A graduate seminar: current topics in computer security
 

Archive for the ‘Articles’ Category


“Red October” Crypto App

December 6th, 2013 by Tanmay

Many attempts are made to secure a system from external attacks, but insider attacks are more harmful. Edward Snowden is the best example of that. ‘According to a recent Verizon report, insider threats account for around 14% of data breaches in 2013.’

To guard against insider attacks by rogue employees, CloudFlare has released open source encryption software with a “two-man-rule-style” encryption and decryption method, called “Red October”.

As the name suggests, it requires authorization from two people simultaneously to get access to sensitive data. The basic idea is explained in this diagram.
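A two-man rule is easy to state but worth seeing in working code. The block below is an added example, not Red October's own implementation: it splits a data-encryption key with 2-of-n Shamir secret sharing so that any two custodians can recover it while one alone learns nothing (the field prime, share count and sample key are constructed for the example).

```python
import secrets

# Field prime for the share arithmetic (the secp256k1 base-field prime, 256 bits);
# any non-zero 32-byte key below it is a valid secret. Constructed example,
# not Red October's own scheme.
PRIME = 2**256 - 2**32 - 977
THRESHOLD = 2  # the two-man rule: any two custodians together recover the key


def split_key(key: bytes, custodians: int, k: int = THRESHOLD) -> dict:
    """Split a 32-byte key into `custodians` shares; any `k` of them reconstruct it."""
    secret = int.from_bytes(key, "big")
    if not 0 < secret < PRIME:
        raise ValueError("key must be a non-zero integer below PRIME")
    if not 1 < k <= custodians:
        raise ValueError("need 1 < k <= custodians")
    # Random polynomial f(x) = secret + a1*x + ... + a_{k-1}*x^(k-1) over GF(PRIME).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = {}
    for x in range(1, custodians + 1):  # x = 0 would hand out the secret itself
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares[x] = y
    return shares


def recover_key(shares: dict, k: int = THRESHOLD) -> bytes:
    """Lagrange-interpolate f(0) from any k distinct shares (fewer raises)."""
    if len(shares) < k:
        raise ValueError(f"two-man rule: need {k} shares, got {len(shares)}")
    points = list(shares.items())[:k]
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(32, "big")


if __name__ == "__main__":
    # Constructed sample key, chosen below PRIME so it is always a valid secret.
    data_key = (secrets.randbelow(PRIME - 1) + 1).to_bytes(32, "big")
    shares = split_key(data_key, custodians=4)
    # Any two custodians (here 1 and 3) together unlock the key.
    assert recover_key({1: shares[1], 3: shares[3]}) == data_key
    print("2-of-4 recovery OK; a single share alone is useless")
```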

 

To download the project visit: https://github.com/cloudflare/redoctober

To read more visit: http://thehackernews.com/2013/12/red-october-crypto-app-encryption-decryption.html

NSA spied 125 billion calls in just one month

October 24th, 2013 by dws5

According to a number of news reports, the NSA has been collecting 125 billion calls in just one month.

As you can see from the heat map, most of the calls originated from the Middle East. The numbers of calls that the NSA collected are:

Pakistan: 12.76 Billion
Afghanistan: 21.98 Billion
India: 6.28 billion
Iraq: 7.8 billion
Saudi Arabia: 7.8 billion
United States: 3 Billion
Egypt: 1.9 Billion
Iran: 1.73 Billion
Jordan: 1.6 Billion
Germany: 361 Million
France: 70.2 Million
Spain: 61 Million
Italy: 46 Million
Netherlands: 1.8 Million
The rest of the world: Lots and Lots

Total: 124.8 billion.

They were able to capture so much data because a phone call, email or chat takes the cheapest path, not the physically most direct path. Much of the world’s communication flows through the US.

One intriguing thing I noticed is how they were able to have enough computing power to process such immense data, considering that the budget is only $20M per year. (Were they using EC2 for free?)

References

[1] http://cryptome.org/2013/10/nsa-125b-calls.htm

[2] http://cryptome.org/2013/10/nsa-prism-13-1021.pdf

TOR Stinks…

October 18th, 2013 by Tanmay

On October 4, 2013, Edward Snowden leaked a new classified NSA document, “TOR Stinks”.

What is TOR?

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. TOR can be used in research projects (as we are using it to measure censorship across various countries), or it can be used by attackers or terrorists to hide their identity.

The NSA wants to identify the users of TOR, monitor their traffic, etc. As TOR nodes are spread across the whole world, it is really hard for them to trace everyone. But they used three main ideas to pursue their goal.

  1. Tracking cookies of users
  2. Vulnerabilities from Firefox browser
  3. Running own hostile (spying) TOR nodes

Even though the above ideas sound nice, they cannot solve the problem, as they work on only a very small fraction of TOR users. They have their own spying nodes, but those are very few and hence the success rate is limited.

The above limitations led them to think in another direction: an “Exploitation Strategy”. The strategy mainly makes the use of TOR worse, so that eventually users refrain from using TOR. One of the strategies is adding TOR nodes that respond very slowly. Users will be annoyed by the experience and will stop using TOR. Although this is an evil idea, I think it can prove effective for them in minimizing the number of TOR users.

 

References:

https://www.torproject.org/

http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

http://thehackernews.com/2013/10/nsa-using-browser-cookies-to-track-tor.html

Using WordPress? Be Careful…

September 26th, 2013 by Tanmay

It was in the news that, in the course of a massive cyber-attack coordinated through a huge botnet against millions of websites based on the popular CMS WordPress, around 100,000 servers were successfully compromised, fueling the malicious architecture used for the attack. Thousands of WordPress based websites have been hacked to compose a global scale botnet that is performing powerful DDoS attacks.

The news was reported by CloudFlare and HostGator, who in April alerted the WordPress community to the ongoing massive attack launched against WordPress blogs all over the Internet. The alert concerned a massive brute-force, dictionary-based attack conducted to expose the password of the ‘admin’ account of every WordPress site.

In August 2013, researchers at Arbor Networks discovered a botnet dubbed Fort Disco that was used to compromise more than 6,000 websites based on popular CMSs such as WordPress, Joomla and DataLife Engine.

Case Study:

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, a leading firm in identity management; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber-security expert with over 20 years’ experience in the field and a Certified Ethical Hacker (EC-Council, London). His colleagues at TheHackerNews received a DDoS attack log report from ‘Steven Veldkamp’ showing that the victim’s website was recently under heavy DDoS attack originating from numerous compromised WordPress based websites. It is highly probable that the ongoing attack is linked to the events of April that allowed attackers to take control of a high number of vulnerable WordPress hosts.

The attack logs, spanning 23/Sep/2013:13:03:13 +0200 to 23/Sep/2013:13:02:47 +0200, revealed that in just 26 seconds the attacker was able to perform a powerful DDoS attack from 569 unique compromised WordPress sites.

The list of sources used by attackers includes blogs of Mercury Science and Policy at MIT, Stevens Institute of Technology and The Pennsylvania State University.

According to statistics from WP WhiteSecurity, of the 40,000+ WordPress websites in the Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.

The statistics are as follows.

After analysis of the Alexa top 1 million sites, 42,106 WordPress websites were found among them. More than 50% of these are using old versions of WordPress that are vulnerable to attacks. Less than 5% of the websites upgraded to version 3.6.1 between the 12th and the 15th of September.

I think, if you are using any third party infrastructure, it is always your responsibility to keep it updated and secure. Otherwise it will create problems not only for you but for the whole internet. As many simple hacking tools are freely available over the internet, and many YouTube videos and websites teach simple attacks, we should at least make sure to keep our websites strong against such attacks. Owners of WordPress sites should first update to version 3.6.1 and keep checking for newer versions.
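The April brute-force campaign and the September flood leave different footprints in a web server's access log. The following is an added example, not from the report or any tool it mentions: it parses combined-format log lines (the same timestamp form the report quotes) and flags both a single source hammering wp-login.php and a burst of many distinct sources in a short window; the log lines and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined-log line; the timestamp has the 23/Sep/2013:13:02:47 +0200 form.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def detect(lines, login_limit=5, login_window=60, flood_sources=25, flood_window=30):
    """Return (brute_force_ips, flood_detected).

    brute_force_ips: sources with more than login_limit POSTs to wp-login.php
                     inside any login_window seconds (the April dictionary attack)
    flood_detected:  True once flood_sources or more distinct IPs hit the site inside
                     flood_window seconds (the distributed flood from hijacked blogs)
    """
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    brute, per_ip = set(), defaultdict(deque)   # per-IP sliding window of login POSTs
    recent, seen, flood = deque(), defaultdict(int), False  # site-wide window of (ts, ip)
    for e in events:
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            q = per_ip[e["ip"]]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > login_window:
                q.popleft()
            if len(q) > login_limit:
                brute.add(e["ip"])
        recent.append((e["ts"], e["ip"]))
        seen[e["ip"]] += 1
        while (e["ts"] - recent[0][0]).total_seconds() > flood_window:
            _, old_ip = recent.popleft()
            seen[old_ip] -= 1
            if seen[old_ip] == 0:
                del seen[old_ip]
        if len(seen) >= flood_sources:
            flood = True
    return brute, flood


def sample_lines():
    """Constructed sample log (not the report's actual logs): one source making six
    login POSTs in six seconds, then thirty distinct sources within thirteen seconds."""
    fmt = '{ip} - - [23/Sep/2013:13:02:{sec:02d} +0200] "{m} {p} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="198.51.100.7", sec=s, m="POST", p="/wp-login.php") for s in range(47, 53)]
    lines += [fmt.format(ip=f"203.0.113.{i}", sec=47 + i % 13, m="GET", p="/") for i in range(1, 31)]
    return lines


if __name__ == "__main__":
    print(detect(sample_lines()))  # ({'198.51.100.7'}, True)
```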

Reference: http://securityaffairs.co/wordpress/18081/cyber-crime/wordpress-websites-ddos.html

Trends in Cyber Attacks and Sophistication of Attackers

September 22nd, 2013 by Tanmay

The European Network and Information Security Agency (ENISA) is an agency of the European Union. Its objective is to improve network and information security in the European Union.

ENISA published a new report titled ENISA Threat Landscape Mid-year 2013 that provides an interesting update to the list of top cyber threats.

The ENISA Threat Landscape Mid-year 2013 analyses 50 reports and identifies the trends for the main threats to:

• Infrastructure
• Mobile devices
• Social media
• Cloud services

The document highlights that cybercrime is increasingly using sophisticated techniques for its attacks; the hackers are improving methods to stay untraceable and to make their malicious infrastructure more resistant to takedown operations by law enforcement.

I would strongly suggest watching this TED talk by James Lyne: http://www.youtube.com/watch?v=fSErHToV8IU

He describes many of the attacks and the frameworks and infrastructure attackers use to increase the efficiency of their attacks.

Drive-by download means two things, each concerning the unintended download of computer software from the Internet:

1. Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).

2. Any download that happens without a person’s knowledge, often a computer virus, spyware, malware, or crimeware.

Drive-by downloads may happen when visiting a website, viewing an e-mail message or clicking on a deceptive pop-up window: by clicking on the window in the mistaken belief that, for instance, an error report from the computer’s operating system itself is being acknowledged, or that an innocuous advertisement pop-up is being dismissed. In such cases, the “supplier” may claim that the user “consented” to the download, although actually the user was unaware of having started an unwanted or malicious software download. Hackers use different techniques to obfuscate the malicious code so that antivirus software is unable to recognize it. The code is executed in hidden iframes and can go undetected.

A drive-by install (or installation) is a similar event. It refers to installation rather than download (though sometimes the two terms are used interchangeably).

We observe that drive-by exploits (browser-based attacks) still remain the most reported threat, and Java remains the most exploited software for this kind of threat.
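Because the malicious code is typically loaded through an iframe the visitor never sees, one defensive check is to scan a page's HTML for iframes that are sized to nothing, hidden by CSS or positioned off-screen. The block below is an added example (not from the ENISA report or the cited article) using only Python's standard-library HTML parser; the sample page and its loader.invalid URLs are constructed.

```python
from html.parser import HTMLParser

HIDING_STYLES = ("display:none", "visibility:hidden")


def style_reasons(style: str) -> list:
    """Reasons a style attribute makes an element invisible (simple substring checks)."""
    s = style.replace(" ", "").lower()
    reasons = [k for k in HIDING_STYLES if k in s]
    for prop in ("left", "top"):
        if f"{prop}:-" in s:  # e.g. left:-9999px pushes the frame off-screen
            reasons.append(f"{prop} offscreen")
    return reasons


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reasons) for every iframe that a visitor could not see."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # html.parser lower-cases attribute names
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().rstrip("px")
            if val.isdigit() and int(val) <= 1:  # 0x0 or 1x1 frames render nothing
                reasons.append(f"{dim}={val}")
        reasons += style_reasons(a.get("style", ""))
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html: str) -> list:
    """Scan a page and return [(src, [reason, ...]), ...] for hidden iframes."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate embed and two frames a visitor would never see.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our site</p>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://loader.invalid/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://loader.invalid/y.php" style="position:absolute; left:-9999px; top:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_PAGE):
        print(src, why)
```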

 

Some concluding remarks:

1. Cyber-criminals constantly adapt to advanced techniques. They use methods that make them untraceable and difficult to take down.

2. As the use of mobile devices and social media is increasing, those are and will be the platforms most targeted by attackers.

 

References:

1. http://securityaffairs.co/wordpress/

2. http://en.wikipedia.org/wiki/European_Network_and_Information_Security_Agency

3. http://en.wikipedia.org/wiki/Drive-by_download

4. http://www.youtube.com/watch?v=fSErHToV8IU

5. http://securityaffairs.co/wordpress/wp-content/uploads/2013/09/ENISA-Threat-Landscape-Mid-year-2013.jpg

 

Security Analysis: Open Wifi and Cookies

December 8th, 2012 by ksl3

Most popular web services that you visit today require you to log in using a username and password. Once authenticated, the server saves a cookie on the user’s computer which is sent along with every subsequent request. This cookie acts as an authentication token that tells the server that the requester has full access to the current account.

HTTP session hijacking, otherwise known as sidejacking, occurs when an attacker captures a user’s cookies and is able to log in as that user with all privileges and access intact.

When using an open wireless network, your network traffic is visible to everyone. This includes cookies. Thus, it is almost trivially easy for an attacker to steal your cookie on an open wireless network and perform a sidejacking attack.

The only real defense against sidejacking is to force SSL end-to-end encryption from the moment the user connects to the server. The downside is that this makes each and every network request more expensive, and it was enforced by very few of the major service providers.

While sidejacking vulnerabilities have always been a major security flaw in open wireless networks, they didn’t receive much public attention until 2010, when developer Eric Butler published an infamous Firefox app known as Firesheep.

Firesheep automated sidejacking attacks. When connected to an open wireless network, it would automatically capture any cookies sent through the air. It also contained a list of configurations for popular web services like Facebook and Google. When a cookie of a corresponding service was detected, the user’s name and picture would be displayed in the sidebar. Clicking on the name would take you to the user’s account.

After the release of Firesheep, major websites like Google and Facebook enforced SSL-only connections and enabled the Secure attribute on their authentication cookies, which mandates that these cookies be sent only over HTTPS.

I was curious to see what, now over two years after Firesheep, the state of sidejacking protection is in major web services. Many of my friends use Rice Visitors as their default form of wireless without batting an eye. Even among my more tech-inclined friends who knew the dangers of using open wireless, there wasn’t much alarm about using open wireless. Were they safe?

I examined the top 10 sites on the web according to their ranking on Alexa.

1. Google:
HTTPS only. In addition, copying cookies verbatim did not lead to a successful sidejacking attack.

I logged in to the same Gmail account in a different browser and found that there were two cookies with different values in my two Gmail sessions.

GX
GMAIL_AT

These cookies both had random-seeming alphanumeric values. Deleting GMAIL_AT didn’t seem to affect anything, but deleting GX logged me out of my account. My guess is that GX is some sort of distinct session-based value that Google uses to thwart sidejacking attempts.

2. Facebook:
HTTPS only. Authentication cookies (c_user) are HTTPS only.

Visiting the website over HTTP reveals the locale of the user via non-secure cookies. An attacker on the same wireless network as the victim should already have access to this information, so it doesn’t seem to be much of a vulnerability.

3. YouTube:
HTTP access only. Confirmed sidejacking. I suppose that adding the extra latency of SSL on top of the world’s largest online streaming video site is not something Google considers feasible at the moment.

4. Yahoo:
HTTP access only. Confirmed sidejacking.

5. Baidu:
HTTP access only. Confirmed sidejacking.

6. Wikipedia:
HTTP access. Optional HTTPS available. Confirmed sidejacking.

7. Windows Live:
HTTPS only. Got this warning when logging in via HTTP.

“””
As long as you’re just reading and writing email, signing in with “https” gives you extra security. But this extra security disappears if you check your calendar, edit a contact, or go to another site. For the most secure connection, we strongly recommend that you change your settings to always use HTTPS.
“””

In addition, it doesn’t seem that the cookies on Live have the “secure” attribute set. That means if a user is logged in and visits live.com over HTTP, their cookies will still be sent in the clear before being redirected to HTTPS.

8. Amazon:
HTTP access only. Confirmed sidejacking.

At first this seems like a glaring security hole. Amazon is the world’s largest online retailer and, as of 2011, was processing $17.43 billion worth of items annually (source: http://phx.corporate-ir.net/phoe…).

Amazon asks for the user’s password for confirmation before making a purchase. Confirmation is also necessary to do anything privacy related, whether it is changing account information or looking at past orders.

9. QQ:
HTTP access only. Confirmed sidejacking.

10. Twitter:
HTTPS only. Authentication cookies (auth_token) are HTTPS only.

 


Distributed denial of service attacks as a commercial service

December 6th, 2012 by Martha

Earlier in the semester, a paper we presented proposed that the botmasters running Torpig operated it as a commercial service. While DDoS was probably only a small subset of the services Torpig’s botmasters offered, this article at TechWeekEurope looks into the whos and whys of commercial DDoS services. It has a couple of pictures of advertisements offering DDoS, and links to some ridiculous YouTube advertisements, both of which are hilarious in an ‘I’m still in high school and think I am the 1337est ever’ sort of way. Most of the evidence feels anecdotal, but it seems likely enough.

So what kinds of people run botnet DDoS services? One interviewed DDoS provider claimed to be 17 and a computer science student, and his behavior (taking down a 1337 hax00r forum for thirty seconds to prove who he was) certainly makes him sound like he’s still in high school. The other interviewees were more careful about revealing who they were, though, so more professional criminals appear to offer these services as well.

Targets vary. Anonymous protests are often in the news, but ‘hacktivists’ aren’t the only DDoS customers. Gwapo’s DDoS service advertises that “rivals, haters, they are to go down” and “If you want your business competitors to go down”, you should hire them, indicating that individuals want to DDoS smaller websites for petty personal attacks or to take out a business competitor. DDoS dealers can also hold online businesses for ransom: pay up or get taken down. Therefore, just about anyone with an online presence could be a target.

Build a Remote RFID Card Reader

December 6th, 2012 by Martha

Back in May, this post at Hackaday linked to a relatively easy-to-build RFID reader. It looks like it would be somewhat inexpensive (less than $100) to build.

The trend towards putting RFID chips in credit and debit cards is a little disturbing, as it’s fairly easy and relatively cheap for an attacker to build even a simple longer-range RFID reader. While this reader doesn’t read more than a foot away and doesn’t deal with the sort of encryption that should be on your debit cards (ha), it’s totally possible that an actual attacker could come up with something better.

To counter this attack, wrap your RFID cards or the inside of your wallet with aluminum foil. That should make it harder for a long-distance reader to read them.

Security analysis – Remote car key

December 1st, 2012 by wh3

Recently I lost my car key, and with it went my “remote entry” fob. Only then did I realize how inconvenient it is to have to plug in the physical key to open the door or the trunk every time. Therefore, I did a bit of research online and found that I can purchase a new remote entry unit for only $70 on Amazon and “program” it for the car myself (which involves procedures like turning the ignition on and off 3 times in 10 seconds, etc.). While this is easy and convenient, I began to question the security of these devices: how hard is it for someone else to hack this device and get into my car?

I then did some research online; here’s how a remote key worked in the early days: the transmitter in the key fob sends out a signal containing a unique identifying code to the car for verification. If the car verifies that the code is correct, it opens the door or starts the engine. As the unique code is fixed, hackers can “capture” the code the transmitter sends and simply re-transmit it to open the car.

Modern remote controllers are a lot more complex and robust: they use something called a rolling code (normally 40-bit) to provide security. Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random generator to pick a new code. On the other end, when the receiver receives a valid code, it uses the same pseudo-random generator to pick a new one. In this way, the receiver only opens the door if it receives the code it expects. Capturing the old code will no longer work, as the old code is no longer valid.
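To make the synchronisation concrete, here is an added simulation (not any manufacturer's scheme) of the model just described: both sides derive 40-bit codes from a shared secret and a press counter, the receiver burns every code up to the one it accepts, and a replayed capture fails. It also adds a resync lookahead window, an assumption of this example, to cover the fob being pressed out of the car's range; the shared key and window size are constructed.

```python
import hashlib
import hmac

CODE_BITS = 40  # the "normally 40-bit" rolling code width from the text
WINDOW = 16     # resync lookahead, an assumption of this example (real fobs vary)


def code_for(shared_key: bytes, counter: int) -> int:
    """Deterministic 40-bit code for a given press counter.

    Both fob and car hold shared_key, so both can compute the same sequence.
    Assumption: HMAC-SHA256 truncated to 40 bits stands in for the fob's PRNG.
    """
    mac = hmac.new(shared_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:CODE_BITS // 8], "big")


class Transmitter:
    """The key fob: every button press emits the next code and moves on."""

    def __init__(self, shared_key: bytes):
        self.key, self.counter = shared_key, 0

    def press(self) -> int:
        code = code_for(self.key, self.counter)
        self.counter += 1  # advances even if the car was out of range
        return code


class Receiver:
    """The car: accepts the expected code or one slightly ahead, never one behind."""

    def __init__(self, shared_key: bytes):
        self.key, self.expected = shared_key, 0

    def unlock(self, code: int) -> bool:
        for offset in range(WINDOW):
            if code_for(self.key, self.expected + offset) == code:
                self.expected += offset + 1  # this code and all before it are burned
                return True
        return False  # stale (replayed) or too far ahead


def scenario() -> tuple:
    """Replay attempt, in-window resync, and out-of-window desync, in that order."""
    key = b"constructed-shared-secret"  # constructed; real keys are provisioned at pairing
    fob, car = Transmitter(key), Receiver(key)
    captured = fob.press()
    first = car.unlock(captured)        # genuine press: True
    replay = car.unlock(captured)       # same code again: False, already burned
    for _ in range(3):                  # pressed out of range, still inside the window
        fob.press()
    resync = car.unlock(fob.press())    # lookahead catches up: True
    for _ in range(WINDOW + 5):         # pressed far beyond the window
        fob.press()
    desync = car.unlock(fob.press())    # needs re-pairing: False
    return first, replay, resync, desync


if __name__ == "__main__":
    print(scenario())  # (True, False, True, False)
```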

While some remote key manufacturers claim that attacks on such remote controllers exist only in theory and are hardly practical, the paper “Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars”, presented at the 2011 Network and Distributed System Security Symposium, demonstrated a relay attack on such a system. Here’s my quick understanding of how the relay attack works: the mechanism of the Passive Keyless Entry System is that the car periodically sends signals to the key. As the signal is very weak, it can only be picked up by the key when the key is very close to the car. The relay attack works by placing one antenna near the car and the other one near the key. The antenna picks up the signal the car sends out and relays it to the other antenna that is close to the key, which tricks the system into thinking that the key is within short distance of the car. Here’s a scenario proposed by the paper.

In this Parking Lot scenario, the attackers can install their relay setup in an underground parking, placing one relay antenna close to the passage point (a corridor, a payment machine, an elevator). When the user parks and leaves his car, the Passive Keyless Entry System will lock the car. The user then exits the parking confident that his car is locked (feedback from the car is often provided to the owner with indicator lights or horn). Once the car is out of the user’s sight, the attackers can place the second antenna at the door handle. The signals will now be relayed between the passage point and the car. When the car owner passes in front of this second antenna with his key in the pocket, the key will receive the signals from the car and will send the open command to the car. As this message is sent over UHF it will reach the car even if the car is within a hundred meters [10]. The car will therefore unlock. Once the attacker has access to the car, the signals from within the car are relayed and the key will now believe it is inside the car and emit the allow start message. The car can now be started and driven. When the attacker drives away with the car, the relay will no longer be active. The car may detect the missing key; however, for safety reasons, the car will not stop, but continue running. Similarly, the car might detect a missing key for several other reasons including if the key battery is depleted. Some car models will not notify the user if the key is not found when the car is on course, while some will emit a warning beep. None of the evaluated cars stopped the engine if the key was not detected after the engine had been started.

There are two restrictions on this attack: 1) the car antenna must be really close (30 cm) to the car; 2) the key antenna should be within 8 meters of the key. As we can see from the scenario, these two requirements are not that hard to satisfy. Moreover, all the equipment used in the relay attack can be built for under $1000, making it very feasible. The authors tested this approach on 10 different cars from different manufacturers, and all of them proved to be vulnerable to such an attack.

It looks like remote car keys are not that safe. The only good news is that none of the police agencies had ever heard of an instance of an automobile theft being accomplished through such high-tech techniques. Rather than going to all the trouble of setting up the equipment, thieves prefer to simply smash the windows.

Relevant links:
http://auto.howstuffworks.com/remote-entry.htm
http://www.snopes.com/autos/techno/lockcode.asp
http://eprint.iacr.org/2010/332.pdf

Printing Troubles

November 29th, 2012 by ksl3

Article

This article talks about research from Columbia University that reveals security holes in network printers.

While these were once rare machines used solely in enterprises, they are more and more becoming a common installation in every home, office and public institution.

Through the use of firmware updates, attackers can install code and achieve arbitrary code execution via security holes in network printers.

While most people regard printers as dumb devices, a more accurate description would be a server on the local network.

This article goes to show that anything that is connected to the internet and has access to some sort of privileged information or permission can and should be considered a security threat.