Matasano Chargen - Latest Comments in Nate Lawson and Thomas Ptacek: Predictions: 2008

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

bostonmovinghelp22 — Sun, 05 Jul 2009 17:47:33 -0000

Prediction is just a guess of what so ever. . . just move your ass out! i don't believe in that.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Andre Gironda — Mon, 07 Apr 2008 19:07:56 -0000

I think http://www.aspectsecurity.com/documents/Aspect_... has the potential to change the web application security landscape.

You'll probably claim that this is just a simple HTTP header injection - "already been done". Today and in the past, most responses to typical URL redirection and/or HRS vulnerabilities are "we use SSL so we're not vulnerable". File download injections will popularize HTTP header injections so that they are looked for with the same fervor as XSS, SQLi, and CSRF.

On the surface, it looks trivial. But when you dig deeper, I think you'll come to the conclusion that this is a lot nastier than it appears at first.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

craig — Tue, 26 Feb 2008 21:43:22 -0000

As usual guys, very informative.

Love the statement on NAC. It dead set has the be the most overhyped / under-delivered so called *security* technology of the decade. Been reading posts everywhere saying that people are simply getting nailed anyway.

Check this one out http://www.computerworld.com.au/index.php?id=14...

Keep it up lads, big fan.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Thomas Ptacek — Fri, 15 Feb 2008 14:26:38 -0000

I'm disqualifying cloning, is all.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

David Molnar — Fri, 15 Feb 2008 00:58:31 -0000

For door locks, cloning basic prox cards has been known since at least 2003. More recent TV demonstrations:

Jonathan Westhues at the California Capitol
http://www.youtube.com/watch?v=4jpRFgDPWVA

Chris Paget shows a hand-held version at RSA
http://www.youtube.com/watch?v=fDimlEdeGjM

Were you unaware of these demonstrations, or do they not qualify?
If they don't qualify, is it that you're looking to see widespread "adoption" of the attack by criminals or something else?

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Dave — Thu, 14 Feb 2008 03:02:56 -0000

>My criteria are pretty specific:
>
>* The door locks on F-500 companies

Josh Perrymon's RFID SQL injection?

>* Tolling or mass transit

The various attacks on the Dutch Transit Mifares?

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Thomas Ptacek — Wed, 13 Feb 2008 19:05:34 -0000

Chris, I'm a Tavis Ormandy fan, but that bug doesn't qualify. To qualify, the bug has to not be fixable with a simple language kernel (interpreter/compiler) patch. In other words, it has to necessitate auditing of actual Perl code to eradicate.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Chris Evans — Wed, 13 Feb 2008 16:06:27 -0000

Hi!

Your perl prediction already came true in 2007. My colleagues Will Drewry and Tavis Ormandy found a heap overflow in perl's regex parser:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=C...

The general concept of nailing a supposedly buffer-overflow-proof server-side environment goes back further. For example, here's a bug I enjoyed in Sun's JDK JPEG parser, found in 2006; disclosed in 2007:

http://scary.beasts.org/security/CESA-2006-004....

Cheers
Chris

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Jake Brodsky — Wed, 13 Feb 2008 14:41:31 -0000

I hope you're right about SCADA. The problem is that everything moves a lot slower when you're carrying the heavy risk analysis and validation baggage that SCADA systems usually have. It's going to take years to get truly secure in SCADA. We may not have that much time.

That said, I agree with your assessment that more damage will be self inflicted than externally inflicted. In fact, if you take note of how many attacks came from disgruntled employees or contractors, the number is damned close to zero (no matter what the CIA says).

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Door locks vs. Keys — Wed, 13 Feb 2008 13:19:56 -0000

My impression (a year or so out of date) is that the prox cards used to operate the doors of corporate facilities are significantly less secure than the vehicle immobilizer transponders. Typically these are unencrypted RFID devices, some operating at standard frequencies. Of course, it's entirely possible that larger companies are moving to cryptographic devices, but again, most of the devices on the market are identical to (or variants of) the transponders originally developed for use in vehicle immobilizers.

