
Security Week 42: SHA-1 collisions, practical hacking of routers, Android / Security / Sadness

When you are at the epicenter of events, it is sometimes hard to understand what really happened. Sitting in a traffic jam, you won't know it was caused by an accident until you reach the two wrecked cars sprawled across three lanes. Up to that point, you simply don't have enough information to draw conclusions. In the information security industry this happens all the time: the topic is complex, there are many nuances, and the result of some piece of research can only be realistically assessed years later.

This week, the three most interesting security news items have nothing to do with each other, except for a thick layer of subtext. If you don't follow the topic constantly, it is easy to misjudge the importance of some events or to miss important details. I will try, as far as I can, to explain with examples, although subtext is such a thing that everyone sees something different in it. Welcome to episode 11 of Security Week, the veil-lifting edition. The traditional rules: every week the editors of the news site Threatpost select the three most significant news items, to which I add an extended and merciless commentary. All episodes of the series can be found here.

The cost of finding SHA-1 collisions has dropped sharply
News. Bruce Schneier's post from three years ago. The new study that changed the assessment of the algorithm's security.

Those who have gotten to know Linux a little beyond the automated Ubuntu install know that this system motivates you to read the docs. I mean, first, of course, I try to google a page where the sequence of commands is simply listed, but in some cases that won't work for me at first, and then everything breaks. This news is from the same series: without at least a minimal immersion in the material, it is hard to understand. Even though this is perhaps the hardest topic in the entire run of the series, I will try to explain the essence of it in simple words.

Well, somehow I will try.

SHA-1 is a cryptographic hash algorithm. Such an algorithm takes as input a data sequence of almost unlimited length and produces 160 bits of output that identify the original data array. Identify, but not reconstruct: recovering the information from the hash doesn't work, you can't turn minced meat back into a steak.

More precisely, it must not work, even when the input is, say, the password 123456 of some unlucky user. Any such algorithm has two requirements: it must be infeasible to obtain the source data given only the hash, and infeasible to pick a pair of data sets whose hashes match. To be even more precise, the possibility of doing both is almost always there. It just has to involve such a huge amount of computation that there is no point in even trying. That is, you buy the most powerful supercomputer and give it the task of breaking the cipher. After 240 years, it says the answer is 42, but by that time you no longer care.

But there is a nuance. First, computer performance is constantly growing. Second, researchers look for shortcuts that make breaking cryptographic systems cheaper. For a hash algorithm, finding a collision is much easier than recovering the original data. Meanwhile, the same SHA-1 is used in various encryption and authorization systems, where its main task is to confirm that the data held by two different parties is the same. If you can find two or more data arrays with the same hash, and do it cheaply and quickly, then the algorithm is no longer reliable.

Perhaps I'll stop here, because after this comes some very heavy math that doesn't change the essence of the matter. The researchers' work looks like this: they come up with a collision search algorithm that finds one in somewhat fewer operations than brute force. More precisely, it makes sense to talk about the "birthday" attack. Birthdays, Karl!

My "simple words" are not coming out right.

Then the researchers improve this algorithm, further reducing the number of operations. As a result, the attack that used to take 240 years becomes doable in 120 years. Or 12. Or 2. That is when, instead of two and a half centuries, it takes only two months, you can start to worry. Three years ago, Jesse Walker of Intel, a cryptography expert, estimated that by 2015 finding a SHA-1 collision would require 2^11 server-years (for a spherical typical server in a vacuum, that is). Fortunately, thanks to cloud services, specifically Amazon EC2, you can translate that into a more specific monetary equivalent: about 700 thousand dollars, and you get a theoretical way to forge, for example, a digital signature in a relatively short time.
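To make the "birthday" scaling concrete, here is an added example of my own (not code from the post or from the research it discusses): it runs a generic birthday search against SHA-1 truncated to a toy width, so the search finishes in seconds, and compares the work it took with the textbook estimates for collision search (about sqrt(pi/2 * 2^n) hashes) and for a brute-force preimage (about 2^n hashes). The message prefix and the 32-bit toy width are constructed choices; the hash itself is the real SHA-1 from the standard library.

```python
import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer.

    Truncating the 160-bit digest to a toy width keeps the real compression
    function but shrinks the search space enough to find a collision quickly.
    """
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-"):
    """Generic birthday search: hash distinct messages until two share a value.

    Returns (msg_a, msg_b, hashes_computed). Messages are the constructed
    prefix plus a counter, so the run is deterministic and needs no randomness.
    """
    seen = {}
    counter = 0
    while True:
        msg = prefix + counter.to_bytes(8, "big")
        counter += 1
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg


def expected_birthday_work(bits: int) -> float:
    """Expected hashes before the first collision among random outputs: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def expected_preimage_work(bits: int) -> float:
    """Expected hashes to hit one given output by brute force: 2**bits."""
    return float(2 ** bits)


if __name__ == "__main__":
    toy_bits = 32
    a, b, n = birthday_collision(toy_bits)
    print(f"{toy_bits}-bit collision after {n} hashes "
          f"(expected ~{expected_birthday_work(toy_bits):.0f}, "
          f"brute-force preimage would expect ~{expected_preimage_work(toy_bits):.0f})")
    print("message A:", a, "message B:", b)
    # Full 160-bit SHA-1: the collision/preimage gap is 2^80 vs 2^160,
    # which is why the collision side is the one researchers keep chipping at.
    print(f"160-bit: collision ~2^{math.log2(expected_birthday_work(160)):.1f}, "
          f"preimage ~2^{math.log2(expected_preimage_work(160)):.0f}")
```

The 32-bit run typically needs on the order of 80 thousand hashes, which is roughly the square root of the 4 billion a preimage search would need at that width; every optimization in the papers above shaves the constant or the exponent off that collision figure, not off the preimage figure.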

But that was a 2012 estimate. It turned out that even then the SHA-1 algorithm was not as reliable as we would like, but only very wealthy organizations could exploit this unreliability, for example the intelligence service of some not-so-poor country. Naturally, such offices are in no hurry to issue press releases about their successes in the fight against cryptography. So it is more important to understand when such a "tool" becomes accessible to cybercriminals, well-funded ones, but cybercriminals nonetheless.



Recently, a team of researchers from universities in the Netherlands, Singapore and France published a report in which they shared new ideas for optimizing the collision search algorithm. Thanks to them, in short, a real attack could cost "at Amazon prices" only 75 thousand dollars and take about 49 days. Or more expensive and faster, as you like. The well-known cryptography expert Bruce Schneier commented on it this way: the 2012 estimate took Moore's law into account, but not the improvement of the attack algorithm and of the way the attack is carried out (for example, using graphics processors, which do this job faster and cheaper). It is genuinely impossible to reliably predict the effect of such optimization.

And then we ask the traditional question: does this new research and the new estimate threaten anyone in practice? Not much. How can such "vulnerabilities" be exploited? There is an example for the much weaker MD5 algorithm: take two different files (in that case, photos of rock stars were used) and, by successively modifying the data in one of them, end up with the same hash for two completely different images.

And more specifically? The Flame cyber-espionage campaign used this technique to sign a malicious file with a valid (at the time) Microsoft certificate. More precisely, the signature was forged, but the hashes of the forged signature and the real one coincided. According to independent estimates, such a trick, even with the weaker algorithm, could cost from 200 thousand to 2 million dollars. Expensive!

And what about SHA-1? The algorithm has been in use since 1995, and, in general, already in 2005, 10 years ago, it was clear that this is not the most reliable technology in the world. But even with the new input data, practical exploitation is still far off, while SHA-1 is gradually being withdrawn from use and replaced with more reliable hash algorithms. By 2017, the developers of the major browsers plan to abandon SHA-1. Perhaps we should hurry, because if in three years the estimated price of the attack fell from 2.77 million dollars to 100 thousand, what could happen in another year? On the other hand, all SHA-1 vulnerability studies so far have been of purely scientific value. Trying to work out in practice what this threatens is like concluding from the report "250 tons of rocket fuel burned over Kazakhstan on April 12" that a man flew into space for the first time, without knowing it in advance. Wait and see.

Fun fact: a hash is, properly speaking, called a digest or message digest. So you have just listened to a digest about a digest. Recursion, wheee!

Vulnerability in Netgear routers is being exploited in the wild
News. Description of the vulnerability.

A vulnerability has been discovered in Netgear N300 routers. Well, yes, another hole in routers; somehow they are all different and yet all alike. In one of the previous episodes we already discussed a bunch of holes in Belkin devices. With Netgear it is just plain embarrassing. Open the router's web interface. Enter the password, a wrong one, because the router is someone else's and we don't know the password. We are sent to a page that says Access Denied. But if you try to open a page named BRS_netgear_success.html, then... we still won't be let in anywhere. But if you try it several times in a row, they let you through.



Naturally, you need to already be inside the local network, which somewhat complicates the task. Although if the router, for example, provides WiFi to a cafe, getting inside is not a problem. And if the owner for some reason turned on access to the web interface from the Internet, then everything is simple. By the way, can anyone say why, in principle, you would need access to the web interface from the outside? Access to the router's web interface, that is, not to anything on the local network. It seems to me there are no reasons to do this at all, but, as you see, there are plenty of reasons not to.

Everything could have gone quite smoothly here: the vendor was notified, and two months later it produced a beta version of the firmware. It would all have blown over quietly, but no, it turned out that the vulnerability was being exploited, as they say, "in the wild". The Swiss company Compass Security found such a router with altered settings: the DNS server configured was not the provider's address, as is usually the case, but who knows what. Accordingly, all DNS queries passed through this who-knows-what. An investigation of the attackers' server showed that it "served" more than 10 thousand hacked routers.

Fun fact: Compass Security was unable to get any response from Netgear for quite a while. Then the dialogue did happen, and they were even sent a beta version of the firmware for verification. But then (out of nowhere) the company Shellshock Labs appeared and published its own study of the same vulnerability without any agreement with anyone at all (which, to be fair, is not very nice). Of course, naming a company after a bug in bash is cool, but the principle of "do no harm" has not been repealed. Still, from the study of the "shell-shockers" it becomes clear where the vulnerability in the web interface came from. The firmware code provides the ability to enter the web interface without a password once, at first launch. To stop it from working after that, a flag was provided, which was simply forgotten. Yes, the firmware has finally been updated.
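The design lesson behind that forgotten flag deserves a concrete model. The following is an added example of my own, a hypothetical toy model and not Netgear's firmware code or anything from the Shellshock Labs write-up: a "first launch" path that grants the admin interface without a password is supposed to be one-shot, but if the "already used" flag is consulted and never written, the bypass stays open forever. The hardened variant consumes the flag before granting access (so it must be persisted in the same step), and, picking up the point about exposing the web interface to the Internet, refuses the first-run path unless the request comes from the LAN side. The page name `/first-run` and the `SetupState` record are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SetupState:
    """Persisted router state (hypothetical). `first_run_used` must survive reboots,
    otherwise a power cycle would reopen the bypass."""
    admin_password: str
    first_run_used: bool = False


class VulnerableAdmin:
    """Toy model of the defect described above: the one-time bypass flag is read
    but never set, so every visit to the first-run page is treated as the first."""

    FIRST_RUN_PAGE = "/first-run"  # hypothetical page name, not the real one

    def __init__(self, state: SetupState):
        self.state = state

    def authorize(self, path: str, password: Optional[str], from_lan: bool) -> bool:
        if password is not None and password == self.state.admin_password:
            return True
        if path == self.FIRST_RUN_PAGE:
            # BUG: the flag is checked but nothing ever writes it, so this
            # branch keeps returning True for every caller, LAN or WAN.
            return not self.state.first_run_used
        return False


class HardenedAdmin(VulnerableAdmin):
    """Same design with the two missing pieces: the flag is consumed on first use
    (and would be persisted with the rest of SetupState), and the password-less
    path is only honoured from the local network."""

    def authorize(self, path: str, password: Optional[str], from_lan: bool) -> bool:
        if password is not None and password == self.state.admin_password:
            return True
        if path == self.FIRST_RUN_PAGE and from_lan and not self.state.first_run_used:
            self.state.first_run_used = True  # consume before granting: one shot only
            return True
        return False


def demo() -> dict:
    """Exercise both models; returns the observed outcomes for inspection."""
    pw = "correct-horse-battery-staple"  # constructed password
    weak = VulnerableAdmin(SetupState(admin_password=pw))
    strong = HardenedAdmin(SetupState(admin_password=pw))
    return {
        "weak_first_visit": weak.authorize("/first-run", None, from_lan=True),
        "weak_repeat_visit": weak.authorize("/first-run", None, from_lan=True),
        "weak_from_wan": weak.authorize("/first-run", None, from_lan=False),
        "strong_from_wan": strong.authorize("/first-run", None, from_lan=False),
        "strong_first_visit": strong.authorize("/first-run", None, from_lan=True),
        "strong_repeat_visit": strong.authorize("/first-run", None, from_lan=True),
        "strong_with_password": strong.authorize("/status", pw, from_lan=False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {'granted' if outcome else 'denied'}")
```

The point the tests pin down: in the vulnerable model the second visit (and a visit from the WAN side) is granted exactly like the first, while in the hardened model only the first LAN-side visit succeeds and everything afterwards needs the real password.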

85% of Android devices are insecure
News. The researchers' site, with a security rating of vendors.



You don't say! Never happened before, and here it is again! Meanwhile, we are talking about another scientific study, though of course not as heavy as the SHA-1 story. Researchers from the University of Cambridge did an interesting thing. They collected data on 32 serious vulnerabilities in Android, chose the 13 most serious of them, and checked a great many phones from different manufacturers for their presence. They checked it like this: they built the Device Analyzer application, which openly collected various anonymous telemetry from the experiment's participants, including parameters such as the OS version and build number. In total, they managed to collect information from more than 20 thousand smartphones.

Then, by comparing the Android version number with the vulnerability information, they were able to roughly estimate the scale of the trouble. The result was this picture:



Averaging the indicators over the entire study period gave that same figure of 85%: on average, at any given moment, this proportion of Android devices is exposed to one of the known and potentially dangerous vulnerabilities. Or more than one. As usual, the emphasis should be on "potentially": the example of Stagefright shows that even the most dangerous vulnerability faces severe practical limitations on exploitation.
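The "compare version numbers with the vulnerability table, then average over the study period" step is simple enough to show end to end. This is an added example of mine, not the Cambridge team's code or their data: the vulnerability names and their "fixed in" versions are constructed, as is the handful of telemetry rows, and the only method it reproduces is the one described above (a device counts as exposed if its reported OS version predates the fix for at least one listed vulnerability; the daily proportions are then averaged).

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed vulnerability table (hypothetical names, not the real list):
# vulnerability -> first Android version that contains the fix.
VULN_FIXED_IN: Dict[str, str] = {
    "vuln-A": "4.1.2",
    "vuln-B": "4.4.4",
    "vuln-C": "5.0.0",
}

# Constructed telemetry, as Device Analyzer-style reports: (day, device_id, os_version).
TELEMETRY: List[Tuple[str, str, str]] = [
    ("2015-01-01", "d1", "4.0.4"),
    ("2015-01-01", "d2", "4.4.4"),
    ("2015-01-01", "d3", "5.1.0"),
    ("2015-01-01", "d4", "4.4.2"),
    ("2015-01-02", "d1", "4.0.4"),
    ("2015-01-02", "d2", "4.4.4"),
    ("2015-01-02", "d3", "5.1.0"),
    ("2015-01-02", "d5", "5.0.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.4.2' -> (4, 4, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def exposed_to(os_version: str, table: Dict[str, str] = VULN_FIXED_IN) -> List[str]:
    """Vulnerabilities whose fix landed in a later version than the one reported."""
    v = parse_version(os_version)
    return [name for name, fixed in table.items() if v < parse_version(fixed)]


def daily_exposure(telemetry: List[Tuple[str, str, str]],
                   table: Dict[str, str] = VULN_FIXED_IN) -> Dict[str, float]:
    """Per day, the fraction of reporting devices exposed to at least one vulnerability."""
    per_day: Dict[str, Dict[str, str]] = defaultdict(dict)
    for day, device, version in telemetry:
        per_day[day][device] = version  # a device's last report of the day wins
    return {
        day: sum(1 for v in devices.values() if exposed_to(v, table)) / len(devices)
        for day, devices in sorted(per_day.items())
    }


def average_exposure(daily: Dict[str, float]) -> float:
    """Mean of the daily proportions over the study period, as in the headline figure."""
    return sum(daily.values()) / len(daily)


if __name__ == "__main__":
    daily = daily_exposure(TELEMETRY)
    for day, share in daily.items():
        print(f"{day}: {share:.0%} of devices exposed")
    print(f"average over study period: {average_exposure(daily):.1%}")
```

This is exactly where the "potentially" caveat lives: the version check says nothing about whether a vendor backported a fix without bumping the version, nor whether a listed bug is practically exploitable on a given model, which is why the method can only give a rough estimate.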

But the researchers did not stop there and built a "danger" rating of devices by manufacturer, calling it the FUM Score. It also takes into account the vendor's reaction time to information about a new vulnerability, that is, how quickly the patch appears on a given manufacturer's devices. The winner was, predictably, the Nexus series of smartphones: it fixes bugs as quickly as possible. LG is second, Motorola third. But there are actually no "winners" here, only losers. The calculation takes into account the proportion of updated devices, that is, not only must the vendor release the patch, but the owner must not be too lazy to install it. The older the device, the worse: in a separate rating by smartphone model, even not-so-old devices from two or three years ago show very poor numbers. Why? They don't get updated. But they are still in use.

In general, there are quite a few arbitrary assumptions in the research methodology, and it proves what everyone already knows. According to the researchers, one of the goals of their work is to further motivate manufacturers to fix the process of patching holes in their devices. But here is what is really important: in the picture above we see an example of an ecosystem that, in principle, cannot be one hundred percent safe. Although Android with its fragmentation is the most telling example, there are many such ecosystems. You can say that iOS is safer, but as the first story of this digest about, um, a digest shows, there are no absolutely reliable systems, only limits on the budget. And this is a very important point when choosing a protection strategy.

What else happened:
Apple removed from the App Store applications that installed root certificates, which allowed them to intercept, track or modify data transmitted over a secure connection. For example, to block ads, or for something worse. As I understand it, new applications with this functionality can no longer be submitted. Why was it possible before?

The European Aviation Safety Agency reported on a vulnerability in the ACARS system, used for data transmission between an aircraft and a ground station. In general, it was clear from the start that it is easy to send a forged message into the system, since there is no verification of the packets at all. You can't steer an airplane this way, but you can send a message that will mislead the pilots. Researchers talked about the vulnerability of ACARS (PDF document) back in 2013, but those were information security specialists; here it is the supervisory authority directly responsible for safety. And this is good news.

Antiquities:
"Indicator-734"

A dangerous resident virus. Infects .COM files when they are loaded into memory. It encrypts the old beginning of the file, using 10h bytes of the BIOS as the key, i.e. the files will be correctly decrypted and run normally only on a computer with the same BIOS version as the one on which they were infected. If, however, the old beginning of the file could not be decrypted, the virus blocks execution of the file (performs int 20h) after running its counters. Depending on their state (roughly once an hour), the virus draws a red cross on the screen with the inscription "VINDICATOR" in the center. Hooks int 1Ch, 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 70.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It's the luck of the draw.

Source: https://habr.com/ru/post/268907/
