DISQUS

Matasano Chargen: Nate Lawson and Thomas Ptacek: Predictions: 2008

  • grey · 1 year ago
    ack, carriage returns are nice!
  • comment · 1 year ago
    Unreadable in its current formatting.
  • required · 1 year ago
    That is impossible to read, thanks for taking all the time to write it.
  • grammarnazi x 2 · 1 year ago
    ugh, paragraph formatting would aid in readability 10000%
  • John · 1 year ago
    Can you repost this with some sort of sensible formatting? I don't need bleeding eyes this early in the morning...
  • Thomas Ptacek · 1 year ago
    I blame WordPress.
  • Phill · 1 year ago
    Eh, here's hoping your DRM prediction fails.
  • Dave · 1 year ago
    >within the next 12 months of this post, there is
    >going to be a public, trivially-reproduceable break
    >in a security-critical piece of infrastructure.
    >Even more specifically, it’s going to be one of
    >three things:

    How about "a week before this post"? See http://eprint.iacr.org/2008/058.
  • Thomas Ptacek · 1 year ago
    KeeLoq totally doesn't count. Neat hack. Who cares? Nobody thought cars were safe to begin with.
  • Dave · 1 year ago
    >KeeLoq totally doesn’t count.

    Why not? It seems to match your criteria perfectly, it's an RF lock, based on fielded hardware, and attacks the modulation (or at least a side-channel). The fact that it recovers the manufacturer key makes it particularly scary.

    (Shouldn't you be pleased that your prediction came true? :-).
  • sigsegv · 1 year ago
    Thomas: You're already right about the "game-over bug class in a scripting language kernel" prediction. In fact, it's been kicked around since mid 2007. We're just not telling anyone yet. ;)

    Non-disclosure FTW.
  • Chris · 1 year ago
    Ive been doing a lot of language binding audits. While not specifically mentioned in your scripting language prediction, I can tell you they are one of the less audited areas.
  • Thomas Ptacek · 1 year ago
    Dave: the KeeLoq hack is cool. But they could ship exactly the same car door lock for the next 10 years, and the incidence of car theft won't substantially increase.

    My criteria are pretty specific:

    * The door locks on F-500 companies

    * Tolling or mass transit

    * Metering

    One of the three falls in the next 12 months, in a big way. Let's see if it happens. =)
  • Thomas Ptacek · 1 year ago
    segv: remember, to qualify, the bug has to:

    * not be fixable with a patch to the language kernel

    * require auditing of actual script code

    * be easy to accidentally create

    * not be domain-specific (ie, SQL)

    Obviously, we've been finding serious PHP bugs that don't qualify here for years.

    I'm also going to exempt bindings, Chris: bugs in bindings are really C code bugs. To my knowledge, there's no external SWIG-style dep in Python, Ruby, or Perl that everyone uses. More importantly, most binding bugs can be fixed with patches. The game-over bug requires audits. Ouch!
  • Chris · 1 year ago
    Thomas: Totally agree. Binding vulns are easily patched. I'm just stating I think we will see a lot more vulnerabilities in those perl/ruby/python kernels in the years to come. They have been largely ignored for awhile (with the exception of PHP I suppose).
  • Nate · 1 year ago
    Dave, thanks for the pointer to the Keeloq DPA attack. The corrected URL is http://eprint.iacr.org/2008/058

    DPA attacks (unless based on RF emissions) require physical access to the device. So if someone, say a valet, has access to your keys, they can clone them. That is valid, but unsurprising.

    The more interesting one is the DPA attack against the receiver. Apparently they retrieved a manufacturer global key from this. Again, the DPA attack is nice but incremental, but the fact that Keyloq uses a global mfgr key is a huge design error.
  • 2bluesecrets · 1 year ago
    Enjoyed the predictions. Helps to know the trends.

    Didn't 2007 seem worse overall in security? Full disclosure died. Supply and demand might get interesting in OSS security in 2008.
    Formated and reads perfect in Lynx browser.
    2008 year of OSS desktop migration?

