Take it underground

This post was written because a very good friend of mine asked me to send them a mail about decent reasoning to use Tor, and explore the Onion net, so thank you (you know who you are), and this post will be followed by another more detailed post on the Onion net soon.

Okay, so with all that’s been going on in the world lately, I’m starting to think that we should really start moving things underground, by underground, I mean that we should start encrypting our traffic more, and making use of the means that we have available to us, and helping to support them more as a security community.

The things in the world that I’m referring to are not only UK based either, here are a few examples:

Pirate Bay – Guilty Verdict

Mobile Phone Tracking


Directive 2006/24/EC Of The European Parliament And Of The Council

It seems that we are seeing more and more of the worlds governments moving towards an Orwellian culture, and I for one really don’t feel comfortable operating in this way.

You may be asking yourselves at this point, what can we do to stop this, the honest answer is, really not that much right now.
We can however start to move our information systems somewhere else, somewhere more secure, and we can all help others to secure their online habits by setting up Tor relays.

The more relays the Tor network gets, the better it is for everyone involved, if you can’t configure a relay, or just don’t want to, then if at all possible, please dontate to the Tor project here.

So please people, if you value your privacy at all, please help the Tor project out in any way that you can, even if it’s translating articles.

Below are a few links that you may find useful:

Tor Overview



This may seem like a shameless Tor plug, but I can assure you that it’s not, and I am in now way related to the Tor project at this point in time, but I really feel that it’s an extremely worthwhile project, and I plan on getting a lot more involved. This project has come a long way in the 2 years that I’ve been using it, and the more users we get contributing the better the anonymity and speed gets.

Keep it safe and private people.


NetBSD gone Mobile

There is an interesting article about NetBSD becoming the new os on the tmobile sidekick. While NetBSD can run on just about any kind of relevant hardware, running NetBSD on the sidekick and painting a nice GUI (with the help of Danger probably) should be lots of fun. As an end result, could this not rank as the most secure mobile device if nothing else?


So you can fake your SSL Certificate. That don’t impress me much

Attacking MD5 to create a rogue CA that is trusted by most modern browsers is a very cool attack. I have to admit that whenever I read about a practical cryptanalysis attack I feel a bit inferior: probably what a desk officer at the Pentagon feels when they meet a Marines soldier coming back from Iraq. It’s like I’m not a “real” security researcher – I only play with SQL injections and Cross Site Scripting when the real soldiers are in the field breaking algorithms.

I can’t remember many times when our team was impressed as much as they were when Zvi Gutterman gave us a talk about breaking the Linux kernel PRNG. That week, everybody stopped looking for buffer overflows and started reading Donald Knuth instead.

But inferiority complex aside, this hole won’t have much impact. SSL certificates are a great idea, that just doesn’t work. When SSL Certificates started, you only got one after the CA verified your identity. This involved sending them a bunch of documents to prove the company’s identity, and them giving you a surprise phone call to see if the information on the web site really matches the submission you gave them, and perhaps other subtle tests. It took a while to get a certificate and so having one meant “you” could be trusted.

But today, it’s hard to say who “you” are. Companies have many web sites for many different purposes, and it’s very difficult to deny them a certificate based on some logic. But it gets worse: SSL Certificates are so abused, that users don’t really care about them. I had two different banks show me certificates that generated browsers errors. Some valid google URLs still produce SSL warnings. This is apparantly so common firefox had to put a scary warning message on top of their regular, already scary, warning message.

So broken SSL certificates are ignored, and valid SSL certificate mean very little – until Firefox 3.0, you had to click on the little lock on the lower right corner to know who the company is behind the certificate. Now that you know – does that mean anything? Is the Banc of America  the same as the Bank of America? Pretty much, yes. So what about the band of america? They can apply for a valid SSL certificate and it will match the organiations name nicely.

SSL Certificates are long broken, and not because of a clever attack. However, the fact that there is an effective crypto attack against them may help bury this cadaver and perhaps help bring another solution to the surface.


All your (base) stations belong to us

What started off nicely in 1992 and promised the much needed privacy to cordless communication at home, has been brought into a halt a few days ago with the practical approach to eavesdropping on DECT communication.

