Terrorists are Invading Your Virtual Worlds

It's a fairly common occurrence, you're sitting around playing some World of Warcraft, you might be grinding for gear in an instance, or maybe just questing your way to level 70, when suddenly you see a suspicious character nearby on the map. His behavior is odd, erratic, shifty perhaps. Initially you think he's a gold farmer, his actions merely scripted by countless hours of repetitive motions, but then another possibility surfaces. Maybe this is a terrorist, clothed in the guise of a Horde character, but behind his beady, computer-animated eyes lies the mind of a madman, silently planning nefarious acts with his guildmate cohorts...

Or at least, that's apparently what some people think.

According to a presentation at the Summer Hard Problems (SHARP) workshop by Dr. Dwight Toavs of the National Defense University, the menacing figure to the left could very well be a terrorist using the virtual landscape of World of Warcraft to meet up with his co-conspirators and plan attacks in the real world.

Have you seen a character matching the description of this known henchman to the left? Then you, too, may have been just pixels away from terrorist activity, and never known about it...

For the past year or so research and interest in virtual worlds has been increasing, with a number of large companies jumping in to the mix. Corporate interest has primarily been about marketing, and potentially about information dissemination, even as an internal tool. This interest in virtual worlds, such as Second Life and World of Warcraft, also increased interest in the military arena as a tactical tool. With games like Second Life, and especially like the Battlefield 2: Project Reality Mod, that model real-world environments, using inexpensive video games as a method of tactical and strategic training seems to be a win-win.

As the interest in virtual worlds has increased, so have the questions about security in these worlds. What if people are using these distributed virtual environments to plan illegal activities, and if it is happening, what is the best way to monitor or stop it? Does the problem sound familiar? It should, it's been the problem since law enforcement realized that there's a massive global distributed information network with no real authentication that anyone can join and use to talk to anyone else.

It's called the Internet, and while it may just be a series of tubes, it's a pretty efficient tool for planning your next event. Whether it's dinner Wednesday night, a party this weekend or a terrorist attack, the Internet is a perfect tool for distributed planning. As the network grows and more resources are added (Google Maps for satellite imagery, Flickr for detailed photos of an area, digitized libraries for documents, etc.) the easier it becomes to plan any activity in great detail.

So what's the difference between virtual worlds as a communication medium for terrorism and all the other previous worries? Novelty, and nothing more. Virtual worlds as a platform for terrorist planning is incredibly unlikely for various reasons. The same worries have come up with every new Internet technology: free webmail, instant messaging, message boards, blogs, and the list goes on. There are a thousand ways to communicate information anonymously over the Internet and, if you've already got a code worked out ahead of time, almost no way to detect a signal within all the noise. Even assuming a government/law enforcement agency could monitor every Internet communication, there's not even a probable way to know that "I passed my test" on someone's Facebook account isn't code for "The attack is to go as planned".

The Case Against Virtual World Terrorism

But that isn't even the best reason. The real reason that terrorists wouldn't use World of Warcraft as a method of planning an attack is that there are better, easier ways to communicate globally and securely, without worry of the government eavesdropping on you. They already exist, are already in use, and we've been developing new and better ways of doing it for the past 50 years.

Modern digital encryption has been advancing by leaps and bounds since World War 2, it's now all over the place, freely available for download and use from various sites on the Internet. Commercial versions of software such as PGP (and free alternatives, such as GPG) provide disk and email encryption for the masses. The advent of public key infrastructure allows completely secure communication, without exchanging any kind of information beforehand, with complete strangers right out of the box. Encryption algorithms are studied by experts for years, in some cases, to try and find weaknesses and create attacks against them.

In some cases, encryption is built transparently into newer applications. Instant messaging clients like Pidgin (available for Linux and Windows) and Adium (for Mac OSX) come with encryption software already installed. In Pidgin's software a single click will request an OTR (Off The Record) session with another user. The software handles the creation and exchange of all keys and, from that point on, your conversation is encrypted and secure. Even more transparent is Adium, which will automatically encrypt your conversations as long as both users have software that handles encryption. You might be encrypting your instant message conversations and never even know.

