Tuesday, December 30, 2008

25C3: MD5 Collisions and SSL Certs


At the Chaos Computer Congress currently on in Berlin, a group of researchers have described an attack that utilizes MD5 collisions to create an intermediate Certificate Authority which would permit them to act as a Man-in-the-Middle in SSL transactions. While a lot of effort went into creating a huge hype for this announcement, the short answer is that the Internet is not dead yet.

That said, this is a potentially serious attack. It permits somebody who is capable of generating an MD5 collision to effectively impersonate any SSL enabled website.

There is very little the end user or any website administrator can do. The solutions to this attack lie with the certificate providers...who must stop issuing MD5 signed certs. Verisign has announced that they are no longer issuing MD5 signed certs, others will follow quickly.

If you are an administrator of an SSL enabled web server or application you should take a look at your cert and see if it is signed with MD5 or SHA-1. If it is MD5, it would not be a bad idea to replace it with a new one signed with SHA-1. This will not prevent this particular attack (even if you have a SHA-1 signed cert, someone could impersonate your site using an MD5 signed cert), but it will go a long way to putting a nail in the coffin of MD5 signed certs once and for all.

How do you tell? Connect to each of your SSL enabled sites and double click on the padlock in the bottom right corner. Click "View Certificate", click the Details tab, scroll all the way down to the bottom and click on "Certificate Signature Algorithm". It should say "PKCS #1 SHA-1 With RSA Encryption" or something similar. If it says MD5 then I recommend calling your cert issuer and requesting a new one signed with SHA-1.
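The same check done in code, as an added example that is not part of the original post: a small DER reader that pulls the outer signatureAlgorithm OID out of a certificate and flags md5WithRSAEncryption. The certificate it parses is constructed inline (real DER framing around a dummy tbsCertificate and a dummy signature), so nothing here is a real cert.

```python
# Added example (not from the post): read the outer signatureAlgorithm OID from a
# DER-encoded X.509 certificate. The sample "certificate" below is constructed.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")   # 1.2.840.113549.1.1.4
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5

def _tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                   # base-128, high bit = more
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _tbs, pos = _tlv(cert, 0)                        # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)                         # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg, 0)
    assert tag == 0x06, "expected an OID"
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)                 # unknown OIDs come back dotted
def is_md5_signed(der):
    return signature_algorithm(der) == "md5WithRSAEncryption"

def _enc(tag, value):                                   # minimal DER encoder for the sample
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_sample_cert(sig_oid):                         # constructed stand-in, not a real cert
    return _enc(0x30, _enc(0x30, b"\x00" * 200)                  # dummy tbsCertificate
                + _enc(0x30, _enc(0x06, sig_oid) + b"\x05\x00")  # AlgorithmIdentifier + NULL
                + _enc(0x03, b"\x00" * 129))                     # dummy signatureValue
```

For a live site, `ssl.get_server_certificate((host, 443))` returns the PEM and `ssl.PEM_cert_to_DER_cert()` converts it to the bytes this expects; `openssl x509 -noout -text` shows the same field as "Signature Algorithm".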

Saturday, September 20, 2008

New (to me) nmap features!

I spent a little time today catching up on some emails I filed away for future reading. One of the emails that caught my attention was a write up on Fyodor's announcement at Defcon of new features in the new version of Nmap (was 4.75, 4.76 is out now) and the subsequent email from Fyodor on the nmap-hackers list. A few of these features caught my attention.

The first one is --top-ports. Essentially Fyodor and company spent the summer scanning the Internet and, from that research, classified all the TCP and UDP ports by how frequently each was found open.

According to their research

nmap --top-ports 10

will give you about 50% of the open ports and

nmap --top-ports 1000

will give you approximately 94% of the open ports.

The biggest difference is from a reconnaissance point of view. With the older nmap versions if you just let nmap loose with the default set of ports

nmap -sS -sU

nmap would scan over a thousand TCP and UDP ports. It wasn't quick against one IP, and it was interminably slow against a large IP range. For this reason most pentesters have a small range of 20-50 ports they use for discovery scans. With --top-ports this is largely superfluous, although there may be reasons you might want to add extra ports based on the environment being scanned.

Another option that came out of this research is the Fast Scan option (-F).

nmap -F

is perfect for discovery scans. It scans the top 100 ports of each protocol, increasing the speed from the default behaviour by an order of magnitude.
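To make the frequency idea behind --top-ports and -F concrete, here is an added example (my code, not the post's and not nmap's): it reads an nmap-services style file, ranks ports by the open-frequency column, and reports what share of the summed frequency the top N ports cover, which is the kind of number behind the 50% and 94% figures above. The sample lines and their frequencies are constructed for illustration, not nmap's measured values.

```python
# Added example, not from the post or from nmap: rank ports by the open-frequency
# column of an nmap-services style file and compute how much of the summed
# open-frequency the top N ports cover. The sample lines are constructed; the
# frequencies are made up for illustration, not nmap's measured values.
SAMPLE_SERVICES = """\
# name<TAB>port/protocol<TAB>open-frequency<TAB># optional comment
http\t80/tcp\t0.48\t# World Wide Web HTTP
telnet\t23/tcp\t0.22
https\t443/tcp\t0.21
ftp\t21/tcp\t0.20\t# File Transfer [Control]
ssh\t22/tcp\t0.18
smtp\t25/tcp\t0.13
unknown\t1234/tcp\t0.00001
snmp\t161/udp\t0.43
domain\t53/udp\t0.21
ntp\t123/udp\t0.09
"""

def parse_services(text):
    """Return {proto: [(port, freq), ...]} from nmap-services style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        _name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        table.setdefault(proto, []).append((int(port), float(freq)))
    return table

def top_ports(table, proto, n):
    """The n highest-frequency ports for proto, the ranking --top-ports is based on."""
    ranked = sorted(table.get(proto, []), key=lambda pf: pf[1], reverse=True)
    return [port for port, _ in ranked[:n]]

def coverage(table, proto, n):
    """Share of proto's summed open-frequency that its top n ports account for."""
    freqs = sorted((f for _, f in table.get(proto, [])), reverse=True)
    total = sum(freqs)
    return sum(freqs[:n]) / total if total else 0.0

if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for proto in ("tcp", "udp"):
        for n in (1, 3):
            print(proto, n, top_ports(table, proto, n), round(coverage(table, proto, n), 3))
```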

Taking a slightly different direction...I have always been an nmap command line bigot. This is partly because I have used nmap from the days when all that was available was the command line. Another reason is that I have never found an nmap GUI that I liked. Some of the new features in Zenmap have me re-evaluating that.

The two that got my attention are scan aggregation and mapping.

In short, scan aggregation is a feature that combines all scans performed from the same Zenmap window. This permits incremental scans, and analysis of the combined scan. Here is a screen shot of a couple of scans aggregated in Zenmap:

The mapping feature I still find a little lightweight, but it is an outstanding start. Here is the map from the same scan.

Some more detailed sample maps and a feature description are available at http://nmap.org/book/zenmap-topology.html.

There are other features that I haven't had time to look at yet, such as improved OS detection, rate limiting, and many, many, more.

Now if I can just get past my fear that nmap on Windows is somehow less accurate than nmap on *nix.

Friday, August 29, 2008

Cool: New Nmap features

Fyodor is God!!

Seriously...thanks to the Google Summer of Code and the hard work of Fyodor there are a bunch of new and way cool features coming in nmap.

Sunday, May 04, 2008

Declaration of Independence

Those who know me rapidly learn that I am not cut from the same cloth as the average person. I consider myself eccentric, intelligent, logical, and at the same time creative. I am not a good sheep, I can't settle for conformity, I challenge the status quo, and feel sorry for people who are willing to accept their lot in life without attempting to improve it.

While not directly security related, Pamela Slim has assembled a flash movie that closely resembles my philosophy on life, and is one of the most inspirational pieces I have seen in a long time. While she is trying to push the viewers towards entrepreneurial endeavours, the attitude and lifestyle she is proposing is very applicable to my life and should be applicable to most security practitioners' lives. This is not an industry that is made for people who are willing to accept the status quo, but rather for those who creatively look for solutions and push the envelope of technology and conventional thinking.

Hope you enjoy it!
Rick

Wednesday, January 09, 2008

Stephen Northcutt weighs in on security predictions (sort of)!

An interesting and somewhat insightful posting by Stephen Northcutt, the boss over at the SANS Technical Institute. Instead of doing his own predictions he has "borrowed" others.

I would like to take a chance to comment on some of these:

"Apple Will Gain Significant New Market Share"
While I expect that Apple will gain market share (I know I am hoping to go back to one), I can't see it being huge over the long term. The problem is that the people who are going to Apple are tech-savvy people looking for something better, and I expect will also have a Windows computer around. The problem is the "unwashed masses" don't have the ability to realize that there should be something better than Windows, nor are they prepared to look past the mountains of software available for Windows to make an informed decision to go to a computer system which is easier to use and easier to live with.

Information Centric Security Phase One
I have been trying to convince people to make this shift for years. Unfortunately, through whatever fault, decision makers aren't prepared to look past the security FUD spewed by the security vendors and do a proper risk analysis. I think if you start looking at your information and classifying it you will be drawn to the conclusion that the hard crunchy shell with the soft interior is no longer applicable. The concept of perimeter security was great for its time, but it comes from a day when very little information was available online and the perimeter protected a few machines. But this is a different world: most companies are 100% connected, and all of their crown jewels live on or are accessible from their corporate LANs. The volume of information available via a breach is astronomical compared to when perimeter security was conceived, and the sensitivity of the data stored on your corporate network is scary. It does not make sense to cast all data with the same brush any longer. Most information generated by the average corporation is mundane...however some of it is critical and the loss of that data can be fatal or at least severely harmful. Doesn't it make a lot of sense to start focusing security on the data and making sure the critical assets are better protected than your mundane information?

"even more paperwork will be devised by the clueless trying to help"
It sure seems the longer I am in security the more this is true. Nowadays it seems we spend more effort checking to see if we are compliant with whatever legislation or standard is sexy this week and less actually getting compliant, or better yet, getting secure! Standards are a wonderful thing to measure against, but the fact is they are a minimum set of controls which are great as a starting point. The fact is they don't represent reality, and they certainly don't represent your environment. We would all be better off if we spent less time doing compliance, and put more effort into doing what makes sense for us!

Thursday, January 03, 2008

GIAC, 20,000 strong

Near the end of December GIAC passed the 20,000 mark in certified individuals. This is a huge milestone for what is arguably the best security training organization anywhere (I am biased). Congratulations! Hopefully, 100,000 is not far off!