A graduate seminar: current topics in computer security
 

Posts Tagged ‘Article’


Distributed denial of service attacks as a commercial service

December 6th, 2012 by Martha

Earlier in the semester, the paper we presented proposed that the botmasters running Torpig operated it as a commercial service. While DDoS was probably only a small subset of the services Torpig’s botmasters offered, this article at TechWeekEurope looks into the whos and whys of commercial DDoS services. It has a couple of pictures of advertisements offering DDoS, plus links to some ridiculous YouTube advertisements, both of which are hilarious in an ‘I’m still in high school and think I am the 1337est ever’ sort of way. Most of the evidence feels anecdotal, but it seems likely enough.

So what kinds of people run botnet DDoS services? One interviewed DDoS provider claimed to be 17 and a computer science student, and his behavior (taking down a 1337 hax00r forum for thirty seconds to prove who he was) certainly makes him sound like he’s still in high school. The other interviewees were more careful about just who they were, though, so more professional criminals appear to offer these services as well.

Targets vary. Anonymous protests are often in the news, but ‘hacktivists’ aren’t the only DDoS customers. Gwapo’s DDoS service advertises that “rivals, haters, they are to go down” and “If you want your business competitors to go down”, you should hire them, indicating that individuals want to DDoS smaller websites for petty personal attacks or to take out a business competitor. DDoS dealers can also hold online businesses for ransom – pay up or get taken down. Therefore, just about anyone with an online presence could be a target.

Article: SSL Vulnerabilities Found in Critical Non-Browser Software Packages

October 25th, 2012 by Martha

Michael Mimoso’s article today at Threat Post summarized a recent ACM CCS ’12 paper that examined just how well SSL certificate validation is implemented in a variety of applications. (Hint: not well.)

From the paper:
“SSL certificate validation is completely broken in many critical software applications and libraries” – so broken that “any SSL connection from any of these programs is insecure against a man-in-the-middle attack” [1].

Much of the affected software the paper’s authors found dealt with money – e.g. Amazon and PayPal. However, the worst bug award goes to Chase’s Android mobile banking app, as even some guy with an evil Wi-Fi access point can steal Chase banking credentials.

The article does an OK job of covering the paper, but it does say some silly things – like “the death knell for SSL is getting louder” [2]. The SSL protocol itself is fine. Even the libraries implementing SSL are fine [1]. Instead, the paper claims that poorly designed developer-facing SSL library APIs are at fault, as they “expose low-level details of the SSL protocol” that confuse developers. The article also ignores the helpful advice section at the end of the paper for developers.

While the paper itself is solid, several readers disagreed that the whole API is at fault.

Comments left on the article’s Slashdot post [3] brought up the fact that many SSL libraries, such as OpenSSL, are poorly documented, and that the whole API might not totally be at fault. Additionally, a comment on the article further highlights that “this isn’t a problem with the SSL API” – instead, it is a “problem with the lack of a standard mechanism” for SSL certificate management – the API “provides hooks for connecting to a certificate manager instead of providing” one.
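To make the paper’s point concrete, here is an added example (not code from the paper, the article, or any of the applications they examined) using Python’s standard `ssl` module. It shows the two settings whose absence produces exactly the “any SSL connection is insecure against a man-in-the-middle” condition quoted above: chain verification (`verify_mode`) and hostname checking (`check_hostname`), which low-level APIs expose separately and let a developer switch off one at a time. It also shows the “hook instead of a manager” complaint from the comment: `load_verify_locations` is the hook for a private CA, but the library does not decide which trust store you get unless you start from `create_default_context()`. The function and variable names are my own; nothing here connects to the network unless you call `verified_connect` yourself.

```python
import socket
import ssl
from typing import List, Optional


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings describing why CTX would accept a man-in-the-middle.

    An empty list means both halves of certificate validation are on:
    the chain is verified against a trust store AND the leaf certificate's
    name is matched against the host we intended to reach.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        # The classic bug from the paper: the handshake completes with any
        # certificate, including one an attacker minted a minute ago.
        findings.append("verify_mode=CERT_NONE: server certificate chain is never checked")
    if not ctx.check_hostname:
        # The subtler bug: the chain is valid, but it is valid for some other
        # host, so any legitimately issued certificate impersonates this one.
        findings.append("check_hostname=False: a valid certificate for any host is accepted")
    return findings


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context the safe way: start from the library defaults.

    create_default_context() turns on CERT_REQUIRED and check_hostname and
    loads the platform trust store.  CAFILE (optional, assumed to be a PEM
    bundle for a private CA) is added on top via the load_verify_locations
    hook; this is the "hook, not a manager" the Slashdot comment describes.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The 'before' picture: a context with validation explicitly disabled.

    Developers reach this state by pasting a snippet that makes a certificate
    error go away.  Older protocol constants (e.g. PROTOCOL_TLS) arrived in
    this state by default, which is the API-design problem the paper blames.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_connect(host: str, port: int = 443,
                     ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a TLS connection, refusing to proceed with a weakened context.

    Passing server_hostname=host is what enables SNI and hostname matching;
    omitting it is another way applications in the paper lost validation.
    """
    ctx = ctx if ctx is not None else make_client_context()
    findings = audit_client_context(ctx)
    if findings:
        raise ValueError("refusing insecure TLS context: " + "; ".join(findings))
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("default context findings:", audit_client_context(make_client_context()))
    print("weakened context findings:", audit_client_context(weakened_context()))
```

Running the script offline prints an empty finding list for the default context and two findings for the weakened one; `verified_connect` raises before touching the network if handed the weakened context, which is the check a code reviewer would want wrapped around every `wrap_socket` call.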

More cool stuff related to the paper can be found at Georgiev’s website under Publications here: https://www.cs.utexas.edu/~georgiev/publications.php.

[1] M. Georgiev, R. Anubhai, S. Iyengar, D. Boneh, S. Jana, V. Shmatikov. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. ACM CCS 2012. http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

[2] http://threatpost.com/en_us/blogs/ssl-vulnerabilities-found-critical-non-browser-software-packages-102512

[3] http://it.slashdot.org/story/12/10/25/2020223/ssl-holes-found-in-critical-non-browser-software