最新的 SSL connection 攻擊:DROWN attack

前幾天 OpenSSL 宣佈將在三月一日更新版本,包括了幾項層級被標示為 High 的問題:「[openssl-announce] Forthcoming OpenSSL releases」。

今天看到這個問題了,被稱為「The DROWN Attack」,全名為 Decrypting RSA with Obsolete and Weakened eNcryption,整個 internet 上大約 33% 的伺服器受到影響:

Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack.

包括兩類,第一類是支援 SSLv2 的伺服器,約 17%:

It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default settings. Our measurements show that 17% of HTTPS servers still allow SSLv2 connections.

第二類是指那些,雖然 server 不支援 SSLv2,但與第一類共用同一把 key,於是可以拿來攻擊,約 16%:

Its private key is used on any other server that allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. When taking key reuse into account, an additional 16% of HTTPS servers are vulnerable, putting 33% of HTTPS servers at risk.

要注意的是這不只包括了 HTTPS,也包括了 POP3S 與 IMAPS,以及其他有用 SSLv2 的 server 都有受到影響。尤其是第二類會發生在小型伺服器上,mail server 與 web server 共用同一份 SSL certificate/key 的時候。

如果手上有使用 SSLv2 的 server,解法是關閉 SSLv2 (目前新的 SSL library 預設應該都是關閉),撤銷並重新申請 SSL certificate。

Linode 的被攻擊報告

Linode 這陣子一直被 DDoS 攻擊,前幾天放出報告:「The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks」。

其中這段提到了一些數字,Linode 有個小機房有 40Gbps 的能力,但以現在的 DDoS 規模會馬上爆掉:

Linode’s capacity management strategy for IP transit has been simple: when our peak daily utilization starts approaching 50% of our overall capacity, then it’s time to get more links.

This strategy is standard for carrier networks, but we now understand that it is inadequate for content networks like ours. To put some real numbers on this, our smaller datacenter networks have a total IP transit capacity of 40Gbps. This may seem like a lot of capacity to many of you, but in the context of an 80Gbps DDoS that can’t be blackholed, having only 20Gbps worth of headroom leaves us with crippling packet loss for the duration of the attack.

另外把 DNS 整個放上 CloudFlare 讓他們來擋:

Our nameservers are now protected by Cloudflare, and our websites are now protected by powerful commercial traffic scrubbing appliances.

後續的改善應該還要幾個月?完成後應該會再看到 blog post...

Amazon 之前放出的 s2n 的安全性問題

Amazon 之前放 s2n 出來當作 TLS protocol 的方案,於是就有人摸出東西來:「Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS」。

即使是經過外部資安檢證,仍然還是有找到問題。這次找到的問題是 timing attack 類在 CBC-mode 下的 plaintext recovery:

At the time of its release, Amazon announced that s2n had undergone three external security evaluations and penetration tests. We show that, despite this, s2n - as initially released - was vulnerable to a timing attack in the case of CBC-mode ciphersuites, which could be extended to complete plaintext recovery in some settings.


Our attack has two components. The first part is a novel variant of the Lucky 13 attack that works even though protections against Lucky 13 were implemented in s2n. The second part deals with the randomised delays that were put in place in s2n as an additional countermeasure to Lucky 13. Our work highlights the challenges of protecting implementations against sophisticated timing attacks.

最後還是酸了一下 Amazon:

It also illustrates that standard code audits are insufficient to uncover all cryptographic attack vectors.

Amazon 的官方說明則在「s2n and Lucky 13」這邊可以看到。

微軟也宣佈 SHA-1 的 SSL certificate 將於 2016 年七月停用

在「SHA-1 Deprecation Update」這篇文章中宣佈本來在「Windows Enforcement of Authenticode Code Signing and Timestamping」這邊宣佈 2017 年停用 SHA-1 SSL certificate 的進度將提前到 2016 年七月 (到 2016 六月前仍然可以使用)。

在微軟的文章裡也有提到,如同 Mozilla 在前幾個禮拜宣佈的「Continuing to Phase Out SHA-1 Certificates」計畫,也是預定把 2017 年的淘汰計畫提前到 2016 年七月。

主要是因為「對 SHA-1 的攻擊進展」這邊提到對 SHA-1 的新攻擊,所以決定提前半年...

