Information Security News mailing list archives

Security In Web Services: An Evolving Threat Model


From: InfoSec News <isn () c4i org>
Date: Tue, 21 May 2002 04:28:56 -0500 (CDT)

Forwarded from: Christian Wright <cw () c4i org>

http://www.ddj.com/news/fullstory.cgi?id=5887

Shannon Cochran
2002-05-20

Udi Manber, chief scientist at Yahoo!, apprised security researchers
at the IEEE's Symposium on Security and Privacy about attacks likely
to become commonplace in the emerging era of large-scale, distributed
web services. "The kind of attacks that we're seeing are not a
traditional security attack," he warned. The threat to web services is
not about something like root access; it's more about repeated
violations and exploitations of the service - small cheats and hacks
that are individually insignificant, but a huge problem in the
aggregate.

Spam is an example of this kind of hack. A web-based e-mail service
does not suffer if one of its accounts is used for mass-mailing. When
tens of thousands of accounts are abused in this way, the service can
be brought to its knees. Manber calls this the "penny jar" effect,
likening it to a thief who comes to a cash register and empties the
penny dish every five minutes. The pennies are meant to be given away,
and each instance of the loss is trivial; but if the theft continues
unchecked, the service will be destroyed.
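The "penny jar" point is that per-account rules never fire because each account's abuse is below any sane threshold; the signal only appears when activity is aggregated by the party behind the accounts. The following is an added example, not code from the article or from Yahoo, showing that aggregation over constructed log lines: a per-account recipient limit flags nothing, while grouping by source address (total recipients and number of distinct accounts per address) flags the cluster of throwaway accounts. The log format, field names, addresses and thresholds are all assumptions for this illustration.

```python
"""Aggregate ("penny jar") abuse detection over constructed log lines.

Added example, not the article's or Yahoo's code. Each account sends only a
handful of messages, so no per-account rule fires; the abuse becomes visible
only when sends are grouped by the source address behind the accounts.
Log format, field names, addresses and thresholds are assumptions.
"""
from collections import defaultdict


def parse_line(line):
    """Assumed format: '<epoch_ts> <source_ip> <account> SEND <recipient_count>'."""
    ts, src, acct, action, n = line.split()
    return int(ts), src, acct, action, int(n)


def detect_aggregate_abuse(log_text, per_account_max=200, per_source_max=500,
                           accounts_per_source_max=20, window=3600):
    """Return accounts and source addresses whose sends exceed the limits
    within one time bucket of `window` seconds."""
    per_account = defaultdict(int)         # (bucket, account) -> recipients sent
    per_source = defaultdict(int)          # (bucket, source)  -> recipients sent
    accounts_by_source = defaultdict(set)  # (bucket, source)  -> accounts seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, acct, action, n = parse_line(line)
        if action != "SEND":
            continue
        bucket = ts // window
        per_account[(bucket, acct)] += n
        per_source[(bucket, src)] += n
        accounts_by_source[(bucket, src)].add(acct)

    # The per-account rule is the "one account at a time" view that misses the penny jar.
    account_flags = sorted(a for (_, a), n in per_account.items() if n > per_account_max)
    # The aggregate rules are where the cheap, individually trivial abuse shows up.
    source_flags = sorted(
        {s for (_, s), n in per_source.items() if n > per_source_max}
        | {s for (_, s), accts in accounts_by_source.items()
           if len(accts) > accounts_per_source_max}
    )
    return {"accounts": account_flags, "sources": source_flags}


def build_sample_log():
    """Constructed sample traffic; all timestamps fall in one hourly bucket."""
    base = 1021950000  # constructed epoch timestamp (May 2002), start of a bucket
    lines = []
    # Abusive cluster: 40 throwaway accounts behind one address, 25 recipients each.
    for i in range(40):
        lines.append(f"{base + i} 203.0.113.7 throwaway{i:02d} SEND 25")
    # Legitimate heavy sender: one account, one address, 150 recipients in the hour.
    for i in range(6):
        lines.append(f"{base + 60 * i} 198.51.100.2 newsletter_ed SEND 25")
    # Small office behind NAT: three accounts sharing an address, modest volume.
    for i in range(3):
        lines.append(f"{base + 10 * i} 192.0.2.5 office{i} SEND 30")
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect_aggregate_abuse(build_sample_log()))
```

The shared-address office and the single heavy sender are deliberately included: a per-source volume rule alone would eventually catch the heavy sender too, so the distinct-accounts rule is what separates "one busy user" from "many cheap accounts", and in practice both thresholds are tuned against the legitimate distribution rather than chosen once.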

And money is far from the only target of attack. Buyer and seller
ratings in auction sites are often forged, and so are rankings on game
sites. "If you have any kind of rating, people go to all kinds of
trouble to get that rating in an illegitimate way," Manber reported.

The more services are offered, the more vulnerable the provider
becomes. "Someone can steal some money over here, go to Shopping and
buy something, then go to Auction and sell it," said Manber. "This
really happened."

Internationalization is a further weakness, because patches must be
distributed over multiple systems around the world. Even one
overlooked server leaves the provider vulnerable; but in a world of
web services, the integrity of the network isn't nearly as valuable as
the time and effort that skilled employees spend combating abuse. "I'm
not even worried sometimes about the machines I buy," Manber
clarified. "I'm worried about the time...There are more of them
[attackers] than there are of me. They have a lot more time."

Interactivity poses a new set of risks. "Whenever we get content from
users, it's a problem," said Manber. Advertisers will attempt to sneak
their content into forums like the Personals, or go to the trouble of
creating an informative site, only to change the content to
advertising after the site is accepted into Yahoo's directory. Or they
may add Yahoo redirects to their own sites in order to gain an
appearance of legitimacy.

Services can also be stolen and resold. Yahoo found that the finance
sites were plagued by screen scrapers running every few seconds to
grab real-time stock quotes. Manber says that traffic on the finance
sites dropped by 80% after the screen-scrapers were blocked. "You
provide a premium service, people will sign up for it maybe once, put
a proxy server up, steal the information, and bang! Now they provide
the service."

Some of the exploits are darkly ingenious. During hotly contested
auctions, some users will mount password attacks on other bidders'
accounts an hour before the end of the auction - not to actually gain
access, but merely to trigger a security lockout, thereby ensuring
that the legitimate user cannot place last-minute bids. Once Yahoo had
to deal with a virus spread through a file download, with the twist
that the virus would only become destructive if the file was removed
from Yahoo's servers. And on the social engineering front, there's the
list of instructions for "hacking a Yahoo account" that direct
would-be hax0rs to send the e-mail address of the account they'd like
to access, along with a gobbledegook string of code and their own
account name and password, to a plausible-sounding address like
passbot_return () yahoo com.

"I've seen Ph.D. level cleverness," Manber admitted. In response, 
Yahoo has developed some sneaky countermeasures of its own. But 
although Manber provided examples of his algorithms, he asked 
attendees of the conference not to publicize them. The conflict 
between secrecy and openness is one that, as a former academic 
researcher, Manber feels keenly. On the one hand, he is fully aware 
that real progress in security comes through full disclosure and open, 
shared research. On the other hand, he knows that his company will 
suffer real and immediate damage if hackers learn the details of his 
methods. 

"The kind of countermeasures that we're doing are pretty weak. If you 
compare it to cryptography we're a hundred years behind," he said. 
"Feedback is always a major issue for us. I always think about 'Should 
I do this? Will I tell them what I'm doing?...I'd rather see what 
they're doing. The way you win an arms race is not by building bigger 
and bigger weapons. Sometimes the best move is not to play the game.'" 

One amusing example Manber gave is in the field of rate limiting — 
Yahoo's attempt to throttle the rate at which users can sign up for 
new accounts. Although successful techniques to weed out bots have 
been developed — like asking users to retype a random word displayed 
in an image designed to be impossible for OCR to process — Manber has 
found that people are still registering for massive numbers of 
accounts. "As far as I can tell, they're just doing it by hand. 
They're sitting there all day doing it by hand," he said. So he's 
considering changing the registration test to a simple arithmetic 
problem. It won't stop the mass registrations, but he might be able to 
get the abusers to perform distributed computing tasks for him. 
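Two of the abuses above, the deliberate lockout of a rival bidder and bulk account registration, are both answered by the same defensive mechanism: throttle by the source of the requests rather than by the account being targeted. The following is an added example, not code from the article or from Yahoo. A sliding-window limiter is keyed per (account, source) and per source for failed logins, with no account-wide lockout at all, so a flood of wrong passwords from one address cannot lock the account's real owner out before an auction closes; the same limiter keyed per source caps new-account sign-ups. Window sizes, limits, addresses and account names are assumptions.

```python
"""Per-source throttling instead of per-account lockout.

Added example, not the article's or Yahoo's code. Failed logins are counted
per (account, source) and per source, never per account alone, so a burst of
wrong passwords from one address cannot deny service to the account's owner.
Sign-ups are capped per source with the same limiter. All limits are assumptions.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts events per key inside a trailing window of `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> ascending timestamps

    def _prune(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def record(self, key, now):
        self._prune(key, now).append(now)

    def exceeded(self, key, now):
        return len(self._prune(key, now)) >= self.limit


class LoginGuard:
    """Decides whether a login attempt may be evaluated at all.
    Deliberately has no account-wide counter: that is the lockout an attacker
    would trigger on purpose."""

    def __init__(self):
        self.pair_limiter = SlidingWindowLimiter(limit=5, window_seconds=900)
        self.source_limiter = SlidingWindowLimiter(limit=50, window_seconds=900)

    def allow(self, account, source, now):
        return not (self.pair_limiter.exceeded((account, source), now)
                    or self.source_limiter.exceeded(source, now))

    def record_failure(self, account, source, now):
        self.pair_limiter.record((account, source), now)
        self.source_limiter.record(source, now)


class SignupGuard:
    """Caps new registrations per source address."""

    def __init__(self):
        self.limiter = SlidingWindowLimiter(limit=3, window_seconds=3600)

    def allow(self, source, now):
        return not self.limiter.exceeded(source, now)

    def record(self, source, now):
        self.limiter.record(source, now)


def simulate_lockout_attempt():
    """Constructed scenario: 200 wrong passwords for 'bidder42' from one
    address, then the real owner logs in from a different address.
    Returns (attacker_blocked, owner_allowed)."""
    guard = LoginGuard()
    attacker, owner = "203.0.113.9", "198.51.100.4"  # constructed addresses
    t = 1021950000  # constructed epoch timestamp
    for i in range(200):
        if guard.allow("bidder42", attacker, t + i):
            guard.record_failure("bidder42", attacker, t + i)
    attacker_blocked = not guard.allow("bidder42", attacker, t + 200)
    owner_allowed = guard.allow("bidder42", owner, t + 200)
    return attacker_blocked, owner_allowed


def simulate_signup_burst():
    """Constructed scenario: four registrations from one address in seconds,
    then one more an hour later. Returns (decisions, allowed_later)."""
    guard = SignupGuard()
    src, t = "203.0.113.9", 1021950000
    decisions = []
    for i in range(4):
        ok = guard.allow(src, t + i)
        decisions.append(ok)
        if ok:
            guard.record(src, t + i)
    return decisions, guard.allow(src, t + 3601)


if __name__ == "__main__":
    print(simulate_lockout_attempt())
    print(simulate_signup_burst())
```

Keying on (account, source) rather than on the account is the whole design choice: it preserves the brute-force protection the lockout was meant to give while removing the denial-of-service it handed to anyone who knew a rival's account name. The per-source counter keeps the same attacker from spraying many accounts, and a service that sees most traffic behind a shared address would key on a finer source identity (session, device, or a verified sign-up token) than a bare IP.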

Number one on the list of open problems in web services security is 
the difficulty of differentiating users from bots. Though he called it 
"imperfect," he acknowledged that one solution would be to require an 
ID number or a credit card number. If anonymity disappeared from the 
web, "a lot of the problems would go away," he said. But even more 
than authentication, Manber wants reverse authentication: "I want a 
protocol that proves that someone is not a particular person." 

He also wants obfuscated HTML, which is particularly ironic since, in 
his days in academia, Manber wrote one of the first screen-scrapers. 
He wants the ability to detect passive vulnerabilities in a system. 
And he wants better ways to fight back. "I have huge pipes," he 
laughed. "It's very easy for me to go after them. Unfortunately, it's 
not legal." 

But he dismissed legal solutions altogether, saying that measures like 
anti-spam legislation are completely ineffective. "This has to be 
solved technically, not legally," he warned. "If we can't solve these 
problems, we'll see less and less services." 



-
ISN is currently hosted by Attrition.org
