Security and the Net

Hot on the heels of yesterdays news about large-scale phishing attempts targeting Twitter users, Twitter just announced that a number of high-profile accounts were hacked. 

These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.

So it appears as though Twitter is off to a bad start this year. The timing of these two events suggests they might be related; perhaps a member of the support team was tricked into sharing his account info with the phishers, and that’s how these hackers got access to the support tools. It might also be a separate issue where there was a bug in the support tools that could allow any attacker access to them, but that would be an amazing coincidence. 

Graham Cluley at Sophos has some more details about the timing of the events, and a screenshot of the Britney Spears twitter page shortly after the hack.

Both the Independent and the Times Online reported yesterday that the UK police wants to be able to search computers remotely, without the need for a search warrant. Some of the methods that might be used include installing keyloggers, hacking wireless networks and installing backdoors on the suspect’s PC:

Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or “malware”. If the attachment was opened, the remote search facility would be covertly activated.

This prompted an immediate response from Sophos: 

One thing I can promise you though: If Sophos encounters any malware written by the police, we won’t turn a blind eye. We will add detection for it.

[...]

Even if security vendors were made aware of the code, how would we know that our customer was the intended target of police surveillance? You see, by planting spyware on the PCs of those under suspicion, the police could essentially be placing a weapon directly into the hands of their enemies.

While that is a clear statement, and one that I totally agree with, it might place them in a difficult position: they might be charged with intentionally interfering with a police investigation it they actually remove “Police.Spyware.Win32″…

Since the publication of the attack against RapidSSL’s certificate issuing process, numerous stories have been published about how many SSL certificates are suddenly “unsafe”. The best (or worst) example I’ve seen so far is this one at TG Daily. It starts with the following statement:

14% of SSL certificates on the Internet potentially unsafe
Netcraft provided more details on a critical digital certificate vulnerability revealed last week. Although Microsoft downplayed the problem by stating that the successful exploit was not published, Netcraft found that 14% of SSL certificates use the vulnerable MD5 hashing algorithm. 

This suggests that there is something wrong with the certificates; if you read the actual publication about the attack, you’ll notice that it requires ordering new certificates, and certificates that have already been issued are not at risk. Your secure website doesn’t become less secure because the certificate it’s using was signed using an MD5 hash. The article then continues to tell us that other CA’s use SHA-1:

The remaining 7000 vulnerable certificates from Thawte and Verisign, but the analysis firm noted that most of their certificates are signed with the SHA-1 algorithm, which is currently believed to be secure. All other certificates on the Internet use only SHA-1.

If you compare this with the actual text from the Netcraft press release they are quoting, you’ll find that they are not actually saying it is “believed to be secure”:

Security remains a moving target, however, as researchers have also started to find weaknesses in SHA1. Although there are no attacks as advanced as those against MD5, it is likely that SHA1 will also be increasingly threatened by collision attacks as research in this area continues. There are more secure cryptographic hashes available, however, so we can expect to see CAs start to phase in newer, stronger hashes over the next few years.

There is a big difference between “believed to be secure” and “we know there are weaknesses, and we’ll switch to a better alternative when it’s available”. The good news is that the attack that was presented will soon become impossible to execute; RapidSSL has stopped using MD5 within 24 hours of the presentation, and Verisign (the owner of RapidSSL) will stop using MD5 entirely by the end of january.

Microsoft has just shown the world what the consequences of a relatively small programming mistake can be. In this case, it’s a classic “off-by-one” error in the clock driver of the Zune mediaplayer:

year = ORIGINYEAR; /* = 1980 */

while (days > 365)
{
    if (IsLeapYear(year))
    {
        if (days > 366)
        {
            days -= 366;
            year += 1;
        }
    }
    else
    {
        days -= 365;
        year += 1;
    }
}

The code above converts the internal “seconds since 1980″ time to something more readable, but on the last day of a leap year the number of days will be exactly 366, and thus it will stay in the loop until 24 hours later. While this is not a security risk, it does show how easy it is to make these kinds of mistakes. This is a simple piece of code, and even then it took me a while to figure out what the problem was.

