In an effort to make the public aware of the threat of botnets, the BBC came very close to violating the UK’s Computer Misuse Act. The BBC technology programme Click acquired a botnet of about 22,000 computers and used them to send spam to BBC-owned e-mail accounts. They also mounted a DDoS attack on a site owned by security company PrevX (with their permission, of course). Click acquired the botnet after “visiting chatrooms on the internet.” Before giving up control of the zombie machines, Click advised owners of vulnerable machines on how to make their systems more secure.
Security Review – BitTorrent
Summary
BitTorrent is a peer-to-peer communications protocol that has risen in popularity very rapidly. It is a file-distribution protocol that facilitates transferring large files between peers. In order to download a certain set of files, a user typically finds a .torrent file, which connects them to a tracker. The tracker provides a list of peers that the client can connect to. BitTorrent’s wild success is due largely to the low cost to the initial content distributors and its redundancy. Peers with complete copies of the files listed in the torrent are known as seeds. As other peers download from seeds, they acquire parts of the torrent which they in turn upload themselves. This usually results in an increasing number of seeds and makes it far easier for other peers to successfully connect and begin downloading.
Given the incredibly low cost for any person to begin distributing content and the low cost of entry for other peers to join in, BitTorrent has become a dominant method of transferring files between computers. While there are many legitimate uses, BitTorrent has become a very popular and easy way to acquire copyrighted materials. Before BitTorrent, the methods of acquiring copyrighted materials were more obscure and less mainstream.
Assets and Goals
- Content distribution network: BitTorrent provides a content distribution model that is very valuable to its users. It provides a convenient way to transfer files for commercial and personal purposes. Companies use BitTorrent for content delivery to customers; examples include 20th Century Fox, Comedy Central, and Blizzard Entertainment, whose updater for World of Warcraft is built on it.
- Accurate file transfers: BitTorrent wants to ensure that files received are authentic, accurate, and have not been forged.
- Privacy: Users may not want others observing the files that they are sharing, or even the fact that they are sharing files.
- Optimal network usage: BitTorrent wants to maximize the effectiveness of client connections and maximize peer upload rates. By doing so, it allows other peers to download more quickly and begin uploading themselves.
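As an added example (not code from the original review or from any BitTorrent client), this is the mechanism behind the “accurate file transfers” goal: every piece a peer hands over is checked against the SHA-1 listed in the .torrent, and the tracker and handshake identify the torrent by the SHA-1 of the bencoded info dict. The bencode encoder, piece size and payload are constructed for the example.

```python
import hashlib

PIECE_LEN = 16  # constructed: tiny piece size so the sample payload spans several pieces

def bencode(obj) -> bytes:
    """Minimal bencode encoder: ints, str/bytes strings, lists, dicts (keys sorted as bytes)."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        keys = sorted(obj, key=lambda k: k.encode() if isinstance(k, str) else k)
        return b"d" + b"".join(bencode(k) + bencode(obj[k]) for k in keys) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")

def split_pieces(data: bytes, piece_len: int = PIECE_LEN) -> list:
    return [data[i:i + piece_len] for i in range(0, len(data), piece_len)]

def make_info(name: str, data: bytes, piece_len: int = PIECE_LEN) -> dict:
    """The 'info' dict of a single-file .torrent; 'pieces' concatenates each piece's SHA-1."""
    digests = b"".join(hashlib.sha1(p).digest() for p in split_pieces(data, piece_len))
    return {"name": name, "piece length": piece_len, "length": len(data), "pieces": digests}

def info_hash(info: dict) -> bytes:
    """SHA-1 of the bencoded info dict: what the tracker and peer handshake identify a torrent by."""
    return hashlib.sha1(bencode(info)).digest()

def verify_piece(info: dict, index: int, piece: bytes) -> bool:
    """A client keeps a piece from a peer only if its SHA-1 matches the hash in the .torrent."""
    hashes = info["pieces"]
    if index < 0 or 20 * index >= len(hashes):
        return False  # peer sent a piece index the torrent does not have
    return hashlib.sha1(piece).digest() == hashes[20 * index:20 * index + 20]

def bad_pieces(info: dict, received: list) -> list:
    """Indices of received pieces that fail verification and must be re-requested elsewhere."""
    return [i for i, p in enumerate(received) if not verify_piece(info, i, p)]

if __name__ == "__main__":
    payload = b"constructed sample payload, not a real torrent!"  # 47 bytes -> 3 pieces
    info = make_info("sample.txt", payload)
    received = split_pieces(payload)
    received[1] = received[1][:-1] + b"?"  # a peer tampers with one byte of piece 1
    print(info_hash(info).hex(), bad_pieces(info, received))  # bad_pieces reports [1]
```

A forged piece is rejected without trusting the peer at all; the client simply requests that index again from someone else.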
Second most dangerous virus?
Romanian firm SOFTWIN has released an update to their BitDefender security suite claiming to have created a vaccination for Conficker.
So what is Conficker?
Fast Stats:
Release Date: October 2008
Target Platform: Windows >= Windows 2000 (including Windows 7 Beta)
Exploited Program: Windows Server
Exploit Type: Buffer overflow
Worm Spread: 15,000,000+ PCs
Actions: Disable Windows Update, Security Center, Error Reporting, and Defender. Connects to a server to receive further instructions.
More Detail:
Part of what makes this worm particularly insidious is that it connects to a location online to get further instructions. This means it can actively change to address new goals and problems, as well as communicate with its peers. Microsoft even went so far as to create a specific group to combat this worm, as well as offering a $250,000 reward for the capture of the author.
The title of this post comes from the fact that it is ranked second to the SQL Slammer worm of 2003. It has spread to government machines in the UK and Germany (and quite possibly other nations as well). With so much of the world relying upon computerization these days, viruses sure can be a scary thing!
Source: http://www.computerworld.com.au/article/279991/romanians_find_cure_conficker
Additional Source: Wikipedia
Security Review: Electronic Voting
Summary
The rise of electronic voting machines in recent years has led to some heated debates as to how secure these machines actually are. Voting is a fundamental right of a democratic society, so ensuring that each citizen’s vote is properly counted and the integrity of the election is upheld is of the utmost importance. In an era where everything is becoming digitized, voting is just the next step. Electronic voting machines offer some benefits, but they are also susceptible to error and fraud.
Security Review – Mobile Banking in the Developing World
One of the interesting topics brought up by Microsoft Research India during their Change talk last week was that of mobile banking in the developing world. Managing and distributing money can be a tricky proposition in the developing world – often, people end up entrusting their money to drivers to transfer around the city or country.
Mobile banking through cell phones has proven to be an extremely cost-effective way to avoid these kinds of headaches. Through both downloadable software and text message interfaces, it is possible to efficiently transfer and manage money without the existence of local branches to handle the transaction, with minimal fees and far less obvious physical risk. However, this method has resulted in its own set of idiosyncrasies that would not likely exist with similar systems elsewhere.
Afraid of doing something wrong, many people in these developing areas are reluctant to actually carry out their own banking. Thus, a whole class of middlemen has arisen specifically for mobile banking. People bring their mobile phones into these middlemen’s stores and tell the store owners what they want done, and the middlemen then do it for them. This interesting use case leads to quite a few security implications.
Assets and Security Goals
- Customers’ money is of course important. The reasons should be fairly obvious – we of course want to protect it from being stolen.
- Customers’ financial records are also important – financial histories are private, with some exceptions, and they should stay that way. Knowing how much money someone has may put them at risk for a real-life robbery, for instance, or knowing their stock portfolio could cause other problems.
Adversaries and Threats
- Malicious third parties who would like to steal the customers’ money, perhaps by listening to the airwaves, or physically stealing the phone. A lot can be done with just a few seconds with a phone given a text messaging interface.
- The middlemen have an extraordinary amount of power given what they have been entrusted with by the end users. And, since their clients won’t have it any other way, banks have been forced to actually work with these middlemen, including them in the system. A store owner could easily pull off an “Office Space” type scheme, stealing minuscule amounts of money from each customer.
Potential Weaknesses
- Snooping on people’s wireless connections is difficult since the network provides some level of intrinsic security. We’re not experts on this subject, so it’s difficult for us to assess how feasible this approach is in reality.
- Replay attacks are possible, especially if any actions are carried out via text message and a malicious user manages to take over the phone physically or duplicate/forge the SIM card.
- Physical access is a pressing problem given the prevalence of these middlemen in transactions. Somehow, even with physical access by users other than the clients, there needs to be security and accountability.
Potential Defenses
- For snooping, simply use any of the well-established encryption protocols we discussed this quarter.
- Replay attacks can be guarded against by confirming each action with a code that can only be used once.
- The physical access problem is the most difficult problem to address, and the most interesting. Since third parties are allowed access to the system by the clients, it is difficult to enforce anything in the system if the third party is malicious. One way to defend against third-party mischief would be to not carry any actions out immediately, but instead to queue them and then confirm them via text message with the client an indeterminate amount of time in the future, on the order of several hours. This way, hopefully clients will be forced to examine and acknowledge all actions away from the influence of the store owners. Malicious middlemen could counter this by requesting to keep the phone until the transaction is complete, but hopefully clients would grow suspicious of this request before long.
Mobile banking is something that hasn’t quite caught on here like it has in other places of the world. Not only is it useful for banking when branches aren’t nearby, the service has in some places, like Japan, evolved to include payments via cell phone rather than credit card, and other technology-enabled services which have security implications. Ultimately, a lot of these problems are already being worked on in the context of their low-tech equivalents (e.g. transmitting credit card information), but as we can see with the rural banking case study, there can be a lot of unexpected usages which result in unexpected potential problems.
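As an added example (not from the original review), here is a constructed model of the two defences above: a transfer entered at a middleman’s shop is only queued, the bank texts the client a one-time code after a randomised delay of several hours, and the transfer commits only if that exact code comes back, once, before it expires. The delay, lifetime and guess limit are assumed values.

```python
import hmac
import secrets

class PendingTransfers:
    """Constructed model of the deferred-confirmation defence: a transfer entered at a
    middleman's shop is queued, the bank later texts the client a one-time code, and the
    transfer commits only when that exact code comes back once for that transfer."""

    def __init__(self, min_delay_s=4 * 3600, jitter_s=4 * 3600, ttl_s=12 * 3600, max_tries=3):
        self.min_delay_s, self.jitter_s = min_delay_s, jitter_s
        self.ttl_s, self.max_tries = ttl_s, max_tries
        self.pending = {}  # txid -> queued transfer awaiting confirmation
        self.done = {}     # txid -> final status; a second confirmation is refused as a replay

    def queue(self, account, amount, now):
        """Record the request; the confirmation SMS is sent only after a randomised delay."""
        txid = secrets.token_hex(4)
        code = f"{secrets.randbelow(10**6):06d}"
        confirm_after = now + self.min_delay_s + secrets.randbelow(self.jitter_s + 1)
        self.pending[txid] = dict(account=account, amount=amount, code=code, tries=0,
                                  confirm_after=confirm_after, expires=confirm_after + self.ttl_s)
        return txid

    def confirm(self, txid, code, now):
        """Return 'committed' or the reason the confirmation was refused."""
        if txid in self.done:
            return "replayed"           # a captured SMS or repeated submission buys nothing
        tx = self.pending.get(txid)
        if tx is None:
            return "unknown"
        if now < tx["confirm_after"]:
            return "too early"          # the code has not been sent yet, so nobody can know it
        if now > tx["expires"]:
            return self._finish(txid, "expired")  # unconfirmed transfers are dropped, not applied
        if not hmac.compare_digest(code, tx["code"]):
            tx["tries"] += 1
            if tx["tries"] >= self.max_tries:
                return self._finish(txid, "locked")  # guessing a 6-digit code is cut off early
            return "bad code"
        return self._finish(txid, "committed")

    def _finish(self, txid, status):
        self.done[txid] = status
        del self.pending[txid]
        return status
```

A middleman who keeps the phone still has to wait out the delay, which is the window in which the client is expected to notice the missing handset.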
These unexpected issues are likely where we will see the most interesting security issues in the future.
Clint Tseng and Erik Turnquist
Security Review: CV2 codes
A CV2 code is a three-digit number that is known to the issuing bank and printed on a credit card to verify physical possession of the card. Online merchants often require customers to enter the CV2 code along with the rest of their credit card information when making a purchase.
Online merchants can verify that an entered CV2 code is correct for a particular credit card, but they will not be given the code if they don’t have it.
Assets
- Money: Issuing banks want to avoid making payments to fraudulent merchants because they will typically not be able to recover those funds from the cardholder. This is because a rise in credit card fraud has led issuers to offer contracts in which the cardholder is not liable for unauthorized charges.
- Merchandise: Merchants want to avoid shipping merchandise to customers committing fraud because they will most likely not be paid for it. Just as issuing banks have granted their cardholders a release from unauthorized charges, they have also used their negotiating power to obtain favorable terms from merchants, who must in most cases assume responsibility for fraudulent charges.
Threats
- Fraudulent buyers: People who are trying to use a victim’s credit card to buy things for their own use or sale.
- Credit card brokers: People who trade in stolen credit card numbers.
Weaknesses
- Brevity: A CV2 code is only three digits. That makes it very easy to record or simply memorize any time a person sees the card. That reduces the security from verifying possession to verifying having seen the card. It also potentially exposes the code to a distributed brute-force attack. While an issuing bank would surely notice several queries on the same account, if they were spread out over time and came from different merchant accounts, they might not be detected.
- Permanence: A CV2 code does not change as long as the card is in use. That means that once a customer provides a CV2 code to an online merchant or hands the card to a merchant in person, that merchant knows that customer’s CV2 code.
Defenses
- One-time codes: Just like issuers offer one-time card numbers, one-time CV2 codes could be used to defend against exploits of the permanence weakness.
- Merchant-specific codes: A CV2 code could be a function of the credit card account and the merchant account. That would prevent a malicious merchant from obtaining its customers’ codes and using them with other merchants.
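As an added example (not from the original review, and not how any real issuer derives CVV2), this sketches the merchant-specific code defence and an issuer-side check that closes the “spread out over time and across merchants” gap: the code is a keyed function of the card number and merchant account, and failed checks are counted per card over a long window regardless of which merchant submitted them. The key, window and failure limit are assumed values.

```python
import hashlib
import hmac
from collections import defaultdict, deque

def derive_cv2(issuer_key: bytes, pan: str, merchant_id: str) -> str:
    """Merchant-specific code: a 3-digit truncation of an HMAC over the card number and the
    merchant account, so a code learned at one merchant is useless at another (constructed scheme)."""
    mac = hmac.new(issuer_key, f"{pan}|{merchant_id}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

class IssuerVerifier:
    """Issuer-side check that also watches for slow guessing spread across many merchants."""

    def __init__(self, issuer_key: bytes, max_failures=5, window_s=30 * 24 * 3600):
        self.key, self.max_failures, self.window_s = issuer_key, max_failures, window_s
        self.failures = defaultdict(deque)  # pan -> timestamps of failed checks, any merchant
        self.blocked = set()                # cards needing a new code / cardholder contact

    def verify(self, pan: str, merchant_id: str, code: str, now: float) -> str:
        if pan in self.blocked:
            return "blocked"
        recent = self.failures[pan]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()  # only failures inside the window count
        if hmac.compare_digest(code, derive_cv2(self.key, pan, merchant_id)):
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.blocked.add(pan)  # five misses from five merchants over weeks still add up
            return "blocked"
        return "mismatch"
```

With only 1,000 possible codes, the per-card failure count is what turns a three-digit secret into something an attacker cannot grind through one merchant at a time.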
Evaluation of risks: CV2 codes do not offer additional security beyond what the card already has. They are printed on the card, and they are often transferred along with the card number and expiration date, so in effect, all they do is make the card number three digits longer.
Conclusion: While CV2 codes don’t do much to help, they don’t hurt either, so a user shouldn’t rely on them, but shouldn’t worry about them either.
DDoS attack on Time Warner Cable’s DNS Servers
At the end of February, a distributed denial of service attack on Time Warner Cable’s DNS servers severely impacted subscribers’ connections for over a week. The problems were supposedly localized to Southern California, according to TWC. Although DDoS attacks are commonly conducted on major ISPs, this attack had more impact and was harder to control. Recently a new DNS DDoS technique, DNS amplification, was discovered which can produce much more powerful DoS attacks.
“This new tactic uses a very short query, asking simply the name servers for the ‘.’ domain [a single dot],” said Don Jackson, director of threat intelligence at network security provider SecureWorks. “This domain is the root server domain, so the answer is large [or long]. A list of all the root domain name servers is sent back in response.” If the source IP is spoofed to a target’s address, the target receives all the responses from the DNS servers and is likely to be brought down.
According to an Arbor Networks study, DDoS attacks doubled in bandwidth from 2007 to 2008. Given the new DNS Amplification DDoS attack and the rate of DDoS growth, soon even major ISPs may be vulnerable to attack.
As a way to mitigate DNS server problems, users can switch to OpenDNS instead of relying on the local ISP’s DNS servers.
Articles:
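As an added example (not from the original post), the resolver-side view of the amplification described above: a constructed resolver log shows the size ratio between a 17-byte query for the root’s NS records and its answer, and a simple response rate limiter, in the spirit of DNS RRL, stops repeating the large answer to a client that has already received it several times in a second. The log, limits and window are constructed values.

```python
from collections import Counter, defaultdict, deque

# Constructed resolver log, not real traffic: (time_s, client_ip, qname, qtype, query_bytes, response_bytes).
# A query for the root's NS records is 17 bytes of DNS payload; the answer listing every root server is far larger.
SAMPLE_LOG = [
    (0.00, "198.51.100.7", ".", "NS", 17, 512),
    (0.05, "198.51.100.7", ".", "NS", 17, 512),
    (0.10, "198.51.100.7", ".", "NS", 17, 512),
    (0.15, "198.51.100.7", ".", "NS", 17, 512),
    (0.20, "198.51.100.7", ".", "NS", 17, 512),
    (0.30, "203.0.113.5", "example.com.", "A", 29, 45),
    (0.40, "203.0.113.5", "example.com.", "A", 29, 45),
    (2.00, "198.51.100.7", ".", "NS", 17, 512),
]

def amplification_factor(query_bytes, response_bytes):
    """How many bytes a spoofed victim receives per byte the sender transmits."""
    return response_bytes / query_bytes

class ResponseRateLimiter:
    """Resolver-side mitigation in the spirit of DNS response rate limiting: a client that has
    already received `limit` identical answers within `window_s` gets a 'slip' (a tiny truncated
    reply) instead, so a spoofed victim no longer receives the large response."""

    def __init__(self, limit=3, window_s=1.0):
        self.limit, self.window_s = limit, window_s
        self.history = defaultdict(deque)  # (client, qname, qtype) -> recent answer times

    def decide(self, now, client, qname, qtype):
        recent = self.history[(client, qname, qtype)]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.limit:
            return "slip"   # real clients retry over TCP; spoofed traffic gets nothing useful
        recent.append(now)
        return "answer"

def replay(log, rrl):
    """Run the limiter over a log; returns decision counts and the response bytes withheld."""
    counts, withheld = Counter(), 0
    for now, client, qname, qtype, qbytes, rbytes in log:
        decision = rrl.decide(now, client, qname, qtype)
        counts[decision] += 1
        if decision == "slip":
            withheld += rbytes
    return counts, withheld

if __name__ == "__main__":
    print(amplification_factor(17, 512), replay(SAMPLE_LOG, ResponseRateLimiter()))
```

The limiter keys on the apparent client address, which in an amplification attack is the victim, so it is the victim that stops receiving the large answers.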
http://www.scmagazineus.com/NewstyleofDNSamplificationcanyieldpowerfulDDoSattacks/article/126839/
http://arstechnica.com/security/news/2009/02/time-warner-cable-blames-ddos-attack-for-spotty-service.ars
http://news.cnet.com/8301-1009_3-10093699-83.html?part=rss
Security Review: Virtual Reality Helmet
As technology advances to the point of interacting with and in some cases replacing our bodies’ biological functions, security on these technologies must also advance to ensure the safety of users. The virtual reality helmet being designed by researchers at York and Warwick Universities (found here and here) aims to bring these capabilities into a helmet unit for recreational and training purposes. It will mimic sight, sound, smell, taste, and touch on the face, as well as temperature and humidity, to create the feeling that one is in a faraway locale. That said, the researchers will obviously need to make sure all of these channels are secure to ensure safety when using the helmet.
Security Review: In-Eye Video Camera
Rob Spence, a Canadian filmmaker, is currently developing a prototype to equip his prosthetic eye with a built-in wireless video camera. The digital system, while not able to transmit information to his brain, will be able to route the signal through a series of increasingly large transmitters to a remote machine, which could potentially stream that data live on the internet. As Spence explains, “If you lose your eye and have a hole in your head, then why not stick a camera in there?”
Spence hopes to be able to integrate this recorder seamlessly into his existing prosthetic eye, such that a casual observer would not be able to notice its presence (for a stunning picture of how realistic his current eye looks, and how small his current camera is, see the article linked at the bottom of this post). He plans to have an on/off switch, so the recording feature can be stopped for private events, theater screenings, or bathroom trips. Spence and his team are currently working to shrink all of the necessary components such that they are small enough and lightweight enough to fit within the space of an eye-socket, without weighing enough to cause disfigurement.
Facebook’s lax security
Facebook’s policy on applications has some people concerned and wondering whether application writing should be more restricted.
The latest attacks have involved privacy leaks and the installation of malware. Over the last week, five separate security issues have come up. One virus is a variation of “Koobface” which claims that the user must download a plugin to view a video.
Applications on Facebook are not vetted; anybody is allowed to write an app and offer it to other people. Viral apps often hide functionality behind innocent-looking buttons to spread themselves further or give away private information. Despite Facebook’s efforts to disable such applications, the current policy allows them to pop up elsewhere.
Some people have clamored for the application hosting policy to be reviewed. Facebook believes it’s too early for these conclusions, and that changing the policy would be too drastic a move.
(Source: nzherald)
(Source: cnet)