Secure Sockets Layer Intro

Secure Sockets Layer (SSL) provides client/server authentication and encrypted communications on the Internet. To understand how it fits into the big picture, it would be good if you knew the Open Systems Interconnection (OSI) model for network communications. This is a sever layer model to represent a network. TCP/IP is pretty low operating at the network layer in this model. On top of that is where SSL works, which is the transport layer. Much high in the application layer is protocols such as HTTP and LDAP.

SSL makes use of certificate authorities to verify certificates. It also has two sub protocols: the SSL Record Protocol for formatting, and the SSL Handshake Protocol which negotiates the keys and techniques used for encryption. One way to perform this negotiation is to employ the RSA Key Exchange. There are many options available. The exchange algorithm lets the both ends of the network determine which option to use. I will review these options from the least secure to the strongest.

The simplest and least secure is to do no encryption. This option uses something called MD5 which stands for Message Digest algorithm 5. It is a cryptographic hash function written by Ron Rivest. This technique allows the receiver of network communications to detect whether the messages sent have been tampered with. MD5 is essentially being replaced by SHA-1 which I shall explain below.

Next the RSA Key Exchange can use something called RC2 with 40 bit encryption and MD5. RC2 is a block cipher also invented by Ron Rivest. A block cipher is a symmetric key cipher (encryption and decryption use the same key) that operates on fixed length blocks at a time. This cipher had a 64 bit block with a variable sized key. It is slower than another option of using RC4 with 40 bit encryption and MD5. RC4 uses a stream cipher and is the most widely used software based stream cipher. Both RC2 and RC4 can also be used with 128 bit encryption which makes them more secure.

There are more modes that the RSA Key Exchange can choose. I will cover them in a future posting. SSL can also use techniques other than the RSA Key Exchange to determine how to choose a method and key for encryption. I hope to also go over these in a future post. There are a lot of details to this SSL.

Cryptography

As I mentioned before, I am looking to enter the computer security field. One topic in this field is cryptography. Information transferred over the Internet is subject to all kinds of evil activities. There can be third party eavesdropping and/or tampering with the data. Furthermore a third party can misrepresent who they are. A solution to this is the encrypting and decrypting of data. This is normally done with the use of a key.

There are two main flavors of key encryption. Symmetric key encryption is one where encryption and decryption uses the same key. If is efficient and therefore fast. The other type of encryption is public key encryption. This is also known as asymmetric encryption. It uses public keys which are published, and private keys as well. This method is more complex. It has the benefit of allowing you to digitally sign messages from you using your key.

Public key encryption makes use of certificates which identify individuals. The certificate associates your identify with a public key. The certificate is issued by a certificate authority (CA). Using the certificate you can confirm an identity. The other way the confirmation can be done is through passwords.

An implementation of public key encryption is the Secure Sockets Layer (SSL) protocol. It governs authentication. SSL defines a type of certification called an SSL Certificate. This technique, like all public key encryption, uses symmetric key encryption.

There is a lot more to the world of cryptography. It seems like an interesting domain. I plan to get more into this, specifically on the computer programming side. I did not have time to mention the Secure Multipurpose Internet Mail Extension (S/MIME) used to sign email. And there is also x.509.v3 which is a specification for certificates by the International Telecommunications Union (ITU). I am hoping there will be tine to explore these topics in the future.

Security Job Skills

I am looking to get a job in the computer security field. Since my background is in computer programming, I thought I would go for a development job in this field. There seem to be some opportunities. However the open jobs seem to require background in some topics I am not familiar with. To me that just means I need to study up.

One thing that the jobs like you to have is some certifications. In the past I have never been a big fan of certification. That is because a lot of times it just meant somebody without experience crammed to pass some certification test. However now that is probably exactly what I need. The certifications usually listed are CISSO and Security+. I think I have heard some colleagues say they had CISSO. But I don’t even know what Security+ is.

Some of the skills needed for development positions are generic. For example, a job may call for experience with Java, J2EE, Service Oriented Architectures, Networking, Linux and POSIX. These do not appear to be specific to the computer security industry. Unfortunately those are skills I do not have work experience with. That is ok. My plan is to bone up on my web development skills anyway. So I think I can take care of some of that knowledge.

Other skills required for development positions were very specific to the computer security industry. To tell the truth I have never used these technologies. They include Netscape Security Services, digital signatures, and symmetric/asymmetric cryptography. Well I have the web and Google at my disposal. It is time to bone up on these topics. I will share what I find.

Hacker Sting

Recently I decided to join the Association of Computing Machinery. This happened because I found out my company would pay for it. Right now I am waiting for my membership. It will give me a subscription to their ACM magazine. I will also get access to some technical references online. I though I would talk about a story from the Communications of the ACM. This story is over 20 years old. But the topic is one that I think is still of interest today.

