
How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Domain validation systems fooled by boffins


Updated Researchers in Germany have discovered how to obtain HTTPS security certificates for web domains they don't own – even if the certs are protected by PKI-based domain validation.

Essentially, some certificate authorities can be tricked into incorrectly issuing the cryptographic certs, meaning a miscreant can get an SSL/TLS certificate for someone else's domain and use it to create a malicious copy of that website. People fooled into connecting to the faked site will be told by their browsers that the connection is secure, when really they're visiting a spoofed version.

Dr Haya Shulman of the Fraunhofer Institute for Secure Information Technology (SIT), and one of the boffins behind the research, told The Register a "weak off-path attacker" can – using nothing more than a laptop – effectively steal credentials, eavesdrop, or distribute malware using the method. The group at this stage withheld the names of the certificate authorities (CAs) that can be tricked into incorrectly issuing cryptographic certs.

In a paper seen by The Register, to be presented at the ACM's Conference on Computer and Communications Security conference in Toronto, Canada, in October, Dr Shulman's team wrote:

The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker's public key to a victim domain.

The group has asked The Register not to republish the paper because it names affected certificate authorities. We have, however, seen a demo of a live attack by Fraunhofer SIT's team. The technique ensures the DNS domain validation checks run by the CA are performed, in part, using the attacker's DNS server rather than a server belonging to the domain's owner. The attacker can therefore leverage this to obtain a cert for that domain.

"The attack is initiated with a DNS request," the paper explained. "To succeed in the attack, the attacker has to craft a correct DNS response before the authentic response from the real nameserver arrives."

The attack depends on getting said DNS responses broken into fragments, and then injecting malicious fragments to fool the CA into handing over the cert to the attacker. The first fragments of the response contain valid DNS challenge-response fields. The inserted fragments can be whatever the miscreant needs to complete the transaction so that he or she gets the cert.

Network admins will have worked out by now that the attacker needs to do some offline research to get this to work – they have to examine responses from the victim's nameserver to calculate "the offset where the fragmentation should occur."

The research team proposed a domain validation protocol they dubbed "DV++" to block the attack. In summary, DV++ uses a distributed model which sends requests to multiple certification agents.

"To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain."
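The contrast between a single-resolver DV check (which the fragment-injection attack above subverts) and the majority-of-agents rule DV++ proposes, as an added model that is not the paper's or any CA's code. Agent names, challenge tokens and the per-agent DNS views are constructed for this illustration; the quorum rule assumed is a strict majority of all agents, including ones that time out.

```python
"""Constructed model of DV++-style multi-agent domain validation.

Each validation agent performs its own DNS lookup of the challenge record
from its own vantage point, so poisoning the cache of one agent's resolver
is not enough: the requester passes only if a strict majority of ALL agents
observe the token the CA asked them to publish.
"""
from typing import Dict, Optional, Tuple

# Hypothetical tokens: what the CA asked each requester to publish in DNS.
OWNER_TOKEN = "ca-challenge-owner-7f3a"       # legitimate domain owner
ATTACKER_TOKEN = "ca-challenge-attacker-91c0"  # off-path attacker's request

# Per-agent view of the victim domain's challenge TXT record (constructed).
# "eu-2" sits behind a resolver whose cache the attacker poisoned via the
# fragmented-response trick; "us-1" got no answer before the timeout.
AGENT_VIEWS: Dict[str, Optional[str]] = {
    "eu-1": OWNER_TOKEN,
    "eu-2": ATTACKER_TOKEN,   # poisoned resolver view
    "us-1": None,             # timeout / no answer
    "ap-1": OWNER_TOKEN,
    "ap-2": OWNER_TOKEN,
}


def single_agent_validate(expected: str, views: Dict[str, Optional[str]],
                          agent: str) -> bool:
    """Classic DV: whatever the CA's one resolver returns decides the issuance."""
    return views.get(agent) == expected


def dvpp_validate(expected: str,
                  views: Dict[str, Optional[str]]) -> Tuple[bool, int, int]:
    """DV++-style check: (passed, agreeing_agents, total_agents).

    Non-responding or poisoned agents count against the requester rather
    than being dropped from the denominator, so a lone poisoned vantage
    point cannot carry the vote.
    """
    total = len(views)
    agreeing = sum(1 for v in views.values() if v == expected)
    return agreeing * 2 > total, agreeing, total


if __name__ == "__main__":
    # Attacker's request: passes classic DV through the poisoned agent only.
    print("classic DV via eu-2:", single_agent_validate(ATTACKER_TOKEN, AGENT_VIEWS, "eu-2"))
    print("DV++ for attacker  :", dvpp_validate(ATTACKER_TOKEN, AGENT_VIEWS))
    print("DV++ for owner     :", dvpp_validate(OWNER_TOKEN, AGENT_VIEWS))
```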

Dr Shulman's collaborators in the project are Markus Brandt, Tianxiang Dai, Amit Klein and Michael Waidner. ®

Editor's note: This article was revised after publication to clarify that it is the websites being spoofed, not the certificates. The certs are handed over to the wrong person, in effect, and used to spoof legit sites.
