Now required prior to all in-class presentations, please schedule yourself for a one-on-one with Tad Book, your friendly TA, where you’ll do a dry run of your presentation. He’ll give you feedback and help you make your talk better.

You need to do this at least one week prior to your presentation date. I realize our next in-class student presentation is on Friday, so for at least one of you, you’ll need to do this sooner. However, this practice will be part of your grade. If you don’t do the practice, you’ll lose half of the points.

Here is a link to the paper I will be presenting on Wednesday:

A Case of Collusion: A Study of the Interface Between Ad Libraries and their Apps

Looking forward to sharing it with you.

Welcome to the Fall 2013 version of Comp527. This class is a graduate level research seminar. It’s structured with a list of research papers (linked on the left side of this page). Each of you will be responsible for presenting some number of these papers in front of the class. (Based on pre-enrollment, we’ll have roughly as many students as speaking slots, so you’ll be paired up for preparing and giving presentations.) After your talk, you’ll get a copy of the video of you talking, so you can go watch it and be your own worst critic. You will also be responsible for class participation, which includes posts on this very blog with topics of current security interest. The majority of your grade will come from a final project on a topic of your choice.

If you’re planning to attend Comp527, make sure you’re properly registered with the university. Then please fill out our registration form. We’ll soon have a Google Calendar to which you can subscribe. To fully participate in this class, you must have a Rice account, so you can post on this blog, and a Google account, so you can edit yourself into the schedule of talks. (Please fill out our registration form ASAP so we can get this set up.)

If the university is telling you this course is full, then we’ll get that problem fixed. Meanwhile, please show up and do everything.

Security Analysis: Short Messaging System (SMS)

SMS or short message service is a popular, cheap and public service over GSM network and other cellular networks and is based upon Store-and-Forward mechanism; which means messages would be stored in SMSC (Short Message Service Center) until expiration time and would be sent to the receiver whenever he/she becomes available. This system emerged in Europe in 1991 and become prevalent after this breakthrough happened. Using SMSC as a store and forward system and cellular networks as a means of transferring signals, people can send their messages and make sure that their messages have been delivered unlike Alphanumeric paging systems. SMS provides the infrastructure for different services such as electronic mail, mobile banking and stock information. However, it seems it is not enough secure to handle money transferring. Generally, there are two types of security problems related to short message service:

1) Vulnerabilities which are related to the cellular networks and SMS inherit those problems.

2) Vulnerabilities which are specific to this service and has nothing to do with cellular networks.

First set of problems can be applied to all services over GSM. In other words, all signals transmitted over GSM would be prone to attacks. Short message service in GSM uses A5 algorithm to encrypt messages transmitted over radio and in other part of the network messages would be kept unencrypted. Also, there is no integrity check in SMS. Therefore, using man in the middle attacks and fake receiver-sender attackers can change or eliminate messages. Another way to attack SMS is to copy a sim card or obtain Ki and IMSI of the victim to receive all SMS intended for the victim. In this situation if a banking system decides to stupidly provide a means of depositing and withdrawing money from one’s account via sms the attacker can in an easy manner compromise the banking account.

Secondly, the other category of attacks is related to vulnerabilities in the SMS. Since messages in the SMSC are in plain text, storing them may lead to leakage of data. In addition to this problem, fake SMSs can be generated in the Internet. In the roaming process in cellular networks, SMS contents would be transferred over the Internet and could be prone to attacks. Other sort of attack that we can think of is physically accessing a device and stealing information.

In order to have a secure messaging system, we need to provide an end to end system which guaranties integrity and privacy and security. There are some ways to implement security with an end to end approach four of which goes as follow.

