First Day Fail | TechSNAP 45 https://original.jupiterbroadcasting.net/17013/first-day-fail-techsnap-45/ Thu, 16 Feb 2012 18:03:18 +0000

The post First Day Fail | TechSNAP 45 first appeared on Jupiter Broadcasting.



A first-day-on-the-job tech support war story, as rough as they get! Plus details on the doubt researchers have recently cast on the fundamental security technology behind SSL.

Plus: Microsoft was caught storing customer passwords in clear text, we’ve got the story, and some questions!

All that and more, on this week’s TechSNAP!

Thanks to:

GOG.com – the digital game distributor with a difference.

Get 10% off if you buy 2 or more games like Wing Commander 3 and Syndicate

GoDaddy.com: use our code TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before February 29, 2012 to secure your own .co domain name for the same price as a .com.

Pick your code and save:
cofeb8: .co domain for $7.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
Deluxe Hosting for the Price of Economy (12+ mo plans)
Code:  hostfeb8
Dates: Feb 1-29

   


Show Notes:


Only 99.8% of the world's PKI uses secure randomness

  • PKI (Public Key Infrastructure) is the system of certificates and certificate authorities that ties public keys to identities; the keys themselves come from asymmetric (public-key) cryptography
  • Asymmetric means there is a key pair: what one key encrypts, only the other key can decrypt (and what the private key signs, the public key verifies)
  • In the RSA algorithm, a key pair is generated by selecting two large secret prime numbers (p and q) and multiplying them together. The product n = p × q serves as the modulus for both the public and private keys
  • Then a public exponent (e) is selected, typically 65537: it is prime, has only two bits set (so the public operation is fast), and is large enough to avoid the attacks that hit very small exponents
  • The private exponent (d) is the inverse of e modulo Euler's totient φ(n) = (p − 1)(q − 1), that is d × e ≡ 1 (mod φ(n)). Computing φ(n), and therefore d, requires knowing p and q, which is why factoring n breaks the key
  • An encrypted message (c) is produced by turning the padded plaintext (m) into an integer and computing c = m^e (mod n)
  • To decrypt the message: m = c^d (mod n)
  • This all seems relatively simple; one just has to remember the scale of the numbers being computed. In a 2048-bit RSA key like the one used by your bank or amazon.com, each of the prime numbers is about 1024 bits (over 300 decimal digits), and the modulus is their product
  • Researchers scanning public keys found that some RSA keys in use on the internet share the same modulus (meaning they were generated from the same secret primes, which points to the same poor randomness at key generation). Two unrelated parties that end up holding the same key can each decrypt the other's traffic or impersonate the other
  • The researchers also found moduli that share exactly one prime factor with another key's modulus. A modulus on its own is supposed to be unfactorable, but the greatest common divisor of two such moduli reveals the shared prime, which factors both keys and exposes both private keys; this is the roughly 0.2% behind the headline figure
  • Overall, many of the compromisable keys appear to belong to expired certificates and old PGP keypairs, and the danger to modern, properly generated RSA keys is much lower
  • Rebuttal by Dan Kaminsky
  • New York Times Coverage
  • Research Paper
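To see the key generation above and the shared-prime problem in working code, here is an added example written for these notes; it is not code from the research paper, from Dan Kaminsky's rebuttal or from the show. It uses the notes' own formulas with small constructed primes so it runs instantly; the prime values, the message value and the function names are illustrative choices, and real keys use primes of about 1024 bits each with identical arithmetic.

```python
# Added example for these show notes, not from the research paper or the show.
# Tiny RSA using the notes' formulas, then the shared-prime GCD attack.
# The primes below are small constructed values so the script runs instantly;
# real keys use ~1024-bit primes, but the arithmetic is identical.
from math import gcd

E = 65537  # the usual public exponent


def rsa_keypair(p, q, e=E):
    """Build (n, e, d) from two primes exactly as the notes describe."""
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler's totient for n = p*q
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n); pick other primes")
    d = pow(e, -1, phi)                  # d*e = 1 (mod phi(n)), Python 3.8+
    return n, e, d


def encrypt(m, n, e):
    """c = m^e (mod n); m is the padded message as an integer, m < n."""
    return pow(m, e, n)


def decrypt(c, n, d):
    """m = c^d (mod n)."""
    return pow(c, d, n)


def shared_prime(n1, n2):
    """Return the prime two moduli have in common, or None.

    Properly generated moduli are coprime, so the gcd is 1. A gcd equal to a
    modulus means the two keys are identical (the duplicate-key finding).
    Anything in between is a prime that factors BOTH moduli.
    """
    g = gcd(n1, n2)
    if g in (1, n1, n2):
        return None
    return g


def recover_private_exponent(n, e, p):
    """With one factor known, the notes' own formula gives d."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def find_weak_keys(moduli):
    """Pairwise GCD over a collection of public moduli (the scan that found
    the 0.2%). Returns {index: shared_prime}. Quadratic, fine for a demo."""
    weak = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            p = shared_prime(moduli[i], moduli[j])
            if p is not None:
                weak[i] = p
                weak[j] = p
    return weak


# Constructed primes for the demo (genuine primes, just small).
P, Q, R, S, T = 1000000007, 1000000009, 998244353, 1000000021, 999999937

# Two "different" owners whose key generators shared one prime (bad RNG):
N1, _, D1 = rsa_keypair(P, Q)
N2, _, D2 = rsa_keypair(P, R)
# A properly generated, unrelated key:
N3, _, D3 = rsa_keypair(S, T)


def demo():
    """Recover D1 from public data only: (N1, E) plus the other public modulus N2."""
    p = shared_prime(N1, N2)             # == P, leaked by the GCD
    d_recovered = recover_private_exponent(N1, E, p)
    message = 0xC0FFEE                   # stands in for a padded message
    c = encrypt(message, N1, E)
    return d_recovered == D1, decrypt(c, N1, d_recovered) == message


if __name__ == "__main__":
    print(demo())                        # (True, True)
    print(find_weak_keys([N1, N2, N3]))  # {0: P, 1: P}
```

The duplicate-key case shows up as a gcd equal to the modulus, the shared-prime case as a gcd strictly between 1 and n. The pairwise loop here is quadratic; over millions of keys the same arithmetic is arranged as a product tree and remainder tree (batch GCD) so it scales almost linearly.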

Cryptome hit by the Blackhole exploit kit

  • Cryptome is a popular and long-standing document repository for whistleblowers and others interested in secret information
  • From the site: “Cryptome welcomes documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance – open, secret and classified documents – but not limited to those. Documents are removed from this site only by order served directly by a US court having jurisdiction. No court order has ever been served; any order served will be published here – or elsewhere if gagged by order. Bluffs will be published if comical but otherwise ignored.”
  • On February 8, an attacker managed to upload PHP code that served malicious JavaScript; the script inserted an iframe loading an attack site that exploits a vulnerability in Internet Explorer. The PHP code specifically avoids serving the exploit when the requesting IP belongs to Google or to a number of other web scanners designed to detect malware, so that the infected site does not get blacklisted. The same cloaking means a check made from a known scanner address will see a clean page, so verify a suspected infection from an address the attacker would not expect
  • By February 14, 16:30 UTC, all files had been restored from backup
  • Symantec has offered to help investigate the attack
  • The malware (the Blackhole exploit kit) is very common and accounts for a large portion of all infected websites found on the internet
  • The exact vector used to infect the site is not yet known; restoring from backup without finding it leaves the site open to the same attack again
  • Detailed Analysis
  • Additional Coverage
  • Official Announcement with extensive details
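The kind of check a site owner would want after reading the above, as an added example written for these notes (it is not code from Cryptome, Symantec or the exploit kit): a scan for hidden iframes in a page, and a comparison of the same page as seen by a scanner and by an ordinary visitor. The sample pages, the `example.invalid` URLs, the `66.249.` scanner prefix and the `fake_fetch` stand-in for an HTTP client are constructed for the demo; the "tiny or CSS-hidden frame" heuristics and the `document.write` check are assumptions about what injected code looks like, not a signature of this particular attack.

```python
# Added example for these notes, not code from Cryptome, Symantec or the
# exploit kit. It looks for the kind of injected, hidden iframe described
# above and shows why a one-sided check misses a cloaking injector.
import re
from html.parser import HTMLParser


class _PageScan(HTMLParser):
    """Collect every <iframe> attribute set and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _px(value):
    """'1', '1px', ' 0 ' -> int; percentages or garbage -> None."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def hidden_reasons(attrs):
    """Why a frame would be invisible to the visitor yet still load (heuristics)."""
    reasons = []
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css-hidden")
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("tiny")
    if re.search(r"(left|top):-\d{3,}", style):
        reasons.append("off-screen")
    return reasons


def find_hidden_iframes(html):
    """[(src, [reasons])] for static hidden frames, plus script-written ones."""
    scan = _PageScan()
    scan.feed(html)
    hits = [(f.get("src", ""), r) for f in scan.iframes if (r := hidden_reasons(f))]
    for body in scan.scripts:
        # The Cryptome injection wrote its frame from JavaScript; catch the
        # plain document.write('<iframe ...') pattern (assumed shape, heuristic).
        if "document.write" in body and "iframe" in body.lower():
            hits.append(("script:document.write", ["script-injected"]))
    return hits


def cloaked_frames(fetch, scanner_identity, visitor_identity):
    """Fetch the same page as a scanner and as a visitor; report hidden frames
    only the visitor receives. fetch(identity) is whatever performs the HTTP
    request. The injector keyed on SOURCE IP, so the two fetches must come
    from different networks, not merely carry different User-Agent strings."""
    seen_by_scanner = {src for src, _ in find_hidden_iframes(fetch(scanner_identity))}
    seen_by_visitor = {src for src, _ in find_hidden_iframes(fetch(visitor_identity))}
    return sorted(seen_by_visitor - seen_by_scanner)


# Constructed sample pages (not real Cryptome content).
CLEAN_PAGE = (
    "<html><body><h1>Cryptome</h1>"
    "<iframe src='https://example.invalid/embed' width='640' height='360'></iframe>"
    "</body></html>"
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<iframe src='http://example.invalid/landing.php' width='1' height='1' "
    "style='visibility:hidden'></iframe></body>",
)
SCRIPT_INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>document.write("<iframe src=\'http://example.invalid/x.php\' '
    'width=1 height=1></iframe>");</script></body>',
)


def fake_fetch(identity):
    """Stand-in for an HTTP client that mimics the injector's cloaking:
    a (constructed) scanner address prefix gets the clean page, all others
    get the payload. Replace with a real fetch from two different networks."""
    return CLEAN_PAGE if identity.startswith("66.249.") else INJECTED_PAGE


if __name__ == "__main__":
    print(find_hidden_iframes(INJECTED_PAGE))
    print(cloaked_frames(fake_fetch, "66.249.66.1", "203.0.113.7"))
```

A static scan of the files on disk is still the first thing to do after an incident like this; the comparison fetch exists because an injector that hides from scanners also hides from a monitoring host whose address it has listed, and a single "clean" fetch proves nothing.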

War Story:

This week we have another in the series of war stories sent in by Irish_Darkshadow (the other other Alan)


I joined IBM in February 1999 as a tech support agent for US Thinkpad (laptop) support. The training regime in those days was 7 weeks long with the final 5 weeks each being dedicated to hands on experience with a different product family / line. The call center had two support sections – Aptiva (IBM desktops for home users) and Thinkpad (IBM laptops for business & home users). The most technical staff from Aptiva were usually moved onto Thinkpad support before too long as that was the flagship brand.

Major emphasis during the training for Thinkpad support was placed on never resorting to a reload to solve an issue. We had solid problem solving technique driven into us constantly for the 7 weeks. The only caveat was that if the support call exceeded 1 hour then we should ask a team leader for permission to escalate the case to 2nd level support. I got the distinct impression that to do so was an admission of defeat and the only exception with passing your case over to 2nd level was if there was some procedure or fix that required advanced skills or registry changes.

My first shift was coming in at 16:30 until 01:30 from Monday to Friday which was typical for supporting US based users. For my first few hours on the floor I simply call shadowed an existing agent to get a feel for the type of calls and how they were handled. Immediately prior to joining IBM I had been running my own computer shop but my partner swindled funds from the company and I shut it down and made my money doing freelance work until I got the “I’m pregnant” revelation from my girlfriend and decided a steady paycheck was a smarter option. This gave me a major ego when it came to these mere tech support calls compared to my level of experience and that bit me in the ass on my first time out of the gate.

I finished up my call shadowing and went to my own desk, set up my applications for creating the tickets. My workstation was a P166 running OS/2 Warp 4.0…awesome eh? So once I was settled in I hit the Avail button on my phone and awaited my first US user encounter. It only took a minute or so for a call to come in then I dished out the scripted greeting “Thank you for calling the IBM PC Help Center. My name is Alan with Thinkpad support. How may I help you?”. Then you let the user give the opening details, capture anything that might be relevant….ask for computer type and serial number to assess warranty status and from there it’s just problem determination.

The user had just picked up a 3Com PCMCIA network card and the thinkpad wouldn’t detect it properly. It was a Win95 preload and the user seemed savvy enough to have installed the drivers properly but nonetheless, I made him go through the entire process again with me listening in. Nothing seemed to be at fault. I got the user to go into Device Manager (making sure the other agents around me could hear what an absolute BOSS I was being in handling this call). Once there I asked if he could see an entry for the card and he did, as suspected it had an exclamation mark beside it. In my head I started to jump forward to possible causes like memory address space conflicts, IRQ conflicts, corrupted drivers or even operating system updates that might be needed to support such a high tech card (yep, I said it…1999…it WAS high tech damn it!). I reckoned that the IRQ conflict was the most likely starting point and asked the user to check the IRQ view in Device Manager and tell me what he saw. As he described the device tree to me I got that sinking feeling. The one where you know that the next thing you are going to do is going to make you look like a complete and total tit in front of the colleagues that you have just been showboating for. The user had explained to me that every single hardware entry in the IRQ list showed the status of “In Use By Unknown Device”. There is only 1 explanation for that – corrupted registry. I had two choices….#1 was to do a user.da0 and system.da0 restore from DOS mode and #2 was admit defeat and reload the machine. #1 was not something that IBM wanted agents doing so I bit the bullet and called 2nd level support to explain. It turned out that the 2nd level support guy was floor walking near my seat and had heard EVERYTHING. He swaggered over with an evil smirk and told me to reload the system. My first call turned into the one solution that we were absolutely NOT supposed to resort to.
To cap it all off the 2nd level guy finished with “I’ll be keepin’ an eye on you Elliott. A close eye.” and at that point the only phrase going through my head was “bollocks drink feck arse girls diddy wank!”. And so began my tech support career.


Round-Up:


Planning for Failures | TechSNAP 19 https://original.jupiterbroadcasting.net/11308/planning-for-failures-techsnap-19/ Thu, 18 Aug 2011 22:05:43 +0000

The post Planning for Failures | TechSNAP 19 first appeared on Jupiter Broadcasting.


The RSA leak exposes the dirty underbelly of the commercial security industry; it’s a story that sounds like it’s straight out of Hollywood.

Then: we’ve packed this episode full of audience questions and our answers. Find out how to plan for failure, start building a website, and more.

All that and more, on this week’s TechSNAP!


Show Notes:

News

EXCLUSIVE: Leaked “RSA dump” appears authentic

  • A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.
  • The dump claims the operation targets include private US defence firms.
  • The analysis, which was leaked when Anonymous attacked HBGary Federal in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China.
  • The IP addresses serve a configuration file that redirects infected hosts to an interactive command and control IP based in Hong Kong.
  • HBGary codenamed the operation “Soysauce”.
  • The HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.
  • Pastebin Dump

Feedback

Q: (DreamsVoid) I have a server setup, and I am wondering what it would take to setup a backup server, that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I will break it apart and give one possible answer each week for the next few weeks. The first possible solution is to use something like BSD’s CARP (Common Address Redundancy Protocol). With it you assign each server an IP address like normal; then on each one you create a virtual CARP interface, where you assign a shared IP (and a virtual host ID, the vhid) common to the servers in your CARP group. The servers advertise their control of the shared IP address, and whichever server does so first becomes the master for that IP. The way you configure multiple hosts to fail over in a specific order is by setting an ‘advertisement skew’ (advskew) on each: the advertisement interval is advbase seconds plus advskew/256 seconds, and a backup only takes over after it has heard nothing from a master for about three of its own intervals. A common convention is an advskew of 100 times the server’s position in the pool, so with the default advbase of 1 second the 2nd server advertises (and times out) about 0.39 s later than the 1st and the 3rd about 0.78 s later; the 3rd server only gains control of the IP address if the 1st and 2nd are no longer advertising. This system basically moves the IP address of the service you are trying to keep up to whatever machine in the pool is actually up. CARP requires that the servers run identical services and hold static copies of the content; obviously, you don’t want to fail over your web server to your mail server if your mail server is not running an HTTP server. CARP shares an address, not data, so anything stateful (a database, uploaded files) needs its own replication. CARP works best for ‘stateless’ protocols, and one of the most common uses of CARP is redundant routers. If you are using FreeBSD or a derivative such as pfSense, you can put CARP on the IP your DHCP server gives out as the default gateway, so that if one of your routers is down the other automatically takes over. pf’s pfsync protocol (which pfSense supports) keeps the firewall state table, NAT entries included, synchronised between the two routers so that open connections are not dropped. This type of setup can be important if the business behind the router cannot afford downtime for such trivial things as OS upgrades on the routers: with CARP you can take down one router at a time, upgrade it, and put it back in service without affecting the end users and servers behind the routers.
Another option in CARP is ‘preempt’ (the net.inet.carp.preempt sysctl). Besides letting a host with a lower skew reclaim master status when it comes back, it makes CARP demote all of a machine’s CARP interfaces if any one of them loses master status (for example because the physical link under it drops), not just the one that failed. This can be important if your routers are connected to different ISPs: if one of the links goes down, the router takes itself out of service on both sides, so traffic is routed via the backup router and its Internet connection.
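The election described above, as an added example written for these notes rather than code from FreeBSD, pfSense or the show: a small discrete-time model of CARP master election by advertisement skew. The timing rules (interval = advbase s + advskew/256 s, a backup waiting about three intervals of silence, a new master advertising immediately, a master stepping down when it hears a better one, preempt letting a better backup take over from a slower master) follow the BSD behaviour; the host names, the 0/100/200 skews and the tick-based scheduling are illustrative, and packet loss, IP-address tie-breaking, pfsync and link-state demotion are left out.

```python
# Added example for these notes: a small discrete-time model of CARP master
# election by advertisement skew. Illustrative code written for the show notes,
# not FreeBSD's carp(4). Timing follows the BSD rules (interval = advbase s +
# advskew/256 s, backup timeout of 3*advbase s + advskew/256 s); tie-breaking
# by IP address, packet loss, pfsync and link-state demotion are omitted.
from dataclasses import dataclass

TICK = 256  # model time in 1/256 s, the unit CARP uses for advskew


@dataclass
class Host:
    name: str
    advbase: int = 1        # seconds between advertisements when master
    advskew: int = 0        # 0..254; the answer's "100 * position" convention
    alive: bool = True
    state: str = "BACKUP"   # every interface starts as backup and listens
    last_sent: int = 0
    last_heard: int = 0     # last tick at which we heard a master advertise

    @property
    def adv_interval(self):
        return self.advbase * TICK + self.advskew

    @property
    def master_down_timeout(self):
        # carp(4): a backup waits 3*advbase s + advskew/256 s in silence
        return 3 * self.advbase * TICK + self.advskew

    def better_than(self, other):
        # lower interval wins; real CARP breaks exact ties by IP address
        return (self.adv_interval, self.name) < (other.adv_interval, other.name)


class CarpGroup:
    """Hosts sharing one vhid on one segment; they learn about each other
    only from the advertisements on the wire."""

    def __init__(self, hosts, preempt=False):
        self.hosts = hosts
        self.preempt = preempt   # net.inet.carp.preempt
        self.now = 0

    def masters(self):
        return [h.name for h in self.hosts if h.alive and h.state == "MASTER"]

    def fail(self, name):
        self._host(name).alive = False

    def restore(self, name):
        h = self._host(name)
        h.alive, h.state, h.last_heard = True, "BACKUP", self.now

    def _host(self, name):
        return next(h for h in self.hosts if h.name == name)

    def _take_over(self, h, wire):
        h.state = "MASTER"
        h.last_sent = self.now
        wire.append(h)           # a new master advertises immediately

    def run(self, ticks):
        for _ in range(ticks):
            self.now += 1
            live = [h for h in self.hosts if h.alive]
            wire = []
            for h in live:
                if h.state == "MASTER":
                    if self.now - h.last_sent >= h.adv_interval:
                        h.last_sent = self.now
                        wire.append(h)
                elif self.now - h.last_heard >= h.master_down_timeout:
                    self._take_over(h, wire)   # silence: the master is down
            i = 0
            while i < len(wire):               # deliver, including replies
                sender = wire[i]
                i += 1
                for h in live:
                    if h is sender:
                        continue
                    if h.state == "MASTER":
                        if sender.better_than(h):
                            h.state, h.last_heard = "BACKUP", self.now
                    elif self.preempt and h.better_than(sender):
                        self._take_over(h, wire)   # preempt a slower master
                    else:
                        h.last_heard = self.now


def failover_demo(preempt):
    """Three routers skewed 0/100/200 as in the answer above. Returns the
    master after election, after router1 dies, and after router1 returns."""
    group = CarpGroup(
        [Host("router1", advskew=0), Host("router2", advskew=100), Host("router3", advskew=200)],
        preempt=preempt,
    )
    group.run(1000)
    elected = group.masters()
    group.fail("router1")
    group.run(1000)
    after_failure = group.masters()
    group.restore("router1")
    group.run(2000)
    after_return = group.masters()
    return elected, after_failure, after_return


if __name__ == "__main__":
    print(failover_demo(preempt=False))  # (['router1'], ['router2'], ['router2'])
    print(failover_demo(preempt=True))   # (['router1'], ['router2'], ['router1'])
```

Without preempt the address stays on router2 after router1 comes back, which is what you want if router1 is flapping; with preempt router1 reclaims it as soon as it hears router2's slower advertisement, which is what you want when router1 is simply the better box. The failover delay in the model, just over three seconds with advbase 1, is why a load balancer or monitoring probe can briefly see the address unreachable during a takeover.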


Q: (Mattias) I have been using the NoScript addon for Firefox and have become aware of just how many sites use Google Analytics. Is it a good way for website admins track visitors, or just a way for google to track everyone?

A: Google Analytics is based on a product called Urchin that Google acquired; Google Analytics is basically a cloud-hosted version of it. You can still buy a copy of Urchin, but they don’t mention how much it costs. Google Analytics provides much richer detail than you get from a regular log-file analyzer. One of the keys to its success for e-commerce is the integration with AdWords and other CPC/CPA sites: Google Analytics allows the store to pass information about the purchases that are made, and Google correlates these with the keywords the user searched for and how much was paid for the advertisement. This allows stores to optimize their bids to get the best return on their advertising.

While there are some privacy concerns about what Google does with the collected data, the site itself does not hand over much. Your account details on the site you are visiting are not passed to Google by the Analytics script, and only a small number of sites pass data about what you purchased back to Google, which they do for their own sales/conversion reporting rather than for Google’s benefit. Usually the data passed back is just an internal product ID and does not tell Google anything useful about your purchase. What Google necessarily does see, because your browser fetches the script from Google and sends the page hits to Google’s servers, is your IP address and the page you are on, and since the same script is on a large fraction of the web that does add up to a cross-site view of your browsing; that is the part NoScript and the blockers below cut off.

Find out who tracks you: Ghostery


Q: (Leon) Hi guys,

Thanks for answering my question last time.
I’ve set up a testbox here on my desk with FreeBSD to tinker with spamassassin/amavis. It’s been a long time since I did anything with FreeBSD but Allan/TechSNAP made me curious for it again.

My question: what’s the best way to keep your FreeBSD (ports) up to date? Just checking it manually/reading the security mailing lists or is there some kind of tool that Alan uses for automatically updating his servers?

Thanks again and thanks for the great show(s). The recent comment of Chris convinced me to support Jupiter with a monthly subscription.

Regards,
Leon

A: The built-in tool for keeping your ports tree up to date is called portsnap. It fetches a compressed snapshot once and after that only binary patches (bsdiff) of the changes to the ports tree since your last update (‘portsnap fetch update’), and it supports a simple cron method (‘portsnap cron’ in your crontab) where it sleeps for a random period before starting so that everyone cron’ing portsnap won’t hit the server at the same time. Once your ports tree is updated, there are a number of tools you can use to upgrade your installed packages. The tool I use is ‘portupgrade’, but there are others such as ‘portmanager’ and ‘portmaster’. There is also the VuXML (Vulnerability and eXposure Markup Language) database, which describes vulnerable ports; tools such as portaudit check it against your installed packages and against packages you are about to install. Keep in mind that this only covers ports: security advisories for the base system are announced on the FreeBSD security mailing lists and applied with freebsd-update, which portsnap does not touch.


Q: (Dan) I was going to send this email to Chris, but since you guys are doing a Q&A session on Techsnap, I figured I might as well send it here. Do you have any recommendations on sources for building websites? I’ve got a career move pending on a creation of a website, and a deadline of next week. I haven’t done basic HTML for about 6 years, and this site will need a forum and a way to pay for a service. I’m not worried about the hosting, I will be hosting it on my home server until the site is approved and ready to hit the ‘tubes. Any suggestions or information you have would be greatly appreciated!

PS. Been watching for two years, he’s Honclbrif in the IRC Chat room!

A: There are a number of great Open Source CMS (Content Management System) platforms out there. Some of the most popular are WordPress, Drupal and Joomla, all of which have huge support communities and thousands upon thousands of free design templates. They also feature rich plugin architectures that allow you to add functionality such as video embedding or e-commerce. WordPress is designed for a more ‘blog’-like website and might not fit well depending on the type of site you are building. Drupal is very extensible, but its framework can be a bit frustrating at times. You might want to look at which platform has the plugins that best fit your needs, and then go from there. Whichever you pick, the themes and plugins you bolt on are the part that most often needs security patching, especially anything handling payments or forum logins, so stick to well-maintained ones and keep them updated along with the core.


Bitcoin Blaster:

