Apr 09 2014
 

The interwebs are all aflutter over the latest vulnerability announcement – an OpenSSL vulnerability that has been termed the Heartbleed vulnerability. But is it that serious? And what is it anyway?

What Is It?

OpenSSL is a very widely used software component that adds encryption – a web server will very likely use OpenSSL to allow it to encrypt communications between yourself and it. The vulnerable versions of OpenSSL come equipped with new functionality – a “heart beat” that is used to keep connections alive and open.

When this functionality is not disabled and you are using a vulnerable version of OpenSSL, an attacker can make a connection to your server and read up to 64Kbytes of the process memory. For each and every request.

This is a classic information leakage issue, and the attacker can trawl through a collection of 64Kbyte “chunks” of binary data looking for interesting information. In theory, these chunks of information can contain anything the process (the web server, the mail server, etc) contains within itself. Some examples include :-

  1. A researcher has used this vulnerability to expose Yahoo Mail account passwords.
  2. It is believed to be possible to extract a server’s private key to allow an attacker to decrypt communications traffic and/or impersonate the server.

Trawling through binary chunks of data looking for interesting data is the sort of activity that seems to normal people to be so difficult that it would be almost impossible. However it is possible, and for something like passwords it is even easy. And for private keys, there are hints out there on how to do it.
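The missing check behind this leak, as an added example (not OpenSSL's code and not from the original post): a simulated heartbeat handler that trusts the length field in the request, beside one that checks it against the record actually received. The message layout follows RFC 6520; the function names and the contents of the "adjacent memory" are constructed for illustration.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever else lives in the process's memory.
ADJACENT_MEMORY = b"session=abc123; password=constructed-example;" + b"\x00" * 32


def make_request(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat message: type (1 byte), payload length (2 bytes), payload, padding."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def handle_unchecked(record: bytes) -> bytes:
    """Echo the payload using the sender's length field, with no size check."""
    heap = record + ADJACENT_MEMORY  # the record sits beside unrelated data
    _type, claimed_len = struct.unpack("!BH", heap[:3])
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + heap[3:3 + claimed_len]


def handle_checked(record: bytes):
    """Same echo, but discard a message whose claimed length does not fit the record."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    _type, claimed_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed_len + MIN_PADDING > len(record):
        return None  # silently dropped, nothing is echoed
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + record[3:3 + claimed_len]


def leaked_bytes(response: bytes, payload: bytes) -> bytes:
    """Bytes in a response beyond the payload that was actually sent."""
    return response[3 + len(payload):]


if __name__ == "__main__":
    honest = make_request(b"ping", 4)        # length field matches the payload
    overstated = make_request(b"ping", 64)   # length field larger than the payload
    print("unchecked, honest    :", handle_unchecked(honest)[3:])
    print("unchecked, overstated:", leaked_bytes(handle_unchecked(overstated), b"ping"))
    print("checked, overstated  :", handle_checked(overstated))
```

The 2-byte length field is why each request is capped at 64Kbytes: it cannot claim more than 65,535 bytes.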

But How Does This Affect Me?

If you are not a server administrator, this will all seem a bit geeky and not have much meaning for you.

It is probably better to ask: What should I do about this? And the answer is to do nothing unless you are advised to do so by a trusted source. Whatever damage there is has already taken place, and service providers will be busy fixing the vulnerability.

The only addition to that is to make sure you update your software on your computers – your laptop, phone, tablet, etc. Whilst the media is concentrating on the server side of the problem, OpenSSL is also used on client machines, and that means that your computers are vulnerable in some way – whilst no exploits are known to exist today, it is still worth being proactive in making sure you apply updates.

Because sooner or later, attackers will use this vulnerability to attack you directly rather than via servers.

But How Serious Is This?

Very.

But perhaps not as much as some of the more extreme possibilities might suggest.

There is a great deal of probability involved here. For example, was it possible that this vulnerability was known to the “bad people” before the announcement this week? The vulnerability has existed for a year or two so it is possible it was known about. But probably not widely known.

Was it exploited? Possibly, but it’s probable that it wasn’t widely exploited – the activities of “bad people” tend to leak. If it was exploited, it was quite possible that it was limited to the NSA and GCHQ.

As to over-reaction, there was a comment on a blog entry about this in which the commenter claimed that his Yahoo Mail account password had been compromised three times in the last month by this method. Well, possibly, but it seems far more likely that his password had been compromised via other methods – such as using a weak password. Using this method against Yahoo’s servers may reveal some account passwords, but it is likely to reveal random account passwords each time. Meaning that an attacker will find it quite hard to compromise the password for a single account more than once.

Going forwards, it is very likely that this vulnerability will be used by “bad people” – there are already indications that they may be starting to try this.

So it is important and urgent for server administrators to look at this problem and fix it :-

  1. Update vulnerable OpenSSL versions.
  2. Revoke the old SSL certificates.
  3. Issue new SSL certificates.
  4. If passwords are known to have been compromised, issue a notice to suggest people change their passwords.

It is also important that client machines are updated as and when fixes are released.

Feb 22 2014
 

Having had a wee bit of fun at work dealing with an NTP DDoS attack, I feel it is long past time to tackle the root cause of the problem – the ISPs who have neglected to implement ingress/egress filtering despite it being considered best practice for well over 15 years. Yes, longer than most of us have been connected to the Internet.

It is easy to point at the operators of NTP services that allow their servers to be used as attack amplifiers. And yes these insecure NTP servers should be fixed, but given the widespread deployment of NTP in everything it could take up to a decade for a fix to be universally deployed.

And what then? Before the widespread use of NTP for the amplification distributed denial of service attacks, DNS was commonly used. And after NTP is cleaned up? Or even before? There are other services which can be exploited in the same way.

But the way that amplification attacks are carried out involves two “vulnerabilities”. In addition to the vulnerable service, the attacker forges the packets they send to the vulnerable service so that the replies go back to the victim. Essentially they trick the Internet into thinking that the victim has asked a question – millions of times.

Forging the source address contained within packets is relatively easy to do, and it has been known about for a very long time and the counter-measure has also been known for nearly as long. To put it simply, all the ISP has to do is to not allow packets to exit their network(s) which contain a source address that does not belong to them. Yet many ISPs – the so-called “bad” ISPs – do not implement this essential bit of basic security. The excuse that implementing such filters would be impossible with their current routers simply doesn’t wash – routers that will do this easily have been on the market for many years.
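The filtering rule described above, as an added example (not from the original post and not any router's configuration syntax): a source address is checked against the prefixes assigned to the customer interface it arrived on, and again against everything the network owns before it leaves. The interface names, prefixes and packets are constructed, using the documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed example: prefixes assigned to each customer-facing interface.
INTERFACE_PREFIXES = {
    "cust-1": ["192.0.2.0/25"],
    "cust-2": ["192.0.2.128/25", "2001:db8:a::/48"],
}
NETS = {ifc: [ipaddress.ip_network(p) for p in prefixes]
        for ifc, prefixes in INTERFACE_PREFIXES.items()}


def belongs(src, nets):
    """True if src lies inside one of the given networks (same IP version)."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in nets)


def ingress_ok(interface, src):
    """Customer edge: the source must be in the prefixes assigned to that interface."""
    return belongs(src, NETS.get(interface, []))


def egress_ok(src):
    """Border: the source must be in some prefix that belongs to this network."""
    return belongs(src, [n for nets in NETS.values() for n in nets])


def filter_packets(packets):
    """Return (forwarded packets, count of dropped packets per interface)."""
    forwarded, dropped = [], Counter()
    for interface, src, dst in packets:
        if ingress_ok(interface, src) and egress_ok(src):
            forwarded.append((interface, src, dst))
        else:
            dropped[interface] += 1  # a rising count points at a spoofing host
    return forwarded, dropped


# Constructed packets: (arrival interface, source address, destination address)
SAMPLE = [
    ("cust-1", "192.0.2.10", "198.51.100.5"),         # legitimate
    ("cust-1", "203.0.113.7", "198.51.100.5"),        # forged source, not ours
    ("cust-2", "192.0.2.10", "198.51.100.5"),         # ours, but wrong interface
    ("cust-2", "2001:db8:a::1", "2001:db8:ffff::1"),  # legitimate IPv6
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(SAMPLE)
    print("forwarded:", forwarded)
    print("dropped per interface:", dict(dropped))
```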

It is laziness pure and simple.

These bad ISPs need to be discovered, named, and shamed.

Feb 10 2014
 

So I’ve heard about this strange Bitcoin stuff for ages, but never found the time to look into it, until now. It cropped up at work, so I thought I should get acquainted. And this blog posting is an expression of my level of understanding, so it could well be wrong in places.

Certainly don’t take any of this as financial advice!

Bitcoin is a digital cash currency, but what does that mean?

Well the “cash” bit is understandable; it is normally expressed as a ‘peer-to-peer’ currency but essentially I hand over to you a certain number of bitcoins in exchange for some agreed goods or services. Just the same as if I paid you in an ordinary currency in the form of cash.

It is a bit more complex than that as transactions have to be computationally confirmed. Or to put it another way, once you transfer the bitcoins, the transfer has to be independently verified which takes some time. The average seems to be about 8 minutes. So not quite the same as cash then; on the other hand it should be as anonymous as cash – perhaps even more so.

The “currency” bit is a tad more controversial. There’s more than a few governments that declare that bitcoins aren’t a currency but behave more like a commodity (like gold). Of course they may be speaking with a forked tongue, or simply warning of the dangers of using bitcoins. Fundamentally a currency is a medium of exchange – so if you can find something to buy with your bitcoins, or you are prepared to sell goods or services for bitcoins, it is a currency for you.

Lastly the “digital” bit is where it can get a bit complex, so I won’t be trying. To put it very briefly, a bitcoin is a long string of digits that has been “discovered” (or more accurately mined) according to some complex calculation and then independently verified. It also includes details of all previous transactions that have occurred. The obvious question here is how is it that bitcoins cannot be forged?

There is no answer to that question without getting involved in the details of how bitcoins work computationally, but it is commonly held to be impossible without access to enough computational power to overwhelm the combined computational power of the bitcoin miners.

The Bitcoin “Bubble”?

In conventional economics a bubble is essentially some activity that becomes massively overvalued and eventually loses its value. Examples include the South Sea Bubble, and the dot-com bubble. There are those who claim that bitcoin shares characteristics with famous historical bubbles, which is a very easy thing to say.

After all, no bubble is a bubble until it has been popped; at least in economics.

The trouble is that bitcoins are essentially worth what people agree they are worth. If everyone turned around tomorrow and agreed that they were worthless, you wouldn’t be able to spend them.

Which makes them the same as practically all modern currencies – the pound, the dollar, the euro. They are all backed not by silver or gold, but people’s confidence. Bitcoins are subject to much larger fluctuations than ordinary currencies which is at least partially a result of the small size of the bitcoins marketplace and the effect of external events such as China banning bitcoins.

The Wallet

To make use of bitcoins, you need a wallet to put them into. This is essentially an application that processes bitcoin transactions and keeps a record of how many bitcoins there are in the wallet. Full-blown wallets (such as one of the earliest – Bitcoin-QT) keep a full record of the bitcoin transactions to fully verify bitcoins; mobile wallets are less capable. Whilst there are still protections in mobile wallets, you may wish to be less trusting with mobile wallets until you know more about this than I do!

Once you have a wallet fully set up – which can take several days due to the large number of transactions it needs to download – you can start using it. Of course initially it will be empty, so you will be unable to buy anything, but you will be able to set up addresses for people to send you bitcoins which will look like 16hQid2ddoCwHDWN9NdSnARAfdXc2Shnoa.

Yes that’s a real address – it’s my “donation” address – and you are more than welcome to send me a coin or two. Or more realistically a tiny fraction of a coin.

Once you have something in your wallet, you can send bitcoins to addresses like the one above … or perhaps another address in return for something useful!

Mining Bitcoins

Previous sections have indicated that there is something called “mining” and that a great deal of computational power is behind the workings of the bitcoin network. Numerous volunteers contribute computer power – almost always using special hardware to do so – in the hope of making money.

Can you make money? Yes, but probably not enough to pay for the increased electricity bill and almost certainly not enough to pay back the initial hardware investment. People who got into mining earlier may have made a bit of money – when you could effectively mine with ordinary computer power, but unless you are prepared to invest many thousands of pounds on a regular basis it is unlikely that you will see anything like a reasonable return.

And this is probably bitcoin’s biggest weakness. The bitcoin network needs miners to validate all of the transactions that go on, and in the future, there may be a lack of volunteers if the return is not reasonable.

But of course I might be discouraging you as I’m mining a bit myself – and the more miners there are, the fewer bitcoins there are for me 🙂

Jan 27 2014
 

I’m old enough to remember the tail end of the real cold war between the West and the old Soviet Union when we were waving nuclear missiles at each other. And threatening each other with nuclear annihilation.

So it is a bit of an exaggeration to speak of a new cold war when the threat is nowhere near as apocalyptic. But if you take a look at how the old cold war was fought – with espionage, and signals intelligence – you begin to realise we do have a new cold war. Intelligence agencies around the world are cooperating in fighting against a new enemy.

Us.

Oh, they’ll defend themselves by saying that it’s not the normal man or woman in the street they are worried about, but the terrorists in our midst they are targeting. But to do that they have to spy on us.

They’ll say that they are not spying on the people in their own country; just on those sneaky foreigners. But when GCHQ spies on US citizens, they pass the information they obtain to the NSA; and the NSA passes information on their spying activities to GCHQ.

Which means that what little protection we have against our own intelligence agencies spying on us is effectively meaningless.

Dec 03 2013
 

People like me keep banging on about why the security of passwords is so important. We keep telling people they need strong passwords, when what people really want are easy to remember passwords. Of course we keep on saying the same message because not everyone pays any attention.

The truth is that it is possible; or at least partially possible to have both strong passwords and relatively easy to remember ones. But first why is it necessary at all?

The sad fact is that there are criminals out there; not spotty teenagers in basements having some sort of weird fun, but genuine criminals who want your account details for a variety of reasons. Organised crime has moved on from bathtub gin, bank robberies, and drugs realising that (amongst other activities) computer crime can be quite profitable with a lower risk of being caught.

The most obvious accounts targeted by criminals are bank accounts – online access to your bank. Whilst they will target such accounts, criminals will also target the most innocuous accounts as well – your ISP account, or a work account. The lowest level of usage of a stolen account is to send spam; not in vast quantities but even several hundred spams sent in your name can really ruin your day.

And will continue to have a less obvious negative effect over time – your email address will be less trusted by recipients if it has ever been used by a spammer. And of course that is the damage I know of. The criminals may use your account for other purposes.

In fact it is probable that any stolen account has a small but definite value on underground markets such as the Silk Road (or deeper and darker places).

And that is excluding the damage that criminals can more directly cause you by access to all the data contained within your account.

How Do Criminals Get Your Password?

So how do criminals get hold of account passwords? It turns out there are three main methods, and one is only useful in certain circumstances (and happens to be the most technical and so the most interesting to geeks).

Just Ask!

It may seem crazy, but probably the easiest method of obtaining account details is simply to ask for those details! The question is normally dressed up to confuse the situation so that it appears to be a legitimate organisation asking for the password. An email from your bank asking you to login via a provided link; an email from your IT support department asking for your password to increase your mail quota.

The defense against this is to never tell anyone your password. Your password is a method of demonstrating that you are yourself; if you give it away, you let other people pretend to be you.

Don’t do it.

Just Guess!

Some people use passwords so weak that they can be guessed relatively easily – or at least easily when the password guessing is scaled up. If a criminal has a 0.001% chance of guessing a password, but they try 1,000 different accounts with 10 different passwords at 1,000 different sites per day, they can expect to get 100 accounts a day!

The best defense against this sort of attack (for an individual) is to make sure you do not have a weak password – go for one that is long and strong (we’ll get to that later).

Password Cracking

The last method of getting account passwords is only possible with access to the password hashes which normally involves exploiting some kind of vulnerability. Once access to those hashes is obtained, it is possible to use a password cracking dictionary to generate a list of candidate passwords and calculate the password hash for each one. When the hash for a candidate password matches the hash of a real account, you know what the password is.

It shouldn’t be possible for a criminal to get access to password hashes, but they do get access to them on a regrettably frequent basis. In addition, it is not uncommon for password cracking to be used as the ultimate test of whether a password is “strong enough” – if it can be cracked with a reasonable level of resources, it is weak.

The best defense against this kind of attack is again to use a long and strong password.

Long And Strong (And Memorable) Passwords

The best passwords are long and random, but very definitely not memorable – as an example, a typical random password might be Y2JkOGY3OTg0YzY1NGMyNTUxMmUzZDkyNDFhZTU2OWYgIC0K. Not the sort of password anyone would want to remember, although password stores such as LastPass allow the use of such passwords. Certainly worth investigating.

However it still needs a master password and there are other circumstances where passwords you have to remember are essential. In such cases memorable becomes a requirement, but we still need strong passwords.

For most of us, a memorable password is made up of dictionary words, yet we are often told that a word-based password (no matter how cleverly transformed it might be) is a weak password. It turns out to be correct for single word passwords, but multi-word passwords are still relatively strong. A lot weaker than truly random passwords of an equivalent length, but somewhat surprisingly a lot stronger than short truly random passwords.

The mathematics of this gets a bit hairy, so take it on trust – length is the most important factor in determining password strength with certain exceptions (a very long word isn’t strong no matter how long it is).

The XKCD Password strength comic

Stringing together a whole bunch of words may not seem the most sensible way to come up with a memorable password; in fact I’ve been using a five word password for many years, and at this point I can’t forget it! I would suggest though that the XKCD method can be strengthened a wee bit by adding a symbol between every word – pick a random symbol like “@”.

Now pick three to four “random” words, and string them together with your random symbol :-

${word 1}${symbol}${word 2}${symbol}${word 3}${symbol}${word 4}${symbol}

Becomes: four@blatter@pong@zoo@

One thing to watch out for – you should have at least one “unusual” word in the list of random words, and don’t have too many short words – the password trustno1 is a weak password!
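The word-and-symbol recipe above with the "hairy" mathematics worked through, as an added example that is not part of the original post. It assumes the attacker knows the recipe and the word list, so strength comes only from the random choices; the word list and symbol set are constructed samples, and 7,776 is the size of a Diceware word list.

```python
import math
import secrets

# Constructed sample list for the demo only; a real list needs thousands of words.
SAMPLE_WORDS = ["four", "blatter", "pong", "zoo", "quince", "harbour", "velvet",
                "gizmo", "tundra", "marble", "sprocket", "lantern", "oyster",
                "whisker", "ferret", "cobalt"]
SYMBOLS = "@#%&*+=!"  # one of these is picked at random and reused after every word


def make_passphrase(words, n_words=4, symbols=SYMBOLS):
    """Build word+symbol+word+symbol... using the OS random source, not human choice."""
    symbol = secrets.choice(symbols)
    return "".join(secrets.choice(words) + symbol for _ in range(n_words))


def passphrase_bits(list_size, n_words, n_symbols=len(SYMBOLS)):
    """Entropy in bits: each word adds log2(list size), the symbol is chosen once."""
    return n_words * math.log2(list_size) + math.log2(n_symbols)


def random_password_bits(length, alphabet_size=94):
    """Entropy in bits of a truly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def comparison_table():
    """Rows of (description, bits) for the cases the text compares."""
    return [
        ("1 word from 7,776 + symbol", passphrase_bits(7776, 1)),
        ("4 words from 2,048 + symbol", passphrase_bits(2048, 4)),
        ("4 words from 7,776 + symbol", passphrase_bits(7776, 4)),
        ("5 words from 7,776 + symbol", passphrase_bits(7776, 5)),
        ("8 random printable characters", random_password_bits(8)),
        ("48 random printable characters", random_password_bits(48)),
    ]


if __name__ == "__main__":
    print("example:", make_passphrase(SAMPLE_WORDS))
    for description, bits in comparison_table():
        print(f"{description:32s} {bits:6.1f} bits")
```

The figures only hold when the words are picked by a random source from a large list; words chosen by hand are far easier to predict.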