Archive for September, 2007

Quickies – social, rngs, remail, moon

Friday, September 28th, 2007

Time for some quickies…

This short article seemed in line with some of my ramblings here (e.g., this and this), albeit quite sparse.

Enterprises must invest more heavily in staff training and social engineering tests to ensure corporate data cannot be compromised by outsiders who trick their way into the company, according to experts at this years ISSE event in Warsaw.

I discussed training and testing in a long ramble, where I sort of combined the training and testing into one service. I thought along the lines of utilizing testing to not only monitor the effectiveness security efforts (including training) and to identify security strengths and weakness, but also to help tailor the training to a particular organization based on real feedback and to provide relevant examples during the training that have a strong impact on attendees of training. The third part part of this ramble covers these thoughts in a messy fashion.

Now, pull the results of these attacks into your security training. Will there be an impact?

Well, I think so. You don’t quickly forget seeing yourself and/or those around you up in lights, as it were, and the attacks can certainly be used to increase the sense of responsibility felt by every employee. The demonstrations hit home because they can be related to – the attacks happened to you, your neighbors, your community. Whether the attacks succeed or fail, they amount to a shared experience for the organization, and teach people their importance to the security of their organization.

The next paragraph of that article goes on to say…

Sharon Conheady, a consultant in social engineering for consultancy Ernst & Young, explained that the scale of the problem is often underestimated by firms, because many are unaware it is even going on. She revealed criminals are using tools such as Google and company web sites to research and gather information about a particular firm, before conning their way into the building with the aim of stealing sensitive data.

I talked about this sort of intelligence gathering back a few months ago in this post.

Mapping out organizations is often one of the tools used in social engineering, and there is a wealth of information to be gathered from OSINT and HUMINT. For example, when you can talk the organizational lingo, it is much easier to convince people within that organization you can be trusted.

Of course, while I like playing with in person attacks (with a bit of a focus on beauty) and would wager that conning one’s way into many a building is quite trivial, physically entering a place and/or interacting with people can be a high risk game. As such, phone calls, email/IM, etc. might be the more popular, safer mediums here for most attackers.

So, I’d be curious to know the “scale of the problem” out there in the real world. I know I play with this in some ways, but not enough to have generalizable, concrete numbers. Perhaps the presentations on which this article was based had some detail here.

In any case, I think the testing and training mentioned here can be applied equally well.

(That reminds me – just entering my reading queue, “Choices, Values, and Frames” edited by Daniel Kahneman and Amos Tversky.)

-

Since lots of FIPS people visit this blog, I thought pointing out this paper might be useful, which looks at the security properties of the underlying primitives utilized in the PRNGs recommended by NIST in SP 800-90 in relation to the security of the output of the said PRNGs. Their conclusions are as follows.

In general, block cipher DRBG should not be used in any circumstances. If block cipher DRBG is currently implemented, then, if possible, one should change the DRBG immediately; otherwise, one should be certain that the outputs generated are as short as possible relative to the output block size of the block cipher used. The other three DRBGs are secured under the current knowledge we have about the underlying mechanisms. Elliptic curve DRBG is the most computationally expensive DRBG. However, it is also the one that is the best understood. ECDLP has been researched for many decades and is still believed to be a hard problem, whereas many hash functions are failing collision resistance as time passes. Two major advantages elliptic curve have over hash or HMAC based DRBG are that the maximum length of output is significantly greater and that it is a number theoretic based instead of heuristic based. If elliptic curve computations can be done as efficiently as hashing (via improve algorithms or hardware), then elliptic curve DRBG is currently the best DRBG out of the recommendations from NIST.
If elliptic curve DRBG is implemented, it is necessary to not follow the NIST generation process exactly due to the poor choice of truncation function1. Refer to Appendix B of [4] for more detail on TPP.
A few other cares must be taken before a DRBG is implemented. See Appendix C for a brief discussion on additional aspects to consider.

FYI, I think the block cipher based PRNGs (namely the ANSI X9.31 Appendix A.2.4 PRNG and its NIST derivatives) are the most commonly implemented in PRNGs in the FIPS world due to their simplicity and open source availability. A quick scan of this list might confirm or deny that.

Update: I haven’t directly dealt with modules that implement the EC based PRNG recommended in 800-90, but, before you do undertake such an implementation, you may want to take note of these slides. [via Schneier commentary]

On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng

Conclusion
• WHAT WE ARE NOT SAYING:
NIST intentionally put a back door in this PRNG
• WHAT WE ARE SAYING:
The prediction resistance of this PRNG (as presented in NIST SP800-90) is dependent on solving one instance of the elliptic curve discrete log problem.
(And we do not know if the algorithm designer knew this before hand.)


