otherwise functioning web site is effectively down.

With billions of dollars being shifted from retail to e-commerce every year, web site up-time has become mission-critical to many companies. Any sort of web site failure for even extremely small periods of time can directly affect a 21st century company’s bottom line. Network Solutions has the very important task of serving as the gateway between customers’ web browsers and companies’ web sites. As the man in the middle, they are a very clear target for attackers. A malicious user has a clear path to disrupt service without ever having to attack a customer or the company itself. This scenario makes top-level security imperative to Network Solutions and Worldnic. A single successful attack could disrupt millions of transactions across millions of web sites.

Posted in Availability, Security Reviews | Comments Off on Security Review: Network Solutions’ Worldnic Domain Name Hosting Service

New Zealand man accesses US military secrets

According to an article from New Zealand’s ONE news, one of their citizens, Chris Ogle, recently purchased an iPod from a thrift shop containing detailed information about some US soldiers. This information included social security numbers, information about where they are stationed, as well as current cell phone numbers. Each file had a disclaimer reading that the release of its contents was “…prohibited by federal law”. Whoever donated the iPod has obviously broken this disclaimer; if they didn’t want the files to be found, they could have destroyed the iPod or, better yet, erased the files. According to the story, many of the files are dated 2005, but regardless of the year, people’s personal information is not necessarily likely to change (i.e. their social security number). In the wrong hands this information could potentially harm the soldiers, in the most extreme case by giving away the locations of military bases, or in a more likely case by giving someone enough information to commit identity fraud. The man has said that he would be happy to give the iPod back to the US government if asked, which seems to me would be the appropriate response for the government to take to protect the security of their soldiers’ personal information.

Posted in Miscellaneous | Comments Off on New Zealand man accesses US military secrets

Current Event: OMG, The Real World Is Actually Like the Spy Movies

Today’s Seattle Times reports on an Oregon ex-CIA agent who had been selling the identities of other CIA agents to the Russians – from his jail cell. Not only am I surprised that he had already been convicted (in 1996) but managed to continue, but also that “the spy wars between Russia and the United States did not stop with the end of the Cold War and the collapse of the Soviet Union in 1991.” (!!!)

The story reveals security problems both on behalf of the government, and on behalf of this former agent, Harold Nicholson. On the government’s behalf, we are reminded that all security is based on some level of trust – and with a large program like the CIA, it is hard to ensure that every agent can be 100% trusted, no matter how hard they are screened. Nicholson clearly should not have been trusted. As for Nicholson, he had been sending secret messages through his son, which his son then physically traded with Russian agents for cash. What tipped the US government to this process? They didn’t figure out exactly what was said in the messages, but the rise in communication between the two, and the son’s frequent international travel tipped them off to the fact that something was going on. Strange messages – like biblical verses – started appearing in their letters. Sometimes, it’s not that the entire message leaks, but external information can tip an outsider to the fact that *something* is going on – and then they can make a pretty good guess as to what.

For us as students, this is a reminder that Security, while not only fun to pretend we are lock-breaker hackers like in the movies, is actually relevant to real lock-breaker hacker secret agents, who are not in the movies, but real. While our only personal exposure to security may be adding a password to our email, or at the most crucial keeping our Social Security Number and Bank Accounts secret, there are reasons that extremely strong security is necessary. For those in the CIA, they don’t worry that someone is trying to decrypt their messages, they know that someone is trying to decrypt their messages. They don’t hypothetically consider trust, and then tell their best friend their passwords – too much is on the line.

I guess I’m finally convinced that security really really is valuable.

Posted in Miscellaneous | 1 Comment

Security Professional Works as Botmaster

Security Professional John Schiefer has continued to work in the computer security field for 15 months while he has been waiting to be sentenced for being a botmaster of a 250,000 bot herd (http://www.theregister.co.uk/2009/01/23/botmaster_sentencing_kerfuffle/). This Los Angeles-based security consultant has been awaiting sentencing since pleading guilty in November of 2007. Since then, Schiefer has stated that he has been working as a professional in the security field as well as a network engineer for an internet startup. The prosecutors have requested the minimum 60-month sentence, followed by five years of supervised release. Luckily, everyone in this class has signed an ethics form so nothing like this will happen.

Posted in Current Events, Ethics | 2 Comments

Security Review: Advertisements That Watch You

The Associated Press reports that there is a growing chance that, while watching an advertisement on a video screen in a public place, the advertisement may also be watching you. Following a trend of increasingly prevalent automatic public monitoring, from security cameras to red-light cameras, advertisements may now attempt to identify the people watching them. This is done with small cameras that can be embedded either in or around the advertising video screen. The output from the cameras is fed into software which attempts to identify certain characteristics about the watcher. This includes both personal characteristics such as age, gender, and ethnicity and behavioral characteristics such as the amount of time spent watching the advertisement.

Posted in Miscellaneous | 5 Comments

Personal Networks of the Future: The MAGNET project

With the improvement of wireless technologies and a decrease in their cost, more and more devices come with network connectivity built in. From Wi-Fi to Bluetooth to 3G, more and more devices are becoming wireless capable. A recent article from ScienceDaily (continued here and here) discusses how many of our personal belongings will be interacting wirelessly, and the technologies being developed in order to cope with such a massive increase. A predicted 7 trillion devices for 7 billion people will be connected on personal networks by 2017. Given many of the problems of wireless security that we are faced with today, the chance for potential problems is a serious concern.

The article discusses MAGNET, a European research project aimed at seamlessly managing personal networks (PN). The goal is to make maintaining one’s PN easy and convenient, while still trying to be secure. It is hoped that bringing new devices into the network can be done in a user-friendly way, to avoid many of the connection nuances that annoy consumers today.

Assets and Security Goals

  • If everyone’s lives are as fully connected as conjectured, then all forms of privacy and personal security could be at stake. The PN is used to keep your entire life connected, whether it be to keep personal finances and work in order, or to monitor heart rate and other bodily functions.
  • Maintaining availability and reliability of electronic devices. Devices could stop functioning properly if dependencies are built upon the functionality of the PN being intact.

Potential Adversaries and Threats

  • Adversaries outside the personal network. If so many devices are communicating wirelessly, the amount of traffic in the air at once is potentially staggering. Any adversaries who wish to learn about an individual could monitor this communication and learn about the user.
  • Adversaries within the personal network. If an adversary were able to gain access to a device within the PN, it may be possible to gain access to other devices in a network.
  • Advertisers/Marketers. It may be possible for a manufacturer to construct a device which monitors a user’s PN to learn about their habits. This information gathering could be used to make very targeted ads depending on the devices in their PN and the communications they make.
  • Device manufacturers. Device manufacturers could be adversaries themselves, and embed malicious behavior in their devices. Maybe one manufacturer’s device could attack a competitor’s device on the same network.

Potential Weaknesses

  • Professor Liljana Gavrilovska, Technical Manager of the MAGNET Beyond project, stated that, “We have a user-centric approach with the overall objective to design, develop, demonstrate and validate the concept of a flexible PN that supports resource-efficient, robust, ubiquitous personal services in a secure, heterogeneous networking environment for mobile users.” By maintaining a user-centric approach, it’s possible that many assumptions have to be made about the types of devices and the access privileges given on a PN. Specific customization of individual devices on a PN may be difficult given how transparent this process is meant to be to the user.
  • Trust between devices could be a weakness in a network. Enforcement and access rights that devices have within the network would have to be specified to ensure devices can’t take actions that aren’t necessary for their function.

Potential Defenses

  • Ensure that all users are aware of the risks associated with this technology before using it. It’s apparent even today that many users aren’t concerned with security, given how many home networks are left vulnerable and exposed.
  • Enforce a kind of standards policy on manufacturers to ensure that the devices they produce conform to security standards, and do not exhibit any undesired behavior that is not related to their dedicated tasks.

Given the recent trends and developments in personal devices, it’s inevitable that our devices will be communicating on a massive scale. The MAGNET project is responding to the need for a well-defined standard for these technologies to cooperate. There is a lot at stake, and adversaries have every reason to target users’ PNs for personal gain. Efforts are being made to ensure that this technology is safe and secure for users to depend on, but these measures should be scrutinized in order to ensure personal privacy and safety.

Posted in Privacy, Research, Security Reviews | 1 Comment

Security Review: Pandemic Prevention

According to a New Scientist article, a company called Biorics wants to control the spread of pandemic disease by dispersing “cough-detecting” microphones throughout airport lounges. The proposed technology would detect coughing passengers and distinguish a common-cold-like cough from one that could be a symptom of a serious and spreadable disease. In 1998, a group of scientists from the Nippon Medical School in Tokyo, Japan showed that they could discriminate between productive and non-productive coughs, where a productive cough is usually accompanied by the expulsion of phlegm (i.e. a sick person’s cough). Biorics used this research to develop a system that theoretically could detect a sick traveler in an airport and stop the spread of a possibly devastating disease.

Posted in Ethics, Miscellaneous, Policy, Security Reviews | 2 Comments

Current Events: President Obama (‘s Web Site) Under Attack!

Barack Obama’s online community, which began during the 2008 campaign as a way to bring people into the political process, has been the target of recent attacks, according to an article in PCWorld.

The site (login required) allows registered users to create their own blogs, and many attackers have taken advantage of that capability by posting images designed to trick viewers into downloading Trojan horses. For example, one attack involves tricking users into clicking an image to view a movie. If they click, they are told they need to download a codec. That “codec” is actually a Trojan horse.

Of course, this type of attack is not new. But the fact that they are happening on a web site controlled by the President of the United States is, and it raises interesting questions about who controls a site’s content, what causes a user to trust blog content, and how attackers can reach the most victims.

Naïve users who read blogs on barackobama.com might trust what they are seeing more because they trust the President. But while the site’s operators have an interest in maintaining the trustworthiness of their site, and are actively searching for and eliminating attacks, they cannot always keep up.

Attackers can also take advantage of the President’s strong reputation to reach more victims. As with any malicious web page, posting links to them on other sites increases the malicious page’s search ranking. But this effect is magnified by the popularity of the President’s site itself, which improves the search ranking of every page on it.

In the early days of the world-wide web, the notions of content-provision and site-operation were synonymous. If the operators of a site were trustworthy, then short of a redirection attack, the content of that site could also be trusted. But these notions have been split by the advent of online community sites that allow users to contribute their own content. Now, to provide a safe experience for its users, a site must not only do no harm itself, but must successfully control what other users can post. It may take some time for naïve users to realize that.

This new requirement is further complicated by the fact that the better a site operator’s reputation is, the more traffic it will have, and the more users will be inclined to trust what they see on it. That gives attackers an incentive to attack the sites with the best reputation, where they can do the most harm.

Operators wishing to maintain the reputations of their sites have two options: detection and removal, and stronger warnings to their users. Strong warnings may be undesirable for the site operator because they are essentially telling their users that their site is unsafe. That means they will need to strengthen their detection and removal, possibly requiring that postings be approved before they are made public, if they are going to keep their site safe enough to stake their reputations on.

Posted in Current Events | 3 Comments

Ex-Fannie Mae worker charged with planting computer virus

According to the D.C. Examiner, a virus, allegedly planted by an ex-employee, was recently discovered among Fannie Mae’s 4,000 computer servers. The virus would have first disabled the company’s computer monitoring systems, then restricted all employee access, begun erasing all of the company’s data, and finished by shutting down every machine. According to prosecutors, this would have caused millions of dollars’ worth of damage, understandably, and halted all of Fannie Mae’s computer operations for at least a week.

The article is somewhat vague on how or when the virus was found, but some of the dates connected with the article provide cause for alarm. The employee allegedly responsible was fired on October 24th for attempting to tamper with certain servers’ settings. The virus mentioned in this article, however, was installed before this date, and set to attack on January 31st. The article was written on the 29th, two days before this would happen, leading one to believe that the virus was hidden amongst Fannie Mae’s code for at least several months before being discovered. The company should be commended for recognizing a possible insider attack in October when they fired the employee; however, perhaps they could have done more to investigate the actions of that employee so that this potentially devastating virus could have been found earlier.

This story, and ones similar, emphasize how crucial it is for companies to protect themselves from insider attacks. These precious servers cannot exist in isolation; however, their access and updates need to be strictly monitored in order to minimize the risk of malicious software being installed by trusted parties. Arbiters of these systems could consider personally approving every update pushed onto a server, and installing a security system that would only allow these changes to be made; however, this in and of itself presents its own problems. This solution might not be feasible for large-scale systems, and one might also imagine another slew of security holes in the new update monitoring system. At a more fundamental level, this solution really only moves the burden of trust up the chain of command, and thus the same insider vulnerabilities arise, albeit for a smaller and more trusted set of individuals. The best security from these forms of attacks may be deterrence, by enacting strict punishments and hard jail-time for perpetrators of these attacks. The threat of arson charges deters disgruntled employees from burning down office buildings; perhaps similarly draconian laws regarding computer intrusion would better deter attacks such as these.

Article:  http://www.dcexaminer.com/local/012909-Ex-Fannie_Mae_worker_charged_with_planting_computer_virus.html

Posted in Current Events | 1 Comment

Windows Mobile Bluetooth Security Vulnerability

A recently discovered vulnerability in the Windows Mobile Bluetooth server allows access to all files. This vulnerability is a simple directory traversal problem: simply using “../” or “..\\” allows for traversal outside of the directory. Users of Windows Mobile 6 and the Bluetooth OBEX-FTP server are vulnerable. Most Windows Mobile 6 devices come with the default stack.

Windows Mobile 6 is the current generation of Windows Mobile produced by Microsoft.

This is a fairly serious vulnerability since attackers could copy or upload arbitrary files to any directory on the device. Possible avenues could include viruses, loggers, and trojans. However, the issue is mitigated by the fact that (as with most Bluetooth devices) the device must be paired before any communications can transpire. This usually requires the consent of the owner.

Since parent directory traversal issues are well known and checks for them are implemented in almost any server (e.g. web servers), it is surprising that such a vulnerability was able to pass through testing. Although it is required that the owner give consent to any pairing, it is unlikely that the owner would like to give arbitrary access to all files on his device. A security review should have found this issue, since file servers and directory traversal tend to go hand in hand.

Hopefully, this vulnerability will be addressed soon and give enough of a kick to Microsoft to look into any other vulnerabilities that the Mobile 6 platform may have. This is not the only security issue to have been found on the Bluetooth stack. A denial of service vulnerability was found in the way Bluetooth device names were advertised, allowing attackers to reboot the device remotely.

(Source..)

Posted in Miscellaneous | 2 Comments
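
The containment check that the Windows Mobile OBEX-FTP post above says a file server should have, sketched as an added example; it is not code from the post or from Microsoft's Bluetooth stack. The share root, function names and sample file names are assumptions made for illustration.

```python
import ntpath
import re

# Assumed share root for illustration; the post does not give the real path.
SHARE_ROOT = r"\My Documents\Bluetooth Share"


class TraversalError(ValueError):
    """Raised when a client-supplied name would leave the share root."""


def naive_resolve(root, name):
    """Vulnerable pattern: join and normalise, with no containment check."""
    return ntpath.normpath(ntpath.join(root, name))


def safe_resolve(root, name):
    """Resolve name under root, treating both '/' and '\\' as separators."""
    if "\x00" in name or ":" in name:
        raise TraversalError("NUL byte or drive/stream specifier in name")
    kept = []
    for comp in re.split(r"[\\/]+", name):
        if comp in ("", "."):
            continue                      # empty or current-dir: no effect
        if comp == "..":
            if not kept:                  # would step above the share root
                raise TraversalError(f"{name!r} climbs above the share root")
            kept.pop()                    # '..' that stays inside is allowed
        elif comp.endswith((" ", ".")):
            # Trailing dots/spaces are ambiguous on Windows file systems
            # (".. " may be treated as ".."), so refuse them outright.
            raise TraversalError(f"ambiguous component {comp!r}")
        else:
            kept.append(comp)
    return "\\".join([root] + kept)


def classify(names, root=SHARE_ROOT):
    """Return {name: 'allow' | 'reject'} for a batch of requested names."""
    verdicts = {}
    for name in names:
        try:
            safe_resolve(root, name)
            verdicts[name] = "allow"
        except TraversalError:
            verdicts[name] = "reject"
    return verdicts


# Constructed sample requests (not taken from any real capture).
SAMPLE_NAMES = [
    "photos\\cat.jpg",
    "photos/../notes.txt",
    "..\\..\\Windows\\secret.txt",
    "../../Windows/secret.txt",
    "a/..\\../b",
    ".. \\Windows",
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_NAMES).items():
        print(f"{verdict:6}  {name!r}")
```
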