1) Programming Languages: Thanks to high processing capability of cellphones and available programming languages for cellphones, we can encrypt voice over GSM channels. Therefore it is plausible to encrypt small size packets. For instance, we can take advantage of J2ME and SATSA (Security and Trust Service API) and WMA (Wireless Messaging API) to encrypt SMS sent over GSM.
2) SAT (SIM Application Toolkit): Most of the SIM cards provides a facility for operators to control their users and give them the capability to get information from user keyboards. However we should notice that regarding processing capabilities SIM cards are not as powerful as cellphone devices.
3) JavaCard : In devices with two processing chips we can use this approach.
4) Encryption Processing Unit: Cellphone factories can insert a module in their devices which can add security capabilities to their devices and cannot be changed by users.
It seems the first two approaches mentioned above are more feasible and general can be applied to all cellphones.
References:
M. Toorani, and A.A. Beheshti Shirazi, “Solutions to the GSM Security Weaknesses,”
Proceedings of the 1st IEEE Workshop on Wireless and Mobile Security (WMS’08),
pp.576-581, Cardiff, UK, Sept. 2008.
http://www.alarm.de.
M. Toorani, and A.A. Beheshti Shirazi, “SSMS – A Secure SMS Messaging Protocol for
the M-payment Systems,” Proceedings of the 13th IEEE Symposium on Computers and
Communications (ISCC’08), pp.700-705, Morocco, July 2008.
European Telecommunications Standards Institute, “Digital cellular Telecommunications
system (Phase 2+), Security mechanisms for the SIM Application Toolkit,” GSM 02.48
version 6.0.0 Release 97, April 1998.
A.B. Rekha, B. Umadevi, Y. Solanke, and S.R. Kolli, “End-to-End Security for GSM
Users,” IEEE International Conference on Personal Wireless Communications, pp.434-
437, Jan. 2005.
N.N. Katugampala, K.T. Al-Naimi, S. Villette, and A.M. Kondoz, “Real-time End-to-end
Secure Voice Communications Over GSM Voice Channel,” 13th European Signal
Processing Conference (EUSIPCO’05), Turkey, Sept. 2005.

Google was accused of illegal wiretapping for intercepting emails to Gmail accounts and publishing content-related ads. This lawsuit targets at email users who do not have Gmail accounts and have therefore not signed the company’s acceptance terms. The terms are that Google can intercept your emails and use them for direct marketing purposes. Google scans their emails anyway and thus violates wiretap laws in some states.

Google acknowledged that it routinely scans emails for spam and computer viruses, but said that’s permitted under similar federal wiretap laws. It also argued that selling advertising based on the content of a receive email is a routine business practice permitted under an exception written into the wiretap law. Google notes Yahoo and other email providers sell ads through similar methods. Scanning emails for spam and computer viruses are reasonable, but this is different of sending content-related commercials. Filtering spam and computer viruses is a service that benefits users, while ads may not be that favorable. In addition, a common commercial model does not guarantee its correctness. Other major email providers’ act cannot be Google’s excuse of doing the same thing.

Google lawyer Michael G. Rhodes said “There can be little doubt that selling advertising in order to provide a free service to consumers is a ‘legitimate business goal’. If it were not, then the entire model by which content is provided on the Internet would be illegitimate, as would the business model by which television programming has been provided for free for the last half century.” Obviously, this is a false analogy. Television is a passive media, so the commercials are not audience-selective. Likewise, users select the content on their own will when online surfing. Neither of them scans users’ private information.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, also found Google’s behavior unreasonable, and his word may present thoughts of the general public. He said, “What if you were making a call on your Verizon cellphone, and you were talkin got an Italian restaurant trying to make reservations for Friday and a Verizon agent jumped on the line and said, ‘Oh, how about this place’? You are not supposed to be listening to my communications to try to sell me stuff.”

The U.S. Department of Justice recently arrested 10 suspects from 8 countries who involved in a global botnet ring. This international cyber crime infected over 12 million PCs worldwide, caused more than $850 million losses, and harvested financial information from over 800,000 victims. The attack started from a Butterfly botnet, which spread itself using variants of Yahos. Yahos is a virus that spreads by sending links via social networks or instant messages and launches attack when users click on the malicious link. Yahos targeted Facebook users from 2010 to October 2012, and security systems were able to detect affected accounts and provide tools to remove these threats. Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware.

Yahos  affected Facebook users for two years and caused great economical loss to them. Why didn’t Facebook find out the issue and take actions earlier? This may largely due to the lack of connection between users and Facebook. When a user is attacked, he probably won’t link it to Facebook. Thus Facebook has no knowlege of the attack only until a large number of systems get infected and people report this issue increasingly. Then Facebook needs to figure out the root cause, detect the intrusion, and remove the threats, everything takes time.

International cyber crimes are disastrous. Due to the open nature of Internet, these global botnet operations may affect numerous users in different countries. Does the government has the responsibility of preventing its citizens from these attacks? One may argue that government should be away from supervision and leave users complete freedom. But this can be an effective way to protect the users. If firewalls can be build to filter out sensitive key words, they can be used to filter attacks similarly.

Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet. A major limitation of BGP is its failure to adequately address security [1]. Recent security analyses clearly indicate that the Internet routing infrastructure is highly vulnerable, and there have been enormous proposals to solve the BGP vulnerability of all kinds. In this review, we summarize the state-of-the-art solutions to prefix hijacking attacks.