A hacker tried to attack the computer system in a lab. The lab decided to let him think he had broken in. They further decided to use this individual to study how hackers operate. They tracked his activities for about a year. This individual used their lab computer to try to reach other systems. He mainly targeted military and defense systems. They thought he might be doing this for espionage purposes.

Over the year, the hacker attempted to attack over 450 computer systems. He did not use any new approaches. He only used techniques that were found elsewhere, like known security holes. They first detected his attack on their systems when they found a new account that was created. He seemed to search their e-mail to find signs that he had been detected. The hacker used X.25 ports to get in. He tried guessing passwords of accounts.

The intruder was evasive. He only stayed connected for a couple minutes at a time. He also disconnected when he noticed that a system manager was online. He was traced when the researchers at the lab set up a sting. They created some bogus files of interest. It caused the hacker to stay connected longer reading them. The hacker also sent in some snail mail correspondence based on what he read in the bogus files.

This hacker relied on some common account names being present in most systems like root, guest, and system. He also used utilities such as who or finger to find the user names of people logged on. Many people store all kinds of passwords in plain text files. This guy was also able to crack encrypted passwords. It did not help that many people chose passwords that could be found in a dictionary.

There is a lot more to this story. I plan to access the original story in the archives when I become a member of the ACM. Come to think of it, I tried to apply for membership quite some time ago. I have not heard from them since. Maybe it is time to call them up.

Laptop Hacked

I read a funny story about a guy whose laptop got infected. He was a college student with a laptop. He used the laptop for taking notes. One day he walks into class and turns on his laptop. For some reason the laptop kept playing music by itself. It kept repeating the song “See You Again” by Miley Cyrus. This poor guy asked for help on the Internet. He was desperate.

The student noticed that a “miley.exe” process was now always running. Some amateurs recommended that the guy delete this file. No dice. The file could not be deleted because it was being accessed (in other words it was locked due to use).

More level headed individuals recommended the guy do a Google search to help research the problem and any solutions out there. Many people chimed in that, at worst case, he could reinstall Microsoft Windows on the laptop. I had a chuckle when people started calling this the Miley Cyrus Virus. That rhymes in case you didn’t know.

Other good advice included recommendations to run antivirus software. Specifically some guys in the know said he should run Malware Bytes Antispyware to get rid of the problem. I have used this product myself with good success rates.

Some jokers said the guy should sue Miley Cyrus. Yeah. That was just a joke. One out of the box approach was to mute all the sound devices. And a hard core approach to this would be to cut the physical wires that lead to the speakers.

I hope this guy found a way to combat the problem. My own PC got into a phase where it would play sounds and music by itself. These malware and virus authors make us go through all kinds of bad times.

WPA Cracked

The Arstechnica blog has reported that some researchers have found a whole in WiFi Protected Access (WPA). This was presented in a paper by Erik Tews and Martin Beck. It discusses how they cracked the WPA encryption. They are able to successfully send bogus data to a WiFi client. The researchers started with an existing attack on Wired Equivalent Privacy (WEP). The original hack sniffed packers and modified them. They are only able to decrypt short packets.

WEP came out with a basic encryption technique. However the checksums were too weak. The replacement had a goal to be stronger. But it also needed to maintain backward compatibility. An advanced encryption system (AES) option was added. Using AES alleviates the risk of your packets being cracked. Some other techniques to make it hard for the crackers is to employ the option to rekey regularly. This makes transmission more secure. The best method is to choose a very long key.

The idea to move from WEP to WPA was a good one. However the limitation was that they wanted to still run on legacy hardware. The solution chosen was to use a 128 bit key. WPA, or more specifically Temporal Key Integrity Protocol (TKIP), changes the key for every packet. There is a sequence in the key. The length of the sequence is 48 bits. This is good because it will be a long time before such a long number is ever repeated.

I have seen the options to enable both WEP and WPA on my router. Previously they were just weird acronyms. However I want to get more into security and encryption and all that good stuff. There is a lot to learn however. Luckily I have a little bit of background in networking programming. Hopefully that will enable me to get up to speed quickly. The problem is that I am doing this as a side project. I am hoping that maybe I can get a job, even if it is a short term one, in this field to totally immerse myself in it.

Storm Worm Usage

I read an interesting article in the Washington Post newspaper. Some researchers from UC Berkley and another university had conducted an experiment with the Storm Worm virus. They infiltrated the network of machines that have the Storm Worm. They instructed bots to send spam sending unsuspecting readers to their phony pharmaceutical sites.

Within 26 days, they had the Storm Worm distribute 350 million spam emails. They conceded that about 75% of this email got filtered out. The remaining 25% made it to people’s inboxes. Almost 30 people decided to buy pharmaceutical products from their phony sites. They ensured that their sites aborted right before the sale completed.

