Tag Archives: security

Saving players in Sword Art Online

Posted on by fnzna
4

The year is 2022, a highly hyped game called Sword Art Online just released after beta testing. Your son decided to wait in line for the game on release date, and upon getting it, decided to play it right after he came home from getting the game. You feel a bit disturbed since the equipmen that the game requirest, NerveGear, intercepts all body commends from the player while the player is in play, making the player unable to move physically while he is in play. Nevertheless, knowing how long he waited for the game and how much fun he has playing MMORPG, you let him play.

Few hours later, new reports describe  Sword Art Online and  how it is preventing users to log off and if the NerveGear was taken off forcefully, would kill the player right away. Knowing that your son is now basically fighting in game for his life, as his life will end if his hp reduces to 0 in the game, you want to help and save your child but is scared to do so since of the new reports of family member taking off NerveGear and killing the player in the process. Now, using what we know and assuming the technology behind the whole NerveGear and SAO system, lets run some possible methods to save the players without having them to finish all 100 levels in the game.

Don’t worry, dear parents, we are going to save your son

What we know and can deduce from:

We know that the players themselves can’t log out from the game using the menu, and can’t move their bodies (aside from critical actions like breathing and blood-flowing), and if the NerveGear is taken off before the 100 level are completed, the headgear will emit microwaves, frying the player’s brain. We also know that during the beta phase, this was not the case, since the male lead, Kirito, was able to log on and off normally and often enough to be well versed in the game during the beta phase. This added with the fact that he is using the same NerveGear during the incident and during beta testing, it is safe to assume that there are some mechanism inside the NerveGear that enables and disables the brain frying ‘function’. Also to keep track that the helmet is being taken off, there should be some sensors that either keep track of any kind of movement to the NerveGear (ie gyroscope) or a scanner that keeps track of the position of the player’s head.

From the anime, we also know that several people have already died from the incident, some precisely because of their family members/friends taking the helmet off. While this means the death of those players, it also means that some of the headgear is taken off and can be used for examination. This might mean that rest can be easily saved if the investigators can find an easy way to render the helmet useless.

The main purpose of the NerveGear is to display the virtual reality and to receive actions from the player, most likely sending it to the SAO servers. It has a battery of it’s own, and guessing from the anime, if it reaches a certain battery level (because it being disconnected from a power source), it will proceed to fry the player’s brain. On top of that, there might be some other possibilities that the headgear will decide to fry the player’s brain just to make removing it harder. For now, I will assume that the device will also fry if NerveGear cannot connect to the Internet for some time (sorry, people with bad, laggy internet) and that the device is tamperproof, and hence will fry if someone starts messing around with the innards of the gear while the user is still wearing it.

Also, since the only possible method for the player to actually return back to real life alive is to finish the game, and assuming that Akihiko Kayaba is not lying that part, it also means that the NerveGear can take a particular command from the SAO server and deactivate the brain frying function. At the same time, if the server realizes that the player has died in the game, NerveGear will receive a particular command from the server to kill the player.

With all that figured out, let run some possibilities that can save your son:

1) Use tinfoil, or other types of foil that will block RF: This is the most obvious solution, but is quite risky. The idea of this method is to slowly put such sheets between the player and the NerveGear, as much as possible, before removing the gear, in hopes that when the NerveGear does start to fire off brain killing waves, those sheets will prevent it from entering from the player’s brain, and if it did, will not be strong enough to kill the player. The problem with this method is 1) the success of it is based highly dependent on how effective the sheets are against the microwaves 2) if it is even possible to cover the player’s brain fully for it to be protective enough (especially since the NerveGear covers the whole head, making slipping to cover the whole head quite hard) 3) the problem of triggering the microwave because of head movements that might accidentially happen when the protection sheets are placed on before enough are in place to protect the brain. Therefore, while it is possible, it is still highly risky.

2) Use a man-in-the-middle + reply attack: Since the NerveGear can receive a certain command that enables and disables the brain frying function, researchers can try to create that command, send the command using man-in-the-middle and fool the NerveGear that the player has finished the game and will proceed to disable to deadly function. Obviously the researchers can’t just grab the particular command from the author, Akihiko Kayaba himself (or maybe they can), they can try by observing the data that was passed to the NerveGear from the start of November 6, and seeing if they can find when and which command it is that caused the NerveGear to enable the function, then predict the code that can disable the function. If the message is something as simple as “change the trigger”, researchers can just use reply attack and send the same packet and stop the function. Obviously, if the message that enables the function is encrypted (and I won’t be surprised that it is), unless it used a very crappy encryption scheme, creaking it and creating a new message to disable the NerveGear’s death transmission signals will be hard.

