Home » Archive by category "Privacy" (Page 8)

ROCA:Infineon Technologies 的 RSA 實做問題

最近的另外一個大包,不過這包是 Infineon Technologies 在實做 RSA 算法時的問題,倒不是 RSA 算法本身有問題。之所以會「大」是因為有太多人用了:「ROCA: Vulnerable RSA generation (CVE-2017-15361)」。

起因於 Infineon Technologies 在產生 key 時的組合有限,於是要猜測的 keyspace 小很多。

以研究者的估算,可以看出 CPU year 都被大幅減少了,都是屬於「可行」的範圍:

The time complexity and cost for the selected key lengths (Intel E5-2650 v3@3GHz Q2/2014):

512 bit RSA keys - 2 CPU hours (the cost of $0.06);
1024 bit RSA keys – 97 CPU days (the cost of $40-$80);
2048 bit RSA keys – 140.8 CPU years, (the cost of $20,000 - $40,000).

而且這邊是用 CPU year 估算,如果考慮 FPGA 加速計算,應該會短更多...

另外從發現到公開的時間線也拉得很長,可以看到中間一直在找解決方案:

2nd of November 2017 - Presentation of all details at the ACM CCS conference (to come)
16th of October 2017 - The initial version of the public disclosure published
May to October 2017 - Cooperation with the manufacturer and other affected parties to help evaluate and mitigate the vulnerability
1st of February - The vulnerability disclosed to Infineon Technologies AG
End of January - The vulnerability found

過一陣子就會去 conference 上報告了...

CircleCI 的隱私問題

作者看 CircleCI 網站時發現的問題:「CircleCI trusts 8 analytics companies with your source code and API tokens」。

CircleCI 網站引用了這八個網站的 javascript:

  • Pusher
  • Intercom
  • Launch Darkly
  • Amplitude
  • Appcues
  • Quora (??)
  • elev.io
  • Optimizely

有些有很明顯目的而且也夠大,但有些就沒聽過了... 不過照 BuiltWith 上分析的資料「circleci.com Technology Profile」,遠超過這些啊 XDDD

可以看到 GitHub 站上只引用了 Facebook (不過這是哪邊出現的啊?),另外因為使用 Fastly 的 CDN 服務,所以 Fastly 也是屬於 GitHub 的信任名單;這兩家都算夠大的 vendor:「github.com Technology Profile」。

Travis CI 則是 Google Analytics 與 Fastly,也是兩家夠大的 vendor:「travis-ci.com Technology Profile」。

所以對於很注重這資安方面的人,應該還算是有選擇...

加州也禁止詢問之前的薪資了

在「California bosses can no longer ask you about your previous salary」這邊看到的消息。繼「麻州立法禁止詢問前一份工作的薪資」與「紐約市也將禁止雇主詢問薪資」後,加州也加入了這個行列。

The salary privacy bill, was enacted by Gov. Jerry Brown on Thursday, Oct. 12, at a celebratory signing ceremony at Women’s Empowerment, a Sacramento nonprofit for homeless women. He was surrounded by members of the California Legislative Women’s Caucus.

法案將於 2018 年生效:

The salary privacy bill takes effect on January 1, 2018.

DHS 要求郵件系統都必須使用 STARTTLS、DMARC,並且全面禁用 RC4 與 3DES

Twitter 上看到 18F 貼了 DHS 的新規定:「Enhance Email and Web Security」。

郵件系統的部份,要求要有 STARTTLS,並且設定 SPFDMARC。另外禁用 SSLv2 SSLv3,以及 RC43DES

網站的部份,則是要求 HTTPS 以及 HSTS。另外也與郵件系統一樣禁用 SSLv2、SSLv3,以及 RC4 與 3DES。

不只 18F 一個單位在推動,這樣整體的速度才會加快...

WPA2 安全漏洞

話說 WPA2 也撐了十三年了:

WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.

這次的漏洞可以參考「Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping」這邊。

PoC 稱作 KRACK (Key Reinstallation Attacks),漏洞將會在十一月正式發表,從會議的標題名稱大概可以知道方向,是對 Nonce 下手:「Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2」。另外站台 www.krackattacks.com 已經放好,等後續的發表更新了。

對於無線網路的各種漏洞,老方法還是目前最有效的方法,也是這次的 workaround 之一:上強度足夠的 VPN。

Update:補上論文「Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2」。

機器學習與情色產業的問題

Bruce Schneier 提到了最近幾個剛好相關的議題,關於機器學習在情色產業使用時遇到的隱私議題:「Technology to Out Sex Workers」。

第一個提到的是 PornHub 用機器學習辨識演員以及各種「其他資訊」,這邊引用的報導是 TechCrunch 的「PornHub uses computer vision to ID actors, acts in its videos」:

PornHub is using machine learning algorithms to identify actors in different videos, so as to better index them.

