New SSL MITM at BlackHat DC
At the recent BlackHat Washington conference, a nice presentation was given about new man-in-the-middle techniques for SSL
The presentation starts with a good intro-primer on how SSL certificate validation works, continues with explaining how the old MITMs worked (including the trick with the intermediate CA which is used by most SSL inspection devices) and goes on with how it can be defeated now with stripping https or providing real valid https connections with ‘just’ a valid wild card certificate and some homo-graphic tricks.
The impact of this is not alarming in my opinion as there were already mitm tricks which worked. Attackers tend to stick to simple things that work before moving on. This is just an addition to the arsenal of tricks to fool a user into thinking his connection is secured. However, this might even trick the more experienced computer users and not only your mom who does a little online banking.
The presentation is worth a read because it gives a nice background on SSL validation, makes you think about website security architecture and makes you a little more paranoid when surfing the web in a public place.
This just shows once more that the cornerstone of SSL is trust. If you can come up with a way to get your malicious stuff to look trustworthy, it’s game over.
Getting DHCP reservations into a Belkin N1 Vision router
Yesterday, I bought a new wireless router for home. I was in the computer store to buy some DVDs and picked it up in more of an impulse. My old router was not performing well so I bought the first draft-n gigabit router I happened to stumble upon after quickly having verified that it was supported by dd-wrt.
Back home, I noticed that I was a little too quick in verifying the dd-wrt support. It will be supported by dd-wrt but currently it is still a work in progress. So I decided to use the stock Belkin firmware for now. However, one minute later, I stumbled upon a major problem in that plan. The little router does not support DHCP reservations which I need in my home network. I could offload DHCP to another small device in my network but I preferred to have the router handle it.
This leaves three options for getting DHCP reservations in the box:
- cross-compile my own firmware (GPL sources and MIPS toolchain are available for download)
- modify an existing Belkin firmware image by injecting extras in the image
- hack into the router and modify configuration parameters to support DHCP reservations.
I decided to see what’s behind door number 3 and after a an hour or two I found two ways of adding your static DHCP leases to the device.
The first way is by modifying he configuration file of the device. You can backup the running configuration from the GUI and save it to your local PC. That backup file (user.conf) contains all nvram parameters to get the router configured. I noticed that it had quite the same parameters as my old linksys router. Especially the parameter static_dhcp_clients was of interest to me. After looking at the linksys example, I filled it up with my dhcp leases :
static_dhcp_clients=hostname1:192.168.20.2:001AAABBCCDD:1:hostname2:192.168.20.3:009988776655:1
After feeding it back to the GUI (restore configuration), the GUI told me the CRC was incorrect. Some trial & error learned me that the check was a CRC-32 (8 bit) check done over all the parameters. This checksum was put at the end of the file in hex. With this knowledge, I opened up my hex editor, changed the checksum, uploaded the modified configuration and after a reboot of the router, I had static leases working!
The second way I found is even easier. There is a hidden web page in the administration website : http://routerIP/wukongjiuwo.html. This is a diagnostics page which gives you web-form based console access to the device. In the console, the following command followed by a reboot should bring static dhcp leases in the box:
nvram set static_dhcp_clients=hostname1:192.168.20.2:001AAABBCCDD:1:hostname2:192.168.20.3:009988776655:1
If you decide to use some of this ‘wisdom’ on your own router, please do so at your own risk!
Backup <> Encryption
Quick Post. I just read that laptops were stolen from one of our Belgian ministries. According to the ministry, the data was safe because it was backed up to a central server. That server was not comprimised and all sensitive data was stored there. I sure hope they also thought about encrypting the laptop hard drives and/or used some kind of DLP system to prevent data to be copied locally on the laptops. If not, the central backup won’t guarantee that no sensitive data was stolen. Availability in the form of backups is just covering one letter of the CIA (Confidentiality, Integrity, Availability) Triad which forms the core of Information Security.
Chrome
First of all: No I am not dead and yes I will continue to blog here. I just took a bit of a ‘blogging sabbatical’ the last couple of months.
That said, I (and many others so it seems) downloaded Chrome, Google’s vision of a web browser this week and played around with it for a while. A new browser always means new (or old) vulnerabilities and Chrome does not seem to be an exception to this. Google has a pretty good track record in following up on vulnerabilities so they will hopefully fix them soon.