3) Disable the whole NerveGear itself: Since the death of several gamers, researchers can use the helmet of those gamers and research the inside of the headgear, hopefully finding where the CPU is. Then knowing the location of the CPU, researchers can just destroy the CPU of the device and then proceed to remove the helmet without fear of killing the player. This is possible since any information must be first processed by the CPU before instructions can be handled out. For example, if the battery reaches to a certain level, the sensor will recognize this and will provide the information to the CPU, then finally the CPU will send out instructions to send out death microwaves, without the CPU, the NerveGear would never send out the death microwaves. Without any kind of tamperproof, this process is just a walk in the park, since the researchers can send all the time they want to open up the NerveGear and render the CPU useless by smashing it for example. With tamperproof, speed and precision comes into play, as the CPU must be smashed before information about the headgear being tampered with is received and processed by the CPU. In short, the method is to just destroy the NerveGear enough so that while it can’t do anything, it will also not blow up while the player is still wearing it.

3.1) Shock the NerveGear and fry components. There is a Chinese saying that states “Fight poison with poison”, and since the NerveGear is trying to fry us, we will just use the same tactics on it to fry the NerveGear. If the helmet is not tamperproof, just open the helmet and pour water on the motherboard, which will fry the motherboard and make the whole system useless. If the helmet is tamperproof, just provide more current to the player than it requires, which might end up frying the system also (though I think there are ways the NerveGear can get around that method). So while not guaranteed, it have a high chance of succeeding, especially since the NerveGear itself is a computer. Source: http://www.ehow.com/how_2292999_fry-motherboard.html

4) Stop time, remove helmet, resume time. Now don’t we all wish there is a Homura near us.

I have skipped on the less technical and more law based resolutions (ie suing the company and Akihiko Kayaba for the whole incident, but the company will likely deny any relations to the whole incident and say only Akihiko was behind it [which I obviously don't buy, since the whole system that enables the current state involves so many different parts of the project (NerveGear, menu UI, the servers etc), and for a project as big as SAO, it would have involved many teams on QA, meaning that it would have took several teams to implement the system, several teams of testers to either turn a blind eye of the potential issue and/or having the higher up covering the whole issue during development], and/or trigger Akihiko to just end the lives of all the gamers with a potential red button that he might have programmed.

Out of the four possibilities (the 5th one is just there for jokes), I think I would trust the 3 and 3.1 the most, since they can be done in a more timely matter (less chances to die in game) and can have less risks than the other two. So remember, when you kid does go into such situation, just destroy the darn headgear.

Now, dear readers, what do you think, how efficient the methods that I have stated are, and what are some method that you think would work and save your love ones?

Aniblog Tourney and Ballot Stuffing

Posted on by fnzna
4

lets learn more internet security

Since Aniblog Tourney is happening right now, with round of 16 starting and that my good Twitter friend, krizzlybear is having a match today (or it is yesterday already), being a lazy blogger that I am,  I finally decided to write something about Aniblog Tourney…even though I’m not a part of the Tourney. Obviously, wanting to write something interesting to me, and not just talk about all the drama that is/was happening with the Tourney, I looked at the security behind their voting system.

Earlier in the Tourney, there were some issues with ballot stuffing (Round 2 Match 34, Round 1 Match 23) which caused two blogs be disqualified and prompted the organizers to find a “more secure voting system” (from post Round 3 delayed). As an experiment, I played with both voting system (PollDaddy and vote.willisite) to test their security, obviously using my own created polls for tests.

PollDaddy

Before going into the security, Polldaddy has the advantage of having the poll be inside your own site, something which the organizers of the Tourney took advantage of, I haven’t test if voting directly on the site will have different security than voting directly to Polldaddy yet, since I don’t feel like making a new blog just to test (much more hassle than just creating a poll). But will be using this post to test that.