The computer vision system can identify specific actors in scenes and even identifies various positions and… attributes.

第二個提到的是花名與真實身份連在一起的問題:

People are worried that it can really identify them, by linking their stage names to their real names.

最後是提到 Facebook 已經有能力這樣做,而且已經發生了:

Facebook somehow managed to link a sex worker's clients under her fake name to her real profile.

Her sex-work identity is not on the social network at all; for it, she uses a different email address, a different phone number, and a different name. Yet earlier this year, looking at Facebook’s “People You May Know” recommendations, Leila (a name I’m using using in place of either of the names she uses) was shocked to see some of her regular sex-work clients.

這個議題與 Mass surveillance 有點像...。

OnePlus OxygenOS 內建的 Malware

看到「OnePlus OxygenOS built-in analytics」這篇,講作者在聽連線時看到 OnePlus OxygenOS 內建的 Malware:

維基百科上的說明好像不怎麼意外啊:

一加(全稱:深圳市萬普拉斯科技有限公司,英語:OnePlus)是中國一家行動通訊終端裝置研製與軟體開發的企業,於2013年12月7日成立,主要開拓國外市場。

作者一開始看到各種行為,像是 screen_offscreen_onunlockabnormal_reboot

{
    "ty": 3,
    "dl": [
        {
            "id": "258cfeb1",
            "en": "screen_off",
            "ts": 1484177517017,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "screen_on",
            "ts": 1484177826984,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "unlock",
            "ts": 1484177827961,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "abnormal_reboot",
            "ts": 1484178427035,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ...
    ]
}

然後是各種機器資訊,包括 MAC address、IMEI 之類的:

{
    "ty": 1,
    "dl": [
        {
            "ac": "",
            "av": "6.0.1",
            "bl": 82,
            "br": "OnePlus",
            "bs": "CHARGING",
            "co": "GB",
            "ga": 11511,
            "gc": 234,
            "ge": 6759424,
            "gn": 30,
            "iac": 1,
            "id": "258cfeb1",
            "im": "123456789012345,987654321098765",
            "imei1": "123456789012345",
            "it": 0,
            "la": "en",
            "log": "",
            "ma": "aa:bb:cc:dd:ee:ff",
            "mdmv": "1.06.160427",
            "mn": "ONE A2003",
            "nci": "23430,",
            "ncn": ",",
            "noi": "23430,",
            "non": "EE,",
            "not": "LTE,",
            "npc": "gb,",
            "npn": "07123456789,07987654321",
            "nwa": "aa:bb:cc:dd:ee:ff",
            "nwb": "ff:ee:dd:cc:bb:aa",
            "nwh": false,
            "nwl": 0,
            "nws": "\"CHRISDCMOORE\"",
            "ov": "Oxygen ONE A2003_24_161227",
            "pcba": "",
            "rh": 1920,
            "ro": false,
            "romv": "3.5.6",
            "rw": 1080,
            "sov": "A.27",
            "ts": 1484487017633,
            "tz": "GMT+0000"
        }
    ]
}

然後是開了什麼 app XDDD

{
    "ty": 4,
    "dl": [{
            "id": "258cfeb1",
            "pn": "com.Slack20003701",
            "pvc": "20003701",
            "tk": [
                [1484079940460, 1484079952177],
                [1484081525486, 1484081603191],
                [1484081603424, 1484081619211],
                ...
            ],
            "it": 0
        }, {
            "id": "258cfeb1",
            "pn": "com.microsoft.office.outlook170",
            "pvc": "170",
            "tk": [
                [1484084321735, 1484084333336],
                [1484084682578, 1484084683668],
                [1484084685843, 1484084688985],
                ...
            ],
            "it": 0
        }, ...
    ]
}

以及在 app 裡面做了什麼 XDDD (像是 ChromeTabbedActivity startRecentsActivity stopWifiSettingsActivity startSettings start)

{
    "ty": 2,
    "dl": [{
            "id": "258cfeb1",
            "pi": 12795,
            "si": "127951484342058637",
            "ts": 1484342058637,
            "pn": "com.android.chrome",
            "pvn": "55.0.2883.91",
            "pvc": 288309101,
            "cn": "ChromeTabbedActivity",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ... {
            "id": "258cfeb1",
            "pi": 4143,
            "si": "41431484342115589",
            "ts": 1484342115589,
            "pn": "com.android.systemui",
            "pvn": "1.1.0",
            "pvc": 0,
            "cn": "RecentsActivity",
            "en": "stop",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "pi": 26449,
            "si": "264491484342115620",
            "ts": 1484342115620,
            "pn": "com.android.settings",
            "pvn": "6.0.1",
            "pvc": 23,
            "cn": "WifiSettingsActivity",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ... {
            "id": "258cfeb1",
            "pi": 2608,
            "si": "26081484346421908",
            "ts": 1484346421908,
            "pn": "com.android.settings",
            "pvn": "6.0.1",
            "pvc": 23,
            "cn": "Settings",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ...
    ]
}

