Monthly Archives: November 2015

DANE missed the boat

This article represents my personal views

What problem does DANE try to solve ?

DANE wants to be an alternative model for validating domain names with TLS, by moving some of the security check inside the DNS. However, it does not work with plain DNS, it needs DNSSEC as the underlying protocol. The perceived advantage is that it prevents people from issuing rogue certs, unlike the current CA model.

First, let's look at DNSSEC

DNSSEC suffers from a number of issues. One is the complexity of protocol, and deep learning curve. Second is the deployment of DNSSEC. It enjoys a lot of support from ICANN & the RIRs, but comparatively little from the commercial world. Neither ebay.com nor alibaba.com, 2 of the major e-commerce websites in the world. Lastly, the problem that NONE of the Internet Organizations want to talk about is security at the edge. DNSSEC-aware resolvers in CPE equipment are NOT available in 2015. The most popular DNS software for CPE equipment still has a WiP implementation of DNSSEC, which still has some bugs, causing valid DNSSEC signatures to fail. [I have other points on DNSSEC, but I will expand it in another blog post] Good Luck finding an off-the-shelf modem that can do correct DNSSEC for your grandparents.

DANE's history with the commercial world

Despite the issues with the underlying DNSSEC protocol, DANE still managed to gain some support from the commercial world. In my humble opinion, the greatest opportunity came from Google, when it implemented DANE in Google Chrome. That was the right opportunity to solve the massive deployment of DANE (and DNSSEC in the process). However, a number of issues complicated the implementation of DANE: The size of DNSSEC messages caused issues at the edge of the internet. It also introduced additional latency, due to the complex nature of DNSSEC validation process. Google later took the hard decision to remove DANE from Google Chrome. None of the DANE or DNSSEC WG at the IETF addressed those issues. DANE support, enabled by default , is NOT happening in any Google product which are flooding the market. It is available as a plugin. But will your grandmother download a DANE plugin when she downloads Google ? Experience suggests very few grandmothers would do that.

Conclusion

DANE missed the boat when the DANE & DNSSEC community failed to address the implementation issues that Google was facing. It was the golden train, and DANE missed it. Other solutions which were easier to implement and deploy filled that gap. It's very likely that DANE's adoption both on the server and client side will remain small.

An interesting nginx vulnerability

What is nginx

Nginx is a web server, similar to Apache. It was designed much later than Apache, and is faster. Due to its speed, it's often used in combination with Apache, or as a replacement for Apache. The marketshare of nginx has increased during the recent years. so, when you navigate to http://www.hackers.mu/, your request is taken care by the HTTP server. I use Apache for logan.hackers.mu. I could also have used nginx.

Security vulnerability

A security vulnerability is a coding error that allows an attacker to take advantage of the flaw to get some form of control over the server. Nginx has its fair share of vulnerabilities. I'm going to talk about a particular vulnerability: CVE-2013-2028.

CVE-2013-2028

A stack based overflow is usually one of the easiest type of overflow that can be used to remotely take control of a server. CVE-2013-2028 is one such vulnerability. In the HTTP format, there's a field known as the HTTP header. One of the options that can be used for this header is the transfer-encoding chunk mechanism. In this particular case, this field was supposed to contain up to a maximum size. What happens if you go beyond ? Well, it overflows . As the original nginx code contained no way to handle this particular case, an attacker can leverage this to his advantage. He can put a large chunk size, and inject other code that you grant his a remote access to the server. The server can then be controlled remotely. You can change the contents of the website for example, or use the server to attack other servers on the Internet.

If you would like to have additional details, please let me know :)

The tale of Mauritian backdoors

The government of Mauritius

The government of Mauritius loves to operate in a non-transparent fashion. Internet Filtering has been implemented by ICTA with little input from local Internet Users. They once blocked facebook in Mauritius. There are probably other plans underway to undermine the privacy of Internet Users in Mauritius. How could the government go and spy on the citizens of Mauritius ? This question has been on my mind since a while now. I would argue that it's easier to implement in Mauritius than in other countries.