So as I was creating a poll through Polldaddy, I found out that they gave me three options to prevent ballot stuffing. To test out each options, I created the following two polls:

blocks by ip and cookie https://polldaddy.com/poll/6345023/

blocks by cookie only https://polldaddy.com/poll/6345042/

(the first option is obviously lacking in having any method to block people from voting multiple times)

Having access to two laptops, I tried to vote on both polls with two laptops and different browsers on the laptops. As expected, since both laptop are on the same local network, and hence have the same IP address to Polldaddy, the first poll only counted my vote once in total, while the second poll counted my voted all three times (1 try on one laptop, 2 tries on another laptop, using different web browser for the two tried).

Lastly, most importantly as seen on how the ballot stuffing incidents in Aniblog Tourney was done by proxies, I try to vote again on the first poll using a Tor enabled browser (Tor is a system that make it possible for online anonymity by having your data sent through several proxies before reaching to the destination), and load and behold, the vote passed. This shows evidence that any proxy can be used to bypass the check that Polldaddy had in place to prevent multiple voting, hence a vulnerability. Having seen this, the organizers switched to vote.willisite for better security.

vote.willisite

The site is still in alpha mode, and the page to create the poll was way less elegant. Noneoftheless, I created the following poll for testing:

http://vote.willisite.com/en/poll/46

Did the same test as the ones I did for the PollDaddy polls, and like the more secure poll, it only accepted my first vote. Then just for kicks, I used my phone and voted, which unsurprisingly, went through, since my phone was using mobile data, not using the same LAN as the two laptops and therefore having a different IP. I also tested with creating another account to vote on the laptop, which failed since it is still using the same IP as my first vote, meaning that it is not possible to just make multiple accounts to vote on the same IP.Finally, I tried to vote using Tor, and instead of going through I received the following message:

Your vote was rejected because you seem to be using a proxy. Click here to add your IP to the whitelist.

Woh. Honestly, having the ability to detect proxy is pretty nifty. From my knowledge of how the network and Tor works, I don’t think the poll server can detect directly if the incoming traffic is proxy or not, since it should just look as standardized as any other incoming traffic, with the originating IP address not to me, but to the proxy server between me and the poll server (or in the case of Tor, the exit node, the final node which my traffic is sent before it goes to the destination). So I’m guessing that there is some kind of proxy list (ie this) that the server is comparing the IP from to determine if the originating IP is a proxy server or not. Obviously this is a cat and mouse type of competition, as the IP list would only contain known proxies, but would still allow unknown proxies to pass through. In worse case, an attacker write a virus, infect a multitude of computers, and use each of the computers to vote; to vote.willisite’s eyes, they will all be legitimate votes, since that all came from different IP and not of them are known proxies). Fortunately, since the target audiences are anime fans who reads aniblogs, while being more tech savvy than the average joe, most (hopefully) don’t have the knowledge/time/etc.. to create multiple proxies or make a virus to infect others just to vote on Aniblog Tourney (or if they do, might not even worth the effort to do it). In short, having the ability to see if a certain traffic has gone through a proxy is pretty much effective in preventing the issues that came up before and might come up later (don’t take my word for it, as I have stated, while harder, there are still ways to ballot stuff).

Some security methods

During this experiment, I have seen several methods that prevents ballot stuffing, they are cookie check, ip check, proxy check. Along with some some other methods that I just thought in my head, I will compare the related issues with it.

Cookie check, that is checking if there exist a cookie that shows the user have voted already, as seen previously, does nothing to stop people from using a different browser, let alone a different device to vote with the same IP. In a age where most of us having access to more than one device (laptop, tablet, phone etc..), and not to mention that all modern browsers lets you wipe out your cookies, this method is ineffective.

IP check, as seen with the Polldaddy poll, without proxy check added, voters can just use proxies to bypass and proceed to ballot stuff. On the other side, this added security will prevent any one from the same LAN as some that have voted already to vote. For example, if there are two anime fans sharing the same internet, they can only vote once. The former problem is fixed with the addition of proxy check, but than it might have the unintended consequence of blocking any legitimate votes that must go through Tor. This isn’t an issue for Aniblog Tourney, but for a more global poll that might negatively impact China or any other controlled countries, this would be an issue. Also even with both checks, it still does not prevent any user from just moving to a different IP to vote, as we can just move to our phone and use our mobile data (which I did and passed), vote in the office, vote while drinking coffee, vote while in a friend’s house (also since most votes will be using residential internet, from time to time their IP address would change, which by sheer luck, it might change during the voting time); they all would go through (unless someone voted from there already) since they are all from different (non-proxy) IP [this is a potential issue with the current implementation of Aniblog Tourney's voting system].

