Last week USENIX held its 20th Security Symposium in San Francisco, and I attended a number of interesting and inspiring presentations.
On Monday during the WOOT 11 workshop Chris Kanich from UCSD gave a talk that was closely related to our own BrowserCheck work here at Qualys, but used some very creative means to gain access to test subjects. He and his fellow researchers, Stephen Checkoway and Keaton Mowery, used Amazon’s Mechanical Turk crowdsourcing service to advertise a task and then fingerprint the security of the browsers used by the interested workers.
Amazon’s Mechanical Turk is a “crowdsourcing” marketplace for tasks that are best solved with, or even require, human intelligence. Examples are identifying and labeling an image, translating a foreign text or categorizing a website. These tasks are called HITs (Human Intelligence Tasks) and are coded by the HIT requestor as web pages. Each HIT is labeled with an expected duration (often less than a minute) and the offered pay (often in the cents range). The workers (“turkers”) use normal web browsers to navigate the site and select HITs that they feel competent to complete. At the end of a pay cycle, Amazon’s payment system charges requestors and pays turkers.
Once the HIT is executed, the turker is offered another task that is slightly more complex (download and run a script) and better paid (between 5 and 15 cents). The script to execute has roughly the same purpose: record the security status of the workstation in use.
The results mirror our BrowserCheck data very closely: over 80% of all participating turkers have at least one vulnerable plugin that could be used to take over the machine.
“Up to date” percentages that are in such a low range make me question whether we (the internet’s users as a whole) would not be better off if PC manufacturers refrained from including commercial AV packages in their standard builds for consumers. Future versions of our BrowserCheck initiative will add an “AV updated” check and we will see if we can confirm this tendency in both the end user version (https://browsercheck.qualys.com) and also for the users of the Business Edition (www.qualys.com/browser).
BTW, the real purpose of the research was to determine if Amazon’s Mechanical Turk can provide an efficient way to install malware on machines, i.e. to see if a botnet could be constructed that way. Answer: it depends. Read the full paper “Putting Out a HIT: Crowdsourcing Malware Installs” itself for a detailed answer to the question and more insight into this fascinating experiment.