The average sale was over $100 worth of pharmaceutical goods. The research team estimated that they only used 1.5% of the botnet network capacity. If they were able to fully use the botnet, they projected that they could clear $3.5 million worth of sales a year. This was all through advertising using Storm Worm spam.

There are a couple lessons here to learn here. One is that botnets like the Storm Worm are profitable ventures. Smart people can hack into these botnet networks. Some small percentage of people will make purchases in response to spam email. Perhaps it is the large numbers involved that makes the small percentage worthwhile.

Do you have the Storm Worm secretly installed on your computer? You may be supporting the huge botnet network that propagates criminal activity such as the one studied by these researchers. The thing I wonder is how much are the original authors of the Storm Worm actually making out there? And if they could get such profit from these illegal activities, could their skills be harnessed for legitimate business opportunities?

Script Kiddie Tools

I read a post to the Downgrade Blog entitled “Script Kiddies Have Awesome Tools”. The author checked out a recent hack to Wordpress. He tried to decode the source. However he found that it had been compressed and encoded many times. Eventually he got to the original code. There was an amazing suite of tools available to hackers.

The author compared this tool suite to a tool he obtained about 10 years ago. That tool was supplied as C source code. You needed to get your development environment correct first. Then you needed to supply the compiler with the correct flags for it to successfully build. Finally you needed to figure out how to run the darn app.

This latest suite of tools was much more user friendly to the hacker user community. There were a lot of tools in the suite he discovered. There was a tool to find files with security holes. There was also a program to execute commands as the web server user. It included a backdoor tool installer. It also had an FTP brute force cracker. The suite came with a self remover program as well. This is just a few of the tools included.

The guy realized that with this tool set, it would be easy to go into business. You could scan for Wordpress installations. Once found you could use the tools to check for vulnerabilities. Then you could exploit the ones you find for ill gotten gain. The hard work was done. Somebody coded and provided this tool set. You just need to be a script kiddie to use it.

The tool suite itself was about 2500 lines of PHP code. It took advantage of files not being read only on the file system. Advice from readers who commented included a recommendation to lock down your Wordpress. You should always patch third party code. And you should definitely sanitize SQL before using it. Others mentioned that this tool suite was actually old news. Well I had never heard about it.

Learn UNIX

Some guy had posted a question on Reddit asking for advice on learning UNIX. This was in preparation for doing admin work. He inquired whether he should become familiar with Linux, Free BSD, or Solaris. There was a lot of interesting commentary from Reddit readers that posted replies.

At least one person believed a good UNIX sys admin would need to learn all those UNIX flavors. It would also be most valuable to know UNIX to Windows connectivity. One way to learn any or all of these is to try them out on a virtual machine.

Some readers favor the knowledge of the Ubuntu distribution. Others recommended Gentoo. Solaris knowledge will give you the ability to be involved with interesting work. Others commented that even Apple OS X is UNIX underneath.

The best advice I read was to learn generic UNIX first, and not a specific brand. The most hard care advice was to get some source code and roll your own Linux. That would give you the truly deep knowledge. Now that may not be really needed if you want to be a light sys administrator. But it would be very worthwhile nonetheless.

Personally I am a Microsoft Windows kind of guy. However I used UNIX a lot during school. I even took a UNIX systems development class. I have found the knowledge most useful in my career. You never know when you need to get on a UNIX box and write some code. If you had never been exposed to it before, you would be in trouble. With the low or no cost UNIX available now, there is no excuse not to be fluent in UNIX.

Pause in Coding

I thought I would write a post to say that I know I have not been posting many new programs here lately. My day job is killing me. Pretty much I was going strong producing good results at work. My reward was that I got a second task that requires as much time as my primary one. This just does not add up.

There are multiple problems at work. One is that things are a bit disorganized. That’s ok when I have some slack time in my schedule. But now I am filled to the brim and it is causing me some pain. Another team keeps needed me to join their meetings. That causes a severe drop in productivity.

So now I am falling behind on my main job. And I am not even working the second task I got handed. After working in this crazy environment all week, I do not have any energy left to write some new cool progs for Black of Hat. However I still have a lot of ideas. And if I can get out of this crazy work schedule, I can go back to doing that which I love.

Here is a taste of a new idea I started coding up, but had little or no time to follow through on. I want to code a robot which writes blog posts quickly. This is talking about posts just like the ones I write here, complete with images. At first I looked into using a Google API directly to communicate with Google from the problem. That would have been the easiest. However Google looks like it has no way to automate posting images.

I am left with coding up a sort of screen scraper. My robot will trick the browser into thinking it is a regular user. That is hard to code. But it is the safest way to make sure things work. After I resolve how my program interacts with the browser like a human, I will dive into the artificial intelligence required for the robot to write coherent sentences like any real blogger would. Does that sound like a tight program or what?