But what does it all mean? There are methods of secure communication that are considerably easier, and allow you to leave no trace of communication behind. These methods are free and readily available. If your goal was to have secure communications, what possible reason would you have for opting for a less secure, more complicated solution, such as planning an attack on a public server, run by an American corporation, where you have no idea who might be listening? To make it even worse, World of Warcraft requires a subscription fee, which means that somewhere there is a financial trail to follow. Sure you might use a stolen credit card, or pay cash for a one-time use credit card, but that still generates a trail for someone to follow. Why take the risk?

Comparison

There are 2 methods that could easily be used for secure communications, so let's compare them and see how they stack up to using a virtual world for the same thing. For this comparison, let's say that two parties want to have a private conversation and also transfer files to one another (possibly some maps) and they don't want anyone to be able to read their conversation or know the contents of their files.

Method 1: Encrypted IM (using Pidgin's OTR or Adium)

Pros:

• Encryption is done using PKI, so no exchange of keys is needed
• Supports encrypting communication and files
• Software is free, all you need is an Internet connection
• No way of determining the content of the conversation from listening to the traffic

Cons:

• Government may be able to crack the encryption (no way to know for sure)
• A rootkit on your computer will reveal your conversation

Ease of Use: Falling Down Stairs

Any method that uses encryption has the potential that a government agency may have a backdoor in the algorithm, or may have the ability to crack the encryption. It seems fairly unlikely that it's possible, but to be fair, there's no real way to know. Of course, your only other options are writing your own encryption algorithm that you know doesn't have a backdoor (you don't have enough PhDs to do this) or transmitting without encryption.

Method 2: Encrypted Email with PGP or GPG

Pros:

• Encryption is done using PKI
• Supports encrypting communication and files
• Software is free and integrates with mail client
• No way of determining the content of the conversation from listening to traffic

Cons:

• A rootkit on your computer can reveal your conversation
• PKI key exchange is handled more manually, which makes it slightly more difficult

Ease of Use: Making microwavable popcorn (in some cases the microwave will have a short in the wire, though)

Same comment as above, with regards to encryption. And, as a side note, a rootkit installed on a computer will reveal half of the conversation (all the things that you type) but wouldn't, necessarily, reveal the entire conversation.

Method 3: World of Warcraft

Pros:

• Large player base may make it difficult to track individual actions or conversations

Cons:

• All communication is sent in cleartext
• You have no idea what happens to those conversations once they hit the owner's servers
• You must have codewords agreed on before getting into the world (so you can pass messages without being flagged by other players or admins)
• You have no idea who else is listening to your conversations
• There is no support for sending files of any kind, so all other information has to be sent outside the game
• Requires monthly payment, which might create a financial trail to follow

Ease of Use: Boiling an Egg (slight learning curve)
Addictiveness of Communication Medium: Crack mixed with Black Tar Heroin cut with lines of Ecstacy

There are so many gaps in knowledge about communicating in a virtual world I wouldn't communicate about a kid's soccer game on WoW because I have no idea who might be listening in, let alone something actually important. Plus, as you can see from the comparison, the overall addictiveness of WoW really dilutes it's usefulness as a serious communication tool. You can't be out destroying things if your guild is doing another run this weekend and you really need that epic armor!

But, in short, terrorists are, by definition, individuals that are attempting to break the law and cause harm to individuals. It is in their best interest to keep their communications as private, and deniable, as possible. It goes completely against those principles to use a public game to try and communicate about an illegal activity.

Return to your games, citizens, you're safe from terrorists there.

New Theme

So I haven't died, or forgotten that there's a blog here that I'm supposed to be maintaining, but it's been a bit busy of late.

We're planning a demo in the DC area of a cyber exercise for some military and industry folks for the middle of next week. We added some new features to our Scorebot, including some very cool real traffic generation features. Working on adding some more cool things to our ICE II games at SANS Las Vegas at the end of this month. We got interviewed by Pauldotcom last night about ICE II for the upcoming podcast, as well. I also got accepted to grad school (starting at Drexel University in the Spring), so it's been fun getting all that squared away.

So, in short, it's busy but don't worry, I hope to have some decent posts for next week (in between preparing for the demo, if I can). I was getting a little tired of the old blog theme, so I decided to change it up. I'm not totally sold on this blue gradient look, so if you have any feelings one way or the other let me know.

(If you get these updates via email or feed reader, then you'll have no idea what I'm talking about.)

