Ad Mortem Festinamus

Music to hack by. Qntal released their first album 16 years ago in 1992.

In April of that year three RFCs appeared that covered MD2, MD4, and MD5. MD5 survived several years of cryptanalysis until a significant, practical attack was announced at the Crypto 2004 conference. Additional information appeared at the EUROCRYPT 2005 conference. Currently, the U.S. government only approves five hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512.

Note that the attacks against MD5 are based on cryptanalysis of the algorithm. This attack differs greatly from those based on "Rainbow Tables." A Rainbow Table trades the computational time required to discover, via brute force, the input value of a hash with the memory required to store all possible hashes for a set of input values. This technique, a time-memory trade-off, is hardly new. An IEEE paper by Martin Hellman described an approach to attacking DES in 1980.

However, the feasibility (and popular adoption) of rainbow tables also needed the cost of memory -- gigabytes to terabytes of disk space -- to drop. In 2008, it is trivial (though perhaps still expensive) to have three terabytes of disk space in a desktop computer. Consequently, the input value of a hash can be discovered in a matter of seconds or minutes rather than days or years. Rainbow tables are generated by running through a key space, say all seven-character alphanumeric combinations, once and storing the mappings between input value and hash. Any subsequent lookup merely requires the user to look up a hash value and then find the input value that generated it. In other words, all of the exhaustive brute force only needs to be executed by one user and the results shared with multiple users.

Rainbow tables can be generated for any algorithm, from MD5 to SHA-512 to certain modes of AES. They are based on simple brute force attacks rather than any underlying weakness of the algorithm. However, rainbow tables can also be trivially defeated.

Think of a rainbow table as something like this:

hash = MD5(input value)

Where hash is the result of an MD5 operation on input value. Typically, input value will be the complete key space of a length of characters (e.g. seven character alphanumeric).

Now, consider this small modification:

hash = MD5(salt + input value)

In this case, a fixed set of characters, the salt, is prepended (it could also be appended) to the input value to produce the hash. The salt doesn't need to be secret or even random -- it could be "apple" or "zombie." The function of the salt is to extend the length of characters used as the input and to prevent trivial hash comparisons. The combination "zombie" plus "password" turns an eight-character input value into a 14-character one. For an attacker who relies on a rainbow table to attack eight character passwords, the addition of "zombie" doesn't make the table any bigger, but it makes it different from the rainbow table for hashes without a salt. As a result, the attacker needs to rebuild the table -- which turns the problem back into a time-consuming brute force attack.

If your application stores hashed passwords, then make sure that the hashes are salted. It won't make the passwords more secure against phishing, sniffing, or replay attacks, but it can make them resistant to rainbow attacks if the hashes are compromised.

If your web application stores passwords in plain text, then it has more fundamental security issues.

Paul Atreides predicted further ahead in time, but he had spice

In November 2008 the National Intelligence Council (NIC) released a report that looks at "how key global trends might develop over the next 15 years to influence world events." The report doesn't claim prophecy. The authors review current trends in order to "provide US policymakers with a view of how world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action."

One interesting aspect is the discussion of cyber warfare as an emerging aspect of conflict. The report avoids details of what cyber warfare might look like (or already looks like, for that matter), but the type of conflict earns specific mention. So, it must be important to some degree.

Rather than focus on the future right now, it might be worthwhile to see how previous editions of the NIC's report fared with time and hindsight. In November 1997 the NIC released a report looking towards 2010. It makes for interesting reading through the lens of computer security.

The report intentionally avoids specific predictions, but its expectation of the clash between government and technology arrived with significant examples, a few of which include DRM, freedom of speech, Google and Yahoo in countries with human rights problems, and the Great Firewall of China.

The good news is that governments will derive benefits from technology that moves information, goods, and services rapidly. The bad news from the perspective of governments is that they will have less and less capacity to control these flows unilaterally.

This message was reinforced with:

However, communications will also thwart government efforts to control the flow of information, which, in some instances, will undermine their authority.

The report also deserves credit for explicitly highlighting organized crime's adoption of the Internet, exploiting its underlying technologies, and targeting its multitude of rubes:

International organized crime groups will take advantage of such technology as well, bypassing governments, or seeking to undermine them when governments try to block their efforts to run and expand their illegal activities.

