Monday, January 12, 2009

Isolate applications on your PC

A lot of IT professionals and security experts try to lock down their machine against malicious code (especially those who run Windows OS's). When I come along a new free application, I first like to try it out in a virtual machine environment, just to be on the safe side in case their is malicious code running in the application.

But, there are malicious applications that can detect the virtual environment, and do not try to exploit the machine. What can someone do in that case?

There is a very very nice applications, called Sandboxie by Ronen Tzur. This small application basically runs any application (even installers) in isolated space, so any changes made to the filesystem are not reflected in the actual systems' filesystem. This space may be discarded at any time, and with it, any changes made by malicious code.

The newest version (3.34) has the addition of a DropMyRights like feature, which runs the isolated application with the lowest possible level of rights on the machine. In general this is a very nifty application, and one that is very modestly priced. Purchase allows the user a lifetime subscription of updates, and unlimited use of the application on any computer that the end-user owns.

There are limitations though (such as the inability of Sandboxie to be installed on Vista or XP 64 bit versions, due to Windows PatchGuard), but is overall, in my modest opinion, a must have application for the security conscious.

Friday, January 9, 2009

SSL Blacklist - Useful tool for recent MD5 risk

Marton Anka (www.CodeFromThe70s.org) has a pretty nifty tool for detecting pages that use certificate chains with signatures based on the MD5 algorithm which was recently attacked.

The tool is a Firefox extention, that pops-up a window informing the user that the certificate used by the page is potentially compromised and that access to that url may be not be secure. Here is a screenshot:




















Following the recent compromise of SSL certificates and the fact that a lot of DNS servers still remain unpatched against the Kamnisky attack, this is a tool that I am using and would recommend to anyone. Keep in mind that this only informs you about a potential risk. It does not know if the certificate is indeed insecure (as there is no way to know this).

Also, after listening to my favorite podcast (Security Now!), certificates can be reissued for free so they are signed using SHA1 instead of MD5. So, when you come accross a site that has an MD5 signed certificate, drop a message to the webmaster to inform them about this.

Monday, January 5, 2009

PS3 cracks security yet again...

Well, after the last blog I wrote (a year ago, embarassing, I know), it seems that SONY's PS3 has delivered yet again on it's pre-release promises of computational power.

In my previous blog spot, I wrote about the PS3's ability to crack MD5 hashes. Of cource, one machine could only (!) do 1000 times better than an Intel based processor, yielding the attack probably too time-consuming to be a real threat. But, as I predicted, a real threat has appeared.

Combining the computational force of 200 of these machines, attackers managed to break one of the MD5 algorithms used by Equifax and forge an invalid certificate from a valid provider. More details can be found here, here and here.

But the problem is not the attack itself, but rather the downplay from a number of parties, including the researches that performed the attack, and Microsoft. They are basing their evaluation of the risk to the fact that in order for black-hat attackers to use the breakthrough they need to have the cryptographic backround. And of course, we know how dumb hackers are when it comes to monetary gain...

A remedy of sort is not using MD5 as a hashing algorithm for SSL. It is well known that SSL uses two (primary) methods for doing hashing, MD5 and SHA1. For those who might be a bit worried, simply trust (for the time being) encrypted pages that use certificates that either use only SHA1 or use both SHA1 and MD5. It also has to be noted that in order for an attack to be succesful, not only does an attacker have to create a forged SSL certificate, but also redirect a victim to a malicius server. And we know that can't happen (remember the Kaminsky attack? 25 per cent of the worlds DNS servers still remain unpatched!)

To keep things short, I said it a year ago, I'll say it again. I may not be a guru in the field, but I know enough to understand that week algorithms should be made obsolete. SHA1 may be a remedy for the time being (as it is more secure than MD5 currently), but remember, it has not been ckacked, but it has been broken. Serious businesses should move to more secure algorithms, as if they wait for the tidal wave of security failure, I'm pretty sure they will go down with their ship.