Tuesday, February 27, 2007

tax deduction

I started my long journey through this year's very confusing tax situation today. I've got small amounts of income from a decent number of sources, most of which are as an independent contractor, so my work for this year's tax returns jumped threefold. I'm tempted to go to a tax place, but I think I would do just as well on my own (though it would take longer), and I'm too cheap and poor to pay for a CPA.

Anyhow, as I was crunching the numbers, I came across the realization that the 2006 1040 form does not have a line for Tuition and Fees, like the 2005 form did! As a student who makes very little money and has to pay a good chunk of it back into the university for non-remittable fees (roughly 8% of my stipend), I was a bit put out. This was great in the last many years, because I didn't have to itemize my deductions to get the break.

After some digging, I came across IRS publication 970 that describes this deduction MANY times before finally explaining how to take the deduction. For all the other U.S. grad students out there, here's how you do it:

  • Put a T next to the box for line 35. The instructions say to put it on the dotted line, but my copy of form 1040 doesn't have said line.
  • Enter the deduction in the box for line 35.

This is pretty janky. Is it just me, or does this seem like kind of a last-minute "oh crap, we shafted the students, better do something" situation? This thought is further backed up by this tax law change brief that I later found. It mentions how the Tuition and Fees deduction expired, but has been "extended" until 2007.

It's also important to note that there's a cap on how much you can deduct of up to $4000 depending on your gross income. This may or may not be new this year (I don't know).

Monday, February 26, 2007

router attack by analogy

One of the elements of drive-by pharming attacks (or really any attack that attempts to break into your home's router) is router profiling. Basically, once the IP of your router is discovered (say 192.168.0.1), the malicious script attempts to identify what type of router it may be. This can be done in many ways, including image profiling. In essence, some routers will serve images without requiring an administrator to be authenticated, which is really bad. Additionally, http-auth credentials usually remain until a browser window is closed (if you don't often close your browser, you might want to do that now) and will be used by default when accessing pages from a protected resource. This way, even if a password is required, it has previously been entered by the user and can now be used to get into the router.

Anyhow, using this lack of need for password, a script can attempt to load a few images known to be served by different routers, one at a time. If the loads fail, it tries another one. Here's some code that does this:
<img src="http://192.168.0.1/logo.gif" 
onerror="tryNextImage();">

This image tag would be generated and appended to a document by JavaScript, and then when it fails, a new one is plopped in. When one succeeds (you can set an onload event for the image), the router has been profiled, and the default username/password for it can be pulled from a list.

It can sometimes be difficult to access these images on the routers without a password (not all will provide a logo without the user first logging in). It is surely possible to do that on some routers, but not all. So instead of a linear discovery approach (one step at a time), like what an investigating scientist usually does, an attacker can take another approach too: flood the router with configuration change attempts, hoping one works.

Analogy:

The two methods can be considered in this analogy: Say you are flying somewhere with five of your friends who each speak a different foreign language. When you get there, you need to tell the taxi driver who meets you where to take you. You don't know what country you're in, so you don't know which language/friend to use.

A first method is careful: you look at what he's wearing, the car he's driving, and maybe look inside his pockets for an ID or money. Once you've deduced based on this evidence where you are, you can try giving the driver directions in the language that is your best guess. If that doesn't work you can, one at a time, try speaking to the driver in a different language, but if you've done your research you will be right the first time. This is like the one-step-at-a-time approach that you mention. The problem with this is that the driver may not let you see his pockets' contents, so you might need to resort to guessing.

Alternatively, the six of you can all just walk up and start telling him where to go in different languages all at once. He will be a little confused at first, but will respond to one of you, the one speaking the language he recognizes, and that person can tell him where to go. This is the flood approach. It's messy, but you don't have to coordinate your friends and poke around in his car (where he may not let you go).

To take this back to the technology, lets say for example that ten router models make up a good portion of the market. An attacker can take advantage of this. Instead of "profiling" the router (as discussed in the tech report) he can simply try sending the configuration request for one of the ten most popular. If it fails, the code tries again with another request. This keeps going until it works or all requests have been tried. Additionally, all ten might be attempted at once.

Both methods (linear discovery and multiple requests in parallel) are possible, yet the parallel-flooding attempt seems scarier since it requires less investigative work (and much simpler programming) to work.

To boil this down, the drive-by pharming attack is not a completely specified problem. There are many ways to attack home routers from the inside, and many techniques can be used based on the types of targets an attacker may be interested in.


On a lighter note, here are some fun blog comments from Slashdot regarding drive-by pharming:
1) Drive by pharm,
2) Stop. Park.
3) Milk cows.
4) Feed chickens.
5) Slop pigs.
6) Stack hay.
7) Profit.

(Link)

We'll chase off the Pharmers with our phlaming torches and pitchphorks!
(Link)

(Previously: drive-by pharming)

Friday, February 16, 2007

drive-by pharming

If you have not set a hard-to-guess password on your broadband router, do it now. There's a way attackers can compromise your router from the inside using simple JavaScript.

The basic idea is this: you visit a malicious website and it distracts you. While you're distracted (playing a game, reading news, etc), it runs JavaScript code to scan your internal network and identify the IP address of your router. Once discovered, the malicious script can send "reconfiguration requests" to the router to attempt setting the DNS server your network uses. If successful, all DNS queries can be directed through an attacker's server, thus Pharming you. For technical details, please see our tech report, but in brief this attack is not complex.

The solution: make your router's admin password hard to guess.

I recently developed this with Zulfikar Ramzan from Symantec, who forwarded to my advisor (Markus) an interesting Black Hat talk by Jeremiah Grossman. Markus in turn forwarded to me and that's when it struck me that we could similarly mount a pharming attack without playing man-in-the-middle - all it takes is a tweak of the router's DNS server setting, and a whole home network is pharmed. Coupled with the idea that roughly 50% of broadband routers still use the default password, this attack affects a whole lot of people.