To fix the problem of voting through different IP’s, the voting system can require each voter to login before voting, so mapping each vote not to a location, but to a user. Yet, this just shifts the problem to how to prevent people from signing up multiple times (read: restricting one account to one email doesn’t work, as people can easily get an email nowadays). On the other side, the time needed to sign up and login will surly turn some potential votes away. Lastly, you can restrict the sign up problem by having each user to provide some government issued identification, while being highly efficient in preventing multiple sign ups (barring people having fake ID’s, which is an issue not only to online voting but to many other things), would open another can of worms called privacy. For Aniblog Tourney, this would be overkill, but it might be something that would be implemented if something like the presidential election were to take place online.

In the end, there is still the issue of having the votes move to another IP address to vote, and so mapping each vote to an user is advantageous,  but then it is again hard to prevent one person from making multiple users, coming back to the same issue. So I guess in the end, the best we can do is to trust that each vote is honest with their votes and is not bent on taking advantage of the vulnerability in the system.

Continue reading

Prove to me that you’re really my nephew

Posted on by fnzna
2

part of SZS ch28 pg1

Computer Security is important, especially in an age where we do banking online, use Facebook and Twitter and for some of us, interact using the Internet more than in real life. First, let’s define what security is. In the class I took, one definition for security is CIA, Confidentiality, Integrity and Availability. Confidentiality states that only the people who have authority to access the data can access the data, preventing any unwanted third party from knowing the secret. Integrity states that the secret data that you see is the correct one when you request and see it, ensuring that the data is not tampered with when it is transported to you. And availability states that when you request the secure data, it is available for you. While all three are important, let’s mostly focus on confidentiality.1

So with confidentiality, only the authorized parties can have access to the object in question, but the main problem is that how do we know if someone is 1) a member of the authorized parties 2) the person is really the person that he/she said that he/she is. To do this, we need to both identify and authorize the person, to know the identity of and to know if the person is really the identity that he/she put forward as. In a simple website example, putting your username would be a form of identification, and putting your password would be authorization, as the password should only be known between the website and the person who registered as the given username. Obviously this is easier in real life than through the Internet, since in real life, the person, say Bob, doing the authorizing can physically see the person, say Alice, and can easily use a series of information for authorization (speech, look, body actions), especially if Bob have prior interactions with Alice. The amount of information that Bob can use to authorize Alice would most likely be a lot less if they had interacted through the Internet. 2

So….how does this have to do with anime? Well, in chapter 28 of Sayonara Zetsubou Sensei, Zetsubou-sensei just deals with the issue of authorization. Chapter 27, we see the entrance of Majiru, of which he was brought to Zetsubou-sensei’s classroom. Zetsubou, having not seen Majiru since birth, and to start the issue of chapter 28, questions if the Majiru in front of him is the real Majiru (and not just some kid masquerading as Majiru), of which he then generalizes the issue and ask the whole class for each of their authorization, or proof of who they say they are.

At page 6, Zetsubou outlines the definition of what is needed for authorization, something that “only the real you would know”, let’s see how efficient Zetsubou is in getting proper authorization from his students.

A curly hair is fine also (pg13)

First he asked Chiri for authorization, of which Usui suggested her to reveal her breast size for authorizing. While breast size is a private information and hence wouldn’t be known by most people, the fact that most health record of Chiri would have such information, and hence anyone that have access to such health record can know such information, and that if someone is pro enough, he/she can guess Chiri cup size with a small margin of error. Since there is a small set of people that can know Chiri’s cup size without being Chiri, strictly speaking, her breast size is not the best way to proof her identity. Obviously knowing that cup size is not good enough for proof, Chiri showed that her hair is not naturally straight, but really curly, to which Zetsubou laughs off as interesting and authorizes Chiri.3 …Now really, not only is her curly hair not arguably an information that only she would know (surly her parents [which she might have killed off already] and her elementary school classmates would know [assuming that if any of them are still alive…Harumi is her friend since elementary school right?...so Harumi could pretend to be Chiri using that information]), but that Zetsubou-sensei has no way to prove that the information is something that is true to the real Chiri. Using the same example with Alice and Bob, Bob request something that only Alice (not even Bob) would know, but this does not stop Mallory coming in to tell Bob something is that only Mallory would know. Since Bob cannot know what this information is beforehand, and if he is like Zetsubou-sensei, he would just accept Mallory as Alice (which ends up breaking the whole idea of authorization). By this alone, we see that using Zetsubou’s method is totally useless for proper authorization, and hence I suggest that the information used to decide proof one’s identity should be shared by both parties (and only the two parties).

