
Opening the door to the world of cryptography, be careful: it may turn out that things do not work as intended. Of course this is a coincidence, but no sooner had I recovered from last week's news about collisions in SHA-1 than the topic of breaking encrypted traffic came up again, this time with an attack on the Diffie-Hellman protocol. Well, the name alone makes it clear what this is about, doesn't it? The cryptography expert Bruce Schneier published an angry post about "amateur cryptography" in May of this year. In any other field, statements like "leave it to the professionals, you don't understand anything anyway" usually provoke a wave of criticism, but with regard to encryption one can probably agree with this. Moreover, the story around the Diffie-Hellman protocol, involving mathematicians, programmers and even Edward Snowden, is good evidence of this. It is a story about how a good algorithm was implemented poorly in practice.
And it also turned out that hard drives with built-in encryption protect your data less well than we would like. In general, this issue of the weekly security news digest is about cryptography. And about patches. About very, very many patches. Bonus: a selection of the most hackneyed stock photographs on the topic of security.
All episodes of the series can be found here.
Prime numbers are the weak point of the Diffie-Hellman protocol.
News. Research work.
This time I will not even try to explain something in simple words. Useless.
Diffie-Hellman is a secure key exchange protocol for setting up an encrypted connection, originally published in 1976. Whitfield Diffie and Martin Hellman (as well as some other comrades) were among the first to propose a solution to an important problem — how to exchange encryption keys so that the eavesdropping side could not intercept them.
There are two participants who want to exchange data in encrypted form. Each participant has their own private key, but if they simply exchanged these keys, the eavesdropping party could intercept them, and that would be the end of the story. To avoid this, one side sends the other a large prime number (that is, one divisible only by one and by itself) together with the result of a calculation involving this prime and its own secret value. Having exchanged such large numbers, the two sides can, independently of each other, compute the same third number, which becomes the key for the cipher. This key is never transmitted over the network, and it is impossible to compute it in any reasonable time knowing only what was sent over the open channel.
Predictable username and unreliable password floating in an ocean of numbers and letters.
So, for this algorithm to work and remain unbreakable, the prime number that is transmitted openly must be Large and Random. If it is Random but small (for example, a 512-bit key length is used), the probability of a break increases. This was shown in two attack methods published by researchers earlier this year: FREAK and Logjam. It must be understood that knowing the key (that prime number) is not enough to immediately take everything and decrypt it. But the computing power required is modest: for the Logjam attack, for example, using Amazon EC2 it took the researchers only 7.5 hours to perform the necessary calculations, which greatly simplify the further decryption of intercepted encrypted traffic.
But those were 512-bit keys, which had long been recognized as unreliable; they exist thanks to the US export restrictions on strong cryptography introduced back in the 1980s. 1024-bit keys were considered reliable, but, as a new study by a group of 14 cryptographers showed, there are options here too. 7.5 hours on Amazon will not do here: it takes a huge and very expensive computing system and about a year of time. If the primes used in practice were really random, even this would not help. Unfortunately, in real implementations of the Diffie-Hellman protocol they are not random enough. That is, some very rich organization named A (or H, or B) can exploit this non-randomness, build a supercomputer for several hundred million dollars, run it for a year and obtain, no, not the ciphers themselves, but precomputed data that then allows specific traffic to be cracked relatively quickly.
As a result, such a powerful organization could break up to 66% of IPsec VPN connections, 26% of SSH connections and 18% of HTTPS connections. Judging by the documents leaked by Edward Snowden, the NSA budget for exploiting vulnerabilities in network communications is really huge: $1 billion annually. This means that the probability that such a supercomputer was actually built there and allowed the analysis of a large volume of intercepted encrypted traffic is non-zero.
A keyboard with a special "make me safe" button can be found, it seems, on every IT security site. Well, that is, on all of them.
And what should one do? Nothing yet. It is advisable to make sure that your browser does not use the very weak variant of the DH protocol with 512-bit keys (you can check it here). But there is no ready-made solution for the possible cracking of communications that use a 1024-bit key. Diffie-Hellman is used in a huge number of protocols, so it cannot simply be taken and fixed right now. According to Alex Halderman, one of the authors of the study, this will take years. That is the bad news. The relatively good news is that this is still a Very Expensive Hacking Method, and it will remain so for a very long time.
Embedded hard drive encryption: multiple vulnerabilities
News. Research.
OK, the attack on the Diffie-Hellman protocol cannot be called trivial, but this news shows how cryptography can be significantly weakened by far simpler errors. The authors of the new study simply bought a lot of external hard drives with a data encryption function. A detailed study of the encryption methods showed that, to put it mildly, there are many ways to crack the protection. Let's start with the simplest: by default, some WD models don't even ask for a password to access the data. That is, the information is, on the one hand, encrypted, and on the other, available to anyone.
A man presses a finger on an imaginary lock. Number two on the list of the most hackneyed pictures, after the keyboard with the button.
Let's go further. If the owner has set a password, it is stored in encrypted form either in the controller's memory or in hidden sectors of the disk. It is easy enough to extract it from there, and it is theoretically possible to recover it by simple brute force. But that's not all. One of the controllers the researchers managed to switch into firmware update mode and thus obtain the encrypted password, although this method allows many other bad things as well, for example writing malicious code into the firmware. Next, another type of controller uses keys generated by a vulnerable random number generator. As its input, this generator uses the computer's system time, which reduces the encryption strength from a theoretical 256 bits to a real 32 bits. Finally, in one case the encryption key was stored in clear text, which made it possible to bypass the password set by the user.
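The "256 bits on the box, 32 bits in reality" point deserves a worked illustration. The following is an added example, not the firmware's actual algorithm or any code from the study: a toy reconstruction of a key generator whose only entropy is a 32-bit timestamp, next to the hardened form that draws the key from the operating system's CSPRNG, plus the audit check that shows why the weak one is worth 32 bits: if the seeding time is known to lie in some window, enumerating that window recovers the seed. The hashing step and the window sizes are assumptions of this example.

```python
import hashlib
import secrets
import time

KEY_BYTES = 32  # a 256-bit key, as advertised on an "AES256" box


def weak_key_from_time(seconds_since_epoch):
    """Toy model of the weak scheme: the key is a deterministic function of a 32-bit timestamp.
    (Illustrative reconstruction for this example, not the real controller's algorithm.)"""
    seed = int(seconds_since_epoch) & 0xFFFFFFFF
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def strong_key():
    """Hardened form: take all 256 bits from the OS cryptographic random number generator."""
    return secrets.token_bytes(KEY_BYTES)


def effective_entropy_bits(scheme):
    """Nominal key length is 256 bits in both schemes; the effective entropy is not."""
    return {"time-seeded": 32, "os-csprng": KEY_BYTES * 8}[scheme]


def candidate_key_count(window_seconds):
    """How many distinct keys the weak scheme can produce if seeding happened within a known window."""
    return min(window_seconds, 2 ** 32)


def audit_time_seeded_key(key, window_start, window_seconds):
    """Audit check for the weak scheme: enumerate every timestamp in the window and report the
    seed that reproduces `key`, or None if the key did not come from this window."""
    for t in range(window_start, window_start + window_seconds):
        if weak_key_from_time(t) == key:
            return t
    return None


if __name__ == "__main__":
    now = int(time.time())
    weak = weak_key_from_time(now)
    print("weak scheme, one-hour window:", candidate_key_count(3600), "candidate keys")
    print("seed recovered from a 10-minute window:", audit_time_seeded_key(weak, now - 300, 600) == now)
    print("strong key entropy:", effective_entropy_bits("os-csprng"), "bits")
```

The audit function is the defender's argument in code: a key space that can be walked in a loop is not a 256-bit key space, regardless of the cipher the key is later fed into.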
In general, here is what happens. You buy a hard drive, see inscriptions on the box like AES256, and are sure that your data is protected. In reality there may be nuances, and you won't even know which ones, because even within one series of hard drives the controllers (and the hardware in general) may differ. The degree of trust in such "ready-made" encryption solutions depends on your level of paranoia. The study did not contain a single example of a fast and simple break; all of them required either a soldering iron or brute force. It is unlikely that whoever finds the hard drive you accidentally left in a taxi will bother with this. Law enforcement agencies probably could, if they suddenly take an interest in you. At the same time, there are many ways to complicate their lives, and if you are considering such scenarios, you should be aware of these methods.
Let's finish the topic of cryptography with what we started with. Data encryption methods contain a huge number of subtleties, because of which "amateur" implementations may indeed be less resistant than necessary. Many things in cryptography must be proven "on paper", because a practical experiment cannot always be carried out, and when it becomes possible, it is usually too late to change anything. Consumers of cryptography are now essentially all people who use the Internet, and this complex topic concerns everyone. But the conclusion, for users and companies wishing to evaluate the reliability of the methods they use, is quite simple: "everything I have is encrypted" is not a reason to relax and stop using other data protection methods.
Another patch set for Adobe Flash (3 vulnerabilities, 1 critical) and Oracle Java (154 vulnerabilities (!), 84 serious)
News about Adobe. News about Oracle. Post on an Oracle blog.
What happened to Oracle? A big update has been released covering 154 vulnerabilities in 54 different products. Of these, 84 vulnerabilities can be exploited remotely. There are 24 vulnerabilities in various versions of Java SE, 7 of them dangerous. According to Eric Maurice, responsible for Security Assurance at Oracle, they have not observed in-the-wild exploitation of these vulnerabilities. This number of found and closed bugs is partly due to the quarterly update release model. That is, the next update is expected only in January 2016.
Credit card with a lock, very cute. Security is not affected in any way.
What happened with Adobe? Three vulnerabilities in Flash Player have been closed, one of them critical (CVE-2015-7645), allowing code execution on a computer with Flash installed. The Adobe patch came out earlier than planned (it was scheduled for next week), and the rush is due to the fact that the vulnerability is already being exploited.
Perhaps it would be interesting to talk about the different approaches of the two companies to releasing updates: Adobe sticks to a weekly schedule (like Microsoft), Oracle to a quarterly one. But it is more interesting to look at this screenshot from the Adobe site:
Both Oracle Java and Adobe Flash have many, many vulnerabilities. This week's news again raised an old topic: let's all stop using both. On September 1, Google Chrome already made Flash objects launch only on demand, and even earlier Java was effectively blocked there by default. Yes, in general both can be considered a heavy inheritance from the Internet of the early 2000s, but the "let's just ban it already" approach, of course, will not work. The "run Java in an isolated browser, or better yet in a virtual machine" approach works, if at all, for a very limited circle of people. So, before Java and Flash are finally banned, it may be possible to make them more secure, and this week's news, on the whole, gives hope for the best. But in general, is there any point in trying to get the message about vulnerable Flash to the widest range of users? After all, these are, in fact, technical details, and it is better to talk about more understandable things, for example about protecting bank card payments on the Internet.
What else happened:
For iOS 9 they made a jailbreak, but it has already been closed by the update to 9.1. And all because the jailbreak was public, and so far no one has received the million dollars for a private exploit.
Next year Gmail will switch to strict identification of mail messages using the DMARC protocol. Other popular services are planning to do the same. DMARC began to be developed three years ago. It works in conjunction with existing message authentication systems such as DKIM and is mainly aimed at fighting phishing.
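To show what "strict identification" means in practice, here is an added example (not code from Google or from any DMARC implementation) that parses a domain's DMARC TXT record and applies the DMARC decision rule: a message passes if either its SPF-authenticated domain or the domain of a valid DKIM signature aligns with the domain in the From header, and otherwise the record's policy (none, quarantine or reject) applies. The sample record and the example.com domains are constructed for this illustration, and the organizational-domain helper is a simplification: real implementations consult the Public Suffix List instead of taking the last two labels.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample record for the fictitious domain example.com (not any real domain's record).
SAMPLE_DMARC_TXT = "v=DMARC1; p=reject; adkim=s; aspf=r; pct=100; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dictionary, filling in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError(f"missing or invalid policy: {tags.get('p')!r}")
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment mode
    tags.setdefault("pct", "100")   # share of failing messages the policy applies to
    return tags


def organizational_domain(domain):
    """Simplified organizational domain (last two labels); real code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Alignment test: strict requires an exact match, relaxed only the same organizational domain."""
    if auth_domain is None:                      # that mechanism did not authenticate at all
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (result, action). spf_pass_domain is the MAIL FROM domain if SPF passed, else None;
    dkim_pass_domain is the d= domain of a valid DKIM signature, else None."""
    spf_aligned = aligned(from_domain, spf_pass_domain, record["aspf"])
    dkim_aligned = aligned(from_domain, dkim_pass_domain, record["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", record["p"]


if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_DMARC_TXT)
    # A legitimate message signed by the domain itself, and a spoofed From with no authentication.
    print(evaluate_dmarc(rec, "example.com", dkim_pass_domain="example.com"))
    print(evaluate_dmarc(rec, "example.com"))
```

The phishing case is the last call: a forged From header with neither an aligned SPF result nor an aligned DKIM signature fails, and with p=reject the receiving server is told to refuse the message rather than deliver it.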
Antiquities: "Hard-662"
A very dangerous resident virus; it infects .COM files as they are run, in the standard way. On Mondays at 6 p.m. it displays the text "It's hard days days!" and erases the first 50 sectors on all available disks. Intercepts int 21h.
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 69.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.