National Security Breaking Agency | TechSNAP 236
Posted on: October 15, 2015

How the NSA might be breaking Crypto, fresh zero day exploit against Flash with a twist & Keylogging before computers.
Plus a great batch of your questions, a rocking round-up & much more!
— Show Notes: —
How might the NSA be breaking crypto?
- “There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand. However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community.”
- “Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.”
- PDF: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
- “The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.”
- “If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.”
- “For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”
- “Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.”
- “Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto. While the documents make it clear that NSA uses other attack techniques, like software and hardware “implants,” to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale.”
- “8.4% of Alexa Top 1M HTTPS domains allow DHE_EXPORT, of which 92.3% use one of the two most popular primes”
- “After a week-long precomputation for each of the two top export-grade primes (see Table 1), we can quickly break any key exchange that uses them. Here we show times for computing 3,500 individual logs; the median is 70 seconds.”
- “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?”
- If the NSA has precomputed just one DH 1024-bit group, they would be able to compromise 37% of the HTTPS traffic to the top 1 million sites using an active downgrade attack. If they have precomputed the ten most popular DH 1024-bit groups, that number increases to 56%.
- When applied to VPNs, the single most popular DH 1024-bit group would cover 66% of all traffic; for SSH, the number is 25%. For both VPN and SSH, extending to the top 10 groups does not increase the likelihood of compromise, which suggests that outside of one very popular 1024-bit group, most other servers do not reuse the same group as others.
- “We performed a scan in which we mimicked the algorithms offered by OpenSSH 6.6.1p1, the latest version of OpenSSH. In this scan, 21.8% of servers preferred the 1024-bit Oakley Group 2, and 37.4% preferred a server-defined group. 10% of the server-defined groups were 1024-bit, but, of those, nearly all provided Oakley Group 2 rather than a custom group”
- Recommendations from the paper:
- Transition to elliptic curves: Transitioning to elliptic curve Diffie-Hellman (ECDH) key exchange with appropriate parameters avoids all known feasible cryptanalytic attacks
- Increase minimum key strengths: Server operators should disable DHE_EXPORT and configure DHE ciphersuites to use primes of 2048 bits or larger.
- Avoid fixed-prime 1024-bit groups: For implementations that must continue to use or support 1024-bit groups for compatibility reasons, generating fresh groups may help mitigate some of the damage caused by NFS-style precomputation for very common fixed groups.
- Don’t deliberately weaken crypto: Our downgrade attack on export-grade 512-bit Diffie-Hellman groups in TLS illustrates the fragility of cryptographic “front doors”. Although the key sizes originally used in DHE_EXPORT were intended to be tractable only to NSA, two decades of algorithmic and computational improvements have significantly lowered the bar to attacks on such key sizes.
- “Prior to our work, Internet Explorer, Chrome, Firefox, and Opera all accepted 512-bit primes, whereas Safari allowed groups as small as 16 bits. As a result of our disclosures, Internet Explorer, Firefox, and Chrome are transitioning the minimum size of the DHE groups they accept to 1024 bits, and OpenSSL and Safari are expected to follow suit.”
- Additional information from the researchers site WeakDH.org
- Sysadmin’s guide to securing your servers
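As an added example (not from the paper or the show), here is a small Python audit of the ServerDHParams structure a TLS server sends in its ServerKeyExchange message, applying the size thresholds from the findings above: export-grade (512-bit), 1024-bit, and the recommended 2048-bit minimum. The sample message is constructed inline and is not a real server's parameters.

```python
import struct

# Size thresholds from the paper's findings and recommendations.
EXPORT_MAX_BITS = 512       # DHE_EXPORT: breakable after a week of precomputation
WEAK_MAX_BITS = 1024        # plausibly within a state-level attacker's reach
RECOMMENDED_MIN_BITS = 2048 # what server operators should configure


def parse_server_dh_params(body: bytes):
    """Parse TLS ServerDHParams: three uint16-length-prefixed big-endian
    integers dh_p, dh_g, dh_Ys (RFC 5246 section 7.4.3). Returns (p, g, Ys)."""
    fields, offset = [], 0
    for _ in range(3):
        if offset + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        chunk = body[offset:offset + length]
        if len(chunk) != length:
            raise ValueError("truncated ServerDHParams")
        fields.append(int.from_bytes(chunk, "big"))
        offset += length
    return tuple(fields)


def classify_dh_prime(p: int) -> str:
    """Map the prime's bit length onto the verdicts used in the paper."""
    bits = p.bit_length()
    if bits <= EXPORT_MAX_BITS:
        return "export-grade"
    if bits <= WEAK_MAX_BITS:
        return "weak"
    if bits < RECOMMENDED_MIN_BITS:
        return "below-recommended"
    return "ok"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of the parser; used only to build the constructed sample."""
    def enc(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return enc(p) + enc(g) + enc(ys)


def audit(body: bytes) -> dict:
    p, g, ys = parse_server_dh_params(body)
    return {"bits": p.bit_length(), "verdict": classify_dh_prime(p)}


# Constructed sample (placeholder values, not a real prime or real server):
# a 512-bit odd modulus standing in for an export-grade DHE_EXPORT group.
SAMPLE_P = (1 << 511) | 0xDEADBEEF | 1
SAMPLE_G = 2
SAMPLE_YS = pow(SAMPLE_G, 12345, SAMPLE_P)
SAMPLE_BODY = encode_server_dh_params(SAMPLE_P, SAMPLE_G, SAMPLE_YS)

if __name__ == "__main__":
    print(audit(SAMPLE_BODY))  # {'bits': 512, 'verdict': 'export-grade'}
```

A server whose parameters classify as anything other than "ok" should, per the recommendations above, disable DHE_EXPORT, move to a 2048-bit or larger prime, or prefer ECDHE ciphersuites.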
Fresh Zero Day exploit against fully patched Adobe Flash
- Just last week, we were commenting on how quiet things have been on the Adobe Flash front
- Sorry for jinxing it for everyone
- This zero-day exploit even affects Flash version 19.0.0.207, which was released on Tuesday
- Adobe expects to release a patch that fixes the zero-day some time next week
- “Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers”
- “So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. At this early stage, no other technical details are available”
- “In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit”
- In this wave of attacks, the emails were about the following topics:
- “Suicide car bomb targets NATO troop convoy Kabul”
- “Syrian troops make gains as Putin defends air strikes”
- “Israel launches airstrikes on targets in Gaza”
- “Russia warns of response to reported US nuke buildup in Turkey, Europe”
- “US military reports 75 US-trained rebels return Syria”
- The most startling thing here is that you would not expect government employees to get such news via email, so they should know better than to fall for emails with these subjects or follow links with such headlines.
- “It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.”
- It will be interesting to see if any of the exploit kits manage to pick up this zero-day before the patch is released
- This attack is currently focused on governments, and the attackers likely want to keep their zero-day to themselves
- Once a fix is released, I would expect the regular malware authors to reverse engineer the fix to find the vulnerability, and then see it added to the regular exploit kits
- Additional Coverage: Krebs
Keylogging before computers: How Soviets used IBM Selectric keyloggers to spy on US diplomats
- “A National Security Agency memo that recently resurfaced a few years after it was first published contains a detailed analysis of what very possibly was the world’s first keylogger—a 1970s bug that Soviet spies implanted in US diplomats’ IBM Selectric typewriters to monitor classified letters and memos.”
- “The electromechanical implants were nothing short of an engineering marvel. The highly miniaturized series of circuits were stuffed into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen using X-ray equipment, recorded the precise location of the little ball Selectric typewriters used to imprint a character on paper. With the exception of spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every key press and transmit it back to Soviet spies in real time.”
- “The Soviet implants were discovered through the painstaking analysis of more than 10 tons’ worth of equipment seized from US embassies and consulates and shipped back to the US. The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.”
- “Despite the ambiguities in knowing what characters were typed, the typewriter attack against the US was a lucrative source of information for the Soviets,” an NSA document, which was declassified several years ago, concluded. “It was difficult to quantify the damage to the US from this exploitation because it went on for such a long time.” The NSA document was published here in 2012. Ars is reporting the document because it doesn’t appear to have been widely covered before and generated a lively conversation Monday on the blog of encryption and security expert Bruce Schneier.
- “When the implant was first reported, one bugging expert cited in Discover magazine speculated that it worked by measuring minute differences in the time it took each character to be imprinted. That theory was based on the observation that the time the Selectric ball took to complete a rotation was different for each one. A low-tech listening device planted in the room would then transmit the sounds of a typing Selectric to a Soviet-operated computer that would reconstruct the series of key presses.”
- “In fact, the implant was far more advanced and worked by measuring the movements of the “bail,” which was the term analysts gave to the mechanical arms that controlled the pitch and rotation of the ball.”
- “In reality, the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital electrical signal. The signals were compressed into a four-bit frequency select word. The bug was able to store up to eight four-bit characters. When the buffer was full, a transmitter in the bar sent the information out to Soviet sensors.”
- “There was some ambiguity in determining which characters had been typed. NSA analysts using the laws of probability were able to figure out how the Soviets probably recovered text. Other factors which made it difficult to recover text included the following: The implant could not detect characters that were typed without the ball moving. If the typist pressed space, tab shift, or backspace, these characters were invisible to the implant. Since the ball did not move or tilt when the typist pressed hyphen because it was located at the ball’s home position, the bug could not read this character either.”
- “The implants were also remarkable for the number of upgrades they received. Far from being a static device that was built once and then left to do its job, the bugs were constantly refined.”
- “There were five varieties or generations of bugs. Three types of units operated using DC power and contained either eight, nine, or ten batteries. The other two types operated from AC power and had beacons to indicate whether the typewriter was turned on or off. Some of the units also had a modified on and off switch with a transformer, while others had a special coaxial screw with a spring and lug. The modified switch sent power to the implant. Since the battery-powered machines had their own internal source of power, the modified switch was not necessary. The special coaxial screw with a spring and lug connected the implant to the typewriter linkage, and this linkage was used as an antenna to transmit the information as it was being typed. Later battery-powered implants had a test point underneath an end screw. By removing the screw and inserting a probe, an individual could easily read battery voltage to see if the batteries were still active.”
- “The devices could be turned off to avoid detection when the Soviets knew inspection teams were in close proximity. Newer devices operated by the US may have had the ability to detect the implants, but even then an element of luck would have been required, since the infected typewriter would have to be turned on, the bug would have to be turned on, and the analyzer would have to be tuned to the right frequency. To lower this risk, Soviet spies deliberately designed the devices to use the same frequency band as local television stations.”
- I thought this was an interesting example of how espionage works and how hard it can be to detect
Feedback:
- 2 Gbps with direct connections? (FreeBSD lagg link aggregation, round-robin across two igb ports)
- ifconfig lagg0 create
- ifconfig lagg0 laggproto roundrobin laggport igb0 laggport igb1
- ifconfig lagg0 192.168.101.1/24
- Remote PC power on
- APC AP7900 is $600+, but can be cheap on eBay
Round Up:
- Security researcher claims $24k bounty from Microsoft for Hotmail hack
- Turning the FCC’s proposal around, a coalition of 260 security researchers want the FCC to REQUIRE that all router firmwares be open source
- University of Cambridge study finds 87% of Android devices are insecure
- Flaw in Kaspersky’s “Network Attack Blocker” could allow an adversary to trick your firewall into blocking traffic from any address, including Kaspersky and Windows update
- “USB Killer” flash drive can fry your computer’s innards in seconds
- OpenZFS adds new hashing algorithms: SHA512/256, Skein, and Edon-R … and RESUMABLE ZFS REPLICATION!!!!
- EMC agrees to buyout by Dell
- Web Authentication Arms Race — A tale of two security experts
- Windows 10 start menu to include ads for “suggest apps”
- Statically Linking a Windows Kernel Driver as an ELF — A FireEye challenge
- Kemoge: Another Mobile Malicious Adware Infecting Over 20 Countries
- Researcher sets up a DigitalOcean droplet with the shellshock vulnerability, and watches what happens
- Company offers up to $3 million for jailbreak of new “rootless” iOS9
- An XSS vector containing no letters