Open Source Security
Welcome at

After a lengthy hiatus during which I focused on building secure things on top of open source and with open source rather than on building actual open source, I’m back to focusing on open source security in my day job. I hope that will give me more time to focus on things that I would be willing to discuss here, on my blog. I also hope that I will be able to discipline myself and focus on technical topics, such as my most popular and wildly outdated post on maximum password length from eons ago. But I fear that I will never be able to wean myself entirely from the “someone is wrong on the Internet!” type of post, because they are fun, cathartic, and easy to write.
Don’t be jealous, but I now have the best job in security. Make no mistake, I still speak for myself and not for my employer.

USA Today has two eye popping stories on the NSA crypto capabilities. The first story is entitled “Why NSA’s decrypting is OK” in their mobile app and The Case Supporting the NSA’s PRISM decrypting in their online version. The title already gives an idea of the slant that the article will take. The article starts with a bold statement “A consensus is gelling that the NSA — in using brute-force password hacking techniques, cracking into Virtual Private Networks and Secure Sockets Layer services and taking steps to weaken certain inherently weak encryption protocols – is simply doing what the NSA has always done, and was, in fact, created to do: keep the U.S. competitive in the spy-vs-spy world.” The article never defends this assertion and it is wildly at odds with the consensus that I see gelling on Facebook and on the technical cryptography mailing lists which I browse. To give the author the benefit of the doubt, I could be convinced that this is a consensus of NSA mouth pieces.

The second story is entitled Latest PRISM Disclosures Shouldn’t Worry Consumers and proves that the author the the story has no conception of why people are legitimately angry about the revelations. “Should the latest disclosures of decrypting techniques used as part of the NSA’s PRISM anti-terrorism surveillance program keep you awake tonight? Only if you do not believe President Obama and NSA Director Army Gen. Keith Alexander that any and all spying techniques are used strictly in very narrow circumstances to target suspected foreign terrorists, under a federal court review process.” You would be crazy if you did believe this because the NSA themselves have admitted that the techniques have been abused. Google LOVEINT for a clue.

“‘The people who work on PRISM are working to protect us,’ says Tom Kellermann, Trend Micro’s vice president of cybersecurity. ‘They don’t care what movie you’re going to or whether someone is cheating on his wife.'” Whether they care or not, they shouldn’t have access to that information.

“‘The big revelation is that the NSA is actually able to view more encrypted data than anyone thought,’ says Chris Petersen, chief technology officer at security analytics company LogRhythm. ‘What this will really do is put our adversaries on notice that they need to invest in stronger encryption. This really has no bearing on the average citizen.'” Spoken like a person who does not believe in democracy and freedom.

I won’t quote anymore from that article. I wish I could give the people quoted in the article the benefit of the doubt – that, as usual with reporters, their comments were taken out of context. I will say to the people quoted in the story, if this is really what you think, then you are the problem.

I post these because it is fun to see what people on the other side of the debate are thinking. And because I want to take note of the people in the industry who said these crazy things. And because it is sometimes just *fun* to read these types of articles and get outraged.

Apropos of nothing, this squiggled my funny bone this morning: Pew Research reports that there is a glass ceiling for female white collar criminals. It sounds like they are doing it wrong: “More than half of all women (56%) did not personally profit from the fraud”. Some backbone is needed: “Still others said they knowingly committed illegal acts simply because they were instructed to do so by a superior”. Sigh. They couldn’t at least ask for a candy bar? I heard the story on NPR this morning during my commute.

The hack of iOS devices by a malicious charger is one of the most interesting stories from Black Hat this week. Pretty amazing that the chargers have this much power yet are not authenticated via a solution such as ORIGA from Infineon. (I do not now and have never worked for Infineon. I’m sure that there are many more solutions like this from other companies, this is just one at hand that would serve to fix this vulnerability without giving up any of the functionality. Whether or not a charger needs that functionality is another kettle of worms.)

University of Texas demonstrates GPS signal spoofing quite dramatically, by sending a private yacht off course and thus “hijacking” it.
Another source with an ad wall and less technical detail but with the following key quote:

These consumer spoofing devices, the sale of which has been banned in the U.S., can still be legally purchased in the UK, and are available for as cheap as $78 (£50).
And, of course, North Korea has already experimented with the technology, reportedly blocking GPS signal in South Korea on several occasions. One such attack launched in 2012 affected 1,016 aircraft and 254 ships.

Article from May 2013 from Azimuth Security on Exploiting Samsung Galaxy S4 secure boot.
Key quotes:

Examining the check_sig() function in more detail revealed that aboot uses the open-source mincrypt implementation of RSA for signature validation. The bootloader uses an RSA-2048 public key contained in aboot to decrypt a signature contained in the boot image itself, and compares the resulting plaintext against the SHA1 hash of the boot image. Since any modifications to the boot image would result in a different SHA1 hash, it is not possible to generate a valid signed boot image without breaking RSA-2048, generating a specific SHA1 collision, or obtaining Samsung’s private signing key.

