[ISN] Security In Web Services: An Evolving Threat Model

From: InfoSec News (isnat_private)
Date: Tue May 21 2002 - 02:28:56 PDT


    Forwarded from: Christian Wright <cwat_private>
    Shannon Cochran
    Udi Manber, chief scientist at Yahoo!, apprised security researchers
    at the IEEE's Symposium on Security and Privacy about attacks likely
    to become commonplace in the emerging era of large-scale, distributed
    web services. "The kind of attacks that we're seeing are not a
    traditional security attack," he warned. The threat to web services is
    not about something like root access; it's more about repeated
    violations and exploitations of the service - small cheats and hacks
    that are individually insignificant, but a huge problem in the

    Spam is an example of this kind of hack. A web-based e-mail service
    does not suffer if one of its accounts is used for mass-mailing. When
    tens of thousands of accounts are abused in this way, the service can
    be brought to its knees. Manber calls this the "penny jar" effect,
    likening it to a thief who comes to a cash register and empties the
    penny dish every five minutes. The pennies are meant to be given away,
    and each instance of the loss is trivial; but if the theft continues
    unchecked, the service will be destroyed.

    And money is far from the only target of attack. Buyer and seller
    ratings in auction sites are often forged, and so are rankings on game
    sites. "If you have any kind of rating, people go to all kinds of
    trouble to get that rating in an illegitimate way," Manber reported.
    The more services are offered, the more vulnerable the provider
    becomes. "Someone can steal some money over here, go to Shopping and
    buy something, then go to Auction and sell it," said Manber. "This
    really happened."

    Internationalization is a further weakness, because patches must be
    distributed over multiple systems around the world. Even one
    overlooked server leaves the provider vulnerable; but in a world of
    web services, the integrity of the network isn't nearly as valuable as
    the time and effort that skilled employees spend combating abuse. "I'm
    not even worried sometimes about the machines I buy," Manber
    clarified. "I'm worried about the time...There are more of them
    [attackers] than there are of me. They have a lot more time."

    Interactivity poses a new set of risks. "Whenever we get content from
    users, it's a problem," said Manber. Advertisers will attempt to sneak
    their content into forums like the Personals, or go to the trouble of
    creating an informative site, only to change the content to
    advertising after the site is accepted into Yahoo's directory. Or they
    may add Yahoo redirects to their own sites in order to gain an
    appearance of legitimacy.

    Services can also be stolen and resold. Yahoo found that the finance
    sites were plagued by screen scrapers running every few seconds to
    grab real-time stock quotes. Manber says that traffic on the finance
    sites dropped by 80% after the screen-scrapers were blocked. "You
    provide a premium service, people will sign up for it maybe once, put
    a proxy server up, steal the information, and bang! Now they provide
    the service."
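
    The scraper pattern described above (a proxy hitting the quote pages
    "every few seconds") is easy to pick out of an access log because a
    machine polls on a fixed period while a person does not. The block
    below is an added example, not code from the article or from Yahoo:
    it parses a constructed log (the format, IPs and paths are invented for
    the example) and flags clients whose quote requests are both frequent
    and metronomically regular. The same per-client sliding counter is
    what a signup throttle keys on.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample access log (epoch seconds, client IP, method, path).
# Invented for this example; not real Yahoo traffic. 10.0.0.5 and 10.0.0.7
# poll the quote page on a fixed period, 10.0.0.9 browses like a person,
# 10.0.0.11 only looks twice.
SAMPLE_LOG = """\
1021968000 10.0.0.5 GET /q?s=YHOO
1021968000 10.0.0.7 GET /q?s=MSFT
1021968001 10.0.0.9 GET /q?s=YHOO
1021968002 10.0.0.7 GET /q?s=MSFT
1021968003 10.0.0.5 GET /q?s=YHOO
1021968004 10.0.0.7 GET /q?s=MSFT
1021968005 10.0.0.11 GET /q?s=IBM
1021968006 10.0.0.5 GET /q?s=YHOO
1021968006 10.0.0.7 GET /q?s=MSFT
1021968008 10.0.0.7 GET /q?s=MSFT
1021968008 10.0.0.11 GET /q?s=IBM
1021968009 10.0.0.5 GET /q?s=YHOO
1021968010 10.0.0.7 GET /q?s=MSFT
1021968010 10.0.0.9 GET /news/
1021968012 10.0.0.5 GET /q?s=YHOO
1021968015 10.0.0.5 GET /q?s=YHOO
1021968045 10.0.0.9 GET /q?s=YHOO
1021968130 10.0.0.9 GET /q?s=YHOO
1021968131 10.0.0.9 GET /q?s=MSFT
1021968400 10.0.0.9 GET /q?s=YHOO
this line is malformed and will be skipped
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, method, path); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def flag_scrapers(events, path_prefix="/q?", min_requests=5, max_cv=0.25):
    """Return {client: reason} for clients that hit path_prefix at least
    min_requests times with near-constant spacing between requests.

    Regularity is measured as the coefficient of variation (stdev / mean)
    of the inter-request gaps: a polling script sits near 0, a human
    clicking around is well above max_cv."""
    per_client = defaultdict(list)
    for ts, client, _method, path in events:
        if path.startswith(path_prefix):
            per_client[client].append(ts)

    flagged = {}
    for client, stamps in per_client.items():
        if len(stamps) < min_requests:
            continue  # too little traffic to judge
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            # every request in the same second: a burst, always suspicious
            flagged[client] = f"{len(stamps)} quote requests in one second"
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[client] = (f"{len(stamps)} quote requests, "
                               f"period ~{mean:.1f}s, cv={cv:.2f}")
    return flagged


if __name__ == "__main__":
    for client, reason in sorted(flag_scrapers(parse_log(SAMPLE_LOG)).items()):
        print(f"block {client}: {reason}")
```

    The thresholds are illustrative. In practice the decision would be
    keyed on session or account as well as source address, since the
    reseller Manber describes signs up once and then proxies, and a single
    address can also front many legitimate users.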
    Some of the exploits are darkly ingenious. During hotly contested
    auctions, some users will mount password attacks on other bidders'
    accounts an hour before the end of the auction - not to actually gain
    access, but merely to trigger a security lockout, thereby ensuring
    that the legitimate user cannot place last-minute bids. Once Yahoo had
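
    The lockout trick above works because the naive policy keys its
    failure counter on the account alone, so anyone who knows a victim's
    account name can lock the victim out on demand. The block below is an
    added example, not the article's or Yahoo's code: it puts a naive
    account-keyed lockout beside a policy that counts failures per
    (account, source) pair and, when an account is under attack from many
    sources, asks a correctly authenticating user for a step-up challenge
    instead of refusing the login. Account names, passwords, addresses and
    thresholds are invented for the example.

```python
import hmac
from collections import defaultdict


class NaiveLockout:
    """Account-keyed lockout: N failures from anyone lock the account for
    everyone, which is exactly what the auction attacker wants."""

    def __init__(self, creds, max_failures=5, lock_seconds=3600):
        self.creds = creds                    # account -> password (demo only)
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)      # account -> consecutive failures
        self.locked_until = {}                # account -> unlock time

    def attempt(self, account, password, source, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"
        stored = self.creds.get(account, "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            self.failures[account] = 0
            return "locked"
        return "denied"


class SourceScopedLockout:
    """Failures are counted per (account, source). A guessing source still
    gets locked out, but a correct password from an untainted source is
    accepted. If the account is being hammered from many sources, a correct
    login returns "challenge" (e.g. a CAPTCHA step) instead of being refused."""

    def __init__(self, creds, max_failures=5, lock_seconds=3600,
                 account_failures=20, window_seconds=3600):
        self.creds = creds
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.account_failures = account_failures
        self.window_seconds = window_seconds
        self.failures = defaultdict(int)          # (account, source) -> count
        self.locked_until = {}                    # (account, source) -> time
        self.recent_failures = defaultdict(list)  # account -> failure times

    def _recent(self, account, now):
        keep = [t for t in self.recent_failures[account]
                if now - t < self.window_seconds]
        self.recent_failures[account] = keep
        return len(keep)

    def attempt(self, account, password, source, now):
        key = (account, source)
        if self.locked_until.get(key, 0) > now:
            return "locked"
        stored = self.creds.get(account, "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            if self._recent(account, now) >= self.account_failures:
                return "challenge"  # right password, account under attack
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        self.recent_failures[account].append(now)
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lock_seconds
            self.failures[key] = 0
            return "locked"
        return "denied"


def auction_attack(policy):
    """Attacker sends five wrong passwords for 'bidder' from one address,
    then the real bidder logs in from home six seconds later."""
    results = [policy.attempt("bidder", f"wrong{t}", "203.0.113.7", t)
               for t in range(5)]
    results.append(policy.attempt("bidder", "s3cret-bid", "198.51.100.2", 10))
    return results


def distributed_attack(policy):
    """Twenty sources send one wrong password each; then the real bidder logs in."""
    for i in range(20):
        policy.attempt("bidder", "wrong", f"10.1.1.{i}", i)
    return policy.attempt("bidder", "s3cret-bid", "198.51.100.2", 30)


if __name__ == "__main__":
    creds = {"bidder": "s3cret-bid"}
    print("naive :", auction_attack(NaiveLockout(creds)))
    print("scoped:", auction_attack(SourceScopedLockout(creds)))
```

    Under the naive policy the legitimate bidder's sixth-line login comes
    back "locked"; under the scoped policy it comes back "ok" while the
    attacker's address stays locked. The distributed variant is where the
    scoped policy answers "challenge" rather than silently letting the
    attack through, which is the trade-off Manber's "penny jar" framing
    points at: the per-source counters are meaningless individually, so the
    aggregate across sources has to be watched too.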
    to deal with a virus spread through a file download, with the twist
    that the virus would only become destructive if the file was removed
    from Yahoo's servers. And on the social engineering front, there's the
    list of instructions for "hacking a Yahoo account" that direct
    would-be hax0rs to send the e-mail address of the account they'd like
    to access, along with a gobbledegook string of code and their own
    account name and password, to a plausible-sounding address like
    "I've seen Ph.D. level cleverness," Manber admitted. In response, 
    Yahoo has developed some sneaky countermeasures of its own. But 
    although Manber provided examples of his algorithms, he asked 
    attendees of the conference not to publicize them. The conflict 
    between secrecy and openness is one that, as a former academic 
    researcher, Manber feels keenly. On the one hand, he is fully aware 
    that real progress in security comes through full disclosure and open, 
    shared research. On the other hand, he knows that his company will 
    suffer real and immediate damage if hackers learn the details of his 

    "The kind of countermeasures that we're doing are pretty weak. If you 
    compare it to cryptography we're a hundred years behind," he said. 
    "Feedback is always a major issue for us. I always think about 'Should 
    I do this? Will I tell them what I'm doing?...I'd rather see what 
    they're doing. The way you win an arms race is not by building bigger 
    and bigger weapons. Sometimes the best move is not to play the game.'" 

    One amusing example Manber gave is in the field of rate limiting: 
    Yahoo's attempt to throttle the rate at which users can sign up for 
    new accounts. Although successful techniques to weed out bots have 
    been developed (like asking users to retype a random word displayed 
    in an image designed to be impossible for OCR to process), Manber has 
    found that people are still registering for massive numbers of 
    accounts. "As far as I can tell, they're just doing it by hand. 
    They're sitting there all day doing it by hand," he said. So he's 
    considering changing the registration test to a simple arithmetic 
    problem. It won't stop the mass registrations, but he might be able to 
    get the abusers to perform distributed computing tasks for him. 

    Number one on the list of open problems in web services security is 
    the difficulty of differentiating users from bots. Though he called it 
    "imperfect," he acknowledged that one solution would be to require an 
    ID number or a credit card number. If anonymity disappeared from the 
    web, "a lot of the problems would go away," he said. But even more 
    than authentication, Manber wants reverse authentication: "I want a 
    protocol that proves that someone is not a particular person." 

    He also wants obfuscated HTML, which is particularly ironic since, in 
    his days in academia, Manber wrote one of the first screen-scrapers. 
    He wants the ability to detect passive vulnerabilities in a system. 
    And he wants better ways to fight back. "I have huge pipes," he 
    laughed. "It's very easy for me to go after them. Unfortunately, it's 
    not legal." 

    But he dismissed legal solutions altogether, saying that measures like 
    anti-spam legislation are completely ineffective. "This has to be 
    solved technically, not legally," he warned. "If we can't solve these 
    problems, we'll see less and less services." 

    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue May 21 2002 - 05:07:21 PDT