[SecurityRatty] tag: cert

CERT Warns About Phalanx Attacks Against Linux Servers

Wed, 27 Aug 2008 12:03:19 +0000

The US Computer Emergency Readiness Team (CERT) is warning about attacks in the wild against Linux systems with compromised SSH keys. The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as [...]

Military trolling at Black Hat

Tue, 12 Aug 2008 13:35:23 +0000

Forgot to post this yesterday. I was in the military and I came out OK.

clipped from www.internetnews.com

Hackers: Uncle Sam Wants You

UPDATED: At Black Hat, agencies including the FBI, US-CERT, and the military make the pitch for assisting in the U.S.’s fight against cybercrime and cyberwar.

New blog, and thoughts on Firefox 3 self-signed cert behavior

Tue, 12 Aug 2008 11:21:00 +0000

We launched a new blog to share some thoughts about the security practices at my employer.

The blog is here: http://www.thesecuritypractice.com/.

The basic introduction and purpose can be found here: http://www.thesecuritypractice.com/the_security_practice/who-are-we.html

And, a post about Firefox-3.0's handling of self-signed certificates can be found here.

This was in reaction to a piece published on Risks a bit ago - "Firefox 3's Step Backwards For Self-Signed Certificates".

An insecurity in OpenID, not many dead

Fri, 08 Aug 2008 21:33:39 +0000

Back in May it was realised that, thanks to an ill-advised change to some random number generation code, for over 18 months Debian systems had been generating crypto keys chosen from a set of 32,768 possibilities, rather than from billions and billions. Initial interest centred around the weakness of SSH keys, but in practice lots of different applications were at risk (see long list here).

In particular, SSL certificates (as used to identify https websites) might contain one of these weak keys — and so it would be possible for an attacker to successfully impersonate a secure website. Of course the attacker would need to persuade you to mistakenly visit their site — but it just so happens that one of the more devastating attacks on DNS has recently been discovered; so that’s not as unlikely as it must have seemed back in May.

Anyway, my old friend Ben Laurie (who is with Google these days) and I have been trawling the Internet to determine how many certificates there are containing these weak keys — and there’s a lot: around 1.5% of the certs we’ve examined.

But more of that another day! because earlier this week, Ben spotted that one of the weak certs was for Sun’s “OpenID” website, and that two more OpenID sites were weak as well (by weak we mean that a database lookup could reveal the private key!)

OpenID, for those who are unfamiliar with it, is a scheme for allowing you to prove your identity to site A (viz: provide your user name and password) and then use that identity on site B. There’s a queue of people offering the first bit, but rather less offering the second : because it means you rely on someone else’s due diligence in knowing who their users are — where “who” is a hard sort of thing to get your head around in an online environment.

The problem that Ben and I have identified (advisory here), is that an attacker can poison a DNS cache so it serves up the wrong IP address for openid.sun.com. Then, even if the victim is really cautious and uses https and checks the cert, their credentials can be phished. Thereafter, anyone who trusts Sun as an identity provider could be very disappointed. There’s other attacks as well, but you’ve probably got the general idea by now.

In principle Sun should make a replacement certificate and that should be it (and so they have — read Robin Wilton’s comments here). Except that they need to put the old certificate onto a Certificate Revocation List (CRL) because otherwise it will still be trusted from now until it expires (a fair while off). Sadly, many web browsers, and most of the OpenID codebases haven’t bothered with CRLs (or they don’t enable their checking by default so it’s as if it wasn’t there for most users).

One has to conclude that Sun (and the other two providers) should not be trusted by anyone for quite a while to come. But does that matter ? Since OpenID didn’t promise all that much anyway, does a serious flaw (which does require a certain amount of work to construct an attack) make any difference? At present this looks like the modern equivalent of a small earthquake in Chile.

'The' DNS Issue of 2008

Wed, 09 Jul 2008 22:54:02 +0000

It’s been a day since the public announcement, so by now you’ve probably heard about the DNS issue. The bug was found earlier this year, but the discoverer (Dan Kaminsky) and team worked fervently with leaders of the technology industry to create patches for all platforms before the big announcement. And- kudos to them all for keeping zipped lips until the problem could be contained (despite all the heckling and harassing).

