Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On 5/15/14, 11:47 PM, Tom Ritter wrote:
> On 14 May 2014 23:36, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
>> I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.
> Sounds interesting. What software did you have in mind?

Look at the attack tool that has just been released: Patch Binaries via MITM: BackdoorFactory + mitmProxy
https://github.com/secretsquirrel/BDFProxy

It sounds like all software downloaded from SourceForge can easily be MitMed, along with GPG4Win and a long list of others. Now that MitM-based binary patching to inject a trojan is also easier, we really need to have someone work on that problem.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

-- 
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
Hi all,

Sorry to jump awkwardly into this thread without quoting, but I don't know how else to reply in digest mode.

Regarding MitM attacks, we looked at this a couple of years ago and got too depressed to continue. Our campus was forcing people to install a policy key that used Blowfish (i.e., non-symmetric) encryption to update itself with admin privileges. This was fixed in a pretty stupid way that made exploitation still pretty easy, and then finally fixed in a slightly less stupid (but still pretty stupid) way where the vendor basically gave all their customers their private key.

Then we took a look at Java, figuring that it was installed by everyone, everywhere. It also had a MitM vulnerability in its software updates. So we published a workshop paper...

http://www.cs.unm.edu/~crandall/foci2012asymm.pdf

...and then gave up and moved on to other things, because finding MitM vulnerabilities in software updates is apparently too easy a problem to be considered academic research.

We toyed around with the idea of developing some network scanning rules to count updates on a campus network and perform some kind of triage process where the most common updates on our campus were assessed to find the binaries most likely to have poor update practices (e.g., by doing some dynamic analysis to answer questions like: does this binary even bother to do any crypto at all?). Get in touch with me if you're interested in discussing that more.

Note that Stuxnet exploited a poor update process on Microsoft's part and FinFisher did the same for Apple, so the big vendors are not immune to this problem.

Also wanted to point out these papers, in addition to The Update Framework that someone else mentioned:

http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
http://usenix.org/events/hotsec06/tech/full_papers/bellissimo/bellissimo.pdf

Jed
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On 5/20/14, 4:24 AM, Tony Arcieri wrote:
> Also note that most software update systems are one key (or sadly in many cases, zero keys) away from being remote code execution vulnerabilities. All of these attacks are covered by The Update Framework: http://theupdateframework.com/

But it's not so unrealistic that most of the small software being used by people in the field will move to or change their update framework. Still, the activity to be done is to:

a) identify the software most used by people in the field
b) audit it
c) have the manufacturers fix their existing update procedures

But we just do not have any kind of data on the security status of the small software being used by people in the field on their outdated Windows/OSX machines.

What I know for sure is that those kinds of techniques are heavily exploited by governmental agencies and no one from the security community is trying to fix that kind of problem.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
There was a good thread on this topic on the OSS-Security list, and another, probably on this list, about 6 months ago.

It'd be worth studying Tor's Thandy, a secure update tool. I wish I could recall why Tor abandoned Thandy; that might be important. :-( There might be clues in Trac.

https://gitweb.torproject.org/thandy.git/blob/HEAD:/specs/thandy-spec.txt
https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Thandy

BTW, when auditing auto-updates, don't both Windows and Apple use CDNs like Akamai to push out their new updates? I seem to recall some Snowden-related articles mentioning CDNs including Akamai; a great place for an adversary to update system binaries.
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On Mon, May 19, 2014 at 07:24:39PM -0700, Tony Arcieri wrote:
> If you really want secure updates, depending on your threat model doing it correctly is a very difficult problem.

First, thanks for the pointer to the web site/paper/etc.: that's going to make for some interesting reading later today.

Second, I think that the threat model, unfortunately, should include the presumption of pervasive monitoring of at least connection metadata: source IP, destination IP, ports, time, duration, and traffic volume in each direction. I have the uncomfortable thought that even if we had a solution to the problems articulated by The Update Framework, others would remain. Still, it's not at all a bad idea to solve the obvious ones that are in front of us while thinking about the others.

---rsk
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On 5/18/14, 6:24 PM, Rich Kulawiec wrote:
> On Thu, May 15, 2014 at 07:36:07AM +0200, Fabio Pietrosanti (naif) wrote:
>> I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.
> Yes, but I'll go one step further: auto-update is a horrible idea -- even if the connection is encrypted.

But the problem is still there:
- there's plenty of small software with auto-update functionality to be audited/exploited
- there's probably a lot that provides its download instructions / installation files over HTTP

Auditing most of it would make people more resilient against easier/stupid attacks, increasing the attack difficulty for the adversary.

But you should not just ask people to switch to more secure software; you should also understand what software they use, working towards securing what they are using today.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On Mon, May 19, 2014 at 1:02 PM, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
> But you should not just ask people to switch to more secure software; you should also understand what software they use, working towards securing what they are using today.

If you really want secure updates, depending on your threat model doing it correctly is a very difficult problem. Fixing what exists today on a case-by-case basis is going to be quite a chore.

Particularly problematic is the case of a MitM who knows a vulnerability but wants to prevent certain clients from getting the software upgrades that fix it: they can simply prevent the updaters from dialing home, and the user is typically none the wiser.

Also note that most software update systems are one key (or sadly in many cases, zero keys) away from being remote code execution vulnerabilities.

All of these attacks are covered by The Update Framework: http://theupdateframework.com/

See their paper "Survivable Key Compromise In Software Update Systems": http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=1046401A7F09F0F4F794359255756038?doi=10.1.1.175.6938&rep=rep1&type=pdf

-- 
Tony Arcieri
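Editor's note: the two failure modes Tony names above (an updater that trusts whatever the network hands it, and a MitM that silently withholds the fix) are exactly what TUF's signed, expiring metadata is designed to close. The Go program below is an added illustration written for this page, not code from any list member, from TUF, or from any real updater. Its manifest format, key pair, payloads and version numbers are all constructed for the example; it shows the minimum a client has to check before executing an update and plays four attacks against that check: a manifest signed by a key the client never trusted, a genuine but expired manifest replayed to freeze the client on an old version, a genuine but older manifest used to roll back, and a correctly signed manifest served with a patched binary (the BDFProxy case earlier in the thread). Only the honest run is accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the metadata the vendor signs. Hypothetical format that borrows
// TUF's ideas (version, expiry, payload digest); it is not TUF's real layout.
type Manifest struct {
	Version int    `json:"version"`
	Expires int64  `json:"expires"` // unix seconds; stale metadata is rejected
	SHA256  string `json:"sha256"`  // hex digest of the update payload
}

// SignedManifest is what crosses the untrusted network or CDN.
type SignedManifest struct {
	Body      []byte // the exact bytes that were signed
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: tampered in transit")
	ErrExpired      = errors.New("manifest expired: old metadata replayed (freeze attack)")
	ErrRollback     = errors.New("manifest older than installed version: rollback attack")
	ErrBadPayload   = errors.New("payload digest mismatch: binary patched in transit")
)

// Sign is the vendor side: serialise the manifest and sign those exact bytes.
// json.Marshal cannot fail for a struct of ints and strings, so the error is dropped.
func Sign(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	body, _ := json.Marshal(m)
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify is the client side. rootKey is pinned in the installed binary, so an
// attacker on the network cannot mint valid metadata; installed is the version
// on disk; now is the client's clock.
func Verify(rootKey ed25519.PublicKey, installed int, sm SignedManifest,
	payload []byte, now time.Time) (Manifest, error) {
	var m Manifest
	// 1. Authenticate before parsing: nothing from the wire is trusted yet.
	if !ed25519.Verify(rootKey, sm.Body, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return m, err
	}
	// 2. Freshness: a replayed, correctly signed but old manifest fails here.
	if now.Unix() > m.Expires {
		return m, ErrExpired
	}
	// 3. Monotonic version: a genuine but older manifest must not downgrade.
	if m.Version < installed {
		return m, ErrRollback
	}
	// 4. The signed digest, not the transport, vouches for the executed bytes.
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrBadPayload
	}
	return m, nil
}

// RunScenarios plays the honest update and four attacks against Verify and
// returns the verdict for each, keyed by scenario name.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // never trusted by clients
	good := []byte("constructed update payload, version 5")
	patched := []byte("constructed update payload with a backdoor")
	digest := sha256.Sum256(good)
	now := time.Unix(1700000000, 0)
	fresh := Manifest{Version: 5, Expires: now.Add(24 * time.Hour).Unix(), SHA256: hex.EncodeToString(digest[:])}
	stale, older := fresh, fresh
	stale.Expires = now.Add(-time.Hour).Unix() // signed long ago, replayed today
	older.Version = 3                          // genuine and unexpired, but behind the installed version
	const installed = 4
	res := map[string]error{}
	_, res["honest"] = Verify(pub, installed, Sign(priv, fresh), good, now)
	_, res["forged_manifest"] = Verify(pub, installed, Sign(attackerPriv, fresh), good, now)
	_, res["freeze"] = Verify(pub, installed, Sign(priv, stale), good, now)
	_, res["rollback"] = Verify(pub, installed, Sign(priv, older), good, now)
	_, res["patched_binary"] = Verify(pub, installed, Sign(priv, fresh), patched, now)
	return res, nil
}

func main() {
	res, _ := RunScenarios()
	for n, e := range res {
		fmt.Printf("%-16s -> %v\n", n, e)
	}
}
```

The check order matters: the signature is verified before the body is parsed, so no attacker-controlled bytes reach the JSON decoder as trusted data, and the payload digest comes from the signed manifest rather than from the transport, which is why an HTTPS download alone does not substitute for it. The case this code cannot see is the one Tony raises last: a MitM that blocks the check entirely. Expiry only helps there if the client treats "no fresh manifest obtained before the current one expires" as an alarm rather than as silence.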
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On 18/05/14 09:40, Fabio Pietrosanti (naif) wrote:
> On 5/15/14, 11:47 PM, Tom Ritter wrote:
>> On 14 May 2014 23:36, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
>>> I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.

I'm afraid I see more and more how the activist people in the field use Facebook (YES, I saw it), Google mailing lists, Google accounts without encryption, WhatsApp, and the list is more and more terrific... I talk about South America, but I saw it in other places too. I'm not an IT professional, so even when I can talk their language (because IT people talk in another language, impossible for journalists or activists) they - in 95% of cases - don't care. I can count on my horror list even lawyers fighting for HR or against government censorship! NGOs, ... They know all about Snowden and net neutrality but they don't know and - as I said before, in general - don't care about OTR, free software, etc.

> I think there's plenty of software used by activists and journalists in the field in difficult places that has a lot of insecurities, be it graphical software, data collection software, web editing software, etc., etc. While our hackish communities mostly focus on security software, in the field people just use general-purpose software for doing general-purpose work, but that's where an adversary able to MitM a connection can leverage stupid bugs to inject monitoring malware directly or indirectly.

The adversary has it so easy... partly because of the lack of interest of technical people in *really* explaining the tools (not only suggesting links) to non-technical people, without expecting that a lawyer, an activist or a journalist becomes a hacker; and partly because of the lack of interest (or a kind of overconfidence?) of the non-IT group. It's a real problem we observe and try to solve here, but in general, without mentionable results.

I hope we can reverse it.

Cristina
foike.org

-- 
This communication may be illegally collected and stored in secret by the United States National Security Agency (NSA). The parties to this e-mail do not consent to the retrieval or storage of this communication and its related metadata, nor to its printing, copying, re-transmission, distribution, or any other use without the consent of its authors. If you are not an explicit recipient of this message, please delete it immediately and consider reporting your employer's illegal activity to the courts of your country or to the press. Privacy is a fundamental right; do not collaborate in any crime against it.
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On Thu, May 15, 2014 at 07:36:07AM +0200, Fabio Pietrosanti (naif) wrote:
> I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.

Yes, but I'll go one step further: auto-update is a horrible idea -- even if the connection is encrypted.

Why? Because someone observing network traffic can deduce which operating system(s) and application(s) a target is using by doing traffic analysis: that is, just looking at where connections are originating and terminating. Even passively checking for the existence of updates -- that is, not actually downloading and installing them -- can facilitate this same traffic analysis.

The results of that analysis have many uses: one that occurs to me offhand is that a repressive government might wish to identify everyone who appears to be using a particular application X because (a) it's not widely used across the entire population (b) but it's used extensively within a certain political/social movement/organization Y. Combined with other traffic analysis (e.g., visits to the web site of Y) this would be useful intelligence. Combined with research into the security vulnerabilities of X this would be VERY useful intelligence.

Another use that occurs to me is that particular combinations of updates could constitute a signature that facilitates the tracking of individuals. In other words, lots of people might check for updates to A, or updates to B, or updates to C, etc.; but how many individuals check for updates to A, B, F and M but never C, D or J?

I'm not sure what the answer to this problem will look like, but I suspect it's going to involve doing away entirely with the concept of auto-update.

---rsk
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On 05/18/2014 09:54 AM, Cristina wrote:
> On 18/05/14 09:40, Fabio Pietrosanti (naif) wrote:
>> On 5/15/14, 11:47 PM, Tom Ritter wrote:
>>> On 14 May 2014 23:36, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
>>>> I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.
> I'm afraid I see more and more how the activist people in the field use Facebook (YES, I saw it), Google mailing lists, Google accounts without encryption, WhatsApp, and the list is more and more terrific... I talk about South America, but I saw it in other places too. I'm not an IT professional, so even when I can talk their language (because IT people talk in another language, impossible for journalists or activists) they - in 95% of cases - don't care. I can count on my horror list even lawyers fighting for HR or against government censorship! NGOs, ... They know all about Snowden and net neutrality but they don't know and - as I said before, in general - don't care about OTR, free software, etc.

That doesn't sound right, because when they talked to me they seemed to care. Granted, it was after showing some of them how to use Tor, teaching others about free software, and even switching one person over from WinXP to Linux Mint with an XP theme. But I admit I may have misunderstood them.

-Jonathan
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
Fabio Pietrosanti (naif):
> Hi all,
>
> I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.
>
> Most government-managed client-side attacks are done through a proper MITM to trick the target into downloading and/or executing something.
>
> There is plenty of major and minor software that has security vulnerabilities that could be exploited in the following processes and procedures:
> - Auto-update of software
> - Version checking (to notify of a newly available version)
> - Web page providing download/update information
>
> If only one of the previously defined functionalities can be exploited by a clever MITM (because it is not properly secured), the target (a normal target, not a paranoid one) is likely compromised.
>
> In the past the IT security and hacking community looked at these problems, but then no big progress was made, everything was abandoned, and auto-update/version-checking/software-download methods have been of interest purely to governmental agencies.
>
> Organizations that now take care of the security of software being used by human rights defenders should look at this kind of problem a bit deeper, by organizing such a project and/or providing proper funding for that purpose.

I think this should include putting pressure on OSes and distros to deliver update checks, software, and crash reporting over HTTPS. Common practice is HTTP (even in Linux distros) and it makes it very easy for malicious actors to fingerprint the software used by individuals for exploitation analysis (as we've read the NSA does with Windows crash reports). While the MITM threat is hopefully low, as any tweaked software won't install due to signing and checksumming, it's a huge leak of personal information that makes targeting and exploitation much easier for malicious actors.

Michael

-- 
Michael Carbone
Manager of Tech Policy Programs
Access | https://www.accessnow.org
GPG: 0x81B7A13E
Fingerprint: 25EC 1D0F 2D44 C4F4 5BEF EF83 C471 AD94 81B7 A13E
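Editor's note: Jed's triage idea earlier in the thread (count the update checks seen on a network, rank by prevalence, look hardest at the most common ones) and Michael's point that plaintext update checks and crash reports fingerprint what an individual runs can be handled in one pass over the same traffic. The Go program below is an added example for this page, not a tool any list member wrote: it parses a constructed flow log (the hosts use the reserved .invalid domain and the product names are invented) and ranks each product/host pair worst-first: an installer fetched over HTTP, where a MitM can patch the binary, outranks a plaintext version check or crash report, which "only" leaks software and version, and HTTPS traffic comes last; ties are broken by how many distinct clients were seen. The ranked table is also what the passive observer rsk describes would obtain, which is the point: if the triage script can see it, so can they.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"sort"
	"strings"
)

// Constructed flow log, one update-related request per line:
//   <timestamp> <client-ip> <method> <url> <user-agent>
// Hosts use the reserved .invalid TLD; nothing here is a real vendor endpoint.
var sampleLog = `2014-05-20T08:01:11Z 10.1.4.12 GET http://updates.imageeditor.invalid/check?ver=3.1.2 ImageEditor/3.1.2
2014-05-20T08:01:15Z 10.1.4.12 GET https://sw.notesapp.invalid/latest.json NotesApp/7
2014-05-20T08:02:03Z 10.1.4.31 GET http://updates.imageeditor.invalid/check?ver=3.0.9 ImageEditor/3.0.9
2014-05-20T08:02:40Z 10.1.4.31 GET http://dl.imageeditor.invalid/ImageEditor-3.1.2-setup.exe ImageEditor/3.0.9
2014-05-20T08:03:22Z 10.1.4.77 GET http://updates.imageeditor.invalid/check?ver=3.1.2 ImageEditor/3.1.2
2014-05-20T08:04:09Z 10.1.4.77 GET http://version.fieldforms.invalid/ver.txt FieldForms/1.4
2014-05-20T08:05:51Z 10.1.4.90 GET https://sw.notesapp.invalid/latest.json NotesApp/7
2014-05-20T08:06:30Z 10.1.4.12 GET http://version.fieldforms.invalid/ver.txt FieldForms/1.4
2014-05-20T08:07:02Z 10.1.4.31 GET http://crash.imageeditor.invalid/report ImageEditor/3.0.9`

// Finding is one row of the triage table.
type Finding struct {
	Product  string // product token of the User-Agent
	Host     string
	Severity int // 3: executable over HTTP, 2: check/report over HTTP, 1: HTTPS
	Clients  int // distinct client IPs, i.e. how many people this exposes
}

// severity ranks one request. Plaintext transfer of an installer is where a
// MitM can patch the binary; a plaintext check leaks software and version.
func severity(u *url.URL) int {
	if u.Scheme != "http" {
		return 1
	}
	switch strings.ToLower(path.Ext(u.Path)) {
	case ".exe", ".msi", ".dmg", ".pkg", ".deb", ".rpm":
		return 3
	}
	return 2
}

// Triage parses the log, aggregates by (product, host) and returns the rows
// sorted worst-first, ties broken by number of distinct clients, then host.
func Triage(log string) []Finding {
	type key struct{ product, host string }
	sev := map[key]int{}
	clients := map[key]map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue // malformed line; a real tool would report it
		}
		u, err := url.Parse(f[3])
		if err != nil {
			continue
		}
		k := key{strings.SplitN(f[4], "/", 2)[0], u.Host}
		if s := severity(u); s > sev[k] {
			sev[k] = s // keep the worst thing seen for this pair
		}
		if clients[k] == nil {
			clients[k] = map[string]bool{}
		}
		clients[k][f[1]] = true
	}
	var out []Finding
	for k, s := range sev {
		out = append(out, Finding{Product: k.product, Host: k.host, Severity: s, Clients: len(clients[k])})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Severity != out[j].Severity {
			return out[i].Severity > out[j].Severity
		}
		if out[i].Clients != out[j].Clients {
			return out[i].Clients > out[j].Clients
		}
		return out[i].Host < out[j].Host
	})
	return out
}

func main() {
	for _, f := range Triage(sampleLog) {
		fmt.Printf("sev=%d clients=%d %-12s %s\n", f.Severity, f.Clients, f.Product, f.Host)
	}
}
```

On the constructed log the plaintext installer download lands on top even though only one client fetched it, the three-client plaintext version check comes second, and the HTTPS check is last. In a real deployment the next step after this ranking is the one Jed describes: take the top entries and look at whether the client verifies a signature at all before running what it downloaded.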
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On 14 May 2014 23:36, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
> I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.

Sounds interesting. What software did you have in mind?

-tom
Re: [liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
On Thu, May 15, 2014 at 2:47 PM, Tom Ritter t...@ritter.vg wrote:
> On 14 May 2014 23:36, Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
>> I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.
> Sounds interesting. What software did you have in mind?

Start with evilgrade; there's a reason it had hundreds and hundreds of vectors. A MitM position is absolute failure more often than not...

best regards,
[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders
Hi all,

I think that it would be very important to organize a project to audit the auto-update functionality of software commonly used by human rights defenders.

Most government-managed client-side attacks are done through a proper MITM to trick the target into downloading and/or executing something.

There is plenty of major and minor software that has security vulnerabilities that could be exploited in the following processes and procedures:
- Auto-update of software
- Version checking (to notify of a newly available version)
- Web page providing download/update information

If only one of the previously defined functionalities can be exploited by a clever MITM (because it is not properly secured), the target (a normal target, not a paranoid one) is likely compromised.

In the past the IT security and hacking community looked at these problems, but then no big progress was made, everything was abandoned, and auto-update/version-checking/software-download methods have been of interest purely to governmental agencies.

Organizations that now take care of the security of software being used by human rights defenders should look at this kind of problem a bit deeper, by organizing such a project and/or providing proper funding for that purpose.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org