SSL PKI is designed to do two things: encrypt data on the wire, and allow web site validation through the use of trusted third party signatures. The former works pretty well, the Debian weak key debacle aside. Unfortunately, the latter seems about as robust and secure as Windows 98. Case in point, https://discovercard.com. As my colleague Mike Walker points out, DiscoverCard.com forces users to enter credentials on a page served over an insecure HTTP connection. In doing so, Discover leaves users with no real way to tell who they are giving their credentials to. This is a perfect example of an implementation specific design flaw that fails open and renders SSL site validation useless.

Unfortunately, Discover Card isn’t the only organization breaking PKI. The pillars of Internet security, our trusted third party Certificate Authorities, have been having a rough time recently. A number of implementation specific flaws at multiple CAs have allowed outsiders to abuse their systems and obtain certificates for which they are not authorized to hold. Sure, these implementation specific flaws can be fixed, but the lasting damage to the trust we have in PKI can’t be undone. Further, the way PKI has been handling these situations seems to further undermine whatever trust remains.

Last summer when I disclosed the details of how I got the live.com certificate to Microsoft, I told them I wasn’t going to do anything bad with it, they said thanks, we shook hands, and that was pretty much the end of it. A few weeks ago, when Sotirov and crew disclosed that they derived their very own key capable of signing certificates that would be trusted by all web browsers, the researchers told Microsoft, Mozilla, etc, that they wouldn’t do anything bad with it. These companies again said thanks, hands were shook, and that was pretty much the end of that.

We rely on WebTrust audits and other mechanisms to ensure that our commercial Certificate Authorities do their job well, and so we can be sure we’re sending our data to the web sites we trust. Unfortunately, when the audits are useless and the Certificate Authorities screw up like they did in the above two scenarios, companies like Microsoft and Mozilla are forced to make a tough call:

Do they
a) Revoke the root CA for which a duplicate signing key was derived by unknown individuals, thus breaking the Internet for many businesses and individual users
or
b) Do nothing and trust that these guys really only have an expired certificate, and didn’t generate one valid for the next couple of years since they so very easily could have.

In the end, the trust that backs PKI is replaced with the trust of a few select individuals at the organizations who manage our root certificate programs (a.k.a the browser vendors). The millions of dollars spent on web trust audits are meaningless. The CAs could have just paid all of their money earmarked for audits to Sotirov and Appelbaum in exchange for their silence, and PKI would lived to fall another day.

Burn your SSL Certificates?

PKI, while good on paper, is hard to implement securely. It has taken almost two decades for us to have web browsers that actually support the one method that PKI has to protect itself from rogue certificates: Certificate Revocation Lists. And it doesn’t really matter, since not everyone is using IE7 or Firefox 3 yet. CRLs, which are essentially blacklists, are completely ineffective when you don’t even know what rogue certificates are actually in existence.

I don’t think trusted third parties are enough. We need technology that puts the ability to make trust decisions back in the hands of end users, rather than trying to make these decisions for them.

So what can we do differently? I’m of the mindset that client side certificate / public key caching, like that of SSH, can drastically improve our ability to make trust decisions when communicating on the Internet. SSH shows us that we can communicate securely without trusted third parties. The next question is how best to apply this to web browsers. Hashes of public keys are not easily consumed by casual Internet users. Another Intrepidus colleague, Aaron Rhodes, brought up the idea of vanity hashes that are actually easily recognizable patterns. This could help, but it would certainly complicate key management.

In an effort to actually try and help make things better, rather than just ranting about how bad PKI is on this blog, I’ve actually been working on a plug-in for Firefox that lets users white list SSL public keys SSH style and alerts the user when they change. It is actually alot harder than it would seem. In my next post, I’ll talk more about this plug-in, and the challenges I’ve faced in getting it working.

-schmoilito

1 comment

The ‘file’ command is a nice tool. It has a database of filetypes and “magic” numbers which correspond to offsets and values within a file and are used to hazard a guess as to what type of file it is. On my system, the /usr/share/file/magic database has 13474 lines in it. Quite a bit of knowledge about filetypes at your fingertips!

To use it simply:

$ file <targetfile>

Example:

$ file /pictures/nice.jpg

/pictures/nice.jpg: JPEG image data, JFIF standard 1.02

or

$ file ./unknown

./unknown: VMS Alpha executable

What happens when dealing with “unknown” file types that may not be accurately described by the “file” command’s knowledge of filetypes? Or, what happens when a file contains many other files within it that we can easily get to? We can attempt to peer inside an unknown container file and find what types of other files it is made of… by sliding along the file and comparing every offset to the magic database.

