New Job

June 15th, 2012 No comments

I’ve been pretty absent from both blogging and tweeting recently as I left my job as a Security Researcher to do penetration testing for Convergent Network Solutions. This involved moving from Reading to London, which was great since I’ve always wanted to live there. Other than starting what I hope will be a long career as a Penetration Tester, I’ve also been working on my MSc, where I am developing a web application fuzz tester.

Of course, there are already a lot of fuzz testers out there, especially for web apps, so mine will be “special” in a number of ways. Firstly, it will be a command-line tool so that users can run it from machines without a display manager (always useful). Secondly, it will use an XML-based “scripting” language that I have developed, which will allow people not familiar with programming (QA teams for instance) to easily write tests in a structured way that they can understand. Finally, it will support multiple fuzzing methods including a simple list of values, incrementing numbers, and completely random data.

I hope to open source it at the end of development, and of course I’ll make any such announcements on this blog.

New Targeted Malware: Flame

May 29th, 2012 No comments

Various organisations have revealed the existence of yet another piece of malware used for targeted attacks against a country’s infrastructure. Flame (also known as Flamer and sKyWIper), was discovered jointly by Kaspersky Lab, Iran’s MAHER Center, and CrySyS Lab of the Budapest University of Technology and Economics.

The most visible difference between Flame and earlier pieces of targeted malware like Stuxnet and Duqu is the size, expanding to 20 megabytes when fully installed (Stuxnet was only half a megabyte). CrySyS Lab, which discovered Duqu in 2011, have described Flame as “arguably… the most complex malware ever found.”

More information on Flame can be found below:

Identification of a New Targeted Cyber-Attack - Iran National CERT (MAHER)

The Flame: Questions and Answers – Kaspersky Lab

sKyWIper: A complex malware for targeted attacks [PDF] – CrySyS Lab

Meet ‘Flame’, The Massive Spy Malware Infiltrating Iranian Computers – Threat Level (Wired)

Flame malware – more details of targeted cyber attack in Middle East – Naked Security (Sophos)

Flame: Massive cyber-attack discovered, researchers say – BBC News

How to Secure your Facebook Account

May 25th, 2012 No comments

A few months ago I joined the UK Yahoo! Contributor Network, which pays people to write specific articles that are then published on Yahoo! After a few assignments about movies and mobile technology, the editors were impressed enough to let me write on various security related topics.

I’ve written three so far, the first of which has just been approved and published, so please go read it and share it with friends:

How to secure your Facebook account

Unlike the rather technical and complex articles on this blog, my Yahoo! articles will apply to as many people as possible. If you’ve ever wondered about the security of your Facebook account, or have friends who need it drastically, this article should help you out.

IBM Security Gaffes

May 14th, 2012 No comments
Image representing IBM as depicted in CrunchBase

Image via CrunchBase

Part of my job involves reading through a lot of documentation, especially if it is security related. I don’t usually come across many mistakes or gaffes, but when I do, 99% of the time they were written by someone at IBM. The following quotes are all taken from IBM’s AIX V6 Advanced Security Features [PDF] redbook.

AES, as standardized by NIST, is not exactly in the form the Rijndael was originally submitted. It has a fixed block size of 128 bits, and has key sizes of 128, 192, and 512 bits.

Whilst a 512 bit key size for AES might be more secure, the standard doesn’t support it. The key sizes are actually 128, 192, and 256 bits. This is a simple mistake to make, so it is more forgivable than the others.

SHA256 is the Secured Hash Algorithm with a 256-bit key.

I’m not sure what the author of this statement was thinking of when writing it. The ’256′ in SHA256 corresponds to the length of the output the hash generates (256 bits). It is possible that the author was confusing a cryptographic hash function like SHA256 with an HMAC, which does involve a key. However, even then the key size is not dictated by the hash function used in the HMAC. Indeed, any length of key can be used, the longer the better. Additionally, the ‘S’ in SHA stands for “Secure” not “Secured”, but that is just a small nitpick.

Typically the owner of the private key encrypts data with their private key, and the receiver or reader of the data decrypts with the public key.

This explanation of how public key cryptography works is completely backwards, quite literally. The public key can safely be known by anyone (hence the name), so it makes no sense to use it to decrypt data. The proper way to use public key cryptography is to encrypt using the public key, and decrypt using the private key. This means that anyone can send encrypted data, but only the private key owner can decrypt it. The other way around, there is practically no security gained by encrypting the data; you are no better off than sending it in plaintext.

