EYE ON SECURITY

The World of Secure Development.

May 2006

According to a study by security firm Panda Software, cyber-crook's new malware of choice is increasingly targeting online games.

Specifically, cyber-crooks are going after the login details for installing and accessing online games. Similarly, these criminals are trying to rob players of the "virtual assets" obtained in the games, such as virtual money that can be used in the game to buy weapons, powers, etc. Given the effort required by players to obtain these items, there are many people prepared to pay for them as an easy way of reaching higher levels and increasing their reputation. In this way, the virtual economy of the game translates into real profits for the cyber-crook.

With the increasing number of games available online, there is a corresponding increase in the options for those willing to exploit this lucrative by-product of online games. There is now the risk that a whole new business model could be operated by cyber-mafias, stealing virtual assets, of apparently no real value, and selling them for real money to the highest bidder.

The malware that most frequently affects games are Trojans. The Lineage virus steals the login details of a player, allowing another player to relieve him of the virtual money used to buy weapons, privileges or abilities within the game. The different variations of the Legmir virus target players of Legend of Mir, stealing their passwords. Gaobot and its variants, although more widely known for their bot characteristics, also try to get in on the act, stealing the Cd-Keys of several games, and spreading to new potential victims. Similarly, they open a backdoor on infected computers making them vulnerable to future attack. Users of World of Warcraft could be affected by Trj/WoW.

According to Luis Corrons, director of PandaLabs, "the new financial motivation for malware creators and the professionalisation of malware has led us to believe that the sacking of these virtual assets offers potential returns for cyber-crooks that cannot be ignored."

In addition, it is important to consider the damage that this type of malware represents for developers of games, allowing unauthorised users to play freely using stolen login details or CD Keys. Moreover, if companies block access to the key to prevent the fraud, legitimate users will also be blocked with the consequent confusion and annoyance, and generating a negative impression of the company.

One sound piece of advice for players who don't want their details or virtual assets stolen is to ensure that they use legal software, which has the guarantee of being genuine and untampered with by third parties. It is also advisable to be wary of files sent over e-mail or chat sessions, especially those accompanied by messages promising some kind of benefit or profit. In particular, users are advised not to open any attachments unless they are completely sure they have come from a trusted source.

Posted by Jon Erickson at 11:19 AM  Permalink |

Three security experts--Zvi Gutterman (CTO of Safend, a security firm, Benny Pinkas, a member of the Computer Science Department at Haifa University, and Tzachy Reinman, a graduate student in the School of Engineering and Computer Science at Hebrew University of Jerusalem--have discovered several security vulnerabilities in Linux.

The team’s research includes an attack on the Linux random-umber generator (LRNG). The LRNG is the key element behind most security protocols and tools which are part of Linux. Among them are PGP, SSL, Disk and email encryption. Using the attack presented by the research team, an adversary attempting to break into a Linux machine may compute backward outputs of the LRNG and use them to access previous confidential communications.

Gutterman, along with Pinkas and Reinman, used dynamic and static reverse engineering to learn the operation of the LRNG. The team was then able to illustrate flaws in the design of the generator as well as measurements of the actual entropy collected by it.

"Our result shows that open source is not a synonym for secure design; once the LRNG is broken, we can break any future or previous password on that PC," stated Gutterman. "However, open source benefits security by enabling security audits. As we state in our research paper, we feel that the open source community should have a better policy for security sensitive software components. They shouldn’t be treated as other source elements."

Gutterman, Pinkas, and Reinman will present their
research paper entitled "Analysis of the Linux Random Number Generator" at the IEEE Security and Privacy Symposium.

Posted by Jon Erickson at 05:20 PM  Permalink |

According to Kim-Phuong Vu, a lot of users try to remember half a dozen passwords. Which is why the most common password is "password."

That's why Vu, author of the recently published Stimulus-Response Compatibility: Data, Theory, and Application is trying to come up with ways to promote the generation of secure and memorable passwords. One approach she identified involves was writing a sentence that encapsulates the password itself, so that the context of the sentence can provide cues to recall the password. "The problem with this method is that people remember the gist of the sentence and without the specific cues, the password cannot be remembered," Vu says.

Vu, who is a assistant professor in the Psychology Department at California State University, Long Beach, goes on to say that the average password is easy to crack, but access to biographical data makes guessing that much easier with favorites being birthdays and children’s names. "My colleagues and I use an easily obtained cracking device called LC4 to crack passwords," she said. "It sources a dictionary to try words and combinations of words. It often cracks a password without knowing anything about the user. My research says that 60 percent of passwords can be cracked within a few hours, and some in less time than that."

Proactive password protection demands a requirement of upper or lowercase letters, numbers, special characters, and the like. Users generate a private password from these elements. The idea is that using these mechanisms makes cracking a password that much harder but her research has found a big trade-off between memorability and security. "The easier to remember a password is, the easier it is to crack," she said. "The ones that are harder to crack are the ones that are hard to recall and there’s the problem."

The key to future password security is price. The cheaper the security, the more likely it is to be used. "Voice recognition is improving all the time but it is not ready yet," she said. "The government can afford high-fidelity systems but everyday users cannot."

