A graduate seminar: current topics in computer security
 



Comp527 Final Project Proposal: Rich Text Editor Research

October 5th, 2013 by jz33

Group: Jun Zheng (jz33) Chao Zhang (cz15)

Category: Thing to go others

Date: Oct 05 2013

Introduction

Rich text, also known as formatted text, as opposed to plain text, has styling information beyond the minimum of semantic elements: colours, styles (boldface, italic), sizes, and special features (such as hyperlinks) [1]. A general rich text editor providing an interface to edit rich text, which follows the “What You See Is What You Get” (WYSIWYG) [2] tenet, can save the programmer from trivial HTML/CSS tag, attribute and value debugging. Several major browser manufacturers provide a free rich text editor service, i.e., Google Forms [3], but not in the open source regime. Moreover, several simple open source rich text editors lack precautions against potential HTML risks and maliciousness. Our group’s work is therefore to research existing open source rich text editor projects, analyze their possible security issues specifically, and try to make improvements.

Strategy

First we will research forms of potential HTML/CSS attacks and harms. Current topics are:

1. Invalid, unknown or deprecated (in HTML5) tags;

2. Inline styles;

3. Sandbox;

4. CSS risks.

More paper research and thinking is needed at this step.

Second, we shall look into previous contributors and their commits in rich text editors. Currently we will look into source code from GitHub, a social coding host site for open source programming languages like JavaScript, Python, PHP, etc. Our starting source code is in the projects “xing/wysihtml5” [4] and “mindmup/bootstrap-wysiwyg” [5], but later we might move to other projects. We will make comments on each project about its protection mechanisms and potential risks. We might generate limited malicious code to test the tolerance and durability of each project.

Third, we will combine previous inspirations to create our own rich text editor, with functions like converting input to an HTML view and vice versa. Hopefully, our editor will also be capable of converting a risky HTML file into a safe HTML file based on our judgment.
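An added example (not from the proposal or from either cited project) of the kind of conversion the third step describes, written in Python: an allowlist-based sanitizer that drops unknown and deprecated tags, strips inline styles and event-handler attributes, removes unsafe link schemes and re-escapes text, so the output stays balanced HTML. The tag allowlist and the safe-scheme list are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Allowlist of tags -> attributes a rich text editor needs. Anything absent
# (script, iframe, style, deprecated font/center, unknown tags) is dropped.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
           "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"}}
VOID = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # assumed policy

class RichTextSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.open_tags = []  # stack of emitted tags, so output stays balanced
        self.skip_depth = 0  # >0 inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED:
            return  # unknown or deprecated tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # inline style, on* handlers and similar are removed
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data: and other unsafe schemes are removed
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open_tags:
            while self.open_tags:  # close anything still open inside it
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # text is re-escaped, never passed raw

def sanitize(fragment):
    s = RichTextSanitizer()
    s.feed(fragment)
    s.close()
    while s.open_tags:  # close tags the input left open
        s.out.append(f"</{s.open_tags.pop()}>")
    return "".join(s.out)
```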

References & Links:

[1] http://en.wikipedia.org/wiki/Formatted_text

[2] http://en.wikipedia.org/wiki/WYSIWYG

[3] https://chrome.google.com/webstore/detail/google-forms/jhknlonaankphkkbnmjdlpehkinifeeg

[4] https://github.com/xing/wysihtml5

[5] https://github.com/mindmup/bootstrap-wysiwyg

Hackers use Dropbox, WordPress to spread malware

October 4th, 2013 by Zekai

The Chinese cyberspies behind the widely publicized espionage campaign against The New York Times have added Dropbox and WordPress to their bag of spear-phishing tricks.

The gang, known in security circles as the DNSCalc gang, has been using the Dropbox file-sharing service for roughly the last 12 months as a mechanism for spreading malware, said Rich Barger, chief intelligence officer for Cyber Squared. While the tactic is not unique, it remains under the radar of most companies.

“I wouldn’t say it’s new,” Barger said on Thursday. “It’s just something that folks aren’t really looking at or paying attention to.”

The gang is among 20 Chinese groups identified this year by security firm Mandiant that launch cyberattacks against specific targets to steal information. In this case, the DNSCalc gang was going after intelligence on individuals or governments connected to the Association of Southeast Asian Nations. ASEAN is a non-governmental group that represents the economic interests of ten Southeast Asian countries.

The attackers did not exploit any vulnerabilities in Dropbox or WordPress. Instead, they opened up accounts and used the services as their infrastructure.

The gang uploaded on Dropbox a .ZIP file disguised as belonging to the U.S.-ASEAN Business Council. Messages were then sent to people or agencies that would be interested in the draft of a Council policy paper. The paper, contained in the file, was legitimate, Barger said.

When a recipient unzipped the file, they saw another one that read, “2013 US-ASEAN Business Council Statement of Priorities in the US-ASEAN Commercial Relationship Policy Paper.scr.” Clicking on the file would launch a PDF of the document, while the malware opened a backdoor to the host computer in the background.

Once the door was open, the malware would reach out to a WordPress blog created by the attackers. The blog contained the IP address and port number of a command and control server that the malware would contact to download additional software.

Dropbox is a desirable launchpad for attacks because employees of many companies use the service. “People trust Dropbox,” Barger said.

For companies that have the service on their whitelist, malware moving from Dropbox won’t be detected by the company’s intrusion prevention systems. Also, communications to a WordPress blog would likely go undetected, since it would not be unusual behavior for any employee with access to the Internet.

In general, no single technology can prevent such an attack. “There’s no silver bullet here,” Barger said.

The best prevention is for security pros to share information when their companies are targeted, so others can draw up their own defense, he said.

In The New York Times attack, the hackers penetrated the newspaper’s systems in September 2012 and worked undercover for four months before they were detected.

The attack coincided with an investigative piece the newspaper published on business dealings that reaped several billion dollars for the relatives of Wen Jiabao, China’s prime minister.
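As an added example (not from the article), a Python check of the kind a mail gateway or file-sharing proxy could run over an archive before it reaches a user: it lists members whose extension Windows will execute and flags those whose name reads like a document, the shape of the lure described above. The archive is constructed inline with placeholder contents, and the extension and keyword lists are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows executes on double-click; none belongs in a "policy paper" archive (assumed list).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".hta"}
# Words and inner extensions that make an executable look like a document (assumed list).
DOCUMENT_HINTS = ("paper", "statement", "report", "invoice", "agenda", ".pdf", ".doc", ".xls", ".ppt")


def suspicious_members(zip_bytes):
    """Return [(member, reason)] for archive entries that look like disguised executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name   # ignore any directory prefix
            ext = PurePosixPath(name).suffix.lower()   # only the final extension executes
            if ext not in EXECUTABLE_EXTS:
                continue
            stem = name[: -len(ext)].lower()
            if any(hint in stem for hint in DOCUMENT_HINTS):
                findings.append((info.filename, f"{ext} executable named like a document"))
            else:
                findings.append((info.filename, f"{ext} executable inside archive"))
    return findings


def build_sample_zip():
    """Constructed sample archive mirroring the lure described above; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("2013 US-ASEAN Business Council Statement of Priorities in the "
                    "US-ASEAN Commercial Relationship Policy Paper.scr", b"MZ-placeholder")
        zf.writestr("cover note.txt", b"Draft policy paper attached for comment.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_zip()):
        print(f"FLAG: {member!r}: {reason}")
```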

Dry Run Format

September 17th, 2013 by Tad

As you are hopefully now aware, you are expected to do a dry run of your presentation with me at least a week before your presentation.  (If your presentation is less than a week from now, let me know, and we will work something out.)  I wanted to share with you what we will be doing and what I will expect.

First, we will spend some time discussing the paper.  I will be looking to see how well you understand it, and can offer some clarifications if there are areas where you have questions.

Secondly, we will run through your slides.  I will not ask you to make the entire presentation, but ask you to explain the logic behind it (what are you trying to do – what is the structure,) and then ask you to walk through your slides one by one and explain to me how you are going to give the lecture.

If you have any questions, let me know.  My e-mail is tbook at rice.

FBI Admits It Controlled Tor Servers Behind Mass Malware Attack

September 17th, 2013 by R.Tanash

1. http://arstechnica.com/tech-policy/2013/09/fbi-admits-what-we-all-suspected-it-compromised-freedom-hostings-tor-servers/

2. http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/

On September 12, 2013, an FBI official announced that the agency had gained control over a server owned by Freedom Hosting (FH), which operates over the Tor anonymity network.

Tor provides anonymity for its users for a good cause. For example, human rights activists may use the network to practice online freedom of speech. However, Tor was found to attract malicious users who need to conceal their identity.

In the case of FH, it was reported to the FBI that FH was allowing the hosting of child pornography, a federal felony in the United States. The FBI decided to investigate. As part of its plan, malware was used to track down the identity of its target. The FBI attack exploited a Firefox bug to embed arbitrary JavaScript code in an iframe to collect users’ data and reveal the identity of the targeted Tor user. The embedded code collects the victim’s MAC address and Windows hostname, and sends them to a Command-and-Control (C&C) server.

On August 4, other benign sites hosted by FH reported receiving error messages with embedded hidden code containing IP addresses. These messages were traced back to the Verizon data center in Northern VA. The servers were used as the malware’s C&C. The packets were sent over HTTP, which made it easier for the researchers to analyze (good for us!!).  The exploit targeted Firefox 17 ESR.  17 ESR is the version of Firefox that enables the Tor Browser Bundle.

One independent researcher made an interesting observation. Due to the lack of sophistication of the JavaScript code and its functionality, it is very likely this exploit was crafted by the Government (interesting!)

I believe that although the FBI was trying to track down the identity of a pedophile, it also invaded the privacy of other non-suspect users and served malware using a public ISP provider’s infrastructure. Is this lawful?

TA Office Hours

September 16th, 2013 by Tad

If you read Dan’s post, you know that you are now required to practice with me before your presentation. I will generally be available for an hour after class, but please e-mail me (tbook at rice) to schedule a time. I can help you with the technical details of your presentations and make some suggestions for improvements. You may still want to make use of Rice’s resources to work on your presentation skills.

New presentation requirement: practicing in advance

September 16th, 2013 by dwallach

Now required prior to all in-class presentations, please schedule yourself for a one-on-one with Tad Book, your friendly TA, where you’ll do a dry run of your presentation. He’ll give you feedback and help you make your talk better.

You need to do this at least one week prior to your presentation date. I realize our next in-class student presentation is on Friday, so for at least one of you, you’ll need to do this sooner. However, this practice will be part of your grade. If you don’t do the practice, you’ll lose half of the points.

Paper for Wednesday

September 16th, 2013 by Tad

Here is a link to the paper I will be presenting on Wednesday:

A Case of Collusion: A Study of the Interface Between Ad Libraries and their Apps

Looking forward to sharing it with you.

Welcome to Comp527, Fall 2013

August 25th, 2013 by dwallach

Welcome to the Fall 2013 version of Comp527. This class is a graduate level research seminar. It’s structured with a list of research papers (linked on the left side of this page). Each of you will be responsible for presenting some number of these papers in front of the class. (Based on pre-enrollment, we’ll have roughly as many students as speaking slots, so you’ll be paired up for preparing and giving presentations.) After your talk, you’ll get a copy of the video of you talking, so you can go watch it and be your own worst critic. You will also be responsible for class participation, which includes posts on this very blog with topics of current security interest. The majority of your grade will come from a final project on a topic of your choice.

If you’re planning to attend Comp527, make sure you’re properly registered with the university. Then please fill out our registration form. We’ll soon have a Google Calendar to which you can subscribe. To fully participate in this class, you must have a Rice account, so you can post on this blog, and a Google account, so you can edit yourself into the schedule of talks. (Please fill out our registration form ASAP so we can get this set up.)

If the university is telling you this course is full, then we’ll get that problem fixed. Meanwhile, please show up and do everything.

Security Analysis: Short Messaging System (SMS)

December 17th, 2012 by on1

SMS, or short message service, is a popular, cheap and public service over GSM and other cellular networks and is based upon a store-and-forward mechanism, which means messages are stored in the SMSC (Short Message Service Center) until their expiration time and are sent to the receiver whenever he/she becomes available. This system emerged in Europe in 1991 and became prevalent after this breakthrough happened. Using the SMSC as a store-and-forward system and cellular networks as a means of transferring signals, people can send their messages and make sure that their messages have been delivered, unlike alphanumeric paging systems. SMS provides the infrastructure for different services such as electronic mail, mobile banking and stock information. However, it seems it is not secure enough to handle money transfers. Generally, there are two types of security problems related to short message service:

1) Vulnerabilities which are related to the cellular networks and which SMS inherits.

2) Vulnerabilities which are specific to this service and have nothing to do with cellular networks.

The first set of problems applies to all services over GSM. In other words, all signals transmitted over GSM are prone to attacks. Short message service in GSM uses the A5 algorithm to encrypt messages transmitted over radio, and in other parts of the network messages are kept unencrypted. Also, there is no integrity check in SMS. Therefore, using man-in-the-middle attacks and fake receiver/sender attacks, attackers can change or eliminate messages. Another way to attack SMS is to copy a SIM card or obtain the Ki and IMSI of the victim to receive all SMS intended for the victim. In this situation, if a banking system decides to stupidly provide a means of depositing and withdrawing money from one’s account via SMS, the attacker can in an easy manner compromise the banking account.

Secondly, the other category of attacks is related to vulnerabilities in SMS itself. Since messages in the SMSC are in plain text, storing them may lead to leakage of data. In addition to this problem, fake SMSs can be generated on the Internet. In the roaming process in cellular networks, SMS contents are transferred over the Internet and could be prone to attacks. Another sort of attack that we can think of is physically accessing a device and stealing information.

In order to have a secure messaging system, we need to provide an end-to-end system which guarantees integrity, privacy and security. There are some ways to implement security with an end-to-end approach, four of which are as follows.

1) Programming Languages: Thanks to the high processing capability of cellphones and the programming languages available for them, we can encrypt voice over GSM channels. Therefore it is plausible to encrypt small-size packets. For instance, we can take advantage of J2ME with SATSA (Security and Trust Services API) and WMA (Wireless Messaging API) to encrypt SMS sent over GSM.
2) SAT (SIM Application Toolkit): Most SIM cards provide a facility for operators to control their users and give them the capability to get information from user keyboards. However, we should notice that regarding processing capabilities, SIM cards are not as powerful as cellphone devices.
3) JavaCard: In devices with two processing chips we can use this approach.
4) Encryption Processing Unit: Cellphone factories can insert a module in their devices which adds security capabilities and cannot be changed by users.
It seems the first two approaches mentioned above are more feasible and in general can be applied to all cellphones.

Does Google have a good reason to scan emails for business purposes?

December 13th, 2012 by Yiting

Google was accused of illegal wiretapping for intercepting emails to Gmail accounts and publishing content-related ads. This lawsuit targets email users who do not have Gmail accounts and have therefore not signed the company’s acceptance terms. The terms are that Google can intercept your emails and use them for direct marketing purposes. Google scans their emails anyway and thus violates wiretap laws in some states.

Google acknowledged that it routinely scans emails for spam and computer viruses, but said that’s permitted under similar federal wiretap laws. It also argued that selling advertising based on the content of a received email is a routine business practice permitted under an exception written into the wiretap law. Google notes Yahoo and other email providers sell ads through similar methods. Scanning emails for spam and computer viruses is reasonable, but this is different from sending content-related commercials. Filtering spam and computer viruses is a service that benefits users, while ads may not be that favorable. In addition, a common commercial model does not guarantee its correctness. Other major email providers’ acts cannot be Google’s excuse for doing the same thing.

Google lawyer Michael G. Rhodes said “There can be little doubt that selling advertising in order to provide a free service to consumers is a ‘legitimate business goal’. If it were not, then the entire model by which content is provided on the Internet would be illegitimate, as would the business model by which television programming has been provided for free for the last half century.” Obviously, this is a false analogy. Television is a passive medium, so the commercials are not audience-selective. Likewise, users select the content of their own will when surfing online. Neither of them scans users’ private information.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, also found Google’s behavior unreasonable, and his words may represent the thoughts of the general public. He said, “What if you were making a call on your Verizon cellphone, and you were talking to an Italian restaurant trying to make reservations for Friday and a Verizon agent jumped on the line and said, ‘Oh, how about this place’? You are not supposed to be listening to my communications to try to sell me stuff.”