Category Archives: Curiosities

Do Security Incidents hurt your business? Well, not if you are Adobe, it seems.

Brian Krebs published some stats from ThreatMetrix around how quickly users upgrade their browsers once security incidents have been posted. See http://krebsonsecurity.com/2014/05/the-mad-mad-dash-to-update-flash/ for more details.

I have read bits and pieces, but the economic impact of security incidents is a very interesting topic. I think it ranges from breaches/security incidents having zero impact on the business (apart from a temporary drop) to businesses going out of business because of them (DigiNotar is an example - http://www.darkreading.com/attacks-breaches/diginotar-hacked-out-of-business/d/d-id/1136356?, and so is Target’s ex-CEO).

Concluding the data analytics exercise with Flash, the chart below shows the number of devices on which Flash is installed. The data covers all end users of the 2,500 enterprise customers of ThreatMetrix’s Global Trust Intelligence network, representing more than 160 million accounts.

[Chart: flash_percentage]

As you can see, the percentage of devices with Flash is very constant at around 62%, and not a single one of Adobe’s critical-severity security incidents over the last 6 months encouraged enough people to stop using Adobe Flash.

My personal advice: If you haven’t uninstalled Flash, do it now.

Protection vs Censorship

The title might sound a bit harsh, but with all these “good” people trying to protect you, where is the line between protection and censorship?

Byron Acohido (@byronacohido) just posted this tweet:

[Tweet image]

I personally hate these short URLs, but I thought this sounded interesting. The reason I hate these short URLs is that you don’t know where they take you (this one takes you from bit.ly/1eUu9e2 to t.co/yzm89jFvxS ;-) In this case it leads you to this:

[Screenshot: Twitter warning page]

Wow… That’s what I preach almost daily… Watch out what you click on!!! And now I have to be saved by Twitter??? Let’s have a look at what this page is really all about:

[Screenshot: the blocked page]

I can confirm that this is neither a “web forgery” nor a “phishing site”. It’s also not a “site that downloads malicious software onto your computer”, nor is it a “spam site that requests personal information”. There is no iframe, not even JavaScript on this page. Only a couple of external references (e.g. YouTube).

Now I don’t care too much about whether TouchID has been hacked yet, but this almost crosses the line for me: Twitter’s security team has been a bit too “motivated” to block content that is definitely not malicious.

What’s next? What other pages will be blocked in the name of security?

Research about “Why isn’t everyone hacked every day” also applies to the fraudsters

Ok, so I was reading the article by Michael Kassner “Why isn’t everyone hacked every day” (http://www.techrepublic.com/blog/security/why-isnt-everyone-hacked-every-day/6633), which talks about a paper by Cormac Herley and Dinei Florencio, “Where Do all the attacks go?” (http://research.microsoft.com/pubs/149885/WhereDoAllTheAttacksGo.pdf).

In short, the paper gives a plausible explanation of why the internet still works at large even though the security state is a mess (well, not exactly, but almost).

One of the key statements that caught my eye was “Thus, how common a security strategy is, matters at least as much as how weak it is“.

Basically this means that if you are a bank and you deploy the same security solution as everyone else, you are more likely to be hit, as the fraudsters can just reuse an attack vector.

However, it occurred to me that this is obviously also true for the bad guys: if all the bad guys were using the Zeus trojan to perpetrate their crime, the good guys could obviously be much better prepared to defeat the attacks.

If the bad guys are using a new trojan (with new configuration files, encryption, hooking, …) all the time, then the good guys have a much harder time to provide the same level of protection.

If you use any run-of-the-mill Zeus trojan service, chances are high that you’ll be detected pretty quickly through ZeuS Tracker and the many services provided by companies that give financial institutions an early warning.

However, if you either use a different trojan or alter the trojan to make detection and decryption harder (such as the Zeus variants based on the leaked Zeus source code - http://www.tidos-group.com/blog/?p=429), the chances of not being detected increase. We have seen this over and over again, and when Carberp hit the scene it made a big impact because nobody really knew what was happening and how things worked.

So while the paper by Herley and Florencio talks about the security industry, the same thing applies to the fraudsters as well, and as such I’m sure we’ll always see a proliferation of lots of different trojans for exactly this reason.

Quo vadis Certificate Authorities?

I’m sure you’ve heard about the DigiNotar compromise (e.g. here http://www.theregister.co.uk/2011/08/29/fraudulent_google_ssl_certificate/), where DigiNotar (a subsidiary of Vasco) signed a certificate for “*.google.com” for someone who isn’t Google. We’ve seen this before with another well-known Certificate Authority, Comodo, where one of their resellers got hacked, which resulted in 9 certificates being issued fraudulently (http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html).

[Screenshots: the fraudulent certificate next to the “real” Google certificate]

Well, the certificate was issued on July 11, 2011, and exactly 7 weeks after issuance it is now revoked, and all browser vendors even got rid of the CA altogether with a client update (!)

I’ve been involved with SSL and certificates for the last 11 years, and frankly it has been a mess for most of these 11 years.

  • We’ve seen incidents where a financial institution “forgot” to renew its certificate and only 1 in 200 (that is 0.5%) customers denied the connection.
  • We’ve seen the list of Certificate Authorities growing and growing, and when the system almost broke down, the EV-SSL certificates were “invented”. Basically along the lines of “hey, the system is broken. Let’s not fix it, let’s just charge more”.
  • We’ve seen many, many browser flaws that wouldn’t properly validate the certificate, allowing the use of invalid certificates for well-known sites without a browser warning.
  • The revocation system is broken at best, simply unusable at worst.
  • On the malware front, more and more trojans use HTTPS (even with valid certificates) for the C&C communication.
  • Most modern MITB trojans have to use real HTTPS certificates for injecting malicious JavaScript and other content into a legitimate bank website. We have seen this with every decent attack, such as Gozi and Carberp.

Apparently a new browser feature in the Google Chrome browser alerted the user to this fraudulent certificate. The feature is that only a very small subset of CAs are allowed to vouch for Gmail (see http://blog.chromium.org/2011/06/new-chromium-security-features-june.html). Did I read that right? Chrome has hard-coded CAs that override the default behaviour? That can’t seriously be the right solution going forward.

This reminds me of a “Safe Webbrowsing” initiative from the FSTC a couple of years ago, where the idea was to switch to a “banking mode” in your browser which would limit the CAs and only allow certain ones. It goes in the right direction, but is still based on CAs.

So what’s the solution?

Unfortunately that’s not the easiest question to answer, as it has to do with trust in the internet. SSL was always designed for encryption and authentication. While in the beginning the encryption part got most of the attention, the authentication part is actually at least equally important: it proves to users who they are talking to. In a world of explosive growth rates in eCommerce, the consumer needs to be sure that the site he’s looking at is the right site. If we can’t guarantee that, trust is gone…

We know that the hierarchical trust structure of the CAs won’t solve the problem – regardless of how much one pays for a certificate.

In fact it even solves the wrong problem. What a consumer wants to know is whether he is at the right page, and NOT whether the certificate was signed by some CA, is not expired, and the URL matches the CommonName of the certificate.

Maybe if we could relate a particular web service to one or many SSL certificates, that would make a big difference to the trust model? How cool would it be if I went to (say) www.citibank.com and knew that the SSL certificates I’m about to encounter are all owned by Citibank and are actually used for the banking session?

As a matter of fact, TrustDefender realized this a long time ago, and its concept of “Client Policies” provides exactly that relationship for our enterprise customers. This enables TrustDefender to “distinguish” internet requests that belong to the current banking session from other, completely irrelevant connections (such as malicious C&C server communication).

How would this have solved this incident?

Well, because all SSL certificates are part of these Client Policies, the fraudulent one from above wouldn’t be in there, and it would have been detected from the very first second.

Regardless of what technology will be employed, we need to do something different.

Mobile browsers: user interface vs. security

I came across a curiosity the other day that I’m still not able to solve, but here you go…

Recently, when logging in to facebook, the following message appeared on my iPhone:

I thought… Ok, in light of all the recent hacks, maybe someone miraculously hacked my iPhone and is trying to steal my facebook details (not that they are worth anything, but anyway).

So I took an almost maiden iPad here in the office, tried the same thing again and came across this picture:

WTH???

I could not reproduce the same thing with any other device or browser. I tried IE, Firefox, Chrome on a PC, an Android phone, … I could not reproduce this… On an iOS device it doesn’t happen all the time, but I can reproduce it fairly reliably…

With all the information I have, I am absolutely sure that this is the right certificate… I double checked all the details, including the serial number and the SHA-1 hash. This is definitely the correct certificate.

User Interface

But the real issue that I have is that there is no way in the world anyone can actually make sense of any of the presented information…

The world is abuzz at the moment with cloud offerings… more and more people will transact online… the traditional computer won’t exist anymore and we will only store things online, if things go the way Google pushes them. But we can’t really solve the most basic security issues?

The right action is to block this, as it’s impossible to ascertain whether this is the right site… (leaving aside for the moment the fact that it is the right site!!!)

For completeness, here are the screens that are visible when you click on “Details”.

And one iPad picture with the serial number and the signature.

And lastly the confirmed correct certificate. (This actually raises a good question: how do you undeniably confirm this?)

Does anyone know what’s happening here? Is this a bug in iOS? Session renegotiation?
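As an added example (not code from these posts, and not TrustDefender’s own implementation), here is a small Python model of the “Client Policy” relationship described in the Quo vadis post, a policy that binds the hostnames of one banking session to the only certificate fingerprints expected for them, together with the fingerprint computation used to confirm a certificate’s SHA-1 or SHA-256 hash as in the iPad post. The hostnames, certificate bytes and policy are constructed placeholders; a real client would feed in the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
from typing import Dict, Set

# Constructed stand-ins for DER-encoded certificates. In a real client they
# come from ssl.SSLSocket.getpeercert(binary_form=True); these bytes are not
# certificates, they only give the fingerprint function something to hash.
BANK_CERT_DER = b"constructed-placeholder: bank login certificate"
ROGUE_CERT_DER = b"constructed-placeholder: certificate from an unexpected CA"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes, in the form browsers show
    under 'Details' (use algo='sha1' to compare against a SHA-1 fingerprint)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering only the leftmost label:
    '*.example.com' matches 'www.example.com' but not 'a.b.example.com',
    and a wildcard over a bare top-level domain ('*.com') is refused."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


# Hypothetical client policy: the hostnames that belong to one banking session
# and the only certificate fingerprints that may be presented for them.
CLIENT_POLICY: Dict[str, Set[str]] = {
    "*.example-bank.test": {fingerprint(BANK_CERT_DER)},
}


def policy_decision(host: str, der: bytes, policy: Dict[str, Set[str]]) -> str:
    """Classify one TLS connection against the client policy:
    'unrelated' - host is not part of the protected session (e.g. C&C traffic)
    'trusted'   - host is in scope and the presented certificate is expected
    'blocked'   - host is in scope but the certificate is not one we know,
                  which is exactly the *.google.com case: a chain that
                  validates under the CA system but is not the site's own."""
    matching = [pat for pat in policy if hostname_matches(pat, host)]
    if not matching:
        return "unrelated"
    seen = fingerprint(der)
    for pat in matching:
        if seen in policy[pat]:
            return "trusted"
    return "blocked"


if __name__ == "__main__":
    print("bank cert  :", policy_decision("www.example-bank.test", BANK_CERT_DER, CLIENT_POLICY))
    print("rogue cert :", policy_decision("www.example-bank.test", ROGUE_CERT_DER, CLIENT_POLICY))
    print("other host :", policy_decision("cdn.unrelated.test", ROGUE_CERT_DER, CLIENT_POLICY))
    print("SHA-1      :", fingerprint(BANK_CERT_DER, "sha1"))
```

The point of the three-way decision is the one the post makes: chain validation alone answers “did some CA sign this?”, while the policy answers “is this the certificate this service actually uses?”, and it also lets a client tell session traffic apart from connections that have nothing to do with the bank.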