Entries Tagged "hacking"

Page 64 of 68

Security and Monoculture

Interesting research.

EDITED TO ADD (8/1): The paper is only viewable by subscribers. Here are some excerpts:

Fortunately, buffer-overflow attacks have a weakness: the intruder must know precisely what part of the computer’s memory to target. In 1996, Forrest realised that these attacks could be foiled by scrambling the way a program uses a computer’s memory. When you launch a program, the operating system normally allocates the same locations in a computer’s random access memory (RAM) each time. Forrest wondered whether she could rewrite the operating system to force the program to use different memory locations that are picked randomly every time, thus flummoxing buffer-overflow attacks.

To test her concept, Forrest experimented with a version of the open-source operating system Linux. She altered the system to force programs to assign data to memory locations at random. Then she subjected the computer to several well-known attacks that used the buffer-overflow technique. None could get through. Instead, they targeted the wrong area of memory. Although part of the software would often crash, Linux would quickly restart it, and get rid of the virus in the process. In rare situations it would crash the entire operating system, a short-lived annoyance, certainly, but not bad considering the intruder had failed to take control of the machine.

Linux computer-security experts quickly picked up on Forrest’s idea. In 2003 Red Hat, the maker of a popular version of Linux, began including memory-space randomisation in its products. “We had several vulnerabilities which we could downgrade in severity,” says Marc J. Cox, a Red Hat security expert.

[…]

Memory scrambling isn’t the only way to add diversity to operating systems. Even more sophisticated techniques are in the works. Forrest has tried altering “instruction sets”, commands that programs use to communicate with a computer’s hardware, such as its processor chip or memory.

Her trick was to replace the “translator” program that interprets these instruction sets with a specially modified one. Every time the computer boots up, Forrest’s software loads into memory and encrypts the instruction sets in the hardware using a randomised encoding key. When a program wants to send a command to the computer, Forrest’s translator decrypts the command on the fly so the computer can understand it.

This produces an elegant form of protection. If an attacker manages to insert malicious code into a running program, that code will also be decrypted by the translator when it is passed to the hardware. However, since the attacker’s code is not encrypted in the first place, the decryption process turns it into digital gibberish so the computer hardware cannot understand it. Since it exists only in the computer’s memory and has not been written to the computer’s hard disc, it will vanish upon reboot.

Forrest has tested the process on several versions of Linux while launching buffer-overflow attacks. None were able to penetrate. As with memory randomisation, the failed attacks would, at worst, temporarily crash part of Linux – a small price to pay. Her translator program was a success. “It seemed like a crazy idea at first,” says Gabriel Barrantes, who worked with Forrest on the project. “But it turned out to be sound.”

[…]

In 2004, a group of researchers led by Hovav Shacham at Stanford University in California tried this trick against a copy of the popular web-server application Apache that was running on Linux, protected with memory randomisation. It took them 216 seconds per attack to break into it. They concluded that this protection is not sufficient to stop the most persistent viruses or a single, dedicated attacker.

Last year, a group of researchers at the University of Virginia, Charlottesville, performed a similar attack on a copy of Linux whose instruction set was protected by randomised encryption. They used a slightly more complex approach, making a series of guesses about different parts of the randomisation key. This time it took over 6 minutes to force a way in: the system was tougher, but hardly invulnerable.

[…]

Knight says that randomising the encryption on the instruction set is a more powerful technique because it can use larger and more complex forms of encryption. The only limitation is that as the encryption becomes more complicated, it takes the computer longer to decrypt each instruction, and this can slow the machine down. Barrantes found that instruction-set randomisation more than doubled the length of time an instruction took to execute. Make the encryption too robust, and computer users could find themselves drumming their fingers as they wait for a web page to load.

So he thinks the best approach is to combine different types of randomisation. Where one fails, another picks up. Last year, he took a variant of Linux and randomised both its memory-space allocation and its instruction sets. In December, he put 100 copies of the software online and hired a computer-security firm to try and penetrate them. The attacks failed. In May, he repeated the experiment but this time he provided the attackers with extra information about the randomised software. Their assault still failed.

The idea was to simulate what would happen if an adversary had a phenomenal amount of money, and secret information from an inside collaborator, says Knight. The results pleased him and, he hopes, will also please DARPA when he presents them to the agency. “We aren’t claiming we can do everything, but for broad classes of attack, these techniques appear to work very well. We have no reason to believe that there would be any change if we were to try to apply this to the real world.”

EDITED TO ADD (8/2): The article is online here.

Posted on August 1, 2006 at 6:26 AMView Comments

Bot Networks

What could you do if you controlled a network of thousands of computers—or, at least, could use the spare processor cycles on those machines? You could perform massively parallel computations: model nuclear explosions or global weather patterns, factor large numbers or find Mersenne primes, or break cryptographic problems.