ISP Market

When ICTA got the great idea to filter some internet content in Mauritius, there was little protest from any ISP. Orange, which is partially owned by the government agreed to it. I was somewhat surprised that Emtel did not take a public stand against it, as it's a private company. This leads me to believe that there is NO ISP in Mauritius is committed to protecting the privacy of its customers. It's interesting to see how the first backdoor was implemented in Mauritius: The government lacked the necessary technical expertise, and outsourced it to a New Zealand based company to implement the Internet Filtering system. I believe that it's possible that the ICTA filtering system is not only blocking, but also logging the traffic of Internet Users to some of those pornographic websites. Due to the lack of transparency regarding the list of websites, it's hard to say. However, one could speculate that if a political party launches its own website (e.g www.mmmparty.com), ICTA could potentially have any visitor to that website from Mauritius logged passively using the Internet Filtering system. In other words, do not block the website, but log the IP addresses of people accessing the website. This would give the government an idea of how many supporters are behind an opposition party. The ICTA Internet Filtering is the first example of a known backdoor implemented by the Government of Mauritius.

Another backdoor could be in the modems that the ISP deploy on the Customer premises. By matching the customer details and the Internet Traffic from the modem to get a better idea of the different people within a house. I'll give a concrete example: If there is a lot of traffic to the mmmparty.com coming from a particular house, the ISP cannot know exactly who is exactly behind it, as ISPs in Mauritius allocate a single public IPv4 address to each customer. By putting a backdoor within the modem, it can get a full picture of which device is connecting to that website. However, the government itself does not have this kind of technical expertise. It would mandate an ISP to implement that, and a router manufacturer would happily accept that as a "business requirement".

Tablets in school & Wireless Access Points

A number of people are currently raising concerns that a private company is getting all of the contracts for tablets, and wireless access points in Mauritius. The young generation constitutes a sizable group that will be able to vote in 4 years. A contractor could include a backdoor that would log any traffic to those tablets and get the government an idea of the political inclinations of young people. As far as I know, there has not been any audit of the tablets.

Controlling the smartphone market

ICTA has implemented all kind of measures to discourage people from importing wireless equipment under the pretense of "regulatory concerns". This favours companies like Orange and Emtel who are selling smartphones. Since none of those companies are committed at protecting the privacy of their customers, That would be a great avenue to implement another backdoor. By bugging every smartphone, the government can collect information on who is talking to who, and the duration of the call. I heard that the government of Mauritius was taping phone calls at one point right before the elections. The government of Mauritius has historically been tied to the ITU, which is known to operate in a non-transparent manner, so It's safe to say that telephone calls through the GSM network (2G, 3G, 4G) can be monitored.

Monitoring facebook

When the interim Minister of TCI started talking about avenues of co-operation between facebook and the government of Mauritius, I felt uneasy. A few months earlier, Orange was announcing that it would offer facebook for free via its Data package. By channeling mobile traffic via its GSM network, Orange can potentially monitor Internet Traffic of facebook users. I started wondering if the announcement weren't somewhat connected. "We give you free facebook, but we monitor it." Facebook is the most popular social network in Mauritius. Dangerous is the road ahead ...

Encrypting my DNS traffic

Protecting my DNS traffic

I use Internet Banking because my bank forced me to. They prefer that I avoid going to their regional office for bank transfers. When I launch my mobile banking application, There's a message known as DNS, which is sent to my ISP. The message is basically : "What is the IP address of Internet Banking web site ?". The DNS server at the ISP side will reply with something like "22.22.11.22".

Building a profile

The problem here is that this message is sent unencrypted. My ISP can capture this traffic and send it to some agency somewhere. We already know that they are filtering Internet in Mauritius, and blocking Child pornography. However, we don't know what else they might be collecting on us. Lack of transparency is an issue with the ICT Authorities in Mauritius. I'm not comfortable with my DNS traffic passing around unencrypted. It can be used to guess when I am checking my bank account. It can also be used to check which websites I've been visiting. DNS is a very good metadata to build a profile about anybody on the Internet :)

We have DNSSEC right ?