-

I’ve mentioned remailers on here, so I thought this might interest some of you. It sounds like the mixmaster and mixminion remailer networks have suffered from a bit of a flood in traffic, malicious or otherwise.

The Mixmaster flood we saw in the last two weeks
is unprecedented, as volume of mail that flow
*successfully* throught the remailer.
Most trafficked ones remailers a tenfold raise of their
normal traffic for days; George peaked as 60K message
a day.

Nothing major it seems, but it did reinforce the need for a new release of mixminion.

Mixminion 0.0.8alpha3 is now available. It fixes a bug that crashed some servers over the last month; if you’re running a server, you should upgrade. There are some other small bugs fixed too.

Anyway, I thought these words important.

In the mean while, if people can post stats about the flood, and if someone wants to port my timestamp hack to Mixminion and start recording the rate at which these messages are arriving and share that data, it may help. (Just don’t do any kind of logging that could reveal identity/break anonymity. Let’s hold remop ethics to a higher standard than some recent Tor operators have shown.)[1]

-

Finally, I found this a bit interesting.

CAPE CANAVERAL, Florida (Reuters) – Web search leader Google Inc. will sponsor a $30 million competition for an unmanned lunar landing, following up on the $10 million Ansari X Prize that spurred a private sector race to space.

Of course, I must point out Koman’s Kings Of The High Frontier is sitting on my bookshelf.

Posted in Anonymity & Privacy, Crypto, Security | No Comments »

Tor yet again

Thursday, September 13th, 2007

Ok, so recently this surfaced and caused a little stir in the Tor world.

Last month, Swedish security specialist Dan Egerstad exposed the passwords and login information for 100 e-mail accounts on embassy and government servers. In a blog entry today, Egerstad disclosed his methodology. He collected the information by running a specialized packet sniffer on five Tor exit nodes operated by his organization, Deranged Security.

This has been discussed here in some form before, and I commented on the trustworthiness of nodes in another form before that.

While there is often logic thrown about that the larger the number of nodes in a mixnet, the stronger the anonymity, such logic often leaves out one key point, the honesty of the nodes. There is a reason remailer networks have traditionally been very small and (at least partially) maintained by some “trusted” nyms. Such honesty problems are not trivial to solve.

So, the real questions here revolve around how well Tor can be made to scale while still achieving its anonymity goals and remaining usable. Increasing popularity not only attracts the attention of more adversaries, but it also means the Tor network itself must grow. With such strong honesty requirements for certain nodes in the network, this growth could pose some particularly interesting problems. (Of course, I am biased in that I always seem to find questions of reputation interesting.)

Once your traffic leaves the Tor network through an exit node, it is no longer, well, in the Tor network. This means the traffic is visible to the exit node (and anyone it passes through from there) without any of the encryption that was utilized as the traffic flowed through the Tor network. If the traffic is plaintext, then the exit node can easily snoop on that traffic. If the traffic is encrypted (say by being piped through an SSL or SSH session), then the exit node could attempt a MITM attack on that traffic, and, especially with regards to the average person using a web browser, many times a user will just ignore any warning dialogs that pop up indicating such an attack.

In this regard, a post was written to Practical Security asking what can be done to mitigate this risk with regards stealing pseudonyms for WWW discussion forums without SSL. I said the following.

1. Use pgp to digitally sign all forum posts. Then your pseudonym is tied to a pgp key pair and not just an account provided by the WWW forum software. If your forum account gets compromised, move on and just keep signing with the same private key – you may even be able to use digital signatures to convince the forum mods to help you here.

2. Rather than utilize rogue nodes when posting to a vulnerable WWW forum, avoid rogue nodes by setting options in torrc (e.g., configuring a set of ExitNodes and turning on StrictExitNodes) to only use particular exit nodes that you deem trustworthy enough not to snoop and such. The lower risk of snooping might be worth the possibly lesser anonymity.

Side note: As another option for performing 2 above, I just noticed the following in here

– If a user tries to connect to or resolve a hostname of the form <target>.<servername>.exit, the request is rewritten to a request for <target>, and the request is only supported by the exit whose nickname or fingerprint is <servername>.

Now, thinking along the lines of 2 above, I thought it might be nice to excerpt part of a discussion I had a while back.

Trust requirements are not new to mixnets, but the performance objectives of Tor and its large, dynamic network make the issue all the more challenging. AFAIK (and I really don’t know), most P2P metrics can really tell you nothing about the anonymity intentions of a mixnet node – they can cover things like performance or fairness, but you need something like, say, automated open source intelligence gathering tied in with some sort of behavior modeling or, much much simpler, people
intelligence (e.g., the Tor directory server operators), to build a “trust” metric for a mixnet node.

