comp527

course blog for COMP 527: Computer Systems Security

New blog!

without comments

Look here for the new blog. http://comp527.blogs.rice.edu/

Written by dwallach

August 16th, 2011 at 3:53 pm

Posted in Uncategorized

Tor related: Is it possible to choose Tor’s relay nodes?

without comments

I wonder if it’s possible to choose Tor’s relay nodes.

There is a potential use of Tor in which one sets Tor’s exit node to a specific country to gain that region’s rights to view content (such as videos) on some websites.

For example, when you try to watch videos from some websites outside the US, you may see “Sorry, it’s not allowed to view this video from your district,” which is really annoying. (This happens when I try to watch videos from websites in China or South Korea. It should also happen in reverse, or in other countries. Some people try to use this method to watch Hulu from the EU, as I found from a Google search.)

But a big issue is that the connection speed is slow, due to the many intermediate relay nodes used all over the world.

Hence, if there is a way to decide the number of relay nodes and which ones will be used, the problem is solved.

I only knew how to set the exit node and didn’t find an answer on how to set the relay nodes. Does anybody have an answer, or feel interested in this trick?

Besides, technical and legal issues can be discussed if anybody is still checking this blog.

Written by Wei Ding

December 8th, 2010 at 2:21 pm

Related work on bot detection in MMORPGs

with 2 comments

This article is worked out by steve & eric & jimmy (wenyang).

We would like to introduce related work on bot detection in MMORPGs, which will not be included in our paper, as a special topic to end our project :)

1) Chen et al. describe an approach to distinguish traffic generated by the official game client from traffic generated by stand-alone bot programs through statistical analysis of packet transfer properties. Its major drawback is that most bots today interact with the client by injecting code into the game process and don’t send packets themselves.

2) Cornelissen and Grootjen use packet analysis to identify bots. They investigate specific packets such as MakeConnection, MoveToXY, TakeItem and Attack, and calculate the average time between actions. They then train ANNs on the data and compare the feature vectors of bots and human players. The problem with this approach is that once bots are designed to intentionally slow down those actions, it’s hard to tell which is a bot and which is a human player.

3) The approach proposed by Kruegel et al. identifies bots by focusing specifically on the game character’s movement, extracting waypoints that describe the traveled path and finding repeated patterns in the route taken. They exploit the fact that a bot is controlled by a script that automates a specific sequence of constantly repeated actions. Compared with the previous two approaches, the third one makes more sense, because bots are designed to repeat actions and follow repeated routes, whereas human players tend to behave less repetitively. But a problem remains: how to define repetition. This point determines the efficiency of this approach.

All of the approaches proposed today fall into two categories: false negatives (recognizing bots as human players) and false positives (recognizing human players as bots), according to the threshold value used to distinguish bots from human players. Having false positives is much worse than having false negatives. So in order to decrease the side effects of false positives, a verification step following the detection mechanism is necessary. Currently, the best approach for verification seems to be to start a conversation between the server side and the client side and check the response.

Bot prevention is tricky. A good detection mechanism is a must; it determines the efficiency of bot prevention and the load of the consequent verification work. Future research on bot detection needs to find a perfect balance between false positives and false negatives. As for bot verification, more efficient methods should be proposed to make sure no innocent user will suffer.

References:
1. K.-T. Chen et al., “Identifying MMORPG Bots: A Traffic Analysis Approach,” Proc. 2006 ACM SIGCHI Int’l Conf. Advances in Computer Entertainment Tech., ACM Press, 2006, article no. 4.
2. A. Cornelissen and F. A. Grootjen, “A Modern Turing Test: Bot Detection in MMORPGs,” Proc. 20th Belgian-Dutch Conf. Artificial Intelligence (BNAIC 2008), pp. 49-55, Oct. 2008.
3. S. Mitterhofer et al., “Server-Side Bot Detection in Massive Multiplayer Online Games,” IEEE Security & Privacy, vol. 7, no. 3, May 2009.

Written by ww7

December 6th, 2010 at 4:48 am

Posted in projects
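One concrete way to define the “repetition” that the third approach above depends on, as an added example that is not code from the post or from the cited papers: collapse a position trace to its waypoints (turning points), then look for the period at which the waypoint sequence repeats itself. The two trajectories are constructed for the example; the threshold in looks_scripted is the false-positive/false-negative knob the post discusses.

```python
from typing import List, Tuple

Point = Tuple[int, int]

# Constructed trajectories (not data from any game): a scripted character that
# walks the same square forever, and a hand-drawn wandering path.
LOOP = [(0, 0), (0, 1), (0, 2), (1, 2), (2, 2), (2, 1), (2, 0), (1, 0)]
BOT_PATH = LOOP * 3 + [(0, 0)]
HUMAN_PATH = [(0, 0), (1, 0), (1, 1), (3, 1), (3, 0), (5, 0), (5, 3),
              (4, 3), (4, 5), (2, 5), (2, 4), (0, 4), (0, 1), (1, 1)]

def extract_waypoints(path: List[Point]) -> List[Point]:
    """Reduce a position trace to the points where the heading changes,
    plus the two endpoints; straight runs collapse to their ends."""
    if len(path) < 3:
        return list(path)
    waypoints = [path[0]]
    for prev, cur, nxt in zip(path, path[1:], path[2:]):
        d1 = (cur[0] - prev[0], cur[1] - prev[1])
        d2 = (nxt[0] - cur[0], nxt[1] - cur[1])
        # a zero cross product means the three points are collinear: no turn
        if d1[0] * d2[1] - d1[1] * d2[0] != 0:
            waypoints.append(cur)
    waypoints.append(path[-1])
    return waypoints

def repetition_score(waypoints: List[Point]) -> Tuple[int, float]:
    """One definition of 'repetition': the period p (1..n/2) for which the
    largest fraction of waypoints equals the waypoint p steps later.
    Returns (period, fraction); (0, 0.0) when nothing repeats at all."""
    n = len(waypoints)
    best_period, best_fraction = 0, 0.0
    for p in range(1, n // 2 + 1):
        matches = sum(1 for i in range(n - p) if waypoints[i] == waypoints[i + p])
        fraction = matches / (n - p)
        if fraction > best_fraction:
            best_period, best_fraction = p, fraction
    return best_period, best_fraction

def looks_scripted(path: List[Point], threshold: float = 0.8) -> bool:
    """Flag a trace as bot-like when its waypoint route is nearly periodic.
    Lowering the threshold flags more humans (false positives); raising it
    lets slow or jittered bots through (false negatives)."""
    _, fraction = repetition_score(extract_waypoints(path))
    return fraction >= threshold

if __name__ == "__main__":
    for name, path in (("bot", BOT_PATH), ("human", HUMAN_PATH)):
        wps = extract_waypoints(path)
        print(name, len(wps), "waypoints", repetition_score(wps), looks_scripted(path))
```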

Linux kernel updates without rebooting

without comments

For Windows users, reboots are an everyday occurrence. Windows update? Reboot. Unexplainable GUI malfunction? Reboot.  Adobe Reader upgrade? It’ll keep badgering you until you reboot or kill it. (Why?!)

In contrast, Linux users generally have to reboot only for kernel upgrades. That works out to roughly one mandatory reboot per month for applying critical security updates. For some, though, even this may be unsatisfactory. Ksplice Uptrack may be just what they’re looking for–it’s a commercial subscription service that patches a running kernel, delivering security updates without requiring the machine to be rebooted. Wikipedia’s article on Ksplice, the underlying technology on which the service is based, succinctly explains how it all works.

Although I’d known about Ksplice for some time, I didn’t seriously consider using it myself until the “64-bit Compatibility Mode Stack Pointer Underflow” vulnerability was reported in September. (Ironically this is the same class of vulnerability (local privilege escalation) that Microsoft is currently trying to blow off, as reported a few posts below.) This bug was notable for several reasons:

  1. It affected virtually everyone running a recent 64-bit kernel, not only those with unusual configurations.
  2. Attackers had already been exploiting it long before it became public.
  3. Major distribution vendors such as Red Hat were dragging their heels and not publishing a patch, while suggesting a workaround that didn’t actually work.
  4. Ksplice Uptrack quickly released a fix for it.

Binary patching of running programs is not new. What set Ksplice apart was its automation of much of the process of creating a patch in the first place. Though the tools are still open source, I couldn’t help being somewhat amused at the apparent conflict between Ksplice’s raison d’être and Ksplice Uptrack’s financial interests, which manifests in this vague warning on the latter’s web site:

In contrast, the raw Ksplice utilities, provided below, are not recommended for general use.

Without the appropriate expertise and safety infrastructure, the raw utilities can create subtly incorrect rebootless updates, which can have serious consequences.

Written by st10

December 4th, 2010 at 12:58 am

Setting up a test environment for VPN Pivoting with Metasploit Pro

without comments

Here is a good article for people who are interested in penetration testing.

http://blog.rapid7.com/?p=5513

This article is about VPN pivoting with Metasploit Pro. The best thing is that it gives very detailed steps for setting up the test environment for VPN pivoting, which can serve as a good guide for practicing it yourself.

Below is a short description of VPN Pivoting taken from the article.

VPN Pivoting is one of the best but also most elusive features in Metasploit Pro. It enables users to route traffic through an exploited host to a different network. A TUN/TAP adaptor activates on the Metasploit Pro machine, showing no trace of a new network adapter on the exploited host.

Another useful article about VPN Pivoting can be found here.

http://blog.rapid7.com/?p=5447

————————–

VM rocks, doesn’t it?

Written by Wei Ding

December 2nd, 2010 at 1:52 am

The FCC and Regulating Internet Access

without comments

The FCC is outlining new rules for Internet providers in the United States. The new rules will prevent Internet providers from blocking lawful content. However, ISPs will be allowed to control traffic flow and adjust the flow of traffic to alleviate congestion or harmful traffic. These new rules will allow a new era where service providers are regulating the Internet.

These rules are a slippery slope that jeopardizes the openness we have come to expect from the Internet in the United States. It must be clearly defined for the ISPs what they are allowed to block. There are obvious categories, such as child pornography. However, there is a large gray area for some content.

The sharing of copyright material is unlawful. Should ISPs be responsible for regulating this traffic? It is easy for ISPs to detect file sharing itself, but the content being shared is often obscured. Detecting that the sharing is illegal is not obvious. Furthermore, this responsibility puts pressure on ISPs to cooperate with content owners.

Beyond blocking specific content, the FCC wants to allow ISPs to adjust the flow of some traffic to alleviate congestion. This rule would allow for anti-competitive behavior. If Comcast is allowed to slow down certain traffic, they can prevent me from accessing streaming video on demand services like Netflix and Hulu. They would not be specifically blocking it, but slowing down the connection can make the service unusable.

The Internet should be open. My access to services should not be slowed down because of the policies of my Internet provider. While the Internet should not be lawless, it is important to regulate carefully.

http://www.nytimes.com/2010/12/01/technology/01fcc.html?_r=1

Written by Stanley

December 1st, 2010 at 7:01 pm

Posted in Uncategorized

Wikileaks or Gov’t Leaks?

without comments

As I am sure many of you have heard, Wikileaks has been on the front page in recent days over a slew of diplomatic cables released to the public by it. An article detailing and explaining this latest Wikileaks update can be found here.

The question of whether Wikileaks is a force for the public good or a menace to public security has been analyzed to the point of being tiresome in my opinion. It is undeniable that there is a very real possibility of leaked documents resulting in some form of foreign relations crisis when so much diplomacy relies on secrecy being maintained by all parties involved. At the same time, atrocities have been committed precisely because secrecy prevented any sort of public response to actions committed by their governments.

What bothers me most of all is that the focus of every government has been to attempt to shut down Wikileaks and its founder, Julian Assange, is now on Interpol’s most wanted. Should the focus not be on securing the channels of communication used by our governments? The problem is not that someone is sharing information that should be confidential, but rather that confidential information somehow made it into the public realm at all!

There is an increasing group of people that think that all this uproar is an indication that we should switch to a much more open form of diplomatic relations, that we should do away with the secret meetings, the backdoor negotiations, and so forth. While certainly this sounds like an ideal setup, where all intentions are known, it reminds me of a quote by H. L. Mencken: “An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it is also more nourishing.”

I would very much like such a world to be possible. The problem is that this world only works if everyone plays by the rules. It only takes one cheater, one liar, to then manipulate this open policy and gain an advantage in the often dangerous game of world relations, and it is pretty clear that no government is going to find that state of affairs acceptable. At the same time, ours is a world where an increasing number of our rights, especially with regards to privacy, are being sacrificed in the name of public security.

This whole affair reminds me a lot of our discussion regarding our ethical responsibilities to inform the public or the company of security vulnerabilities discovered in their systems. We talked of minimizing harm as the guiding policy behind our actions. Unfortunately for information of such international scope, how can any one individual make any sort of accurate assessment of the potential harm that might result from sharing this kind of information? Even worse, with companies at least, you are protected by laws that give some measure of security against retribution for leaking information for the safety of the public, but with governments, there is absolutely no such protection. This means that any sensitive information puts you at risk by virtue of you knowing it. What then is the incentive of giving the information back to the owner? Publicity becomes your only shield, and it is a rather weak one.

The problem is one of trust, as it always is in the security world. I am of the opinion that the public has a right to know when their governments are scheming behind their backs, but then, I think governments also need to secure their information in order to advance their goals in the international arena, provided these goals are in line with society’s expectations of their governments. What is the answer then? I don’t know. The very concept of challenging your representatives while they are in power is a hard issue. Perhaps our relationship with our governments needs re-examination. Anyone have any thoughts?

Written by Nunu

December 1st, 2010 at 3:53 pm

Posted in privacy,real world

A hack that enables attackers to bypass Windows UAC is released

without comments

Here’s a link to the detailed story.

Just to save everyone’s time:

The exploit was disclosed last Wednesday. The bug is in the “win32k.sys” file, a part of the kernel of Windows Vista and Windows 7. With this bug, a non-administrator user can execute code that requires administrator privileges. But attackers also need another exploit to execute remote code. However, for an already compromised PC, this bug gives attackers the actual power to do anything they want. Attackers could combine the exploit with other malicious code that takes advantage of another vulnerability on the machine — not necessarily one in Windows, but in any commonly-installed application, such as Adobe Reader, for example — to hijack a PC and bypass UAC.

This totally breaks the Windows UAC security system, and the attack code is PUBLICLY-RELEASED!

Written by jackyang

November 30th, 2010 at 5:16 pm

Posted in Uncategorized

Phishing or not?

without comments

It’s not every day that I receive a piece of e-mail whose legitimacy remains indeterminate after more than a casual examination. In fact this is probably the first time–and I am still mystified as to its purpose. Here is the e-mail in question:

Good: I’m a Comcast customer, and it’s addressed to the e-mail that I have registered with them. If this is a phishing attempt, it’s the first time that someone’s gotten both of these details right–and I get a lot of phishing e-mails. Note: I can’t remember if I’ve ever actually signed up for EcoBill.

Bad: The message lacks any identifying information, such as name or account ID. On the other hand, legitimate messages sometimes don’t include that sort of thing, and I haven’t saved any other messages from Comcast for comparison.

Good: The domain name in the URL is www.p.comcast.net, which I picked up instantly. That certainly belongs to Comcast. If it had been, say, www.comcast.com.drevilsevilsite/ecobill, the game would have ended right then.

Bad: It doesn’t match the text of the link.

Good: The message is generally well-written and seems plausible.

Bad: The word “choose” is misspelled. But sometimes even legitimate e-mails contain mistakes, and I’ve also seen sloppy ones that ended up being real.


At this point I decided to dive into the headers.

Received: from mh.comcast.m0.net (209.11.164.184)
by [redacted] with SMTP; 28 Nov 2010 16:36:10 -0000
Return-Path: <comcast@comcast.delivery.net>
DomainKey-Signature: ....



Nothing after this can be trusted. There is some DKIM stuff which I don’t understand and have no way to verify, but even if that checked out it didn’t matter because the return path and From field show “delivery.net” which is registered to an “Acxiom Corporation.” They seem to be some kind of marketing company. Does Comcast rely on a third party to send some of its e-mails? I don’t know.

The server that directly contacted my mail server was mh.comcast.m0.net (209.11.164.184). Forward and reverse match (a good thing), but both m0.net and the IP range containing 209.11.164.184 belong to Acxiom Corporation as well.

It turns out that www.p.comcast.net resolves to 209.11.136.183, also owned by . . . none other than the mysterious Acxiom Corporation. This comes directly from the nameservers responsible for comcast.net (and comcast.com). Would Comcast allow an evil third party to take over one of its subdomains?

Now, supposing that this e-mail was something other than what it claimed to be, I had to wonder about its purpose. Was it trying to exploit yet another browser/Flash vulnerability by steering me to a malicious site? Did the authors intend to steal my account information? (I can’t imagine how any aspiring crooks could possibly expect to enrich themselves by hijacking someone’s ISP account.) Or did this marketing company simply want to verify that my e-mail address was valid so that it could add me to its spam-to list? (That would easily be the most trouble I’ve seen anyone go through for that, and apparently most spammers don’t care how much of their garbage never hits a valid target.)


Finally, I had to see what was at that URL. I copied only the first few characters, hoping that it wasn’t enough to uniquely identify me.

$ telnet www.p.comcast.net 80
Trying 209.11.136.183...
Connected to www.p.comcast.net.
Escape character is '^]'.
GET /r?2.1.Gy HTTP/1.0
Host: www.p.comcast.net

HTTP/1.1 302 Found
Date: Mon, 29 Nov 2010 19:32:19 GMT
Server: Apache
Location: http://www.comcast.com
P3P: CP=NON DSP COR ADMa DEVa PSAa IVAa IVDa OUR BUS IND UNI COM NAV INT
Content-Length: 60
Connection: close
Content-Type: text/plain; charset=ISO-8859-1

The URL has moved <a href="http://www.comcast.com">here</a>
Connection closed by foreign host.

It was an HTTP redirect to Comcast. If–in addition to my assumption above being correct–the server produced the same response to the complete URL, then there was no opportunity for foul play at all.

The verdict? Either this was the most ludicrously ineffective “bad” e-mail I’ve received to date (or so brilliant it accomplished something in a way that I couldn’t fathom); or Comcast needs to clean up its act and stop sending messages with so many red flags (the procedure it mentioned for enabling EcoBill doesn’t exactly match what’s on their site, either).

During Thanksgiving, I was asked what I was thankful for, and at the time I had no answer. Well, now I’m thankful that this serendipitous occurrence provided me with material to write about!

Written by st10

November 29th, 2010 at 3:02 pm

Posted in Uncategorized
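The header and link checks the post above walks through, as an added example that is not part of the original post: it compares the Return-Path and From domains, the relay named in the topmost Received header, and each link’s visible text against the domain the mail claims to come from. The message is constructed here from the hosts and IP the post quotes (the subject, body and link text are made up), and base_domain uses a naive last-two-labels rule, an assumption that fails for two-level public suffixes such as co.uk; the forward/reverse DNS check is left out so the example runs offline.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message modelled on the post: the hosts and IP are the ones the
# post quotes; the subject, body and link text are made up for this example.
SAMPLE = """Received: from mh.comcast.m0.net (209.11.164.184)
 by mail.example.org with SMTP; 28 Nov 2010 16:36:10 -0000
Return-Path: <comcast@comcast.delivery.net>
From: Comcast EcoBill <comcast@comcast.delivery.net>
Subject: Sign up for EcoBill
Content-Type: text/html

<p>Sign up at <a href="http://www.p.comcast.net/r?2.1.Gy">www.comcast.com/ecobill</a>
and chose paperless billing today.</p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
HOSTNAME = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)
RECEIVED = re.compile(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def base_domain(host):
    """Naive registrable domain: last two labels (assumes no co.uk-style suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def address_domain(header_value):
    """Domain of the mailbox in a From/Return-Path header value, or None."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def relay_host(msg):
    """(hostname, ip) of the server that handed the mail to our MTA,
    read from the topmost Received header (the only one we added ourselves)."""
    received = msg.get_all("Received") or []
    m = RECEIVED.search(str(received[0])) if received else None
    return (m.group(1), m.group(2)) if m else None

def link_mismatches(html):
    """Anchors whose visible text names a host outside the href's base domain."""
    found = []
    for href, text in ANCHOR.findall(html):
        shown, target = HOSTNAME.search(text), urlparse(href).hostname
        if shown and target and base_domain(shown.group(1)) != base_domain(target):
            found.append((shown.group(1), target))
    return found

def red_flags(raw, expected_domain):
    """The post's checks: envelope sender, From, relay host and link text are
    each compared with the domain the mail claims to come from."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    for name in ("Return-Path", "From"):
        dom = address_domain(msg[name])
        if dom and base_domain(dom) != expected_domain:
            flags.append(f"{name} domain {dom} is not under {expected_domain}")
    relay = relay_host(msg)
    if relay and base_domain(relay[0]) != expected_domain:
        flags.append(f"relay {relay[0]} ({relay[1]}) is not under {expected_domain}")
    body = msg.get_body(preferencelist=("html",))
    for shown, target in link_mismatches(body.get_content() if body else ""):
        flags.append(f"link text says {shown} but href goes to {target}")
    return flags
```

Running red_flags(SAMPLE, "comcast.net") reports all four of the post’s red flags for the constructed message; a mail whose sender, relay and links all sit under comcast.net yields an empty list.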

Virtualization Security

with one comment

Virtualization has become more and more popular these days. Its main advantages are that it allows multiple OSes to co-exist, that virtual machines can easily be ported and moved, and that it can provide another layer of security on top of the existing machine.

It’s interesting to see now that people are realizing a new threat model for virtualization and that the security of virtual machines is not something that can be assumed (Article). Copying and stealing virtual machines is definitely a cause for concern, in addition to more complicated exploits, including those that hijack the hypervisor (the virtual machine monitor). Exploits that hijack and/or fool the hypervisor have been a hot topic since Joanna Rutkowska unveiled the Blue Pill project, in which she showed that injecting code into the Vista x64 kernel allowed the creation of undetectable “blue pill” malware on machines with virtual machines running on top.

Yet even if the hypervisor is not meddled with, the VM does not provide complete shielding. If the VM is connected through a LAN, virtualization may not be enough to prevent viruses from spreading across the network, especially if it is not configured correctly (see here).

With virtual machines now widely used by corporations, often deploying an image across multiple machines, the security of VMs is now becoming an important topic.  I think all too often virtual machines give us an illusion of an all protective shield, but in reality, while VMs do provide us with some additional security, we must still take the appropriate security measures to protect ourselves from existing threats as well as the new threats that have emerged.

Written by echeng

November 29th, 2010 at 12:29 pm

Posted in Uncategorized