Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

25C3 Day Four

Last day of the conference. Sorry to see it finish, but i’ll try and be back next year if I get the chance. The people here were so great, and I hope to stay in touch with as many as possible.

11:30 CET
Lightening Talks

E-Voting in Österreich
A quick overview of the planned e-voting scheme in Austria. Objections to the system and it’s links to a national ID card were raised.

Consumer B Gone
An overview of automatic locking wheels on shopping carts (yes supermarket ones). After reverse engineering the signal used to lock the wheels as they pass the boundary, they reproduced it. A fun demo using a mobile phone to play an mp3 and lock/unlock the wheel.


Stop Software Patents
A bit of a rant on how software patents are wrong and unlawful. A bit of history on patent law and the debate on changing it to allow patents on software. 24th September is now world stop software patent day.

Details of the LandesBank Berlin data loss that happened earlier this month. 130,000 credit card numbers exposed.

Workflow engine satellites -XML based protocol. An example of an AT&T WFE program was shown with documentation found in the Internet (google FTW). This document shows that the WFE includes a DMZ portion to minimise DMZ issues. This is achieved through simply forwarding the port to the secure network. No IP restrictions are in place, giving an attacker access to the internal LAN.

TBF to Brainf*ck
A quick overview of the esoteric brainf*ck programming language. The TBF is a compiler that compiles code to brainf*uck working code.

Slightly short on talks today due to some no shows. I’d love to have done a quick talk, but due to the circumstances I couldn’t release the details. Still, maybe next year.

12:45 CET
Predictable RNG in the vulnerable Debian OpenSSL package

I’ve seen the Debian PRNG problem discussed a few times, but what the hell. It was that or a talk on genetically modified food. The actual words from the OpenSSL dev team, when asked what effect commenting this line out would make, the reply was “not much”. Interesting review, but nothing to write home about. Demo of the problem were interesting to see.

14:00 CET
Wikileaks vs. The World

Brief overview of what Wikileaks stands for and aims to be. Wikileaks is a proof of concept that it works. Technical challenges – trusting other businesses to provide technology but also protect against possible compromise or censorship. After the congress last year Wikileaks had a major issue with a banks leaked documents. They attacked the only weak point and had the domain name revoked. This was short lived as a group of people helped to force the issue legally and the domain was moved. In the last year Wikileaks have released/hosted leaked Sarah Palin emails, the BNP (British Nationalist Party) member documents, BVOE, and T-systems. Some of the documents may be questionable however wikileaks cannot decide what is and is not relevant, else they will become a sensorship of shorts (which is what they fight against). The BNP documents alone resulted in over 2000 mainstream articles. Threats (mostly legal) have been made to try and force articles to be taken down. Documents on Kenya’s politcal assassinations were also made public (including names). Online archives of major newspapers are censored or removed. The only trusted source is the original printed version. Censorship in online content is all around us, and increasing. Many countries of the world have censorship lists already in place (whether public or private). As the number of media outlets shrink, censorship becomes easier to achieve. What about blogs ? These aren’t the cure to censorship. As individuals a blog owner isn’t able to stand up against legal or political pressure.

The service that wikileaks offers is in my mind invaluable. It’s good to know that somebody is policing the unpolicable. Documents and pictures supressed by governments, companies or other co-called news agencies can be made public through the wikileaks service.

15:15 CET
MD5 Considered Harmful Today “Creating a rogue CA certificte”

The first public exploit of the known weaknesses in MD5. Lots of research done on MD5, culminating in papers in 2004 and 2007 on theoretical attacks against MD5. However CA’s still use MD5 in the signing process. Cluster of 200 PS3’s to create the collision and perform that attack. Attack against all SSL based connections using the vulnerability in MD5 (not in SSL). Certificate revocation is a problem, as was seen with the Debian OpenSSL vulnerability. Some basic overview of how the certificate request process works, and the MD5 hashing process. Original MD5 hash collision was demonstrated in 2004. in 2007 this was improved upon to go beyond the 128 byte limit of the 2004 attack. Process is to create a collision on the “to be signed” section of the certificate. Get the certificate signed and use this on the other certificate using a different identity. Of 30,000 collected certificates, 9,000 of them were signed with MD5. 97% of these were issued by RapidSSL. RapidSSL were also an easy target due to the automated fashion of certificate creation. The time of certificate creation was easily calculated for use with the MD5 collision. Another factor was the certificate serial number (RapidSSL uses sequential numbers). Due to the length of time needed to recreate the MD5 collision (3 days) an estimate of the certificate serial number needs to be made (using statistical analysis and incrementing the number through certificate purchases). The certificate request then needs to be done at the exact time to meet with the time used in the create collision certificate. If the attack is sucessful an intermediary certificate authority was created. From this point you can sign your owns certs and they will be valid. Suceeded in creating the certificate on the 4th attempt. Cost of the certificates was only $657. The private key created in this talk will NOT be released (and was backdated so it expired in Aug 2004 anyway). This said not every software checks the certificate validation date. This certificate is not revocable as the certificate has a blank URL for revocation checking (nice feature). Even if revocation was possible Firefox 2.x and IE6 don’t check for revocation as default. EV (extended validation) certificates are immune to this attack vector as they are not allowed to use MD5 with these certificates. It’s estimated that with some optimisation this attack could be done in 1 day using the Amazon EC2 service at a cost of $2,000. If you disable current CA’s that sign with MD5 then 30% of SSL on the Internet would stop working. In a twist of the normal way things play out, both Microsoft and Mozilla were asked to sign NDA’s. Apparently both signed (although MS took a bit longer than Mozilla).

Breakdown… MD5 is and has been broken for a long time, move on use SHA-1 at least. The effected CA’s have been contacted to make this switch. The question outstanding is “Can we trust CA’s that have used MD5 to sign certificates in the past”. There is always a chance that somebody has already used this attack and we don’t know about it.

Publishing the theory and talking about it in papers wasn’t enough to prevent MD5 from being used. It took a valid, actionable attack and proof of concept to force the change. I can’t think of a better answer to the full-disclosure question. Sometimes you have to expose the security of a system to make it better. All the pieces are there to recreate this attack. The Internet is not broken….. Yet.

–> breakdown of attack available here: http://www.win.tue.nl/hashclash/rogue-ca/

Overall this has been a great conference… can’t wait for Hacking At Random next year.

Comments are closed.

%d bloggers like this: