
Security

December 30, 2008 6:15 AM PST
SSL crack in action

The prototype SSL crack in action: It's a supposedly secure Web site (note "https:" in the menu bar). But the SSL certificate is issued by MD5 Collisions Inc.

(Credit: Jonathan Stray)

By Jonathan Stray

Updated at 3:30 p.m. PST with Microsoft comment, at 1:50 p.m. PST with VeriSign comment, at 10 a.m. PST with comment from cryptography expert Paul Kocher, and at 9 a.m. PST to reflect that presentation has taken place and include comment from cryptography expert Bruce Schneier.

BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday.

They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss.

The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time on a cluster of 200 PlayStation 3 consoles. In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years.

Yet if one group can do it today, others eventually will. "We have a proof-of-concept that allows us to impersonate any supposedly secure Web site on the Internet," said David Molnar, a doctoral student in computer science at the University of California at Berkeley.

Molnar and six other researchers presented their findings during an afternoon session of the Chaos Computer Club's annual conference here on Tuesday. Other team members include Jacob Appelbaum and Alexander Sotirov.

Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping. SSL is used whenever a user navigates to an address beginning with "https://". SSL certificates essentially stand for the claim that, for instance, etrade.com actually belongs to E-Trade Inc., and is not being operated by a thief hoping to steal account passwords.

Most browsers indicate that SSL is active by displaying a small padlock icon. An attack using a forged authentication certificate--which is what the researchers say they have done--is insidious because the browser can't detect it and the padlock icon would still appear.

Talk announcement on the CCC schedule in Berlin.

(Credit: Jonathan Stray)

Unlike most security issues, this problem cannot be fixed with a simple software update. "The bug is not in anyone's software," Sotirov said. "It's not the browser that's at fault. The browser does exactly what it's supposed to do... The problem is that what it's supposed to do is wrong."

The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard cryptographic functions used to check that SSL certificates (and thus the corresponding Web sites) are valid. This function has been publicly known to be weak since 2004, but until now no one had figured out how to turn this theoretical weakness into a practical attack.

An SSL certificate is a small file that ties a real-world corporate identity to a Web site address and a corresponding public encryption key. This is presented to a private certificate authority firm, which is supposed to verify the link between identity and domain name and then cryptographically "sign" the certificate to vouch for it.

The problem arises when someone else is able to forge the same signature.

VeriSign, which operates the largest certificate authority in the world, learned of the vulnerability early on Tuesday and acted quickly to close the hole in its certificates, according to Tim Callan, vice president of product marketing at the company.

"We went into our systems and removed the MD5 algorithm and replaced it with SHA-1 (Secure Hashing Algorithm)," he said. "You cannot get an SSL certificate from VeriSign now that is subject to this attack." More information from VeriSign is available on Callan's SSL blog.

VeriSign was in the process of phasing out MD5 before the issue came up and is now on track to have it entirely out of commission in January, Callan said. "On balance, public key infrastructure works extraordinarily well," he said when asked if the vulnerability illustrated a need to change the trust model.

Microsoft, while noting that the issue wasn't a vulnerability with one of its products, tried to downplay the threat to users in a security advisory Monday.

"This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information," the advisory said.

A 1991-era protocol, but modern problems

When MIT professor Ron Rivest developed MD5 in 1991, it was considered sufficiently secure. But starting in 1996, a series of increasingly serious flaws started calling the continued viability of MD5 into question.

As CNET News reported in 2004, flaws discovered at that time "could eventually make it easier for intruders to insert undetectable back doors into computer code or to forge an electronic signature--unless a different, more secure algorithm is used." Then, in 2007, Arjen Lenstra of Bell Laboratories Switzerland, with Marc Stevens and Benne de Weger of TU Eindhoven, demonstrated a technique to construct two new certificates with different content but the same fingerprint.

Although security researchers had been worrying, and recommending that other alternatives be considered, nobody had yet demonstrated how to exploit this theoretical flaw in a practical attack.

The researchers who attacked SSL authentication. Left to right: David Molnar, Alexander Sotirov, Marc Stevens, Arjen Lenstra, Jacob Appelbaum. Not pictured: Benne de Weger and Dag Arne Osvik.

(Credit: Jonathan Stray)

Molnar, Appelbaum, and Sotirov joined forces with the European MD5 research team in mid-2008, along with Swiss cryptographer Dag Arne Osvik. They realized that the co-construction technique could be used to simultaneously generate one normal SSL certificate and one forged certificate, which could be used to sign and vouch for any other. They purchased a signature for the legitimate certificate from an established company that was still using MD5 for signing, and then applied the legitimate signature to the forged certificate. Because the legitimate and forged certificates had the same MD5 value, the legitimate signature also marked the forged one as acceptable.

The process amounted to transferring a photograph from a real ID to a fake by carefully matching the holographic security markers.

The rogue certificate can then be used to sign any other certificate of the attacker's choosing--such as one which assures Web browsers that a malicious phishing site is actually the legitimate etrade.com or bankofamerica.com.

After three unsuccessful attempts, each of which required approximately three days of compute time on a cluster of 200 PlayStation 3s, the researchers obtained a forged certificate authority in early November, at which time they notified browser developers and certificate authorities, or CAs, about the security flaw. Molnar estimates that the same processing time could be purchased from Amazon for about $1,500.

The team decided to disclose the vulnerability at the Berlin conference in hopes that the news will encourage everyone involved to fix the problem quickly. "The main message here is to stop issuing MD5 certificates, now," said Molnar. He believes that MD5 is so weak it no longer should be used for any applications: "More secure, freely available alternatives exist." (In November 2005, the U.S. government announced plans to find successors to MD5 and SHA-1, an official federal standard with its own problems. The new federal standard will be called SHA-3.)

By itself, the MD5-certificate-forging vulnerability wouldn't be too worrisome. That's because it relies on criminals being able to capture Web traffic to display a fraudulent Web site. But setting up a fake wireless access point to lure unsuspecting neighbors or business travelers is trivial, and a program released earlier this year to attack the domain name system (DNS) provides another way to direct Internet traffic for malicious purposes.

While only a few CAs currently sign certificates with MD5, Appelbaum estimates that 30 percent to 35 percent of all SSL certificates currently in use have an MD5 signature somewhere in their authentication chain. "The CAs should contact every customer that currently uses an MD5-signed certificate and offer a free replacement."
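
As an added example (not code from the researchers or from CNET), the following Python audits a certificate chain, leaf first, for the condition Appelbaum describes: an MD5-based signature anywhere in the chain. The sample chain consists of constructed DER skeletons rather than real certificates, and `audit_chain`, `inspect_cert`, `toy_cert` and the CA names are chosen for this example.

```python
# PKCS #1 signatureAlgorithm OIDs whose hash function is collision-broken.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def decode_oid(body):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs, acc = [], 0
    for byte in body:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def inspect_cert(der):
    """Return (signature_oid, self_issued) for one DER certificate."""
    tag, body, _ = read_tlv(der)
    parts = children(body)  # tbsCertificate, signatureAlgorithm, signatureValue
    if tag != 0x30 or len(parts) != 3:
        raise ValueError("not a Certificate SEQUENCE")
    alg = children(parts[1][1])
    if not alg or alg[0][0] != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    tbs = children(parts[0][1])
    if tbs and tbs[0][0] == 0xA0:  # optional explicit [0] version field
        tbs = tbs[1:]
    if len(tbs) < 5:
        raise ValueError("tbsCertificate too short")
    # Remaining order: serial, signature, issuer, validity, subject, ...
    issuer, subject = tbs[2][1], tbs[4][1]
    return decode_oid(alg[0][1]), issuer == subject

def audit_chain(chain):
    """chain: DER certificates, leaf first. Returns weak-signature findings."""
    findings = []
    for index, der in enumerate(chain):
        oid, self_issued = inspect_cert(der)
        if oid in WEAK_SIG_OIDS:
            findings.append((index, WEAK_SIG_OIDS[oid], self_issued))
    return findings

# --- Constructed sample data: DER skeletons, not real or valid certificates ---
def tlv(tag, body):
    assert len(body) < 0x80  # short-form lengths are enough for these samples
    return bytes([tag, len(body)]) + body

def toy_cert(issuer, subject, alg_id):
    oid = bytes.fromhex("2a864886f70d0101") + bytes([alg_id])
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name(issuer)
              + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))

SAMPLE_CHAIN = [
    toy_cert("Example Issuing CA", "www.example.test", 0x05),  # sha1WithRSA
    toy_cert("Example Root CA", "Example Issuing CA", 0x04),   # md5WithRSA
    toy_cert("Example Root CA", "Example Root CA", 0x04),      # md5, self-issued
]

if __name__ == "__main__":
    for index, alg_name, self_issued in audit_chain(SAMPLE_CHAIN):
        note = "self-issued" if self_issued else "issued by another CA"
        print(f"cert[{index}]: {alg_name} ({note})")
```

The self-issued flag separates trust anchors, whose own signature a verifier does not rely on, from certificates whose MD5 signature is actually checked during path validation.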

In an interview on Tuesday morning, cryptography expert Bruce Schneier praised the research but downplayed the real-world consequences of the findings.

"SSL protects data in transit but the problem isn't eavesdropping on the transmission. Someone can steal the credit card on some server somewhere. The real risk is data in storage. SSL protects against the wrong problem," he said.

"This is good work, great cryptography. I love the research, but this doesn't matter a whit," Schneier added. "There are half a dozen ways to forge certificates and nobody checks them anyway."

Paul Kocher, president of Cryptography Research and an architect of the SSL 3.0 protocol, said the exploit highlights the need for a new universal hash function "that everyone is comfortable with."

"The paper is not a surprise, but at the same time it's the crispest demonstration for why it's necessary to remove this broken algorithm everywhere it is being used," he said, before adding "there are bigger things to worry about, like browser bugs and operating security bugs."

The researchers have created a Web site signed with a forged certificate which can be viewed here. The forged certificate was backdated so that it could not be used maliciously even if stolen from researchers, so you have to reset your system clock to August 2004 to view it.

Even though their work may be controversial, the researchers view their efforts as fundamental to creating a more secure Internet. "I don't want to be hit by this type of attack either," Sotirov said. "I use the Internet too."

The author is a freelance contributor to CNET News and is not an employee of CBS Interactive. His Web site can be found at jonathanstray.com.

December 29, 2008 6:20 PM PST

Updated: at 10 a.m. January 5 to correct alleged vulnerability to denial of service.

Microsoft on Monday denounced reports that a vulnerability exists in Windows Media Player that could pose a security risk for users.

Microsoft said in a company blog post that it had investigated reports that surfaced on the Internet last week and found them to be "false." The flaw is a "reliability issue with no security risk to customers," the company said on its Security Vulnerability Research & Defense blog.

The investigation followed claims published Wednesday on the Bugtraq security mailing list by researcher Laurent Gaffie that a vulnerability existed in Windows Media Player 9, 10, and 11. Gaffie said the vulnerability would allow a hacker to create a malformed WAV, SND, or MIDI file to create a denial of service, and included proof-of-concept code.

Along with its denial, Microsoft criticized Gaffie for publishing his claims without first contacting the software giant:

The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player. Those claims are false. We've found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn't affect the rest of the system.

The company said that the flaw had already been identified during routine code maintenance and corrected in Windows Server 2003 Service Pack 2.

December 28, 2008 8:55 AM PST

A network administrator will stand trial for allegedly hijacking the network he designed and maintained for the city of San Francisco.

A superior court judge ruled Wednesday that there was enough evidence to hold Terry Childs for trial on four felony charges of tampering with a computer network, denying other authorized users access to the network, and causing more than $200,000 in losses, according to a report in the San Francisco Chronicle. Childs, who has been in custody since July 13, had worked at San Francisco's Department of Telecommunication Information Services for five years. Childs, 44, is being held on $5 million bail and is scheduled to be arraigned on January 13.

Childs is accused of tampering with the city's Fiber Wide Area Network after allegedly being disciplined for poor performance. He was also accused of electronically spying on his supervisors and their attempt to fire him.

Childs allegedly denied other administrators access to the system, which maintains law enforcement, payroll, and jail-booking records. Childs reportedly refused to surrender secret codes that would allow access to the system.

However, after a week in the city's jail, Childs agreed to give the access codes to San Francisco Mayor Gavin Newsom during a secret jail house visit. The meeting reportedly was so secret that the police department and district attorney were not informed of the meeting ahead of time.

Childs' attorney has claimed that there was no destructive intent and that Childs was merely protecting the network from incompetent city officials who were trying to force him out of his job.

"Mr. Childs had good reason to be protective of the password," Erin Crane argued in an unsuccessful attempt to lower his client's bail. "His co-workers and supervisors had in the past maliciously damaged the system themselves, hindered his ability to maintain it...and shown complete indifference to maintaining it themselves...He was the only person in that department capable of running that system."

December 24, 2008 6:00 AM PST

Ari Juels' fascination with numbers is the stuff of fiction, literally.

Ari Juels

(Credit: ZDNet Asia)

The chief scientist and director of RSA Laboratories recently completed a novel in which the protagonist is hired by the U.S. government to counter the efforts of Pythagoreans, a Greek group that believed in the supremacy of numbers--subscribing to the notion that by mastering numbers, one could understand and control the forces of the universe.

That concept, he told ZDNet Asia during a recent visit to Singapore, had been "a little silly" until cryptography developed to a stage where "mastery of certain mathematical problems could in principle lead to considerable power over computing resources and consequently over our lives."

The book, which will be launched at the RSA Conference 2009 in San Francisco in April, was in essence, the coming together of two of Juels' interests--computer security and classical literature. He graduated from Amherst College in 1991 with degrees in Latin Literature and Mathematics.

Thirty-eight-year-old Juels, who joined RSA in 1996, shed some light on recent RFID (radio frequency identification) issues in e-passports, identity documents, and transport-related systems, as well as how to balance security and privacy.

Q: What are you currently working on?
Juels: With the acquisition of RSA by EMC, we've turned our attention to some of the special security problems that storage systems present. In particular, we've looked at...the ability of a client to verify that a file that is stored on remote servers is still there--intact. We've been able to develop a protocol which accomplishes the seemingly paradoxical property of enabling a client to verify that a file is completely intact--that every bit is there, not a single bit has been changed--without downloading the file. In fact, the archiving service can send a very short proof--some tens of bytes--and that's enough for the client to establish that the file is completely retrievable. That's been a major area of research for us.

Is there a name for this concept?
Juels: There've been several names. I guess the most recent is an acronym called HAIL, for High Availability and Integrity Layer.

December 23, 2008 2:09 PM PST

MIT students Alessandro Chiesa, R.J. Ryan, and Zack Anderson show up at, but do not speak at, the Defcon conference in August.

(Credit: Declan McCullagh/News.com)

Three MIT students who were sued by the Massachusetts Bay Transit Authority over their research into subway card vulnerabilities are now working with the transit authority to improve the fare collection system.

The lawsuit against the students was dismissed after a judge lifted a gag order in August that prevented the students from discussing their work. The students had planned to present their research at the Defcon hacker conference in Las Vegas on August 10, but canceled their presentation after a judge granted the MBTA's request for an injunction the day before.

"This is a great opportunity for both the MBTA and the MIT students. As we continue to research ways to improve the fare system for our customers, we appreciate the cooperative spirit demonstrated by the MIT students," MBTA General Manager Daniel Grabauskas said in a statement published on the Electronic Frontier Foundation Web site on Monday. EFF attorneys represented the students in their legal defense.

One of the students, Zack Anderson, was quoted as saying: "We've always shared the goal of making the subway as safe and secure as can be. I am glad that we can work with the MBTA to help the people of Boston, and we are proud to be a part of something that puts public interest first."

As part of their presentation, entitled "The Anatomy of a Subway Hack: Breaking Crypto RFIDs and Magstripes of Ticketing Systems," the students planned to describe several attacks to break the CharlieCard, an RFID card that the MBTA uses on the Boston T subway line.

December 23, 2008 10:58 AM PST

In spite of the global economic recession, information security will continue to be a dominant IT priority in 2009. Why? There are simply too many threats and vulnerabilities creating a perpetual increase in IT risk.

With that, here is my top-10 list (in no particular order) of technologies and trends to watch for in the new year:

1. The evolving definition of endpoint security: Some analysts have declared that antivirus software is dead. I disagree and submit that endpoint security is simply evolving as a function of the changing threat landscape. This is the primary reason why Sophos (a legacy antivirus company) bought Utimaco (a data security company) in 2008. Look for traditional antivirus, anti-spyware, and firewall software to merge with endpoint operations, data loss prevention, and full-disk encryption in 2009.

2. More emphasis on cybersecurity: This year began with the establishment of the Comprehensive National Cybersecurity Initiative (CNCI), an effort to strengthen government networks. While well-intended, CNCI has received minimal funding and support. In December, a Center for Strategic and International Studies report further described the sorry state of cybersecurity and called for drastic improvements. Look for President-elect Barack Obama to get behind this effort in a big way with funding, a real public/private partnership, and cooperative intelligence and law enforcement with a growing list of foreign nations.

3. Increasingly stringent privacy legislation: Privacy advocates like the American Civil Liberties Union and the Center for Democracy and Technology are hopeful that the change in administration will finally lead to more comprehensive national privacy legislation in 2009 and beyond. This momentum should persuade the Senate to finally push the Personal and Data Privacy Act of 2007 (S.495), which has been dormant since May. In the meantime, look for states like Michigan and Washington to follow the lead of Massachusetts and Nevada in mandating data encryption.

4. Security in the cloud: While "cloud" has turned into a vague industry security blanket term, I do believe that 2009 will be a strong year for managed security services. Many organizations simply don't have the capital budget dollars or security skills to take on the increasingly sophisticated bad guys themselves--good news for IBM and Symantec. Additionally, companies like Blue Coat, Cisco, and Trend Micro will supplement on-site security equipment with scalable reputation and update services in the cloud.

5. Virtualization security: As server and desktop virtualization continues to proliferate, we will need better security tools for things like role-based access control, virtual server identity management, virtual network security, and reporting/auditing. Citrix, Microsoft, and VMware will lead this effort with partnering support from others like IBM (Project Phantom), McAfee, and Q1 Labs.

6. Secure software development: In 2008, the majority of malicious code attacks targeted applications, not operating systems. This fact combined with growing focus on cybersecurity will force software companies to embrace secure software development efforts such as the Open Web Application Security Project (OWASP) or the SANS Software Security Institute. Ironically, Microsoft and its Pro Network partners like Security Innovation are best positioned to bring secure software development best practices to the masses.

7. Information-centric security: The recent Microsoft/RSA announcement is a sign of things to come. Organizations large and small need to be able to discover and classify sensitive information, apply security policies, and then enforce these policies throughout the network. This will continue to become a reality in 2009 as documents and file systems are integrated with data loss prevention and enterprise rights management systems. Look for further progress like the introduction of PKI in the mix along with discussions about metadata standards for data classification and security rules enforcement.

8. Ubiquitous encryption: Encryption technologies are more often becoming "baked in" rather than "bolted on." Tape drives now contain cryptographic processors as do hard drives from Fujitsu, Hitachi, and Seagate. And Intel will ship a version of its vPro chip set in 2009 that also supports on-board encryption. In 2009, we will start to see multiple layers of encryption technologies running on top of each other. Good for data confidentiality and integrity but this will also highlight the need for enterprise-class encryption key management--another technology on the 2009 "watch list."

9. Entitlement management: Authentication gets you in the network door, while entitlement management governs what you can and can't do. Entitlement management is currently done on an application-by-application basis but this doesn't scale, is ripe for human error, and is nearly impossible to audit for compliance. Enter centralized entitlement management brought to you by Cisco, IBM/Tivoli, Rohati, and RSA Security. Look for lots of buzz as well as pilot projects by the summer. By the end of 2009, IT professionals should be intimately familiar with XACML (XML Access Control Markup Language).

10. Business process security: Securing all IT assets across the enterprise is a daunting task--too big for risk-averse business managers. Rather than rely on IT reports and security point tools alone, line-of-business executives will want more visibility and oversight into their exclusive domains with detailed and succinct portals, reports, and auditing systems. Ultimately, CEOs will support this effort as it forces individual business units to build security into their P&Ls. This trend favors big services vendors like Accenture, CSC, and HP with vertical industry tools, business process expertise, and executive relationships.

I'm generally an optimist, but I do have one additional, more gloomy prediction. Given the alarming state of disarray, look for some type of security breach in 2009 that exceeds the TJX incident.

On that cheerful note, happy holidays.

For a look back at security in 2008, check out Elinor Mills' year in review.

December 23, 2008 10:43 AM PST

Microsoft is investigating reports of a flaw that could allow someone to remotely execute code on a system running certain versions of SQL Server.

"Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory," the company wrote in a security advisory published on Monday. "Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time."

Affected systems are: Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected, the advisory says.

Microsoft said that once it completes its investigation, it will "take the appropriate action to protect our customers," which could include issuing a security patch through a service pack, in the monthly security update, or via an out-of-cycle security update.

The vulnerability was disclosed December 4 by Bernhard Mueller of SEC Consult Vulnerability Lab.

December 22, 2008 8:15 PM PST

Microsoft issued an advisory late Monday confirming a remote code execution vulnerability affecting its SQL Server line.

The vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

Not affected by this issue, Microsoft said, are systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008.

From Microsoft's advisory:

Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.

In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.

Microsoft said it was unaware of any active attacks utilizing the exploit code.

The advisory comes less than a week after Microsoft released a critical security patch to plug vulnerabilities in Internet Explorer amid malicious attackers taking advantage of the security flaws.

December 22, 2008 8:56 AM PST

Check Point Software Technologies announced Monday it plans to acquire the security appliance business of cell phone giant Nokia.

With the acquisition, the security software maker plans to use Nokia's security appliance business to broaden its footprint in the security appliance market.

Check Point, which is predominately known for its security firewall business, has branched out into the security appliance business over the past five years, beginning with its VPN-1 Edge device.

Nokia's security appliance business currently serves 23,000 customers throughout the world and is already designed to work with Check Point's firewall, virtual private network (VPN), and unified threat management software.

The two companies have collaborated on product development for over a decade, including developing security software for mobile and Internet devices.

For example, Nokia's Internet appliance clustering technology allows groups of VPN and firewall appliances to work together, with an aim toward improving performance and reliability.

The deal is expected to close in the first quarter. Terms were not disclosed.

December 18, 2008 7:45 AM PST

Mozilla has released updates to its popular Firefox browser, its Thunderbird e-mail client, and its SeaMonkey application suite, aiming to address highly critical security flaws that could expose users' sensitive information.

Users are advised to update to version 3.0.5 of Firefox, which was released Tuesday. They are also advised to update to version 2.0.0.19 of Thunderbird and version 1.1.14 of SeaMonkey.

The vulnerabilities were found in earlier versions of Firefox 3, as well as in versions of Firefox 2.

According to a research note released Wednesday by security researcher Secunia:

Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system.

  1. Errors in the layout and JavaScript engines can be exploited to corrupt memory and potentially execute arbitrary code.
  2. An error when processing the "persist" XUL attribute can be exploited to bypass cookie settings and uniquely identify a user in subsequent browsing sessions.
  3. Multiple errors can be exploited to bypass the same-origin policy, disclose sensitive information, and execute JavaScript code with chrome privileges.

One advisory addresses critical security flaws in all three programs (Firefox, Thunderbird, and SeaMonkey) that could arise from memory corruption and result in malicious attackers launching arbitrary code from users' computers.

Mozilla also notes that another set of critical vulnerabilities in all three could redirect users from a legitimate site to a malicious one, where users' private data could be stolen. And a third set of critical flaws noted in all three could lead to the launching of arbitrary JavaScript within a different Web site.