Luckily, there is a python binding the “magic” database.

# apt-get install python-magic

And a handy example is included in /usr/share/doc/python-magic/examples/example.py.

Excellent. This is just what we need. Our algorithm is simple. Loop over each offset in the file and see what python-magic thinks it is. Interesting offsets can then be identified and extracted for further analysis.

Here’s a quick one-off python script to do just that:

-------------------------- BEGIN magicslide.py
# !/usr/bin/env python

"""

%s <filename>
<filename> will be checked at each  offset to see what the magic offset
database from the "file" command's database thinks it is.

Entries that return 'data' will be filtered because they are boring.

"""

import magic

import os

import sys

def usage():

    sys.stdout.write( __doc__ % os.path.basename(sys.argv[0]))

    sys.exit(0)

def analyze(ms,buffer):

    return ms.buffer(buffer)

def output(offset,s):

    sys.stdout.write("%08x:%s\n" % (offset,s) )

try:

    filename = sys.argv[1]

except:

    usage()

try:

    f = open(filename)

except:

    sys.stderr.write("could not open %s\n" % filename)

    sys.exit(1)

filedata = f.read()

totallen = len(filedata)

buffsize = 4096 # a nice big chunk of file

# load the magic db

ms = magic.open(magic.MAGIC_NONE)

ms.load()

for offset in range(0,totallen):

    end_offset = min(offset+buffsize+1,totallen)

    kind = analyze ( ms, filedata[offset:end_offset] )

    if kind != 'data':

        output( offset, kind )
--------------------------------------- END magicslide.py

Sample output looks like:

0001047c:Hitachi SH big-endian COFF executable, not stripped

00010493:PCX ver. 2.5 image data

000104a8:MIPSEB MIPS-III ECOFF executable not stripped - version 255.26

000104b2:\012- 8086 relocatable (Microsoft)

000104b8:PCX ver. 2.5 image data

000104bd:MPEG ADTS, layer I, v1,  32 kBits, 32 kHz, Monaural

000104c1:MPEG ADTS, layer I, v1, 448 kBits, 32 kHz, Stereo

000104c8:DBase 3 data file

000104cc:LANalyzer capture file

000104e0:PCX ver. 2.5 image data

000104e8:shell archive or script for antique kernel text

000104ef:PCX ver. 2.5 image data

000104f6:MPEG-4 LOAS

00010508:AmigaOS bitmap font

0001050c:PCX ver. 2.5 image data

00010514:shell archive or script for antique kernel text

0001051c:MIPSEB MIPS-III ECOFF executable not stripped - version 0.10

00010522:MPEG-4 LOAS

00010530:Hitachi SH big-endian COFF executable, stripped

00010538:DBase 3 data file

0001053c:PCX ver. 2.5 image data

00010544:shell archive or script for antique kernel text

00010549:MPEG ADTS, layer I, v1,  32 kBits, 32 kHz, Stereo

00010560:DBase 3 data file

Well, it’s still pretty messy and the data may be wrong, but it’s more than we had to go on before for our analysis of this unknown file type. There are obvious false positives here, but things like images such as JPGs, PNGs, etc. can probably be readily identified in the file of interest.

# aa

1 comment

The OpenMoko project ( http://www.openmoko.org ) has “freed” the cell phone. OpenMoko is an open development platform with complete hardware specs (as complete as possible) that runs linux, can be recompiled from scratch from source code, and operates as a normal “unlocked” cellular device. This news isn’t new, but it is the first time I’m writing about it.  The openmoko team actually released their second version of the cellphone hardware earlier this month (called GTA02 but nothing to do with the video game) with some significant new features including WiFi and accelerometers.

If you are like me, then you remember seeing the word “linux” in the hallowed directory listings of ftp.cdrom.com circa 1994 and thinking… hey what’s this new word? A few hours/days later, after borrowing a laptop from the school A/V department, getting comfy trashing the existing operating system fdisk style and loading slackware from a lot of floppy disks, you were greeted by a fully-bootable operating system that measured its speed in BogoMips and could do most of the things the computers in the Sun lab could do  except that you were root (legitimately).