DNSSEC was never designed to to encrypt the question-reply DNS messages between my ISP and my home router. It was designed to check if the reply (22.11.22.22) I'm getting from my ISP DNS server is valid or NOT. If it's not valid due to failing the DNSSEC validation, we know that there might be an attack somewhere or someone who did not configure DNSSEC properly. [I will talk about misconfiguration of DNSSEC in another blog post.]

What I want to achieve

I want the DNS server on my ISP to receive my request encrypted, and also reply to me using encryption. So, if I type, ib.mcb.mu, I want "ib.mcb.mu" to be sent as "XSDSDDSDSDASASDS", and my ISP takes this string that nobody can make sense, and turn it back into "ib.mcb.mu". Then, It takes the IP address "22.11.22.22", and sends it back as "DEADBEEF0x42asd" to my home router. My home router takes this gibberish, does some math vodoo and sends it back to me as "22.11.22.22". However, in this case, I do not trust my ISP DNS server since it's operated by a partially-owned government ISP which blocked facebook once. The gibberish string is what is important here: This is what is called Encryption. This is key to prevent pervasive monitoring on the Internet.

Enter DNScrypt

A group of really smart people came up with a protocol known as dnscurve. It encrypts the traffic between resolvers, and the big DNS servers on the Internet. OpenDNS is the major company to deploy DNScurve for its public DNS servers. OpenDNS also released dnscrypt, which encrypts the "last mile". It encrypts the traffic between OpenDNS public servers, and my house. Perfect. Exactly, what I'm looking for ! The icing on the cake is that DNScurve and DNScrypt have NOT been influenced by NIST "recommendations" for cryptography.

Configuring DNScrypt

DNScrypt is surprisingly easy to configure and deploy on my end user equipment. The process can be improved further. Below is a snapshot of the start-up messages.


daemon.info dnscrypt-proxy[29929]: Generating a new
key pair
daemon.info dnscrypt-proxy[29929]: Done
daemon.info dnscrypt-proxy[29929]: Server certificate #1435874751 received
daemon.info dnscrypt-proxy[29929]: This certificate looks valid
Tue Nov 10 18:59:49 2015 daemon.info dnscrypt-proxy[29929]: Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
daemon.info dnscrypt-proxy[29929]: Server key
fingerprint is
ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
daemon.notice dnscrypt-proxy[29929]: Proxying from
127.0.0.1:5353 to 208.67.220.220:443

Fun adventure

I tested by snooping on the outgoing traffic leaving my router: my DNS messages are encrypted using strong crypto ! No need to change anything on my home PCs, wireless APs, smartphones, or tablets. It's all transparent to them. And my aim which is to encrypt my DNS traffic has been achieved ! It's going to make the job of pervasive surveillance agencies much harder to build a profile of my surfing habits. A follow-up blog post could be about combining DNScrypt and DNSSEC to get both the validated DNS reply from DNSSEC, with the encryption capabilities of DNScrypt.

Smart cars in mauritius

Smart cars in the Cyberisland

I went to one of the car sellers, and they were trying to sell me a car with a lot of gadgets. Despite being a hardcore geek, I prefer to avoid "smart" cars that are currently sold in Mauritius and elsewhere. This may come as a surprise for some of you. Read on.

Lack of transparency

Volkswagen was caught cheating on the emission test by tweaking the software of their engine to change its engine behaviour when it was passing auditors test for carbon emission. Volkswagen is apologising, and they want to "win back the faith of their customers". What about the other manufacturers ? Why should I trust them ? How safe are the other car makers ?

2 security researchers discovered a way to play around with the aircon, and sound of Jeep Cheerokees. Some security researchers claim to be able to remotely shutdown, and turn the wheel of a car while it is on the road. I'm pretty sure that the other car manufacturers are vulnerable to this. Just because it's german or the US does not mean it's security proof. A pattern is emerging: The smart car manufacturers are not investing in securing their products.