All of these are legitimate applications. And you can visit distributed.net and download software that allows you to donate your spare computer cycles to some of these projects. (You can help search for Optimal Golomb Rulers—even if you have no idea what they are.) You’ve got a lot of cycles to spare. There’s no reason that your computer can’t help search for extraterrestrial life as it, for example, sits idly waiting for you to read this essay.

The reason these things work is that they are consensual; none of these projects download software onto your computer without your knowledge. None of these projects control your computer without your consent. But there are lots of software programs that do just that.

The term used for a computer remotely controlled by someone else is a “bot”. A group of computers—thousands or even millions—controlled by someone else is a bot network. Estimates are that millions of computers on the internet today are part of bot networks, and the largest bot networks have over 1.5 million machines.

Initially, bot networks were used for just one thing: denial-of-service attacks. Hackers would use them against each other, fighting hacker feuds in cyberspace by attacking each other’s computers. The first widely publicized use of a distributed intruder tool—technically not a botnet, but practically the same thing—was in February 2000, when Canadian hacker Mafiaboy directed an army of compromised computers to flood CNN.com, Amazon.com, eBay, Dell Computer and other sites with debilitating volumes of traffic. Every newspaper carried that story.

These days, bot networks are more likely to be controlled by criminals than by hackers. The important difference is the motive: profit. Networks are being used to send phishing e-mails and other spam. They’re being used for click fraud. They’re being used as an extortion tool: Pay up or we’ll DDoS you!

Mostly, they’re being used to collect personal data for fraud—commonly called “identity theft.” Modern bot software doesn’t just attack other computers; it attacks its hosts as well. The malware is packed with keystroke loggers to steal passwords and account numbers. In fact, many bots automatically hunt for financial information, and some botnets have been built solely for this purpose—to gather credit card numbers, online banking passwords, PayPal accounts, and so on, from compromised hosts.

Swindlers are also using bot networks for click fraud. Google’s anti-fraud systems are sophisticated enough to detect thousands of clicks by one computer; it’s much harder to determine if a single click by each of thousands of computers is fraud, or just popularity.

And, of course, most bots constantly search for other computers that can be infected and added to the bot network. (A 1.5 million-node bot network was discovered in the Netherlands last year. The command-and-control system was dismantled, but some of the bots are still active, infecting other computers and adding them to this defunct network.)

Modern bot networks are remotely upgradeable, so the operators can add new functionality to the bots at any time, or switch from one bot program to another. Bot authors regularly upgrade their botnets during development, or to evade detection by anti-virus and malware cleanup tools.

One application of bot networks that we haven’t seen all that much of is to launch a fast-spreading worm. (Some believe the Witty worm spread this way.) Much has been written about “flash worms” that can saturate the internet in 15 minutes or less. The situation gets even worse if 10 thousand bots synchronize their watches and release the worm at exactly the same time. Why haven’t we seen more of this? My guess is because there isn’t any profit in it.

There’s no real solution to the botnet problem, because there’s no single problem. There are many different bot networks, controlled in many different ways, consisting of computers infected through many different vulnerabilities. Really, a bot network is nothing more than an attacker taking advantage of 1) one or more software vulnerabilities, and 2) the economies of scale that computer networks bring. It’s the same thing as distributed.net or SETI@home, only the attacker doesn’t ask your permission first.

As long as networked computers have vulnerabilities—and that’ll be for the foreseeable future—there’ll be bot networks. It’s a natural side-effect of a computer network with bugs.

This essay originally appeared on Wired.com.

EDITED TO ADD (7/27): DDOS extortion is a bigger problem than you might think. Right now it’s primarily targeted against fringe industries—online gaming, online gambling, online porn—located offshore, but we’re seeing more and more of against mainstream companies in the U.S. and Europe.

EDITED TO ADD (7/27): Seems that Witty was definitely not seeded from a bot network.

Posted on July 27, 2006 at 6:35 AMView Comments

Hacked MySpace Server Infects a Million Computers with Malware

According to The Washington Post:

An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows….

Clever attack.

EDITED TO ADD (7/27): It wasn’t MySpace that was hacked, but a server belonging to the third-party advertising service that MySpace uses. The ad probably appeared on other websites as well, but MySpace seems to have been the biggest one.

EDITED TO ADD (8/5): Ed Felten comments.

Posted on July 24, 2006 at 6:46 AMView Comments

Paris Bank Hack at Center of National Scandal

From Wired News:

Among the falsified evidence produced by the conspirators before the fraud unraveled were confidential bank records originating with the Clearstream bank in Luxembourg, which were expertly modified to make it appear that some French politicians had secretly established offshore bank accounts to receive bribes. The falsified records were then sent to investigators, with enough authentic account information left in to make them appear credible.

Posted on July 17, 2006 at 6:42 AMView Comments

Identity Theft and Methamphetamines

New trend or scary rumor?