On the positive side, it seems that Google really thought about security in Chrome by isolating processes for different tabs and enforcing a security model. They explain most of it in a cartoon you can find here.
Although I like the layout, the speed and the software design of Chrome, I will not be moving away from Firefox just yet. Even if all known vulnerabilities were to be fixed, there is one feature in Firefox which I think every browser should have and Chrome hasn’t: a decent password manager.
As a security conscious person, I use different passwords for each website I use on the internet. Unfortunately, I can’t remember all of them, so I store some of them in Firefox. I know I could use a tool like KeePass (and I do) but for most sites I find this overkill. Now what I like about Firefox is that you can specify a master password. Without this master password, you cannot unlock the password file (signons3.txt, passwords, and key3.db, the key, in your profile folder). This even survives a copy of the files. When you copy both files to another computer, you still have to specify the master password before getting access to the stored (encrypted) passwords.
Now back to Chrome. The profile data (in Vista) seems to be stored in C:\Users\username\AppData\Local\Google\Chrome\User Data\Default. There is an SQLite file called ‘Web Data’ in that folder and this seems to contain the URLs and (obfuscated) saved passwords. Since there is no master password functionality as there is in firefox, this file can be copied to another computer. Doing this gives the other computer access to all websites were there is a password stored for in the file (yups, I verified this).
This might not seem like a big deal but think about it. Every process running on your computer with the same rights as the user (or more) has access to these password storage files. This includes malware as well…
So I’ll stick to Firefox for now 
Belgian Terrorists caught on possession of wiping software?
An article in Datanews (dutch only) today reports on the police arresting four ex-CCC members on two facts:
- They were linked to a terrorist organization in Italy
- They had ‘encoding’ software on their PC’s to securely wipe hard drives. (most likely the reporter meant wiping instead of encoding.)
On the first fact, I can certainly agree but with regards to the second fact, I did not know it was illegal in Belgium to have this kind of software installed on your PC.
I for one have Truecrypt as encryption software and Eraser as DoD compliant erasing software installed on my laptop. Am I a terrorist now?
Physical Access always means p0wned
I blogged about it before but every now and then someone finds a new physical ‘hack’ into windows. Here is an example of a recent hack using backtrack to gain access.
This just illustrates one of Microsoft’s 10 Immutable Laws of Security:
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
Power To The Cloud!
This week, I got my invite for Google App Engine in the mailbox. If you have not heard of it, Google App Engine is a beta product from Google where you can publish your web apps to Google’s massive infrastructure. Currently only Python is supported as a language but Google intends to add other languages in the future.
It seems (I will try when I have more time) really easy to publish your app to their cloud. As an extra advantage, you can use Google’s API for Authentication so you can for example authenticate your users based on their Google Account. For the moment, it is free although some quotas are enforced but I suspect that after the beta period ends, it will be a paying service.
Google is not the first to offer these kind of services. Amazon currently already has a stable cloud platform. They even go further by offering a real computing platform instead of ‘just’ the web application framework.
The advantages of Cloud Computing for businesses are obvious. You get instant scalability and high availability for your application and you pay only for how much you use it without investing heavily in your own hosting infrastructure.
However, security is more than availability alone. There are obvious concerns about the confidentiality and integrity of your data while it lives in the cloud. Is your data private in the cloud? Could it become corrupt? The answers are that you don’t know and that you trust the cloud provider.
Potential vulnerabilities should also be a concern. Google has disabled most of the ‘unsafe’ functions in Python but there are bound to be bugs (and security vulnerabilities) in the applications that developers push to the cloud. Will these affect other applications? Again, you trust the provider.
Or what about abuse of the cloud as such. I noticed Google offers a mail API to send out e-mail. Google is quite a trusty sender of mail so this would be ideal for spammers to abuse. Imagine littering the cloud with web apps which can send e-mail and writing a front-end spam app which sends round-robin spam to all these apps, who deliver mail through the trusted Google smtp engine.
Will these and other security concerns stop the trend to Cloud Computing? I don’t think so. As with all new technologies, there are concerns but when there is a business driver (cheap high availability) you might be able to slow it down but it will not disappear. This is something which not only goes for IT but for most technologies.
The real challenge will not be to list all possible risks to scare people but will be to think about how we will handle this technology securely and how security can be embedded in the cloud. Interesting times I think.
