Archive for December, 2006


Cambridge University researcher Steven J Murdoch has devised a novel attack on online anonymity systems in which he literally takes a computer’s temperature over the internet.

The attack uses a phenomenon called “clock skew”: the tendency for the precise clocks in modern computers to drift from the correct time at slightly different rates, which can be affected by heat.

“When a crystal is manufactured, it has a clock skew, and it’s different for each crystal (throughout its) lifetime,” he explains while discussing his work at the Chaos Communications Congress on Thursday.

Last year UCLA Ph.D. student Tadayoshi Kohno showed that clock skew can be used to identify computers on the internet, by charting the timestamps in a machine’s traffic. But the skew is a fairly weak identifier, providing at best 64 unique fingerprints. A network of a thousand computers would have 16 with an identical clock skew.

The research spawned a variety of theories on how clock skew could be used to attack anonymity online: from detecting daytime hours at a server located in an unknown country, to counting the number of hosts behind a NAT firewall. Murdoch was the first to make an attack work.

His victim is the Onion Router Network (TOR). Tor encrypts a user’s traffic, and bounces it through multiple servers, so the final destination doesn’t know where it came from.

Murdoch set up a Tor network at Cambridge to test his technique, which works like this: If an attacker wants to learn the IP address of a hidden server on the Tor network, he’ll suddenly request something difficult or intensive from that server. The added load will cause it to warm up.

Because temperature affects how fast most electronics operate, warming up the machine causes microscopic changes in clock skew over time. Now the attacker queries computers on the public internet that he suspects of being the Tor server, looking for the shift in skew over the course of hours.

When he finds a computer that has a guilty change in its timestamps, he has a match.
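The measurement behind this, as an added example (not code from Murdoch's or Kohno's research): it fits the drift of a host's timestamps against a reference clock in consecutive windows and flags a change in skew, which is what an operator would look at to see how much their own host's timestamps reveal. The sample timestamps, the 50 and 51 ppm figures, the jitter model and the least-squares fit are assumptions made for the illustration.

```python
# Added illustration with constructed data; not code from the research described.
# A least-squares fit is a simplification chosen for this example.

def skew_ppm(samples):
    """Slope of (remote - local) clock offset against local time, in ppm.

    samples: list of (local_seconds, remote_timestamp_seconds) pairs.
    """
    n = len(samples)
    xs = [local for local, _ in samples]
    ys = [remote - local for local, remote in samples]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def windowed_skew(samples, window_s):
    """Estimate skew separately for each consecutive window of window_s seconds."""
    windows = {}
    for local, remote in samples:
        windows.setdefault(int(local // window_s), []).append((local, remote))
    return [skew_ppm(windows[k]) for k in sorted(windows) if len(windows[k]) >= 2]


def skew_shifts(skews, threshold_ppm):
    """Window indices where skew moved by more than threshold_ppm since the previous window."""
    return [i for i in range(1, len(skews))
            if abs(skews[i] - skews[i - 1]) > threshold_ppm]


def constructed_host(base_ppm, loaded_ppm, load_start_s, duration_s=7200, step_s=10):
    """Constructed timestamps: skew is base_ppm until load_start_s, loaded_ppm after."""
    samples = []
    for i, local in enumerate(range(0, duration_s, step_s)):
        offset = 1e-6 * (base_ppm * min(local, load_start_s)
                         + loaded_ppm * max(0, local - load_start_s))
        jitter = ((i * 919) % 1000) * 2e-7  # deterministic stand-in for < 0.2 ms noise
        samples.append((float(local), local + offset + jitter))
    return samples


if __name__ == "__main__":
    heated = windowed_skew(constructed_host(50.0, 51.0, 3600), 3600)
    steady = windowed_skew(constructed_host(50.0, 50.0, 3600), 3600)
    print("heated host:", [round(s, 2) for s in heated], skew_shifts(heated, 0.5))
    print("steady host:", [round(s, 2) for s in steady], skew_shifts(steady, 0.5))
```

A host whose timestamps are locked or coarsely quantized, the defence Murdoch mentions, would give the fit far less to work with.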

“It’s actually quite hard to defend against,” says Murdoch. “(You can) lock the timestamp, but even without explicit timestamps, it’s conceivable.”

That doesn’t mean it’s time to give up on online anonymity: Murdoch points out that other attacks on Tor are currently easier and quicker.

Ironically it might be the most extremely hardened computers that would be most vulnerable to this style of attack. Murdoch theorizes that military computers with precise time reporting should be easier than more casual networks like Tor, in the long run.


My favourite virtualisation product, VMware, is now in its sixth generation, with a public beta available for testing over the holiday season. The product is continuously being shaped into the preferred tool for software engineers and security researchers, thanks to its noticeable features for ease of development, debugging and tracing.

Integration with Visual Studio for Debugging:

The first beta (build 36983) sports the much acclaimed integration with Microsoft Visual Studio and Eclipse: when a new program must be tested, developers can invoke run and debug directly inside a virtual machine, always assuring a brand new, secure and polished environment.

Headless mode:

Virtual machines can now run in background, without the VMware interface running. You can control the running VMs from an icon in the taskbar.



VNC Remote Control:

Virtual machines can now be controlled through VNC instead of using guest OS remote management tools (no need to install a VNC server inside the guest OS).

Cross-Platform Drag-and-Drop:

Files can be copied between host and guest level independently from the installed OSes

Increased RAM support:

Allocable RAM for VM has been increased from 3.6GB to 8GB. No more limits for maximum RAM allocable for all VMs.

New physical hardware support:

Support for USB 2.0 devices, 64-bit sound cards and multiple monitors.

New OS Support for Guests:

Includes Vista 32-bit and 64-bit editions, which I still need to get my hands on.

The beta roadmap defines another future killer feature called Replay. Workstation will now be able to record every moment of the virtual machine's life and reproduce it on demand, like a VCR. The revolutionary thing is that Replay will not simply record what happens on the screen, generating a traditional video, but will also record the computations made in the VM, allowing developers to verify exactly what happens during a fault inside the virtual hardware for debugging purposes.

This article describes how the whole company offering can simplify development, testing and delivery of new applications, but the most interesting thing is the newly introduced support for VMI-paravirtualized Linux: despite the company's failure to achieve VMI integration inside the kernel, VMware seems to be continuing on its own way, probably hoping that showing a completed and working solution will increase the chances of the approach being reconsidered.
So, after introducing such support in an experimental version of Player, the company is now distributing it in the mainstream through Workstation.

The beta is available here.


Top 10 Web Hacks of 2006

Posted: December 16, 2006 in Malware, Security, Web Security

RSnake, Robert Auger, and Jeremiah of WhiteHatSecurity collected a list of the new 2006 web hacks. The term “hacks” loosely describes some of the more creative, useful, and interesting techniques/discoveries/compromises.

Top 10

1. Web Browser Intranet Hacking / Port Scanning – (with JavaScript and with HTML-only and the improved model)
2. Internet Explorer 7 “mhtml:” Redirection Information Disclosure
3. Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
4. Web Browser History Stealing – (with CSS, evil marketing, JS login-detection, and authenticated images)
5. Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3s)
6. Forging HTTP request headers with Flash
7. Exponential XSS
8. Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
9. Web Worms – (AdultSpace, MySpace, Xanga)
10. Hacking RSS Feeds

A more comprehensive list can be found here.


For the first time in Pakistan, the person responsible for a “cracking-for-ransom” case has been arrested by authorities.

This announcement was made by the Pakistani Federal Investigation Agency (FIA) last week and immediately reported by the Daily Times of Pakistan. According to an FIA agent, authorities arrested a man named Waqas Abrar for hacking into the e-mail systems of the Center for Development and Peace Initiative (CDPI).

Once he had access to an account, Abrar changed its password to prevent others from accessing the data and demanded over 40,000 Pakistani Rupees as ransom to restore access.

Abrar (23) was arrested in an Internet cafe. Police firmly believe that this is not his first experience as a cyber criminal. If convicted, he will face up to 7 years in prison and a 1-million-rupee fine.

eEye launches a 0-Day Tracker

Posted: December 7, 2006 in Security

eEye has launched a Zero Day tracker site to keep the community updated in real time on past and present zero-day vulnerabilities, with dates, expected patch releases, descriptions, severities, and links to further sites (the vendor's and the common vulnerability database) for more information.