Arsenic and Updates

So it's a typical morning at the office. You come in to work, get your coffee, turn on your computer and wait for it to boot up. Your computer comes up, you install some updates your computer says are necessary, then you open your favorite email client and start sifting through the emails that have started to stack up. Or, at least, it was a normal day, because somewhere in those tasks your computer just got owned and now has a trojan installed, and you are none the wiser.

So where was it? Well, using a new tool released by an Argentinian security company, Infobyte Security Research, called evilgrade (a play on upgrade), you just got owned by updating your software. Evilgrade is not a direct attack, in and of itself, it works in conjunction with other man-in-the-middle style attacks, such as ARP spoofing and DNS cache poisoning or DHCP spoofing. But Evilgrade does the heavy lifting for you.

How Does It Work?

I was working for the college that I attended during the fun that was the Blaster worm. Even more fun, was that Blaster really started to hit hard on move-in weekend. Move-in weekend is the time when everybody takes 35 minutes to jam all their stuff into their room so they can go catch up with their friends, and one of the first things they do is hook up their computers. Incoming freshmen, more than any other, want to hook up their computers. For one, they frequently have a brand new computer they want to unbox, and for another, they have heard the myth of the campus network for years and are now ready to try it out. Blazing fast speeds, all the files you could dream of, a paradise of wonderful free information and glorious data for the taking.

Our campus, for primarily political reasons, didn't have any kind of network access control. Everybody (save a few individuals for administrative reasons) was allowed to access the network, no software installs, no questions asked. You plug in, you get on the network. About 3 weeks before move-in weekend Blaster started to hit companies hard, and the support staff started to get nervous. Some people thought that the Blaster thing wouldn't hit us very hard (that could never happen here!), so forcing users to install software was denied. The only thing that was allowed, in riot-police fashion, was that each dorm was separated into its own VLAN. So a single Blaster infection wouldn't take down the entire residential network, only the one building it was in. Which means that a single user now takes down a building, instead of a campus.

10 dorms means we needed 10 users. 10 users that took their computers home after the Spring semester, and hadn't patched during the 3 months of summer. 10 users that bought their new computer before new Windows machines started shipping with the patch (about a month before move-in) and hadn't patched since they bought it. Yeah, we got those 10 users. Working that weekend was like watching a plague take over a small city, and in typical zombie metaphor, all we could do was close the gates and watch the computers devour one another (for further reference see Doomsday, I Am Legend, Resident Evil: Apocalypse).

Ummm...what?

No, stick with me, the story is relevant, I swear.

I learned a lot about patching Windows machines over the next month.  The solution, in case you're curious, was to kick every user off the network and have a staff member go around to every machine with the patches and verify that the patch was installed before the user was allowed on the network. Labs were kept open so that students could still check email and do work while they waited for the staff to make the rotations to their dorm. But what I learned is that you can't install patches on a Windows system unless the Cryptographic Service is running. This was relevant because some of the systems had become so trashed that vital services, like the Cryptography Service wouldn't start. Without that service Windows can't verify whether a patch you want to install is real or fake, and it therefore won't let you install a patch without it.

When I first realized this, I wondered whether it was common practice to digitally sign updates in that way. Turns out it isn't. And that's what Evilgrade takes advantage of.

So...How's it Really Work?

Right. The update process is really pretty simple. Most software packages that have an online update feature keep a file on their servers with the current versions of their software. When your software checks for a new version it looks something like this:

1. Download current version file from online server
2. Check the version number in the file and see if it's greater than the current version
3. If it is, tell the user there is an update to download
4. If not, do nothing

So, if you can control the file that is returned to the client, you can trick it into believing that there is always an update. The client, trusting this information, downloads and installs whatever file is referenced, which in the malicious case is now a trojan.

Is this really a problem, though? Here are the applications that are supported in this initial release of Evilgrade:

• Java plugin
• Winzip
• Winamp
• MacOS
• Openoffice
• iTunes
• Linkedin Toolbar
• DAP [Download Accelerator Plus]
• Notepad++
• Speedbit

Even Mac OS, which actually does use code signing, is vulnerable to this tool due to another vulnerability made public last year.

Ramifications

So how had is it really? Well, there are a couple reasons why a tool like this is bad.

• Current DNS craziness.

Dan Kaminsky's new DNS attack (being released more completely at Blackhat) has been talked about for the past 3 weeks or so on any number of security sites and news. The attack allows for easier DNS cache poisoning attacks, and now there's a tool that leverages this to make updating your system actually infect your system.