Symantec PR picked up on what we did, and issued a press release today:
(Symantec Press Release)

Read More:
(Zully's Blog Post)
(Tech Report)


Select Media Coverage:
(Google aggregate)
(Info World -- IDG article)
(Forbes)
(Appscout)
(BroadbandReports.com -- amusing comments thread)
(Washington Post Blog)
(Red Herring)
(Computer World)

Update (16-Feb-07 9:30am ET): The story got picked up by Forbes ad the Washington Post, and the Google News index on "Drive-by Pharming" is roughly fifty-something.

My Favorite Headlines:
Researchers highlight a router route to pharming
New Drive-By Attack Taking Over Home Routers
Broadband routers welcome drive-by hackers
Change Your Router Password NOW!

Update (16-Feb-07 10:30am ET): Slashdot picked it up.

Wednesday, February 14, 2007

storm predictions (update)

Yesterday I made some storm predictions... so far, here are the results:

My car will freeze shut and to the ground
Kinda. Well, the car froze shut, but with a big stick I was able to crack a door open and get into the car. The hood and trunk were sealed shut with a think coating of snow/sleet/ice mix (see photo). After chipping away half an inch of corrugated ice, the sun and my defroster melted the rest covering the windows. I still can't use my rear view mirrors, and it is incredibly tricky to get my trunk open (and it won't open all the way). To put gas in the car, I had to chip at the edges with a key, then pry it open with a metal keychain. The car also did not stick to the ground -- at least not after I picked away most of the ice that was attached to the tires. After a loud snapping noise, my car pulled out of its icy mount.

Trees will fall over (they are currently caked with snow/sleet/ice)
Wrong. I did not witness any fallen trees. I saw some branches on the ground today, and the trees were VERY droopy, but I saw no downed trees.

Power lines will sag and some older poles will droop or fall causing outages
Right. On the news tonight, they were reporting that 47 people in the Bloomington area were still without power due to downed lines, and report that many lost power earlier. I didn't see the effects IN town, but I'm sure some of the older poles toppled out of town due to the heavy layer of ice on everything.

When we dip below freezing tonight, the frequency of car accidents will skyrocket (there are too many people here in town who don't know when to avoid driving).
Probably. I didn't see any accidents in town, but I heard emergency sirens every ten minutes or so until I fell asleep. In the morning I saw a med-evac helicopter.

The story is completely different in Lafayette, where Purdue has canceled school for the second day in a row, and major intersections now look narrow due to the five to ten foot snow piles all over the place. The news said they got 16 inches of snow in the last day and a half! Driving through Lafayette, I wouldn't be surprised if it were more. It's still a big mess! I guess there's nowhere to put all that snow...

Tuesday, February 13, 2007

storm predictions

My predictions for the Feb. 13-14 winter storm in Bloomington, IN:

  • My car will freeze shut and to the ground

  • Trees will fall over (they are currently caked with snow/sleet/ice)

  • Power lines will sag and some older poles will droop or fall causing outages

  • When we dip below freezing tonight, the frequency car accidents will skyrocket (there are too many people here in town who don't know when to avoid driving).


I know I sound cynical, but lets see how many of these come true.

Monday, February 12, 2007

bad security assumption

Good assumption:
My domain (DNS) name is not safe from forgery. Bad people might "hijack" it and use it to pretend they are me.


Bad assumption:
If my domain name is hijacked or spoofed, then I lose control of all the subdomains too. This means that if someone else pretends to be sidstamm.com then they will also take control over blog.sidstamm.com, mail.sidstamm.com and ohcrap.sidstamm.com.


Bad: DNS spoofing is done on the record level, and since each subdomain happens to be a different record, an attacker might control one subdomain and let you retain control over the rest.

Consequence of this: The same-origin policy enforced by most browsers says this: scripts served by one host cannot access, execute or change data served by another host. In this case b.a.com and a.com are considered different hosts.

There is one exception to the rule: a website may change its "document.domain" property to a suffix of what it currently might be. For example, a page served by b.a.com may set its domain to a.com AFTER it is served. In this case, b.a.com can play with a.com's data.

Your data is no longer safe, unless you control all of your subdomains. The case used to be simpler: a phisher or pharmer must create a complete duplicate of a site to fool with it. Now, he just creates a parasite frame, and watches you interact with the real thing. Beware of visiting update-security.yourbank.com.

Scary.

(Link to Abe Fettig's explanation)
(Link to Same-Origin Policy info)

Friday, February 09, 2007

despicable rebate service

I bought something a while ago that was half-price after rebate. Anyway, proud of my purchase I promptly filed the rebates and went on my way. One of the rebate checks still has not arrived, so I called the company (Parago) today.

After navigating through an annoying options tree, I finally got a person and he confirmed exactly what their website had said: the rebate is valid and is scheduled for "final processing." Last time I had called, the service rep said that the rebate terms required at least ten weeks for processing. They got it on the 13th of October (which is probably a bad sign since that's a Friday too), and I called on week 9. The rep said to wait, and it should be out shortly, but refused to give me a time frame.

It's week 17, so I called and asked about the ridiculous wait and the guy said that it is scheduled to be mailed on March 14. Okay, so that is more than five months, or nearly 21 weeks. If I don't have the check in hand by March 19, I will begin emitting smoke from my ears.

Rebate Rule #45: Do not believe you will receive a rebate unless there is a maximum bound on the time it will take. "8-12 weeks" is tolerable, but "at least 10 weeks" is not. Due to the fine print, they could legally keep my money as long as they want.

[[ removed stupid rant ]]