
FBI Wants New Internet Powers!


Mr. Nevermind

Hate to be the bearer of bad news, but... The FBI don't give a fuck about what laws are passed in order to look into someone. The FBI has and always will do exactly what they want, regardless of legality. I have a client who is a head of a division in the FBI. I asked him years ago, once the Patriot Act was passed, if it would make his job easier. He said "the Patriot Act don't matter, it just makes what we have been doing for years legal now". FBI does what they like and there is little we can do about it at this point, sorry.

If they are talking about passing a law in order to look at people online, chances are they have been doing so for years anyway and are making a new law and grandfathering it so they aren't criminals. That's the game.





Nevermind
 
You guys sure SSL is working on this site? It throws an error message in Firefox when I try. Perhaps it only works for login. I would love to see this working both here and on SBay. I think SBay would be more important at this point, but last time I tried connecting to it securely, all kinds of error messages came up. One seemed to indicate a certificate was there, but not implemented correctly.

Back to the topic: this will not happen. Everyone can be very thankful that Dems are back in power for a couple of years. They alone will stave off a fair amount of this crap. Furthermore, no way in hell are developers going to do this for them. MS and Apple could be considered web developers. I could see Apple telling the feds to piss off, not 100% sure about MS, although I think they would do the same. The fact that their [MS] systems get shipped all over the world and are used by every large company and modern governments would basically turn MS into a branch of the FBI and CIA, opening the door for large scale corporate espionage and "friendly" espionage of allies throughout the world which would then backfire, both on a relationship basis and an economic one. I think the back door would become publicly known while the system was in beta and would be the nail in the coffin for MS as people are already sick of all the security flaws with Windows. I could see the EU kicking MS out of Europe over this as they already have it in for them.

All I can say is I run OpenSource software as much as possible since a lot of knowledgeable, decent people can look at the source code and make sure everything is kosher. A stunt like this would kill the commercial software market and open up the landscape for OpenSource systems and software.

BTW - PGP (the commercial version) already has a back door. Stay away from it. Use one of the open source PGPs instead.
 

badboyg

Member
two points for you all..

1. SCREW HTTPS.. use TOR

2. MSN has had a back door to the NSA for a LONG TIME folks... I recall a flap a few years back.. they released an early version of XP?? may have been back with 2000 or 98?? I forget, time flies.... anyway an "outside" group got access to the pre-release, and it showed several NSA keys and other issues... all were renamed and hidden for later issues....

face it is a brave new world and it scares the SHIT out of me........
 

guineapig

Active member
Veteran
badboyg how did you post 3 times the same message without your post count going up?????

NOW i'm really scared!!!!!

(guineapig hides in a corner of the cage)
 

badboyg

Member
guineapig... sorry about DUP POSTS.. it kept hanging up so I would resend, the "resend" did not refresh the thread.. so when I did .. HOLY SHIT BATMAN

St0n3r.. the deal with TOR is it does not show up as a proxy AND it uses many servers so it's not hitting the same place every time.. unlike a proxy alone. IF you're not using it I would HIGHLY suggest it.... FAST!!


MOSSE. dude you called it... as long as the public is DISTRACTED with such media CRAP.. and have food and the cell phone, the sheep will not make much noise.....

you know I think reading 1984 needs to be mandatory.... if you look at how our conflicts have gone in past years, it looks like a page out of 1984... remember where in a rally the enemy was suddenly changed... and everyone just changed who they hated..... they made it look like a plot of some sort,

its just like all the elections,,, total distractions and BS flying,,, always keeping some drama on the screen,,, BASTARDS....
 

GMT

The Tri Guy
Veteran
You know for years I have been hearing folks say bring back Maggie, and only now am I starting to understand how special that Ronnie / Maggie thing was. Maggie used to say that Government had no role in people's private lives, and despite all her other madness, I'd take her back over the crook Blair any day.
What happened to the https thing on this site?
 

badboyg

Member
you know I recall hearing the same thing about maggie MORE than once,, you just do not know HOW good it is till its gone,,,,,
 

WIHotHead

New member
HAHA That sucks so bad if it comes down to it.


I will have to go to the library to use their computers!!!!!!!!!!!!!!
 

Guest

High everyone,

Excuse the noob question, how can I use TOR?

Any one with more info on encryption?
 

Existenzophile

New member
REZDOG said:
SSL is a JOKE, and everyone that knows encryption would tell you so.


SSL is not a joke; even if the underlying encryption powering it is susceptible to an ever increasing array of attacks (one was just released last week), and the implementation of the RSA encryption algorithm in SSL has flaws, it is still a valuable tool to protect against traffic analysis attacks when visiting webpages.

I would take SSL over nothing any day.
 

Existenzophile

New member
Chakal said:
High everyone,

Excuse the noob question, how can I use TOR?

Any one with more info on encryption?

Download it from http://tor.eff.org/dist/vidalia-bundles/vidalia-bundle-0.1.1.25-0.0.7.exe

Vidalia is a graphical front end for tor, that is actually very slick.

There are plugins for Firefox called "FoxyProxy" & "torbutton" that will automatically configure Firefox to use Tor.

--
I've got plenty of information on Encryption, you'll just have to tell me in more detail what you are looking for. If you look back through this forum there is a thread called "How to Encrypt" that I posted some great info in. Start there. :)
 

REZDOG

Active member
Veteran
SSL is easily defeated by sniffer programs, afom sits at a cafe and tears SSL a new asshole.
You wouldn't believe how many people think what they send thru the air, "SSL encrypted", is safe.
I can assure you, it's not.
 

Existenzophile

New member
REZDOG said:
SSL is easily defeated by sniffer programs, afom sits at a cafe and tears SSL a new asshole.
You wouldn't believe how many people think what they send thru the air, "SSL encrypted", is safe.
I can assure you, it's not.

SSL cannot be defeated by a sniffer alone. A sniffer like Wireshark or TCPdump cannot intrinsically break the encryption SSL provides. Other tools do indeed circumvent SSL, but that by no means makes it worthless. I would much rather authenticate with a website over SSL than without it.

Is it the best solution? Absolutely not. But it is Much Safer than sending login credentials in plain text.

Is it a Worthwhile addition to a security setup? Yes.

There's a Cafe less than a Mile from my house, and I can associate with clients on their network with a 9db Yagi from my desk. It can be loads of fun to read Trendy folk's email, but it's much more fun acting as a Rogue AP or re-injecting packets on the network. Even from a mile away, I can respond to TCP/IP requests faster than Google can. I don't think many people really enjoy goatse with their Latte though...


Even more fun is the old Laptop in the Airport game. (or on the plane) You would be amazed how many people leave on their wireless cards in places where there sure as shit aren't any access points.
 

Existenzophile

New member
Here's a great writeup on SSL's strengths and weaknesses from Security Focus.

http://www.securityfocus.com/infocus/1198

SSL - Rumours and Reality: A practical perspective on the value of SSL for protecting web servers
by Charl Van Der Walt
last updated Jan. 24, 2001

Introduction to SSL

You may have connected to a web page every now and then and noticed a small padlock icon at the bottom of your browser window. What does this padlock signify? It means that the web-site is protected by SSL. SSL stands for 'Secure Sockets Layer' and refers to a protocol (or technique) that ensures a secure connection to a web-site. It does this in two ways. First, SSL provides a means by which the parties involved in an information exchange can verify one another's identity. Obviously it's important to know who you are connected to before you start exchanging confidential information. SSL addresses this requirement very nicely by means of digital certificates, which I will explain shortly. Secondly, it changes data into an unreadable format while it traverses an untrusted network like the Internet. You may know of this as encryption. This article will discuss the ways in which SSL provides safe, secure Internet transactions, including: how SSL works, why it is an effective weapon against hackers and how it can sometimes help hackers.

Digital Certificates

In order to discuss SSL, it is crucial to understand the concept of digital certificates. Digital certificates are a mechanism through which we are able to accurately identify something (like a person or a web server) in a completely open system like the Internet. (I say that the Internet is an open system because we have no control over who the users of that system are.) A digital certificate contains information that authenticates the identity of the user, ensuring those who communicate with the holder of the certificate that he or she is who they say they are. Digital certificates are granted by Certificate Authorities, trusted third-party sources that have been authorised by banks, governments and other institutions to guarantee the identity of the holder of the certificate. In addition to containing unique identifying information, digital certificates also contain the public encryption key of the certificate holder.

For example, a bank may want to offer secure online banking facilities using encryption. Encryption necessitates the exchange of encryption keys, which is very hard to do on the Internet where one has no way of knowing who they are actually dealing with on the other side. SSL overcomes this hurdle through the use of digital certificates that not only identify the parties of information exchange, but also already include keys with which the exchange can be encrypted. When SSL is used to encrypt connections to a web server, it is sufficient that only the server itself has a certificate. The users are able to identify themselves by means of the traditional user name and PIN combination. As we shall see later in this discussion, SSL version 3 also makes it possible for users to identify themselves using digital certificates. This is called 'client side authentication' and, when properly implemented, it can significantly raise the security of the system.

The Value of Server Certificates of Authentication

The use of digital certificates allows SSL to offer authentication - the promise that the server the user is connected to is the one that he or she requested. This is obviously critical for users to know before they disclose any confidential information such as a credit card number or a PIN. How could it happen that the server I've connected to is not the one I requested? It's simple really. On the Internet, web servers are actually known by an IP address - a unique 32-bit number that's very hard for humans to remember. DNS - the Domain Name System - and other mechanisms are used to map those addresses to names that are easy for users to understand, like 'www.internetbanking.com'. When a user types 'www.internetbanking.com' in the address window of the browser a complex process kicks off to determine what IP address is actually being requested. Large parts of this process are usually beyond the control of both the user and the website administrator and are vulnerable to attack at a number of points. This can have the effect that, when users type 'www.internetbanking.com', they are in fact directed to a site controlled by a potential attacker and not by the bank.

The impact of such an attack can range from embarrassing (if the new site displays porn, for example) to disastrous. Imagine if the attacker were to build an exact duplicate of the bank's online banking site. Users could potentially submit their card numbers and PINs only to be told that there was a technical problem with the site and "please try again later". In the meantime, the attacker could use the newly-acquired card number and PIN to steal money from the real site at leisure. (There's a lot more to be said about this kind of attack, but I'll leave that for another time.)

SSL attempts to address exactly this kind of problem by storing the domain name of the server in the digital certificate. When a user connects to a site using SSL, the server presents the certificate in which the domain name is contained. The browser then compares the name contained in the certificate with the name that the user entered in the address window. Any discrepancy is seen as a possible security issue and the user is notified through a pop-up window. In theory (and technical implementation errors aside) this mechanism works perfectly. However, the process falls short on two faulty assumptions:

1. that the user will react correctly to the security notification; and,
2. that the user is aware that the site has a certificate in the first place.

Imagine an attack like the one described above in which the attacker creates a duplicate of a bank's site. The hacker doesn't know of any easy way to trick the SSL authentication mechanism, so he or she simply leaves SSL out of it. The attacker's imposter site would not have a certificate so there would be no name field for the browser to check. The only noticeable difference would be that there would be no little lock in the corner of the browser window to indicate that the connection is SSL secured. However, for a variety of reasons, the user might overlook the fact that there is no secure site icon and unknowingly enter their valuable personal information on the hacker's site.

Clearly, SSL technology offers effective authentication. However, it could be argued that an insufficient number of users are adequately aware of the necessity of SSL to establish a secure connection. Unless more users are educated about SSL and secure sites, having those measures in place will not necessarily serve as any sort of guarantee of users' protection. Unless users are made sufficiently aware of the need to look for security measures on a site, the presence of security measures may not be optimally effective.

SSL and Stored Data

Once a user enters data on a web-site that is secured with SSL, what is the status of that data? Can it be considered secure? As a user enters his or her credit card number the data is encrypted and it travels securely over the Internet to the web server, where it is processed. What happens to the data then? Typically the card number, along with the user's name and other personal details is stored on a database and/or forwarded to some financial switch for further processing. Is that data secured? Is it secure where it is stored? Who has access to it there? Although there are some really excellent e-commerce back-end switches, hackers have successfully managed to compromise the servers on which data is stored (as was exemplified by the Egghead break-in of December, 2000.) In fact, my guess is that in most cases when we hear of credit card numbers or other data being compromised, this is how it was done.

Although a site may be secured by SSL, this does not necessarily mean that data entered, and subsequently stored, on a site will be secure as well. We all need to realise that SSL offers a solution for only a very small part of the total e-commerce security problem. The fact that a site presents a digital certificate actually says nothing about the level of security protecting a user's information at that site.

The Value of SSLv3 and Client-Side Certificates

With the introduction of version 3 in 1996, SSL offered support for 'client-side' certificates. This means that a server can request clients (or machines that are requesting to be connected to the server) to present their own digital certificates before an SSL session is established. The user's name or email address is recorded in the certificate and can be used by the server to verify the user's identity. Remember that the client's certificate has been digitally 'signed' by a Certificate Authority as confirmation of the user's identity. Client-side authentication, when properly implemented, presents the hacker with a pretty formidable obstacle. So does that mean they throw in the towel? Not likely (hackers are not known for backing down from a challenge!)

SSL and Vulnerability to Attacks

The use of SSL on a web server can give administrators a false sense of security. A web server that uses SSL is just as vulnerable to attacks as any other server, and should be cared for in exactly the same way. In short, encryption and a digital certificate, the main components of SSL, can never protect a server - they can only protect data in transit to and from that server. The following examples will illustrate the ways in which SSL is still vulnerable to attack.

Certification Weaknesses

It should be noted that public CAs like Verisign are not infallible. One mistake administrators often make is to place too much trust in public CAs like Verisign. Thus, if Verisign issues a certificate that states that I am 'John', the administrator henceforth accepts that I am John. Unfortunately, when it comes to user certificates, public certificate authorities probably care a lot less about who any particular user is than a site administrator does.

For example, Verisign issued a team of 'hackers', of which I am a member, a certificate in the name 'Administrator' (first name 'Administrator', last name blank). The first thing we do when a site asks us for authentication is to offer the 'Administrator' certificate. You'd be amazed how far that gets us. What makes it even better is that IIS (Internet Information Server, Microsoft's Web server that runs on Windows NT platforms) has a feature called 'Client Certificate Mapping', which maps the name in the certificate you present to a user account under NT, thus giving us Administrator privileges on that host.

Brute-Forcing Certificates

If they are unable to penetrate a server using an illegitimate certificate, hackers can try a 'brute-force' attack. Although this is much harder with certificates than with passwords, it can still be done. To brute-force attack client-side authentication the attacker compiles a list of possible user names and applies to a CA for a certificate in each of those names. One-by-one each of those certificates is used in an attempt to gain access. The smarter the choice of user names, the better the chances that one of the certificates will be accepted. Brute-force with certificates is made easier by the fact that the attacker only has to guess a valid user name, not a user name AND password.

Stealing Valid Certificates with Trojan Horses

Finally, the hacker can try and steal a valid certificate with its corresponding private key. The easiest way to do this would be with a Trojan horse. A Trojan is a kind of remote control robot package that, if installed, gives an attacker full control over the victim computer. The trick is to get the package installed. But with a little creativity this is easier than you'd think. Microsoft was successfully attacked in this way in October, 2000. If someone can sneak a Trojan onto an internal computer at MS don't you think they can do it to your doctor's PC at home?

This last attack is where client certificates really fall short. While the attacks referred to previously rely primarily on human error, this attack exploits a fundamental weakness with certificates; namely, that the private key - the nucleus of the entire security system - is often stored on an insecure platform. The only real protection against this may be to store the certificates on a smart card or some other form of token, but that's another topic for another time.

These three types of attack indicate that certain weaknesses exist in the concept of security through certification. Is client authentication the answer to our problems then? I'm afraid not. For further reading on some of the inherent problems with certification as a security measure, read what Bruce Schneier and Carl Ellington have to say on this topic.

SSL and IDS

'IDS' stands for 'Intrusion Detection System' and it's a neat way of knowing when someone's attacking your server. An IDS typically monitors traffic on the network and compares the traffic patterns it detects with a database of known attack 'signatures' or methods. When an attack is detected, the IDS can react by notifying an administrator, terminating the connection or even launching a counter-attack! (Now there's a subject for further discussion!!) The problem is that if the traffic is encrypted then it can't be monitored by the IDS. This often makes the job of attackers much easier.

Given the typical DMZ scenario in which a group of servers are protected by a firewall and watched over by an IDS, hackers can safely probe around on the SSL-protected site because they are hidden from IDS detection by the encryption of SSL. Often a single web server responds to both SSL and normal TCP. Because hackers are attacking the server and not the connection, they can choose either path. Using SSL puts hackers at an advantage because they know that, thanks to the encryption offered by SSL, there is much less chance of being detected by an IDS.

Conclusion

Please don't get me wrong on this. Despite the problems that I have outlined here, SSL is still an effective component of a well-rounded, well-informed security strategy. However, as with all weapons in the security arsenal, it is ineffective if used in isolation from other weapons. Above all, like any other security tool, it is only as effective as the people using it. The danger lies in overestimating the value of SSL. SSL is not a secret weapon, it only wins one small battle in what is a very large, long and complex war. Until we can start winning some of the other battles e-business will remain risky business.

Post Script: How Do I Do My E-Stuff

After all I've said about the dangers of on-line commerce, you may be wondering whether I use the web for transactions at all. Absolutely. Although I am acutely and personally aware of the dangers of e-commerce, the convenience it offers is simply too good to ignore. I have two credit cards, one of which is used almost solely for web shopping etc. By carefully controlling the limits on this card I can minimise the losses I may incur if my number were to leak out. This is called 'risk management' and it is the essence of information security.

Thanks to Roelof Temmingh, my friend and partner, whose cunning mind is the greenhouse in which many of these ideas were grown.

Charl van der Walt is a founder-member of SensePost Information Security - an information security services company specialising in risk assessment and penetration testing, consultation and training. He has a dog called 'fish'. To discuss pets or any other issues related to security please mail me at [email protected], or visit our web site at http://www.sensepost.com.
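
The client certificate mapping weakness from the "Certification Weaknesses" and "Brute-Forcing Certificates" sections of the article quoted above, shown from the server side as an added example (not part of the original post or the article, and not IIS code). It assumes the TLS layer has already validated the certificate chain; the class names, CA names, accounts and certificate bytes are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    """Fields a server sees after the TLS layer has validated the chain."""
    subject_cn: str   # name the CA wrote into the certificate
    issuer_cn: str    # which CA signed it
    der: bytes        # raw certificate bytes (constructed placeholders here)

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


# Hypothetical local accounts and their privilege level.
ACCOUNTS = {"administrator": "admin", "jsmith": "user"}


def map_by_name_only(cert: ClientCert):
    """Weak mapping: the subject name alone selects the local account."""
    name = cert.subject_cn.lower()
    return name if name in ACCOUNTS else None


class PinnedMapper:
    """Hardened mapping: an account is bound to one enrolled certificate
    from an issuer the site explicitly approves for user certificates."""

    def __init__(self, user_issuers):
        self._issuers = frozenset(user_issuers)
        self._by_fingerprint = {}

    def enroll(self, cert: ClientCert, account: str) -> None:
        if cert.issuer_cn not in self._issuers:
            raise ValueError("issuer not approved for user certificates")
        if account not in ACCOUNTS:
            raise ValueError("unknown account")
        self._by_fingerprint[cert.fingerprint] = account

    def map(self, cert: ClientCert):
        if cert.issuer_cn not in self._issuers:
            return None
        # The subject name is ignored; only the enrolled certificate counts.
        return self._by_fingerprint.get(cert.fingerprint)


# Constructed sample certificates: same subject name, different origins.
SITE_ADMIN = ClientCert("Administrator", "Example Site Internal CA", b"constructed-der-1")
PUBLIC_LOOKALIKE = ClientCert("Administrator", "Example Public CA", b"constructed-der-2")
INTERNAL_LOOKALIKE = ClientCert("Administrator", "Example Site Internal CA", b"constructed-der-3")


def demo():
    mapper = PinnedMapper({"Example Site Internal CA"})
    mapper.enroll(SITE_ADMIN, "administrator")
    return {
        "weak_public_lookalike": map_by_name_only(PUBLIC_LOOKALIKE),
        "pinned_public_lookalike": mapper.map(PUBLIC_LOOKALIKE),
        "pinned_internal_lookalike": mapper.map(INTERNAL_LOOKALIKE),
        "pinned_enrolled": mapper.map(SITE_ADMIN),
    }


if __name__ == "__main__":
    for case, account in demo().items():
        print(f"{case}: {account}")
```

With name-only mapping the subject name is the whole credential, so the number of guesses needed equals the number of plausible account names; binding each account to an enrolled fingerprint removes the name from the decision.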
 