You can find out a little more right now- I’m including some links below for you to read more.

If you don’t know what DNS is or why you care, see the bottom of this post for a little background info.

As for the real deal on disclosure- you’ll have to wait for Black Hat in August. I’ll be there, along with other members of the Security Bloggers Network (a (non-exclusive but highly visible and well-respected) security bloggers channel for Black Hat and RSA). I’m sure you’ll see *plenty* of post-Black Hat blogs, tweets and podcasts recapping the story.

Hear the buzz…
Dan Kaminsky’s (discoverers) site
US Cert Vulnerability Note
InformationWeek Article: Security Community Comes Together
Rich Mogull helps spread the word to CIOs
Heise Securiy Blog: Nice overview
Wall Street Journal

What is a DNS Server? DNS are servers throughout the Internet (and inside networks) that resolve domain names (ie www.SecurityUncorked.com) to the IP address of the hosting server. The idea is, if you can trick a DNS server, your request for ESPN.com may just take you to a malicious site where you’ll be immediately infected with a virus, malware or other undesirable creepy Internet-bred monster. They’ve found a bug that could be exploited to do just that.

What do we do? It’s not the end of the world. For now, know that almost all DNS servers need to have a patch installed to protect them from this vulnerability. It’s pretty universal and every manufacturer is on board and offering a patch as of yesterday, July 8th.

# # #

Massive Coordinated Patch Effort To DNS System Flaw

Tue, 08 Jul 2008 13:56:25 +0000

The DNS client and server patch in today's Microsoft monthly patches wasn't just a Microsoft problem. It was part of a coordinated effort to patch numerous DNS servers for a series of problems that are common to DNS implementations. The US-Cert advisory on the problem describes three problems which, research has shown, can be combined into effective spoofing attacks:

VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND version 8 generates cryptographically weak DNS query identifiers

The advisory lists 101 DNS servers, their status and the date of their last update. For the large majority of the servers the status is "Unknown," but several important ones are listed as Vulnerable and all of these were patched either today or late last week. Among the vulnerable systems, in addition to Microsoft, are Cisco, ISC, Juniper, Red Hat and Sun. Many of the servers whose status is "Unknown" were also patched quite recently, and it's a safe guess that it was for this reason. The advisory credits Dan Kaminsky of IOActive, Paul Vixie of Internet Systems Consortium (ISC) and Daniel J. Bernstein for the research. It also earlier mentions Amit Klein for work he did on one of the constituent attacks. According to CircleID, Kaminsky will reveal details of the attack in 30 days after users and vendors have had a fair shot at patching it.

Massive Patch Effort Coordinated for DNS System Flaw

Tue, 08 Jul 2008 13:56:25 +0000

The DNS client and server patch in the July 8 set of Microsoft monthly patches wasn't just a Microsoft problem. It was part of a coordinated effort to patch numerous DNS servers for a series of problems that are common to DNS implementations. The US-CERT advisory on the subject describes three problems that, research has shown, can be combined into effective spoofing attacks:

VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND Version 8 generates cryptographically weak DNS query identifiers

The advisory lists 101 DNS servers, their status and the date of their last update. For the large majority of the servers the status is "Unknown," but several important ones are listed as Vulnerable and all of these were patched either today or late last week. Among the companies that have vulnerable systems, in addition to Microsoft, are Cisco, ISC, Juniper, Red Hat and Sun. Many of the servers whose status is "Unknown" were also patched quite recently, and it's a safe guess that it was for this reason. The advisory credits Dan Kaminsky of IOActive, Paul Vixie of ISC (Internet Systems Consortium) and Daniel J. Bernstein for the research. It also earlier mentions Amit Klein for work he did on one of the constituent attacks. According to CircleID, Kaminsky will reveal details of the attack in 30 days after users and vendors have had a fair shot at patching it.