DECT or Digital Enhanced Cordless Telecommunication is a widely used standard for cordless devices, mainly phones, but not limited to it, several POS or Point of Sale devices as well use the standard to communicate in a cheap and secure manner.

The DECT standard itself was not broken, but rather using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT based data, the researchers have been able to prove that eavesdropping on the communication channel is possible.

Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it till now, was the lack of hardware, or moreover the lack of cheap hardware, to experiment with, now with the availability (it has been around for a while) of COM-ON-AIR device and its character device (or raw software driver) things have been made a lot easier.

You can read more on this at deDECTed.org


Engineering Elections

Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines are inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think its real. ITS BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.


Fooling biometric face recognition

CNet has a nice article about a Vietnamese company called BKIS that was able to login to the reporter’s laptop by simply recording him in a video chat and then using the blurry printout to authenticate with the face-recognition software.

I like to make fun of biometric authentication, mainly because it was overhyped in the 90′s as the authentication that will make remembering passwords obsolete. But it’s not useless technology – you just have to know how to use it.

Using a biometric system (this, or another) in a public place with a guard watching is good enough to make it difficult to hack. I imagine even a minimum-wage rentacop will notice when someone looking like Tom Cruise comes up to the biometric system with someone’s eyeballs in his hand. They should even notice if I come with a printout of someone else’s face. The same is true for passwods: a 50-character long password can be practically as strong as a 4 digit PIN if the proper lock out procedures are in place. Likewise, if I can try billions of password combinations per second then the difference between guessing a 8 character password and a 10 character password is just a few hours.


My name is Elvis Presley and here is my RFID passport

The group using name The Hacker’s Choice has managed to clone a biometric passport with name Elvis Presley. Right – The King who died 31 years ago :-)
Demonstration video and some technical information here.


Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets.  It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.


Cryptome: NSA has real-time access to Hushmail servers

A frequent source ‘A’ sending updated NSA-Affiliated IP resources to Cryptome’s Web site has reported the following new information:

Certain privacy/full session SSL email hosting services have been purchased/changed operational control by NSA and affiliates within the past few months, through private intermediary entities.

Reportedly the following services are controlled:

Hushmail – based in Canada,
Guardster – based in USA,
SAFe-mail.net – based in Israel.

Link here: NSA Controls SSL Email Hosting Services

Update 22nd Dec: Guardster Team has posted its response on 21st Dec to Cryptome:

We can assure you that we do not cooperate with the NSA or any other government agency anywhere in the world. We invite whomever is making this statement to provide proof, rather than making a baseless accusation.

Response from Safe-mail.net Team (24th Dec) is the following:

1. We never had any contacts, direct or indirect, with the NSA or any other
government agency anywhere in the world.
2. All software we use is in-house development.
3. We have never shared our technology with any other party.

Update 30th Dec: Hushmail Team has posted its response yesterday to Cryptome’s Web site:

Hush Communications Corporation, the company that provides the Hushmail.com email service, is not owned, wholly or in part, by any government agency.

Additionally, ‘More info on industry Windows security software’ has been released:

Zone Alarm, Symantec, MacAfee: All facilitate Microsoft’s NSA-controlled remote admin access via IP/TCP ports 1024 through 1030; ie will allow access without security flag. Unknown whether or not software port forward routing by these same programs will defeat NSA access.

The post released in Cryptome.org on 1st Nov informed about the future updates with details related to this issue and this is the first piece of information.

To the new readers: Cryptome: NSA has access to Windows Mobile smartphones


And the winner is …

Researchers from the Netherlands have predicted that the next president will be Paris HiltonOprah WinfreyAl Gore… well actually they don’t know, but what they do know is that they can created PDFs, or any other file format that allows storing random bits inside of it without affecting it, that all share the same MD5 value 3D515DEAD7AA16560ABA3E9DF05CBC80.

More details on the research can be found at their Predicting the winner of the 2008 US Presidential Elections using a Sony PlayStation 3 paper.


Tor – a onion which discloses your military and embassy secrets

If someone missed this:

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise reporting about very interesting finding of Swedish IT security consultant Dan Egerstad.

