Entries Tagged "forgery"

Forging SSL Certificates

We already knew that MD5 is a broken hash function. Now researchers have successfully forged MD5-signed certificates:

Molnar, Appelbaum, and Sotirov joined forces with the European MD5 research team in mid-2008, along with Swiss cryptographer Dag Arne Osvik. They realized that the co-construction technique could be used to simultaneously generate one normal SSL certificate and one forged certificate, which could be used to sign and vouch for any other. They purchased a signature for the legitimate certificate from an established company that was still using MD5 for signing, and then applied the legitimate signature to the forged certificate. Because the legitimate and forged certificates had the same MD5 value, the legitimate signature also marked the forged one as acceptable.

Lots and lots more articles, and the research.

This isn’t a big deal. The research is great; it’s good work, and I always like to see cryptanalytic attacks used to break real-world security systems. Making that jump is often much harder than cryptographers think.

But SSL doesn’t provide much in the way of security, so breaking it doesn’t harm security very much. Pretty much no one ever verifies SSL certificates, so there’s not much attack value in being able to forge them. And even more generally, the major risks to data on the Internet are at the endpoints—Trojans and rootkits on users’ computers, attacks against databases and servers, etc.—and not in the network.

I’m not losing a whole lot of sleep because of these attacks. But—come on, people—no one should be using MD5 anymore.

EDITED TO ADD (12/31): While it is true that browsers do some SSL certificate verification, when they find an invalid certificate they display a warning dialog box which everyone—me included—ignores. There are simply too many valid sites out there with bad certificates for that warning to mean anything. This is far too true:

If you’re like me and every other user on the planet, you don’t give a shit when an SSL certificate doesn’t validate. Unfortunately, commons-httpclient was written by some pedantic fucknozzles who have never tried to fetch real-world webpages.

Posted on December 31, 2008 at 1:39 PM

Buying Fake Nintendo Consoles Helps Terrorists

Really:

Speaking to the BBC, HMRC spokesperson Clare Merrills warned that faulty counterfeit consoles could be unsafe.

“You might find you plug it in and the adaptor sets on fire or the wires start to melt and stick out,” she warned.

“When you buy these goods, you’re not funding our economy, you’re actually funding criminals in these far off places and it could be linked to terrorism,” she added.

Why be rational, when you can stoke fear instead?

EDITED TO ADD (1/13): How to spot a fake Nintendo console.

Posted on December 16, 2008 at 10:47 AM

How to Steal the Empire State Building

A reporter managed to file legal papers, transferring ownership of the Empire State Building to himself. Yes, it’s a stunt:

The office of the city register, upon receipt of the phony documents prepared by the newspaper, transferred ownership of the 102-story building from Empire State Land Associates to Nelots Properties, LLC. Nelots is “stolen” spelled backward.

To further enhance the absurdity of the heist, included on the bogus paperwork were original “King Kong” star Fay Wray as witness and Willie Sutton, the notorious bank robber, as the notary.

Still, this sort of thing has been used to commit fraud in the past, and will continue to be a source of fraud in the future. The problem is that there isn’t enough integrity checking to ensure that the person who is “selling” the real estate is actually the person who owns it.

Posted on December 15, 2008 at 12:23 PM

Tourist Scams

Interesting list of tourist scams:

I have only heard of this happening in Spain on the Costa del Sol, but it could happen anywhere. This scam depends on you paying a restaurant/bar bill in cash, usually with a €50 note. The waiter will take your payment, then return shortly after, apologetically telling you that the note is a fake and that you need to pay again. He will return the “fake” bill to you, and any change you’re due. Of course, you gave him a REAL note, he gave you a FAKE note, and you gave him a second real note, so you paid €100 for a €50 meal. What I do now is write unobtrusively on all large notes I get, so I can challenge them if it happens to me.

Posted on December 8, 2008 at 6:54 AM

Kip Hawley Responds to My Airport Security Antics

Kip Hawley, head of the TSA, has responded to my airport security penetration testing, published in The Atlantic.

Unfortunately, there’s not really anything to his response. It’s obvious he doesn’t want to admit that they’ve been checking IDs all this time to no purpose whatsoever, so he just emits vague generalities like a frightened squid filling the water with ink. Yes, some of the stunts in the article are silly (who cares if people fly with Hezbollah T-shirts?) so that gives him an opportunity to minimize the real issues.

Watch-lists and identity checks are important and effective security measures. We identify dozens of terrorist-related individuals a week and stop No-Flys regularly with our watch-list process.

It is simply impossible that the TSA catches dozens of terrorists every week. If it were true, the administration would be trumpeting this all over the press—it would be an amazing success story in their war on terrorism. But note that Hawley doesn’t exactly say that; he calls them “terrorist-related individuals.” Which means exactly what? People so dangerous they can’t be allowed to fly for any reason, yet so innocent they can’t be arrested—even under the provisions of the Patriot Act.

And if Secretary Chertoff is telling the truth when he says that there are only 2,500 people on the no-fly list and fewer than 16,000 people on the selectee list—they’re the ones that get extra screening—and that most of them live outside the U.S., then it is just plain impossible that the TSA identifies “dozens” of these people every week. The math just doesn’t make sense.

And I also don’t believe this:

Behavior detection works and we have 2,000 trained officers at airports today. They alert us to people who may pose a threat but who may also have items that could elude other layers of physical security.

It does work, but I don’t see the TSA doing it properly. (Fly El Al if you want to see it done properly.) But what I think Hawley is doing is engaging in a little bit of psychological manipulation. Like sky marshals, the real benefit of behavior detection isn’t whether or not you do it but whether or not the bad guys believe you’re doing it. If they think you are doing behavior detection at security checkpoints, or have sky marshals on every airplane, then you don’t actually have to do it. It’s the threat that’s the deterrent, not the actual security system.

This doesn’t impress me, either:

Items carried on the person, be they a ‘beer belly’ or concealed objects in very private areas, are why we are buying over 100 whole body imagers in upcoming months and will deploy more over time. In the meantime, we use hand-held devices that detect hydrogen peroxide and other explosives compounds as well as targeted pat-downs that require private screening.

Optional security measures don’t work, because the bad guys will opt not to use them. It’s like those air-puff machines at some airports now. They’re probably great at detecting explosive residue off clothing, but every time I have seen the machines in operation, the passengers have the option whether to go through the lane with them or another lane. What possible good is that?

The closest thing to a real response from Hawley is that the terrorists might get caught stealing credit cards.

Using stolen credit cards and false documents as a way to get around watch-lists makes the point that forcing terrorists to use increasingly risky tactics has its own security value.

He’s right about that. And, truth be told, that was my sloppiest answer during the original interview. Thinking about it afterwards, it’s far more likely that someone with a clean record and a legal credit card will buy the various plane tickets.

This is new:

Boarding pass scanners and encryption are being tested in eight airports now and more will be coming.

Ignoring for a moment that “eight airports” nonsense—unless you do it at every airport, the bad guys will choose the airport where you don’t do it to launch their attack—this is an excellent idea. The reason my attack works, the reason I can get through TSA checkpoints with a fake boarding pass, is that the TSA never confirms that the information on the boarding pass matches a legitimate reservation. If all TSA checkpoints had boarding pass scanners that connected to the airlines’ computers, this attack would not work. (Interestingly enough, I noticed exactly this system at the Dublin airport earlier this month.)

Stopping the “James Bond” terrorist is truly a team effort and I whole-heartedly agree that the best way to stop those attacks is with intelligence and law enforcement working together.

This isn’t about “Stopping the ‘James Bond’ terrorist,” it’s about stopping terrorism. And if all this focus on airports, even assuming it starts working, shifts the terrorists to other targets, we haven’t gotten a whole lot of security for our money.

FYI: I did a long interview with Kip Hawley last year. If you haven’t read it, I strongly recommend you do. I pressed him on these and many other points, and didn’t get very good answers then, either.

EDITED TO ADD (10/28): Kip Hawley responds in comments. Yes, it’s him.

EDITED TO ADD (11/17): Another article on those boarding pass verifiers.

Posted on October 23, 2008 at 6:24 AM

Me Helping Evade Airport Security

Great article from The Atlantic:

As we stood at an airport Starbucks, Schneier spread before me a batch of fabricated boarding passes for Northwest Airlines flight 1714, scheduled to depart at 2:20 p.m. and arrive at Reagan National at 5:47 p.m. He had taken the liberty of upgrading us to first class, and had even granted me “Platinum/Elite Plus” status, which was gracious of him. This status would allow us to skip the ranks of hoi-polloi flyers and join the expedited line, which is my preference, because those knotty, teeming security lines are the most dangerous places in airports: terrorists could paralyze U.S. aviation merely by detonating a bomb at any security checkpoint, all of which are, of course, entirely unsecured. (I once asked Michael Chertoff, the secretary of Homeland Security, about this. “We actually ultimately do have a vision of trying to move the security checkpoint away from the gate, deeper into the airport itself, but there’s always going to be some place that people congregate. So if you’re asking me, is there any way to protect against a person taking a bomb into a crowded location and blowing it up, the answer is no.”)

Schneier and I walked to the security checkpoint. “Counterterrorism in the airport is a show designed to make people feel better,” he said. “Only two things have made flying safer: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.” This assumes, of course, that al-Qaeda will target airplanes for hijacking, or target aviation at all. “We defend against what the terrorists did last week,” Schneier said. He believes that the country would be just as safe as it is today if airport security were rolled back to pre-9/11 levels. “Spend the rest of your money on intelligence, investigations, and emergency response.”

Schneier and I joined the line with our ersatz boarding passes. “Technically we could get arrested for this,” he said, but we judged the risk to be acceptable. We handed our boarding passes and IDs to the security officer, who inspected our driver’s licenses through a loupe, one of those magnifying-glass devices jewelers use for minute examinations of fine detail. This was the moment of maximum peril, not because the boarding passes were flawed, but because the TSA now trains its officers in the science of behavior detection. The SPOT program—Screening of Passengers by Observation Techniques—was based in part on the work of a psychologist who believes that involuntary facial-muscle movements, including the most fleeting “micro-expressions,” can betray lying or criminality. The training program for behavior-detection officers is one week long. Our facial muscles did not cooperate with the SPOT program, apparently, because the officer chicken-scratched onto our boarding passes what might have been his signature, or the number 4, or the letter y. We took our shoes off and placed our laptops in bins. Schneier took from his bag a 12-ounce container labeled “saline solution.”

“It’s allowed,” he said. Medical supplies, such as saline solution for contact-lens cleaning, don’t fall under the TSA’s three-ounce rule.

“What’s allowed?” I asked. “Saline solution, or bottles labeled saline solution?”

“Bottles labeled saline solution. They won’t check what’s in it, trust me.”

They did not check. As we gathered our belongings, Schneier held up the bottle and said to the nearest security officer, “This is okay, right?” “Yep,” the officer said. “Just have to put it in the tray.”

“Maybe if you lit it on fire, he’d pay attention,” I said, risking arrest for making a joke at airport security. (Later, Schneier would carry two bottles labeled saline solution—24 ounces in total—through security. An officer asked him why he needed two bottles. “Two eyes,” he said. He was allowed to keep the bottles.)

Posted on October 16, 2008 at 4:32 PM

New Cross-Site Request Forgery Attacks

Interesting:

CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don’t verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will (unbeknownst to the user) send a request to a second site, and the second site will mistakenly think that the user authorized the request.

If a user visits an attacker’s website, the attacker can force the user’s browser to send a request to a page that performs a sensitive action on behalf of the user. The target website sees a request coming from an authenticated user and happily performs some action, whether it was invoked by the user or not. CSRF attacks have been confused with Cross-Site Scripting (XSS) attacks, but they are very different. A site completely protected from XSS is still vulnerable to CSRF attacks if no protections are taken.

Paper here.
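The distinction drawn in the quoted passage, as an added example that is not from the post or the paper: a handler that checks only the session cookie next to one that also checks the Origin header and a session-bound token. The session store, origins, handler names and request dictionaries are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# All names and values below are constructed for this example.
SERVER_KEY = secrets.token_bytes(32)       # per-deployment secret
SESSIONS = {"sess-alice": "alice"}         # session cookie value -> user
SITE_ORIGIN = "https://bank.example"       # hypothetical origin of the real site

def csrf_token(session_id):
    """Token bound to one session; the site embeds it in the forms it serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def transfer_vulnerable(request):
    # Verifies only that the browser of an authenticated user sent the request.
    user = SESSIONS.get(request["cookies"].get("session"))
    return f"200 transfer for {user}" if user else "401 no session"

def transfer_hardened(request):
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 no session"
    # The browser sets Origin itself; a page on another site cannot override it.
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return "403 cross-origin"
    # A page on another site cannot read the form token, so it cannot supply it.
    supplied = request["form"].get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return "403 bad token"
    return f"200 transfer for {user}"

def sample_requests():
    """Constructed requests: one from the site's own form, one sent cross-site."""
    cookies = {"session": "sess-alice"}    # the browser attaches this to both
    own_form = {"cookies": cookies, "headers": {"Origin": SITE_ORIGIN},
                "form": {"to": "bob", "csrf_token": csrf_token("sess-alice")}}
    cross_site = {"cookies": cookies, "headers": {"Origin": "https://other.example"},
                  "form": {"to": "mallory"}}
    return own_form, cross_site
```

Both sample requests carry the same valid cookie, so `transfer_vulnerable` accepts both, while `transfer_hardened` accepts only the one that originated from the site's own form.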

Posted on October 6, 2008 at 5:42 AM

How to Clone and Modify E-Passports

The Hackers Choice has released a tool allowing people to clone and modify electronic passports.

The problem is self-signed certificates.

A CA is not a great solution:

Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:

  1. The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.

    Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.

  2. The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.
  3. Multiple CA’s would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A’s CA key. The terminal will validate and display the information as data from Country B. This option also multiplies the number of ‘juicy’ targets. It makes it also more likely for a CA key to leak.

    Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.

So what’s the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job ‘assessing’ the person and not just the passport. Take the human part away and passport security falls apart.

EDITED TO ADD (10/13): More information.

Posted on September 30, 2008 at 12:24 PM

Cloned Trucks

Criminals are using cloned trucks to bypass security:

Savvy criminals are using some of the country’s most credible logos, including FedEx, Wal-Mart, DirecTV and the U.S. Border Patrol, to create fake trucks to smuggle drugs, money and illegal aliens across the border, according to a report by the Florida Department of Law Enforcement.

[…]

In August 2006, the Texas Department of Public Safety, on a routine traffic stop, found 3,058 pounds of marijuana and 204 kilograms of cocaine in a “cloned” Wal-Mart semi-trailer, driven by a man wearing a Wal-Mart uniform.

In another case, a truck painted with DirecTV and other markings was pulled over in a routine traffic stop in Mississippi and discovered to be carrying 786 pounds of cocaine.

This is the same problem as fake uniforms, and the more general problem of fake credentials. It’s very hard to solve.

EDITED TO ADD (2/6): Here’s someone who puts on a red shirt and pretends to be a Target employee so he can steal stuff:

Police in North Miami Beach are looking for a man they say likes to pose as a Target employee while stealing pricey iPods, and the man allegedly knows so much about the store, he’s even helped customers who thought he was a real employee.

[…]

Investigators say McKenzie simply walks into the stores, wearing a red polo shirt, and pretends he works there. North Miami Beach police officials say he has extensive knowledge of Target procedures and has even assisted customers.

Posted on February 6, 2008 at 12:37 PM
