Online Gaming: Real Money, Real Threats

30 11 2012

by A.J. Holton

Background

Today millions of people across the world are joining together over the Internet to immerse themselves in the virtual world of gaming. MMORPGs (Massively Multiplayer Online Role Playing Games) are the top guns of the industry, boasting millions of subscribers worldwide. “New World of Warcraft® expansion sells 2.7 million copies in first week — global subscriber base passes 10 million” (“Alliance and Horde Armies”). This is a game which has been out for 8 years, and it still has many subscribers paying roughly $15 a month for service. Games like Blizzard’s World of Warcraft are constantly being exploited through cheats and account hacking. Guild Wars 2 was just released in late August 2012 and had problems with account security that day, with more than 11,000 accounts being exploited due to malware from adversaries (Parrish). It would seem account hacking is somewhat correlated with third-party account modification. The Guardian ran a story on Chinese prisoners who were actually forced to play this game to turn a real profit through illegal sales (Beijing). So as you can see, there is definitely a market for the willing adversary. The focus here is on Blizzard, as I am most experienced with their company and it is the biggest and most newsworthy. However, security applies to all online games, especially those of the MMORPG variety. What I aim to discuss is the implementation of what is called a Real Money Auction House, but first I must explain the security measures already in place.

Security Measures

Overall, MMORPG security issues have been growing, forcing companies like Blizzard to come up with ways to counteract them. “The Battle.net Mobile Authenticator is an optional tool that offers Battle.net, the Blizzard game client, account users an additional layer of security to help prevent unauthorized account access” (“Battle.net Authenticator”). The authentication process was needed to help Blizzard deal with the number of account compromises going on. Basically, it generates a random number, held by Blizzard and the user, which changes every minute, allowing only the user to log in (“Battle.net Authenticator”). Another security measure is the use of spyware like Blizzard’s Warden. This software takes information from your RAM, hard drive, CPU, IP address, OSes, and others “FOR PURPOSES OF IMPROVING THE GAME AND/OR THE SERVICE, AND TO POLICE AND ENFORCE THE PROVISIONS OF ANY BLIZZARD AGREEMENT” (“World of Warcraft Terms of Use”). Obviously these security measures were implemented because of the severity of the problem. We would expect companies like Blizzard to continue making games safer, but sometimes money is more important in the end.

Real Money Auction House?

Yes, Blizzard’s Diablo III came with a new, experimental RMAH (Real Money Auction House) which allows users to purchase in-game items on the auction house with real currency. In an auction house users can purchase anything from equipment to collectables. With this RMAH, you no longer need to spend countless hours collecting materials for in-game currency to purchase items. All you would have to do is enter your credit card number and your transaction is processed almost instantaneously. I believe this was a bit too ambitious for Blizzard as security was already compromised frequently. “This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard”, taken from the Blizzard website September 2012 (“Important Security Update”). Gaining access to Blizzard’s database would offer an adversary hundreds of account passwords and users’ credit card information. Blizzard gets a cut from the RMAH, meaning when a player makes a sale, Blizzard takes 15% off the top of the sale price (“Diablo III Auction House”). I think it almost goes without saying: the RMAH could be a very lucrative business for a skilled adversary to get into. It would be easy to modify transactions or redirect funds to new accounts. I can see countless vulnerabilities this new auction house brings to the online gaming world. Finding ways in code to repeat a transaction, modifying the value of items before or after transactions, rerouting money to different accounts, and simple password theft/account fraud are all examples of problems that could arise. If the problem gets too bad, Blizzard could lose the trusted fan base they have been working so hard to maintain. There is a story about a player losing $200 dealing with this RMAH, and the FBI even got involved. They were able to assist and return the user’s money (Usher). This is just one of many problems this implementation has caused already, and the FBI getting involved is nothing to disregard.
We need to take a look at Blizzard’s perspective to better understand their reasoning behind creating a RMAH.

Blizzard’s perspective is totally profit driven in a sense; however this RMAH does offer a service to players.  Instead of players buying and selling items from third parties, which is usually the main culprit behind compromised accounts, they will buy the items from Blizzard (Heartbourne). When looking at it from this perspective, it doesn’t seem so bad.  This would actually help cut down on account hacking and make Blizzard big profits in the end.  I think using the RMAH as a “security device” is brilliant and could really bring about a new age of gaming, if successful.  I have not found sufficient numbers to determine the success of the RMAH in Diablo III, as sadly I think the game died out much too quickly.  If games continue with this trend, the system could be completely compromised by an adversary getting into the company database.  If they do not implement this, there will still be a demand for purchasing items with real money from third parties (possibly leading to user account exploitation).  It is a tough decision, but I would opt for the RMAH because it has a high profit margin for the company and reduces user attacks.  I would put more resources into keeping my company’s systems secure, whereas I do not have as much control over the user’s account.  All in all, there will always be a market for adversaries in the online gaming realm.  Blizzard will remain a key innovator in the industry and it will be exciting to see if other companies start to follow suit. I would like to hear other people’s thoughts and comments on whether a system such as this is a good or bad idea for the future of online gaming.

__________

Beijing, Danny Vincent in. “China Used Prisoners in Lucrative Internet Gaming Work.” The Guardian. Guardian News and Media, 25 May 2011. Web. 01 Nov. 2012. <http://www.guardian.co.uk/world/2011/may/25/china-prisoners-internet-gaming-scam>.

Blizzard. ALLIANCE AND HORDE ARMIES GROW WITH LAUNCH OF MISTS OF PANDARIA. Blizzard.com. Blizzard Entertainment, 04 Oct. 2012. Web. 15 Oct. 2012. <http://eu.blizzard.com/en-gb/company/press/pressreleases.html?id=6147208>.

Blizzard. “Battle.net Mobile Authenticator FAQ.” Battle.net. Blizzard Entertainment, n.d. Web. 25 Oct. 2012. <https://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq>.

Blizzard. “Diablo III Auction House.” Blizzard.com. Blizzard Entertainment, n.d. Web. 26 Oct. 2012. <https://us.battle.net/support/en/article/diablo-iii-auction-house-general-information>.

Blizzard. “Important Security Update.” Blizzard.com. Blizzard Entertainment, n.d. Web. 26 Oct. 2012. <http://us.blizzard.com/en-us/securityupdate.html>.

Blizzard. “World of Warcraft Terms of Use.” Blizzard.com. Blizzard Entertainment, n.d. Web. 25 Oct. 2012. <http://us.blizzard.com/en-us/company/legal/wow_tou.html>.

Heartbourne. “Diablo III Real Money Auction House: Analysis of Fees, Market Forces, and Strategy.” Lorehound.com. N.p., n.d. Web. 26 Oct. 2012. <http://lorehound.com/news/diablo-iii-real-money-auction-house-analysis-of-fees-market-forces-and-strategy-part-2/>.

Parrish, Kevin. “Guild Wars 2 Accounts Hacked Immediately After Launch.” Tom’s Hardware. Tom’s Hardware, 08 Sept. 2012. Web. 20 Oct. 2012. <http://www.tomshardware.com/news/ArenaNet-Guild-Wars-2-MMOG-PC-Gaming-Hacking,17455.html>.

Usher, William. “Gamer Loses $200 Due To Diablo 3’s RMAH Region Restrictions.” Cinemablend.com. Gaming Blend, n.d. Web. 19 Oct. 2012. <http://www.cinemablend.com/games/Gamer-Loses-200-Due-Diablo-3-RMAH-Region-Restrictions-44123.html>.





Quantum Cryptography

29 11 2012

Cryptography as we know it today has evolved over generations and has come a long way from the Caesar cipher to modern ciphers like AES. Modern ciphers are known to be cryptographically strong and some of them have not yet been broken. The stability of these modern ciphers and cryptographic techniques has not satiated the hunger of modern cryptologists. We keep hearing of new innovations and breakthroughs in the field of cryptology. One such innovation of modern times has been the birth of Quantum Cryptography. The first time I heard of “Quantum Cryptography” was when my professor happened to mention it in my Information Security class. It captured my imagination instantly and I just wrote the words down in my notebook to dig more into it. And as I researched more and more about the topic, my fascination for it kept growing.

Quantum Cryptography has its roots in physics, using the properties of photons to achieve security. Quantum Cryptography is based on the Heisenberg Uncertainty Principle, which states that it is impossible to determine certain properties of a photon, such as position, without changing some other properties, such as velocity. Since QC (Quantum Cryptography) relies on the characteristics of photons to transmit messages securely through the channel, anyone trying to detect one of the properties of a photon to launch an attack will end up disturbing some other properties of the photon, which would be easily detected by the receiving party. Once the receiving party observes that some of the properties of the incoming photon have been disturbed, they can be sure that an attacker in the middle was trying to eavesdrop on the message, and the receiving party can drop this message [1].

So the question is how photons are analogous to the bits we have in classical cryptography. Light waves are transmitted as very minute massless particles known as photons. When a light wave composed of photons passes through a filter, the photons come out of the filter aligned in a certain direction, depending upon the type of filter used. Say, for example, we have a stream of photons passing through a vertical filter (|): the emerging photons will be aligned in the vertical direction, and this can be noted down as a 1 bit. Likewise, if we use a horizontal filter (–), the photons will be aligned in the horizontal direction and we can note this state as a 0 bit. The diagonal filter (X) is another filter commonly used to note the state of a photon. This alignment of a photon in a particular direction is known as polarization. Thus a sender such as Alice can send a stream of polarized photons (effectively a stream of 0’s and 1’s) and the receiver Bob can detect the states of these photons [2].

This form of communication using photons has been used by cryptographers to exchange secret keys, enabling them to send encrypted data on the network. The BB84 protocol, developed by Bennett and Brassard in 1984, is one of the most popular Quantum Key Distribution protocols [3]. The BB84 protocol uses the polarization of light waves to exchange a secure key between Alice and Bob. Alice sends a stream of photons by polarizing them. Bob detects the photons using any of the possible filters and notes the stream of 0’s and 1’s based on photon alignment. Finally, by using a classical channel, Bob and Alice can verify which bits were received correctly by Bob and whether there was any eavesdropping by Eve. The secret key that they finally come up with will be a subset of the bits exchanged between the two [4].
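A small simulation of the BB84 exchange described above, added here as an illustration and not taken from the cited sources. The intercept-and-resend model of Eve, the 10% abort threshold and the choice to sacrifice half of the sifted bits for comparison are assumptions of this example.

```python
import random

RECT, DIAG = "+", "x"    # rectilinear filter (| or –) and diagonal filter (X)
ABORT_THRESHOLD = 0.10   # assumed error-rate cut-off for this demo


def measure(bit, prepared_in, measured_in, rng):
    """The matching filter reads the bit; the wrong filter gives a random result."""
    return bit if prepared_in == measured_in else rng.getrandbits(1)


def bb84(n_photons, eavesdrop, seed):
    """Run one key exchange and return the error rate and the resulting keys."""
    rng = random.Random(seed)
    alice, bob = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.getrandbits(1), rng.choice((RECT, DIAG))
        bit, basis = a_bit, a_basis              # state of the photon in flight
        if eavesdrop:
            # Eve must pick a filter without knowing Alice's; measuring with the
            # wrong one destroys the original polarization before she re-sends.
            e_basis = rng.choice((RECT, DIAG))
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.choice((RECT, DIAG))
        alice.append((a_bit, a_basis))
        bob.append((measure(bit, basis, b_basis, rng), b_basis))

    # Sifting over the classical channel: only the filter choices are announced,
    # and positions where Alice and Bob used different filters are discarded.
    sifted = [(a[0], b[0]) for a, b in zip(alice, bob) if a[1] == b[1]]
    if len(sifted) < 2:
        raise ValueError("too few photons to sift a key")

    # Half of the sifted bits are compared in public to estimate the error rate.
    check = set(rng.sample(range(len(sifted)), len(sifted) // 2))
    errors = sum(1 for i in check if sifted[i][0] != sifted[i][1])
    qber = errors / len(check)
    accepted = qber <= ABORT_THRESHOLD

    # The undisclosed remainder becomes the key, a subset of the bits sent.
    keep = [pair for i, pair in enumerate(sifted) if i not in check]
    return {
        "sifted": len(sifted),
        "qber": qber,
        "accepted": accepted,
        "alice_key": [a for a, _ in keep] if accepted else [],
        "bob_key": [b for _, b in keep] if accepted else [],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(2000, eavesdrop=eve, seed=7)
        print(f"eavesdropper={eve}: sifted={r['sifted']} "
              f"error rate={r['qber']:.3f} accepted={r['accepted']} "
              f"key bits={len(r['alice_key'])}")
```

With no eavesdropper every compared bit agrees; with Eve measuring each photon, roughly a quarter of the compared bits disagree and the exchange is rejected.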

Popularity of Quantum Cryptography

Quantum Cryptography has already found commercial use and a number of companies are selling QC products. Companies like ID Quantique and MagiQ Technologies are already in this business [5][6]. In Geneva, Switzerland, in 2007, votes were cast during parliamentary elections using a secret key exchanged using Quantum Key Distribution. This was one of the first public uses of Quantum Cryptography [7]. Apart from this, a lot of popular research is under way in this field in various institutions around the world. Los Alamos National Lab researchers claim to make smart phones secure using quantum cryptography [8].

Weakness/Limitations of Quantum Cryptography

Although Quantum Cryptography promises to be more secure than its classical counterpart, it still has some weaknesses. As the technology is getting more popular and finding more commercial uses, it is becoming a target for attackers. One of the popular attacks on quantum cryptography in recent times has been the side-channel attack [9]. Apart from these weaknesses, there are certain limitations associated with this model. The receiver and the sender need to have an end-to-end fiber channel between them. Also, quantum cryptography focuses more on providing confidentiality and integrity once authenticity has been achieved using classical methods. There is no guarantee of availability, i.e. protection against DoS attacks. One major weakness with Quantum Cryptography is failure to detect even secure exchanges due to noise or interference in the transmission medium [10].

Though Quantum Cryptography promises to provide more secure connections than Classical Cryptography, it still has a long way to go before it becomes a real threat to Classical Cryptography. The technology is still in its infancy and a lot of research is still needed to make it more accessible and deployable in organizations. This is not just a competition between Quantum and Classical Cryptography but a competition between Physics and Math. Whatever the outcome of this competition, the ultimate winners will be the organizations looking for more secure means of communication. Finally, I can say that at the rate at which Quantum Cryptography is being adopted, it is still a long way from becoming as pervasive as Classical.

____________

  1. Vittorio, Salvatore. “Quantum Cryptography: Privacy Through Uncertainty.” ProQuest – Discovery Guides. October 2002. Web. 22 October 2012. <http://www.csa.com/discoveryguides/crypt/overview.php>.
  2. See 1
  3. Bennett, Charles and Brassard, Gilles. “Quantum Cryptography: Public Key Distribution and Coin Tossing.” International Conference on Computer, Systems and Signal Processing. Bangalore, India: IEEE, 1984.
  4. See 3
  5. MagiQ Home Page. N.p, n.d. Web. 28 October 2012. <http://www.magiqtech.com/MagiQ/Home.html>.
  6. Quantum Cryptography. N.p, n.d. Web. 28 October 2012. <http://swissquantum.idquantique.com/?-Quantum-Cryptography->.
  7. Josh, Clark. “How Quantum Cryptography Works.” howstuffworks. n.d. Web. 24 October 2012. <http://science.howstuffworks.com/science-vs-myth/everyday-myths/quantum-cryptology.htm>.
  8. Michael, O’Connell. “Scientists use quantum cryptography to create ‘un-crackable’ phone security.” federalnewsradio. 23 January 2012. Web. 27 October 2012. <http://www.federalnewsradio.com/241/2717409/Scientists-use-quantum-cryptography-to-create-un-crackable-phone-security>.
  9. Lee, Chris. “Quantum cryptography: yesterday, today, and tomorrow.” arstechnica. 17 September 2012. Web. 27 October 2012. <http://arstechnica.com/security/2012/09/quantum-cryptography-yesterday-today-and-tomorrow/3/>.
  10. See 1




Inferences on Non-Sensitive Data

28 11 2012

Before there was technology, at least two things could be inferred about you from your name alone: your gender and your race. For example, the name Muhammad Hafiz tells that the person is male and that he is either Asian or Arab. But for me to make such an inference, I would have to have cultural knowledge about the origin of the name, where it is most commonly used, and so on.

With face-recognition technology, an anonymous person on the street can be identified by name. In an experiment, a picture of a subject was taken on site and then uploaded to a cloud-computing cluster. The picture was then compared with searchable Facebook profile pictures to find a match, and afterwards the subject was asked to confirm their picture in the result set. A ratio of 1:3 out of 93 subjects acknowledged their picture [1].

Sensitive data is defined as “any data that must be kept secure” [2]. Thus, name and face are considered non-sensitive data. This is because you cannot possibly keep your name secure; people need to call you by your name to make conversation, and a letter or parcel needs a name for someone to claim that it belongs to them. As for your face, unless you wear a mask all the time or you are wearing a “burqa”, a garment that covers your face and shows only your eyes, there is no way you can keep it secure either.

When we talk about privacy and security, the concern is mostly with sensitive data. Examples of sensitive data are birth date, SSN and geo-location. Birth date and SSN are kept protected so that an attacker cannot steal your identity, while you would want to keep your location protected because you do not want people to find out where you are and infer what you are doing at that location. However, there are increasing examples of how non-sensitive data can betray your privacy and thus lead to the disclosure of your sensitive data.

Example #1: Accelerometer in your mobile device

The accelerometer is what makes the screen on your mobile device change to landscape or portrait when you tilt it horizontally or vertically. To be more accurate, an accelerometer is “a device that can measure the force of acceleration, whether caused by gravity or by movement” [3]. In one paper, the accelerometer is shown to be able to infer the location of a mobile device. This is done by analyzing the motion signature of the device. The motion signature can tell us whether the person is on public transportation like a bus or subway, or if the person is near us [4].

Example #2: Loyalty card

In my Economic Analysis class, Professor Lim mentioned the benefit of a loyalty card to the merchant endorsing it. To the customers, the benefit of using the card is getting discounts on items, buying bundled items and collecting reward points. But merchants are actually collecting the information to study our buying patterns or to measure the price elasticity of an item.

In conclusion, when making privacy policy, there is a need to protect non-sensitive data too, because the proliferation of these data is known to lead to the disclosure of sensitive data that we have worked hard to secure in the first place.

__________

  1. Acquisti, Alessandro. Privacy in the Age of Augmented Reality. 2012. Web. <http://www.youtube.com/watch?v=Kcz0hUtYVXc>
  2. Glossary. Web. <https://www.securecoding.cert.org/confluence/display/java/BB.%20Glossary>
  3. What does the iPhone accelerometer do? Web. <http://electronics.howstuffworks.com/iphone-accelerometer.htm>
  4. Jun Han, Emmanuel Owusu, Le T. Nguyen, Adrian Perrig, Joy Zhang. ACComplice: Location Inference using Accelerometers on Smartphones. 2012. Web. <http://www.truststc.org/pubs/843/han_ACComplice_comsnets12-1.pdf>




Online Banking Consumer Protection – the More the Better?

27 11 2012

Living as a complete foreigner in the United States for the last couple of months, one of the outstanding differences that aroused my cultural curiosity is its banking. Two things were particularly confusing – the paper checks and the online banking. Some may ask “Isn’t their Internet banking super easy?” True, and that is where my confusion arises. My new bank, and the clerk, never asked me anything about security options except setting up the password and 4-digit PIN. It was shockingly simple and minimal compared to my old bank in my hometown. Later on, when I browsed their site, it was connecting to their SSL server. It had the mind-boggling green box – a safe sign anyway. It was fast, easy, and I was not challenged by any other security question except my password and PIN. I could finalize my first month’s rent transfer online without trouble. A while later I happened to lock my account by entering an incorrect password three times. Still, I could reset my password by phoning the bank and dealing with the automated answering machine.

This contrasts with my previous online banking experience, where some security features are mandated for banks that want to provide banking services to their customers online. On top of the traditional password for the website and PIN for the account, a personal certificate and a physically distributed passcode are both issued. For example, using a desktop or smartphone, I can only start my online banking after presenting my personal certificate signed by the bank (the bank operates like a Certificate Authority). From that point I can access and see my account details. To process transactions, I need to present the certificate again in the course of digitally signing the transaction order’s confirmation. Before each confirmation, the server will also challenge me with ‘what you have’ passwords. Clients can choose to have an OTP (One Time Password) token after paying about $5. Other than the better security, the OTP usually grants a higher daily transaction limit than the Security Card. If customers don’t want to pay this $5, as an alternative the credit-card-sized Security Card, with a table of challenge numbers, can be issued for free. On every transaction order, the bank will challenge the client with two different numbers from this table.

From its complexity, some clients including me feel some sense of safety. Do these features imply that my old bank is safer than my new, password only banking? I thought so. Should they urgently adopt OTP, security card, PKI, or Smartcard to increase safety? Maybe.

Whatever security options the banks decide to deploy, their primary goals are a confidential channel, authentication of user and server, data integrity and non-repudiation [1]. The bank can claim it has done its part after providing standardized solutions to protect the end-to-end communication from eavesdroppers and an authentication that is good enough to differentiate me from the dogs of the Internet. Data integrity and non-repudiation would be by-products of the security solution. In this sense, my new bank did its job by providing an SSL connection and password authentication. More security features may be redundant – if I can do my part to protect the password.

However, the challenge is in the client side. I am not sure if my computer is 100% secure, and the banks have no way to know whether their clients’ computers are running with banking Trojan or wiretapped by some network penetrator. I can only hope that my communication between the keyboard and the browser is not key-logged, my monitor not screen-logged, my web browser clean, and the SSL properly connected to my bank while I do my banking.

A scary scenario can be written if I don’t assume the safety of my PC, and there is not much my bank can do to save me. Things can be stolen – password, PIN, my private key along with the certificate, my password to invoke my private key and partial contents from my security code card. This may mean that the expensive banking PKI becomes useless even with the bank’s effort to provide better security. The Security Card can slow down the exfiltration, although it also can be fully revealed if the Trojan had enough time to collect all the 4 digit numbers in 35 table entries. My OTP may still stand safe. Studies say that proper use of the security card and OTP will minimize the attack vector down to man-in-the-browser or session hijacking attacks [1], which are more costly or difficult for the attackers [2].
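A worked exposure model for the Security Card described above, added here and not taken from the cited study, useful for judging when a card should be treated as exposed and re-issued. It assumes each transaction reveals two distinct, uniformly chosen entries out of 35 in full, and that every response typed on the infected PC has been recorded; the function names are this example's own.

```python
from fractions import Fraction
from math import comb
import random

ENTRIES = 35        # table entries on the card (figure from the article)
PER_CHALLENGE = 2   # entries requested per transaction (from the article)


def _miss(hidden, entries=ENTRIES):
    """Probability that one challenge avoids `hidden` specific entries."""
    return Fraction(comb(entries - hidden, PER_CHALLENGE),
                    comb(entries, PER_CHALLENGE))


def expected_entries_seen(k, entries=ENTRIES):
    """Expected number of distinct entries disclosed after k transactions."""
    return entries * (1 - _miss(1, entries) ** k)


def p_next_challenge_answerable(k, entries=ENTRIES):
    """Exact probability that both entries of a fresh challenge were already
    disclosed in k observed transactions (inclusion-exclusion on two entries)."""
    return 1 - 2 * _miss(1, entries) ** k + _miss(2, entries) ** k


def transactions_until(threshold, entries=ENTRIES):
    """Smallest k at which a fresh challenge is answerable with probability
    at least `threshold`."""
    if not 0 <= threshold < 1:
        raise ValueError("threshold must be in [0, 1)")
    k = 0
    while p_next_challenge_answerable(k, entries) < threshold:
        k += 1
    return k


def simulate(k, trials, seed, entries=ENTRIES):
    """Monte Carlo cross-check of p_next_challenge_answerable."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(k):
            seen.update(rng.sample(range(entries), PER_CHALLENGE))
        fresh = set(rng.sample(range(entries), PER_CHALLENGE))
        hits += fresh <= seen
    return hits / trials


if __name__ == "__main__":
    print("transactions  entries seen  P(next challenge answerable)")
    for k in (1, 5, 10, 20, 40, 80):
        print(f"{k:12d}  {float(expected_entries_seen(k)):12.1f}  "
              f"{float(p_next_challenge_answerable(k)):.4f}")
    print("50% exposure after", transactions_until(Fraction(1, 2)), "transactions")
```

A one-time password has no such accumulation: each observed value is useless for the next transaction, which is why the post expects the OTP to hold where the card eventually does not.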

Should we force the banks to take more responsibility for the security of the client’s terminal, by distributing a banking plug-in or anti-virus software for the client computers connecting to their servers? The answer may be controversial, and the solution may differ by country and case. It may annoy people, because the installation of the plug-in is sometimes not optional [1]. However, no matter how the bank tries to deploy new security supports, such effort can become useless when the users are infected by various kinds of Trojan, carelessly store their private keys in their email boxes, or have their security card scanned and stored in cloud storage.

Given that my new bank does not lose data somewhere else, my new bank’s simple password security is not worse than the one they provide in my hometown. I guess I should just be more careful and vigilant, maybe virtualize one of my desktops for banking only. However, since I can make mistakes and lose my data someday, I would feel safer if my bank promoted the OTP or security card as one of their security options.

__________

[1] Hyoungshick Kim, Jun Ho Huh, Ross Anderson “On the Security of Internet Banking in South Korea” Computing Science Group, Oxford University, CS-RR-10-01

[2] Chris Sanders, “Understanding Man-in-the-Middle Attacks”, http://www.windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part4.html





Cyber Crime and the Underground Economy

16 11 2012

by Anurag Bhatt

On a bulletin board inaccessible without a Tor browser bundle, a user identified only as “admin” asks, “so I want to ddos attack my buddies ip address for just like 20 minutes, enough to keep his internet down for just a little bit. [C]ould he find out, or could I face penalties?” A user calling himself “rolf” replies, “You can’t DDoS someone on your own. bbye.”[1]

This is an example of one of the more innocuous exchanges that take place on these boards, far removed from the familiar confines of the Internet that people access every day. Few people are aware that under the reasonably well-protected and censored Internet that they are used to lies a thriving bazaar of illegal trade, where botnets and stolen Paypal accounts are bartered in the same casual manner that one would adopt when purchasing a bestseller on Amazon.com.

This dark corner of the Internet, called the “deep web” or the “underground,” is not indexed by conventional search engines and cannot be accessed without using Tor, the anonymous browsing software that operates on the principle of onion routing[2]. Items exchanged within the cyber underground are a mishmash of cyber-attack tools, stolen identities, stolen credit card information and in many cases, drugs and child pornography. Noah Shachtman, contributing editor at Wired, refers to this underground market as “South Bronx circa 1999.”[3] Mr. Shachtman refers to the underground as a “real, serious crime problem” which he estimates leads to tens of billions of dollars in profits for the perpetrators involved. He also blames both state actors and people looking to make a profit for the proliferation of cybercrime, while stating that the reward to risk ratio for cyber criminals is very high, due to the low cost of committing such attacks and the low probability of getting caught.

The Cyber Underground

The Merriam-Webster online dictionary carries this as one of the definitions of “underground” – an unofficial, unsanctioned, or illegal but informal movement or group; especially: a usually avant-garde group or movement that functions outside the establishment. [5] In this context, the cyber underground refers to illicit, informal and often illegal exchanges of information, goods and money which take place through the Internet.

In general, Internet traffic is not difficult to trace due to the inherent nature of the protocols that govern information exchange. The Internet, by design, is not made for anonymity. This has led to a slew of anonymization techniques, of which the most resilient and effective is called Tor.

Tor is an acronym for “The Onion Router.” It operates on the principle of “onion routing,” wherein each packet is sent via a different path and is encrypted by the contents from its last hop. The distributed nature of the paths that the packets take makes it nearly impossible to trace them back to individual users[2].

The effectiveness and simplicity of Tor has given rise to a parallel Internet far removed from the conventional Internet that people are accustomed to browsing. Pages within this parallel Internet have the domain extension “.onion” instead of the more familiar “.com”, “.net”, “.edu” and other domains that are commonly found on the conventional Internet. Onion links are also designed to be difficult to remember, with the names often being random combinations of letters and numbers.

Within the underground, many services and goods are traded illegally. These include, but are not restricted to, buying and selling botnet space, stolen bank accounts, Paypal accounts and credit card information, zero-day exploits (extremely valuable exploits, usually in new software, which have not yet been patched), hacking tools, drugs and hitman services.

The Economy of the Underground

For any illegal transaction, the most desirable property of the currency exchanged is that it should be decentralized (not issued by a central authority) and untraceable. Fortunately for cyber criminals and unfortunately for law enforcement agencies, the introduction of the cryptographic currency Bitcoin (BTC) in January 2009 provides these very features. The completely decentralized and P2P nature of Bitcoin makes it difficult to trace Bitcoin transactions, making it the currency of choice throughout the cyber underground. As of 28th October 2012, one BTC is valued at $10.4, which represents a slight drop in value from its average value of $11.63[6].

An example of a thriving underground market is the Silk Road, where illegal drugs are routinely bought and sold through a reputation based system not unlike the one found on eBay[7]. The reputation based system helps to protect buyers from potential scammers. Silk Road only allows transactions to be completed via Bitcoin to protect user anonymity. Another website called The Farmer’s Market was shut down after its administrators were traced via transaction records and months of infiltration by police forces from the United States, Colombia and the Netherlands. This website offered Paypal and Western Union as alternative modes of payment, which are easier to trace and detect[8].

Other services that can be accessed within the underground include the infamous Rent-a-Hacker[9]. On this page, a self-confessed “technical expert” encourages potential customers to send a random number of Bitcoins to his account before he would deign to reply. Services which he claims to offer include DDoS attacks on various websites, social engineering organizations, “ruining” personal lives and economic espionage.

However, Bitcoins themselves are not fully anonymous, and can be traced by sophisticated network analysis attacks. According to Jeff Garzik, a part of Bitcoin’s developer team, “Attempting major illicit transactions with bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb.”[8]

Conclusion

The extent of the cybercrime problem is thrown into stark relief by 2012 statistics. So far in 2012, U.S. companies have suffered an average damage of $8.9 million from cybercrime and malware[10]. Norton estimates that cybercrime has cost U.S companies a cumulative $110 billion so far this year[11].

The relative anonymity provided by a combination of Tor and Bitcoins makes underground cybercrime extremely difficult to crack down on. One of the few methods which seems to be effective in combatting this menace is systematic infiltration of the trust networks within the online markets.

Based on the ease of hopping onto the Tor network and purchasing Bitcoins, however, it is likely that cybercrime through these illicit, underground channels will continue to proliferate.

_______

[1] DDoS question. Web. Oct. 27 2012. <http://4eiruntyxxbgfv7o.onion/snapbbs/1b133305/showthread.php?&threadid=c9085adba44e9a6a316770ed284e28bf>

[2] Goldschlag, Reed, Syverson. ”Onion Routing for Anonymous and Private Internet Connections.” DTIC. Web. Jan. 1999. Oct. 27 2012 <http://scholar.google.com/scholar_url?hl=en&q=http://www.dtic.mil/dtic/tr/fulltext/u2/a465075.pdf&sa=X&scisig=AAGBfm11GsU9fSUxuiefP2wzcxE08CpU0Q&oi=scholarr>

[3] “Shachtman: Cyber Threats Akin to South Bronx, Not Pearl Harbor.” International Peace Institute. Web. May 2012. Oct. 27 2012. <http://www.ipacademy.org/events/panel-discussions/details/355-shachtman-cyber-threats-akin-to-south-bronx-not-pearl-harbor.html>

[4]Bruce Schneier. “Identifying Tor Users Through Insecure Applications.” Schneier on Security. Web. Mar. 2011. Oct. 27 2012. <http://www.schneier.com/blog/archives/2011/03/identifying_tor.html>

[5]”Underground.” Merriam-Webster. Web. Oct. 27 2012. <http://www.merriam-webster.com/dictionary/underground>

[6]”Bitcoin Charts.” Bitcoin Charts. Web. Oct. 2012. Oct. 28 2012. <http://bitcoincharts.com/markets/>

[7] Adrian Chen. “The Underground Website Where You Can Buy Any Drug Imaginable.” Gawker. Web. Jun. 2011. Oct. 28 2012. <http://gawker.com/5805928/the-underground-website-where-you-can-buy-any-drug-imaginable>

[8]Dan Goodin. “Feds shutter online narcotics store that used TOR to hide its tracks.” Arstechnica. Web. Apr. 2012. Oct. 28 2012. <http://arstechnica.com/tech-policy/2012/04/feds-shutter-online-narcotics-store-that-used-tor-to-hide-its-tracks/>

[9]”Rent-a-Hacker.” Web. Oct. 28 2012. http://ugh6gtz44ifx23e7.onion/

[10]Robert Lemos. “Cybercrime Costs Jumped 6 Percent in 2012.” eWeek, Web. Oct. 2012. Oct. 28 2012. <http://www.eweek.com/security/cybercrime-costs-jumped-6-percent-in-2012/>

[11]” 2012 Norton Study: Consumer Cybercrime Estimated at $110 Billion Annually.“ Symantec. Web. Sep. 2012. Oct. 28 2012. <http://www.symantec.com/about/news/release/article.jsp?prid=20120905_02>





Why the U.S. should continue development and increase funding for Internet Anti-Censorship Tools

12 11 2012

by Brian Thompson

Until earlier this week I never would have imagined that the U.S. State Department, in conjunction with the Broadcasting Board of Governors, an independent U.S. government agency, was funding development of anti-censorship tools for the Internet [1]. According to an article in The Washington Post, “the United States spends about $30 million a year on Internet freedom, in effect funding an asymmetric proxy war against governments that spend billions to regulate the flow of information” [1]. The current administration is not trying to hide this from the world either; the program and its aims were brought up at a town hall meeting three years ago in Shanghai [1].

This policy and its implementation may alarm you. According to Defensenews.com, as recently as Sept 21, 2012 “The White House is working with the Department of Homeland Security, FBI and others to develop an executive order to counter cyber security threats” [2]. Could this seemingly innocuous government program be tied to future national counter cyber security rules of engagement? Based on my experience in the Intelligence field for the military and from what I’ve read, it is not, and any thoughts to the contrary are pure fantasy.

The next question you might be asking yourself is why your tax dollars are going to subvert foreign governments’ sovereign right to manage their own affairs. Viewed another way, why does the U.S. government send billions of dollars in aid to foreign countries every year? According to the global aid organization Oxfam, the U.S. spent $30.2 billion, or 0.21% of the 2010 budget, in various forms of financial aid to foreign countries [3].

Some strategic reasons why the U.S. sends this aid are national security, national economic interests and, lastly, to demonstrate good moral leadership towards others [3].  To me, these reasons are very logical.  Too many times in the past, our country’s government and others have tried to influence events in other nations through the barrel of a gun.  In today’s world, everybody has a gun and the real power is in the expert use of “soft power.”  According to Harvard Kennedy School Professor Dr. Joseph Nye, who defined the concept as “co-opting people rather than coercing them,” soft power has been a tool of the military and statecraft in various forms for many years [4].  It is through the domain of cyberspace that this type of power can be leveraged for good and more importantly with no bloodshed.

The aim behind developing tools like Tor, Ultrasurf, DynaWeb and Freegate is to increase access to the open and expansive Internet for those living in countries with more restrictive Internet policies. In the U.S., we take for granted immediate access to news, opinions, facts, art, literature, education and much more wherever we are. Other countries, such as China, North Korea, and Iran, restrict and manipulate their citizens’ access to this global digital community to the extent that those citizens don’t even know what or whom to believe anymore.

Supporting Internet anti-censorship tools helps the United States’ national security policy and promotes public goodwill toward support of anti-censorship tools that break up the building distrust of the U.S. in outside eyes. Foreign nationals can see that the U.S. is not a threat to their way of life and that it stands ready to assist in helping their security through partnerships, not invasions. It can also work internally. By breaking through cracks in the censors, common Chinese citizens can organize and have a better understanding of the crimes their government seeks to suppress.

For example, in China the “Great Firewall,” as it is affectionately known, has near-total control of the incoming and outgoing Internet traffic of not only its citizens, but all foreign companies that are based there [5]. The main component in China’s strategic control of the Internet inside its borders is called the Golden Shield Project [5]. While the U.S. has a tremendous number of entry points for the Internet, “China’s Internet was designed with ready-made choke points; these are a tiny collection of fiber-optic cables entering the country at a limited number of points: Beijing, Shanghai, and Guangzhou” [5].

By using monitoring software and hardware on these choke points, the government can then process all traffic via the Golden Shield network, and utilize extensive security techniques such as: DNS Blocking, Connection Resets, URL Keyword blocking and Site Scanning [5].  The final component in this grand strategy of China’s Internet censorship is of a human nature where they employ “at least 10,000 government paid censors and volunteers who search for offensive sites, delete posts and warn netizens of their web behavior.” [5]

From an economic perspective, China’s Great Firewall could possibly infringe on corporations’ proprietary and copyrighted material and, in turn, manipulate the markets by passing sensitive information to state-controlled or state-backed competitors. Anti-censorship tools wouldn’t accomplish much in preventing this, but they would go a long way towards making the government more accountable when its citizens hear about the Communist Party’s anti-competitive ways in the business arena.

Just as security professionals in a modern corporation manage black and white listings through their firewall programs and hardware, China’s government performs the same operations, except that it does so to stifle freedom of speech and the dissemination of non-biased state-based news and information. China’s official policy is that it performs these actions for the protection of its people and the Communist Party of China, but in actuality it oppresses its population by sowing mistrust of the outside world through disinformation of news from inside and outside the country [5,6].

Unfortunately, China is not the only country that distorts, in my mind, the tools that information security professionals use around the world to safeguard personal, physical and digital property.  Many other authoritarian regimes utilize firewalls, IPSs, IDSs and all manner of network attack, defense and exploitation operations to protect their leaders and regimes by sacrificing their people’s freedoms in cyberspace.

It is in the United States’ best interests, in terms of national security, national economic interests and goodwill from the American people, to continually fund the development and dissemination of Internet anti-censorship tools.

_________

1 http://www.washingtonpost.com/world/national-security/online-tools-to-skirt-internet-censorship-overwhelmed-by-demand/2012/10/21/390457a2-082d-11e2-858a-5311df86ab04_story.html?wpmk=MK0000200

2 http://www.defensenews.com/article/20120921/C4ISR01/309210002/White-House-DHS-FBI-Drafting-Executive-Order-Cybersecurity

3 http://www.oxfamamerica.org/files/foreign-aid-101-revised-edition.pdf

4 http://www.wordspy.com/words/softpower.asp

5 http://digitrends.proferochina.com/index.php/lp/behind-the-great-firewall-of-china/

6 http://www.wired.com/politics/security/magazine/15-11/ff_chinafirewall?currentPage=all&utm_source=Contextly&utm_medium=RelatedLinks&utm_campaign=Previous

7 http://topics.nytimes.com/topics/news/international/countriesandterritories/china/internet_censorship/index.html





Random Number Generation and Information Security

11 11 2012

by Siwen Zhao

Random Number Generation (RNG) is one of the most critical issues in ensuring information security. Many methods for securing our information need random numbers. For example, random numbers are used in creating keys (e.g. one time pad) for data encryption, generating large primes for asymmetric key exchange and selecting CAPTCHA strings for authentication. Because random numbers are so important in information security, we would always want to develop RNG methods that can generate numbers with greater randomness.

Before discussing the details of RNG, it is important to understand what randomness is. Truly random numbers [1]

  • Are unpredictable, and
  • Cannot subsequently be reliably reproduced.

Therefore, only RNG methods that generate random numbers with the two characteristics above can achieve true randomness and are immune to random number attacks.

However, true randomness is very hard to attain, which leaves our information vulnerable to attack once the “random” numbers get cracked. With interests in how we generate random numbers and how the “randomness” can be cracked, I would like to discuss, in the rest of this blog, the major methods of RNG and how they work, some thoughts on what are the pros and cons for each category of methods, and some current issues and developments.

The RNG methods can be categorized based on their random sources. “Random sources can be classified as either true-random or pseudo-random.” (Ellison) [2] We will look at these two categories one by one in the following sections.

True Random Number Generator

A True Random Number Generator (TRNG) is also called a physical generator [1], because physical devices serve as the random sources. The physical actions collected from the devices are then translated into digital bits with some mathematical functions (calculation of entropy [2]), and the outcome is our random numbers. One of the earliest TRNGs was the use of traditional gambling devices [3]. Nowadays, common sources are decay of radioactive material, quantum mechanical processes, thermal and other types of noise, and frequency instability of free-running oscillators [1].

While the early gambling devices were relatively less random, TRNGs with the modern random sources mentioned above generate numbers with a high level of randomness, because the particle reactions and the oscillations are very hard to predict or to reproduce exactly when the process is repeated. However, all these random sources need a certain environment and space for the physical actions to take place, which is very difficult to implement on computers or other modern computational devices. Moreover, even when used to generate random numbers for computers, these sources can be slow and have ill-defined distributions [2].

One recent development to cover the downsides of physical random number generators is the introduction of the Digital Random Number Generator (DRNG) from Intel. Intel declares that this new DRNG includes a high-quality entropy source on the chip [4]. Intel somehow managed to put this secret physical thing on their chips to provide a source of entropy, and the numbers generated go directly into the computing operations in the computer. Therefore, the numbers are physically generated and highly random, and the generation can be much faster than with any other physical source.

Pseudo Random Number Generator

As the name suggests, pseudo random numbers are not real random numbers; they are computer-generated numbers that appear to be random. The most commonly used scheme for Pseudo Random Number Generators (PRNGs) is “multiplicative linear congruential” [5]. In the function used, as shown below, n is a very large prime number, and with careful selection of a, b and n, we can generate a long sequence of numbers distributed randomly between 0 and n-1. If we make n a huge prime number, the number sequence would look pretty random. However, as random as r is, a, b, n and the initial seed are not random at all; we have to choose them very carefully to make sure no one cracks our random numbers. Take the Java random function as an example: if we deliberately give the same seed to the Random method, we get the same sequence of numbers. And in many random functions, the present time or date is taken as the seed. Therefore, if some attacker has access to the context of when and where, or by whom, the random number is generated, or the number sequence is so long that it reveals some pattern, the attacker may have a good chance of cracking the random numbers.
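The weakness described above, as an added example that is not part of the original post: a linear congruential generator whose seed is a clock value, audited to show that the seed and every later output can be regenerated, next to the operating system's CSPRNG. The recurrence r_next = (a·r + b) mod n is the standard textbook form, assumed here because the post's own formula is not reproduced; the constants, function names and clock value are illustrative.

```python
import secrets

# Assumed constants (not from the page): the well-known "minimal standard"
# multiplicative generator, a = 48271, b = 0, n = 2**31 - 1 (a prime).
A, B, N = 48271, 0, 2**31 - 1


def lcg(seed, count):
    """Return `count` outputs of r_next = (A * r + B) mod N, starting from `seed`."""
    r, out = seed % N, []
    for _ in range(count):
        r = (A * r + B) % N
        out.append(r)
    return out


def clock_seeded_values(timestamp, count=4):
    """The weak pattern from the text: the seed is just the current time."""
    return lcg(timestamp, count)


def seeds_reproducing(observed, earliest, latest):
    """Audit check: every clock value in [earliest, latest] that regenerates `observed`."""
    return [t for t in range(earliest, latest + 1)
            if lcg(t, len(observed)) == observed]


def predict_next(last_output):
    """Each output is the generator's whole state, so one value gives the next."""
    return (A * last_output + B) % N


def key_material(nbytes=16):
    """What to use for keys and tokens instead: the operating system's CSPRNG."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    issued_at = 1352592000                    # constructed clock value (seconds)
    values = clock_seeded_values(issued_at)
    print("same seed, same sequence:", lcg(issued_at, 4) == values)
    # Knowing only the hour of issue leaves 7201 candidate seeds to replay.
    print("seeds matching:", seeds_reproducing(values, issued_at - 3600, issued_at + 3600))
    print("next value predictable:", predict_next(values[-1]) == lcg(issued_at, 5)[-1])
    print("CSPRNG bytes:", key_material().hex())
```
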

Therefore, a PRNG is not as random, and therefore not as secure, as a TRNG. However, it does have the advantages of fast computation and easy adoption in computers. Also, if we need a really long sequence of random numbers, the physical devices may not have enough states for us to translate into so many digits [2]. Therefore, a PRNG does better at generating longer sequences of random numbers than a TRNG does.

As both TRNG and PRNG have advantages and disadvantages, in the end it really comes down to where they will be used. It is very important to analyze the requirements before adopting any method. This applies not only to the security requirements, but also to business requirements, budgeting requirements, social requirements and all other factors involved. At the same time, we may see more developments that combine TRNG and PRNG, keeping the strengths of both and overcoming some weaknesses of each, as we have already seen in Intel’s DRNG mentioned previously.

___________

[1] Šimka, Martin, Miloš Drutarovský, and Viktor Fischer. “Random Numbers in Cryptography” 06 Dec 2006. Keynote.

[2] Ellison, Carl. “Cryptographic Random Numbers.” THE WORLD. P1363 standard. Web. 24 Oct 2012. <http://world.std.com/~cme/P1363/ranno.html>.

[3] Warnock, Tony. “LOS ALAMOS SCIENCE.” LOS ALAMOS SCIENCE. Special Issue, Stanislaw 1909-1984 (1987): 137-141. Web. 22 Oct. 2012. <http://www.fas.org/sgp/othergov/doe/lanl/pubs/00418729.pdf>.

[4] “Intel® Digital Random Number Generator (DRNG) Software Implementation Guide.” Intel. Intel Corporation, 08 Aug 2012. Web. 22 Oct 2012. <http://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide/>.

[5] Roehrig, Stephen, “Program Control” Object-Oriented Programming, 6 Sept 2012. Keynote.