At the recent BlackHat Washington conference, a nice presentation was given about new man-in-the-middle techniques for SSL

The presentation starts with a good intro-primer on how SSL certificate validation works, continues with explaining how the old MITMs worked (including the trick with the intermediate CA which is used by most SSL inspection devices) and goes on with how it can be defeated now with stripping https or  providing real valid https connections with ‘just’ a valid wild card certificate and some homo-graphic tricks.

The impact of this is not alarming in my opinion as there were already mitm tricks which worked. Attackers tend to stick to simple things that work before moving on. This is just an addition to the arsenal of tricks to fool a user into thinking his connection is secured. However, this might even trick the more experienced computer users and not only your mom who does a little online banking.

The presentation is worth a read because it gives a nice background on SSL validation, makes you think about website security architecture and makes you a little more paranoid when surfing the web in a public place.

This just shows once more that the cornerstone of SSL is trust. If you can come up with a way to get your malicious stuff to look trustworthy, it’s game over.

Yesterday, I bought a new wireless router for home. I was in the computer store to buy some DVDs and picked it up in more of an impulse. My old router was not performing well so I bought the first draft-n gigabit router I happened to stumble upon after quickly having verified that it was supported by dd-wrt.

Back home, I noticed that I was a little too quick in verifying the dd-wrt support. It will be supported by dd-wrt but currently it is still a work in progress. So I decided to use the stock Belkin firmware for now. However, one minute later, I stumbled upon a major problem in that plan. The little router does not support DHCP reservations which I need in my home network. I could offload DHCP to another small device in my network but I preferred to have the router handle it.

This leaves three options for getting DHCP reservations in the box:

1. cross-compile my own firmware (GPL sources and MIPS toolchain are available for download)
2. modify an existing Belkin firmware image by injecting extras in the image
3. hack into the router and modify  configuration parameters to support DHCP reservations.

I decided to see what’s behind door number 3 and after a an hour or two I found two ways of adding your static DHCP leases to the device.

The first way is by modifying he configuration file of the device. You can backup the running configuration from the GUI and save it to your local PC. That backup file (user.conf) contains all nvram parameters to get the router configured. I noticed that it had quite the same parameters as my old linksys router. Especially the parameter static_dhcp_clients was of interest to me. After looking at the linksys example, I filled it up with my dhcp leases :

static_dhcp_clients=hostname1:192.168.20.2:001AAABBCCDD:1:hostname2:192.168.20.3:009988776655:1

After feeding it back to the GUI (restore configuration), the GUI told me the CRC was incorrect. Some trial & error learned me that the check was a CRC-32 (8 bit) check done over all the parameters. This checksum was put at the end of the file in hex. With this knowledge, I opened up my hex editor, changed the checksum, uploaded the modified configuration and after a reboot of the router, I had static leases working!

The second way I found is even easier. There is a hidden web page in the administration website : http://routerIP/wukongjiuwo.html. This is a diagnostics page which gives you web-form based console access to the device. In the console, the following command followed by a reboot should bring static dhcp leases in the box:

nvram set static_dhcp_clients=hostname1:192.168.20.2:001AAABBCCDD:1:hostname2:192.168.20.3:009988776655:1

If you decide to use some of this ‘wisdom’ on your own router, please do so at your own risk!

First of all: No I am not dead and yes I will continue to blog here. I just took a bit of a ‘blogging sabbatical’ the last couple of months.

That said,  I  (and many others so it seems) downloaded Chrome, Google’s vision of a web browser this week and played around with it for a while. A new browser always means new (or old) vulnerabilities and Chrome does not seem to be an exception to this. Google has a pretty good track record in following up on vulnerabilities so they will hopefully fix them soon.

On the positive side, it seems that Google really thought about security in Chrome by isolating processes for different tabs and enforcing a security model. They explain most of it in a cartoon you can find here.

Although I like the layout, the speed and the software design of Chrome, I will not be moving away from Firefox just yet. Even if all known vulnerabilities were to be fixed, there is one feature in Firefox which I think every browser should have and Chrome hasn’t: a decent password manager.

As a security conscious person, I use different passwords for each website I use on the internet. Unfortunately, I can’t remember all of them, so I store some of them in Firefox. I know I could use a tool like KeePass (and I do) but for most sites I find this overkill. Now what I like about Firefox is that you can specify a master password. Without this master password, you cannot unlock the password file (signons3.txt, passwords, and key3.db, the key, in your profile folder). This even survives a copy of the files. When you copy both files to another computer, you still have to specify the master password before getting access to the stored (encrypted) passwords.

Now back to Chrome. The profile data (in Vista)  seems to be stored in C:\Users\username\AppData\Local\Google\Chrome\User Data\Default. There is an SQLite file called ‘Web Data’ in that folder and this seems to contain the URLs and (obfuscated) saved passwords.  Since there is no master password functionality as there is in firefox, this file can be copied to another computer. Doing this gives the other computer access to all websites were there is a password stored for in the file (yups, I verified this).
This might not seem like a big deal but think about it. Every process running on your computer with the same rights as the user (or more) has access to these password storage files. This includes malware as well…

So I’ll stick to Firefox for now

This just illustrates one of Microsoft’s 10 Immutable Laws of Security:

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

This week, I got my invite for Google App Engine in the mailbox. If you have not heard of it, Google App Engine is a beta product from Google where you can publish your web apps to Google’s massive infrastructure. Currently only Python is supported as a language but Google intends to add other languages in the future.
It seems (I will try when I have more time) really easy to publish your app to their cloud. As an extra advantage, you can use Google’s API for Authentication so you can for example authenticate your users based on their Google Account. For the moment, it is free although some quotas are enforced but I suspect that after the beta period ends, it will be a paying service.