So now we’ve had Linux for a while, its used all over the place and is a system that people seem to have gotten pretty comfortable with.  This level of ease and comfort is now available in the form of “the device you take with you everywhere” …your cellphone is now just a little linux box.  Why is this cool?  Because now I can talk to my friends, and ssh into my server from my cell phone (or vice versa).  Oh yeah, and do all that other stuff that Linux does, like run Apache, FTP, NFS, torrent, or scan your systems with Nessus (theoretically).

The OpenMoko project has already suffered/gained from the normal Linux way of things and there are a few different distributions available.  Developers being the way they are have splintered off from the official OpenMoko distribution and created their own distros already.  One in particular, an “Underground” distro has even gone so far as to scrap X11 for windowing and use the framebuffer directly.  The wheel gets reinvented once again.  Hopefully this time with built-in battery powered spinners.

There are numerous ways this little toy could be used for security testers. Since it has both WiFi and can use the GSM networks (AT&T and T-Mobile work ok in the states), this would make a nice little remote access device.  All you need to do is leave it in the proximity of a location with WiFi then dial in (pppd) from across the world or anywhere cellular data connections can go (if you don’t like the idea of being in physical proximity of your targets or aren’t good at talking to beefy security guards who wonder why your laptop is beeping.) Alternatively, since it has USB, plug into a corporate computer, then dial in from the cellular side and route through newly-befriended corporate system. The possibilities here are numerous. GPS-activated, bluetooth aware, motiondetecting wifi gprs connection machine…

All in all, a cool device.  Stay tuned for fun stuff to do with it.

- theOtherAaron

2 comments

Most vulnerability scanners will allow you to configure an exception list. If an organization has an internal vulnerability scanning program in place they are probably aware of a few troublesome systems that don’t respond well to poking and prodding.  (That ancient VAX, those Dell DRACs, that crazy plotter, etc…)

It’s not uncommon to be asked by a client to “Avoid this list of systems during the Pentest…” But what if you have some nice custom tools that don’t have the ability to honor an exception list?  What if you have some tools that you point to an NT Domain and not an IP list?

On the surface the simplest solution would be to “just configure the firewall to block outbound to x.x.x.y….”  The problem is windows personal firewalls don’t make it easy to do that. In fact, most of these firewalls will break the scanning tools you’re trying to use. 

I’ve found that Peer Guardian 2 does an awesome job at fixing this problem.  Peer Guardian is mostly used by peer-to-peer users but you can easily make a custom “block list” that will prevent your computer from hitting IPs on your client’s exclusion list.  You can run Peer Guardian and not worry about it mucking up those funky packets that youre trying to send.

-higB

No comments

A lot of web applications use port 80 and 443, but don’t necessarily speak HTTP or live inside a web browser. Many of these web apps utilize rich content and compiled code, such as Flash/ActiveX/Java, that have the ability to open their own TCP sockets to remote servers, by-passing the browser’s network stack and any HTTP proxy the browser is configured to use.

All the JVMs I’ve used do let you specify a proxy for an applet to use, but in my experience, this process is sometimes a little clumsy. On top of that, this only helps if the applet is speaking HTTP, or some other known protocol for which a proxy exists.

Putting browser based applications aside for a moment, fat client applications (including those on mobile devices) will utilize port 80/443 as a sure-fire way through the firewall, even if they aren’t using a standard protocol like HTTP or SOAP/WS-Security.

WireShark, tcpdump, and other network sniffers can be helpful in these situations where you can’t get application data easily routed through a proxy. However, the ability to replay or modify data on the fly between the client/server is still a challenge. Add SSL encryption to the scenario, and typically you are S.O.L.

What we need is a socket based TCP proxy with SSL support. Such a proxy would capture traffic at the network layer, identify common protocols and accumulate requests/responses for MITMing, but also stream proprietary protocols while providing a mechanism for altering/fuzzing data on the fly.

Tools like WebScarab/Paros/Burp are great at what they do. But as soon as an application strays from a common protocol (security through obscurity anyone?) these tools lose some of their value.

I already have a proof-of-concept tool that has been invaluable to us in some recent pen-testing. Now, the plan is to tighten up the loose ends, add some features, and make it available for others to use.

I’d definitely be interested to hear what anyone has to say about such a tool. Do you think it would help you? Is there already something similar out there? Leave your comments below.