Potential customers

Electronic Frontier Foundation is fighting for the right to inspect the software running on a car. They did so in a US court. The car manufacturers wanted to make it illegal for security researchers to audit the security of cars. They want to hide behind repressive laws to prevent the security flaws from becoming public.

We can and should boycott smart cars until car manufacturers are transparent about the software running on their cars. Car companies should pay independent security companies to inspect the software running on their cars because LIVES are at stake.

Let’s encrypt

An intriguing mail

When I opened my mailbox in the morning, an interesting mail showed up ! At first, I thought that it was spam, as it said that "You had been selected to participate .."

A closer look

Upon taking a closer look, I quickly realized that it was coming from the letsencrypt non-profit foundation ! Letsencrypt aims to make TLS available to everybody, and wants to make it easy. You might be suprised to hear this when you know that a TLS certificate costs at least $9 USD. I heard about letsencrypt from websites, and they were active at the IETF in Prague when I was there. For Mauritius & Africa, this represents a huge opportunity for non-profits, educational and Small and Medium enterprises to get better security for their websites, for little cost, except investing time to learn how to use the ACME client from letsencrypt.

The downside

You do not get the full EV (Extended Validation) from SSL/TLS vendors which have much more strict requirements, and are normally costly. This is what a critical Internet organization or a bank would use for its HTTPS services.

First impressions

The service is still in limited BETA phase. It can be setup with a single command:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

More to come

Stay tuned as I move a personal website to HTTPS powered by letsencrypt :)

security experts in Mauritius

Cybersecurity in the cyberisland

In Mauritius, We have 7000 people who work in the IT sector. There are many web developers, Enterprise software engineers, and Infrastructure engineers (sysadmin/netadmin). However, there are very few security engineers.

Most companies in Mauritius tend not to think about security of their infrastructure. Paradoxically, most are increasingly relying on their IT infrastructure to store/retrieve/manipulate their data, which is often sensitive. This has led to very few job openings for security experts. Many still think that security is an "add-on" that they buy. Few realise that security is woven into the development process of the software they are developing for their clients, until the client loses faith due to a security flaw.

Recently, 2 LUGM members and myself decided to organize a Security Contest. The goal was to defend and attack a server via the Heartbleed vulnerability to steal sensitive information, such as private keys.After doing a short presentation, on Heartbleed, we gave ample time to participants to come up with a working code, and a reasonable explanation. Heartbleed is fairly old: it happened in 2014.

2 months later, and we still didn't receive a single submission. I grew very worried of the current situation in Mauritius. The implications are far reaching: Most IT workers have little understanding of how vulnerabilities work. There are many self-proclaimed "Hackers" and "Security experts" in Mauritius. However, none of them are able to understand Heartbleed in a detailed manner. Most IT professionals are unable to distinguish between a security expert and someone who is not. In case of a cyberwar, Mauritius would be at an immediate disadvantage.

Developing local security expert talent pool is one of the key pillars of a "Cyberisland". The rise of the Internet of things, where almost everything can be hooked to the internet, has many implications in terms of security. A "smart" car can be hijacked, and people killed. We need security experts who can understand the small details of security flaws and come up with reasonable counter-measures to protect our CyberInfrastructure. This requires a LOT of mental effort & time investment. However, I get the impression that most students are more interested in Computer Security as a fashion trend . Few want to do the hard mental work.

Sadly, I noticed the same attitude with professionals working in the IT sector. Many prefer to copy, without any thought as to what is really happening underneath. They rely on work done by others, instead of making the mental effort needed. A good way to test a security expert is to show him a piece of vulnerable code, and ask him to write an exploit for it. The Contest that we designed followed this principle. It encouraged participants to think about the code that they are copying from the Internet.

The net result is that this has negatively impacted the image of Security Experts from Mauritius. I spoke with a friend who resides in Switzerland, and he told me that he read about the security experts from Mauritius. Upon taking a close examination, he wasn't impressed at all. The lack of skills is obvious, according to him. To be fair, I pointed out that at least 2 Mauritians did understand security to a very good level. On a global picture, we still got a long way to go to secure & protect our Cyberisland.