有人提供了移除的方法:

但你可以不要買這個牌子啊 XDDD

ALB 支援 SNI

AWS 宣佈 ALB 支援 SNI 了:「Application Load Balancers Now Support Multiple TLS Certificates With Smart Selection Using SNI」。

不過這篇比較有趣的是,他範例用的是 VimIsBetterThanEmacs.comVimIsTheBest.com 這兩個網域名稱 XDDD:

I’ll use a few example websites like VimIsBetterThanEmacs.com and VimIsTheBest.com. I’ve purchased and hosted these domains on Amazon Route 53, and provisioned two separate certificates for them in AWS Certificate Manager (ACM). If I want to securely serve both of these sites through a single ALB, I can quickly add both certificates in the console.

VPN 保留連線記錄幫助 FBI 抓犯人

這應該是這幾天鬧得蠻大的事情:「PureVPN Logs Helped FBI Net Alleged Cyberstalker」。

起因在於 PureVPN 的廣告寫著他們不會記錄:

但在證詞裡卻提到 PureVPN 有記錄:

“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,” the agent’s affidavit reads.

然後回頭看 PureVPN 的 Privacy 條款發現他們在條款裡面寫著他們會記錄連線資訊:

Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a ‘connection’ and the total bandwidth used during this connection is called ‘bandwidth’. Connection and bandwidth are kept in record to maintain the quality of our service. This helps us understand the flow of traffic to specific servers so we could optimize them better.

然後被告 Ryan S. Lin 就幹剿了:

“There is no such thing as a VPN that doesn’t keep logs,” Lin said. “If they can limit your connections or track bandwidth usage, they keep logs.”

以後挑 VPN 還得仔細看條款裡面留 log 的部份啊...

U2F Security Key 產品測試?

Adam Langley 的「Testing Security Keys」這篇測試了不少有支援 U2F Security Key 的產品,這邊作者是以 Linux 環境測試。

tl;dr:在 Linux 環境下,除了 Yubico 的產品沒問題外,其他的都有問題... (只是差在問題多與少而已)

Yubico 的沒找到問題:

Easy one first: I can find no flaws in Yubico's U2F Security Key.

VASCO SecureClick 的則是 vendor ID 與 product ID 會跑掉:

If you're using Linux and you configure udev to grant access to the vendor ID & product ID of the token as it appears normally, nothing will work because the vendor ID and product ID are different when it's active. The Chrome extension will get very confused about this.

Feitian ePass 的 ASN.1 DER 編碼是錯的:

ASN.1 DER is designed to be a “distinguished” encoding, i.e. there should be a unique serialisation for a given value and all other representations are invalid. As such, numbers are supposed to be encoded minimally, with no leading zeros (unless necessary to make a number positive). Feitian doesn't get that right with this security key: numbers that start with 9 leading zero bits have an invalid zero byte at the beginning. Presumably, numbers starting with 17 zero bits have two invalid zero bytes at the beginning and so on, but I wasn't able to press the button enough times to get such an example. Thus something like one in 256 signatures produced by this security key are invalid.

Thetis 根本沒照 spec 走,然後也有相同的 ASN.1 DER 編碼問題:

With this device, I can't test things like key handle mutability and whether the appID is being checked because of some odd behaviour. The response to the first Check is invalid, according to the spec: it returns status 0x9000 (“NO_ERROR”), when it should be 0x6985 or 0x6a80. After that, it starts rejecting all key handles (even valid ones) with 0x6a80 until it's unplugged and reinserted.

This device has the same non-minimal signature encoding issue as the Feitian ePass. Also, if you click too fast, this security key gets upset and rejects a few requests with status 0x6ffe.

U2F Zero 直接 crash 沒辦法測 XDDD:

A 1KiB ping message crashes this device (i.e. it stops responding to USB messages and needs to be unplugged and reinserted). Testing a corrupted key handle also crashes it and thus I wasn't able to run many tests.

KEY-ID (網站連 HTTPS 都沒上...) / HyperFIDO 也有編碼問題但更嚴重:

The Key-ID (and HyperFIDO devices, which have the same firmware, I think) have the same non-minimal encoding issue as the Feitian ePass, but also have a second ASN.1 flaw. In ASN.1 DER, if the most-significant bit of a number is set, that number is negative. If it's not supposed to be negative, then a zero pad byte is needed. I think what happened here is that, when testing the most-significant bit, the security key checks whether the first byte is > 0x80, but it should be checking whether it's >= 0x80. The upshot is the sometimes it produces signatures that contain negative numbers and are thus invalid.

所以還是乖乖用 GitHub 帳號買 Yubico 吧...

Archives