A presentation at 25C3 today detailed how researchers were able to create their own Certificate Authority that is recognized by all current webbrowsers, allowing them to create valid certificates for any website they like. While it’s presented as an example of why using MD5 hashes is considered harmful, it also serves as a perfect example of why trusting an SSL certificate in general is a bad idea. 

If you want to read all the details of this “hack”, you can find them here. The full article is pretty easy to understand, even if you are not a PKI expert. If you prefer the short version, here it is:

While using MD5 to sign digital certificates has now been shown to be dangerous, the researchers also highlight several other factors that made this attack possible:

• For this specific attack to work, they needed to predict the serial number of certificates issued at a specific time. This turned out to be remarkably easy: RapidSSL uses a simple incrementing counter, instead of generating random serial numbers. 
• It’s also necessary to know the validity date of a generated certificate beforehand; this was also way too easy, since RapidSSL generates a certificate exactly six seconds after confirming the order.
• And, last but not least, RapidSSL’s root certificate that is included in web browsers doesn’t include a “path length” attribute. If this had been set to 0, it would only be valid for creating certificates, and not for creating intermediate certificate authorities. 

And RapidSSL is not the only party that issues certificates way too easily. You don’t need to create your own fake certificate authority; Comodo allowed anyone to order certificates for domains not under their control. 

So as you can see, there are multiple ways to get a real, “trusted” certificate for a domain that is not yours, thus making man-in-the-middle attacks a lot easier. My Firefox came with tens of certificate authorities pre-installed, and there is no easy way for me to check how secure their procedures for issuing certificates are. So just relying on a pre-determined list of “trusted” sources is an accident waiting to happen; it’s just a matter of time until the private key of one of these trusted sources is stolen or one of these also starts issuing certificates without performing proper checks.

Fortunately, alternatives for this system are being developed. One of these are the new Extended Validation certificates, which promise better validation of the party that requested the certificate. But a more important initiative is the Perspectives system: this allows you to detect man-in-the-middle attacks by verifying that you are presented with the same certificate as other users. Most of the time, you don’t really need to know exactly who a certificate belongs to, but you do want to be sure nobody is eavesdropping on your communications. If that is what you need, install the Perspectives plugin for Firefox now.

Graham Cluley warns people about a new wave of phishing attempts being sent via Google Calendar. These are legitimate mails, receiving via Google Calendar, from Google’s mailservers, looking just like a real invitation for a meeting or party. In fact, it is just that. A phisher creates a fake Gmail account, sets up a meeting in his Google Calendar account with a text that asks you to send some account information, and invites lots of people. This lets Google do the hard work (delivering the phishing mail) and makes sure it comes from a “trusted” address. 

This is a trend that I expect to continue in 2009. We’ve already seen Microsoft’s services being abused, and there are many other possibilities now that most captchas are broken. Take, for example, the Google Calendar service; the phishing attempt is still a bit simple, but you can also use it to send spam from Google’s servers using the same technique:

• Create a Gmail account
• Create a Calendar event
• Add your URL’s to the event description
• Invite the people you’d like to spam
• Google will spam them for you, including hyperlinks for your spamvertized site. 

Don’t believe it’s that easy? You thought Google would check the contents of the messages you sent? Creating the following message took less than a minute, and with captchas effectively broken it should be easy to automate.

The “more details” link takes you to this page:

As you can see, Google has even created some nice clickable links. This will make fighting spam increasingly hard; simply blocking all mail from Google’s servers will lead to angry users, and since most of the message will look the same as other legitimate calendar invitations, blocking based on the contents of the message is almost impossible to do. We’ll have to trust the Google’s of this world to tackle this problem on their side of the fence.

As more people are becoming concerned about their online privacy, the use of tools to protect that privacy such as Tor and Privoxy is getting more common. One of the main features that these offer are “hiding” your IP address; privoxy by offering the option to send all your traffic through a proxy server, and Tor by even more advanced routing. 

