Reflections on Brilliant Digital: Single Points of 0wnership
nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.
Reflections on Brilliant Digital: Single Points of Internet 0wnership
by
Nicholas Weaver
nweaver@cs.berkeley.edu
Any attacker who can control 100,000 machines is a major force on the internet, while someone with a million or more is currently unstoppable: able to launch massively diffuse DDOS attacks, perform needle in a hayfield searches, and commit all sorts of other mayhem. We already understand how worms could be used to gain control of so many machines. Yet the recent revelation that Brilliant Digital Media has bundled a small trojan with KaZaA has underscored another means by which an attacker could gain control of so many machines: poorly secured automatic updaters. If an attacker can distribute his own code as an update, he can take control of millions of machines.
Brilliant Digital plans to create Altnet, a distributed, "secure" network of clients to harness the unused storage, bandwidth, and computation residing on the machines of users across the country, in a manner which prevents the clients from altering or even reading the information. An entertaining if horribly flawed business model [1], except for the means they have selected to build their network.
Brilliant Digital bundled an officially allowed, small trojan program with KaZaA which periodically connects back to their servers and downloads an update (eventually the Altnet P2P software). This trojan is now incredibly widespread: during the week of March 25th, KaZaA and the bundled trojan were downloaded 2.6 million times from CNet alone!
With such a massive misunderstanding of security in their proposed business model, one has to wonder whether their already implemented security in their trojan is any better. There are a few questions which someone could disassemble the binary to answer:
Are the server addresses hardcoded, or is a DNS lookup used? If DNS is used, the attacker only needs to hijack the name (for example by poisoning a resolver's cache or taking over the domain registration), not take over the update server, to present a fake server to the rest of the world.
Does the distributed trojan use SSL to authenticate the server, or does it simply go by name or IP address? If there is no authentication, it is very straightforward for an attacker to masquerade as the server without attacking the server itself. Merely speaking SSL is not enough: the client must also check that the certificate chains to an authority it trusts and that the certificate's name matches the server it expects, otherwise the attacker presents his own certificate and the connection is encrypted but not authenticated.
Is there any additional code signing, beyond authenticating the server, when downloading a new module? If there is no additional code signing, control of the server is all that is required. If there is code signing, and the signing key is kept off the update server itself, an attack on Brilliant Digital's internal network is probably necessary in order to obtain the private key.
Is there any notice to the user on the part of the trojan, or will it only be contained within the larger Altnet program? Users are so conditioned to click "OK" that even a user message is probably not a significant barrier for an attacker, especially if the attacker can create the message.
How secure are Brilliant Digital's servers and internal networks? For they now represent a single, critical target on the internet: Any attacker who can take control of the server and successfully push a program out to the already distributed trojan can now control many millions of machines.
There are plenty of other potential targets beyond the obvious windowsupdate.microsoft.com. EverQuest claims over 300,000 active players, with over 90,000 simultaneous users. Blizzard had 1,000,000 customers connecting to Battle.net (their matchmaker and automatic update system) in the first 3 weeks of Diablo II's release. An attack which compromises and co-opts the automatic update system for such a game could easily reach 100,000 to 1M vulnerable machines in a short period of time.
Any program which connects back to a server for updates should be scrutinized very heavily, because as the program becomes widespread, its update server and update mechanism become highly attractive targets for attack. Each new program with an automatic update feature is a new point where an attacker can gain control of a huge number of machines.
This is worse when update protocols don't authenticate the downloaded code. Such protocols are highly vulnerable to attack, as an attacker only needs to gain control of the update server. If the protocol doesn't even authenticate the server, then a DNS hijacking may be sufficient!
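As an added illustration of the checks the questions above and this paragraph call for, here is a small Go update client (example code written for this page, not Brilliant Digital's updater or anyone else's). It pins the vendor's public key at build time, verifies a signed manifest, checks the downloaded module's SHA-256 against the signed digest, and refuses any version that does not move forward. The manifest format, the field names, the use of Ed25519 and the sample payloads are all assumptions of this example. Authenticating the server (the SSL question) is complementary and not shown; the point here is that with code signing an attacker who owns the update server, or its DNS name, still gets nothing without the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// Manifest is an assumed update-manifest format for this example: the module
// version, the SHA-256 of the module bytes, and a signature over both made
// with the vendor's signing key, which lives on an offline machine, never on
// the update server.
type Manifest struct {
	Version uint64
	Sum     [32]byte
	Sig     []byte
}

// manifestBody is the exact byte string the signature covers. Binding the
// version into the signed data is what lets the client refuse downgrades.
func manifestBody(version uint64, sum [32]byte) []byte {
	return []byte(strconv.FormatUint(version, 10) + "\n" + hex.EncodeToString(sum[:]))
}

// SignManifest is the vendor side: hash the module and sign version+hash.
func SignManifest(priv ed25519.PrivateKey, version uint64, module []byte) Manifest {
	sum := sha256.Sum256(module)
	return Manifest{Version: version, Sum: sum, Sig: ed25519.Sign(priv, manifestBody(version, sum))}
}

// Client is the updater. It pins the vendor's public key at build time and
// remembers the highest version it has installed.
type Client struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint64
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrHashMismatch = errors.New("module hash does not match the signed manifest")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
)

// VerifyUpdate accepts a module only if the manifest is signed by the pinned
// key, the module hashes to the signed digest, and the version moves forward.
// A server that was taken over, or impersonated via DNS, can satisfy none of
// these without the private key.
func (c *Client) VerifyUpdate(m Manifest, module []byte) error {
	if !ed25519.Verify(c.VendorKey, manifestBody(m.Version, m.Sum), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(module) != m.Sum {
		return ErrHashMismatch
	}
	if m.Version <= c.InstalledVersion {
		return ErrRollback
	}
	c.InstalledVersion = m.Version
	return nil
}

// RunScenario generates a vendor key and an attacker key and plays four
// deliveries through one client. All payloads are constructed samples.
func RunScenario() (map[string]error, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	genuineV2 := []byte("updater module v2 (constructed sample)")
	genuineV3 := []byte("updater module v3 (constructed sample)")
	malicious := []byte("attacker payload (constructed sample)")

	client := &Client{VendorKey: vendorPub, InstalledVersion: 1}
	results := map[string]error{}

	// Genuine, vendor-signed update: installs.
	results["genuine v2"] = client.VerifyUpdate(SignManifest(vendorPriv, 2, genuineV2), genuineV2)
	// Attacker owns the server (or its DNS name) but not the signing key.
	results["attacker-signed"] = client.VerifyUpdate(SignManifest(attackerPriv, 3, malicious), malicious)
	// Attacker relays the genuine v3 manifest but swaps the module bytes.
	results["swapped module"] = client.VerifyUpdate(SignManifest(vendorPriv, 3, genuineV3), malicious)
	// Attacker replays an old, correctly signed manifest to downgrade.
	results["rollback to v2"] = client.VerifyUpdate(SignManifest(vendorPriv, 2, genuineV2), genuineV2)
	return results, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine v2", "attacker-signed", "swapped module", "rollback to v2"} {
		fmt.Printf("%-16s -> %v\n", name, results[name])
	}
}
```

The order of the checks matters: the signature is verified before anything derived from the manifest is trusted, the hash check stops an attacker who can relay a genuine manifest but substitute the bytes behind it, and the version check stops a replay of an older, still validly signed module that may carry a known hole.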
As for Brilliant Digital, their horribly flawed business plan shows a grave misunderstanding of security, which must not be repeated by others in the future. Since their proposed business can't possibly work, they should both protect themselves from legal liability, as well as the rest of the internet from the results of a single attack, by producing a program on their update server which removes all traces of their trojan.
[1] Their model is full of flaws. Secure, secret storage on distributed machines is possible but generally useless: the real advantage of distributed storage is gained by distributed searching, which requires decrypting the data for most meaningful searches. At the same time, disk is getting cheaper: $13,000 buys a 3U-high, .75TB, RAID-5, hot-swappable, turnkey storage appliance. It is even cheaper when built from components.
Secure, secret computation, where the clients don't gain information about the task they are performing, is effectively intractable except for very specific problems. To believe that untrusted clients could not gain information about the problems being completed is a ridiculous notion.
Finally, their model of distributed content serving is laughable since the HTTP protocols do not support file authentication. There is nothing which prevents a misbehaving client from only serving banner advertisements which say "Brilliant Digital and Doubleclick Can Bite My Shiny Metal Ass".
As such, all three proposed usages: Secure and secret storage, secure and secret computation, and secure content delivery, are all inherently flawed.
We do not live in the 21st century. We live in the 20 second century.
How? If I never touch Kazaa (that means, never install it), this article doesn't tell me how it can affect me. In fact, the article doesn't seem to say anything we haven't already heard in Slashdot before, about attacks through the use of DNS redirects or man-in-the-middle, etc. But how does it affect me, when I haven't installed the program?
Okay, now this is total FUD. You're telling me that if they get hacked, the entire Internet is at the mercy of the hackers. Why is that?
Get off my launchpad!
Some domains will get banned, and some sites will go down. The Internet carries on. Packets still get through.
Yes, Trojans are bad. Hijackable Trojans are worse. Enough good reason to avoid them without hysteria.