-Schmoilito

3 comments

On Friday afternoon, I headed off to the airport for a trip to Chicago to visit a friend. I should have checked the flight status, because it turns out my flight was canceled. All other flights to Chicago were on time, and full. The über-helpful lady at Continental advised me to wait on stand-by. The end result was that I had to wait until 6AM Saturday for a flight to Detroit and a connection to Chicago. Damn. <sarcasm>On the bright side, my bag made it to Chicago by 11PM that night.</sarcasm>

I went home to sleep, and set my alarms for a 4AM wake up to make it back to the airport for my 6AM flight. I assumed I would get there in reasonable time, since I didn’t have to check in or check any bags. Unfortunately, I also didn’t pay any attention to the four S’s on my new boarding pass. At 5:50AM I was being molested by Boris, one of the TSA’s human pen-testers at Newark Liberty. Lucky me, I was selected for additional screening because I had made changes to my itinerary. Lady luck continued to shine on me since Boris, at 250+LB’s, is a gentle giant.

I don’t think my writing thus far as conveyed the anger and frustration I felt during this whole ordeal. And when I realized I had to endure additional security screening, my blood had begun to boil. However, at some point during my personal security assessment, my mind drifted into my happy place, and I had a moment of clarity.

Who else is more deserving of a more in depth security review then someone who is already pissed off at your airline, and could possibly snap with the next minor inconvenience or crying baby?

Any passenger traveling on an air plane is considered a threat. As individual passenger scenarios fluctuate, so does the individual passengers threat potential. In my particular situation, it was up to the airline to indicate to the TSA that I require additional screening, and they did this via the “SSSS” on my boarding pass.

Inside me there is a glimmer of hope that TSA folks have some ability to identify behavior patterns in people that could indicate an elevated threat potential in real time (like when I’m waiting inline to get screened). However, they most likely rely heavily on their technology/tools (metal detectors, xray machines, that crazy air blast thing, etc) for such dynamic analysis.

It’s really no different then a highly-skilled pen-tester being given a large number of applications to test in a very short period of time. In this case, the pen-tester would rely heavily on tools. There is no shortage of content on the Internet discussing the quality of such tools, so I’m not gonna go there in this post. However, I must ask the question, how good of an assessment can you perform on a web app using only the tools available on the market today?

What all this reminds me is that security in I.T. is no different then security in every other aspect of life. Threats are dynamic, and constantly in flux. Countermeasures deployed to protect us from threats must also be dynamic, and able to keep up with an ever changing threat landscape. If our tactics are static, threats will eventually go un-noticed, and we will get pwned.

At least, that’s what Boris softly whispered in my ear…

-Schmoilito

1 comment

Someone beat us to the shmooball launcher.  It’s probably for the best since we were going to order parts from this company. We heard ambulances only take 180 seconds to get to the hotel.

The presentations were very hit or miss this year, with unfortunately a bit more of the latter.  I felt a lot of presentations would have fit a shorter turbo style time slot better than the hour long time slots.  For example, the ‘baffle’ application for wireless AP finger printing looks like a very cool first generation tool. Easy to use, hack around with, well researched, and makes pretty graphs. Score. Unfortunately they dragged out the presentation with the whole history of tcp finger printing and made us wonder what the students were IM’ing about as they sat on the stage trying not to look too embarrassed or bored.

Mad props go out to Brad Antoniewicz and Joshua Wright. Not only for releasing a cool tool for wireless PEAP/TLS client credential pwnage (FreeRADIUS – Wireless Pwnage Edition), but for fun presentation skillz and shmooball dodging.  Find the video for this one. It was probably my favorite talk of the con (not sure if the camera man caught the start of the talk though).

The guys at Vigilar also rocked with a new and improved version of VoIP Hopper; complete with practical usage scenarios and some good demos with a standard VoIP phone.  They showed how to get on to the corporate network bypassing vlans setup for the VoIP traffic. I could think of a number of locations I’ve been at where it would be handy to have this tool with me.

Our very own Jaime and Aaron got a lot of people thinking with their forced internet condom. They’re moving the web hosting provider, but there’s some good data about what ports ISPs are blocking over at portscan.us (and you can help add to the project as well).

I unfortunately missed h1kari’s (David Hulton) GSM talk due to train delays, but the word at the hotel bar was that it was one of the most techincal and interesting talks of the con.  His GSM rainbow tables may make things very interesting when the FPGAs complete in three months (anyone get a link to where that will be?).  Speaking of FPGAs, I’m proposing the FDA needs to start looking into these things since they’re basically giving every geek I know an erection that is lasting way longer than 4 hours.