Massive Patch Effort Coordinated for DNS System Flaw

Tue, 08 Jul 2008 13:56:25 +0000

VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND Version 8 generates cryptographically weak DNS query identifiers

The advisory lists 101 DNS servers, their status and the date of their last update. For the large majority of the servers the status is "Unknown," but several important ones are listed as Vulnerable and all of these were patched either today or late last week. Among the companies that have vulnerable systems, in addition to Microsoft, are Cisco, ISC, Juniper, Red Hat and Sun. Many of the servers whose status is "Unknown" were also patched quite recently, and it's a safe guess that it was for this reason. The advisory credits Dan Kaminsky of IOActive, Paul Vixie of ISC (Internet Systems Consortium) and Daniel J. Bernstein for the research. It also earlier mentions Amit Klein for work he did on one of the constituent attacks. According to CircleID, Kaminsky will reveal details of the attack in 30 days after users and vendors have had a fair shot at patching it.

PC Universe is shrinking thanks to McAfee Secure's cluelessness

Fri, 27 Jun 2008 06:11:00 +0000

My web app sec friends know exactly how to push my red buttons. "Heh-heh, send it to Russ, he'll go off." Yep. ;-) Thanks, Rafal. Now I'm all spun up. I was sent two moronic gems this morning; one on the merits of McAfee Secure / Hacker Safe and the 109% sales increase it resulted in for PC Universe, the other an interview with the Internet's single biggest dillweed, Cresta Pillsbury. These articles are both a bit dated, but they equally embrace the premise of "trust" logos as a predominant sales driver, rather than any actual motivation to secure a site and protect consumers.
An example:
"If you’re doing conversion marketing and statistical testing on your website and you haven’t explored trust logos yet, then you’re missing out."
I must be the most naive person in the world; this enrages me. When will the idiots who write this crap get a clue? They've bought right into the hype the snake oil salesmen hoped they would and are now complicit in their failures.
Case in point, as seen in the Internet Retailer piece. By the way, I realize that Internet Retailer and basic web application security practices are completely at odds, but this one deserves direct abuse.
"PC Universe first tested Hacker Safe on its own site in an A/B split test in which half the visitors saw the Hacker Safe seal and half did not. During that test, 7.3% more orders came from Hacker Safe shoppers than from the control group. PC Universe, which operates on the web at PCUniverse.com, is No. 360 in the Internet Retailer Top 500 Guide."
Really? Let's see what McAfee Secure / Hacker Safe has done to actually provide any measurable security benefit.
How about absolutely nothing.
Here's PC Universe's very current, verified McAfee Hacker Safe cert.
Now, here are a few ridiculous examples of reality from the this universe as opposed to the McAfee-twisted alternate universe. Please note, this is the "accountid" variable, and the fact that the marquee is rendered no less than eight times.
1) Marquee
2) XSS Deface
3) Cookie
If you rather just see a video of these vulns, it's here.
PC Universe, rather than lauding your sales increases thanks to some POS logo, try securing your site code. I guarantee you have other issues.
McAfee Secure, once more, you are simply fraudulent to the core.

del.icio.us | digg

Security Certification Rules Could Shake Up IT Mgmt

Thu, 26 Jun 2008 08:33:17 +0000

This seems to a well intentioned but, misguided attempt by the Office of Management and Budget. They are attempting to establish minimum requirements for professional certification for IT workers.

Hmm.

From GCN:

“This is a change we have not faced in the IT security industry before,” he added.

The closest parallel has been in the Defense Department, which anticipated OMB’s reaction in this area. DOD’s Directive 8570 on information assurance, approved in December 2005, requires all of the department’s information assurance workers to obtain an accredited commercial certification in computer security. DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

“If OMB issues a similar requirement, it’s going to throw the supply and demand curve even more out of balance,” he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification requires five years’ experience. “You don’t mint them out of college,” he said.

OK, this is where this trolley leaves the track. I have met CISSP certified folks that I would wager they’d be lucky to fight their way out of a wet paper bag. “Don’t mint them out of college” is a phrase that I’d argue. I would offer that the ISC2 should start auditing certified members. The validity of the CISSP cert is becoming diluted in the eyes of the market.

A picture is worth a thousand words.

It’s great for the mandatory HR tick box but, how many of these folks actually have the ability? Sure they can memorize some flash cards and pass a test but, are they effective? Some, not so much.

On the face of it this is a good idea.

Like all good intentions, they make great paving stones on the road to hell.

Article Link