Archive for Security

When “Encryption” can be bad for sysadmins?

Posted in Security on February 1, 2011 by Xacker

Encryption has always been a man’s best friend, but is it really true for sysadmins with encrypted applications?

Imagine this scenario, and allow me not to be – so – brief in order for non-technical people to understand the security issue.

– A PHP programmer distributes a web application.

– To protect his property from snooping eyes, he decided to encode his PHP files with something like Zend Guard, IonCube, etc.

– Unfortunately, the poor programmer missed a security vulnerability in his application.

– An attacker finds the vulnerability. Remember, it makes no difference that the application is encoded; we’re talking runtime here.

– The attacker gains access to the PHP files’ source code one way or another.

– The attacker is capable of decoding the encrypted content thanks to tens of freeware tools on the Internet that target such encryption (Google: “dezend”, “zend decoder online”, …).

– The attacker needs to inject a backdoor in the system for future use to gain access in case the security vulnerability has been fixed.

This is where the security behind encryption fails.

All the attacker needs now is to decode one of the original files (for example), insert his evil shellcode among the original code, encrypt the file again and replace it on the affected website.

If I’m a sysadmin (and I am :P), I would get VERY suspicious about encrypted content in one of my website pages, but that is not going to be the case if all my website content were originally encrypted by the programmer and I’m aware of that from the beginning.

How do you even trust encrypted content on your website in the first place? What if the programmer himself originally placed a backdoor among the safe source code? How can you tell then?

I think web masters should run this thought in their heads and think long before they accept running any encrypted stuff on their websites.
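One check a sysadmin can still run on files that cannot be read: record a SHA-256 manifest of the encoded files as delivered and compare the live tree against it, so a file that was decoded, modified and re-encoded shows up as changed. This is an added example, not part of the original post; the file names and byte strings are constructed, and it does not help when the backdoor was already in the programmer's release.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large encoded files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> digest for every .php file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*.php")) if p.is_file()}


def compare(root: Path, manifest: dict) -> dict:
    """Report files that changed, vanished or appeared since the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest
                           if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Constructed example: byte strings stand in for encoder output."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "index.php").write_bytes(b"<?php //ENCODED-BLOB-A")
        (root / "lib" / "db.php").write_bytes(b"<?php //ENCODED-BLOB-B")
        # Baseline taken at install time; store it off the web server.
        manifest = build_manifest(root)
        # Simulate the scenario: one file re-encoded, one new file dropped.
        (root / "lib" / "db.php").write_bytes(b"<?php //ENCODED-BLOB-B2")
        (root / "cache.php").write_bytes(b"<?php //ENCODED-BLOB-C")
        return compare(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as where it is kept: if it lives in the web root, whoever replaces a file can replace the baseline too.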

That being said, my coffee is getting cold.

Let me know what you think.

Enjoy.

SSL broken!

Posted in Networks, Security on January 5, 2009 by Xacker

Hackers create rogue CA certificate using MD5 collisions!

Using computing power from a cluster of 200 PS3 game consoles and about $700 in test digital certificates, a group of hackers in the U.S. and Europe have found a way to target a known weakness in the MD5 algorithm to create a rogue Certification Authority (CA), a breakthrough that allows the forging of certificates that are fully trusted by all modern Web browsers.

The research, which will be presented today by Alex Sotirov and Jacob Appelbaum at the 25C3 conference in Germany, effectively defeats the way modern Web browsers trust secure Web sites and provides a way for attackers to conduct phishing attacks that are virtually undetectable.

The research is significant because there are at least six CAs currently using the weak MD5 cryptographic algorithm in digital signatures and certificates.  The most commonly used Web browsers — including Microsoft’s Internet Explorer and Mozilla’s Firefox — whitelist these CAs, meaning that a fake Certificate Authority can display any site as secure (with the SSL padlock).

“We basically broke SSL,” Sotirov said in an interview ahead of his 25C3 presentation.