Privacy Paradox
It is interesting to see how we perceive our privacy on the Internet. When we see a third party publish personal information about us on the Internet without our permission, we tend to feel violated in our privacy. However, when we publish the same information on our LinkedIn, Facebook, Twitter, … profiles ourselves, we seem to have forgotten all about our privacy.
Take Twitter for example. If someone else would publish where you were and what you were doing on a website, you would definitely feel violated in your privacy but when you do it yourself most of us don’t seem to think twice and even allow everyone one to follow our twitter feed.
The other way around is a valid paradox as well. I know of companies who wanted to block access to LinkedIn and Facebook to prevent information leakage but soon after realized that these websites were used as a business tool by their users and managers to manage their professional network or to prospect potential customers.
Pdp from hacker think tank GNUCITIZEN also warned about some of the dangers of social networks. (and now runs his own social network … 
)
I am not saying here that these social networks are a bad thing but I think that users of those networks will need to keep in mind what information they want to ‘leak’ about themselves on those networks. Once more it boils down to user awareness and how to handle this technology.
Since it is ‘Lazy Sunday’ today, instead of background reading on the subject, some background videos:
- Privacy and Social Networks
- Facebook Killed the Private Life
- Does what happens in the Facebook stay in the Facebook? (for the really paranoid among us)
Me in ‘Vacature Magazine’
I got interviewed for Vacature Magazine a few weeks ago. They wanted to know more about the IT Security profession. The article was published last weekend. You can read it by clicking on the thumbnail above. (Dutch only, not too technical)
Software (in)Security will never be solved.
I re-read Marcus Ranum six dumbest ideas in computer security. I had already read it in the past but a colleague referred to it and so I re-read the page.
While the cynical ideas of Marcus Ranum certainly have a core of hard truth embedded in them, I don’t agree with all of them. One of the key ideas is that instead of patching and running behind on security issues, a system should be designed to be safe in the first place. The focus should be on good engineering and not on hacking/patching afterwards.
I agree that this is the root cause of all evil. If every programmer/software engineer/architect would design his software/system from the ground up in an absolute secure way thinking about every attack vector we would be better off. For the sake of argument, let’s even assume that these securely designed systems would be usable and don’t fall into the usual security vs usability trade off trap. This would be great, don’t you think?
For clarity, I do believe that programmers need to be educated about the issues and that we do need to raise awareness in order to design better software. However, I don’t believe that the issue will ever be solved. The reason for this is not technical or educational but economical.
When I was studying, my economics professor said that there are a few reasons why a company could go bankrupt and some of the most important ones according to him were : bad management and brilliant engineers. (the course was given to future engineers btw)
While ‘bad management’ (this includes project definiton and planning) is an obvious one, the ‘brilliant engineers’ is not. Imagine a manufacturer who has ‘brilliant engineers’ who have the technical ability to design and manufacture a product that is innovative, feature rich and would last a lifetime before failure. Take a car for example. Imagine they could engineer the perfect car which would not break and require almost no maintenance. The manufacturer would go bankrupt for a few reasons.
First, the unbreakable car would cost the company much more than it could make on sales as the customer would not want to pay more for a car than he did now (maybe a little, since it is a perfect car).
Secondly, for the unbreakable cars that they would sell, the customer would never return as the product is already perfect. (taking car crashes conveniently out of the equation here).
Now, let’s take this knowledge and transfer it to software development. Imagine that a software company employed ‘brilliant developpers’ and that these developers would engineer functional perfect and secure software. It would fail for the same reasons. No one would want to pay more for a perfect OS and the company would only sell its software once as it already was perfect. Although the last might not be true in the software development industry as new feature requirements and demands are constantly changing. This brings in another problem of time-to-market and even more development costs.
I do think however that there are cases where you need to design your software or operating system in such a manner that it is bugfree and that the risk of insecurity is unacceptable. Take the space shuttle for example. You would not want a billion dollar plane being p0wned or fail because it runs an insecure or buggy version of Windows. In these cases where the risk is not acceptable and where the customer is willing to pay the cost, software insecurity will be resolved.
It will always remain a matter of which risk the customer is willing to accept, transfer, reject or compensate for the price and functionality the software is providing.
Just my 2 cents….