In general cases, an IP prefix should only be originated by a single Autonomous System (AS) [2]. A Multiple Origin AS (MOAS) conflict occurs when a prefix is originated by more than one AS simultaneously. This can occur legitimately. For instance, a multi-homed AS transitions between preferred routes. However, these MOAS conflicts can also directly indicate prefix hijacking. A recent study of MOAS conflicts shows that potential causes included prefixes associated with exchange point addresses that link ASes, multi-homing without BGP or with private AS numbers, and faulty configurations [3].

[4] proposes to enhance BGP using community attributes [5] to distinguish between valid and invalid MOAS conflicts in response to these operational oddities. The set of ASes authorized to announce a given prefix is appended to the community attribute, which can be used to determine if a MOAS conflict is valid. Because the community attribute is optional and transitive, routers can drop this information without causing an error. Because they are not authenticated, the announcements can be forged or altered by malicious routers. However, the authors suggest that forged routes can be detected by flagging prefixes received with multiple, conflicting AS lists.

Intrusion detection mechanisms are used in [6] to identify forged origin announcements and several metrics for bogus announcements identification are also proposed. In this work, the detection criteria arise from the evaluation of common configurations and AS behavior, rather than derived from the BGP specification. Specifically, any departure from normal ownership behavior, such as a new AS begins to announce the address or a new MOAS occurs, is considered to be malicious and thus is flagged. This scheme produces few incorrect alerts. But the prefix ownership lists are pre-computed, requiring rebuilding the network model whenever the network topology changes.

The Prefix Hijacking Alert System (PHAS) [7] makes further extensions to MOAS detection based on prefix ownership. It relies on the assumption that a prefix owner is the only entity that can differentiate between real routing changes and prefix hijacking attack.  It examines routing updates from Route Views [8] and RIPE [9] repositories. If there are changes to the originator of a route, the owner of the prefix is notified through email. The system is incrementally deployable, because a prefix owner only needs to register with the PHAS server. However, the server becomes a single point of failure. If it is compromised, numerous false alarms to prefix owners will be sent out. Moreover,  the  system relies on the validity of entities registering their prefixes, and there is no protection against an adversary making a false registration. To solve this problem, Route Origin Authorizations (ROAs)  provide secure registries for resolving MOAS conflicts [10].

Pretty Good BGP (PGBGP) [11] is another alerting system. It shows misconfigurations and prefix hijacking attacks could be mitigated if routers exercise a certain amount of judgment with the routes in their routing tables. PGBGP maintains states through historical routing data to determine what routes to prefixes are normal. Any incoming routes violating these origins are flagged as suspicious for the time period shown in the data from [12].  The results of this work show that this solution may often protect ASes against hijacking attacks. An administrator deploying this solution must be cognizant of their business relationships and ensure that events causing path changes don’t affect convergence. In addition, sufficiently equipped adversaries can engineer the set of routes the system is forced to accept, in a routing equivalent of the link-cutting attack by Bellovin and Gansner [13].

[14] provides a mechanism for detecting prefix hijacking attacks in real time. The solution is based on fingerprinting techniques for networks and hosts. A number of criteria are used to characterize a particular network prefix, such as operating system of machines within a given prefix, and the identifier field within IP packets, TCP and ICMP timestamps. It takes advertised conflicting origin ASes as potential evidence of a prefix hijacking attack and compare the collected fingerprints against probes set to all origins. Differentiation between fingerprints will provide evidence that updates have been received from different originating machines, and that a newly-advertised prefix with sufficiently different characteristics is not the original network advertising a new path, but rather an adversary attempting to hijack the prefix. This approach relies on a real-time BGP UPDATE monitor, whose availability is critical. If updates are delayed, the ability to collect measures will be compromised. Subsequent work investigates how to optimally place route monitors within the Internet to maximize prefix hijacking detection coverage [15].

The Whisper protocol [16] is designed to validate the initial source of path information. Instead of providing explicit route authentication, it seeks to alert network administrators of potential routing inconsistencies. In its weakest form, a hash chain is used in a similar fashion to the cumulative authentication mechanism described in [17]. A random value is initially assigned to each prefix by the originator, which is repeatedly hashed at each hop as it is propagated from AS to AS. Received paths are validated by receiving routers by comparing received hash values. If the hash values are the same, then they must have come from the same source. Stronger protocols make the initial value more difficult to guess, using heavyweight modular exponentiation. One variant uses a construction similar to RSA [18], where a random initial value is by the AS numbers of the ASes a route traverses. Another variant, using a series of hash constructions, is complicated by the fact that only the route originator can verify the route because of the non-invertibility of secure hash functions.