And for more geek porn,  let me suggest the Solid State Drives Data Recovery Comparison to Hard Drives presentation.  Scott Moulton makes powerpoint look a commadore 64 next to his smoothly timed 3D graphics.  His guy also rocks for having them online for everyone to get jealous of… oh and teach us that deleting or wiping flash based drives is completely useless because of the wear-levelling process done by the controllers on these things. (and yes, I did sit there thinking of all the times I’ve futilely done PGP wipes of data on my flash drives). The good news though is that the recovery of that data sounds pretty damn hard at this time.  Also in good news, we can now write off a few power tools from home depot as business expenses since you’ll want a hammer now to “wipe” those drives.

A number of us caught the phishing talk by Syn Phishus. I think we’ll have a full follow-up post on that (but just to clear one rumor we heard, no, he does not work for or have anything to do with phishme.com). He obviously agrees with us that mock phishing exercises need to be done… but I’d say our approachs to this differ greatly.

-b3nn

2 comments

I was adding a little special sauce to Phishme.com this past week and thought this might be fun to share. We have a few different ways a user can craft their phishing links. If he/she chooses the IP address option, then there is also the choice of encoding options. This lets you mask the IP address in an attempt to trick the user into thinking part of the sub directory is perhaps the host name. Or as in the case with my mom… she thinks it is just the phone number so the computer knows where to call. And it’s hard to blame her when you see a decimal encoded IP address.

http://2130706433/somecompany.com

The team over at Marshal has put together a good walk through of the encoding so you can follow along. If you would like to view the javascript, you can find it here. This may not work on all browsers, but it holds up pretty well on your corporate windows boxes with IE or Firefox. Want to test it out? Just put in an IP address below and click on the link it generates.

-b3nn

Decimal Octal Hex Hex with Dot

No comments

If you’ve been noticing a little silence on the blog recently, it’s been because a lot of the ranting has been going into developing what we think is a great anti-phishing user awareness tool. Take a peek at our main site at www.PhishMe.com

Conducting ethical phishing attacks has never been easier. User awareness will be improved, enforced, and for the first time for many users, easy to measure and trend over time. You can sign up for the mailing list right now that will let you know when the full blown service is launched. We will be offering free trial accounts that will allow you to get a taste of the features and test out if a few of your users will bite.

Another key feature of PhishMe is the built in templates to make your job of crafting phishing attacks simple yet effective and modern. How do you think your employees would respond to a message about a “virus outbreak”. Will they just follow the instruction in an email without verifying any of the information? What about a message to update their HealthCare information on a new third party site? The number of people that fall victim to these types of attacks will make you wonder why hackers even bother with anything that isn’t social engineering.

There is more to come in the future but for now, check out www.PhishMe.com

-b3nn

No comments

As a security consultant with exposure to many large enterprises I admit I’m biased to RSA SecurID tokens. During penetration tests, our company has cracked tens of thousands of passwords. When I’m standing in front of a customer explaining why their password policies failed, they want to believe that changing this policy will help them. Secretly I know that humans will defeat the spirit of any password policy and that the best approach is to take the responsibility of password composition away from the end user. (When you stare at thousands of clear text passwords you develop a cynicism.)

August2007, you’ve been a good password, but it’s time I move on to owning enterprises with September2007.

The other day a friend asked me if there are any other products like SecurID he should be evaluating for his company as part of their plan to introduce two-factor authentication. Apart from SecurID the only other device that left me thinking “Hey this thing works” is Vasco’s Digipass. Any two factor system worth its weight in salt should provide authentication hooks to the popular services. If you plan to use the solution with custom web applications, you may need to dig a little deeper…maybe a lot deeper. Most solutions have hook-in APIs, but it takes some effort to piece it all together.

If you are evaluating two factor authentication devices make a list of the top services you need authentication for:

• Network devices
• Windows authentication
• Unix authentication
• VPN users
• Wireless user authentication

If a solution can cover 80% of your authentication needs and is cost effective, go with it. 80% coverage is 80% better than letting humans pick passwords; chances are with a little effort and creativity you can put something together to rein in the residual 20%. If you don’t have a two-factor solution, evaluate Vasco with the others.

-higB

4 comments