Again, this is an area where the security responds to the threat. Since transponder cloning /has/ been a financial concern in the automative world, the technology has led vs. corporate security where the threats are more nebulous and hypothetical (and anyway, door cards are a thin layer of security-- and most facility security managers probably realize this). Of course, cloning isn't the only threat, etc. etc. But again, it's hard to imagine that building security is going to really lead in this area.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Umm — Wed, 13 Feb 2008 07:30:20 -0000

CVE-2007-5116

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Thomas Ptacek — Tue, 12 Feb 2008 16:52:52 -0000

segv: didn't mean to sound petulant. Congratulations, quite a find, and looking forward to seeing it.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

sigsegv — Tue, 12 Feb 2008 16:17:21 -0000

Thomas: Yes, I know. And I meant what I said. The bug classes we’re kicking around meet all your requirements.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

ol — Tue, 12 Feb 2008 15:18:46 -0000

http://events.ccc.de/congress/2007/Fahrplan/att... - pre pay cards in .ch broken.. Does that fit your criteria for tolling?

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

2bluesecrets — Tue, 12 Feb 2008 13:39:56 -0000

Enjoyed the predictions. Helps to know the trends.

Didn't 2007 seem worse overall in security? Full disclosure died. Supply and demand might get interesting in OSS security in 2008.
Formated and reads perfect in Lynx browser.
2008 year of OSS desktop migration?

Love you blog, good stuff.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Nate — Tue, 12 Feb 2008 12:45:51 -0000

Dave, thanks for the pointer to the Keeloq DPA attack. The corrected URL is http://eprint.iacr.org/2008/058

DPA attacks (unless based on RF emissions) require physical access to the device. So if someone, say a valet, has access to your keys, they can clone them. That is valid, but unsurprising.

The more interesting one is the DPA attack against the receiver. Apparently they retrieved a manufacturer global key from this. Again, the DPA attack is nice but incremental, but the fact that Keyloq uses a global mfgr key is a huge design error.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Chris — Tue, 12 Feb 2008 11:09:58 -0000

Thomas: Totally agree. Binding vulns are easily patched. I'm just stating I think we will see a lot more vulnerabilities in those perl/ruby/python kernels in the years to come. They have been largely ignored for awhile (with the exception of PHP I suppose).

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Thomas Ptacek — Tue, 12 Feb 2008 10:38:25 -0000

segv: remember, to qualify, the bug has to:

* not be fixable with a patch to the language kernel

* require auditing of actual script code

* be easy to accidentally create

* not be domain-specific (ie, SQL)

Obviously, we've been finding serious PHP bugs that don't qualify here for years.

I'm also going to exempt bindings, Chris: bugs in bindings are really C code bugs. To my knowledge, there's no external SWIG-style dep in Python, Ruby, or Perl that everyone uses. More importantly, most binding bugs can be fixed with patches. The game-over bug requires audits. Ouch!

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Thomas Ptacek — Tue, 12 Feb 2008 10:35:06 -0000

Dave: the KeeLoq hack is cool. But they could ship exactly the same car door lock for the next 10 years, and the incidence of car theft won't substantially increase.

My criteria are pretty specific:

* The door locks on F-500 companies

* Tolling or mass transit

* Metering

One of the three falls in the next 12 months, in a big way. Let's see if it happens. =)

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Chris — Tue, 12 Feb 2008 10:31:26 -0000

Ive been doing a lot of language binding audits. While not specifically mentioned in your scripting language prediction, I can tell you they are one of the less audited areas.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

sigsegv — Tue, 12 Feb 2008 08:58:54 -0000

Thomas: You're already right about the "game-over bug class in a scripting language kernel" prediction. In fact, it's been kicked around since mid 2007. We're just not telling anyone yet. ;)

Non-disclosure FTW.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Dave — Tue, 12 Feb 2008 04:33:33 -0000

>KeeLoq totally doesn’t count.

Why not? It seems to match your criteria perfectly, it's an RF lock, based on fielded hardware, and attacks the modulation (or at least a side-channel). The fact that it recovers the manufacturer key makes it particularly scary.

(Shouldn't you be pleased that your prediction came true? :-).

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Thomas Ptacek — Mon, 11 Feb 2008 22:17:51 -0000

KeeLoq totally doesn't count. Neat hack. Who cares? Nobody thought cars were safe to begin with.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Dave — Mon, 11 Feb 2008 21:39:06 -0000

>within the next 12 months of this post, there is
>going to be a public, trivially-reproduceable break
>in a security-critical piece of infrastructure.
>Even more specifically, it’s going to be one of
>three things:

How about "a week before this post"? See http://eprint.iacr.org/2008/058.

Re: Nate Lawson and Thomas Ptacek: Predictions: 2008

Phill — Mon, 11 Feb 2008 19:48:59 -0000

Eh, here's hoping your DRM prediction fails.