So until all the major DNS hosts update their servers to patch the vulnerability, this tool could be very effective.

• Peace of MInd Issues.

The one thing that all the security pros tell you to do is patch your software. The one thing that people always say as their "catch-all" response is: "Patch your systems, update your antivirus definitions". Even the people who know it's bs frequently still say it. And now there's a tool that completely reverses that. If somebody has access to your internal network, or can poison a DNS server you talk to, updating your computer every day could be what gets you.

Is it really likely that this tool will start infecting people all over the place with poisoned updates? Probably not, but it's a cool concept nonetheless.

Evilgrade is available for download over here. A nice demo video from the author is also available here.

Truecrypt 6

The news is pretty old by now, but since I mentioned the previous version, and the news is still pretty cool I decided I would post about it anyway. Over the July 4th weekend the newest version of the popular personal encryption software, Truecrypt, was released.

The newest version, 6.0a as of this writing, has some serious improvements (especially for Windows users). Truecrypt 6 takes advantage of multi-core processors to do parallelized encryption/decryption computations, so anyone with a newer computer should definitely upgrade to this newest version. But the absolute coolest thing about Truecrypt 6 is a new feature that's been added, and it's straight out of James Bond. I'll let them tell you about it (from the official changelog):

• Ability to create and run an encrypted hidden operating system whose existence is impossible to prove (provided that certain guidelines are followed).  For more information, see the section Hidden Operating System.   (Windows Vista/XP/2008/2003)
           
  For security reasons, when a hidden operating system is running, TrueCrypt ensures that all local unencrypted filesystems and non-hidden TrueCrypt volumes are read-only. (Data is allowed to be written to filesystems within hidden TrueCrypt volumes.)
         
  Note: We recommend that hidden volumes are mounted only when a hidden operating system is running. For more information, see the subsection Security Precautions Pertaining to Hidden Volumes.

What does that mean, exactly? Truecrypt has added the ability to install an encrypted operating system...within an encrypted volume. With the caveat "provided that certain guidelines are followed", this means that you can have a completely hidden operating system within an operating system on your computer. Completely encrypted and impossible to prove that it exists, based on cryptographic principles.

The caveat introduces the one wrinkle in the whole process. An operating system is hidden inside an encrypted drive. Cool. It's impossible to tell what it's inside the encrypted drive (thanks to the encryption), and it's also impossible to even prove that an encrypted drive exists (because encryption appears to be random data, usually). Still cool. But in order to boot an operating system you need to have a boot loader that understands the operating system, and in this case one that also understands how to decrypt the hidden partition. This means that you have to store the unencrypted boot loader on your hard drive somewhere. Uh oh.

Having an unencrypted bootloader on your hard drive would lead to the conclusion that you have an encrypted operating system. Once they know the bootloader is there they can compel you to give up your password (where you are and what the situation is determines how you might be compelled). But either way, you're stuck. If you're in the US, and you refuse to give up your password, you go to jail. If you're refusing to give up your password because there is illegal material on the laptop, then you're in quite a bind.

But don't worry, because Truecrypt, in typical 'Q from James Bond fashion' has got your back. What do you do if your adversary knows you have a password, and they can compel you to give it up? You create a duress password to be used in case of emergency. Where have you heard that before? In any number of spy movies, for example The Bourne Ultimatum. Again, I'll just let the Truecrypt guys explain (from the Hidden Operating Systems section of the documentation):

...to provide a plausible explanation for the presence of the TrueCrypt Boot Loader, the TrueCrypt wizard creates a second encrypted operating system, so-called decoy operating system, during the process of creation of a hidden operating system. A decoy operating system must not contain any sensitive files. Its existence is not secret (it is not installed in a hidden volume). The password for the decoy operating system can be safely revealed to anyone forcing you to disclose your pre-boot authentication password.*

You should use the decoy operating system as frequently as you use your computer. Ideally, you should use it for all activities that do not involve sensitive data. Otherwise, plausible deniability of the hidden operating system might be adversely affected (if you revealed the password for the decoy operating system to an adversary, he could find out that the system is not used very often, which might indicate the existence of a hidden operating system on your computer). Note that you can save data to the decoy system partition anytime without any risk that the hidden volume will get damaged (because the decoy system is not installed in the outer volume —  see below).

