Category: Writing

Categories
Links Writing

Testing for “reverse” Heartbleed

Testing for “reverse” Heartbleed:

The Heartbleed vulnerabilityin OpenSSL allows a malicious TLS implementation to extract random chunks of memory from an unpatched peer. If you’re not up to speed on Heartbleed, check out the excellent documentation on that site andcheck your servers ASAPto see if you might be vulnerable.

Most of the attention around the Heartbleed attack has focused on the simplest and most obvious scenario: a malicious client attacking an HTTPS server to steal cookies, private keys, and other secrets. But this isn’t the only attack possible: a malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from that client. The TLS heartbeats used in this attack aresymmetric: they can be initiated by either the “client” or the “server” in a TLS connection, and both endpoints use the same vulnerable parsing code.

Importantly, even if the server that you are querying (e.g. Tumblr.com) is patched against this OpenSSL vulnerability the servers behind the front-end of the server may not be. As a result, payment gateways, agents responsible for fetching URLs, some identity federation protocols, and so forth may also be vulnerable. In Meldium’s tests, who have they announced was vulnerable?

  • An unnamed top 5 social network (we’re waiting for confirmation of their fix) that fetched our URL to generate a preview. The memory we extracted from their agent included results from internal API calls and snippets of python source code.
  • Reddit, which can use a URL to suggest a name for a new post, used a vulnerable agent that they’ve now patched. The memory we were able to extract from this agent was less sensitive, but we didn’t get as many samples because they patched so quickly (nice work!).
  • We registered a webhook to our malicious URL at rubygems.org to notify us whenever a gem was published. Within a few minutes, we captured chunks of S3 API calls that the Rubygems servers were making. After the disclosure, they quickly updated OpenSSL and are now protected (really nice work, especially from an all-volunteer staff!).

This is just a very, very small snippet of vulnerable parties. And given how many backend systems will simply not be updated for fear of breaking compatibility (e.g. in the case of payment gateways) this will be a long-term vulnerability.

SSL: the solution to a problem that is persistently generating problems unsolvable by SSL itself.

Categories
Aside Links

How Heartbleed transformed HTTPS security into the stuff of absurdist theater

I think the link between absurdist theatre and SSL certificate revocation checking is a (bit) tenuous, but nevertheless Dan Goodin’s article over at Ars Technica does a good job in describing (in less technical language than Adam Langley’s post) why having your browser check for revoked SSL certificates really isn’t all that effective.

Categories
Aside Links

Google is researching ways to make encryption easier to use in Gmail

Google is researching ways to make encryption easier to use in Gmail:

In response to Edward Snowden’s mass surveillance revelations, Google is working to make complex encryption tools, such as PGP, easier to use in Gmail.

PGP, or Pretty Good Privacy, is an encryption utility that historically has been difficult to break. But Google has “research underway to improve the usability of PGP with Gmail,” according to a person at the company familiar with the matter.

If Google is actually going to throw engineers and designers (most important: lots, and lots, and lots of UI and UX designers!) towards improving the basic usability of PGP that would be incredible. However, given people’s suspicion of the company given the NSA disclosures I have to wonder whether any public offering from Google will be regarded as some kind of a trojan horse by some civil liberties groups and the cynical public alike.

Categories
Aside Links

Outrageous cost estimates for open records requests

Some real gems in that post. Highly recommended if you want to understand why researchers/journalists complain vociferously about the hell of FOIA/ATIP laws.

Categories
Links

Air Canada flight from Vancouver carried child with measles

Air Canada flight from Vancouver carried child with measles:

Health officials in Edmonton are issuing warnings after a passenger who arrived in the city on a flight from Vancouver was later diagnosed with measles, but similar warnings have not been issued in Vancouver.

I think that bad movies, and unpleasant contagious outbreaks, are premised on such realities.

Categories
Links

More than half Canada’s Navy vessels are either being repaired, modernized or otherwise at reduced readiness

Of a total of 33 main ships and submarines, 15 are being repaired or undergoing upgrades, while another four are at a lesser state of readiness as they conduct tests on recently installed and modernized systems.

This is an embarrassment given that Canada is (in theory) a naval nation. We have no serious land-borders to defend and are largely unable to project any significant force abroad via our navies. Such force projection needn’t be in the service of aggressive or ‘peacekeeping’ missions: simply being able to guard major shipping lanes is something that Canada is increasingly ill-suited to contribute to. Decades of failed procurement process have led to an embarrassing state of affairs, and one unlikely to improve anytime in the near future.

