
Thursday, September 8, 2011
This week's low-down on hacker activity, compliments of our friends at SecurityProNewz.com
The Internet Taken By The Horns: WikiLeaks, Certificate Authorities, And Apache

Staff Writer
2011-09-08

The internet is a universe of information. Just as in the physical world not everyone is permitted to go wherever they like, so we have the military, fences, and signs that say "Employees Only"; on the internet we just have Certificate Authorities (CAs), usernames, and passwords. While WikiLeaks' complete database was released, the internet has been taken by the horns with the breach at the CA DigiNotar and security vulnerabilities in Apache and other software.
The full WikiLeaks database of 250,000 diplomatic cables has now been released. It can be found on sites like cryptome.org. According to an interview between NewScientist and Julian Assange, there was a secure arrangement between the Guardian and WikiLeaks for the Guardian to have access to the cables in order to do journalism. Long story short, the credentials for accessing the cables were leaked. The Guardian has its own story, which involves Assange telling them that the password would expire. WikiLeaks tweeted, "It is strictly false that the Guardian was told the password or file were temporary, hence the elaborate password handover method."
Nonetheless, it all resulted in WikiLeaks publishing the entire set of cables in order to minimize the amount of harm that could be done. Having the information public allows those who might do harm and those who might be harmed to have the same information. The second reason, Mr. Assange states, was that there is now a reliable source for the cables. Knowing that the cables had been released, but having no sound source for them, allowed people to claim authenticity for whatever they circulated; there have already been stories published in other countries that were based on manufactured cables. Mr. Assange appeared on 60 Minutes with CBS, and the release of the cables will have enormous implications for the future.
Another earth-shaking event was the breach last month of a Dutch Certificate Authority, DigiNotar, which was only just made public. Certificate Authorities are poorly understood. An article, "The Internet's Secret Back Door" by Danny O'Brien, published last year, explains how these Certificate Authorities work and the reason they were implemented. Essentially, SSL certificates are the way a user knows the authenticity of the site they are viewing, which makes this worse than the recent DNS attacks, since certificates are expected to be secure. Some 531 false certificates were issued last month, and according to a nakedsecurity post the false certificates were used by the Iranian government to spy on secure communications in their country. The Tor Project's website has a list of all the rogue certs, which shows that false certificates were issued for websites such as Facebook, Twitter, Microsoft, and Google.
This means that information transferred to those websites could be decrypted. Firefox immediately released an update (6.0.1) to remove all DigiNotar-signed websites from its list of trusted ones, and then immediately released a second update (6.0.2) to catch ones signed by DigiNotar's other signatory that it had missed. Microsoft also released patches that revoke DigiNotar certificates, yet Apple has yet to do so for the Mac. Paul Suh, a former Apple employee, made a post on how to remove the certificates from Mac computers in the meantime. He makes the stark statement that "due to the nature of the certificates system, until the DigiNotar.nl registrar is completely secured and how the attack was conducted becomes publicly available, every SSL protected website and service in the world is vulnerable." Such a statement is perhaps extreme, but other CAs, such as GlobalSign, are taking precautions.
Lastly, a major issue in Apache was fixed with the release of version 2.2.20. The vulnerability in previous versions of Apache involves sending complex byte-range requests. Byte ranges are sent in HTTP headers to tell the server to return only part of the body, which is used in progressive downloads of large files such as media files. Parsing complex ranges that overlap requires memory to process, and even just a few such requests can consume all of the server's memory, resulting in a Denial of Service (DoS). Here is an example of a complex overlapping byte-range request:
HEAD / HTTP/1.1
Host: ziel.host.tld
Range: bytes=0-[...],5-0,5-1,5-2,5-3,5-4,5-5 5-1297,5-1298,5-1299
There is a proposal to change the IETF specification for byte ranges to fix this issue. In the meantime, there are several workarounds, one being to use multi-stage filtering with mod_rewrite, such as the one posted by Douglas Huff:
# Multi-stage filter: refuse Range headers shaped like the overlapping request above
RewriteEngine On
# a first range starting at byte 0 that is followed by further ranges
RewriteCond %{HTTP:Range} bytes=0-[0-9]+, [NC,OR]
# a run of four or more comma-terminated ranges ("+" added here: as printed, the group matched only single-character ranges)
RewriteCond %{HTTP:Range} bytes=([0-9-]+,){4,} [NC,OR]
# a whole-body range "0-" appearing after other ranges
RewriteCond %{HTTP:Range} bytes=[0-9,-]+,0-(,|$) [NC]
# any request matching one of the conditions is answered with 403 Forbidden
RewriteRule .? http://%{SERVER_NAME}/ [NS,L,F]
Later comments mention some changes (comment 1, comment 2) to make to this. The example above is a HEAD request, but Apache is also vulnerable to other request methods such as GET. To test this, one can use a perl script that was released in an email.
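A defensive check for the overlapping-range pattern described above, as an added example that is not part of the original article, of Apache's own fix, or of the mod_rewrite rules: it parses a Range header the way a front-end filter could, rejects malformed or inverted specs such as the "5-0" in the request above, and flags requests whose ranges are too numerous, overlap, or together ask for more bytes than the body holds. The threshold of five ranges and the sample headers are constructed assumptions, not values from the article.

```python
import re
# Constructed sample Range values (not from the article); "abuse" mimics the
# overlapping request quoted above: "0-" then hundreds of ranges over the same bytes.
SAMPLE_HEADERS = {
    "single":  "bytes=0-1023",
    "resume":  "bytes=500-",
    "few":     "bytes=0-99,200-299,400-499",
    "overlap": "bytes=0-99,50-149",
    "abuse":   "bytes=0-," + ",".join(f"5-{i}" for i in range(5, 1300)),
}
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_ranges(header, size):
    """Byte-range header -> (start, end) pairs clipped to a body of `size` bytes."""
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        m = RANGE_SPEC.match(spec)
        if not m or spec == "-":
            raise ValueError(f"malformed range spec {spec!r}")
        first, last = m.groups()
        if first == "":                  # suffix range "-N": the last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
        if start > end:                  # e.g. "5-0": syntactically invalid
            raise ValueError(f"inverted range spec {spec!r}")
        ranges.append((start, end))
    return ranges

def overlaps(ranges):
    """True if any two ranges share a byte once sorted by start offset."""
    ordered = sorted(ranges)
    return any(b[0] <= a[1] for a, b in zip(ordered, ordered[1:]))

def range_request_is_abusive(header, size, max_ranges=5):
    """Flag malformed headers, too many ranges, overlapping ranges, or ranges
    that together ask for more bytes than the body holds; resume/multipart pass."""
    try:
        ranges = parse_ranges(header, size)
    except ValueError:
        return True
    if len(ranges) > max_ranges:
        return True
    served = sum(end - start + 1 for start, end in ranges)
    return served > size or overlaps(ranges)
```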
A lot more is going on as well, such as DNS hacks that have taken down sites like The Register, Acer, UPS, and many others that zone-h has listed. The Linux kernel's site, kernel.org, was hacked, though, as the article explains, the kernel's use of Git, a revision control system, makes it nearly impossible to pass off a falsified version of the kernel. The group 0xx0 has allegedly obtained 840,000 user records with plain-text passwords and some 46 databases from K&M Electronics, which is perhaps confirmed by their posting of the entire database schema and continued updates on their site of vulnerabilities at K&M.
About the Author:
Joe Purcell is a technology virtuoso, cyberspace frontiersman, and connoisseur of Linux, Mac, and Windows alike.