Sunday, 18 May 2008

xkcd.com - Security Holes

Following on from my last post, the wonderful xkcd.com has a humorous take on the whole matter.



Friday, 16 May 2008

Debian/Ubuntu: Serious OpenSSL/SSH vulnerability

Debian - you can never be sure

Debian - guaranteed entropy

Back in September 2006 a change was made to the Debian-packaged OpenSSL: two calls that fed data into the random number generator were removed from md_rand.c. The reason? One of them produced an "uninitialised data" warning in Valgrind, the Linux memory-debugging, leak-detection and profiling tool, and removing them made the warning go away!

Unfortunately one of those calls was the one that mixed the caller-supplied entropy into the generator. With it gone, the only unpredictable input left was the process ID, so the number of distinct keys an affected system could produce fell from an effectively unlimited keyspace to about 2^15.

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are the cryptographic protocols that provide secure communications on the Internet for things such as web browsing, e-mail, instant messaging and other data transfers. There are small differences between SSL and TLS, but for the purposes of this post they are essentially the same.

The problem is that when creating a key with the affected OpenSSL (OpenSSH on Debian uses OpenSSL's generator too) there are only 32,767 possible outcomes for a given architecture, key size and key type, one per possible process ID, rather than a keyspace far too large to enumerate. An attacker can simply pre-generate all of them, which leaves affected systems wide open.

A large majority of Debian and Ubuntu systems are affected: anything that generated keys with the broken packages between September 2006 and the fix released on 13 May 2008. To correct the problem users need not only to update OpenSSL but also to revoke and replace any cryptographic keys and certificates generated on affected systems. From the Debian security advisory (DSA-1571):
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.
For most people this means the SSH server's host keys and any key pairs used for public-key SSH authentication. The advisory also warns that DSA keys are compromised even if they were generated elsewhere, if they were ever used for signing on an affected system: DSA needs a secret random value for every signature, and the broken generator made that value predictable. It is more of a headache for people running web servers, since any keys or certificates generated on affected machines for SSL/HTTPS also need to be revoked and regenerated. And remember that an authorized_keys file on an unaffected server can still contain weak public keys that were generated on an affected client, so those need checking as well.
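To make the "only 32,767 possible keys" point concrete, here is a toy model written for this page; it is not OpenSSL's code and does not reproduce real key generation. It shows a "generator" whose only varying input is the process ID, the fingerprint blacklist an attacker (or an administrator) can build by enumerating every PID, and a properly seeded generator beside it for contrast. The hashing, the victim PID 4242, PID_MAX and the key size are assumptions of the toy.

```python
"""Toy model of the Debian OpenSSL PRNG bug (added example, not OpenSSL code).

With the entropy-mixing calls removed, the only input that still varied
between runs of the generator was the process ID, so every key an affected
machine could produce is determined by a PID in 1..32767.  The "generator"
below is a deliberately tiny stand-in for that situation; the "fixed"
version mixes in real OS entropy the way a correctly seeded PRNG would.
In this toy the public and private halves are the same bytes; the point is
that a public fingerprint alone pins down which PID produced the key.
"""
import hashlib
import os
from typing import Dict, Optional

PID_MAX = 32768        # Linux default pid_max at the time; usable PIDs are 1..32767 (assumption)
KEY_BYTES = 16         # size of the toy "key"; a real key is derived from far more bytes


def broken_key(pid: int, arch: str = "i386", key_type: str = "rsa", bits: int = 2048) -> bytes:
    """Broken generator: the key depends on nothing but arch/type/size and the PID."""
    seed = f"{arch}/{key_type}/{bits}/{pid}".encode()
    return hashlib.sha256(seed).digest()[:KEY_BYTES]


def fixed_key(pid: int, arch: str = "i386", key_type: str = "rsa", bits: int = 2048) -> bytes:
    """Correct generator: the same inputs plus 32 bytes of OS entropy."""
    seed = f"{arch}/{key_type}/{bits}/{pid}".encode()
    return hashlib.sha256(os.urandom(32) + seed).digest()[:KEY_BYTES]


def fingerprint(key: bytes) -> str:
    """Stand-in for an SSH key fingerprint (MD5 of the public key blob)."""
    return hashlib.md5(key).hexdigest()


def build_blacklist(arch: str = "i386", key_type: str = "rsa", bits: int = 2048) -> Dict[str, int]:
    """Enumerate every key the broken generator can produce for one arch/type/size.

    This is exactly what makes the bug fatal: 32,767 candidates is a trivial
    amount of work, so the whole set can be precomputed once and reused.
    """
    return {fingerprint(broken_key(pid, arch, key_type, bits)): pid
            for pid in range(1, PID_MAX)}


def recover_pid(blacklist: Dict[str, int], fp: str) -> Optional[int]:
    """If a public key's fingerprint is in the blacklist, return the PID that made it."""
    return blacklist.get(fp)


def is_weak(blacklist: Dict[str, int], public_key: bytes) -> bool:
    """The check an administrator wants: is this key one of the 32,767 predictable ones?"""
    return fingerprint(public_key) in blacklist


def demo() -> Optional[int]:
    """Victim generates a key under PID 4242; attacker recovers it from the fingerprint alone."""
    blacklist = build_blacklist()
    victim_pub = broken_key(4242)                      # all the attacker ever sees
    pid = recover_pid(blacklist, fingerprint(victim_pub))
    assert pid == 4242 and broken_key(pid) == victim_pub   # keyspace enumerable => key recovered
    assert not is_weak(blacklist, fixed_key(4242))     # properly seeded key is not on the list
    return pid


if __name__ == "__main__":
    print("recovered PID:", demo())
```

Run it with python3 and it reports the PID recovered from nothing but the victim's fingerprint. Checking a key against a precomputed fingerprint list is the same idea behind the ssh-vulnkey and openssl-vulnkey tools Debian shipped with the fix, and a scan should cover authorized_keys files as well as host keys, because weak keys generated on affected clients end up there too.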

There is a lot to think about here. I have worked with many software developers and have noticed that many have a natural tendency to want to fix and re-engineer things that aren't even broken. (I am guilty of it myself.)

This stems from an engineer's urge to make sense of things: taking something apart and putting it back together is a common way to increase familiarity with, and understanding of, the machine, engine or code they are working on. But it is hard to resist the temptation to make 'improvements' along the way, and silencing a warning without first understanding why the code behind it was there is exactly how this one happened.

More discussion of the problem (and pre-generated sets of the weak keys) here:
Debian OpenSSL Predictable PRNG Toys


Tuesday, 13 May 2008

Security flaw turns Gmail into spam open-relay server

Spam Tin

A recently discovered flaw in Google's very popular e-mail service is capable of turning Gmail into an effective spam machine. According to the Information Security Research Team (INSERT), the flaw allows a spammer to send thousands of bulk e-mails through Google's servers without being detected, bypassing both Google's identity-fraud protection and the current 500-address limit on bulk e-mail.

The worry is not just that the flaw allows spammers to send a potentially unlimited number of messages; it is also that the trust other e-mail providers place in Gmail could amplify any spam sent through it.

Spam currently accounts for 95 percent of all e-mail traffic, and many e-mail providers have adopted whitelists and blacklists as a first line of defence against the flood. E-mail from a known spamming domain (or its IP address block) may be blocked outright by a given e-mail service, while e-mail from a trusted, authenticated source such as Gmail is waved through the gateway.

Most e-mail providers use multi-level filtering, which might still detect that the forged Gmail message is spam, but the message will have cleared a substantial hurdle that would otherwise have stopped it. Messages originating from Google, it seems, are well regarded by both Yahoo and Hotmail. INSERT tested the degree of trust between the three major e-mail providers by sending the same spam message to Yahoo and Hotmail from two sources: first from personal systems whose IP addresses had been blacklisted by Yahoo and Hotmail, then via the Gmail flaw INSERT discovered.

The difference was significant: e-mail sent to Yahoo and Hotmail from the blacklisted IP did not necessarily even reach the account's spam box, while the forged e-mail sent via Gmail always arrived. That is not to say that trusted-source filtering is bad, but it demonstrates how a security flaw in a single product or service can ripple through an ecosystem.

The flaw is reported to be still present at the time of this post.

(credit to the Ars Technica report)


Thursday, 8 May 2008

Radio Paradise Scrobbler


Radio Paradise is one of my favourite Internet radio stations, whether I am listening to it on my PC or on my Logik IR100 Reciva-based Internet radio.

Radio Paradise is a popular and pioneering Internet radio station that describes itself as "eclectic online rock radio". It differs from most FM stations and other Internet stations in that the music it plays is not limited to any specific genre but covers a great variety, much like my own listening tastes: mostly different styles of pop and rock, but occasionally everything from jazz and classical to electronic and world music.

I am also an avid fan of last.fm, the music community website, and have been scrobbling my listening habits for 4 years now. The problem with listening to Internet radio is that media-player plugins won't scrobble the track information, even if it is supplied in the stream. Enter build.last.fm, which I posted about a while ago: a site where developers can post utilities and applications that use the last.fm API.

One of these applications is a Radio Paradise Scrobbler, which uses the extensive playlist information readily available on the Radio Paradise website to add to your listening data. It works pretty well; the only criticism is that it doesn't actually know whether you are listening to the tracks, since playback happens independently in the media player of your choice. It seems simply to monitor the playlist for changes while it is running and post the data, so you will need to remember to close it when you aren't listening.


Twitter expanding my Web2.0 world and a broken Facebook application

Twitter Addict

I signed up to Twitter months ago (primarily to squat on the username!) and have never used it; to be honest I had not really seen the usefulness of it: pointless short messages along the lines of "The dog has just broken wind", "I have a headache" and "Did I just hear Hall and Oates singing "Locomotion"? That can't possibly be right ... can it?" (thanks to Wil Wheaton for the last one).

But I decided to give it a go and, in the spirit of Web2.0, installed the Twitter application on my new Facebook page. It bombed out with a page full of compiler debug output, and a little investigation showed I am not the only new user experiencing the problem.

AJ Vaynerchuk posted about the problem five days ago and there is a discussion thread on Facebook full of "me too" posts, but as yet there is no response and no fix from either party.

Interestingly, it coincides with a number of articles and programmes I have recently read and listened to concerning the dangers of building a product and/or business model on top of a platform over which you have no control. If that platform changes, fails or disappears, you are in trouble. While I am sure this is more likely to be sloppy coding, it is an interesting portent.

Listening to this week's BBC World Service programme Digital Planet, I heard an interview with Jonathan Zittrain, who has written a book called The Future of the Internet: And How to Stop It. The synopsis on Amazon.co.uk reads:
In "The Future of the Internet: And How to Stop It", Jonathan Zittrain explores the dangers the internet faces if it fails to balance ever more tightly controlled technologies with the flow of innovation that has generated so much progress in the field of technology. Zittrain argues that today's technological market is dominated by two contrasting business models: the generative and the non-generative. The generative models - the PCs, Windows and Macs of this world - allow third parties to build upon and share through them. The non-generative model is more restricted; appliances such as the Xbox, iPod and TomTom might work well, but the only entity that can change the way they operate is the vendor. If we want the internet to survive we need to change. People must wake up to the risk or we could lose everything.
On the Amazon.com website there is a slightly different synopsis:

This extraordinary book explains the engine that has catapulted the Internet from backwater to ubiquity—and reveals that it is sputtering precisely because of its runaway success. With the unwitting help of its users, the generative Internet is on a path to a lock down, ending its cycle of innovation—and facilitating unsettling new kinds of control.


iPods, iPhones, Xboxes, and TiVos represent the first wave of Internet-centered products that can't be easily modified by anyone except their vendors or selected partners. These "tethered appliances" have already been used in remarkable but little-known ways: car GPS systems have been reconfigured at the demand of law enforcement to eavesdrop on the occupants at all times, and digital video recorders have been ordered to self-destruct thanks to a lawsuit against the manufacturer thousands of miles away. New Web 2.0 platforms like Google mash-ups and Facebook are rightly touted, but their applications can be similarly monitored and eliminated from a central source. As tethered appliances and applications eclipse the PC, the very nature of the Internet, its "generativity," or innovative character, is at risk.

It is an interesting observation and prophecy.


Wednesday, 7 May 2008

Last.fm client has not been submitting tracks for days

Last.fm client

Just had a strange problem: the last.fm client has been merrily collating all the tracks I have listened to over the last few days, but they haven't been showing up in my played list; the last tracks shown were submitted 5 days ago. The client also updated itself this morning, to version 1.5.0.24910.

Checking the support forums, it seems I haven't been the only one suffering this problem. This posted solution seems a little strange, but I can verify that it worked, whereas the official solutions that have been posted don't.

It appears that when the client starts up (triggered by your media player starting) it doesn't always connect to the servers successfully. If you click Help and then Check For Updates, it reports an error about not being able to connect. Shut the client down and restart it, and it immediately submits the list of unsubmitted tracks. If you check for updates again, it will report either that it is up to date or that it needs to update (which means the client is actually connecting to the server).

There definitely seems to be a bug somewhere, and as the previous client had stopped submitting tracks too, it suggests a fault at the last.fm end.


My broadband speed tests

Following on from my post about the SamKnows.com monitoring initiative, I decided to check my broadband speed. First I used the very pretty graphical test at speedtest.net; initially it chose a recommended server in Maidenhead and I only got a pathetic 9345Kbps download, but switching to an alternative server in London I got the following results (17397Kbps download and 703Kbps upload).



Next I tried the speed test at Broadband-expert.co.uk and got the following (19.9Mbps download and 704Kbps upload):

Broadband speed results

So it seems my 20Mbps connection is performing well.

The broadband-expert.co.uk website also has accumulated results (click the speed test results button at the bottom of the screen) for most of the UK ISPs, and my ISP VirginMedia seems to come out pretty well, despite the introduction of ever more extreme and complicated traffic-shaping schemes.


Bid to find the truth about broadband performance

ISP watchers SamKnows.com have launched a bid to discover the truth about the state of UK broadband by recruiting volunteers to install a monitoring device on their networks, collecting reams of independent performance data.

They are aiming to attract 200 volunteers, who will be sent a free tweaked Linksys router (a WRT54GL) that measures and reports download speeds for HTTP and non-HTTP traffic, latency, packet loss, DNS response time and website loading times.

It comes as consumer anger against ISPs rises sharply over blatantly misleading marketing campaigns, opaque traffic-management policies and low investment in infrastructure.

I have signed up, so I'll wait to hear.


Thursday, 1 May 2008

Secunia PSI - Personal Software Inspector

PSI screen shot

Secunia is a respected Danish computer-security company; one of its primary missions is to track vulnerabilities in software and provide security tools, primarily for the corporate IT market.

In addition they provide a free tool (for personal, non-corporate use) called PSI, the Personal Software Inspector.

PSI tackles the dangerous problem of vulnerabilities in auxiliary and add-on software. Vulnerabilities in the Microsoft Windows operating system and Microsoft Office are handled by the much-improved Microsoft Update, but what about all the other installed software that is just as prone to vulnerabilities: Adobe Acrobat Reader, Flash, the Java VM, media players, compression utilities and third-party browsers, to name but a few?

Many of these vulnerabilities are exploited through malformed files (PDFs, Flash movies, media files, archives) delivered over the internet, and unless they are patched they are a real danger to the ordinary user. The problem is that, despite many of these programs having update mechanisms built in, it is easy to miss important updates, so critical patches get forgotten and the system stays exposed.

PSI checks your installed software against Secunia's large vulnerability database and flags programs that are insecure and have updates available.

I liked to think I kept my software updated, but after running the tool for the first time I was told I was only 92% secure, with around 15 programs running old, insecure versions. A few updates later I am up to 96%; there are still some programs with known vulnerabilities for which no update is available, and some whose update process is so confusing and convoluted that updating is next to impossible (not helped by hideously unnavigable support websites. Yes, Adobe/Macromedia, I am looking at you!)

My scan turned up some expected culprits (Adobe Flash, Acrobat Reader, QuickTime and RealPlayer) and others I was not aware of, such as VLC, 7-Zip and WinZip. It is easy to have vulnerable software running on your computer without knowing it. If you are not using anything to keep track of software updates, try PSI; you may be surprised. It does a good job of detecting software that needs updating, so I heartily recommend it.

There is an on-line version available, but the installable client is much more capable. The scan is a bit resource-intensive, so I would suggest running it periodically (say once a week) rather than letting it run permanently, which is its default setting.


OpenDNS


My current ISP is VirginMedia (née NTL, née Diamond Cable) and it has generally been pretty reliable; what issues I have had with connectivity and browsing have often been DNS-related.

Most people have experienced this problem at some time: you type in a website address, hit enter, and there is a long delay before the site appears, or it doesn't appear and you get an error message instead. This is quite often the result of Domain Name System (DNS) problems. DNS is the system that converts a website's hostname (e.g. www.virginmedia.com) into the IP address (212.250.162.12) the browser actually connects to; effectively it is the internet's phone book.

If that system is slow or fails, whether through server load or connectivity problems, it creates a delay or failure in everything that uses the internet. Also, like much of the original infrastructure of the internet, DNS was not designed with security in mind, and a number of security issues have surfaced, such as DNS cache poisoning, which has been used in phishing attacks. Because DNS works in the background, the idea behind these attacks is to feed the browser an alternative IP address, redirecting it to a spoofed or fake website, either to introduce malware or to harvest personal information from the unsuspecting user for identity fraud; the user still sees the correct name in the address bar, which is what makes it so effective.
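As an added example (not from the original post), here is a small stub-resolver model in Python that builds the query for www.virginmedia.com, parses the answer that comes back, and applies the checks that stand between a spoofed reply and the cache. The messages are constructed in the code rather than captured from the network, so it runs offline; the forged reply's wrong transaction ID and its 192.0.2.1 address are assumptions for the demonstration.

```python
"""Minimal DNS wire-format helper (added example, not from the original post).

Builds the query a stub resolver sends, parses the answer that comes back,
and performs the basic checks a resolver must make before trusting an
answer (RFC 1035 message format).  All messages here are constructed in
code, not captured from the network.
"""
import secrets
import struct
from typing import Dict, List, Optional, Tuple

TYPE_A, CLASS_IN = 1, 1
FLAG_QR = 0x8000            # set on responses
FLAG_RD = 0x0100            # "recursion desired", set on queries
FLAG_RA = 0x0080            # "recursion available", set by resolvers on responses


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset just after it."""
    labels: List[str] = []
    end: Optional[int] = None          # where the name ends in the *original* byte stream
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:       # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:               # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name: str, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Query for the A record of `name`; the 16-bit transaction ID is random unless given."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid: int, name: str, ipv4: str, ttl: int = 300) -> bytes:
    """A one-answer response as a server (or a spoofer) would send it."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C: pointer back to the question name at offset 12, as real servers do
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_response(msg: bytes) -> Dict:
    txid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    offset += 4                                     # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        rname, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "flags": flags, "qname": qname, "answers": answers}


def accept_response(expected_id: int, expected_name: str, msg: bytes) -> Optional[List[Tuple[str, str, int]]]:
    """Return the answers only if the reply matches the question we actually asked.

    A poisoning attack has to get past exactly these checks, which is why a
    16-bit ID on its own is thin protection (1 in 65,536 per forged packet)
    and resolvers also randomise the UDP source port the reply must hit.
    """
    r = parse_response(msg)
    if not r["flags"] & FLAG_QR:
        return None
    if r["id"] != expected_id or r["qname"].lower() != expected_name.rstrip(".").lower():
        return None
    return r["answers"]


def demo() -> Tuple[Optional[list], Optional[list]]:
    """Genuine reply is accepted; a spoofed reply with a wrong ID is dropped."""
    name = "www.virginmedia.com"
    txid, _query = build_query(name)
    genuine = build_response(txid, name, "212.250.162.12")      # constructed, matches the query
    forged = build_response(txid ^ 0x5A5A, name, "192.0.2.1")   # constructed, spoofer guessed wrong
    return accept_response(txid, name, genuine), accept_response(txid, name, forged)


if __name__ == "__main__":
    print(demo())
```

The first element demo() returns is the accepted answer list for the genuine reply; the second is None because the forged reply's ID does not match the outstanding query. Spoofing therefore comes down to guessing the ID (and port) before the real answer arrives, which is the race that cache-poisoning attacks run.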

In an attempt to address these growing problems of reliability, speed and security, David Ulevitch created OpenDNS in July 2006.

OpenDNS offers DNS resolution for consumers and businesses as an alternative to their internet service provider's DNS servers. The service comprises servers in strategic locations holding a large cache of domain names, so DNS queries are usually answered much more quickly, speeding up page retrieval.

Other features of OpenDNS include a phishing filter and typo correction (for example, typing wikipedia.og instead of wikipedia.org). By maintaining a list of malicious sites, OpenDNS blocks access when a user tries to reach one through its service. OpenDNS has also launched PhishTank, where computer users around the world can submit and review suspected phishing sites, and the service can be configured to limit access to adult sites. One caveat worth knowing: 'correcting' a typo means the resolver returns an answer for a name that does not exist, which is fine for a browser but can confuse software that expects a proper 'no such domain' response. Details of all the features on offer can be found here.

I have switched my network to OpenDNS; full instructions and HowTos are available on the site. It was painless and simple. Browsing does seem quicker, but I haven't used it long enough to really comment on the speed improvement; the ability to view statistics and lots of graphs is enough to convince me!