The original blog entry here: Time to reveal…


Month of PHP Bugs exploits are gone – or are they?

Mr. Stefan Esser of Hardened-PHP Project has informed that exploit codes of Month of PHP Bugs are not part of his Web site any more.

The reason for this is a new law in germany that is official since today. This new law renders the creation and distribution of software illegal that could be used by someone to break into a computer system or could be used to prepare a break in.

This list includes PoC exploits too, sees Mr. Esser.
But we know that The Internet remembers many things.


Gozi Trojan analysis

SecureWorks have posted analysis of another Trojan that used to to steal SSL/TLS encrypted data transfered from the victimized PC.

A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.


Smarter and Smarter

Websense has posted a nice malware analysis showing how easy security software can be bypassed by malicious software.

Before performing it’s primary objective, this malware first disarms any antivirus or firewall it can:

The file is packed with a custom packer/protector, which we had never encountered before. Here is a brief description of the packer and what it does to prevent analysis.

The protected application doesn’t run in a Virtual Machine (default configuration). Once this problem is fixed, it generates 1372 (!) exceptions in the loader to thwart debuggers, tracers, emulators, and so forth.

There is a CRC to prevent patching of the protection code; therefore, the protector will never call the original entry point if the code has been patched, or if a software breakpoint is found in the routine.

One of the first things the malware does is to scan for security applications in memory. It uses a few different techniques, including looking for Windows Name, Process Name

It kills several antivirus products, if they are found in memory, as well as some firewall products.

Lowers the computer sound volume, in order to prevent the users from hearing a warning sound generated by antivirus programs.

Full analysis is here.


When size doesn’t matter

Is a longer password a better one? Most people will answer this with an unconditional “yes”. In fact, we’ve successfully conditioned our users to choose long and complex passwords and in some cases force them to do that using password enforcement policies. It came to a point where even a web site that helps me search for a cheap airline fare (where the most sensitive information in my account is the latest list of searches I did) forces me to a password scheme that look like it came from the NSA Orange Book.

My bank, on the other hand, lets me choose a four number password without complaining. Are they missing something? Shouldn’t they be forcing me to an eight-character-minimum-one-digit-one-letter password like just about everyone else on the internet? No. In fact, I think my bank is one of the few sites that actually did the threat analysis and understands the problem at hand.

Many of you have seen the following picture:


Putting a strong security measure in the wrong place doesn’t help security; in fact, it usually weakens it, as our users find ways to circumvent it altogether. The fact that I have dozens of different passwords that are impossible to remember means that my browser remembers everything for me. In fact, most of my passwords are easy to discover: they are stored in my browser, in my digital wallet and handwritten in notes on my desk. All you need is to gain access to one of these and you can pretty much impersonate me on the web – but you won’t gain access to my bank account – because that password is easy enough to remember and I never needed to write it down or store it.

Wait, am I telling you that a short, simple password is a good thing? Yes, that’s exactly what I’m saying. Lets analyze the threat: The web site is trying to protect me against someone who does not know my password and needs to perform a brute-force attack in order to guess it. But if we assume my username has 10 tries to get the right password before it’s locked for 24 hours (this is a mild assumption, usually we have less tries and we get locked for a longer time), a simple 4 letter password will take 62 years to crack on the average. Even a 4 digit PIN will take more than a full year to guess – that is, assuming the bank doesn’t view the logs to see something strange has been happening (thousands of wrong password attempts in a row). There is no feasible way for an attacker to brute force even the most trivial passwords (with the exception of ’1234′, everyone’s favorite luggage combination) since after a handful of passwords the attack will be flagged; we have actually solved the brute force problem completely, and yet some sites still force me to use long and complex passwords for a problem that should have been fixed elsewhere .

Don’t even get me started on guessing the username: some banks for some reason think that usernames should be complex too.

Why does that happen? People are lazy, and tend to stick with known patterns. Long passwords were good in the 1980s when UNIX had a world-viewable password file encrypted with a weak cypher. But did anyone stop and think if this axiom is still true in this day and age? My bank did. I hope others will follow.