There will be two pre-boot authentication passwords — one for the hidden system and the other for the decoy system. If you want to start the hidden system, you simply enter the password for the hidden system in the TrueCrypt Boot Loader screen (which appears after you turn on or restart your computer). Likewise, if you want to start the decoy system (for example, when asked to do so by an adversary), you just enter the password for the decoy system in the TrueCrypt Boot Loader screen.

You too can be a super-secret spy, complete with self-detonating laptops, dangerous liaisons and foreign rendezvous setups.

Other Links

• Bruce Schneier and a team of researchers released a paper detailing some information leakage issues they found in Truecrypt's denial file system implementation. Most of the issues regarded automatically linking and saving done by some applications. Truecrypt's team responded that the newest version's hidden operating system feature addresses many of these concerns.

• A step-by-step article on securing your USB thumb drives with Truecrypt 6
  

The Internet: An Inanimate Superhero

I've been talking about writing this post for a few weeks now and have finally gotten around to writing everything down and gathering up all the links (or at least, the ones that I could find) to share.

NOTE: If you got here by way of a search engine, the site discussed below is the White Wolf Security home page.

First, some quick background. About a month and a half ago we had a small glitch with our previous web hosting company. The small glitch was pretty simple, we used one company for the hosting of the website, but we manage our DNS entries independently of the web hosting company. Our web hosting company had a security incident (read: got hacked) and decided to use the incident to move some things around on their network to increase security. Not a problem, networks change all the time. Except, of course, that they didn't let us know ahead of time that maintenance was going to be occurring, and that the IP address of our web server would be changing as well.

The majority of their clients manage their DNS with the hosting company. So for all those customers the transition was seamless, as the hosting company just updated their DNS records. But they didn't have access to our records, so our site went down and we weren't told ahead of time, we only found out (on a Saturday, no less) when somebody checked the site and started to dig into why it wasn't responding. So, in light of that incident, we decided to shift our web hosting to a different provider.

Here's where the fun starts. The pages on the old site were written in ASP.NET, even though there was no dynamic content on the site. The new host uses Apache and supports PHP. So the translation and cleanup from ASP pages to PHP fell to me. But this is not a problem, because there was a well-known "secret" around the office about the old website. I hated it.

Not the site itself: it was very visually appealing (if you remember the site before, most of the graphics haven't changed), but the actual code of the page made me angry every time I had to look at it. The page was made with a ton of nested tables, all over the place, which made everything difficult to edit. The people that designed the site wanted us to send changes to them and have them update the page. This is fine for some businesses, but we like to update our website frequently (especially front page information) and having to wait for a turnaround time from a third party just didn't work for us. The old code also had a bizarre commercial Javascript menu (that wasn't exactly cross-browser friendly), that was impossible to customize because the commercial company had obfuscated all the code before shipping.

All of these things are anathema to me, because I like to tweak code to make it do what I want. So I asked the boss if I could change some things around, since we had to make minor modifications to the site anyway. Should be a fairly simple task, I already have all the graphics and content, I just need to build a new framework to put the content in.

And that's exactly what I did. I know that setup kind of sounds like the opening to a humorous account about how horrible the site redesign went, but it all went smoothly. And it all worked out that way for one simple reason: because I had the Internet. Web design is a popular topic on the Internet, as many would guess, there are a ton of resources out there for the taking, for people of any skill level, and I leveraged as many of these resources as possible to modify the site.

Goals

Based on what I just described I had a few simple goals for this project. These things are all I really wanted to accomplish and I could call the project a success.

1. The old site used a fixed layout, I hated that, so nested tables are out and a liquid layout using primarily CSS is in.
2. The old site had a horribly complex menu. All I want is a simple menu (using HTML lists) that also looks good.
3. At least one thing added solely because I think it looks cool.

Alright, so that last one I might have added after the fact since I added it to the site anyway. But whatever, retroactive goals are still goals (and they're way easier to achieve).

Layout

There are a lot of great sites on the web that provide basic tutorials for creating a liquid layout. But why write your own when others are willing to give away excellent bare bones setups for free? So while searching around for the best way to create a new liquid layout I found Matthew Taylor's Perfect 3-Column Liquid Layout. The great thing about this layout is that Taylor created it to be SEO and mobile device friendly out of the box. No modifications needed, I just have to tweak the settings to my liking and add in my content. The layout is just a basic frame of a page, but it's extremely well done and useful, and that's exactly what I was looking for.

