Security Basics mailing list archives
RE: Checkpoint smart defance as IPS
From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Sat, 5 Jun 2010 06:28:41 +1000
You have no idea of what you are talking about.

"Illegally fake"

I did not say that an organisation publishes certificates on the web. These are used internally. There is no illegality here. Illegality comes from fraud. I do not believe that I have ever stated this as a valid course of action, let alone for companies.

Fraud consists of an intentional misrepresentation of material existing fact made by one person to another with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage.

Dr Russell Smith of the Australian Institute of Criminology stated in 2000 that:

The perpetrators of many on-line scams are often not large corporations. They are able to close-down their operations quickly and easily, move assets to secure locations and use digital technologies to conceal their identities and disguise evidence. In such cases there is little likelihood of success whether civil or criminal proceedings are taken.

If you check your browser certificate trust list, you will note that a few banks have not only opted for cross signed trusted roots (where they are signed by a trusted root), but have become a trusted root CA.

When you obtain a cross signed certificate there is a permanent record. You issue certificates INTERNALLY for your own systems. As long as the company has a policy that states it can do this - there is NO illegality. Here in NSW, Au, the requirements are that employees etc are informed that they can be monitored when accessing the Internet. The company does not need to provide detailed technical details as to how this occurs.

As for setting up an ILLEGAL RA. I at no point stated this.

As for interception, the organisation sets a gateway with a device using certs from their own internal CA infrastructure. If this is cross signed using a trusted root certificate, browsers will trust it. This is legal.

To set up an internal RA and be cross signed, you have to be valued to be a significant business. Generally, this is around $5 million in capital value. This excludes small business and not much more. The CA needs to be secured (FIPS is usually mandated - but as stated, I have FIPS hardware on my laptop these days).

At the gateways, the organisation CAN intercept and monitor ANY SSL communication. TLS with a client certificate is another matter as this is an authenticated session and the client cert is not given to the gateway. The use of client certs is rare.

I know of several financial organisations here in Au doing just this, and no, I am not going to state who on the list.

As for forensic uses, interception can easily occur at an ISP etc with a court order. This is not the same as an organisational interception at a company on the company's equipment for the purpose of monitoring. If you are too clueless concerning this topic to understand this, I suggest you get a different job.

When a client accesses the gateway, they are not going to receive a warning unless they have the latest version of Firefox, have cached the real certificate and have the CA root change option ticked.

When this is deployed, no errors are supplied, but the certificate is stored in the cert cache. Forensic analysis of the system will return the cert. The repudiation features of certificates mean that the client has proof they have been intercepted if they look. This does not make for good fraud.

Again, policy etc is required to allow this. In the US, interception requirements vary both by organisational type and state.

How does this scenario involve "taking over VeriSign"?

"The challenge experiment is still open if you don't ask for infeasible requirements"

What infeasible experiment? I have FIPS hardware. I have a Checkpoint device. I have an organisational CA. You pay for a cross signing process, and I will happily demo it. Either that or get a clue and read up on X.509.

As for the 200 PS3s, I have more computing power at my disposal than this.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: Shreyas Zare [mailto:shreyas () secfence com]
Sent: Saturday, 5 June 2010 12:55 AM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

Hi Craig,

What a great BS idea! So in the context of this thread, you want organizations to set up their own RA and illegally fake all the SSL certificates? IANAL but this is still an infeasible solution. Also, do you regularly sell illegal solutions to your clients like this?

And for the challenge part, you want me to pay for setting up RA which will be used basically to fake certificates and is totally not legal and out of question?

You are forgetting the purpose of security. While all complex systems can be compromised in some way at some level, security is to increase difficulty level for an attack. So difficulty involved in registering an RA is part of the security of PKI. And as you know, the entire PKI system works on trust factor, your solution for the current thread scenario is invalid and thus your claim is invalid.

Nothing is broken in here; the system is working as it was designed. SSL/TLS and PKI are working as designed and serving the purpose for which they were designed for - provide privacy, authentication and protect against MITM.

All this stupid argument was done because of out of context claims and sheer stupidity on your part which any sane person reading this list would agree to. And then your arguments are filled with stupid things that don't really explain your claim in the context of the thread.

I too can claim (for fun of course!) that I have capability to intercept *any* SSL/TLS communication in the world, only I need to take over Verisign! Those who want to challenge must take over Verisign first hand over it to me! So simple, isn't it?! (Terms and Restrictions apply!)

The challenge experiment is still open if you don't ask for infeasible requirements and have some other techniques to accomplish the task at your disposal (don't ask me to deliver 200 PS3 processors to Australia!).

Regards,
Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
www.secfence.com

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. - Albert Einstein

On Fri, Jun 4, 2010 at 12:40 PM, Craig S. Wright <craig.wright () information-defense com> wrote:
You pay the costs and no problem. Costs are for an RA setup. Not my clients ones, but you arrange to pay the costs for this and I will happily do it.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: Shreyas Zare [mailto:shreyas () secfence com]
Sent: Friday, 4 June 2010 5:02 PM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

Hi Craig,

If you still claim it's possible, why not you take this challenge? The challenge is quite clear and "easy" to achieve for you. It will prove the point and enlighten us all on the list. We would fix a favorable date and time (UTC) and do it. What you say?

And since you are stressing on the MD5 collision point, the researcher took a week's time to create a fake cert using 200 PS3 Cell Processor. While that was really impressive and can be practical too for a particular target; it's not what you claim. You claim your system works on-the-fly for any website.

Challenge quoted below again for clarity:

==BEGIN CHALLENGE==
1. I, with my personal laptop will connect to any VPN that you provide.
2. I would use my default web browser (Firefox v3.6.3 with no-script addon) and would visit *any* HTTPS website I wish and login with my credentials.
3. This VPN that I would dial, can/will be in your control; you can route the traffic anyway to the internet (this part is quite easy to achieve) and sniff the data and do whatever you can do to intercept and "decrypt" the traffic.
4. I will use the DNS server which the VPN connection provided.
5. I would visit only one website, login then disconnect the VPN. There will be only one attempt for me to login to that website. I would myself capture the traffic that went through VPN with wireshark for comparison and post it.
6. You would then use whatever means possible to get my credentials and you can freely post it publicly on the list or on any other forum.
7. And since, as you claim, this will happen on-the-fly, you will have to post the credentials within 24hrs on the list (24hrs is too generous anyways).
==END CHALLENGE==

Regards,
Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
www.secfence.com

On Fri, Jun 4, 2010 at 2:55 AM, Craig S. Wright <craig.wright () information-defense com> wrote:

As stated, yes this is possible. As I have also stated, the browser trusts all certificate authorities equally.

There is evidence of the change. The repudiation features of certificates allow you to have a copy that proves I was in the middle. To do this, you have to check certificate finger-prints for the most part.

All traffic from your site is redirected via a controlled gateway. Unless you have been to a website before, you will have no idea of any change at all.

There is no single root CA, there are 100's of them. If you have been to a site before, it will depend on your browser settings. Firefox will alert the change in CA if a CA from a different country is used. IE can be configured to do something similar (both if you have the latest version IE 7 does not do this and nor does an older version of Firefox).

I have a cross signed root certificate. As an enterprise with at least $5 million in assets etc, it is not too difficult to obtain. There are at least 80 CAs that will issue one. Some are easier and require far less validation. A savvy user may think it is strange that the US government uses a CA in China, but few non-IT (and even most IT) people do not check.

I issue a zero key from my RA. This is self signed. The self signed cert is trusted as a cross signed CA has trusted the signing cert. As the browser has a list of root CA's it trusts, my chained cert is also trusted.

This is if I am doing this honestly. I could also spoof a request to a CA.
http://www.phreedom.org/research/rogue-ca/md5-collisions-1.0.ppt

MANY CAs still have predictable serial #s. Some are low volume making this simple if you are willing to spend the money (about $1-5k). Many still take ASCII Nulls in submissions. Worse, there are several CAs that take submissions through a browser correctly, but which can be spoofed with the standard injection techniques to accept non-ASCII chars. Many Asian CAs will take "funky" characters, making other attacks possible. Several CAs still have MD5 if you know where to go. There are also issues with SHA1, but I will not go into this here...

Google's cert fingerprint has changed several times this year. Ebay's a few as well. Have you called them to manually validate the certificate? If not, then you can be MiTM'd.

Do you write down the cert fingerprint for your online banking? Do you check it each time and call the bank if it changes?

"X.509 is a remarkably fragile piece of work." Dan Kaminsky, 2009.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: Shreyas Zare [mailto:shreyas () secfence com]
Sent: Friday, 4 June 2010 2:30 AM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

Hi Craig,

I don't know what's missing, maybe the issue is not clear. I will write the claim you made in below paragraph:

You claim that it's possible to Man In The Middle (MITM) attack on *any* SSL/TLS communication without tampering anything on the client side and that SSL/TLS is, and can, be intercepted for *any* possible website a client visits on-the-fly.

Now, I will create a scenario which will make things clear:

1. I, with my personal laptop will connect to any VPN that you provide.
2. I would use my default web browser (Firefox v3.6.3 with no-script addon) and would visit *any* HTTPS website I wish and login with my credentials.
3. This VPN that I would dial, can/will be in your control; you can route the traffic anyway to the internet (this part is quite easy to achieve) and sniff the data and do whatever you can do to intercept and "decrypt" the traffic.
4. I will use the DNS server which the VPN connection provided.
5. I would visit only one website, login then disconnect the VPN. There will be only one attempt for me to login to that website. I would myself capture the traffic that went through VPN with wireshark for comparison and post it.
6. You would then use whatever means possible to get my credentials and you can freely post it publicly on the list or on any other forum.
7. And since, as you claim, this will happen on-the-fly, you will have to post the credentials within 24hrs on the list (24hrs is too generous anyways).

This exercise would clear up things that you claim and surely the entire mailing list would like to know how this thing is really technically possible and how you achieved it.

Regards,
Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
www.secfence.com

On Thu, Jun 3, 2010 at 1:08 PM, Craig S. Wright <craig.wright () information-defense com> wrote:

"DNSSEC is not related to SSL/TLS security"

SSL security is based on DNS. DNSSEC is security for DNS.

" Again I would say my point: you *cannot* do MITM on a website if you don't have private key for the certificate on that website."

Really? I have devices doing this at clients right now.

" If you are NSA, you can crack the encryption with brute force and that too will take quite some time."

BS

"Again for god sake, this is social engineering! there is no way this can be used to MITM an existing SSL website. Well, if you can get a cert from any of the 264+ CA for citibank, that would be fault of the CA and not SSL/TLS or PKI, plus that would involve legalities. This compromise is in theory possible, but again you need access to a CA and SSL/TLS protocol is still not broken (it's working as designed)"

No it is not, the certs are already in the browser. I can get a .com cert from several CAs.

" not possible for any guy to obtain the same "

Really? I have set up a number of RAs.

" Lastly, why on earth would people use electronic banking if what you claim is true and so easy to carry out?"

As the issue is not one people care about. The banks have the risk. DNS and routing are the weak points. Perception.

Well the simple thing here is I do this for clients from time to time. I am happy to know I am doing the impossible.

Encrypted is NOT secure. It is private. These are not the same thing. If you actually believe that SSL is security, then I feel sorry for your clients.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: Shreyas Zare [mailto:shreyas () secfence com]
Sent: Thursday, 3 June 2010 4:56 PM
To: craig.wright () information-defense com
Cc: security-basics () securityfocus com
Subject: Re: Checkpoint smart defance as IPS

Hi Craig,

I disagree with you my friend. And the points you are using to defend your previous claim are totally different and thus not valid for the argument.

Firstly, you claim that SSL/TLS can be intercepted and MITM is possible (and effectively protocol is broken). And now you defend it citing bad implementation of SSL/TLS in browsers and social engineering. Most of your points (like phishing, fake domains etc) are social engineering and not MITM or interception for that matter. SSL/TLS is not to protect user from his/her stupidity. SSL/TLS do provide a secure channel to a site and you cannot just sniff the traffic and decrypt it (as you suggest).

DNSSEC is not related to SSL/TLS security. Clients just blindly trust their ISP DNS server. DNSSEC is to make faking/spoofing a DNS reply really difficult and it will be done using digital signatures. And surely, you can attack DNSSEC too with social engineering or making the client machine trust a fake CA that you control then sign a fake reply with your private key.

Again I would say my point: you *cannot* do MITM on a website if you don't have private key for the certificate on that website. However, you can be a CA and fake a certificate on the fly on your gateway, that too only when the client trusts the CA in the first place. If you are NSA, you can crack the encryption with brute force and that too will take quite some time. And ...

On Thu, Jun 3, 2010 at 4:45 AM, Craig S.
Wright <craig.wright () information-defense com> wrote:

Hello, I suggest that you learn to reference more than simply Wiki.

I suggested you wiki to get the basics. and wikipedia for that matter is really good. You claimed that browser only checks for domain name and totally didn't know about the handshake which involves private key of the website.

"If it was possible as you claimed, the protocol will be totally broken and it will be front page news article."

I suggest you keep up. This is why TLS was introduced (which also has flaws) - which is still not used correctly either. But read on for something that matters.

http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html

Phishing is not MITM, it's social engineering.

PS. A complete compromise of the CAs and DNS would not likely make a front page article. Most people do not care and it is not something that sells papers.

A person's net-banking account can be intercepted while he and his bank won't care? great!

This is also why DNS and routing are important. What do you think DNSSEC is really about?

DNSSEC and SSL/TLS are different things. SSL/TLS use certificates to match domain that's true but, the handshake is done as client sends a random number encrypted with public key and the server which has the private key can *only* decrypt it.

SSL is about privacy, NOT security. It was NEVER about security.

this is simply great!

How about I give you some real reading, something more than the online golden book encyclopaedia that is Wikipedia...

Thanks, I have done much more reading already.

Let's take a quote from Kurt Seifried:

"Even ignoring all these problems the simple fact is that SSL certificates only identify the server to the user, they do not authenticate it. This is a subtle but incredibly important difference. My online bank is at tdbank.ca, td.ca on the other hand is owned by someone else and banktd.ca is still free. I know for example that www.openssl.org is the "official" site for OpenSSL, but what about www.openssl.de? Shouldn't that be the official site for OpenSSL translated into German? Well it turns out that it isn't. Do you trust every single root certificate in your webbrowser software? Have you even heard of "IPS SERVIDORES" (ips.es), "Saunalahden Serveri CA" (saunalahti.fi) or "SERVICIOS DE CERTIFICACION - A.N.C." (correo.com.uy)? I sure as heck haven't."

REMEMBER - ALL CERTIFICATE AUTHORITIES ARE EQUALLY TRUSTED!!!!!!!!!!!!!!!!

I have to state this again...

ALL CERTIFICATE AUTHORITIES ARE EQUALLY TRUSTED!!!!!!!!!!!!!!!!

Do you think your users go and check the CA and ensure it is really the one that the real site has used? If you think users do this, you have some learning to do.

If you actually believe that you cannot obtain a signed (from a CA in IE's list) certificate for a MiTM device, you have not looked too hard.

If you do not think this is a known issue, try reading some RFC's:

"[Browser vendors] and users must be careful when deciding which certificate and certificate authorities are acceptable; a dishonest certificate authority can do tremendous damage." RFC 2246, The TLS Protocol 1.0

The 264+ root CAs trusted by Microsoft, the 166 root CAs trusted by Apple, and the 144 root CAs trusted by Firefox are capable of issuing certificates for any website, in any country or top level domain.

See Ed Felten. "Web Certification Fail: Bad Assumptions Lead to Bad Technology". Freedom To Tinker, February 23 2010.
www.freedom-to-tinker.com/blog/felten/web-certification-fail-bad-assumptions-lead-bad-technology.

Again for god sake, this is social engineering! there is no way this can be used to MITM an existing SSL website. Well, if you can get a cert from any of the 264+ CA for citibank, that would be fault of the CA and not SSL/TLS or PKI, plus that would involve legalities. This compromise is in theory possible, but again you need access to a CA and SSL/TLS protocol is still not broken (it's working as designed)

Next,

"'Packet Forensics' devices are designed to be inserted-into and removed-from busy networks without causing any noticeable interruption [...] This allows you to conditionally intercept web, e-mail, VoIP and other traffic at-will, even while it remains protected inside an encrypted tunnel on the wire. Using `man-in-the-middle' to intercept TLS or SSL is essentially an attack against the underlying Diffie-Hellman cryptographic key agreement protocol [. . . ]". Packet Forensics. Export and Re-Export Requirements, 2009. www.packetforensics.com/export.safe.

So - the question is... have you removed all but the "trusted" CA's from your users browsers? I doubt it. If you have, you also need to do this EACH and EVERY time that IE updates.

Again you need access to a CA, which a government like US can do for sure. And it's again not possible for any guy to obtain the same.

Next, have a read of more than this forum. Try the TLS list from the IETF:
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html

From the link: "The problem: when Microsoft IIS is configured to request a client certificate after having received the request, then it WILL perform an unauthenticated request! Sending the reply back only to the authenticated client is a poor excuse for acting on an unauthenticated request."

That is bad implementation of SSL, isn't it? and that too specific to a particular server. And in normal HTTPS scenario, client don't send a cert to server.

Even not paying for a certificate (which is the option for the scenario this derived from), you can still attack SSL/TLS:

"...inject a chosen plaintext prefix into the encrypted data stream, often without detection by either end of the connection. This is possible because an "authentication gap" exists during the renegotiation process at which the MitM may splice together disparate TLS connections in a completely standards-compliant way."

See http://extendedsubset.com/wp-uploads/2009/11/renegotiating_tls_20091104_pub.zip

Finally, have you ever thought of a zero bit negotiated key. SSL with 0-bit encryption. This can be done using a 128 bit certificate. The client to the IPS is clear text, but looks to the browser as being encrypted.

Again an example of bad implementation in application.

Research means more than wiki. If you use a title of researcher, it is something that you should try to do.

Thanks for the tip. But, one really needs to read basics first no matter from wiki or some another source.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

Lastly, why on earth would people use electronic banking if what you claim is true and so easy to carry out?

While there are many attacks possible in theory, implementing them practically is very difficult indeed. And such attack will depend on bad implementation issues or social engineering. Still, doing an attack based on social engineering is quite viable option but, the success rate of such attack would vary with the target population.

Regards,
Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
www.secfence.com
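
The fingerprint and issuer checks raised in this thread (a changed certificate is only noticeable if an earlier one was recorded, and a change of issuing CA is the stronger signal), written out as an added example that is not part of any poster's message. The function names, the pin-store layout and the sample certificate bytes and CA names are constructed for illustration.

```python
"""Trust-on-first-use certificate pin check (added example, names hypothetical)."""
import hashlib
import socket
import ssl


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def issuer_name(peercert):
    """Flatten the 'issuer' field of SSLSocket.getpeercert() into 'k=v, k=v'."""
    return ", ".join(f"{k}={v}" for rdn in peercert.get("issuer", ()) for k, v in rdn)


def observe(host, port=443, timeout=5.0):
    """Fetch (fingerprint, issuer) from a live host. Needs network access, so the
    sample run below does not call it. A gateway certificate that chains to a
    trusted root validates normally, which is why the issuer is recorded too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return fingerprint(der), issuer_name(tls.getpeercert())


def check(pins, host, fp, issuer):
    """Compare an observation with the stored pin and classify it.

    'first-seen'      no earlier record, so nothing to compare against
    'unchanged'       same certificate as last time
    'reissued'        new certificate from the same issuer (routine renewal)
    'issuer-changed'  new certificate from a different CA: verify out of band
    The stored pin is updated only for 'first-seen' and 'reissued'.
    """
    known = pins.get(host)
    if known is None:
        pins[host] = {"fp": fp, "issuer": issuer}
        return "first-seen"
    if known["fp"] == fp:
        return "unchanged"
    if known["issuer"] == issuer:
        pins[host] = {"fp": fp, "issuer": issuer}
        return "reissued"
    return "issuer-changed"


def demo():
    """Run four constructed observations of one site through the pin store."""
    # Constructed stand-ins for DER certificates; these are not real certificates.
    cert_old = b"constructed-der: bank.example leaf, serial 01"
    cert_new = b"constructed-der: bank.example leaf, serial 02"
    cert_gateway = b"constructed-der: bank.example leaf minted by gateway"
    # Constructed issuer records in the shape getpeercert() returns.
    public_ca = issuer_name({"issuer": ((("countryName", "US"),),
                                        (("organizationName", "Example Public CA"),))})
    gateway_ca = issuer_name({"issuer": ((("countryName", "AU"),),
                                         (("organizationName", "Example Corp Internal CA"),))})
    pins = {}
    results = [
        check(pins, "bank.example", fingerprint(cert_old), public_ca),
        check(pins, "bank.example", fingerprint(cert_old), public_ca),
        check(pins, "bank.example", fingerprint(cert_new), public_ca),
        check(pins, "bank.example", fingerprint(cert_gateway), gateway_ca),
    ]
    return results, pins


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

A 'first-seen' result carries no assurance, since an intercepting gateway present on the first visit is recorded as the baseline.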