References

[1] K. Butler, T. Farley, P. McDaniel, and J. Rexford, RexfordA survey of BGP Security Issues and Solutions, in Proc. IEEE, Jan, 2010.

[2] J. Hawkinson and T. Bates, Guidelines for Creation, Selection, and Registration of an Autonomous System (AS), RFC 1930, 1996.

[3] X. Zhao, D. Pei, L. Wang, D. Massey, A. Mankin, S. F. Wu, and L. Zhang, An analysis of BGP multiple origin AS (MOAS) conflicts, in Proc. ACM SIGCOMM Internet Measurement Workshop, 2001,San Francisco, CA, Nov. 2001.

[4] X. Zhao, D. Pei, L. Wang, D. Massey, A. Mankin, S. Wu, and L. Zhang, Detection of invalid routing announcement in the Internet, in IEEE DSN 2002, Washington, DC, Jun. 2002.

[5] R. Chandra, P. Traina, and T. Li, BGP Community Attribute, RFC 1997, Aug. 1996.

[6] C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, Topology-based detection of anomalous BGP messages, in Proc. 6th Symp. Recent Advances in Intrusion Detection (RAID), Sep. 2003, pp. 17–35.

[7] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang, BPHAS: A prefix hijack alert system, in Proc. 15th USENIX Security Symp., Vancouver, BC, Canada, Aug. 2006.

[8] http://www.routeviews.org/

[9] http://www.ripe.net/

[10] G. Huston and G. Michaelson, Validation of Route Origination in BGP Using the Resource Certificate PKI and ROAs,

Internet Draft, Aug. 2009.

[11] J. Karlin, S. Forrest, and J. Rexford, Autonomous security for autonomous systems, Computer Networks, Oct. 2008.

[12] R. Mahajan, D. Wetherall, and T. Anderson, Understanding BGP misconfiguration, in Proc. ACM SIGCOMM 2002, Pittsburgh, PA, Aug. 2002.

[13] S. Bellovin and E. Gansner. (2003, May). Using Link Cuts to Attack Internet Routing. [Online]. Available: http://www.cs. columbia.edu/smb/papers/reroute.pd

[14] X. Hu and Z. M. Mao, Accurate real-time identification of IP prefix hijacking, in Proc. IEEE Symp. Security and Privacy, Oakland, CA, May 2007.

[15] Y. Zhang, Z. Zhang, Z. M. Mao, Y. C. Hu, and B. M. Maggs, On the impact of route monitor selection,[ in Proc. ACM Internet Measurement Conf. (IMC), San Diego, CA, Oct. 2007.

[16] L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. Katz, Listen and Whisper: Security mechanisms for BGP, in Proc. Symp. Networked Systems Design and Implementation (NSDI), San Francisco, CA, Mar. 2004.

[17] Y. Hu, A. Perrig, and D. Johnson, Efficient security mechanisms for routing protocols, in Proc. ISOC Network and Distributed Systems Security Symp. (NDSS), San Diego, CA, Feb. 2003.

[18] R. Rivest, A. Shamir, and L. M. Adelman, BA method for obtaining digital signatures and public-key cryptosystems, Commun. ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978.

Security Analysis: Bring Your Own Device?

I had two very different internships for the past two summers, one at a investment bank technology division and one at a technical company in silicon valley. Despite other differences, one thing I remember was the attitude towards Bring Your Own Device(BYOD). In the bank, most people have their desktops at work, blackberries for checking emails and personal phones for daily uses. Most people don’t even have laptops and working from home was not a very common option. On the other hand, in the tech company, every developer has a laptop preinstalled with VPN, RSA token,  a desktop at work and their personal phone with their working email account connected. People work from home regularly once a week. The two cases are extreme but the trend of BYOD is undeniable since the prevalence of iPhone, iPad and other smartphone/tablet. People like the freedom to have their own devices and the flexibility to use various apps to increase productivity. But for IT department, BYOD is a tempting but still risky policy to adopt.

Risks:
1. Data Loss:
One of the biggest concern of BYOD is data loss protection(DLP). Before smartphone era, people don’t really carry confidential data in their devices and wander around because what they can do with a blackberry is quite limited. But now smartphone especially tablet can do complicated tasks thus increase both the power and the danger of the device. If an employee now dropped his device on a cab and someone else picked it up, it would be harder to protect the confidential data from stolen if the employee doesn’t have the required firmware installed. Another problem is that the security of portable device is relatively weak. For iPhone, many things are related to the unlock password. Once the attacker found out the password either through social engineering or simply brute force, as most people only use 4 digits for their password, could unlock the phone and potentially peak into confidential information or documents. Application like Dropbox, Google Drive or Evernote are convenient and user-friendly but probably too friendly at some point. The separation of working and personal data will be harder thus even lowering the security.