Google is not the first to offer these kind of services. Amazon currently already has a stable cloud platform. They even go further by offering a real computing platform instead of ‘just’ the web application framework.
The advantages of Cloud Computing for businesses are obvious. You get instant scalability and high availability for your application and you pay only for how much you use it without investing heavily in your own hosting infrastructure.

However, security is more than availability alone. There are obvious concerns about the confidentiality and integrity of your data while it lives in the cloud. Is your data private in the cloud? Could it become corrupt? The answers are that you don’t know and that you trust the cloud provider.

Potential vulnerabilities should also be a concern. Google has disabled most of the ‘unsafe’ functions in Python but there are bound to be bugs (and security vulnerabilities) in the applications that developers push to the cloud. Will these affect other applications? Again, you trust the provider.

Or what about abuse of the cloud as such. I noticed Google offers a mail API to send out e-mail. Google is quite a trusty sender of mail so this would be ideal for spammers to abuse. Imagine littering the cloud with web apps which can send e-mail and writing a front-end spam app which sends round-robin spam to all these apps, who deliver mail through the trusted Google smtp engine.

Will these and other security concerns stop the trend to Cloud Computing? I don’t think so. As with all new technologies, there are concerns but when there is a business driver (cheap high availability) you might be able to slow it down but it will not disappear. This is something which not only goes for IT but for most technologies.
The real challenge will not be to list all possible risks to scare people but will be to think about how we will handle this technology securely and how security can be embedded in the cloud. Interesting times I think.

It is interesting to see how we perceive our privacy on the Internet. When we see a third party publish personal information about us on the Internet without our permission, we tend to feel violated in our privacy. However, when we publish the same information on our LinkedIn, Facebook, Twitter, … profiles ourselves, we seem to have forgotten all about our privacy.

Take Twitter for example. If someone else would publish where you were and what you were doing on a website, you would definitely feel violated in your privacy but when you do it yourself most of us don’t seem to think twice and even allow everyone one to follow our twitter feed.

The other way around is a valid paradox as well. I know of companies who wanted to block access to LinkedIn and Facebook to prevent information leakage but soon after realized that these websites were used as a business tool by their users and managers to manage their professional network or to prospect potential customers.

Pdp from hacker think tank GNUCITIZEN also warned about some of the dangers of social networks. (and now runs his own social network … )

I am not saying here that these social networks are a bad thing but I think that users of those networks will need to keep in mind what information they want to ‘leak’ about themselves on those networks. Once more it boils down to user awareness and how to handle this technology.

Since it is ‘Lazy Sunday’ today, instead of background reading on the subject, some background videos:

• Privacy and Social Networks
• Facebook Killed the Private Life
• Does what happens in the Facebook stay in the Facebook? (for the really paranoid among us)

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Special Actions for Responding to Different Types of Incidents
• Incident Record Keeping
• Incident Follow-Up

I am not going to explain each step of the process as this would take this article too far. I would just like to stress that there is more to it than just eradicating the problem.

The reason why I am stressing on this, is that in most cases, people who are infected with some kind of malware tend to think of only one thing: get the thing removed from their system and carry on. It is interesting to see that most people don’t really care what the purpose of the malware was! And some companies do so too.

Let’s say you were infected with some kind of banking trojan, wouldn’t you want to make sure that your bank account isn’t missing a few euros? And if it was a password stealing malware, wouldn’t it be a good idea to change that password you use at every site you visit?

I am not saying that you should start going through the complete incident handling process every time your non-IT savvy friend’s PCs are infected with the latest spyware but at least keep the incident handling process somewhere in the back of your mind. If it is only one kind of malware, investigate and inform your friend what the malware’s purpose was and what he or she should do with that information. If it is a whole zoo of malware living on your friend’s system, I would not only flatten & rebuild the system but would also give some generic advice on what he/she should do now after the mass infection. This would include basic housekeeping like change passwords, keep an eye on his accounts, etc. I also would give some advice on how to prevent infection in the future and explain how he/she might likely have been infected.

Off course, your non-savvy friend might not understand or even be frightened and you might think that their ignorance is your bliss but I am convinced that without spreading a little awareness, you are fighting a fire with a very limited supply of water.

They consist of only 1 XML and 1 HTML file in general and can contain JavaScript, vbscript, wmi scripts,… (everything basically). This should make you think because XSS, XSRF and all kinds of web exploits can potentially work in your sidebar if the right precautions have not been made!

Vista’s UAC warns you when you install a gadget or when the gadget isn’t signed but how many users would click yes to install ‘that cool gadget which also happens to contain a little bit of malicious code’? Most likely all of them.

There are even more attack vectors for the Vista Gadget API and I found an interesting paper which discusses these and also shows which precautions Microsoft made: http://www.portcullis-security.com/uplds/Next_Generation_malware.pdf

It is not too long and goes not too deep but gives the reader enough info and links to investigate further if wanted. The portcullis-security.com website also has a nice download section which contains a lot of interesting tools.