comp527

course blog for COMP 527: Computer Systems Security

Comcast.net hackers indicted

without comments

Three hackers were indicted on Friday for a hack of Comcast’s website in May 2008. According to CNN’s article, “The prank took down the cable giant’s homepage and Web mail service for more than five hours and allegedly cost the company over $128,000.” Customers were left without access to webmail and digital voicemail during the outage.

The attackers were able to gain access to the Network Solutions DNS control panel for all of Comcast’s sites and altered the records to point at their own site with a taunting message. Their method? Phone calls.

The hackers were able to call one or more Comcast employees at home and ask them questions which gave them access to “a specific Comcast e-mail account”, according to the indictment. Through the email account, they were able to communicate with Network Solutions and obtain access to the DNS control panel.

It seems that the weak point in the security was less technological and more a human factor. The attackers simply made anonymous phone calls to Comcast employees who answered their questions, and it was this information that enabled them to obtain access. Comcast (and other companies, no doubt) would be wise to further educate its employees on information security.

CNN article: http://www.cnn.com/2009/TECH/11/20/comcast.hacking.charge/index.html
Indictment: http://www.wired.com/images_blogs/threatlevel/2009/11/comcast_indictment.pdf

Written by Chase

November 22nd, 2009 at 11:33 am

Posted in real world

Responsible disclosure for Jailbroken iPhones

without comments

It has been discussed how a jailbroken iPhone was hacked here and here.

But although the problem was publicly advertised, so was the manner of using it to hack such iPhones.
The guy from the Netherlands published the source code he used. Was this a good choice?
Since the first incident, several malicious programs have appeared which take advantage of the default root password.

Two of them can be found here (a worm, a “harmless yet annoying prank”) and here (a “truly malicious iPhone malware” which extracts personal data).

Written by as44

November 11th, 2009 at 4:59 pm

Posted in privacy, real world

SybilGuard-SybilLimit-SybilInfer-SumUp

without comments

All four papers, i.e., SybilGuard, SybilLimit, SybilInfer and SumUp, try to address the Sybil problem, where a malicious user takes on multiple identities and pretends to be multiple, distinct nodes in a distributed system. Sybil nodes appear in many forms: a single node can obtain many different system identities by registration; several nodes can collude with each other to do evil things; and even nodes in botnets may work together and launch distributed denial-of-service (DDoS) attacks. In my view, the latter two cannot be considered Sybil attacks; however, all three may behave similarly, and even a botnet can register many Sybil nodes on a website.

On the other hand, various Internet services, especially services which rely on ordinary customers to vote on their quality, such as e-commerce sites and online social networks, are very vulnerable to Sybil attacks. Li Jinyang lists two Sybil examples in SumUp: one is that students deploy automatic scripts to vote for their schools in a Slashdot poll, and the other is that Sybil accounts work together and vote on content on YouTube. Yu Haifeng lists a number of threshold values for the avoidance of Sybil attacks in different systems. In Byzantine fault tolerant systems, the value for the ratio of malicious nodes is 1/3; for secure routing in peer-to-peer systems, the value is 1/4; for the voting system in YouTube-like systems, the value should be much smaller, depending on the feedback willingness of honest users.

Certainly, if we bind system identities to actual social identities, such as social security numbers or driver's licenses, then the problem should be easily addressed. The lack of widely accepted authorities in the world and the existence of a single point of failure make this mechanism unattractive. People may also not like to leak their private information to all such kinds of Internet services. Puzzles, including computation puzzles, memory puzzles, and even human-intelligence-related puzzles (CAPTCHAs), are the ways actually used to deal with the problem. However, they are shown to be vulnerable in SybilGuard.

The third way to address this problem is through the use of social networks, which covers all four papers above, all of which are based on the same assumption: that Sybil nodes cannot easily create trust edges between themselves and honest nodes in general. Certainly, in real social networks this assumption works; however, in Internet social networks this assumption is sometimes questionable, since there are lots of cases where an ordinary user accepts a stranger as a friend. Some users on YouTube even have thousands of friends, although they never have any interaction with such friends. As a result, I think interaction histories should be considered in such mechanisms, and SumUp is a good step in this direction.

For SybilGuard and SybilLimit, I should admit that the underlying idea is very novel: that is, to find the minimum cut between the Sybil area and the remaining graph. In my view, it is not that the number of attack edges is limited; on the contrary, it is that the number of victim nodes that connect to the Sybil nodes is limited.

(1) However, in many systems there may not exist such a social network, and then the problem is still serious.

(2) Another thing is that, even if there exists some social network in such a system, the graph made of system nodes may not meet the requirements of SybilGuard, i.e., the main honest area should be a large strongly connected component whose nodes make up at least 80 percent of the total nodes. To my knowledge, there are some online social networks which have a number of strongly connected components, and the size of the largest one only makes up 30~40% of the total nodes. As a result, if we apply SybilGuard/SybilLimit to such a graph, then the false positive rate should be very large. Admittedly, the quantity of interactions among nodes in the largest component should be much larger than that of the remaining nodes. However, a system should also provide such a Sybil-resistance service to such isolated nodes, especially considering that many of such nodes are just newcomers.

(3) Because the deterministic algorithm for finding the minimum cut that connects the honest area and the malicious area is NP-complete, the authors try to use the “random walk” algorithm to test whether a potential node is a Sybil node. However, the “random walk” is deterministic, and should be updated if some nodes leave the system. Thus, the overhead due to “churn” should be considered. If a node leaves the system, then all the random walks passing through this node should be rebuilt. Facebook once stated that all the content of a user who left the system would be saved in Facebook, and so such routing cannot be changed if a node checks out. However, we should give some random walks to newly registered users. In sum, SybilGuard / SybilLimit can only apply to a snapshot of the graph.

Under the same assumption, George Danezis introduces SybilInfer to address the Sybil problem. The background of SybilInfer is exactly the same as SybilGuard/SybilLimit; however, SybilInfer uses a statistical method instead of a deterministic algorithm to address this problem. There are several differences between SybilInfer and SybilGuard/SybilLimit: (1) The random walk is different. SybilGuard/SybilLimit create a “routing table” for each node, and then the routing is fixed. In addition, the probabilities of walking along all of the outgoing edges of a node are the same; however, in SybilInfer, the probability of walking along an edge is related to the out-degrees of the edge's adjacent nodes. (2) The algorithms for how to use the random walk paths are different. SybilGuard/SybilLimit use the fraction of crossing points to make the estimation. SybilInfer uses a Bayesian algorithm to compute the probability of a set of nodes being honest; the latter needs a sampling method. (3) Performance: it is stated in the original paper that SybilInfer works much better than SybilGuard/SybilLimit. You can refer to the data in the original paper.

SumUp tries to reduce the number of votes from Sybil identities in the voting problem in social networks, based on the same assumption. SumUp uses the “adaptive vote flow aggregation” algorithm to limit the bogus votes to no more than the number of attack edges in the trust network. In fact, SumUp creates, for each node, a tree like the one created by the breadth-first search algorithm by pruning some edges of the social network, and then assigns a capacity to each edge, which means that the number of votes through the edge cannot be bigger than that capacity. Then, if the distance from the Sybil nodes to this source node is far enough, all the votes within that distance can be honest, not considering the honest nodes' fake votes. In addition, because the nearer an edge is to the source node, the more capacity the votes can get through that edge, the attack edges in the minimum cut between the honest area and the malicious area can only get a small capacity. In addition to that, SumUp uses the vote history to adjust the pruned tree above. The problems with SumUp are that: (1) it cannot apply to separated components; (2) the overhead for each node can be large; (3) the algorithm is very complicated.

I read the above four papers several months ago, and I have forgotten some details about them. My description may include some mistakes.

Written by zc7

November 10th, 2009 at 7:22 pm

Posted in Uncategorized
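The SybilGuard-style random routes discussed in the post above, as an added example that is not code from any of the four papers: a constructed toy trust graph with one attack edge, per-node routing tables built from random permutations, a simplified intersection test (without the papers' back-tracing step), and a check that all Sybil routes together reach at most w honest nodes, however many Sybil identities the attacker registers. The node names, graph, seed and route length are assumptions made for the example.

```python
import random

# Constructed toy trust graph (not from the papers): a well-connected honest
# region h0..h7, a Sybil region s0..s3, and a single attack edge h5-s0.
HONEST = {f"h{i}" for i in range(8)}
EDGES = [(f"h{i}", f"h{(i + 1) % 8}") for i in range(8)]           # ring
EDGES += [("h0", "h4"), ("h1", "h5"), ("h2", "h6"), ("h3", "h7")]  # chords
EDGES += [("s0", "s1"), ("s1", "s2"), ("s2", "s3"), ("s3", "s0")]  # Sybil region
EDGES += [("h5", "s0")]                                            # attack edge
ROUTE_LEN = 5  # hops per random route (w in SybilGuard)

def adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def routing_tables(adj, seed=7):
    # SybilGuard-style: a random permutation per node maps entry edge to exit edge.
    rng, tables = random.Random(seed), {}
    for node, nbrs in adj.items():
        nbrs, out = sorted(nbrs), sorted(nbrs)
        rng.shuffle(out)
        tables[node] = dict(zip(nbrs, out))
    return tables

def random_route(tables, start, first_hop, hops=ROUTE_LEN):
    # Deterministic given the tables: routes sharing a directed edge merge.
    route, prev, cur = [start, first_hop], start, first_hop
    for _ in range(hops - 1):
        prev, cur = cur, tables[cur][prev]
        route.append(cur)
    return route

def routes_from(tables, adj, node, hops=ROUTE_LEN):
    return [random_route(tables, node, nb, hops) for nb in sorted(adj[node])]

def accepts(tables, adj, verifier, suspect, hops=ROUTE_LEN):
    # Simplified check (no back-tracing): majority of verifier routes must meet a suspect route.
    seen = {n for r in routes_from(tables, adj, suspect, hops) for n in r}
    hits = sum(bool(set(r) & seen) for r in routes_from(tables, adj, verifier, hops))
    return 2 * hits > len(adj[verifier])

def honest_nodes_reached_by_sybils(tables, adj, hops=ROUTE_LEN):
    # All routes leaving the Sybil region cross the single attack edge s0->h5 and then
    # merge, so together they touch at most `hops` honest nodes, whatever the Sybil count.
    reached = set()
    for s in set(adj) - HONEST:
        for r in routes_from(tables, adj, s, hops):
            reached |= set(r) & HONEST
    return reached
```

With hops=1 the only honest node any Sybil route can reach is h5, the far end of the attack edge; with the default 5 hops the Sybil side still reaches at most 5 of the 8 honest nodes.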

iPhones hacked again … This time in Australia

without comments

The jailbroken iPhones have been hacked again, this time in Australia.
This Australian guy used the same technique posted before here, but the previous hacker held the iPhone hostage for €5; this time he published the source code for the hack. It is just people forgetting to change the root password for SSH!!

The problem now is that the source code is out to the public, and more harmful variants may pop up to kill all jailbroken iPhones.

Bottom line: Want to hack … be smart not to be hacked :D

Story links: here and here

Written by ahmedelnably

November 9th, 2009 at 4:54 pm

Posted in real world

Vulnerability in SSL Protocol.

with 2 comments

A serious “protocol level” vulnerability has reportedly been found in SSL (see here).

According to the website of the company that discovered the vulnerability (link), which they call the SSL authentication gap: “Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched.”

It is surprising to know that such a widely used protocol can be vulnerable.

Written by sshekhar

November 5th, 2009 at 1:42 pm

Posted in Uncategorized

Google Chrome Comic Book

without comments

I found an interesting website when I was searching for “Google Chrome”. It consists of 40 comics, which describe the ideas behind creating a multi-process browser. Like all Google products, Google Chrome is simple, efficient and minimalist. I highly recommend trying it, if you haven’t used it before.

I think we can all be inspired by these comics while designing our Quiltwork browser.

Written by ersin

November 3rd, 2009 at 11:27 pm

Posted in Uncategorized

Jailbroken IPhone Security

with one comment

Here is a reminder that if you want to escape Apple’s security, you’d better know what you’re doing and enforce your own.

A hacker from the Netherlands used port scanning to find jailbroken iPhones running SSH whose users were careless enough to leave the default root password after jailbreaking their phones. His initial demand for fixing a hacked iPhone was 5 euros, and he has now published the solution for undoing what he did.

Personal opinion: Those who got their iPhones hacked should have at least said thank you for uncovering how insecure their phones were, instead of accepting his apologies for what he has done.

Written by as44

November 3rd, 2009 at 6:48 pm

Can hacking cable modems get you in jail?

without comments

Ryan Harris, an expert on cable modem hacking who has been selling unlocked cable modems through a small company, is facing criminal charges of wire fraud and computer fraud.
In his defence he likens it to “arresting every firearms dealer, because handguns can be used to commit murder.”

Read more here

A/N: If the fact that one of his programs is called “Coax Thief” puts him in a bad light, then a note for all those hacking: make sure you name all of your software things like “Safe Program Thingy” or “Well Behaved Program”. More importantly, don’t you dare use user or socket messages like “It’s hacked” or “Hack in place”, nor variable or function names with similar connotations!

Written by as44

November 3rd, 2009 at 6:29 pm

Smartphone Security

with 2 comments

As if worrying about security on your computer wasn’t enough, your smartphone is increasingly becoming a significant target.

Besides the standard virus and worm attacks via email attachments, one recent attack used the phone’s Bluetooth capabilities to spread to other nearby Bluetooth-enabled devices.

Research indicates that a significant part of the problem is that, while many users know to be careful on their home computer, many people feel their phone is more immune to security threats. Not so. The article’s suggestion: “treat your smartphone like a computer, not a telephone.”

Unfortunately, there are many people who don’t treat their home computer security properly, much less their smartphone security. People need to continue to be educated about internet security. If you’re going to fall for a phishing attack on your home computer, you’re probably going to fall for anything on your smartphone. Awareness is key.

News article: http://www.cnn.com/2009/TECH/10/25/smartphone.security/index.html

Written by Chase

October 26th, 2009 at 3:45 pm

Posted in privacy, real world


Top three phishing target sites in China

without comments

According to a report from the Anti-Phishing Alliance of China (APAC), up to Oct. 22nd, APAC has handled an accumulated total of 8342 phishing site domains in China. The top three targets of phishing sites are TengXun (famous for their IM client QQ), TaoBao (the biggest online shopping site in China), and ICBC (Industrial and Commercial Bank of China).

Another astonishing figure shows that out of 338 million Internet users in China, about 110 million have encountered a problem of account or password theft in the recent half year!

It is really a tough task to protect accounts and passwords for general users.

News source: http://www.chinanews.com.cn/it/it-itxw/news/2009/10-26/1931366.shtml

Written by superzap

October 26th, 2009 at 1:21 pm

Posted in Uncategorized