Metasploit has just published an updated version of their decloaking engine that shows how easy it is to bypass these tools. Most of them depend on configuring a proxy server in all your applications, forcing them to send all traffic through the anonymizing software. But security is only as strong as the weakest link; your webbrowser has the ability to start all kinds of external programs automatically. Decloak.net uses that fact to bypass popular anonymizing software. There are multiple steps involved:

• Doing a DNS query for the decloak site. This will in most cases reveal the nameserver you are using;
• Starting a Java applet that will force a DNS query, in most cases without using a proxy server even if you have one configured;
• Doing a UDP request from a Java applet, which will in most cases go directly to a machine that will see your real public IP;
• The Java applet will also see your internal, private IP address;
• Loading a Flash applet that opens a direct outbound connection;
• Sending a Word document that will fetch an external image;
• Starting Quicktime with a setting that will override any proxy settings present;
• Sending a URL that is normally handled by iTunes.

That’s a list of five applications that need to use the correct settings; if only one of them is not using the correct proxy settings, your real public IP address can be seen. An attacker would have no way of knowing which of these tests return the correct one, but if multiple tests reveal the same IP address, and that is different from the one that is seen on a normal HTTP connection, an attacker can be confident that he’s found the right one.

The Metasploit team assures everyone that a proper Tor setup should still be safe, but then again Tor has its own issues…

A properly configured Tor+Torbutton+Privoxy solution still stands up against Decloak, but just about everything else fails.

Microsoft just released MS08-78, a security bulletin describing the issue that has been affecting Internet Explorer users for almost a week (CVE-2008-4844). The bug is fixed for Internet Explorer 5.01, 6, 7 and the beta version of IE8. As Microsoft points out on their Internet Explorer homepage, the browser is now “safer than ever”. Don’t you just love that? 

The security bulletin itself doesn’t contain any surprises, but I did notice a new piece of information I haven’t seen before:

In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.

KB887012 contains an explanation of why your computer needs to reboot after installing security updates. Now if only they’d use their expertise to improve their update process instead of trying to explain why these reboots are necessary… I’m not an expert at OS-level programming, but I assume Windows knows what processes are running and what files are in use. If a particular DLL needs to be updated but is in use, it shouldn’t be too hard to track down what service is using that DLL, and ask for permission to restart that service.

This is a bad week for browser security; not only is Microsoft rushing out an emergency patch tonight, other browser makers are releasing their own updates as well as people worldwide go online to do their Christmas shopping.

Opera released version 9.63 of their browser yesterday, fixing several security issues. The most critical ones allow arbitrary code execution, making these just as critical as the Internet Explorer vulnerability. The Firefox developers have also been busy, pushing out the final update for the 2.0 version of their webbrowser which fixes four critical vulnerabilities, and version 3.0 that has three critical issues. 

And to complete the list, Apple included a Safari update in their Mac OS X 10.5.6 release as well (CVE-2008-3170; CVE-2008-4234 can also affect Safari users). This might be a good time to have another look at Chrome; it has security issues as well, but the design philosophy is good (run every tab in a separate security zone), and since it contains relatively few extra’s other than browsing and managing bookmarks, there is less code to check for security problems.

Microsoft has just announced that a fix for the critical bug in Internet Explorer 5, 6 and 7 is to be published tomorrow. As usual, there will be webcasts detailing the fixes:

Microsoft is hosting two webcasts to address customer questions on these bulletins: on December 17, 2008, at 1:00 PM Pacific Time (US & Canada) and December 18, 2008, at 11:00 AM Pacific Time. Register now for the December 17 webcast and the December 18 webcast. Afterwards, these webcasts are available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

The issue is listed as critical for all supported versions of Windows and Internet Explorer, so be sure to install this update once it becomes available! As Larry Dignan notes, this proves that Microsoft can move (reasonably) fast when necessary:

The good news: Microsoft can move on critical patches when it wants to and can be nimble. The bad news: Microsoft is moving on the IE patch because the attacks are escalating.

More details are available in this security advisory; this still leaves known vulnerabilities in Wordpad and SQL Server.