After authorizing Chiri, he asks for Abiru’s authorization, which she declines, and I donno, I guess he accepts her identity precisely because of her decline (as he guess the secret have to do with domestic violence).4 Really now, the lack of information to authorize something, this is something new to me. While, I can guess the Zetsubou is using more of the five senses as data for authorization, the cynical in me is saying that anyone that know Abiru’s rumors can pretend to be like her and be all bandaged up.

Nami passes with giving a normal answer. So normal. Well, I guess it prevents her from being masqueraded by un-normal people, which SZS is full of.5

As for Maria, who we all know got into the class from buying the identity of Sekiutsu Tarou-kun, and hence has been a fake from the very beginning. Instead of asking weird secret information as he did with Chiri, he asked background related information about Tarou-kun, and which Maria was able to correctly answer all of them. The teacher asked Tarou’s permanent resident, middle school, blood type and his father’s name, all of which are information that can easily obtained with a bit of research.6 This shows the lack of security by using publically accessible information as a proof for your identity (and hence the idea of security questions for security is just pure bull).

Finally coming to full circle, the idea of using a secret information for authorization that is not shared between the two parties came back to bite Zetsubou, where his students asked for his authorization. He first tried to show proof by dying, but the students objected, saying the information that they stored related to the teacher is not what he provided (different look, different personality).7 Obviously he didn’t know that is what the students had in mind of him (it is secret), similar to how he didn’t know that Chiri had curly hair, and was not given authorization even though he was really the teacher. The catch is that if the secret is not (partly) shared between the two parties, there is no way that a proper authorization scheme can work (you might end up authorizing the incorrect person or not authorizing the correct person).

For the people that know a bit about security or cryptography you might object saying that it is possible for the same secret to be not shared between the two parties but still have a perfectly working authorization scheme (public key cryptography). Well, yes….but the two parts of the keys are created in such a way that makes it possible. Here I’m saying how it is possible for Mallory to make a completely random secret and will be accepted as Alice.

 

  1. University of Waterloo, CS458 Winter 2012 Slide 1-19
  2. University of Waterloo, CS458 Winter 2012 Slides 3-29-32
  3. Sayonara Zetsubou Sensei, chapter 28, page 6
  4. Sayonara Zetsubou Sensei, chapter 28, page 7
  5. Sayonara Zetsubou Sensei, chapter 28, page 8
  6. Sayonara Zetsubou Sensei, chapter 28, page 9
  7. Sayonara Zetsubou Sensei, chapter 28, page 11

Security Issue: certain picture-sharing site

Posted on by fnzna
3

 

Picture semi related

Since some people on my Twitter timeline was having so much fun finding random pictures on a certain screen-short sharing site, I decided to do a quick look on the site, and man, their security is so lacking.

On their main site, it reads the following: “ Share them with the world or make them private, for your eyes only.” Ya, the whole issue of random people going through the picture sharing website looking for random pictures is a null point if your intentions were to share them to everyone (or everyone with the link), but it is a huge security problem if the uploader intended for it to be private. (Aside: Actually for sites like youtube, you can have your videos unlisted, unsearchable on the site, only accessible with a link, but you can’t really prevent other from sharing the link to people you might not even know after you have shared it, so only accessible by link might not be secure enough). From just testing few random values (and some not as random ones), I found that there are several problem with the system.