When methamphetamine proliferated more recently, the police and prosecutors at first did not associate it with a rise in other crimes. There were break-ins at mailboxes and people stealing documents from garbage, Mr. Morales said, but those were handled by different parts of the Police Department.

But finally they connected the two. Meth users—awake for days at a time and able to fixate on small details—were looking for checks or credit card numbers, then converting the stolen identities to money, drugs or ingredients to make more methamphetamine. For these drug users, Mr. Morales said, identity theft was the perfect support system.

Supposedly meth users are ideally suited to be computer hackers:

For example, crack cocaine or heroin dealers usually set up in well-defined urban strips run by armed gangs, which stimulates gun traffic and crimes that are suited to densely populated neighborhoods, including mugging, prostitution, carjacking and robbery. Because cocaine creates a rapid craving for more, addicts commit crimes that pay off instantly, even at high risk.

Methamphetamine, by contrast, can be manufactured in small laboratories that move about suburban or rural areas, where addicts are more likely to steal mail from unlocked boxes. Small manufacturers, in turn, use stolen identities to buy ingredients or pay rent without arousing suspicion. And because the drug has a long high, addicts have patience and energy for crimes that take several steps to pay off.

[…]

“Crack users and heroin users are so disorganized and get in these frantic binges, they’re not going to sit still and do anything in an organized way for very long,” Dr. Rawson said. “Meth users, on the other hand, that’s all they have, is time. The drug stimulates the part of the brain that perseverates on things. So you get people perseverating on things, and if you sit down at a computer terminal you can go for hours and hours.”

And there’s the illegal alien tie-in:

“Look at the states that have the highest rates of identity theft—Arizona, Nevada, California, Texas and Colorado,’’ Mr. Morales said. “The two things they all have in common are illegal immigration and meth.”

I have no idea if any of this is actually true. But I do know if the drug user-identity thief connection story has legs, Congress is likely to start paying much closer attention.

Posted on July 12, 2006 at 1:32 PMView Comments

WiFi Driver Attack

In this attack, you can seize control of someone’s computer using his WiFi interface, even if he’s not connected to a network.

The two researchers used an open-source 802.11 hacking tool called LORCON (Loss of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.

Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).

The two researchers declined to disclose the specific details of their attack before the August 2 presentation, but they described it in dramatic terms.

“This would be the digital equivalent of a drive-by shooting,” said Maynor. An attacker could exploit this flaw by simply sitting in a public space and waiting for the right type of machine to come into range.

The victim would not even need to connect to a network for the attack to work.

No details yet. The researchers are presenting their results at BlackHat on August 2.

Posted on July 6, 2006 at 1:52 PMView Comments

Schneier Asks to Be Hacked

Maybe I shouldn’t have said this:

“I have a completely open Wi-Fi network,” Schneier told ZDNet UK. “Firstly, I don’t care if my neighbors are using my network. Secondly, I’ve protected my computers. Thirdly, it’s polite. When people come over they can use it.”

For the record, I have an ultra-secure wireless network that automatically reports all hacking attempts to unsavory men with bitey dogs.

Posted on June 28, 2006 at 1:23 PMView Comments

$1M VoIP Scam

Lots of details.

The basic service that Pena provided is not uncommon. Telecommunications brokers often buy long-distance minutes from carriers—especially VoIP carriers—and then re-sell those minutes directly to customers. They make money by marking up the services they buy from carriers.

Pena sold minutes to customers, but rather than buy the minutes, he instead decided to hack into the Internet phone company networks, and route calls over those networks surreptitiously, say prosecutors. So he had to pay virtually no costs for providing phone service.

Posted on June 13, 2006 at 2:15 PMView Comments

Computer-Controlled Fasteners

It’s a really clever idea: bolts and latches that fasten and unfasten in response to remote computer commands.

What Rudduck developed are fasteners analogous to locks in doors, only in this case messages are sent electronically to engage the parts to lock or unlock. A quick electrical charge triggered remotely by a device or computer may move the part to lock, while another jolt disengages the unit.

Instead of nuts and bolts to hold two things together, these fasteners use hooks, latches and so-called smart materials that can change shape on command.The first commercial applications are intended for aircraft, allowing crews to quickly reshape interiors to maximize payload space. For long flights, the plane may need more high-cost business-class seats, while shorter hauls prefer a more abundant supply of coach seats.

Pretty clever, actually. The whole article is interesting.

But this part scares me:

A potential security breach threat apparently doesn’t exist.

“I wondered what’s to prevent some nut using a garage door opener from pushing the right buttons to make your airplane fall apart,” said Harrison. “But everything is locked down with codes, and the radio signals are scrambled, so this is fully secured against hackers.”

Clearly this Harrison guy knows nothing about computer security.

EDITED TO ADD: Slashdot has a thread on the topic.

Posted on April 3, 2006 at 12:57 PMView Comments

1 62 63 64 65 66 68

Sidebar photo of Bruce Schneier by Joe MacInnis.