So now I have my layout and I began to customize the page. At this point I added in the header information and graphics, and customized the CSS of the page to have our site's colors and styles. This whole process probably took me about 30 minutes or so, to tweak things to the point that I actually wanted them. Not bad so far.

The Menu

I looked everywhere for a pre-built menu that I really liked that also did all the things I wanted, but couldn't quite find one. There are pretty much two options for making modern menus (omitting Flash menus for this discussion): CSS menus and Javascript menus. CSS menus are written purely with HTML and CSS elements, and therefore will work in any modern browser. Javascript menus generally have many more cool functions associated with them, but may not work in older browsers, and won't work if visitors to your site have Javascript turned off. The solution to this is to write CSS menus, then modify them with Javascript, so it works for everyone. But, while there are certainly a ton of free menus available on the web, I couldn't find any I really liked, so I decided to put together my own Javascript menu system.

As you can see on the main site, it's functional and does what I want, and that's all that matters for a project like this one. My Photoshop skills are abysmal, at best, so even though the menu on the site looks like a couple simple gradient images and a hovering arrow, I didn't even make that. A site called the CSS Menu Generator did that part of the work for me, generating the images I needed which I just customized with the information for our site.

After that there was just the task of writing the code to make the nested menu. For that I used a popular Javascript framework called JQuery. I had never used JQuery before this project but, luckily for me, it's extremely easy to pick up. I already knew what I wanted to do, all I needed was to find the right calls in the API to make it happen. Turns out that task was falling-down-stairs easy. All of the cool menu effects on the page are driven by two commands: show() and hide(). Clicking on a link hides the other menus, and shows the proper sub-menu, and that's all there is to it.

That part of the design probably took 60-90 more minutes, if you count searching around to find all the resources.

The Cool Part

Our previous photo gallery was just a bunch of statically linked images, which is awesome if your site is running in 1998, but this is 2008 and all the other kids sites are using Lightbox and all the other cool variants of it. So I decided that, if at no other place, our site would have a cool looking gallery to show off what few pictures we do post. So, again, I got to searching. And, again, there are a ton of free gallery programs out there for the taking. I tried out a couple, but the easiest one to customize that seemed to do what I want is a gallery called minishowcase.

Installing the gallery was extremely simple, configuration was a breeze, and that whole step probably took about 20 minutes.

So, really just counting the work of creating the new layout was from 2-3 hours. The actual time was considerably longer, but that was mostly due to searching for the right solution for what I was trying to do. Of course, the entire transfer process actually took about a week, to convert all the pages and get feedback on everything, but the design process was very straightforward.

Conclusion

There are two reasons for writing this post. First and foremost is as a thanks to all the people that spend their time to write code and projects to distribute for free to the anyone who wants it. Without people making their work freely available, I never could have done this redesign in such a short and easy time.

Second, for some reason this really struck me while I was working on this project. The number of resources available online to complete just about any task is absolutely vast. I've always used the Internet as a resource for coding, to find examples or figure out why something isn't working right, but subconsciously I always thought that there were so many resources available because programming is a very technical task, so there would be a lot of tech resources available. But resources really are available to do just about anything you can think of, and the number of people willing to give away their expertise on all these topics is incredibly amazing.

So, in closing, thanks Internet People, and if we ever form the Singularity we should all get together and hang out and have a drink. I'm buying...whatever it is people drink at that point...

Cool Visual Traceroute Tool

Earlier today I found a link to a pretty cool new web tool. YouGetSignal has created a visual traceroute tool that overlays Google Maps.

There are several visual traceroute tools around already, and you can get the same information manually yourself, but it's still an interesting idea to have the trace on a Google Map. It's also a cool tool from an education perspective: traceroutes are always a little bit ambiguous to people who are just learning networking concepts, this tool makes it pretty easy to show how a single request gets bounced around the world.

The Secret Life of Networked Printers

Quick news up front: the beta site has been transitioned over to our main site now. Thanks to everyone for suggestions and bug reports. I'm still working on the post dealing with the site re-design, but I saw this article today and wanted to post about it in the meantime.

All network security pros know that networked printers are a great source of both good-intentioned fun and malicious resource. For example, when I was working for my college I found it incredibly amusing to wait for people to print to the shared printer, then reprogram the display to insult them when they came to pick up their printing (thanks, Irongeek).

