Weekly security week wrapup 22

Intercepting skype

Intercepting skype in transit is quite complicated. The ‘oracle’ needed to decode the signalling traffic is quite well known and understood, resulting into legible signalling information. The primitives used in the user-to-user voice traffic are also well known, but this knowledge does not gain you any understanding of the contained traffic. Knowing you’re looking at AES and RSA doesn’t make it any more fun to start cracking.

This week we also heard some news that a Russian reverse engineer, Efim Bushmanov, has been able to reverse engineer skype to the point where it should become possible to write your own (open source perhaps) skype client. Skype (being aquired by Microsoft, conspiracy theorists unite, but that’s a different topic) does not like this one bit and brought in the big lawyers to tell Efim that he was violating the EULA.

But there are other ways to gain access to the traffic: intercept at the end-point, where the traffic has been decrypted for you. This article in the wall street journal describes quite detailed how the Egyptian government has been using this method to intercept traffic of young dissidents.

Lockheed Martin breach

All over the news: Lockheed Martin has been breached because it used the RSA tokens that had been compromised a couple of weeks before that. LM has the resources to actually detect a compromise like that, but there are way more small companies that use RSA tokens. How are they going to handle it? This is not the last breach we’ve seen that’s caused by the broken RSA tokens.

Lowcost USB Bluetooth sniffer

This is so nice, and it’s NFH (Nice for Hometinkering)-appeal is big. A small usb bluetooth sniffer, ehm, bluetooth monitor. Ordinary bluetooth devices are very difficult to get in a monitoring mode and other commercial bluetooth monitoring tools cost you an arm and a leg and your soul. This one is selling for under 100 GBP, and you can make it more cheaply if you can solder, which I cannot.

Pentester’s cheat sheet

If you’ve been doing pentesting, one of the goals is to get a shell on the machine. This article lists a number of methods to (ab)use common tools to get the shell working. It’s a nice cheat sheet.


Wrapup for week 21

I’ve started to do something different. I’ll try and create a wrapup of the stuff on the security and/or forensics arena that got my attention. Some may be quite interesting, others may be more fleeting.

Chrome false start

Google has added a feature to Chrome which enables it to perform a SSL-handshake in less messages, resulting in a quicker session setup for the end-user. The beautiful thing is, that the only thing that needs adjustment is the browser, not the server. That’s very nice, and here is a writeup by @cyberwar on the implication that this effort will have on the adoption of SSL.

IPv6 failure coverup in chrome

If you have a network setup where IPv6 is somewhat broken, you are in trouble. The definition in this case for ‘somewhat broken’ reads as: you have a IPv6 address, but no real IPv6 connection to the interwebs. What happens is that you ask for an address to the DNS, which hands you a AAAA and an A record back. You try the AAAA record, which will fail, but it may take some time for the browser to actually notice that the IPv6 connection will not do what it intended to do, after that it will try the A record for IPv4. Chrome now has a feature called IPv4-fallback, which works like this: chrome tries to use the AAAA record, but sets a really low timer (300ms) on that connection. If it doesn’t get an answer within that time back from the server, it will start an IPv4 connection as well for the A record. The first connection to complete, either the AAAA or A, will be chosen to transfer the request and/or data. On a fast connection, this is a quite elegant way for the browser to solve the end-user’s broken network. Naturally, the end-user should fix his network, but with broken CPE it might not be that easy to do. Networkworld has an article on this, as well as the upcoming IPv6 world day (8 June 2011).

Google prediction API

The Google Prediction API may be the prelude of an upcoming trend, where the algorithms and computing power from Google can be used for your own benefit. The example described in the article is done by Ford motor company, but when you start to think about it, there may be a lot more cases where it makes sense to use the Google machine learning algorithms to make the business more profitable by helping the end-user attain his goals more easily.

Roll your own Supercomputer for $1060/h

To finish this weekly wrap-up: how to roll your own supercomputer for $1060/h, which is quite cheap once you think about it. I cannot run computing power like this for this tariff (when also including downtime and idletime).