T3H Blog

Blog by Ecaps Rebyc

Security Vulnerability in SSL – Resolved (?)

2009/11/26

Security Now! Steve Gibson and Leo Laporte this week plow into a recently discovered serious vulnerability in the fundamental SSL protocol that provides virtually all of the Internet’s communications security: SSL – the Secure Sockets Layer. Steve explains exactly how an attacker can inject his or her own data into a new SSL connection and have that data authenticated under an innocent client’s credentials.

This is an excellent podcast that should be listened to by everyone involved with SSL and/or TLS.

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-223.mp3

Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-223-lq.mp3

The transcript can be found here: http://www.grc.com/sn/sn-223.htm

Categories
Technology
Tags
Security Vulnerability, SSL, TLS

Vulnerability in the SSL protocol

2009/11/17

SSL and TLS protocols renegotiation vulnerability

A vulnerability exists in the SSL and TLS protocols that may allow attackers to execute an arbitrary HTTP transaction. This issue affects SSL version 3.0 and newer, and TLS version 1.2 and older.

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, and LDAP. A vulnerability in the way the SSL and TLS protocols handle renegotiation requests may allow an attacker to inject plaintext into an application protocol stream. As a result, the attacker may be able to issue commands to the server that appear to come from a legitimate source.

According to PhoneFactor’s Marsh Ray and Steve Dispensa, and Nasko Oskov of Microsoft:

SSL and TLS renegotiation are vulnerable to an attack in which the attacker forms a TLS connection with the target server, injects content of his choice, and then splices in a new TLS connection from a client. The server treats the client’s initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data.

TLS [RFC5246] allows either the client or the server to initiate renegotiation – a new handshake which establishes new cryptographic parameters. Unfortunately, although the new handshake is carried out over the protected channel established by the original handshake, there is no cryptographic connection between the two. This creates the opportunity for an attack in which the attacker who can intercept a client’s transport layer connection can inject traffic of his own as a prefix to the client’s interaction with the server.

To start the attack, the attacker forms a TLS connection to the server (perhaps in response to an initial intercepted connection from the client). He then sends any traffic of his choice to the server. This may involve multiple requests and responses at the application layer, or may simply be a partial application layer request intended to prefix the client’s data. He then allows the client’s TLS handshake to proceed with the server. The handshake is in the clear to the attacker but encrypted over the attacker’s channel to the server.

Once the handshake has completed, the client communicates with the server over the new channel. The attacker cannot read this traffic, but the server believes that the initial traffic to and from the attacker is the same as that to and from the client.

If certificate-based client authentication is used, the server will believe that the initial traffic corresponds to the authenticated client identity. Even without certificate-based authentication, a variety of attacks may be possible in which the attacker convinces the server to accept data from it as data from the client. For instance, if HTTPS [RFC2818] is in use with HTTP cookies [REF], the attacker may be able to generate a request of his choice validated by the client’s cookie.

This attack can be prevented by cryptographically binding renegotiation handshakes to the enclosing TLS channel, thus allowing the server to differentiate renegotiation from initial negotiation, as well as preventing renegotiations from being spliced in between connections. An attempt by an attacker to inject himself as described above will result in a mismatch of the extension and can thus be detected.

For a list of affected systems, visit CERT-US.
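The binding described in the quoted text above, as an added example (not from the original post or the cited draft): a toy Python model of the renegotiation_info check later standardized in RFC 5746, run against a legacy server and a bound one. The class and function names, the HMAC stand-in for the Finished computation and the sample byte strings are assumptions made for illustration.

```python
"""Toy model of TLS renegotiation binding (the renegotiation_info idea).

Not a TLS implementation: key exchange is skipped and the Finished
verify_data is approximated with HMAC-SHA256. All names and sample
bytes are constructed for this example.
"""
import hashlib
import hmac
import os


class HandshakeError(Exception):
    pass


def verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    # Stand-in for the 12-byte Finished value derived from the transcript.
    digest = hashlib.sha256(transcript).digest()
    return hmac.new(master_secret, label + digest, hashlib.sha256).digest()[:12]


class ConnState:
    """What one endpoint remembers about the previous handshake on a connection."""

    def __init__(self) -> None:
        self.client_vd = b""  # empty means "no handshake yet on this connection"
        self.server_vd = b""


class ServerConn(ConnState):
    def __init__(self, secure_renegotiation: bool) -> None:
        super().__init__()
        self.secure = secure_renegotiation  # True: the extension is enforced
        self.stream = []  # application data the server attributes to one peer


def handshake(client: ConnState, server: ServerConn) -> None:
    # ClientHello: the client sends the verify_data of ITS previous handshake.
    client_ext = client.client_vd
    if server.secure and not hmac.compare_digest(client_ext, server.client_vd):
        raise HandshakeError("renegotiation_info mismatch at server")

    # ServerHello: the server answers with both values it saved.
    server_ext = server.client_vd + server.server_vd
    if server.secure and not hmac.compare_digest(
        server_ext, client.client_vd + client.server_vd
    ):
        raise HandshakeError("renegotiation_info mismatch at client")

    # Key exchange elided: both sides end up with the same master secret.
    master = os.urandom(48)
    transcript = os.urandom(32) + client_ext + server_ext
    cvd = verify_data(master, b"client finished", transcript)
    svd = verify_data(master, b"server finished", transcript + cvd)
    for side in (client, server):
        side.client_vd, side.server_vd = cvd, svd


def spliced_handshake(secure: bool) -> dict:
    server = ServerConn(secure)
    first_peer, second_peer = ConnState(), ConnState()

    handshake(first_peer, server)  # connection opened by the first peer
    server.stream.append(b"PREFIX-FROM-FIRST-PEER")
    try:
        # A different client's INITIAL ClientHello arrives on the same
        # connection, so the server processes it as a renegotiation.
        handshake(second_peer, server)
    except HandshakeError as exc:
        return {"accepted": False, "reason": str(exc), "stream": server.stream}
    server.stream.append(b"REQUEST-FROM-SECOND-PEER")
    return {"accepted": True, "reason": "", "stream": server.stream}


def honest_renegotiation() -> bool:
    server, client = ServerConn(True), ConnState()
    handshake(client, server)  # initial handshake: both extensions empty
    handshake(client, server)  # renegotiation: saved verify_data matches
    return client.client_vd == server.client_vd != b""


if __name__ == "__main__":
    print("legacy server :", spliced_handshake(secure=False))
    print("bound server  :", spliced_handshake(secure=True))
    print("honest reneg. :", honest_renegotiation())
```

The legacy server ends up with both peers' data in one stream, while the bound server aborts because an initial ClientHello carries an empty extension where the saved verify_data was expected.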

References

http://extendedsubset.com/?p=8
http://www.links.org/?p=780
http://www.links.org/?p=786
http://www.links.org/?p=789
http://blogs.iss.net/archive/sslmitmiscsrf.html
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
https://bugzilla.redhat.com/show_bug.cgi?id=533125
http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00014.html
http://cvs.openssl.org/chngview?cn=18790
http://www.links.org/files/no-renegotiation-2.patch
http://blog.zoller.lu/2009/11/new-sslv3-tls-vulnerability-mitm.html
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

Categories
Technology
Tags
SSL vulnerability, TLS vulnerability

Calculate the meteor shower activity at your site

2009/11/16

This is an update to the Leonid Meteor Shower 2009/11/12 post.

The handy Fluxtimator from NASA is a Java applet (unfortunately) that allows you to calculate the expected shower rate for a given date and a given location.

It also allows you to see the difference between staying downtown and moving out into the countryside to a dark and clear location. All rates were calculated by taking into account the moonlight, but assume a transparent cloudless sky and unobstructed field of view.

The best time for me at my location will be around 05:18, expecting a 10.9 shower peak rate – if the skies are clear. My Nikon D70S is ready and equipped with a 55mm fisheye.

However, if the weather does not cooperate I hope to observe the Leonids by car radio.

The basic idea of observing the Leonids on your car radio may sound really silly, but here is how it is possible…

What happens is that the ionized gas in the meteor trails can reflect radio waves in the FM bands from distant transmitters back to earth, so when a meteor appears one can sometimes receive small portions of broadcasts from radio stations up to 2000 km away from the observing site.

This startlingly simple fact gives many amateur observers the ability to do serious, world class science for a relatively low cost. Of course, like many startlingly simple ideas, the Devil is in the details, and serious research must take account of many factors. You can learn more than you want to know at the International Meteor Organisation (IMO) page on meteor radio reflection.

What you need is quite simple: a halfway decent Yagi antenna, an FM radio with digital tuning, and something to record the signal. These days people hook up their computers to the radios and perform computerized analysis. Again, if you want serious data, there are lots of things to be taken into consideration, and a serious bit of software to sort the grain from the chaff, so to speak.

Radio observation of meteors has many advantages: overcast skies and twilight don’t interfere, and it’s a lot easier to observe meteors from the city. If you want full details of how to build one of these set-ups, see the fantastic detailed resources at the International Meteor Organisation pages on radio observation of meteors.

It’s a bit late for people to set up a proper system to observe the Leonids, but the Geminids in December and the Delta Quadrantids in January are good candidates. And then again, the Leonids are probably going to be so overwhelming that you would need a seriously computerized system to get any real data out of the peak shower.

But what about the car radio? These days most people have a car radio with FM and digital frequency selection. Not altogether surprisingly, this rough and ready system works.

First, here’s a list of things you need.

  1. An FM radio transmitter below the horizon, between 600-2000 km away (preferably 600-800 km)
  2. Said FM transmitter to transmit with at least 30 kilowatts of power
  3. Transmission frequency to be between 30-150 MHz (preferably 40-80 MHz)
  4. An FM car radio with digital frequency setting.

You need digital tuning to tune to a frequency that you cannot hear and therefore cannot tune into by ear.

All you have to do is back your car down the driveway, put up your aerial, dial up a station that’s 600-2000km away and listen to the static. When a meteor hits the atmosphere it ionises a bit of air which then can reflect the distant radio station down to your aerial. In tests done by Bruce, this very basic method actually works just fine. The sound a meteor makes is a really sudden whoosh, much like it looks. It also works quite well during the day, so is ideal for following the Leonids after sunrise.

If you are really handy with electronics you can attach a Yagi antenna to the car aerial input feed for better reception.

For best results the station should be in line with the meteor shower, but stations off to one side will work. The Leonids will be coming from the north east, but the shower should be so strong that stations anywhere from north to east will be alright.

Finding the right FM stations may be a bit of a problem, but you can find lists of Radio Stations in Japan and around Asia.

List of radio stations in Japan

List of radio stations in Asia

Ham radio operators can also help. If you are in a remote area, a call to your local radio station might be a good idea. (VE7VPC)

Categories
General
Tags
Fluxtimator, Leonid Meteor, NASA

Anti-Counterfeiting Trade Agreement (ACTA)

2009/11/16

The ACTA treaty being negotiated in secret amounts to nothing less than legitimizing the governments of Australia, Canada, the European Union, Japan, Mexico, New Zealand, South Korea, Switzerland, and the United States eavesdropping on their citizens’ Internet activities (just like China, but different!). The Obama administration even went as far as declaring that ACTA was a ‘National Security’ issue. (BTW, I love the Bushama transformation pictures – who is the great political satirist that created this?)

If ratified, ACTA would criminalize peer-to-peer file sharing, subject iPods to border searches, and allow ISPs to monitor their customers’ communications. There is a real danger that it would not take long for ISPs to outsource the voluminous monitoring task to the United States National Security Agency (NSA), the British Government Communications Headquarters (GCHQ), the Australian Defence Signals Directorate (DSD), New Zealand’s Government Communications Security Bureau (GCSB), Canada’s Communications Security Establishment (CSE), and other like agencies – or simply for governments to mandate their security agencies to undertake the task.

Such a treaty should be negotiated in the clear, with plenty of opportunities for citizens to review and comment intelligently – and should not be able to supersede existing national copyright laws. More importantly, no treaty should allow for one’s privileges to be suspended on the say-so of some commercial greedy hacks like the Recording Industry Association of America (RIAA).

As David Kravets of Wired wrote, the ACTA treaty is policy laundering at its finest.

See the University of Ottawa’s law professor, Dr Michael Geist’s “The ACTA Timeline (or Everything You Need To Know About ACTA But Your Government Won’t Tell You)” and other related posts on his blog.

The mainstream media is picking up on the ACTA issue with a growing number of stories, all of which criticize the secret approach. New articles include:

  • Australia’s Sydney Morning Herald masthead editorial – Regulating the Net in the Dark
  • Washington Post – Copyright Overreach Takes a World Tour
  • Irish Times – Secret Agreement May Have Poisonous Effect on the Net
  • San Francisco Chronicle – Knock it off: Global treaty against media piracy won’t work in Asia

The reaction to revelations about the Internet provisions of the Anti-Counterfeiting Trade Agreement continues. Notable articles include:

  • Canada: Still-murky copyright treaty could change web as we use it
  • New Zealand: New Zealand should not sign international piracy agreement
  • Australia: ISPs Focus of Piracy Talks
  • Australia: Fighting Piracy – three strikes and you’re out?
  • Spain: La negociación secreta de un acuerdo mundial sobre el ‘copyright’ alarma a los internautas
  • United States: Obama’s Hollywood Sellout
  • United States: New Anti-Counterfeiting Trade Agreement Looks to take DMCA Globally

Categories
General
Tags
ACTA, RIAA

Multiple vulnerabilities in JRE

2009/11/16

The latest version of Sun’s Java Runtime Environment (JRE) has multiple vulnerabilities and no updates available. (It was just patched a few days ago!)

Sun has acknowledged multiple problems. There is enough disclosed information regarding these new vulnerabilities for exploits to be created. Unfortunately the only workaround is to disable JavaScript to prevent the JRE components from being exploited until Sun issues a fix (patch). At this point there are notices all over the various security sites, talking about zero-day problems that have been acknowledged and are being exploited, but for which there is as yet no patch.

It is best to disable or remove JRE, soonest.

When it rains, it pours!

Categories
General
Tags
JAVA, Java Runtime Environment, JAVA Virtual Machine, JRE

Adobe Shockwave Player

2009/11/16

Adobe had identified a critical vulnerability in Shockwave Player 11.5.0.596 and earlier versions. An attacker who successfully exploited this vulnerability could take control of the affected system. Adobe provided a solution for the reported vulnerability and recommended that users update their installations to version 11.5.2.602. Again the best “fix” is for users to disable their Adobe Shockwave Player; better yet, just remove it.

This follows on the heels of the Flash vulnerabilities (or see my earlier post).

These pervasive plug-ins and add-ons that are turning out to be insecure, and the serious vulnerability recently discovered in SSL, are jeopardizing confidence building in Cloud Computing, to say the least. These vulnerabilities are slowing down a paradigm shift in productivity advancement through Software as a Service (SaaS), its variation Platform as a Service (PaaS), and the potential of Infrastructure as a Service (IaaS).

When will they teach these programmers that SECURITY IS A PROCESS, NOT AN ADD-ON PRODUCT!

A good read on the subject is Bruce Schneier’s Computer Security: Will We Ever Learn?

Categories
General, Technology
Tags
Adobe, Bruce Schneier, Cloud Computing, Flash vulnerabilities, IaaS, PaaS, SaaS, Security Now, Shockwave, Shockwave Player vulnerability, Steve Gibson, TWiT.tv

Can China Conduct Cyber Warfare – Unrestricted?

2009/11/15

The U.S.-China Economic and Security Review Commission recently commissioned the Northrop Grumman Corporation to produce this document as an investigation into the capability of the People’s Republic of China to conduct cyberwar and computer network exploitation on U.S. systems. See here: Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation

The government of the People’s Republic of China (PRC) is a decade into a sweeping military modernization program that has fundamentally transformed its ability to fight high tech wars. The Chinese military, using increasingly networked forces capable of communicating across service arms and among all echelons of command, is pushing beyond its traditional missions focused on Taiwan and toward a more regional defence posture. This modernization effort, known as informationization, is guided by the doctrine of fighting ‘Local War Under Informationized (xinxihua) Conditions,’ which refers to the ongoing effort of China’s People’s Liberation Army to develop a fully networked architecture capable of coordinating military operations on land, in air, at sea, in space and across the electromagnetic spectrum.

The study contends that the Chinese, long reported to be stoking a massive military build-up, have also made computer warfare a priority. The Chinese government is said to view such cyber prowess as critical for victory in future conflicts – similar to the priority on offensive cyber abilities stressed by some U.S. officials.

Potential Chinese targets in the U.S., according to the report, would likely include Pentagon networks and databases to disrupt command and control communications, and possibly corrupt encrypted data. The report notes, however, that penetrating such classified systems would be time consuming and difficult.

Following the Russian example, China is engaging in the debate of defining cyber warfare, in part through the Shanghai Cooperation Organization, in order to have a hand in the shaping of a legal framework and rules of engagement related to this new warfare. The PLA is pursuing a comprehensive transformation from a mass army designed for protracted wars of attrition on its territory to one capable of fighting and winning short duration, high intensity conflicts along its periphery against high-tech adversaries – an approach that China refers to as preparing for “local wars under conditions of informationization” (China’s National Defense 2006).

PS: The Northrop Grumman report relies largely on publicly available information from Chinese hacker web sites, technical articles, and analysis of computer intrusions attributed to the Chinese.

PPS: The US has viewed the internet as a potential tool of warfare since its inception. The US places great reliance on, and dominates with, electronic means in the Kosovo, Iraq, and Afghanistan conflicts.

Recommended reading: In Unrestricted Warfare (1999), two PLA senior colonels, Qiao Liang and Wang Xiangsui, claim that warfare is no longer strictly a military operation, and that the battlefield no longer has boundaries. See here http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf.

Categories
General, Technology
Tags
China National Defence, cyber warfare, PLA, Security Review Commission, Shanghai Cooperation Organization, Unrestricted Warfare

Media Sanitation

2009/11/15

An acquaintance signalled the following Kessler International article about the poor media sanitation of previously owned mobiles and PDAs.

See here – Is Your Confidential Information Being Sold on eBay?

Very large percentages of mobiles, PDAs, and other hardware with digital media still hold highly sensitive corporate data and embarrassing personal information about their previous owners after they have been disposed of.

The following three NIST guidelines should be mandatory reading for everyone who owns and eventually disposes of their mobiles and/or PDA, especially 1 and 3.

Guidelines on Cellphone and PDA Security http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

Guidelines to Cellphone Forensic http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf

Guidelines to Media Sanitation – http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Remember security is a never-ending process that knows no boundary. If you think of security as a product, you will usually regret it.

PS. The same applies to computer hard disk drives and memory – but that is for another post.

Categories
Technology
Tags
cell phone security, media sanitation, NIST, PDA security

New Flash Attack Has No Real ‘Fix’

2009/11/15

Malfeasants can exploit Adobe Flash in browsers when a victim visits sites that accept user-generated content, and there is no simple fix for it.

The attack can occur on Websites that accept user-generated content – anything from Webmail to social networking sites. An attacker takes advantage of the fact that one can load a Flash object as content onto a site and then can execute malware from that site to infect and steal information from visitors who view that content by clicking it.

An attacker could upload malicious code via a Flash file attachment or an image, for instance, and infect any user that clicks on that item to view it. The attack is similar to a cross-site scripting attack.

The only thing close to a “fix” is for the Website to move its user-generated content to a different server, according to Michael Bailey, the senior researcher for Foreground Security who discovered the attack. Facebook already does this, he says, which makes the popular social networking site immune to hosting this type of attack.

For end users, the Firefox browser add-in NoScript provides some protection from this attack, as does Toggle Flash for Internet Explorer. Best is to disable Flash.

To read more about this see here http://www.foregroundsecurity.com/flash-origin-policy-issues.html

Categories
Technology
Tags
Cybersecurity, Flash Attack, Flash vulnerabilities

The fifth domain of war

2009/11/15

Some time ago in my first dissertation, I coined “Innovation is a state of mind that knows neither monopoly nor borders” – later I modified it to read, “Innovation, good or bad, is a state of mind that knows neither monopoly nor borders.” The reason is that we (as in humans) will always lust for conflicts; as our intellect grew, we fought them on land at first,[1] then invented ships and simply extended our warmongering to sea.[2] Centuries later, we learned to get aloft and soon after started dropping bombs from the sky.[3] When we reached space, it was among the first subjects on the agenda: how do we fight and dominate from space.

After waging war in the land, sea, air, and space domains, now politicians, military officers, and even scientists describe cyberspace, the digital world, as the fifth domain of war – the only battlefield created by humans.

What does our craving for warfare say about us?

For further reading, see National Journal Magazine’s The Cyberwar Plan – A 2007 order by President Bush to launch a cyberattack on insurgents in Iraq played a more important role than is generally recognized in changing the course of the war. The order was a harbinger of things to come: Digital weapons are an increasingly important part of warfare.


[1] Before the dawn of civilization, war likely consisted of small-scale raiding. One-half of the people found in a Nubian cemetery dating to as early as 12,000 years ago had died of violence. Since the rise of the state some 5,000 years ago, military activity has occurred over much of the globe. The advent of gunpowder and the acceleration of technological advances led to modern warfare.

[2] The earliest recorded naval battle took place in 1210 BC near Cyprus.

[3] In 1849 the Austrians launched against Venice the very first bombs delivered to their targets by air, on unmanned balloons each carrying a single bomb. Before this, the Napoleonic armies used balloons for reconnaissance. The first bombs dropped from an airplane came when Lieutenant Giulio Gavotti of the Italian Army dropped four grenades from his Blériot aircraft onto an Ottoman military encampment at the Taguira oasis in Libya on 1 November 1911.

Categories
Technology
Tags
cyber warfare

2009 Leonid Meteor Shower

2009/11/12

The 2009 Leonid meteor shower peaks on Nov. 17th with a sprinkling of meteors over North America and a possible outburst over Asia. Our side of Earth will be facing the Leonid debris stream at the time of the Nov. 17th outburst. Observers in India, China, and Indonesia are favoured with dark, pre-dawn skies.

Mark your calendar, on the 17th step outside (with the kids is best) and enjoy!

Left image credit (Earth): Danielle Moser of the NASA Meteoroid Environment Office

Right image credit (Leonid meteor at dawn): Simon Filiatrault of Quebec, Canada, photographed in 2002

Categories
General
Tags
Leonid, Meteor Shower

Google Wave

2009/11/11

Google Wave is a new web-based collaboration tool that will provide a personal communications node and collaboration hub for users, while providing an extensible platform for developers. It promises to be an important web-based platform.

Google Wave will make a play for the social networking marketplace (like Facebook and Twitter) and at the same time for MS SharePoint. Google wants to change (really) the way we communicate via email, instant messaging, voice over IP, and video, with increased opportunity to share our documents and images, for a start – all over the web, where the web will be the platform of choice to play and work.

Further, Google Wave is open-sourced to make it easier for the technology to be adopted and extended widely. Google expects Google Wave servers to become as ubiquitous as SMTP servers.

Google wants developers to develop full-featured web applications based on Google Wave for the PC with hooks provided by Google Web Elements that make the most of App Engine for Java, HTML 5, and of course further capitalize on Google’s Android, Latitude, and expand the Web Toolkit – so that the move into the cloud appears gradual.

Basically, Waves can consist of any combination of conversations (such as email and IM) and documents (collaboration). They provide for rich interaction via text, photos, videos, maps, and more. From a usage standpoint, a Wave is sort of like an email thread except that it can happen in real time (like IM), is always considered live, and participants can jump in and out of the conversation at any time. A playback capability allows participants to “rewind” the wave at any point and review what’s already happened. Edits can be made to any part of the wave at any time, and it’s always possible to see who did what. If you think of how an email thread and an IM conversation might be combined into a single entity, that’s pretty much a wave.

To find out how it works visit Gina Trapani’s (Smarterware) work in progress The Complete Guide to Google Wave – stay tuned to Gina’s living book… We live in exciting times indeed!

Categories
Technology
Tags
Google Wave

http://twitter.com/ecapsrebyc

2009/11/10

Started twittering yesterday – so no one can accuse me of being long winded anymore…

http://twitter.com/ecapsrebyc

Categories
General
Tags
ecapsrebyc, Twitter

Bad case of Clampi

2009/11/10

Today I am dealing with a bad case of Clampi (not in my system!). The Trojan, which steals financial information from companies and sends it to hackers to defraud their victims, has been around since 2007. (You figure that we should have learned something by now.)

It affects Microsoft computers only, at this time. The virus steals data from more than 4,600 websites. It is so far the largest and most professional thieving operation on the Internet.

Unlike computer viruses and worms, most Trojans cannot spread on their own. Technically, Clampi cannot either, but it often downloads a legitimate Microsoft remote control utility called PsExec, which it uses to seek out new hosts on a compromised network.

Here is advice from SecureWorks on how to protect against Clampi.

For Businesses:

Most major anti-virus engines should be able to detect Clampi variants; however, there is always a delay between a new Trojan release and the detection time. Given the prevalence and seriousness of the Clampi, it is recommended that businesses adopt a strategy to isolate workstations where banking/financial transactions are carried out from possible Clampi or other data-stealing Trojan infections.

This may include using a dedicated workstation for accessing financial accounts, which is isolated from the rest of the local network, and the Internet except for the specific financial sites required to be accessed. Since Trojans can also be spread using removable drives, systems should be hardened against auto run-type threats. Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts.

For Home Users:

SecureWorks recommends that home computer users use a computer dedicated only to doing their online banking and bill pay. They should not use that computer to surf the web and send and receive e-mail, since web exploits and malicious e-mail are two of the key malware infection vectors.

My recommendation is to use a unified threat management (UTM) gateway at home and at work. Several companies make effective security gateways such as Astaro, Check Point, Cyberoam, Netgear, Sonicwall, and WatchGuard.

I am using the Check Point UTM-1 Edge appliances, but seriously thinking of reviving one of my older machines with Astaro’s Free Home Use Firewall. It is a more flexible security gateway than what I have in place right now, especially with controls of Block List – and costs much less to deploy and maintain.

Categories
Technology
Tags
Clampi, Cybersecurity, Trojan

Free (as in Freedom) Software Foundation

2009/11/09

The Free Software Foundation (FSF) is working to secure freedom for computer users worldwide by promoting the development and use of free software and documentation.

According to Peter T. Brown, Executive Director at the Free Software Foundation – “The free software movement is one of the most successful social movements to emerge in the past 25 years, driven by a worldwide community of ethical programmers dedicated to freedom and sharing. Its impact on our future is growing every day. But the ultimate success of the free software movement depends on teaching our friends, neighbors, and work colleagues to recognize the danger of not having software freedom – a freedom that they have lost, without recognizing it, to proprietary software.”

So why not join the nearest FSF:

  • FSF
  • FSF Europe
  • FSF India
  • FSF Latin America

Categories
General, Technology
Tags
Free Software