A few examples are the Russian Business Network, sophisticated credit card black markets, auction fraud, and cons. Not only does technology enable criminal markets (IRC bots running credit card exchanges), but common vulnerabilities provide the attackers with a large pool of potential victims. No longer do attackers deface web sites to impress friends. Newer attacks rely on subtle infection of a web page with a single line of JavaScript that may point to a server in China or Russia. This infected web page then loads an exploit that tries to attack the web browser of each person visiting the site. Vulnerable browsers leave their users open to theft of credit card numbers, online game account credentials (e.g. World of Warcraft), or banking information.

On the cyberwar front, the report provides only vague extrapolations for the future:

Precision- guided munitions and information technologies will continue to be the hallmarks of the revolution in military affairs. Other countries will have technologically advanced military equipment at their disposal, obtained from arms merchants and other governments. However, no power will be able to match US battlefield technological capabilities during this time frame, and potential adversaries are unlikely to repeat Iraq's mistake in challenging the United States via set-piece conventional warfare.

So, it alludes to a continued U.S. superiority of information technologies, but at the same time emphasizes

we may find what some would call a "doctrine of massive technological superiority" as limited in the future as the doctrine of massive retaliation was forty years earlier.

For the moment consider cyberwar simply hacking between opposing state-sponsored groups. The U.S. has the 24th Air Force (among others, surely), which faces counterparts across the world -- most notably China. For example, a 2008 DOD report to Congress notes

...China’s leaders stress asymmetric strategies to leverage China’s advantages while exploiting the perceived vulnerabilities of potential opponents using so-called “assassin’s mace” programs (e.g., counterspace and cyberwarfare programs).

The same report also details why the U.S. has concern for China's hacking efforts (detailed on pages 3 and 4).

Yet Cyberwar may not only be a term in search of a definition, but a topic for which contemporary examples are few (at least to public knowledge). Russia vs. Estonia typically serves as the most recent popular example, but being state-sponsored on both sides and the actual impact of the "war" diminishes under scrutiny and skepticism. Russia vs. Georgia was rumored to be a sequel. However, that conflict included tanks, guns, and soldiers crossing borders -- all a more pressing concern for civilians than a virtual carpet-bombing of computer networks with IP packets.

It will be interesting to see how Internet-related events unfold in relation to the trends recorded in the 2025 report.

Yet it won't be necessary to wait until 2025 to review the current trends report. By November 2019 a much more important event will occur.

The Internet is dead! Long live the Internet!

In 1998, L0pht claimed before Congress that in under 30 minutes their seven member group could make online porn and Trek fan sites unusable for several days. (That's all that existed on the Internet in 1998.) In February 2002 an SNMP vulnerability threatened the very fabric of space and time (at least as it related to porn and Trek fan sites -- if you still don't believe me, consider that Google added Klingon language support the same month). More recently, a DNS vulnerability was (somewhat re-)discovered that could enable attackers to redirect traffic going to sites like google.com and wikipedia.com to sites that served porn, even though many people wouldn't notice the difference. (Dan Kaminsky compiled a list of other apocalyptic vulnerabilities that similar issues with those that plagued DNS.)

This year at the OWASP NYC AppSec 2008 Conference Jeremiah Grossman and Robert "RSnake" Hansen shared another vulnerability, clickjacking, in the Voldemort "He Who Must Not Be Named" style. In other words, yet another eschatonic vulnerability existed, but its details could not be shared. This disclosure method continued the trend from Black Hat 2008 prior to which the media and security discussion lists talked about the secretly-held, unsecretly-guessed DNS vulnerability information with the speculation usually retained for important things like when Gn'Fn'R would finally release Chinese Democracy. [If you don't care about gory details of the disclosure drama and just want to skim the abattoir, then read this summary.]

Yet none of these doom-laden vulnerabilities have caused to Internet to go pfft like a certain parrot that need not be named.

Until now.

I've discovered a web-based vulnerability that can be trivially exploited called Cross-Hype Attack Forgery Exploit (CHAFE). It affects all web browsers and can't be patched (nor will you be protected by FireFox's NoScript or using lynx). In fact, if you're reading this entry then I guarantee you can be vulnerable to it. Public release of the details would be self-defeating, but I'm willing to sell the details to the highest bidder -- as well as anyone else who wants to pay for the information. To ensure the validity of this vulnerability, consider that it has both "cross" and "forgery" in the name. So, it clearly has a working exploit associated with it. No peer review is necessary to establish the vulnerability's credibility. To build further confidence, I'll hint that the vulnerability builds on prior research, but who really cares about dusty problems from 1991 when you can have a working exploit in 2008?