1) Make it freaking secure if the user desire to do so. Make something like a login system where upon entering the link, either request a login to identity the user and to determine if the user have the proper authorization to see the uploaded picture. Yet, the main problem is that the design of the whole site might need to be changed to accommodate a login system.. Haven’t try the upload program, but I won’t be surprised that it doesn’t check for username when a user uploads a picture, and even if a username check is needed, it might be because of stuff like “to prevent one user from uploading too much stuff in a short period of time”. Even if assume that a username check is in place in the upload program, the ability to mark a picture to be private would take more work than select part of your desktop to be shared and then share with the given link (aka gyazo).

2) The picture ID is way too short. Even without what I have said above, it is possible for people like me to actually find an picture on the site if the ID for each picture is longer than what they have right now. For their site, each picture is saved and then accessed with <sitename>/XXXX where XXXX is 4 character from the set [0...9,A...Z,a...z]. Meaning that there is a maximum of 62^4 possible ID’s which is less than 2^24. First this mean that there is a maximum of 62^4 accessible picture at any time, any new pictures might need to take over some old ID’s, causing those older picture to be inaccessible, second it means that if I do exhaustive search, I am sure that I can find a proper link with at most less than 2^24 steps. While 2^24 steps might sound a lot, this is considered to be simple work for a computer and should be done within seconds if not less. You might say that the website might be able to catch me since I’m doing so much request to their site with the same computer (and hence same IP) and will be able to block me from doing any further requests. Yet the fact is that 2^24 steps is necessary only if there is only 1 picture on the site, and it gets easier and easier as more people use the website to share pictures. For example, if the site if half filled (62^4/2 pictures), I can expect to get at least one correct link after trying two random links. So ironicly, the more popular the site is, the less secure the pictures are.

There seems to be an mistake with my reasoning above, while I have a higher chance to find a picture, I still need ~2^24 steps if I want a certain picture (assuming that I know it exists in the site). The fact is just that an attacker can get a sensitive picture easier and easier as the amount of sensitive pictures increases, it is still difficult if the attacker is trying to find a certain sensitive picture.

3) One issue that I also found is that the ID creation might not necessary be random. According to a forum about people finding through pictures on this site, one limited the search from 0xxx-l000 (anything except for the first character to be l or greater). While I was able to find some proper links where the first digit is greater than l, I found out that I tend to be less successful if my first character is of a higher value (counting in base 65 where a = 10, b = 11 and so on). This leads me to guess that the site doesn’t necessary just generate a value at random, but it have some kind of equation to calculate a correct value (one is not taken). Practically this makes checking if the value is used or not easier, since they are incrementing for any new ID, only ID that are smaller then the new ID is used, so by definition the ID is not used (unless they are already starting to recycle the ID’s, which my observation of less ID with high first character value does not points to). Yet, this is a case where the developers exchanged security for convenience. To add to the result, I was able to find a series of picture successfully by incrementing 2 to the ID everytime, possibly showing the simple nature of the ID generation.

All these wouldn’t be a problem if all the uses are using this site for public sharing only, but since the site itself does describe that if the user desires, it can be kept private (by not sharing the link). This is obviously false, since it is highly likely that someone (malicious or not) can guess and get the link to your picture relatively easy (I did mentioned that the site can block me if I do too many request, but what if the request are coming from many different sources (ie distributed), which is really easy, since the task can be easily divided (I take 0xxx-7xxx and you take 8xxx-cxxx).) And seeing some of the results that my twitter follow have found, some people are really using this site for private pictures….

As for the test: I tested around 26 links, with only 9 not working (and I tried more later….)

Edit: I found out that they also use capitalized letters, making the size of possible ID to be 62^4, which, while more than before, is still a piece of cake to computers. 

Edit 2: 

As otou-san have shown and after actually using their services, it is possible for a user to explicitly mark a picture to be private, prevent anyone except for you to view it, and hence meaning that most of my arguments above is thrown out the window. Good grief, this is what you get for not doing enough research on the subject itself, jumping into conclusions. Yet, still as seen with the presence of some sensitive information that some of my Twitter follows had undercovered, the either all or nothing security model might not be suitable for all users, and that by deafult any pictures uploded is placed to he public folder might be a problem if users don’t actually get around to change the settings of either their account (change default folder to private) or transfer the sensitive picture to private folder (though highly unlikely, the time between a user uploading the picture and the user transferring the picture from public to private folder is still an opportunity for attacker to access those sensitive pictures…..

Now I’m just trying to salvage what is left in my argument. I guess those developers aren’t so insensitive to security after all.