We have posted the updates for the last week on :http://twitterview.blogs.rice.edu/2013/11/17/updates-for-week-ending-11172013/

http://www.walb.com/story/23901076/fbi-wants-hacker-who-helped-catch-cheating-lovers

Quite an interesting read. Given the level of paranoia within a lot of people’s relationships, I don’t really blame the college student for trying to sell a product like this. The line of morality is a little blurred, who is in the wrong here? The college student for creating the malware or the people that purchased it to spy on their lovers?

Group: XSS Sanitization

Author: jz33

This week’s discussion is on several possible XSS attacks, and whether Django’s auto-escaping can make

help or not. Please look:

Jun’s Blog on Comp527

See project update at: http://twitterview.blogs.rice.edu/2013/11/10/update-week-ending-111013/

Our reports are moved to:

Jun’s Blog on Comp527

Milestone Report

Timeline :

Before Nov 2nd 2013 – Install CM and decide the milestone proposal

Followed the steps in Installing CyanogenMod to install CM ( version of CM cm-10.2-20131030-nightly-targa ) into the device. To gain root access we used this link.

Nov. 3 – Nov. 9   :  Understand how source code works in Privacy Guard and analysis Apps behavior

Access  the source code to Cyanogenmod through github.  Review the code to understand how the Privacy Guard app works . As a result, prepare a complete analysis of the flow of the code along with list of functionality available by the App.

Nov.10 – Nov.23 :  Code for an App to generate report

Learn the basics of android App development . Develop an App that can be run on a device to produce a log Report on the various permission access requests from the apps running on the device and prepare a report based on the privacy violations . The App will be based on the concept similar to LogCollector .

Nov.24 – Nov.30 : Make the code dynamic for more apps

Make the code more dynamic and test it for a range of different Apps.

Dec. 2-6 : Presentation

After presentation and before Dec. 18, Documentation and Report

Prepare a detailed user manual of how the App works along with features available . Documentation of the code. Write a paper based on the results and Analysis accomplished .

This week we started trying to use TOR to examine Twitter from other countries, but we ran into a few problems. The only country with an exit node we can find is Egypt, and it only has one node. As we would expect, that node has so much traffic that it’s impossible for us to get any requests through.
To remedy the situation, we have set up planetlab accounts and are investigating the nodes in Jordan and Egypt. However, these countries are not the most interesting – their censorship is relatively relaxed when compared with places like Saudi Arabia or the United Arab Emirates, both of which do not have planetlab nodes.
As we posted earlier, we have found companies in both of these countries which offer hosting of computing. We are currently investigating ways to utilize these companies to generate web requests from their respective countries. Some ideas that we have had (and the discussion that followed):
1) We have working code for a proxy server. If we can sftp the executable to one of the hosting companies and run it there, we can just configure our browsers to use that proxy server and generate requests that way. This seems to be the most viable option.
2) We could use the service to host a site for our “startup company”. This site would just be a front – merely a login page where if anyone besides us tries to log in it tells them the site is under construction. For us, it could link to a .php page where we make some calls to one of the php based twitter API’s. We are currently investigating whether or not it’s possible to do via php, but the proxy seems like an easier solution.
3) We could also host a javascript page that does much the same thing, but for this to work we’d have to have people in Saudi or UAE visiting the page for it to make a difference – since javascript is server side we can’t just visit the page ourselves.
4) From the rented computing space, we could just use the wget tool and compare the output to what we get when using it from a computer in the US, however we’re currently unsure how Twitter’s pages are structured – if they’re built using javascript then using wget is kind of a moot point.
One of Rima’s accounts actually got suspended for violating the terms of service at Twitter! We’re currently investigating the reason why. To her knowledge, all she did was the following:
1) Created asaeed216 twitter account using her standard Firefox browser
2) Searched #egypt and the other # we identified and started following interesting people
3) Fired up Tor browser from a Virtual machine and logged to the same account using {US} exit node then {EG} exit node. She was never able to connect to Twitter when she had the exit node as {EG} but did access Twitter on Tor {US}

A security researcher Dragos Ruiu claimed that three years ago he noticed a strange behavior exhibited by one of his Air Mac machines. The machine mysteriously updated its UEFI even after he installed a fresh copy of the OS. Ruiu initially noticed that data was being deleted and added on the infected machine, and when he tried to boot the OS from a CD, the option was disabled. He reported that another BSD machine in his lab showed the same signs of infection.  After three years of investigation he concluded that the machine was infected with a sophisticated and unusual malware.

