Forwarded from: Christian Wright <cwat_private>
http://www.ddj.com/news/fullstory.cgi?id=5887
Shannon Cochran
2002-05-20

Udi Manber, chief scientist at Yahoo!, apprised security researchers at the IEEE's Symposium on Security and Privacy about attacks likely to become commonplace in the emerging era of large-scale, distributed web services. "The kind of attacks that we're seeing are not a traditional security attack," he warned. The threat to web services is not about something like root access; it's more about repeated violations and exploitations of the service - small cheats and hacks that are individually insignificant, but a huge problem in the aggregate.

Spam is an example of this kind of hack. A web-based e-mail service does not suffer if one of its accounts is used for mass-mailing. When tens of thousands of accounts are abused in this way, the service can be brought to its knees. Manber calls this the "penny jar" effect, likening it to a thief who comes to a cash register and empties the penny dish every five minutes. The pennies are meant to be given away, and each instance of the loss is trivial; but if the theft continues unchecked, the service will be destroyed.

And money is far from the only target of attack. Buyer and seller ratings in auction sites are often forged, and so are rankings on game sites. "If you have any kind of rating, people go to all kinds of trouble to get that rating in an illegitimate way," Manber reported. The more services are offered, the more vulnerable the provider becomes. "Someone can steal some money over here, go to Shopping and buy something, then go to Auction and sell it," said Manber. "This really happened."

Internationalization is a further weakness, because patches must be distributed over multiple systems around the world.
Even one overlooked server leaves the provider vulnerable; but in a world of web services, the integrity of the network isn't nearly as valuable as the time and effort that skilled employees spend combating abuse. "I'm not even worried sometimes about the machines I buy," Manber clarified. "I'm worried about the time...There are more of them [attackers] than there are of me. They have a lot more time."

Interactivity poses a new set of risks. "Whenever we get content from users, it's a problem," said Manber. Advertisers will attempt to sneak their content into forums like the Personals, or go to the trouble of creating an informative site, only to change the content to advertising after the site is accepted into Yahoo's directory. Or they may add Yahoo redirects to their own sites in order to gain an appearance of legitimacy.

Services can also be stolen and resold. Yahoo found that the finance sites were plagued by screen scrapers running every few seconds to grab real-time stock quotes. Manber says that traffic on the finance sites dropped by 80% after the screen-scrapers were blocked. "You provide a premium service, people will sign up for it maybe once, put a proxy server up, steal the information, and bang! Now they provide the service."

Some of the exploits are darkly ingenious. During hotly contested auctions, some users will mount password attacks on other bidders' accounts an hour before the end of the auction - not to actually gain access, but merely to trigger a security lockout, thereby ensuring that the legitimate user cannot place last-minute bids. Once Yahoo had to deal with a virus spread through a file download, with the twist that the virus would only become destructive if the file was removed from Yahoo's servers.
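The lockout trick described above turns a brute-force defence into a denial of service against the legitimate bidder. As an added example (not Yahoo's code and not anything Manber presented), this Python sketch throttles failed logins per (account, source) pair and steps up to a challenge rather than a hard lock when one account is hit from many sources, so the real owner logging in from elsewhere is never locked out; the LoginGuard name and the thresholds are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed example: failures are tracked per (account, source) pair
# rather than per account, so an attacker's guesses do not lock the owner out.
MAX_FAILURES = 5             # failures allowed per (account, source) in the window
WINDOW_SECONDS = 3600        # sliding window length
ACCOUNT_WIDE_FAILURES = 50   # account hit from many sources: challenge, don't lock


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)  # (account, source) -> timestamps

    def _prune(self, key, now):
        """Drop failures older than the window and return the live deque."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def record_failure(self, account, source):
        self._failures[(account, source)].append(self._clock())

    def record_success(self, account, source):
        # A correct password clears only this source's history for the account.
        self._failures.pop((account, source), None)

    def account_failures(self, account):
        """Total live failures against an account across all sources."""
        now = self._clock()
        return sum(len(self._prune(k, now))
                   for k in list(self._failures) if k[0] == account)

    def decide(self, account, source):
        """Return 'allow', 'challenge' or 'block' for a login attempt."""
        now = self._clock()
        if len(self._prune((account, source), now)) >= MAX_FAILURES:
            return "block"        # this source has exhausted its guesses
        if self.account_failures(account) >= ACCOUNT_WIDE_FAILURES:
            return "challenge"    # wide attack on the account: add a human test
        return "allow"
```

The per-pair block stops guessing from a given source, while the account-wide threshold only adds friction (a challenge) instead of a lockout, which is the property the auction attack exploits.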
And on the social engineering front, there's the list of instructions for "hacking a Yahoo account" that direct would-be hax0rs to send the e-mail address of the account they'd like to access, along with a gobbledegook string of code and their own account name and password, to a plausible-sounding address like passbot_returnat_private. "I've seen Ph.D. level cleverness," Manber admitted.

In response, Yahoo has developed some sneaky countermeasures of its own. But although Manber provided examples of his algorithms, he asked attendees of the conference not to publicize them. The conflict between secrecy and openness is one that, as a former academic researcher, Manber feels keenly. On the one hand, he is fully aware that real progress in security comes through full disclosure and open, shared research. On the other hand, he knows that his company will suffer real and immediate damage if hackers learn the details of his methods. "The kind of countermeasures that we're doing are pretty weak. If you compare it to cryptography we're a hundred years behind," he said. "Feedback is always a major issue for us. I always think about 'Should I do this? Will I tell them what I'm doing?...I'd rather see what they're doing. The way you win an arms race is not by building bigger and bigger weapons. Sometimes the best move is not to play the game.'"

One amusing example Manber gave is in the field of rate limiting — Yahoo's attempt to throttle the rate at which users can sign up for new accounts. Although successful techniques to weed out bots have been developed — like asking users to retype a random word displayed in an image designed to be impossible for OCR to process — Manber has found that people are still registering for massive numbers of accounts. "As far as I can tell, they're just doing it by hand. They're sitting there all day doing it by hand," he said. So he's considering changing the registration test to a simple arithmetic problem.
It won't stop the mass registrations, but he might be able to get the abusers to perform distributed computing tasks for him.

Number one on the list of open problems in web services security is the difficulty of differentiating users from bots. Though he called it "imperfect," he acknowledged that one solution would be to require an ID number or a credit card number. If anonymity disappeared from the web, "a lot of the problems would go away," he said. But even more than authentication, Manber wants reverse authentication: "I want a protocol that proves that someone is not a particular person."

He also wants obfuscated HTML, which is particularly ironic since, in his days in academia, Manber wrote one of the first screen-scrapers. He wants the ability to detect passive vulnerabilities in a system. And he wants better ways to fight back. "I have huge pipes," he laughed. "It's very easy for me to go after them. Unfortunately, it's not legal." But he dismissed legal solutions altogether, saying that measures like anti-spam legislation are completely ineffective. "This has to be solved technically, not legally," he warned. "If we can't solve these problems, we'll see less and less services."

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue May 21 2002 - 05:07:21 PDT