The resulting ciphertext was, and still is, impossible to crack with a brute force attack.

This was found in a section discussing Triple DES, which whilst being far stronger than regular DES, is not “impossible” to crack with a brute-force attack. In fact, nothing is impossible to crack with a brute-force attack (apart from properly implemented one time pads), since brute-force attacks generate and test every possible key. Such an attack on Triple DES is unfeasible, since generating the keys and running the attack takes a very long time with current hardware.

Blocking The Pirate Bay

May 9th, 2012 No comments

Just over a week ago, the High Court in the UK ruled that ISPs in the country must block access to notorious file sharing site The Pirate Bay. Since that ruling, only Virgin Media has complied with the demand, and that resulted in their website getting taken offline after Anonymous targeted it with a DDoS attack. There are more serious problems for ISPs than hacktivist retaliation over the enforcement of this ruling though; blocking access to something on the Internet is very hard indeed.

DNS Filtering

When you type in the web address for The Pirate Bay (https://thepiratebay.se), the first thing your browser does is send a query to a DNS server to translate the domain name (thepiratebay.se) into an IP address (194.71.107.15). Without this vital step, your browser is unable to make any connections to The Pirate Bay at all, so one way to block access would be to have the DNS server respond with a fake or invalid IP address. All ISPs have their own DNS servers, and these are usually set as the default in home routers, so this is easy to do. However, this default can be overridden, sometimes on the router itself, but also on your home computer. To get around this type of block, you would simply have to tell your computer to get The Pirate Bay’s IP somewhere else.

IP Filtering

The other popular method for blocking content is to block connections to the IP addresses themselves. The ISP will collect all IP addresses that correspond to the site that needs to be blocked, and when connections to that IP are detected, they are either dropped, or routed somewhere else. In the case of Virgin Media’s block of The Pirate Bay, it seems that this is the method they are using, with all traffic destined for The Pirate Bay’s IPs being routed to Virgin Media’s servers instead.

The main problem with this type of filtering is that it also blocks any other websites that are hosted at the same IP address. This isn’t an issue with The Pirate Bay, who own and operate their own IP addresses and have dedicated servers, but could be if this type of blocking is widely used in the future. For instance, this blog is hosted on a dedicated server along with several other websites, one of which is my personal site (adrianhayter.com). If some ISP were to decide that cryptogasm.com needed to be blocked, and they blocked its IP address, then access to adrianhayter.com would also be blocked. That’s not good at all.

Although IP filtering is harder to get around than DNS filtering, it is still possible by using proxies.

Proxies

Proxy servers (proxies) are servers dotted around the Internet which allow you to forward requests and receive responses through them. As long as the proxy’s ISP isn’t blocking the content you seek, you will be able to access it. There are many proxy servers out there on the Internet, including ones that have been set up to directly counter the blocks on The Pirate Bay.

There are some problems with using proxies though; the main one being that they tend to be much slower than accessing the site normally. However, this is a small price to pay to avoid censorship. The good thing about proxies is that they can be based anywhere, and so blocking access to them becomes almost impossible, as new ones will emerge all the time. The one thing that ISPs can do to counter the use of proxies is to use deep packet scanning.

Deep Packet Scanning

When handling the packets of data that you have either sent or have requested, your ISP typically scans the headers in order to send them on to the correct locations. However, they do have the ability to scan the bodies of the packets as well, and with the right analysis could be able to detect whether the content inside came from The Pirate Bay. Luckily, this technique is easily mitigated by using HTTPS, which means that all data transmitted between yourself and The Pirate Bay (or the proxy) encrypted.

So, if you are using a proxy to gain access to The Pirate Bay, or another blocked website, make sure that the proxy itself supports HTTPS (usually denoted by a padlock or green tick in your address bar). The two proxies I listed above both support it, so they should be fine to use.

Solving Piracy

Don’t get me wrong, I don’t condone piracy, but I also don’t think the solution to it lies with blocking good websites (The Pirate Bay has a lot of legal content, as do other torrenting sites). In my opinion, the main reason people pirate things is because it is easy to do so. People do not mind paying for things, but they want to pay for things on their terms, which is why services like Spotify and Netflix are so popular.

The solution to piracy is for the copyright owners to embrace change, and to start services of their own, which allow their customers to buy a single song rather than the entire album, or a few episodes of their favourite TV show and not the box set. This popular cartoon by The Oatmeal lays the argument out quite neatly.

Update (25/5/2012): The Pirate Bay recently announced a new IP address which they can be reached at: 194.71.107.80.