Google, Service Providers and the Future of P2P

in a non-operational nanog discussion about google bandwidth uses, several statements were made. it all started from the following post by mark boolootian:

> cringley has a theory and it involves google, video, and oversubscribed backbones:
> http://www.pbs.org/cringely/pulpit/2007/pulpit_20070119_001510.html

in the discussion, the following statement was made by rodrick brown:

> the following comment has to be one of the most important comments in
> the entire article and its a bit disturbing.
> “right now somewhat more than half of all internet bandwidth is being
> used for bittorrent traffic, which is mainly video. yet if you
> surveyed your neighbors you’d find that few of them are bittorrent
> users. less than 5 percent of all internet users are presently
> consuming more than 50 percent of all bandwidth.”

from there it went down-hill with discussion of the future, with the venice project (streaming p2p for tv), etc. being mentioned. some points were raised about how isps currently fight p2p technologies and may fight these new worlds of functionality, denying what the users want rather than work with them, citing as we have seen above that today, a very small percentage of internet users account for about 50% of all internet traffic. that of course, will increase dramatically in the future — it is where the users want to go.

the isps inhibit this progress, just like in my opinion a bad security “guy” or “gal” would try to prevent functionality from their users as part of their security strategy, rather than work with their users and enable functionality first.

in this discussion, randy bush (who i have had my share of strong disagreements with in the past) said the following, which is admirable:

> the heavy hitters are long known. get over it.
> i won’t bother to cite cho et al. and similar actual measurement
> studies, as doing so seems not to cause people to read them, only to say
> they already did or say how unlike japan north america is. the
> phenomonon is part protocol and part social.
> the question to me is whether isps and end user borders (universities,
> large enterprises, …) will learn to embrace this as opposed to
> fighting it; i.e. find a business model that embraces delivering what
> the customer wants as opposed to winging and warring against it.
> if we do, then the authors of the 2p2 protocols will feel safe in
> improving their customers’ experience by taking advantage of
> localization and proximity, as opposed to focusing on subverting
> perceived fierce opposition by isps and end user border fascists. and
> then, guess what; the traffic will distribute more reasonably and not
> all sum up on the longer glass.

it has been a long time since i bowed before mr. bush’s wisdom, but indeed, i bow now in a very humble fashion.

thing is though, it is equivalent to one or all of the following:
-. eff-like thinking (sticking to the moral high-ground or (at times!) impractical concepts. stuff to live by.
-. (very) forward thinking (not yet possible for people to get behind – by people i mean those who do this daily), likely to encounter much resistence until it becomes mainstream a few years down the road.
-. not connected with what can currently happen to affect change, but rather how things really are which people can not yet accept.

as randy is obviously not much affected when people disagree with him (much the same as me), nor should he be, i am sure he will preach this until it becomes real. with that in mind, if many of us believe this is a philosophical as well as a technological truth — what can be done today to affect this change?

the service providers are not evil — they do this out of operational necessity and business needs. how can this change or shown to be wrong?

some examples may be:
-. working with network gear vendors to create better equipment built to handle this and lighten the load.
-. working on establishing new standards and topologies to enable both vendors and providers to adopt them.
-. presenting case studies after putting our money where our mouth is, and showing how we made it work in a live network.

staying in the philosophical realm is more than respectable, but waiting for fussp-like wide-adoption or for sheep to fly is not going to change the world, much.

for now, the p2p folks who in most cases are not eveel “internet pirates”, are mostly allied whether in name or in practice with illegal activities. the technology isn’t illegal and can be quite good for all of us to save quite a bit of bandwidth rather than waste it (quite a bit of redundancy there!).

so, instead of fighting progress and seeing it [p2p technology] left in the hands of the “pirates” and the privacy folks trying to bypass the firewall of [insert evil regime here], why not utilize it?

how can service providers make use of all this redundancy among their top talkers and remove the privacy advocates and warez freaks from the picture, leaving that front with less technology and legitimacy while helping themselves?

this is a pure example of a problem from the operational front [realm] which can be floated to research and the industry, with smarter solutions than port blocking and qos.

it’s about progress and how change is affected and feared, not about who is evil. it is about who will step up and make a difference, and whether business today is smart enough to lead the road rather than adapt after the avalanche has already fallen.

gadi evron,