Tuesday, December 30, 2008

Dear Internet, I love you

but I don't trust you anymore.

I remember meeting U here in the good ol' days
I would never pick the flower of my favourite protegé
Maybe if I would have
Then U would not treat me this way
U tricked me - but U will not anymore

No, no
I love you, but I don't trust U anymore

It doesn't happen very often that I can quote an appropriate Prince lyric when blogging about Information Security :-)

For the third time this year the internet has been broken. This time it's the fact that some Certificate Authorities failed to phase out MD5 signatures from their PKI back when MD5 collisions were proven (2004). Kudos to Mr. Appelbaum and Mr. Sotirov.
You can read all the juicy details here : http://www.phreedom.org/research/rogue-ca/
Great work.


Now where are we ? What can we do ?

Let's list the CA's that are identified as issuing MD5-based certs in 2008 and by default trusted in our browsers :

RapidSSL
FreeSSL
TrustCenter
RSA Data Security
Thawte
Verisign.co.jp

These CA's have promised to move to SHA1 as soon as possible. In the meantime it might be better not to trust them. That means removing them from the certificate store in your favorite browser. I did just that on my machines.
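Removing the CA roots is one response; the other is to refuse any certificate whose signature algorithm is MD5-based, wherever it sits in the chain. The following Python is an added example, not code from this post or from any of the CAs listed above: it reads the signatureAlgorithm OID straight out of a certificate's DER encoding using only the standard library, and the certificate bytes it checks are a hand-constructed skeleton (labelled as such in the code), not a real certificate.

```python
"""Flag certificates whose signature algorithm is MD5-based.

Added example, not from the original post. It walks the outer DER structure of an
X.509 certificate just far enough to read the signatureAlgorithm OID, so it needs
only the standard library. make_skeleton_cert() builds a structurally valid but
otherwise meaningless certificate (constructed test input, not a real cert).
"""

# PKCS #1 signature algorithm OIDs. The MD2/MD5 ones are what the rogue-CA attack relied on.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
KNOWN_SIGNATURE_OIDS = {
    **WEAK_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                     # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID from Certificate.signatureAlgorithm."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithm_name(cert_der):
    oid = signature_algorithm_oid(cert_der)
    return KNOWN_SIGNATURE_OIDS.get(oid, "unknown (" + oid + ")")


def is_weak_signature(cert_der):
    """True when the certificate was signed with an MD2/MD5-based algorithm."""
    return signature_algorithm_oid(cert_der) in WEAK_SIGNATURE_OIDS


# --- constructed test input -------------------------------------------------

def _tlv(tag, content):
    """Encode one DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_skeleton_cert(sig_oid):
    """Constructed certificate skeleton: version v3, serial 1, the given signature
    algorithm in both places it appears, and a dummy signature. Not a real cert."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    tbs = _tlv(0x30, b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + alg_id)
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00\xde\xad\xbe\xef"))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        cert = make_skeleton_cert(oid)
        print(signature_algorithm_name(cert), "weak" if is_weak_signature(cert) else "ok")
```

To run this against a real certificate, pass its DER bytes (for a PEM file, `ssl.PEM_cert_to_DER_cert()` from the standard library converts it). The check belongs on every certificate in a chain, not only the leaf: the rogue certificate in the attack above was an intermediate CA cert, and a chain validator that only looks at the leaf would never see the MD5 signature.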

In a business environment it's a little bit more complex. Take your time to assess your risk, the game stores in China and Russia probably don't have sufficient stocks of PS3's, so we can assume it will take a while for the first real attack to take place ;-)

An interesting feature in an Active Directory environment might be to control CA certs through Group Policy. You can export root certificates from a trusted machine, or you can download them from the different CA vendors (more cumbersome, yet more secure). The following policy allows you to push out your set of trusted CA's to your install base.
Open Group Policy Management Console
Open a Policy of choice or create a new one
Go to the following policy setting :
Computer Configuration > Windows Settings > Security Settings > Public Key Policies.

And configure as needed.

Ah, but by default, Windows will update the list of trusted CA's itself ... damn that :( Luckily Microsoft has thought about that :-) They're not all bad, you know. This article shows how to disable this function. The same article lays out how to disable this update feature on stand-alone computers. You see, if you want to, you can be in control.

Please note that Firefox keeps its own certificate store, separate from Windows/IE. I'm not aware of a possibility to centrally control root certificates in FF. If I stumble upon something I'll post it here in an update.

Now I'm off to go break the internet using a bench of 500 Wii consoles all controlled with a Wii Fit board and my Guitar Hero guitar. Because after all, that is how we roll.

As some wise man said : trust, but verify.

Monday, December 29, 2008

as it stands now this will be my last blog post

Since we have been notified that the internet will break at 3.15pm CET tomorrow. It's nice when the buzz gets at full speed and nobody knows what will happen.

Anyway, Jacob Appelbaum and Alexander Sotirov are presenting 'Making the theoretical possible'
tomorrow at 3.15pm at 25C3.

With a quick count, the internet will be broken 3 times this year. First we had DNS, then Sockstress and tomorrow ... a wild guess would be DNS (again) with a wild bend to abuse SSL weaknesses ... we'll see. BGP ?

If this is goodbye, it's been fun. I love you all, see you on Web 3.0 ;-)


on the risk of inaccurate 'assessments'

I've pondered a '$security_topic is dead' title for this blogpost, but I managed to steer clear of that one. I personally don't believe that anything (except for Antivirus ;-)) is really dead and my Buddhist little toe tells me that if anything is dead, it will most probably live on in another shape or form.

I've been involved in penetration tests, security assessments and audits of different kinds (both regulatory and not) and from both perspectives (as the tester and as the testee). When sitting in the tester chair, I've experienced how hard it is to translate one's findings into a proper report that, without resorting to FUD, accurately assesses the risks the customer is exposed to. On the other hand, I've been frustrated with numerous reports I received that qualified risks as High, Medium, Low and/or Red, Yellow, Green. From a customer perspective, what am I to do with these 'values' ?

While a qualitative assessment is the easiest way to qualify risks, it also completely disconnects us from the business and/or the customer. When making a qualitative assessment we are not taking into account the nature of the business and the processes that our customer actually practices to run his business.
Some practitioners refer to 'best practices' or 'good practices' (marketeers, please take a one-way ticket to a deserted island ?) but still I don't feel that this positively impacts the result of the analysis.

Within the limits of a penetration test, quantitative risk assessment is nearly impossible. First and foremost because you will never* receive accurate numbers within the limited timeframe, but also, and more importantly, because as a technical tester you are completely and utterly disconnected from the business. Running meaningless numbers through complicated formulas and creating scatter plot graphs representing risks is probably comparable to trying to kill a deer by throwing a bullet at it. It does not work.

In short :
a) penetration tests and security assessments are, today, mostly technology oriented.
Yes, we do assessment on the process level too, but not as much and not as thorough.
b) results are often poorly communicated due to lack of connection with the business and/or lack of feedback from the business.
c) customers are not up to par considering risk assessment as a vital part of doing business. Security is still the responsibility of IT.

Conclusion :
If we want to create value by providing penetration testing and security assessment services, we should stop selling 5-day, fixed-price 'solutions' providing a detailed report. We should engage with our customer on a very high level so we can first understand the business and then tailor security solutions to their needs by going through shorter iterative cycles, solving problems one at a time, raising awareness throughout the business and in the end providing a company with the necessary processes to tackle security on their own.

I'm looking forward to being a part of this in 2009.


Sunday, December 21, 2008

I have nothing more to add



As I am sitting here, watching this video, I really can't say much more. At the moments when you are not tied up in projects, deadlines, working for the boss every night and day, please think about the fact that it is all about love, life and people.

From here I extend to all of you a virtual hug and the sincere wish that whatever you do, whatever you plan allows you and yours to grow.

Love.
Peace out.

Wim

Friday, December 19, 2008

Mankind is not an island

Brilliant

Emotional

Genius

Thursday, December 18, 2008

how 800,000 people can still be wrong


This is not a security related post !!!

May I introduce to you, Mr. Yves Leterme, prime minister of our little country. In June 2007 he was elected prime minister with a whopping 800,000 votes behind his name. I'm not going to lay out the history of Belgium in this blogpost, but some of you may know we have a Dutch-speaking part (Flanders) and a French-speaking part (Wallonie). It has been a troubled marriage for the past decades and it came as no surprise that Yves won so many votes by touting a far-reaching federal reform of the country (on the verge of separatism). That was mid-2007. We are now at the end of 2008 and the following has happened :
1) Mr. Leterme has not been able to form a functioning government in 18 months.
2) Mr. Leterme was not able to deliver on his promise of a federal reform, which he promised would 'benefit' the whole country. Instead his demeanor drove a wedge between the two parts of Belgium and mutual understanding has been far gone since his appearance on the main stage.
3) In 09/2008, 10/2008, the financial crisis hit. Big Belgian banks (Fortis, Dexia) got into trouble and were bailed out by the Belgian government. This was the moment Yves proved himself to be quite the leader, or so he thought. He messed up countless times, lied about the European authorities not being reachable while decisions were being made. Mrs. Kroes proved him wrong on national television. Talking about humiliation.
4) Shareholders took the Belgian government to court over the Fortis deal, because Yves decided to move fast and sell off the left-overs to BNP Paribas without consulting the shareholders. And this is where his amateurism culminates. While the higher courts were deliberating the case, Mr. Leterme's minions decided it was time to 'intervene', putting pressure on judges to rule in favor of the government. This was brought out in parliament yesterday and today and in more than 24 hours, the Belgian government has not been able to formulate an answer in its defense or say something sensible about the shit we're in.

All this while the global financial crisis is developing at rapid speed, corporations are struggling to stay afloat and workers are scared senseless about their future. While some say worse than having a dysfunctional government is having no government at all, I am not so sure. When we wake up tomorrow morning, Mr. Leterme is no longer a leader, he is an incompetent person clinging to power, while knowing he does not have the ability to make right what he did wrong, nor does he have the power to control the crisis at hand. Mr. Yves Leterme will be a lame duck. Sure we will suffer with no government but at least he won't be able to do further damage.

Mr. Leterme,
While you were cheering when you 'won' the elections, you knew you didn't have it in you, didn't you ? You knew that it all was a big fat lie just to be part of history. Did you think about 'the people' at that time ? Did you think about the fact that your power-hunger would have an impact on 10,000,000 people ? You fucked up, realize it, step down and let us move forward.
Thanks.


Saturday, December 13, 2008

the internet police is here


Out to take on all the internet crooks :-)

Belgian bank accounts compromised

As I'm reading through the Belgian news, there's a report about hackers compromising about a dozen Belgian bank accounts. The bank involved is not named, but it would be one of the bigger banks in Belgium, either Fortis, Dexia or KBC. Belgian law enforcement has started an investigation, no doubt this will die a silent death. What's even more worrisome is that all banks I know, in Belgium, use two-factor authentication. Not unbreakable, but still pretty rigidly implemented.

However, what struck me most is the comment by Febelfin, an organisation grouping Belgian financial institutions. Here's what they said :

"You are safe if you are running a regularly updated antivirus application."

Allow me to disagree, and I don't even want to bring this down to an "AV is dead" post, cuz we all know we had too much of that lately ;-) However, what amazes me the most is that a professional organisation (especially in these times, cuz they f'd up mucho lately) dares to come out with advice as lame as this. If you truly care about your customers and their money, I'd expect a little more than this. If you truly care about your customers, come out and tell us how this happened and what your customers can really do to protect themselves (which, in the current situation, is close to nothing). If you truly care about your customers, take up your responsibility and disclose.

I'm not accepting "protecting the investigation" or "protecting the customers", you and I know the culprits are long gone and/or hiding behind networks and servers hosted in far away lands.

I don't expect to be answered though ... but at least I got to rant ;-)




Wednesday, December 10, 2008

All the praying in the world won't save you.

While watching the news on our local news station tonight, I saw an item on a Belgian priest who had his Outlook (looked like 2000 to me) crash on him. The result of this event was the loss of all weddings, baptisms and other church events for the coming weeks and months. I'm pretty convinced that most parish members won't move to another parish because of this event, but if this were the hard-working plumber (my brother is one and no, his name is not Joe) or carpenter, this would have hit hard.

Imagine that you have planned your wedding on January 22nd, it is now just another free date. Someone else might book the spot and knowing how bridezillas can behave (let alone groomillas) it ain't gonna be a pretty sight. It might even cost a dime (or two).

God might be everywhere, but he isn't on your harddrive, saving your bytes.

IM spam is not dead yet


it doesn't happen very often. For me about once a month and mostly from the same people :( I guess some just never learn. Today's domain was just.realcoolss.com, a name that resolved to 208.116.34.163, which is an IP address in the block 208.116.0.0/18 owned by FortressITX in New Jersey, and the domain name is owned by Jeff Fisher of TST Management Inc in ... Panama.
Based on my originating IP address I'm redirected to a Dutch webpage for a subscription service. No malware involved at first sight.

Spam is international, spam is global and apparently, spam is still ota lucrative. I guess we should consider spam a cloud service.

Wednesday, December 3, 2008

When I read blogs I don't want to be annoyed ...


with so many dependencies !

If you are a blogger and force me (as a reader) to allow (or temporarily allow, or forbid) some or all of these sites to make visiting your site at least enjoyable, you're wrong.

I love my Noscript, some might argue that it's Noscript that makes my life difficult. I beg to differ.

I love lean blogs, if you expect people to read your blog, try to keep it lean as well.

kthxbai

PS : if you recognize your blog, go do your job :-)

Monday, December 1, 2008

all your twitter are belong to us

This is a follow up to my post of earlier today, where I noticed that authentication on twitter.com worked no matter what the password saved in FF3 was. I delved a little deeper and came to this conclusion:

A proprietary cookie named auth_token is sent with any GET to twitter.com (both http and https). This cookie contains a hashed value that never changes, not over time, not when you change your password and not when you change machines. Your auth_token will always be the same. I first checked in IE and FF3 on my Windows XP laptop, then I verified on my Macbook. It's all the same. As a test, I created an auth_token cookie (using the Add n Edit FF3 plugin) on a fresh Ubuntu Linux clone and lo and behold, I was not requested to login, it took me directly to my personal Twitter homepage.

As twitter gains more and more traction in the enterprise, I can only imagine the possibilities ...

Using the https twitter site would be good to mitigate this problem but your company might still use a transparent https proxy, exposing your twitter credential. Twhirl (a twitter client) uses the https variant by default.

What twitter could do is obvious, make the auth_token an expiring cookie (preferably at end of session) and make it unique, by salting it. When somebody much smarter than me finds on which parameters the auth_token is based, twitter is gone.

Update !!
Thanks to @DidierStevens : the auth_token cookie is not created when you do not select the Remember me option. @Security4All also has some interesting tips in the comments.

Update 2
DidierStevens (in the comments) did some follow-up research and if it is a hash (which it seems to be, based on the length either SHA-1 or RIPEMD-160) it is not based on username, name, id or e-mail address. Changing either of these parameters doesn't change the value of the cookie (or invalidate it). Didier, thanks for following up. I will look into this further soon as I am still waiting for feedback from Twitter after reporting this.
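What the fix suggested above looks like on the server side, as an added example (not Twitter's code and not from this post; the server key, the user table and the cookie layout are assumptions made here): the cookie value carries a random per-login nonce, an expiry, and an HMAC that also covers a fingerprint of the current password hash, so the token differs on every login, stops working when it expires, and is invalidated by a password change. The Secure flag on the Set-Cookie header is what keeps it off plain-http requests, and leaving out Max-Age makes it a session cookie unless the user explicitly asks to be remembered.

```python
"""A 'remember me' cookie that expires, is unique per login and dies with a
password change.

Added example, not Twitter's code and not from the original post. The server
key, the user records and the cookie layout below are assumptions made for the
demo; the password "hashing" is a plain SHA-256 stand-in for a real password
hash, which is all the token logic needs to see.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

# Assumption: minimal user table. password_hash changes whenever the password does.
USERS = {
    "wim": {"id": 42, "password_hash": hashlib.sha256(b"old-password").hexdigest()},
}

TWO_WEEKS = 14 * 24 * 3600


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(user_id, nonce, expires, password_hash):
    """HMAC over everything the cookie claims plus a fingerprint of the password hash."""
    pw_fingerprint = hashlib.sha256(password_hash.encode()).digest()[:8]
    msg = b"|".join([str(user_id).encode(), nonce, str(expires).encode(), pw_fingerprint])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_token(username, ttl_seconds=TWO_WEEKS, now=None):
    """Build a fresh token: user id . nonce . expiry . mac (all URL-safe)."""
    user = USERS[username]
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    nonce = secrets.token_bytes(16)          # fresh per login, so no two cookies are alike
    mac = _mac(user["id"], nonce, expires, user["password_hash"])
    return ".".join([str(user["id"]), _b64(nonce), str(expires), _b64(mac)])


def verify_token(token, now=None):
    """Return the username the token authenticates, or None if it is malformed,
    expired, tampered with, or issued before the user's last password change."""
    now = int(time.time()) if now is None else now
    try:
        uid_text, nonce_text, exp_text, mac_text = token.split(".")
        user_id, expires = int(uid_text), int(exp_text)
        nonce, mac = _unb64(nonce_text), _unb64(mac_text)
    except ValueError:                       # wrong field count, bad int, bad base64
        return None
    if now >= expires:
        return None
    for username, user in USERS.items():
        if user["id"] == user_id:
            expected = _mac(user_id, nonce, expires, user["password_hash"])
            return username if hmac.compare_digest(expected, mac) else None
    return None


def change_password(username, new_password):
    """Rotating the stored hash also rotates the fingerprint inside every old token."""
    USERS[username]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()


def cookie_header(token, ttl_seconds=None):
    """Set-Cookie value: session-only unless the user asked to be remembered.
    Secure keeps it off plain http; HttpOnly keeps it away from page scripts."""
    attrs = ["auth_token=" + token, "Path=/", "Secure", "HttpOnly"]
    if ttl_seconds is not None:
        attrs.append("Max-Age=" + str(ttl_seconds))
    return "; ".join(attrs)


if __name__ == "__main__":
    token = issue_token("wim")
    print(cookie_header(token, TWO_WEEKS))
    print(verify_token(token))               # wim
    change_password("wim", "new-password")
    print(verify_token(token))               # None
```

The design choice worth noting is that nothing secret about the user ends up in the cookie: the value is a random nonce plus a MAC, so even a perfect guess of which fields went into it (the question raised in Update 2) gives an attacker nothing to recompute without the server key.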



Is firefox+twitter+https messing with me ?

first thing in the morning? Coffee, then check on twitter, that is if I can. So I start FF3 and browse to https://www.twitter.com/. Https, because that is how I roll.

Now, for one reason or the other I decide to click on the little lock on the bottom right and check out security on the website and this is what it says to me :




Apparently I've visited this website 64 times today. I'm sorry, but I'm not THAT addicted :)


Moreover, it says I have no passwords saved yet it logged me in automagically, so let's click through on the View Saved Passwords button. I would expect it to be grayed out since there are no passwords saved. Damn, it even has the correct username, how would it otherwise be able to log me in? Indeed. So I click the Show passwords button and it reveals my password. Sorry, let me rephrase that, Firefox reveals A password but not my current password.

WTF ?

I tried this again and again, same behaviour. How can it log me in with a wrong password. At this moment it looks like the culprit is the auth token, which is a cookie saved and set to expire 20 years from now.

I'll have to get back to this since duty calls but FF3+Twitter right now doesn't feel like the right combination. If anybody can and/or wants to shine a light on this behaviour, I'm open to suggestions.