Attack of the Week: Log Jam
Written by InsidiousX on May 21, 2015
Written by InsidiousX on April 15, 2015
Written by InsidiousX on March 4, 2015
This is the story of how a handful of cryptographers ‘hacked’ the NSA. It’s also a story of encryption backdoors, and why they never quite work out the way you want them to.
A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a ‘man in the middle attacker’ to downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA. These attacks are real and exploitable against a shocking number of websites — including government websites. Patch soon and be careful.
What is SSL/TLS and what are ‘EXPORT cipher suites’ anyway?
clients to negotiate ‘strong’ ciphersuites with servers that supported them, while still providing compatibility to the broken foreign clients.
If EXPORT ciphers are known to be broken, what’s the news here?
The MITM attack works as follows:
How common are export-enabled TLS servers?
Factoring an RSA key seems pretty expensive for breaking one session.
PoC or GTFO.
This is what happens to EC2 spot pricing when Nadia runs 75 ‘large’ instances to factor a 512-bit key.
Just because someone says an implementation is vulnerable doesn’t mean it actually is. You should ask for proof.
Attack images courtesy Karthik, Antoine INRIA.
Some will point out that an MITM attack on the NSA is not really an ‘MITM attack on the NSA’ because NSA outsources its web presence to the Akamai CDN (see obligatory XKCD at right). These people may be right, but they also lack poetry in their souls.
Is it patched?
The most recent version of OpenSSL does have a patch. This was announced (though not very loudly) in January of this year.
Apple is working on a patch.
Akamai and other CDNs are also rolling out a patch to solve these problems. Over the next two weeks we will hopefully see export ciphersuites extinguished from the Internet. In the meantime, try to be safe.
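To confirm that export suites are really gone from a given build or cipher configuration, the listing printed by `openssl ciphers -v` can be audited. The following is an added example, not code from the original post; the sample listing is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`
# on builds that still include export suites; not taken from a real host.
SAMPLE_LISTING = """\
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

# Matches fields such as Kx=RSA(512) or Enc=AES(128); the size is optional.
FIELD = re.compile(r"(Kx|Au|Enc|Mac)=([A-Za-z0-9/_-]+)(?:\((\d+)\))?")


def parse_suite(line):
    """Turn one listing line into a dict, or None for blank/short lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    suite = {"name": parts[0], "protocol": parts[1],
             "export": parts[-1] == "export"}
    for key, alg, bits in FIELD.findall(line):
        suite[key] = (alg, int(bits) if bits else None)
    return suite


def audit_export_suites(listing):
    """Return (name, kind, key-exchange bits) for every export-grade suite."""
    findings = []
    for line in listing.splitlines():
        suite = parse_suite(line)
        if suite is None:
            continue
        if not (suite["export"] or suite["name"].startswith("EXP-")):
            continue
        kx_alg, kx_bits = suite.get("Kx", (None, None))
        # Export RSA key exchange is the downgrade target described in the post.
        kind = "export-rsa" if kx_alg == "RSA" else "export-other"
        findings.append((suite["name"], kind, kx_bits))
    return findings


if __name__ == "__main__":
    for name, kind, bits in audit_export_suites(SAMPLE_LISTING):
        print(f"{name}: {kind}, key exchange {bits} bits")
```

An empty result means the listing contains no export-grade suites.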
What does it all mean?
Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
Special thanks to Karthik and Antoine for sharing this with me, Nadia for factoring, Ivan Ristic for interrupting his vacation to get us data, and the CADO-NFS team for the software that made this possible.
Written by InsidiousX on February 9, 2015
Televisions that offer voice commands are the hottest new thing on the market. If you have a Samsung unit you should read the fine print. The fine print for Samsung’s Smart TV voice recognition system says that it will not only capture your private conversations, but also pass them on to third parties.
Seems like the NSA isn’t the only one you need to worry about spying on you. Then again, perhaps that is what we get if we feel that pressing a few buttons is too much like work.
The possibilities boggle the mind.
But this doesn’t end with Smart TVs, or Nest thermostats. Anything that has a digital connection is a possibility for eavesdropping in what you think is your private life.
This is your digital bed, lie in it.
Tags: nsa, record, smart tv
Written by InsidiousX on December 23, 2014
Written by InsidiousX on December 20, 2013
Written by InsidiousX on December 18, 2013
Update: As it now appears, 40 million accounts have been compromised.
The Secret Service is investigating a possible data breach around the time of Black Friday that involves Target stores. It appears that the breach mainly targeted customers that actually visited stores as opposed to those that shopped online.
The report was released by security researcher Brian Krebs, at krebsonsecurity.com, and possibly involves millions of accounts.
The thieves reportedly gained magnetic strip data from customers’ cards, and may even have captured PIN data, leaving ATM cards vulnerable. If you remember, back in 2006 Target competitors TJ Maxx and Marshalls fell victim to the worst security breach ever, when hackers gained access to at least 94 million accounts.
Tags: data breach, hacked, target
Written by InsidiousX on December 10, 2013
It was recently released that the NSA has infiltrated popular MMOs, such as World of Warcraft, Second Life, and others in an attempt to catch terrorists.
Secret briefings from 2007 and 2008 show agents expressing great enthusiasm for video games as a “target-rich communication network” affording bad guys “a way to hide in plain sight.” At one point, the Guardian reports: “According to the briefing documents, so many different US intelligence agents were conducting operations inside games that a “deconfliction” group was required to ensure they weren’t spying on, or interfering with, each other….”
At first thought I figured this was insanity at its best. But after thinking about it, I thought, how clever this actually is (from the terrorist perspective). Let me explain in more detail.
Let’s say that I belong to some “uber secret society” that law enforcement keeps trying to infiltrate. We already know governments can tap your cell phone, wired phone, sat phone, internet traffic (unless heavily encrypted), and written correspondence. Practically any traditional method of communicating with other members of this “uber secret society” is at risk.
I go online and buy a CD at GameStop, or stop at my local one and pick up two (or more) copies for cash. It is something that I can carry with me anyplace in the world, and is not subject to export regulations (like heavy encryption) nor is any “game” going to trigger any unusual alerts or investigation. I pass that game on to another contact and he installs it, I do the same.
We log in, create a “guild or group” and bam. Done. One “player” can be sitting in a cave in some remote location with a sat or cell phone internet data connection, and I can be sitting in New York with mine, and nobody will give a care. Think about it. Who cares if you see World of Warcraft traffic? I am sure if someone was sniffing traffic in the ether looking for “email” and they noticed World of Warcraft packets they would probably laugh about it.
And I know that some of you guys are gonna say, you can’t play Warcraft on a sat or cell phone data connection, the latency is too high. I say bull. I am not raiding Ice Crown Citadel in a 25 man to kill the Lich King, so I don’t care if my latency is through the roof. I am only sending text messages in chat, and maybe running around killing bats in Tirisfal Glades. What a great way to obfuscate your data, encapsulated in the middle of something nobody cares about (or in plain sight).
Also, anyone who has played Warcraft and looked at trade chat for more than 5 minutes knows that there is an ungodly number of messages flowing through that chat window. Albeit, most of them are about “your mom”, “Chuck Norris”, or how some PUG failed his group. But, there is a significant number of them. I would place my bets that these “chat” messages are not archived, and if they are, they are not archived for very long, which also makes a perfect way to purge any chat history. After all, keeping them (storing them long term) has absolutely no benefit to any game mechanic whatsoever. So, why would a company want to spend millions of dollars on data storage for something that has no effect on game play?
Bottom line is, this is a pretty clever way to obfuscate your data in plain sight. And it is interesting that the NSA caught on to this. Furthermore, according to the minutes of a January 2009 meeting, GCHQ’s “network gaming exploitation team” had identified engineers, embassy drivers, scientists and other foreign intelligence operatives to be World of Warcraft players—potential targets for recruitment as agents.
Tags: mmo, nsa, warcraft
Written by InsidiousX on December 5, 2013
Once again I find myself hashing out the same information about social media sites being hacked and user accounts being released into the wild. This time 2 million accounts are compromised and their details are posted online. The list breaks down to the following top 10.
1) www.facebook.com 318,121 accounts compromised
2) login.yahoo.com 59,549 accounts compromised
3) accounts.google.com 54,437 accounts compromised
4) twitter.com 21,708 accounts compromised
5) www.google.com 16,095 accounts compromised
6) www.odnoklassniki.ru 9,321 accounts compromised
7) www.linkedin.com 8,490 accounts compromised
8) th-th.facebook.com 8,008 accounts compromised
9) agateway.adp.com 7,978 accounts compromised
10) vk.com 6,867 accounts compromised
Most of those are self-explanatory as popular websites. The 3 that most people won’t recognize are vk.com and odnoklassniki.ru, which are social networking sites aimed at Russian-speaking people, and adp.com, which is a payroll service provider.
For most of the attacks (96.66%), the command and control center for the botnet resolved to the Netherlands.
What I find very alarming is that even though this happens all the time, people don’t change their habits. What I mean is people are still using very simple passwords for these extremely large and popular social networking sites (or anywhere for that matter). Here is the breakdown of the top 10 passwords found during this attack.
1) ‘123456’ used on 15,820 accounts
2) ‘123456789’ used on 4,875 accounts
3) ‘1234’ used on 3,135 accounts
4) ‘password’ used on 2,212 accounts
5) ‘12345’ used on 2,094 accounts
6) ‘admin’ used on 1,991 accounts
7) ‘123’ used on 1,453 accounts
8) ‘1’ used on 1,224 accounts
9) ‘1234567’ used on 1,170 accounts
10) ‘111111’ used on 1,046 accounts
While it remains true that malware (Pony Botnet) was used to compromise these accounts, it would not technically matter if your password was ‘123abc’ or ‘AhsadfS9903!!6jhsgdh!’, you still would have lost it. But this is a reflection of a broad problem.
I will be posting some information in regards to information sharing in some upcoming blogs.
Tags: hacked, password, passwords, social media, weak
Written by InsidiousX on December 2, 2013
In October a security researcher discovered a backdoor vulnerability with certain D-Link routers. This vulnerability (CVE-2013-6027) [setting the browser’s user agent string to “xmlset_roodkcable0j28840ybtide”] allows cyber criminals to alter a router setting without having a username or password. D-Link has released a new firmware version for the vulnerable routers that patches this vulnerability. The following routers have updates:
As a safety precaution you should not enable the ‘Remote Management’ feature, and you should download and install the relevant updates as soon as possible.
D-Link Security Advisory
Tags: d-link, update, vulnerability
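Because the backdoor in the D-Link post above is triggered by a fixed user agent string, HTTP request logs can be searched for it. The following is an added example, not part of the original post: it assumes logs in combined log format (for example from a proxy or sensor in front of the device), and the log lines, paths and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# User agent string quoted in the post, lower-cased for comparison.
BACKDOOR_UA = "xmlset_roodkcable0j28840ybtide"

# Combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Dec/2013:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Dec/2013:10:02:31 +0000] "GET /settings HTTP/1.1" 200 4096 "-" "xmlset_roodkcable0j28840ybtide"
198.51.100.7 - - [02/Dec/2013:10:02:40 +0000] "POST /settings HTTP/1.1" 200 128 "-" " XMLSET_roodkcable0j28840ybtide "
203.0.113.5 - - [02/Dec/2013:10:05:00 +0000] "GET /settings HTTP/1.1" 401 0 "-" "curl/7.30.0"
"""


def find_backdoor_requests(log_text):
    """Group requests carrying the backdoor user agent by source address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        # Tolerate case and padding differences on the detection side.
        if BACKDOOR_UA in m["ua"].strip().lower():
            hits[m["src"]].append((m["time"], m["request"], int(m["status"])))
    return dict(hits)


if __name__ == "__main__":
    for src, events in find_backdoor_requests(SAMPLE_LOG).items():
        for when, request, status in events:
            print(f"{src} {when} {request!r} -> {status}")
```

A hit with a 200 status on a settings page deserves priority, since it indicates the request was served without credentials.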