And,

From my take, the core issue here is that the Tor network relies on its nodes (including their operators) to be trustworthy; however, the network currently has no scalable metrics that define and speak to that trust. New nodes are essentially just accepted by the directory servers. From there, performance metrics seem to be used to rank a node’s trustworthiness, if you consider, say, being potentially selected as a guard basically a statement of trust about a node.

My comments on performance being the basis of trust for nodes partially came from a version of this. E.g.,

When a router posts a signed descriptor to a directory authority, the authority first checks whether it is well-formed and correctly self-signed. If it is, the authority next verifies that the nickname question is already assigned to a router with a different public key. Finally, the authority MAY check that the router is not blacklisted because of its key, IP, or another reason.

“Stable” — A router is ‘Stable’ if it is active, and either its Weighted MTBF is at least the median for known active routers or its Weighted MTBF is at least 10 days. Routers are never called Stable if they are running a version of Tor known to drop circuits stupidly. (0.1.1.10-alpha through 0.1.1.16-rc are stupid this way.)

To calculate weighted MTBF, compute the weighted mean of the lengths of all intervals when the router was observed to be up, weighting intervals by $\alpha^n$, where $n$ is the amount of time that has passed since the interval ended, and $\alpha$ is chosen so that measurements over approximately one month old no longer influence the weighted MTBF much.

“Fast” — A router is ‘Fast’ if it is active, and its bandwidth is either in the top 7/8ths for known active routers or at least 100KB/s.

“Guard” — A router is a possible ‘Guard’ if it is ‘Stable’ and its bandwidth is either at least the median for known active routers or at least 250KB/s. If the total bandwidth of active non-BadExit Exit servers is less than one third of the total bandwidth of all active servers, no Exit is listed as a Guard.

So, this discussion went on to convey the following, which is the meat of this post.

You know, I use certain remailers in a chain because I know, or know of, the operators, and I trust them to run a remailer as it should be run. The same goes for my acceptance of remailers in general or Tor.

Which is to say, the reputations certain people have built with me is what I use as a base for my decisions to employ their software and services. Such people’s reputations come from many sources for me. For example… For the people I know, reputations may have been built from all the things that make me say they are people I know, such as debating some aspect of life while sucking down alcohol in a bar together. For the people I know of, reputation may have been built from references from people I know or know of. For both people I know and people I know of, reputation may have been built from longer term exposure to papers, presentations, conversations, discussions, etc. in the appropriate forums. This probably maps to how current directory server operators make their decisions about Tor nodes, and all of these can be mapped to features of a decent social networking service, which is potentially scalable.

Taking a hint from the whole web 2.0 bang, we find lots of people that have links with lots of other people, and the number and quality of such links influences how much value we give to peoples’ opinions. The quality of feedback influences the reputation of the person providing the feedback, which in turn translates to how we value that person’s feedback, which is to say, how much that feedback effects the reputation of the thing being commented on. And so on. This people intelligence that gathers and mines data can lead to a large set of very interesting data, which can then undergo automated analysis. Now, forget web 2.0 though and go old school, the whole PGP web of trust is built on this type of thing.

You could see a Tor social network working in a similar way. People input followed by automated analysis could be the end result. For example, perhaps a system could be created such that node (i.e., node operators) are able to make trust statements about other nodes. The set of statements would be predefined, such as distrust, no trust, marginal trust, or full trust, and have guidelines that node operators should follow to make a determination of trust in a node. The weight of a node’s statements of trust about other nodes could be based on things like that node’s trustworthiness as determined by statements of trust made by other nodes about that node.

With some such metric in place, interesting decisions about a user’s path through the Tor network could be made. The obvious example is requiring specific trust levels for particular places in a user’s path through the Tor network, such as the entry and exit requiring highly trusted nodes but middleman only requiring marginally trusted nodes. As a more interesting example, I imagine a reputation web like that described would lead to clusters of closely linked nodes. Perhaps it would make sense to choose a path through the Tor network that picks nodes from different clusters. Or, if I have made trust statements about the nodes, it might make sense to heavily weight those statements in choosing a path for me – for example, if I fully trust a certain set of nodes, maybe my path through the network should be selected from the set of nodes I fully trust, nodes those nodes fully trust, and so on until there is a “large enough” set of nodes to choose from.

Finally, what I said here was pointed out to me.

In other words, right now, Tor uses the vigilance of people to ward off this type of attack. Such an approach might not scale well, but it works at the moment.

I don’t know if any of this scales well either or if it does more harm than good, but it is an idea nonetheless.

Oh, and for those asking about my Tor node. You know that lovely new motherboard? Well, it appears to have choked.

Posted in Anonymity & Privacy, Security | No Comments »