Ruiu started monitoring his network traffic and noticed that small amount of data was transmitted to and from destination addresses IPv6 including machines with IPv6 disabled. As part of his investigation he added additional Windows and Linux machines to his experiment.  He reported that the malware infected all the machine regardless of their OS and model.

The infection vector seemed to be delivered to the boot firmware (BIOS, UEFI) via a USB-rootkit using a rouge USB stick.

The most interesting observation reported by Ruiu was that when he disconnected the machines from the network and unplugged the Ethernet cable and disabled the Wi-Fi, the machines continued to transmit data. Ruiu claimed that the machines used high-frequency transmission to bridge airgaps (machines that are not wired) between microphones and speakers of two machines. According to some researchers, this behavior is theoretically possible. However, it was never confirmed by Ruiu whether the reported behavior was caused by the malware or some other system side effect. In addition, some researchers believe that it is impossible to transmit enough data to perform malware update using the limited bandwidth provided by this airgaping.

Although BIOS based malware is not new, a malware that can infect boot firmware regardless of the manufacturer has never been reported. This level of sophistication would require a polymorphic code with great level of intelligence that can identify the hardware maker to tailor the infection. If this malware is proven to be real then this would be a great technical advancement in malware creation

No malware code has yet been provided by Ruiu to the security community for peer-review and reverse engineering.

http://www.dfinews.com/news/2013/11/badbios-mysterious-malware-jumps-airgaps?et_cid=3578430&et_rid=454848423&location=top#.Ungb8ZTwLp0

http://www.infoworld.com/t/malware/badbios-next-gen-malware-or-digital-myth-230047

Comp527 Final Project Milestone Report (Nov 5 2013)

Detection & Sanitization of XSS

Jun Zheng (jz33) Chao Zhang (cz15)

Rice University

Overview

Our project goes slowly but steadily. For now, we are focusing on 2 aspects simultaneously.

Part I

On one side, our group is researching theories on XSS, that is, definition, significance, and more importantly, how common web frameworks (as currently selected, Django, GWT at least) support sanitization. [1][2] shows that mechanism on different frameworks varies a lot, but generally categories can be recorded according to 1) what language /expression (HTML, CSS, Javascript) is supported; 2) untrusted data separation; 3) auto sanitization abilities (context-insensitive sanitization, context-sensitive sanitization, able to handle nested context, able to handle dynamic context); 4) placement of sanitizers

Part II

One the other side, our group is trying to design tiny web applications based on selected frameworks, in order to observe XSS attack. Current design are basically composed by 3 parts, a  naive victim app (citizen), a randomized attacker (killer), a status estimator (judge). This part goes slowly, because neither of us has experiences on Django /GWT, but expecting result might be interesting that to see our own app is been killed by ourselves.

Reference

[1] Weinberger, J., et al., “A Systematic Analysis of XSS Sanitization in Web Application Frameworks”, Springer-Verlag Berlin Heidelberg 2011

[2] Weinberger, J., et al., “An Empirical Analysis of XSS Sanitization in Web Application Frameworks”, Technical Report No. UCB/EECS-2011-11

Our group also have posted the details of milestone report for the final project, please refer to the link for more information, thank you.

http://xss.blogs.rice.edu/2013/11/04/final-project-milestone-detection-sanitization-of-xss/

Team: Zekai Gao, Chengyang Wu

We have updated the status milestone for our final project on our blogs. Please go to http://cmaccount.blogs.rice.edu/2013/11/03/milestone-of-final-project/ for more information. Thank you.