DDoS
Augmented Reality Security Considerations
This post had originally been titled "The Top Augmented Security Threats"....on what grounds do I have to make such claims? These technologies and ideas are new. As such, aggressively speculating on potential future dangers (with no idea how real they are) is dangerous. In writing this blog, I hope to spark new thoughts and build upon the ideas of others. What I do not want is to over-sensationalize the threats I discuss. Many of them are simply conceptual and interesting to think about, but to no extent do I wish to peddle fear off on to others for my own personal gain. ::cough:: 60 minutes ::cough:: As this blog matures, I hope to promote worthy dialogue and keep fear mongering out of proximity. That said..
With augmented reality systems on the rise it has become important to focus on the corresponding security threats users may face. Fundamentally, the AR paradigm allows users to interface with a more intelligent planet. Our mobile devices now provide a gateway to context specific knowledge and information. This knowledge rich virtual layer permits individuals to more intelligently maneuver and manipulate our contemporary surroundings.
Context hacking and location manipulation: As we become more dependent on these mobile devices to provide information relevant to our surrounding environment, a trust relationship is born. We as users come to trust that the information we receive is valid and credible. Applications such as Layer, show users what is in proximity to them by displaying real time digital information on top of reality through the mobile phone's camera. Much of the real time digital information that we find in such applications is user submitted data. What is to prevent malicious users from targeting specific locations and submitting false information? Attackers could target specific locations, manipulate the environment's digital context, and more effectively facilitate attacks such as spear phishing and social engineering. Attackers can easily leverage the power of social context to stack the deck in their favor. Take it one step further. What if attackers target a specific business or organization? By hacking context and manipulating location, attackers can desecrate an organization's reputation. Attackers could even go so far as to depreciate the value of a home simply by means of context hacking and location manipulation. As can be seen in the new Twitter API for location based trends these attacks really are not that far away.
Location Based DDoS'ing: AR systems and location go hand in hand. It is the location based information, in many cases, that makes an AR system worth using. The ubiquitous networking of objects and the Internet of things implies networks and their hosts will become somewhat presence aware. Users will come to rely upon systems and networks with presence that are location specific. Attackers may choose to DDoS location specific targets particular to a mission. However, this idea is not intrinsically new. AR systems simply have the potential to amplify such threats.
Physical Threat: Continuing on with the importance of location, physical threats become more relevant. Users with mobile devices, acting as sensors, promote the dissemination of location relevant information. As such, an individual targeting another individual in physical space (instead of virtual space) could conceivably do so more effectively.
Spam: Spam, sigh, the problem we were to have solved back in 2006. Spam will be just as relevant to AR systems as it is today with email. This virtual layer will likely become littered in spam. Advertisements will be everywhere. Users themselves may become the advertisements.... similar to something like this. Will users simply learn to tone them out as they do with advertisements on the Web? Probably. However, the market and dirty money to disseminate spam will still be there.
Mobile Metadata Mining: I posted about this a few days ago. Is it a threat? I suppose. Is it something that should keep me up at night? Absolutely not. The metadata associated with output from mobile devices will eventually allow us to do some pretty incredible things....that is of course, if it becomes standardized. Until then, mobile metadata mining will simply be the mass acquisition of dissimilar data. The differences in format and semantics will only permit a group or individuals mining the data to do so much. If some kind of standard to recognize the who, what, where, when does come to exist, look out. Intelligence gathering will grow to new levels.
Delicious
Digg
TechnoratiSecurity Visualizations of Complex Systems in Virtual Environments
A few weeks ago I was fortunate to attend a talk concerning the utility of virtual and synthetic worlds. One idea mentioned was the concept of using virtual environments as a means of which to visualize and interact with complex systems. From a security perspective, complex systems and the amalgamation of varying components often result in many unforeseen security issues. Systems interacting with, and depending upon one another in ways they were not originally designed will leave holes in the fabric (a fun platitude for security folks to chew on once more). Unfortunately, no revolutionary solution for devising uniform, comprehensively secure systems from their genesis are coming any time soon. So what can the security community do to compliment these manifold systems?