2. Malware Protection
Tons of apps in either iOS App store or Android Google play store are malicious. Those apps might exploit vulnerabilities in the system or interact with other apps in an uncontrolled way. Sandboxing of the company internal apps is important. There was a paper I read through this class about how malicious apps using ads to do evil things on behalf of other apps. Though it’s unlikely an internal app will have ads, the possibility of different apps sharing some sort of resource can still be a headache for the IT department.

3. Deployment Issue
Even some security methods are implemented, how to make sure it is deployed in every device and functioning well? The device options these days are not limited to just one but at least 3 or 4 popular ones. And operating system like android has serious fragmentation of os versions. The cost is huge but not even that effective. Cloud seems to be a very popular way to do things these days and it solves some problem such as scaling and compatibility but security is still a big concern.

From an survey by HDI, the percentage of BYOD adoption is increasing and employees are definitely happier using their own devices but when asking about the future of BYOD, only 1/3 of the companies who currently don’t have BYOD program are considering adding that in the next 12 months. I think BOYD will be the future eventually because it can potentially be a win-win situation for both companies and employees.

Reference:

https://news.citrixonline.com/wp-content/uploads/2012/04/BYOD-Hot-or-Not.pdf

http://blog.fortinet.com/byoa-brings-new-and-old-challenges-for-it/

http://www.pcpro.co.uk/features/377659/the-truth-about-byod/2

I remember when I travel abroad to Taiwan, credit card wasn’t as prevalent as it is here in the States especially outside of the metropolitan area like Taipei; thus I always need to get cash from some sketchy ATM machines in some sketchy convenience stores. I know it is not safe but I don’t always have an option. Therefore when I see articles like this, I just worry more.

From the article, the common ATM skimmer attack is replaced with a more aggressive attack that direct draws money from the ATM. The ATM being attacked had a security camera connecting via USB and the attacker somehow removed that and replaced it with a folding keyboard. He was then able to take control of the machine since the ATM is believed to use some sort of Microsoft Windows system. After rebooting the system, the attacker could then draw money from the ATM directly. Sounds like movie scene to me but the scary part is that it sounds so easy to do! It is crazy that by plugging in some USB device, the whole ATM can be taken control. Fortunately the police caught him on the spot.

Later in the article, the author talked about other skimmer devices in ATMs in hospital where people are assuming the safety of the cash machines. Apparently the hospital doesn’t hold responsibility but the machine vendor. Those skimmer devices could stay there for weeks before it would be discovered. Here is an article about the details of how a skimmer device work. It really didn’t seem too complicated.

In the end the article suggested people to withdraw money at bank branches, which is what I mostly do if I have to get some quick cash. Even then I am very aware of those machines outside of the bank. It is still possible to have skimmer devices installed there. I feel more comfortable if the machines are in a closed lobby with many security cameras. Where can people really comfortably get cash? That is a tough question.

I came across this article and found it quite interesting. As the holiday season coming, people are planning their trips and booking hotels. I won’t be surprised when a phishing email like this got many people tricked. I have to say nowadays the phisher made more efforts in luring people since people are more aware of the traditional attacks. The email is quite convincing by using popular hotel names like Four Seasons Hotel and had the sender using a seemingly legitimate website like booking.com as well as a standard confirmation format with a confirmation number and receipts as attachment. The tricky part of this email is that even people didn’t reserve any hotel or didn’t happen to plan a trip, they would click on the attachment to make sure that their credit card wasn’t charged. The psychological trick is pretty impressive in my opinion. The article warned people to be aware with any email with attachments out of blue. But even that I can still see a lot of people got caught by this type of emails.

I used to always think phishing is dumb and it won’t ever work but then I realize social engineering is actually more useful than I thought. I remember seeing my facebook friends post things that’s weird but interesting enough that made me want to click. There was one time, one of my good friend post something about weight loss. I was totally gonna click but I gave a second thought and texted her before I did that. She was confused about what I was talking about and shocked about the spam “she” sent out. Sometimes we get curious because the links are too ridiculous. Also there are some vicious facebook apps that lure people to use it and post random stuff on behalf of the users. A popular one is the one tells you the top 10 stockers. Since facebook doesn’t disclose that information, people are always curious and easily lured to apps like that.

Believe it or not, phishing works and works pretty well. Even at rice we got emails to check our accounts and 1 hour later IT sent out email warning us about phishing. Being aware is the best thing we can do but it is not enough. It will always be a battle.