The astute reader will have already noticed the design flaw present in the above program logic. Notice the order in which the steps are performed: first, aboot loads the kernel and ramdisk into memory at the addresses requested by the boot image header, and then signature validation is performed after this loading is complete. Because the boot image header is read straight from eMMC flash prior to any signature validation, it contains essentially untrusted data. As a result, it’s possible to flash a maliciously crafted boot image whose header values cause aboot to read the kernel or ramdisk into physical memory directly on top of aboot itself!

Exploitation of this flaw proved to be fairly straightforward. I prepare a specially crafted boot image that specifies a ramdisk load address equal to the address of the check_sig() function in aboot physical memory. In my malicious boot image, I place shellcode where the ramdisk is expected to reside. I flash this image by leveraging root access in the Android operating system to write to the boot block device. When aboot reads the supposed ramdisk from eMMC flash, it actually overwrites the check_sig() function with my shellcode, and then invokes it. The shellcode simply patches up the boot image header to contain sane values, copies the actual kernel and ramdisk into appropriate locations in memory, and returns zero, indicating the signature verification succeeded. At this point, aboot continues the boot process and finally boots my unsigned kernel and ramdisk. Victory!

Similar attack from Azimuth Security on Motorola phones from April 2013.
Key quotes:

At this point, the end was in sight, but I knew I would need a vulnerability in the TrustZone kernel in order to set this flag to zero, allowing my SMC call to blow the QFuse required to unlock the bootloader. Fortunately, I didn’t have to look long, since one of the other SMC commands in the same section of the TrustZone kernel contains a fairly obvious arbitrary memory write vulnerability…

The Trusted Computing Group has released a draft version of the new Trusted Platform Module specification for public review and comment: TPM 2.0. Five years+ in development, the spec contains a lot of new material to allow for hash and algorithm agility and enhanced authorization support. (Details of what is included in this new version can be found in the FAQ.) Comments can be submitted to a mailing address created especially for this review which can be found on the first page of each part of the specification. Weighing in at 1,397 pages, you better get started now, if you want to have any chance of completing your review before TPM 3.0 comes out. That reminds me… I have some work that I have to go do.

The local chapters of OWASP and ISSA jointly sponsored a 1/2 day Metasploit Training session taught by Raphael Mudge. It was held one Friday afternoon about 10 days ago at the Microsoft campus here in Austin which is a super nice facility and well set up for this type of class.

Metasploit is one of those technologies that is always near the top of my list to try out, but never quite takes that top spot, so I jumped at the chance to take this seminar. It sold out in less than 2 days, so it would seem that a lot of people felt the same way.

Raphael Mudge is the author of the Armitage front-end to Metasploit so he was a great choice to teach the class. He is a very high energy speaker and sprinkles anecdotes and experiences throughout, so the seminar never dragged. The seminar was an excellent mix of labs and presentation. The labs started with the exercise of installing metasploit and Armitage which was provided on a DVD. Virtual images which were vulnerable to attack were also provided and these were the targets of the exercises. Throughout the class, Raphael offered his experience on which exploits were typically the most successful, which payloads are the most valuable and other nuggets of information which are gained through experience. Armitage itself does a great job of lowering the barrier to entry and makes metasploit much easier to use.

This seminar was a great introduction to Armitage and metasploit, enough to make it useful for personal use of metasploit, but it is clear that I could spend many fun hours experimenting with the various exploits and payloads. Raphael made it clear throughout that he was not training crackers. The seminar succeeded brilliantly and so I would like to again thank Raphael Mudge, OWASP Austin and ISSA for making this seminar possible.

Great stuff!

Raphael left us with the following links for more information:
Penetration Testing and Vulnerability Analysis
Metasploit Unleashed
Backtrack Linux

My first experience with Gnome 3 is that it frowns at me for not living up to its expectations.

RSA – hacked
Lockheed Martin – hacked
Northrup Grumman – hacked
L-3 – hacked
Sony – hacked
Nintendo – hacked
Gmail – spear phished
PBS – hacked (and seriously?)

There must be millions of corporate security presentations that start off with the premise that the security apocalypse will soon be upon us if security doesn’t receive premium investment. It feels to me as if the security apocalypse long promised has now arrived. Whether these events are coordinated or independent, whether they are script kiddie cracking or cyber warfare, does this harald a new dawn? The risks which were once deemed remote have now been exploited multiple times. Is this a wake-up call or is everyone still yawning when security is mentioned?