This idea of using virtual environments to visualize complex systems is very powerful, especially from a security perspective. Visualization would provide security engineers (network admins, application developers, etc) to see, dynamically, how systems are working and interacting. For instance, if a Web server begins to see heightened traffic rates, perhaps a visual image of the Web server (a blue server box or something to make it uniquely distinguishable) would expand to raise a red flag of a potential DDoS attack. Perhaps, a visualization of a complex system would allow admins to see what different protocols (lines w/ different colors?) are being used for disparate systems to communicate. Maybe, with regards to the "cloud", visual representations for depicting VM segmentation and resource allocation could be used to symbolize data leaks between VMs, exposure to the host and hypervisor. The potential ways to use system visualizations via a virtual environment are endless. The next question is, how can one trust the visualizations one is seeing? But that's for another day...
What about the ease of which users would be able to interact with their infrastructure? No more manually grep'ing through log files and modifying systems via command line and shell scripts. It'd be much easier to visually see a comprehensive view of one's infrastructure and be able to make modifications with a few mouse clicks. Instead of interacting with complex systems by means of such complex methodology, we should be working to interact with them in more simplistic, intuitive ways.
Today, every systems engineer devises many system and network diagrams before deployment and implementation. But these forms of documentation are static. We need to begin implementing living visualizations that dynamically interact with our living systems.
DDoS’ing Second Life Sims to fend off business competitors
A sim, or simulation server, is a Second Life architecture component that “simulates” a 256x256 meter region in Second Life’s metaverse. Sim servers handle most of the critical processing power necessary to maintain perpetually consistent object and terrain height-map state. They utilize an involved physics engine, Havok, which performs visibility calculations on both objects and map terrain. Upon completion, the sim server processes the results and transmits them to the client via UDP.
Second Life real estate consumers essentially purchase their own sim server, or island, hosted in the Linden Labs’ cloud. As we know, many Second Life land owners develop upon their islands and operate their own virtual businesses. Many such virtual businesses have been successful and seen significant profit gains. All such virtual undertakings rely heavily on Linden Lab’s infrastructure and require their sim servers to be fully operational at all times.
If I am a business owner in Second Life I am most likely looking for opportunities to gain the upper hand on my competitors. I could perhaps spend tedious amounts of time conducting market research, perform user poling and reviews, hire outside consulting, etc. All of which are costly, time-consuming, extremely boring and still do not ensure the right business decisions will be made to overtake my competitors.
Why not instead outsource my dirty work, contract cyber criminals to leverage a massive botnet, and DDoS my competitor’s sim servers back to the Stone Age?? This will render them unusable and perhaps even take them offline. Instead of hours and hours of market research and business study I’ll simply wipe them off the map. After taking down my competitors and monopolizing the market, consumers will be forced to seek out my virtual goods and services. My business’s name will become omnipresent and ubiquitously recognized throughout Second Life thus giving me a significant market advantage over my competitors once their sim servers come back online. That’s the vision anyway.
The obvious question is what can be done to combat these DDoS attacks? Currently, Second Life land owners are at the mercy of Linden Labs. They rely on Linden Labs to maintain and operate their individual sims securely. This is essentially the primary security issue concerning cloud computing. Consumers rely on cloud providers to secure their infrastructure.
From a Linden Labs infrastructure perspective, it would be interesting to see sim locations in the infrastructure dynamically rotate and still maintain a perpetual virtual state. The cluster representative server, or space server, would essentially orchestrate the dynamic changes while the data servers in parallel, perform the necessary corresponding data processing. This type of dynamically orchestrated architecture would give the various sim servers ephemeral IP addresses and make them more difficult to target with DDoS attacks. This dynamic architecture is conceptually similar to the way in which attackers use DNS fast flux to obfuscate phishing and malware delivery sites.
DDoS attacks against sim servers in the virtual context can be used in countless ways to make money just as they can in today’s two-dimensional web. As virtual worlds and a three-dimensional Web become more relevant it will become imperative for world providers to account for DDoS attacks and build their infrastructures accordingly.
