Authenticating to a web application is a mutual process. Before a user enters credentials into the application, they validate the web applications credentials: its hostname, content, and SSL certificate (assuming it uses SSL).

Essentially, you validate the web site against what you know to be true (hostname and expected content). The browser validates that a trusted third party signed the web sites public key, and together they vouch for the sites identity by showing you a visual cue.

If the web site passes your personal validation and you decide to provide them, the application will take your credentials and validate them against what it knows to be true: a directory or other repository with user information. If it validates your credentials, it lets you in.

Dan Kaminsky’s DNS flaw makes it possible for attackers to spoof one of the three credentials web servers use to authenticate against users: the host name. The look and feel of a particular web site is already easy to spoof: phishers have been doing this for years. The only remaining credential the web server has that can’t easily be compromised is its SSL certificate, and the signature of a trusted third party (one of the commercial certifcate authorities).

Now that two of the three credentials could be spoofed, I started wondering how hard it would be to spoof the third. If you can get a valid SSL certificate, you can completely steal the identify of a web site. Unfortunately, it is not too dificult, and it is through no technical fault of the SSL protocol.

For me, it required no social engineering, no illicit hacking or ninja skills. In fact, it was kinda scary in its simplicity, and the real fault is in the process of the certificate authority (a big one). Is it that bad? I attempted to get certs for three HUGE Internet sites, and I was successful with one. An interesting application logic problem prevented me from getting another, and the certificate authority basically told me no (over the phone) for the third. The one I did get, however, is a biggie.

I’ll drop the details at the beginning of my SSL VPN talk at BlackHat next week. I won’t divulge them sooner. Not even if Matasano kidnaps me, sends me overseas, and water boards me.

-Schmoilito

The OpenMoko project ( http://www.openmoko.org ) has “freed” the cell phone. OpenMoko is an open development platform with complete hardware specs (as complete as possible) that runs linux, can be recompiled from scratch from source code, and operates as a normal “unlocked” cellular device. This news isn’t new, but it is the first time I’m writing about it.  The openmoko team actually released their second version of the cellphone hardware earlier this month (called GTA02 but nothing to do with the video game) with some significant new features including WiFi and accelerometers.

If you are like me, then you remember seeing the word “linux” in the hallowed directory listings of ftp.cdrom.com circa 1994 and thinking… hey what’s this new word? A few hours/days later, after borrowing a laptop from the school A/V department, getting comfy trashing the existing operating system fdisk style and loading slackware from a lot of floppy disks, you were greeted by a fully-bootable operating system that measured its speed in BogoMips and could do most of the things the computers in the Sun lab could do  except that you were root (legitimately).

So now we’ve had Linux for a while, its used all over the place and is a system that people seem to have gotten pretty comfortable with.  This level of ease and comfort is now available in the form of “the device you take with you everywhere” …your cellphone is now just a little linux box.  Why is this cool?  Because now I can talk to my friends, and ssh into my server from my cell phone (or vice versa).  Oh yeah, and do all that other stuff that Linux does, like run Apache, FTP, NFS, torrent, or scan your systems with Nessus (theoretically).

The OpenMoko project has already suffered/gained from the normal Linux way of things and there are a few different distributions available.  Developers being the way they are have splintered off from the official OpenMoko distribution and created their own distros already.  One in particular, an “Underground” distro has even gone so far as to scrap X11 for windowing and use the framebuffer directly.  The wheel gets reinvented once again.  Hopefully this time with built-in battery powered spinners.

There are numerous ways this little toy could be used for security testers. Since it has both WiFi and can use the GSM networks (AT&T and T-Mobile work ok in the states), this would make a nice little remote access device.  All you need to do is leave it in the proximity of a location with WiFi then dial in (pppd) from across the world or anywhere cellular data connections can go (if you don’t like the idea of being in physical proximity of your targets or aren’t good at talking to beefy security guards who wonder why your laptop is beeping.) Alternatively, since it has USB, plug into a corporate computer, then dial in from the cellular side and route through newly-befriended corporate system. The possibilities here are numerous. GPS-activated, bluetooth aware, motiondetecting wifi gprs connection machine…

All in all, a cool device.  Stay tuned for fun stuff to do with it.

- theOtherAaron