Since I haven't gotten around to creating PayPal account yet (although a reminder to update my account information just arrived in my InBox a few moments ago), send an e-mail to chafe@hackculture.com if you're interested in the details and you have some money from which you'd like to be departed.

A sense of history

Cross-site scripting (XSS) vulnerabilities provide some of the most interesting and creative exploits. These exploits range from banal pop-up windows that annoy people to using the browser as a port scanner to insidious theft of authentication credentials. The fundamental cause of the vulnerability is well known and has been described in many other places. What isn't commonly discussed is the history of XSS (more generally described as HTML injection) and the provenance of the security concern.

The original CERT advisory was published on February 2, 2000.

Keep in mind that the term "XSS" is neither an accurate description of the vulnerability or the original short-hand reference for attacks that modify the HTML DOM or execute scripting code in the browser. USENET references to "malicious html" and "malicious javascript" go back as far as 1996. In March of that year a post showed up on comp.security.unix that described what malicious content might do:

A funny-looking link can persuade a fancy browser to send mail, perhaps to exploit a bug in the mail program to do something much worse. The newest craze, Java, actually downloads programs into the browser, and runs them.

Another post in comp.sys.acorn.misc in June of 1996 contained a nice description of the potential of malicious JavaScript:

Another 'application' of JavaScript is to poke holes in Netscape's security. To *anyone* using old versions of Netscape before 2.01 (including the beta versions) you can be at risk to malicious Javascript pages which can
a) nick your history
b) nick your email address
c) download malicious files into your cache *and* run them (although you need to be coerced into pressing the button)
d) examine your filetree.

Now, compare the previous description with the definition of XSS from the most recent OWASP Top Ten list.

Cross-site scripting, better known as XSS, is in fact a subset of HTML injection. XSS is the most prevalent and pernicious web application security issue. XSS flaws occur whenever an application takes data that originated from a user and sends it to a web browser without first validating or encoding that content.

XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, insert hostile content, conduct phishing attacks, and take over the user’s browser using scripting malware. The malicious script is usually JavaScript, but any scripting language supported by the victim’s browser is a potential target for this attack.

Of course, it's important to have a term or phrase that codifies a type of web application vulnerability. XSS serves this purpose quite well -- think of it as the Kleenex or Xerox of HTML injection vulnerabilities. On the other hand, there's clearly a fundamental problem with web application development and web browser design if such a long-standing vulnerability can continue to pose such a threat to web security.

Advice on creating a conference presentation

Follow these five easy steps to create a presentation for a security conference. Don't bother asking for a Top Ten list. They're unnecessary and would take twice as long to implement anyway.

1. Select a title that includes a bad pun. If you can't think of a pun, then use a weak double entendre. Don't worry about the topic yet.

2. Use copious amounts of bullet points. Each slide should have at least 20 bullets. Use a smaller font if you find it difficult to fit that many on one page. Also consider that one bullet point counts as six punctuation characters. So, don't worry about periods, commas, or even capitalization; semi-colons are equally useless.

3. Omit any references to previous work on the same topic. This just makes the slide deck longer and confuses people who want to find out more information -- the lazy bastards can use a search engine.

4. Make a snide comment about Microsoft. This works very well if you used PowerPoint to make the slides.

5. Create a new acronym. This should preferably contain the word "cross" or "injection." Bonus points if you manage to think of an acronym that can be used as a pun. If it is a profanity, then you've spent too much time coming up with a snappy acronym -- get back on task and write some bullet points.

That's it! Your presentation is ready to satisfy most conferences' Call For Papers. If it gets rejected, then you probably forgot to litter the slides with quotes from Sun Tzu.

Sing this corrosion to me

Music to hack by. The Sisters of Mercy released Floodland 21 years ago on November 13, 1987.
To give some perspective, this was about a year before the first Internet Worm appeared. On November 2, 1988 the Morris Worm [more here] raged across the fledgling Internet. It spread using a command injection attack against Sendmail, a buffer overflow against fingerd, and brute force password guessing against rsh and rexec. Twenty years later, web applications still suffer from these exact types of vulnerabilities.