In sports, there's a saying that the best offense is a good defense. The same is true for computer security, according to University of Colorado at Boulder researcher John Black.
Black and CU-Boulder graduate student Martin Cochran and undergraduate student Ryan Gardner tested the security of the popular Web-based Internet Chess Club and showed that the site wasn't secure. In fact, they proved users could cheat rather easily.
Internet Chess Club has more than 30,000 members worldwide and claims Madonna, Nicolas Cage, Will Smith and Gary Kasparov as players.
Black says the main lesson is that even really smart people shouldn't try to create their own security systems unless they are experts.
"Unless you have a lot of experience, don't try to invent your own security system, it will just be broken," said Black, an assistant professor of computer science in CU-Boulder's College of Engineering and Applied Science. "Believe me, it's better to leave that job up to the experts."
As the threat of cyberterrorism lurks and with more confidential information being shared on the Web, the significance of secure computer sites and systems continues to grow. Black's group isn't the first to find security flaws in a widely used piece of network software, he said. Other examples include the break of the Netscape browser's random number generator in 1995 and recent flaws exposed in the Diebold electronic voting system, among many others.
Black, who in 2002 received the National Science Foundation's most prestigious award for promising junior faculty, a $324,000 CAREER award, says the only way students and professionals can create good security systems is to learn the typical methods used by hackers.
"There has been an open debate about this topic," said Black. "One side of the argument is that you are helping create the next generation of hackers by offering this type of experience. The other side, which is where I stand, says that you can't be a good defender without knowing the offense.
"For example, I don't think the FBI is creating more terrorists by teaching its people about methods used by terrorists," he said.
To crack the security weaknesses in the Internet Chess Club, Black enlisted the help of two students and received grant support from NSF. While they did successfully "hack" the site, Black and his students suggested simple ways of fixing the security problems and don't plan to release the software they created to do the job, according to Black.
"My objective was just to learn as much as I could," said Gardner, a senior majoring in computer science and mathematics. His involvement in the research was funded through the NSF Research Experience for Undergraduates program that allows students to work with professors on research projects and gain valuable experience. "I definitely understand why a good security system is important," he said.
Black and his students found that with a trivial amount of computation an adversary could easily read all communications on the site. They also discovered simple methods for unscrupulous users to cheat at chess by unfairly gaining time on the clock, an important aspect of the game.
Using what is known as reverse-engineering, they were able to learn exactly how the system works, allowing them to build their own timekeeping mechanism that would give themselves more time during games. However, Black said they never used their advantage to play against any ICC-registered players.
They also built a "sniffer," through which they could record all communication between users and the server.
"This tool, in the wrong hands, would enable an attacker to collect passwords and credit card numbers from the site's users," Black said.
He added that their success in cracking the site's security is far from common.
"The vast majority of companies on the Web are secure," he said. "This place evolved slowly from a small business to a large one. And along the way, security seems to have been neglected."
Black currently teaches the course "Foundations of Computer and Network Security" at CU-Boulder.
Their paper, "How to Cheat at Chess: A Security Analysis of the Internet Chess Club," can be found at the Cryptology ePrint Archive http://eprint.iacr.org/2004/203/. The archive is maintained by the International Association for Cryptologic Research.