Monday, April 13
The Indiana Daily Student

Graduate discovers Internet weakness

Informatics researchers find security risks

It took Sid Stamm less than 12 hours to code www.verybigad.com. By all appearances, Stamm's page was exactly the same as the Web site for Carlton Draught, which millions visit to watch the company's beer commercial. Visitors to Stamm's page were asked to accept the same security message, and the site played the same beer commercial as the original.

But there was one key difference. Stamm's Web site had a gaping security flaw which could have allowed him to corrupt any system that played the video.

Five days after the launch of the site, the flaw had spread to computer systems on three continents -- receiving hits in Germany, France, England and India. Since it was posted in November, hundreds of people, many of them IU students, have viewed the ad. And this was just the trial run.

Fortunately, Stamm, a computer science graduate student, developed www.verybigad.com to alert computer users to a potential new Internet security vulnerability -- not to exploit them.

In order for a Web site to run certain programs on a computer, the user must accept a security certificate. In the case of the beer page and Stamm's site, an executable program runs which plays the commercial. The problem is that an executable program can do any number of things -- from disabling virus protection to installing software which collects banking and credit card information.

The Experiment

The project was the brainchild of Informatics Professor Markus Jakobsson. Jakobsson focuses his research on anticipating new ways that hackers and other Internet criminals could exploit unsuspecting computer users, and on stopping them before they start.

The idea for this latest experiment came when Jakobsson's brother sent him a link to the original Carlton Draught Web site, www.bigad.com.au. The Web site asked him to accept a security certificate. When he clicked "yes," the site ran an executable file which played the beer commercial on his computer full screen.

Jakobsson examined the security certificate to make sure it was legitimate, but wondered how many other computer users blindly accept the message without a second thought.

Jakobsson called Stamm, who at the time was an associate instructor for one of Jakobsson's classes, and gave him 12 hours to build a replica of the Carlton site with one key difference. Instead of using a security certificate signed by reputable companies like VeriSign and Thawte, which check out sites applying for certificates to ensure their safety, Stamm self-signed the certificate, which anyone can do.

The Problem

So far, 200 of the 380 unique visitors to the site have accepted the potentially dangerous certificate. But Jakobsson stressed that he has not yet fully analyzed the results of the experiment.

"The reason people trust things like this is that they got it from a friend of theirs so they say 'it must be safe,'" he said.

The experiment relies on the way people circulate links to interesting videos and images they find on the Web to their friends. Jakobsson said he worries a hacker could easily find Internet fads and make mirror sites which look like the originals but have malicious software embedded in the files. If the hacker makes a replica site fast enough, people will circulate the fake site instead of the original, increasing the number of affected computers exponentially.

In the case of the www.verybigad.com experiment, Jakobsson and his colleagues distributed the link to an Internet security class and a few friends.

"What we did here was to push a tiny, tiny snowball down the mountain," he said. "The result was a nuclear missile. It covered the whole world."

The Solutions

As far as Jakobsson and Stamm know, no hacker has yet tried this trick, which means researchers have time to come up with solutions to the problem before hackers even begin to use it. Jakobsson has three specific recommendations to prevent potential attacks like this one.

First, he said he wants better education about security certificates. Most people, he said, do not know what security certificates do or the havoc that accepting one could wreak on a computer.

Second, Jakobsson would like to see programs built into Web browsers, like Internet Explorer, or into operating systems, like Windows, which alert people to a self-signed security certificate or prevent them from accepting it. Web sites pay companies like VeriSign to ensure their security certificates are safe for computer users. The problem is that it is difficult for most computer users to tell the difference between a safe, professionally signed certificate and one which is signed by an individual or a fake company.

Third, Jakobsson said he believes it is important for Internet browsers to make it clearer to users what a security certificate is, what the implications of accepting one can be, and whether the certificate is self-signed or signed by a reputable company.

In the meantime, Jakobsson and Stamm will be running more experiments like www.verybigad.com to see how vulnerable people actually are to this type of attack.
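Jakobsson's second recommendation amounts to a check a browser or OS could run before it lets a signed program execute: is this certificate self-signed, or does it chain to an issuer the user's trust store already vouches for? The Go code below is an added example, not code from the article or the researchers; the "Constructed Root CA" and "Beer Ad Publisher" certificates are generated on the spot as constructed test data, and Classify is the check itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Verdicts a browser could show before it runs a signed program.
const SelfSigned, Trusted, Untrusted = "self-signed", "trusted issuer", "unknown issuer"

// Classify makes the distinction the article says users cannot make by eye:
// self-signed means the issuer is the subject AND the signature verifies under
// the cert's own key; a cert that only claims its own name as issuer ends Untrusted.
func Classify(cert *x509.Certificate, roots *x509.CertPool) string {
	if cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		return SelfSigned
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return Untrusted
	}
	return Trusted
}

// NewCert builds a constructed test certificate (no real publisher or CA).
// parent == nil gives a self-signed cert; otherwise signerKey is parent's key.
func NewCert(cn string, isCA bool, parent *x509.Certificate, signerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, signerKey = tmpl, priv // sign with the cert's own key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
```

Two certificates carrying the identical publisher name get opposite verdicts depending only on who signed them, which is exactly the difference the article says a human looking at the dialog cannot see.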