    Love you blog, good stuff.
  • ol · 1 year ago
    http://events.ccc.de/congress/2007/Fahrplan/att... - pre pay cards in .ch broken.. Does that fit your criteria for tolling?
  • sigsegv · 1 year ago
    Thomas: Yes, I know. And I meant what I said. The bug classes we’re kicking around meet all your requirements.
  • Thomas Ptacek · 1 year ago
    segv: didn't mean to sound petulant. Congratulations, quite a find, and looking forward to seeing it.
  • Umm · 1 year ago
    CVE-2007-5116
  • Door locks vs. Keys · 1 year ago
    My impression (a year or so out of date) is that the prox cards used to operate the doors of corporate facilities are significantly less secure than the vehicle immobilizer transponders. Typically these are unencrypted RFID devices, some operating at standard frequencies. Of course, it's entirely possible that larger companies are moving to cryptographic devices, but again, most of the devices on the market are identical to (or variants of) the transponders originally developed for use in vehicle immobilizers.

    Again, this is an area where the security responds to the threat. Since transponder cloning /has/ been a financial concern in the automative world, the technology has led vs. corporate security where the threats are more nebulous and hypothetical (and anyway, door cards are a thin layer of security-- and most facility security managers probably realize this). Of course, cloning isn't the only threat, etc. etc. But again, it's hard to imagine that building security is going to really lead in this area.
  • Jake Brodsky · 1 year ago
    I hope you're right about SCADA. The problem is that everything moves a lot slower when you're carrying the heavy risk analysis and validation baggage that SCADA systems usually have. It's going to take years to get truly secure in SCADA. We may not have that much time.

    That said, I agree with your assessment that more damage will be self inflicted than externally inflicted. In fact, if you take note of how many attacks came from disgruntled employees or contractors, the number is damned close to zero (no matter what the CIA says).
  • Chris Evans · 1 year ago
    Hi!

    Your perl prediction already came true in 2007. My colleagues Will Drewry and Tavis Ormandy found a heap overflow in perl's regex parser:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=C...

    The general concept of nailing a supposedly buffer-overflow-proof server-side environment goes back further. For example, here's a bug I enjoyed in Sun's JDK JPEG parser, found in 2006; disclosed in 2007:

    http://scary.beasts.org/security/CESA-2006-004....

    Cheers
    Chris
  • Thomas Ptacek · 1 year ago
    Chris, I'm a Tavis Ormandy fan, but that bug doesn't qualify. To qualify, the bug has to not be fixable with a simple language kernel (interpreter/compiler) patch. In other words, it has to necessitate auditing of actual Perl code to eradicate.
  • Dave · 1 year ago
    >My criteria are pretty specific:
    >
    >* The door locks on F-500 companies

    Josh Perrymon's RFID SQL injection?

    >* Tolling or mass transit

    The various attacks on the Dutch Transit Mifares?
  • David Molnar · 1 year ago
    For door locks, cloning basic prox cards has been known since at least 2003. More recent TV demonstrations:

    Jonathan Westhues at the California Capitol
    http://www.youtube.com/watch?v=4jpRFgDPWVA

    Chris Paget shows a hand-held version at RSA
    http://www.youtube.com/watch?v=fDimlEdeGjM

    Were you unaware of these demonstrations, or do they not qualify?
    If they don't qualify, is it that you're looking to see widespread "adoption" of the attack by criminals or something else?
  • Thomas Ptacek · 1 year ago
    I'm disqualifying cloning, is all.
  • craig · 1 year ago
    As usual guys, very informative.

    Love the statement on NAC. It dead set has the be the most overhyped / under-delivered so called *security* technology of the decade. Been reading posts everywhere saying that people are simply getting nailed anyway.

    Check this one out http://www.computerworld.com.au/index.php?id=14...

    Keep it up lads, big fan.
  • Andre Gironda · 1 year ago
    I think http://www.aspectsecurity.com/documents/Aspect_... has the potential to change the web application security landscape.

    You'll probably claim that this is just a simple HTTP header injection - "already been done". Today and in the past, most responses to typical URL redirection and/or HRS vulnerabilities are "we use SSL so we're not vulnerable". File download injections will popularize HTTP header injections so that they are looked for with the same fervor as XSS, SQLi, and CSRF.

    On the surface, it looks trivial. But when you dig deeper, I think you'll come to the conclusion that this is a lot nastier than it appears at first.
  • boston moving help · 5 months ago
    Prediction is just a guess of what so ever. . . just move your ass out! i don't believe in that.