Exploiting Network Cards

Now this is a scary (and pretty cool) potential abuse of network card firmware and PCI bus architecture to bypass firewalls described by Arrigo Triulzi (quoted on Ben Laurie’s blog):

3) from 1 & 2 above, after about two years, I’ve reached my goal of writing a totally transparent firewall bypass engine for those firewalls which are PC-based: you simply overwrite the firmware in both NICs and then perform PCI-to-PCI transfers between the two cards for suitably formatted IP packets (modern NICs have IP “offload engines” in hardware and therefore can trigger on incoming and outgoing packets). The resulting “Jedi Packet Trick” (sorry, couldn’t resist) fools, amongst others, CheckPoint FW-1, Linux-based Strongwall, etc. This is of course obvious as none of them check PCI-to-PCI transfers,

Ben reckons it’s possible to do even more:

IMO: because of the nature of the PCI bus, you can use the same technique on any machine with a vulnerable NIC to read all of RAM.

Of course the attacker would need to compromise the card first, either by cracking the box or supplying malicious hardware.

VueStar Image Link Patent Info Site

For those who’ve heard the crazy news about the patent trolls who are invoicing people based on their claim to have invented image linking in 2000 (and patented it in 2002), there is a site gathering information about the patent itself (Republic of Singapore Patent No. 95940) and the Australian company behind it.

The site is at http://suevuestar.biz/ and includes the handy information that the Australian patent actually lapsed because they failed to pay the renewal fees!

Response to PayPal on EV Certificates

Over on the PayPal blog Michael Barrett (their chief security officer) mentions a paper he and Dan Levy wrote extolling the virtues of Extended Validation certificates.

I’ve left a comment there (yet to escape from moderation) questioning the merits of EV and I thought I’d reproduce it here, especially in light of the recent cross-site scripting attack against PayPal through a page protected by such a certificate.

Re: Glen Turner: Key generation

In his blog Glen writes on the Debian OpenSSL stuffup:

Hopefully this fiasco will re-energise hardware manufacturers into providing hardware-based random number generation. The current scavenging across the operating system for any source of entropy isn’t acceptable and is one of the root causes of this current flaw.

But this wouldn’t have helped in this situation: OpenSSL already supported those hardware sources, but the patch (which was posted to the openssl-dev list for comments before being applied; it’s a short thread and well worth a read) effectively removed the call that adds those (and all other) sources of entropy to the pool, leaving just the PID – hence 32,768 possible keys.. 🙁

If you’re an LWN subscriber (and if you’re not, you should be!) this article is well worth a read (it’ll become accessible to non-subscribers on Thursday, Australian time)..

Vacation 1.2.7.0 rc1 released

This is the first release candidate for vacation 1.2.7.0 and fixes a segmentation fault for a broken Reply-To: header where there is no address specified.

I’ve also added a KNOWN_BUGS file, which notes that vacation currently doesn’t cope with multi-line (wrapped) headers; this is scheduled to be fixed in 1.3 and work is in progress in the SVN trunk.

Please test this and report back – if you find any problems please do report them!

Download the release from SourceForge.
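As an added illustration (not vacation’s own code, which is C) of the two header-handling problems this release note mentions, here is a small Python header reader that unfolds wrapped (multi-line) headers and treats a Reply-To: carrying no address as “no address” rather than something to dereference, falling back to From: and finally to not replying at all. The three sample messages are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample messages (not real mail).
BROKEN_REPLY_TO = (
    "From: Sender <sender@example.com>\n"
    "Reply-To: \n"                      # header present, but no address at all
    "Subject: out of office test\n"
    "\n"
    "body\n"
)
FOLDED_HEADERS = (
    "From: Some Long Display Name\n"
    " <user@example.com>\n"             # continuation line: starts with whitespace
    "Subject: a folded\n"
    " subject line\n"
    "\n"
    "body\n"
)
NO_USABLE_ADDRESS = (
    "From: Nobody <>\n"                 # empty angle brackets
    "Reply-To: \n"
    "\n"
    "body\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse RFC 822-style headers into {lowercased-name: [values]}.

    Continuation lines (beginning with SP or HTAB) are unfolded onto the
    previous header's value; parsing stops at the first blank line.
    Malformed lines are skipped rather than treated as fatal.
    """
    headers: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break                       # blank line ends the header block
        if line[0] in " \t":
            if current is None:
                continue                # nothing to fold into; ignore
            headers[current][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                    # not "Name: value"; skip
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return headers


# Minimal addr-spec check: something@something, no whitespace or brackets.
_ADDR_SPEC = re.compile(r"^[^\s@<>]+@[^\s@<>]+$")


def extract_address(value: str) -> Optional[str]:
    """Return the addr-spec in a header value, or None when there is none.

    Handles both bare addresses and "Display Name <addr>"; an empty header
    or empty angle brackets yields None instead of an empty string.
    """
    angle = re.search(r"<([^>]*)>", value)
    candidate = (angle.group(1) if angle else value).strip()
    return candidate if _ADDR_SPEC.match(candidate) else None


def reply_address(headers: Dict[str, List[str]]) -> Optional[str]:
    """Where an auto-reply should go: Reply-To: if usable, else From:, else nowhere."""
    for name in ("reply-to", "from"):
        for value in headers.get(name, []):
            addr = extract_address(value)
            if addr:
                return addr
    return None


if __name__ == "__main__":
    for label, msg in (("broken Reply-To", BROKEN_REPLY_TO),
                       ("folded headers", FOLDED_HEADERS),
                       ("no usable address", NO_USABLE_ADDRESS)):
        print(f"{label}: reply to {reply_address(parse_headers(msg))!r}")
```

The key defensive choice is that `reply_address` returns `None` rather than an empty string when nothing usable is present, so the caller has one explicit “don’t send” case to handle instead of a value that looks like an address but isn’t.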

Help Search for the Missing 1999 Mars Polar Lander

The Planetary Society’s Emily Lakdawalla has blogged about an interesting project up on their website at the moment, trying to rope in volunteers to help NASA locate Mars Polar Lander using images from the HiRISE camera on the Mars Reconnaissance Orbiter. Emily writes:

What I would really love is if any of you readers out there who wanted to join in the search would write to me and let me know which image you’re searching, or ask me to assign you one, so that we can spread out the effort of all the volunteer searchers and make sure each image is examined by multiple people. I’ve also given some guidelines on how to report anything that you think might be a piece of the missing Mars Polar Lander. So if you want to join in the search, go check out that page.

Currently there are 18 images to search through, and the full resolution JPEG 2000 images are over 1GB a shot..

Debian OpenSSL stuffup – SSH keys and SSL certs not random enough (updated)

Update: Debian has a good summary page on their wiki.

This is pretty serious – a packaging stuff-up for OpenSSL by Debian (and hence Ubuntu) has resulted in not-very-random randomness being used in various packages such as OpenSSH for key generation. The Ubuntu report says:

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.

This is a Bad Thing(tm); Debian have told their own developers:

Since the nature of the crypto used in ssh cannot ensure confidentiality if either side uses weak random numbers we have also randomized all user passwords in LDAP.

It’s also been around for almost 2 years now according to the Debian security notice:

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable distribution on 2006-09-17, and has since propagated to the testing and current stable (etch) distributions. The old stable distribution (sarge) is not affected.

So now would be a good time to change your passwords, unless you can be certain you’ve never logged into a Debian or Debian derived system..
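To make concrete the “PID is the only entropy left” point from the Glen Turner post above and the Ubuntu advisory quoted here, this is an added Python model (not OpenSSL’s PRNG and not Debian’s tooling) of a key generator whose sole seed is the process ID. It enumerates every key such a generator can produce, shows that the space is 2^15 = 32,768 candidates, and uses that enumeration as a blocklist in the way a weak-key scanner does; `toy_keygen` and `PID_MAX` are assumptions of the model.

```python
import hashlib
import math
import os
from typing import Dict, Optional

# Assumption: 2**15 possible PID values, matching the 32,768 figure quoted above.
PID_MAX = 32768


def toy_keygen(pid: int, key_bytes: int = 16) -> bytes:
    """Toy key derivation whose only input is the PID (a model, not OpenSSL).

    Stands in for a PRNG that has had every other entropy source removed:
    the output is a deterministic function of the PID, so the number of
    distinct keys is bounded by the number of distinct PIDs.
    """
    return hashlib.sha256(pid.to_bytes(4, "big")).digest()[:key_bytes]


def proper_keygen(key_bytes: int = 16) -> bytes:
    """Key drawn from the OS CSPRNG, for contrast."""
    return os.urandom(key_bytes)


def enumerate_weak_keys() -> Dict[bytes, int]:
    """Every key the toy generator can ever emit, mapped back to its PID.

    This is the defender's view: because the space is tiny, all of it can be
    precomputed once and used as a blocklist to flag keys that need replacing.
    """
    return {toy_keygen(pid): pid for pid in range(PID_MAX)}


def find_weak_pid(key: bytes, blocklist: Dict[bytes, int]) -> Optional[int]:
    """Return the PID that produced `key` if it is on the blocklist, else None."""
    return blocklist.get(key)


def key_space_bits(n_keys: int) -> float:
    """Effective security, in bits, of a space of n_keys equiprobable keys."""
    return math.log2(n_keys)


def expected_collisions(n_hosts: int, n_keys: int = PID_MAX) -> float:
    """Expected number of host pairs that end up sharing a key when each
    host independently draws one of n_keys equiprobable keys."""
    return n_hosts * (n_hosts - 1) / 2 / n_keys


if __name__ == "__main__":
    blocklist = enumerate_weak_keys()
    print(f"distinct keys the PID-only generator can produce: {len(blocklist)}")
    print(f"that is {key_space_bits(len(blocklist)):.0f} bits of security, "
          f"versus 128 for a properly seeded 128-bit key")
    sample = toy_keygen(4321)
    print(f"key {sample.hex()} is weak; generated under PID "
          f"{find_weak_pid(sample, blocklist)}")
    good = proper_keygen()
    print(f"key {good.hex()} on blocklist? "
          f"{find_weak_pid(good, blocklist) is not None}")
    print(f"expected shared keys across 300 such hosts: "
          f"{expected_collisions(300):.1f}")
```

The `expected_collisions` figure is the operational reason to rotate rather than wait: with only 32,768 possible keys, a fleet of a few hundred hosts is already expected to contain identical key pairs, and a precomputed blocklist finds every affected key in a single dictionary lookup.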

Old protocols have their advantages

If you were fretting about the Ubuntu mirrors being so slow, remember that the installer defaults to using HTTP, rather than FTP.

Warning: download speeds can go down as well as up..