對 Zeus Web Server 的 Timing Attack

Update:這應該是在講 Zeus C&C 系統,不是 Zeus Web Server... ~_~

在「Timing attack vulnerability in most Zeus server-sides」這邊看到難得的 HTTP-based timing attack,藉由程式的漏洞而產生出能夠偵測出來的 timing attack:

雖然 Zeus Web Server 已經收攤了,不過這還是示範了很好玩的攻擊手法...

在瀏覽器上面用 JavaScript 進行 Side-channel attack

用 JavaScript 就可以攻擊 L3 cache,進而取得資料:「JavaScript CPU cache snooper tells crooks EVERYTHING you do online」。

論文出自「The Spy in the Sandbox – Practical Cache Attacks in Javascript」(PDF) 這篇。

不需要任何外掛或 exploit,就純粹是利用 cache 反應時間的 side-channel attack。另外由於 AMD 的 cache 架構不同,這次的攻擊實作僅對 Intel 有效:

The Intel cache micro-architecture isinclusive– all elements in the L1 cache must also exist in the L2 and L3 caches. Conversely, if a memory element is evicted fromthe L3 cache, it is also immediately evicted from the L2 and L1 cache. It should be noted that the AMD cachemicro-architecture is exclusive, and thus the attacks described in this report are not immediately applicable tothat platform.



第四公民》(Citizenfour) 這部電影描述了 Edward Snowden 在 2013 年披露稜鏡計畫的過程以及後續的效應,雖然是紀錄片,但整件事情還在進行發展中。

以最佳紀錄片的身份橫掃 2014 與 2015 的獎項,包括了奧斯卡金像獎與英國電影學院獎:


前幾天發現沒跟上四月 11 日的 2015 金馬奇幻影展 (應該是台灣區的首映),昨天就跑去華山看:「《第四公民》首週上映時刻表」。


整部片子裡穿插了 GnuPGTails 這些工具,用來保護通訊的隱私與安全。以及當你可能被 APT 時要保護自己的一些手段。


Tor 官方預測將會被攻擊

Tor 官方預測將會被攻擊:「Possible upcoming attempts to disable the Tor network」。

透過扣押機器的方式降低 Tor 對 client bootstrap 的承載能力:

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities.


jQuery 官網疑似被攻陷...

起因在「jQuery.com Malware Attack Puts Privileged Enterprise IT Accounts at Risk」這篇,RiskIQ 的人偵測到 jQuery 官方網站異常,帶有惡意軟體。檢查後發現在官網的 html 裡面出現了 jquery-cdn.com 這個非官方的 domain:

這個 domain 可以看到是全新建立的:

   Domain Name: JQUERY-CDN.COM
   Registrar: NAMESILO, LLC
   Whois Server: whois.namesilo.com
   Referral URL: http://www.namesilo.com
   Name Server: NS1.DNSOWL.COM
   Name Server: NS2.DNSOWL.COM
   Name Server: NS3.DNSOWL.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 18-sep-2014
   Creation Date: 18-sep-2014
   Expiration Date: 18-sep-2015

透過這個 domain 一路穿出去將惡意程式導進來。

jQuery 官方收到 RiskIQ 的人通之後也開始調查發生什麼事情:「Was jquery.com Compromised?」、「Update on jQuery.com Compromises」。


很特別的 Side-channel attack 方法以取得 RSA 與 ElGamel 的 private key

在「A new Side channel attack-how to steal encryption keys by touching PCs」這邊看到一種很特別的 side-channel attack:(直接先看圖)


The signal can also be measured at the remote end of Ethernet, VGA or USB cables.

方法愈來愈特別了 XDDD