There is a lot at risk with easy-to-crack passwords. A password can be used to guard a bank account and if that goes, so goes the cash. "A password can guard my grades and breaking in to gain access to my files means the whole class gets A's," she said. "If I published corrupted data, my credibility is gone. A company loses money if someone hacks into their system. If a Web site collapses through password security, that is a loss to business. For example, if an airline has a security breach that allows users to change the very rates they charge, they may have to honor those rates. Password security has many implications for the individual and society at large. There are varying degrees of risk. This problem will get more serious as we rely more and more on the Internet."

Vu believes the password is here to stay. "Fingerprints and retina scans are expensive. Password security is affordable and generally accepted by users, even if it is not the securest form of protection," she said. "When you ask the typical user if they are interested in recording their fingerprints or retina, they squirm."

Memory is affected by many things including age and gender but one key is practice. "It is less a matter of not forgetting and more a matter of training yourself to remember, " she said. "Everyone has memory problems, no matter what their age. Memory depends on many factors. For instance, culture has little effect on short-term memory when you take into account factors such as pronunciation rate."

Posted by Jon Erickson at 03:47 PM  Permalink |

The original ILLIAC computer, built by the University of Illinois at Urbana-Champaign in 1952, was the first computer in the world created and owned entirely by an educational institution. It weighed five tons and contained 2800 vacuum tubes.

On May 10, the University will officially launch the Trusted ILLIAC Cluster, which incorporates a 500-processor programmable hardware/software cluster designed and built by researchers at the Information Trust Institute (ITI) and Coordinated Science Laboratory (CSL) at Illinois. It promises to make large-scale computing truly trustworthy, providing an application-specific level of reliability and security in a transparent manner while delivering high performance.

According to CSL Director and ITI Chief Scientist Ravi Iyer, the need for greater security and reliability in computing has intensified as the industry begins to shift to what some have called "utility computing," "on-demand computing," or "adaptive enterprise computing."

"In this new generation, computing is seen as a utility,CC Iyer explained. "Just as you get electricity when you plug in, companies and institutions will be able to 'plug in' to a massive computer system that gives them greater performance."

"Utility computing" means that different companies share the same powerful cluster of processors to get their work done, increasing the need for higher levels of reliability and security. According to Iyer, utility computing will be a cheaper, more efficient way to meet the massive computing-power needs of banking, research, design, and many other commercial applications.

"At the end of the third year, we’ll have a full-fledged system that allows us to begin innovating," Iyer said. "Industry and other research collaborators will also be able to use the system as a testbed to develop a whole new set of ideas." Corporate supporters of Trusted ILLIAC include Hewlett-Packard, Advanced Micro Devices, and Xilinx. Trusted ILLIAC development is also supported by a National Science Foundation Critical Research Infrastructure (CRI) grant.

In addition to being reliable and secure, said Wen-mei Hwu, a professor of electrical and computer engineering and ITI’s Theme Leader for Embedded and Enterprise Computing, the Trusted ILLIAC system will automatically adapt to the computing environment of specific applications.

"It’s like a chameleon," he said. "Trusted ILLIAC will be able to determine how it must configure itself to provide the best performance for an application­the best level of trust. It morphs itself to support that application." Part of the key to this adaptation is sophisticated middleware, which enables the many nodes of the Trusted ILLIAC to communicate with one another in a reliable and secure way, explained ITI Theme Leader in Multimedia and Distributed Systems and computer science professor Klara Nahrstedt.

According to CSL Director and ITI Chief Scientist Ravi Iyerr, the intellectual merit lies in investigating new set of application-aware methods to provide customized levels of trust (specified by the application) and enforced via an integrated approach involving re-programmable hardware, enhanced compiler methods to extract security and reliability properties and supported by a configurable OS and middleware.

"We plan to transform a large Linux based cluster, using augmented hardware (demonstrated via FPGA implementations), smart compilers capable of extracting and programming into hardware, application-specific reliability and security guarantees and supported by an Operating System and Middleware configured to support the application execution," added CSL Director and ITI Chief Scientist Ravi Iyer.

The Trusted ILLIAC research will even result in methods to validate levels of reliability and security, providing the first real way to benchmark the trustworthiness of large-scale computing systems.

Posted by Jon Erickson at 11:17 AM  Permalink |

A working group made up of some of the nation's largest companies, public interest,and consumer advocates has unveiled a set of "best practices" designed to promote respect for consumer privacy in the use RFID.

The document offers guidance for companies that use RFID technology to collect data that can be linked to consumers' personally identifiable information. Drawn largely from widely accepted principles of "fair information practices," the best practices outline how consumers should be notified about RFID data collection, what choice they should have with regard to their own personal information, and how that information should be treated by the companies that collect it.

Organizations contributing to the development of the document include the Center for Democracy and Technology, the American Library Association, Cisco Systems, IBM, Intel, Microsoft, the National Consumers League, VeriSign, and Visa USA, among others.

Posted by Jon Erickson at 11:04 AM  Permalink |