Source: More than half Canada’s Navy vessels are either being repaired, modernized or otherwise at reduced readiness

Categories
Aside Links

Heartbleed Internet Security Flaw Used in Attack

Using Heartbleed, the name for a flaw in security that is used in a wide range of web servers and Internet-connected devices, the attacker was able to break into an employee’s encrypted virtual private network, or so-called VPN, session.

From there, the hacker or hackers used the Heartbleed bug about 1,000 times until successfully extracting information like passwords to get broader access to the victim’s network, said researchers at Mandiant, a cybersecurity firm.

The targeted company only noticed the attack in its later stages. When it began analyzing what happened, it realized the Heartbleed bug was used as the entry point, said Christopher Glyer, an investigator at Mandiant.

It’s a statement from Mandiant and so some mindfulness should be taken when reading their comments. (The same is true when parsing statements from other for-profit security companies.) Still, that Heartbleed is not only weaponized (that happened almost immediately after it was integrated into Metasploit) but is showing up in the wild prominently enough to warrant a response from Mandiant demonstrates why Heartbleed is going to be a problem for years going forward. For a good, if technical, discussion of why the hurt is just going to continue (like all things that involve breaking SSL…) see Adam Langley’s recent post titled “No, Don’t Enable Revocation Checking.”

Also: even if you don’t read Adam’s post you can follow the lesson he provides in the title of his technical post. If in the aftermath of the Heartbleed vulnerability you enabled Revocation Checking in Chrome then disable it, ASAP.

Source: Heartbleed Internet Security Flaw Used in Attack

Categories
Aside Links

Heartbleed may lead to more security audits, advanced security services

Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs, said that there has been an increased call for outside security audits for OpenSSL, the security system affected by Heartbleed.

“Researchers have been grumbling that OpenSSL and other highly-relied upon security libraries need to be subject to more ‘forensic audits’ by professionals to identify and patch flaws before they are exploited in the wild,” he said.

Heartbleed was discovered by ateam of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.

Missed this when it went up, but posting because I think it touches on something that is important to track as things move forward: despite experts inside and outside of industry recognizing the need for more audits of critical packages like OpenSSL, will resources actually be devoted to enable such work?

Source: Heartbleed may lead to more security audits, advanced security services

Categories
Links Writing

Stubborn negatives undermine Tories’ shot at another majority

Den Tandt writes:

Third, and most important: The Conservative government, read the prime minister, has ignored this glaring strategic reality: To counter a Trudeau-led Liberal party and a Mulcair-led NDP, the Conservatives needed to curb their anti-democratic tendencies — epitomized by omnibus bills and constant, intransigent resistance to compromise, which looks like the arrogance of long-held power — and make themselves credible on the environment. Unfortunately for their more moderate supporters, they have done neither; if anything, they’ve doubled down.

Core Conservative support, just under 30 per cent of the voting population, has kept the party more than solvent; but it can’t win it a majority. That is a fundamental problem for the Harper team, and one it has precious little time to solve.

While I’d like to agree that the current governing party of Canada’s anti-democratic approaches should cost it seats, if not the election, I have strong doubts. I often speak with Canadians (of various political stripes)  and ask whether they want decisive action (demonstrated in the form of the current government’s omnibus legislation) or a more drawn out periods of action as parties communicate to develop some kind of quasi-consensus on issues (often as characterized in a minority government situation). Save for the extremely rare person, most state a preference for decisiveness and regard omnibus legislation as efficient. The rationale is almost always that ‘government should be doing things, not stuck just talking for a long time and wasting taxpayer monies’.

Personally, I find such responses extremely depressing. But if my anecdotal conversations have any resonance with the broader Canadian public then I’d be doubtful that ‘anti-democratic’ approaches to governance will be what relieves the current governing party from power. Scandal, perhaps, but I don’t even think the Duffy affair is sufficiently scandalous to cost the government too much.

Categories
Links

The Wright affair: The RCMP falls off its horse … again

Beyond a short press release announcing its decision to drop the Wright probe on the eve of a state funeral, the RCMP’s top brass has taken up residence in the cone of silence to skirt all sorts of uncomfortable, unanswered questions about this discreditable affair.

The ordinary citizen part of me is perturbed by yesterday’s surprising events — which signal, yet again, that the rich, powerful and politically-connected are seemingly immune from any meaningful accountability for their actions.

The former investigative reporter in me is resigned to it all. I recall that the RCMP decided not to do a damn thing when it was revealed that former prime minister Brian Mulroney pocketed at least $225,000 in cash-stuffed envelopes from Karlheinz Schreiber, a notorious Austrian financier and arms dealer, while the pair met in New York soon after Mulroney left office in 1993.

Andrew Mitrovica, on the sadness and frustration that passing 90K to a sitting Senator is apparently neither a summary or indictable offence.

Source: The Wright affair: The RCMP falls off its horse … again