But is it possible that your networked printer is out having fun, and downloading movies at night after you go home without your knowledge? Well...probably not...but there's an interesting article over on the New York Times' tech blog discussing a new study released by some researchers at the University of Washington.

The NYTimes article is here. The full study can be viewed at the UWash site here.

Most large (and some small) universities see a constant stream of DMCA takedown notices throughout the academic year. These notices are sent by various Intellectual Property clearinghouse frontends, most notably the MPAA and RIAA. These corporations don't do the research on who is illegally trading files themselves, they pay other companies to do this identification and give them the results. When you download files on the Internet (or via a Bittorrent tracker) you use a unique IP address, which you frequently announce to others participating in the download. This address can be used to trace a connection back to a geographic location, whether it's a regional ISP or a university.

The process from that point depends on a number of things, the main one being the policy of your ISP towards DMCA takedown notices. The RIAA for some time has been filing "John Doe" cases against universities, which they use to force the university in question to give up the identity of the student assigned to that IP address. Then the original organization (e.g. the RIAA in this example) can file a criminal copyright infringement suit against that student. All nice and easy (note: by "nice and easy" I, of course, mean that this is a grossly oversimplified model of the process of tracking down an alleged copyright infringer via their IP address).

Most people know that the IP address is the primary means used to identify people, but it was also commonly believed (well, I kind of hoped it) that the tracking organizations took a couple more steps than just capturing IPs before sending out takedown notices. Apparently that was blatantly incorrect.

From the article:

The paper finds that there is a serious flaw in how these trade groups finger alleged file-sharers. It also suggests that some people might be getting improperly accused of sharing copyrighted content, and could even be purposely framed by other users.

In this case, "serious flaw" refers to the fact that the trade groups mentioned don't do any verification at all that the IP addresses that they're seeing are actually doing anything of an illegal nature. Which logically leads to the next statement. Any time an automated system is used, without verifying the results, it becomes trivially simple to exploit the system to get the results you want. It looks like the paper is mainly focused on spoofing IP addresses.

In two separate studies in August of 2007 and May of this year, the researchers set out to examine who was participating in BitTorrent file-sharing networks and what they were sharing. The researchers introduced software agents into these networks to monitor their traffic. Even though those software agents did not download any files, the researchers say they received over 400 take-down requests accusing them of participating in the downloads.

It kind of seems like the researchers just wanted to do a Bittorrent tracking study, researching who is downloading what, and how much bandwidth is used by Bittorrent, etc. and then they started to get these takedown notices and wanted to see how far they could manipulate the system. The researchers wrote their own Bittorrent client, that connects to trackers and collects information about other people connected to the tracker. No big thing here, this is the way Bittorrent researchers typically go about it.

What probably shocked them, and it's probably because they're coming from a university IP address, is the number of takedowns they got, even though their client didn't actually share anything. Their research client didn't download any parts of the movies in question, and they still got 400 takedown notices.

Congratulations on the due diligence, guys. So if you happen to get a takedown notice in the future, just send back a kindly worded letter informing the questioning agency that your network-enabled toaster and microwave were having a party on the day in question, so they probably downloaded the movie for something to watch.

Perimeter Anomaly Detection via Biologic Agents

I came across a very interesting story about a very different way to do physical security.

I was in a rare meeting this morning (my love of meetings is famous around the office) which I decided to attend because it was an early meeting with a new client. I thought there might be technical details discussed which would be easier to hear first-hand rather than having them relayed by my coworkers.

During this meeting I discovered that the Army keeps a number of veterinarians around for various purposes. For example, apparently after Operation Desert Storm/Shield the Army had their veterinarians go in and administer aid to the cows of local farmers (as well as to zoos). There are also several people who take care of the mules at West Point. And, the most interesting part, the army employed geese as a perimeter alarms.

Seriously, I'm not clever enough to make something like this up. Apparently geese are very sensitive to human presence and will viciously defend their area, especially if it's a breeding area. The Army determined that geese could be more effective than the perimeter alarms they had installed at certain types of facilities. So, from what I understand, the Army kept their fences and motion detectors, but also put small flocks of geese outside their fences and then, I assume, just kept an eye on the geese. Why go high-tech when low-tech is so effective?

Geese: God's motion detectors...

Security by Obscurity or Underground Honeypot?

I wasn't sure about this post but I decided it was interesting enough to post, so I'll put it out there and everybody else can be the judge. While stumbling around some social bookmarking sites this weekend I found an interesting site. It looked like any other user who set up a website and left directory indexing enabled, to share files or accidentally. But this site appears to be hosting a number of current warez apps, including Call of Duty 4, Crysis, Adobe CS, Windows Vista and more (see screenshot at left for obfuscated details).

At first I thought this was just a simple misconfiguration. At first glance I thought a home user had set up a web server for his friends to use to get files, and thought that by not telling anyone the secret would be safe between friends (classic Security by Obscurity), and then the secret got out. But after slightly closer inspection that turned out to be not be the case at all.

First, the site isn't just an IP address, it's a domain name (and from the looks of the domain it would probably be pretty valuable). The domain isn't a free redirect (e.g. DynDNS), it's a paid for domain name. Doing a quick nslookup on the domain also reveals that it's not a home user either, the IP traces back to a virtual private server hosting company called Webair. Which means somebody paid for a domain and to rent virtual server space...

So where does that leave us? Files in the directory such as "test.php" and "stats" led me to believe that this might be a new install. The test.php file and stats directory are clearly put there by the VPS hosting company to track your site and to make sure a new hosting setup is correct. So maybe this is just a new site that got hacked: default passwords or a common vulnerability that allowed an automated scanner to get in and let someone set up their warez site on somebody else's dime.

So there we are, it's a warez site hosted on a hacked website. Or is it? Looking at a few comments on the social bookmarking site that led me there I saw some strange comments. There were the obligatory messages from the paranoid crowd ("It's a trap!") but then there were others from people who downloaded the files. According to several commenters the ISO file images stored in the folders aren't real. And those commenters aren't alone in wondering if someone was really silly enough to post warez on a public site and think others might not find out. Thanks to the stats directory on the site I made a couple graphs of the traffic to the site (The site was submitted to the bookmarking site Feb. 8th).

Click here to view graph data.

This also provides interesting information about how much site a social bookmarking site will generate given a very short amount of time. The traffic spike starts to happen within 2 days (the site was submitted on a Friday). Another clue to this whole thing might be the webserver version, "Apache/1.3.37". While that is a valid Apache version, I'm not sure if it's real or a plant put there by someone as a joke (1337 is leet-speak for elite).

Which leaves me with two possibilities that I can think of.

1. The site is a prank/honeypot. The files aren't real (I haven't downloaded any of the warez to test whether they're real or not) and the site is just to see how many people will download random files off the Internet.
2. The site is a viral marketing ploy. The owners are generating a lot of traffic to a real domain, and when the traffic appears to max out they'll put up a real site.

Both of these theories have the same flaw for me, though. Paying for a VPS means you're paying for bandwidth, and the site is legitimately hosting (and serving) hundreds of GBs a day in bandwidth to people. This seems like a huge gamble if the point is just to draw traffic (and there are certainly better ways).

Which basically leaves me stumped about the site. I'm still not really sure. But one thing is for sure, I have a feeling that sometime around March 1st the site will change it's look. Either when the owners capitalize, or when they realize they got hacked and their bandwidth bill comes in from their hosting company. I guess only time will tell.

Truecrypt: Brand New Features, Same Encrypted Flavor

In a previous post on encryption I wrote about why you might want to encrypt your personal data. In that article I mentioned Truecrypt, a free open-source encryption software (available for Windows, Linux and now Mac OSX).

Truecrypt has just released the 5.0 version of their software with some excellent new features. The entire feature list is available on the Truecrypt site here but the highlights are:

• Ability to encrypt a system partition/drive (i.e. a partition/drive where Windows is installed) with pre-boot authentication (anyone who wants to gain access and use the system, read and write files, etc., needs to enter the correct password each time before the system starts).
• Pipelined operations increasing  read/write speed by up to 100%
• XTS mode of operation... XTS is faster and more secure than LRW mode

The big improvement is that Truecrypt now supports system partition encryption, which means your entire partition is encrypted when you power off the computer, and the system will not unencrypt the data and boot until you type in the correct password. PGP has supported this feature for awhile, but it's great to have it in free software like Truecrypt.

Also, doubling of read/write speeds for encryption software isn't too bad an improvement either.

The newest version of Truecrypt can be downloaded here, for those interested.