Practical Ramifications of MD5 Collisions on PKI
Posted 2008-12-30 09:53 by Christopher
Researchers at the Chaos Computer Club in Moscow just published results of their research into MD5 collisions for X.509 Certificate Authorities. By exploiting weaknesses in RapidSSL's certificate request implementation, they were able to create a valid Intermediate CA certificate trusted by 99+% of browsers. Combined with a man-in-the-middle (MitM) attack such as the Kaminsky DNS finding, this would truly break some of the fundamental trust models on the Internet.

Research paper here: http://www.win.tue.nl/hashclash/rogue-ca/
Demo site here: https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/
There are a couple of interesting related findings from this presentation:
Bypassing Internet Gateway Security
Posted 2008-12-22 21:18 by Christopher
Just saw this today on LifeHacker:
Bypass Network Blocks with Remote Desktop
"In a world of virtual communication, having personal email, Twitter, and access to blogs, etc is critical and necessary for many of us. Therefore, it becomes a nuisance when our employers block us from the sites that we love and hold so close to our virtual-loving-hearts." [. . .] "I recommend this for anyone who has that tight network administrator who has blocked all your favorite sites."

This isn't the first time I've seen a "bypass the firewall" article, nor is it even the most technically adept one (most networks would block tcp/3389 both inbound and outbound). However, I think the language of the article speaks directly to the attitudes of the "digital natives" generation. People used to near-ubiquitous connectivity are willing to bypass restrictions (and rules!) to get their Internet fix. The following are some ideas for addressing this trend.
Finding More Servers
Posted 2008-12-13 22:00 by Christopher
I wrote previously about the need to find ways to increase security without (much) spending. I'd like to use this first post in the series to highlight two areas in which you may be able to find additional server resources, which may be necessary for some of the future ideas in the series.
Improving Security Without Spending Money
Posted 2008-11-29 09:00 by Christopher
At the recent 2008 Gartner Symposium, one of the major themes was that many CEOs are cutting back on capital budget in response to the current economic downturn, and projections show that this will continue well into 2009. Because of this, Information Security practitioners need to find new ways to deal with security threats, while reducing spending.
Information Security as an industry has been particularly bad about letting vendors run the show. For many companies the response to most security challenges has been to spend money to acquire a new product that addresses the problem. I suggest reading "The New School of Information Security" by Adam Shostack and Andrew Stewart for insight on the reasons for this. However it came about, in this new economic environment we need to find new solutions to problems that don't always involve purchasing.
I will be writing a series of blog posts on the subject of finding and utilizing capabilities that your company may already have available, but are not using or are under-utilizing. In general, I think these fall into these three categories:
(ISC)2 Announces CSSLP Developer Certification
Posted 2008-09-26 16:09 by Christopher
(ISC)2 has announced a certification for application development security called Certified Secure Software Lifecycle Professional (CSSLP). According to their site, CSSLP seminars will be offered beginning "early 2009" and exams will start June 2009. There will also be an "experience assessment window" starting September 30th in which candidates may submit "Accomplishment Records" for review; accepted qualified applicants skip the exam for a $650 USD fee. Similar to the CISSP, the CSSLP requires four years of experience in four or more of the topic areas listed below, endorsement from a current (ISC)2 certified individual, and a commitment to the (ISC)2 Code of Ethics.
Chance to Meet: Gartner ITxpo in Orlando, FL
Posted 2008-09-25 12:46 by Christopher
I am planning on being at the Gartner ITxpo Symposium in Orlando, FL from October 12th-16th for the Security and Risk Management track.
If you are going to be at ITxpo or live in the Orlando area, please drop me a note at http://riosec.com/contact so hopefully we can meet up at the event or in the evening.
- Christopher
Google Chrome Security First Look
Posted 2008-09-01 12:37 by Christopher
Google has announced a new browser, called "Google Chrome", that aims to improve the way applications are delivered on the web. In typical Google fashion, they've created a comic book that depicts the features of the new browser. The browser should be officially released tomorrow at www.google.com/chrome (edit: site is now up!). Below are more details I've gathered about the security features of this upcoming browser.
As they say in the comic book "when we started this project, it was a very different landscape from when other browsers started." This difference in focus is apparent due to the plethora of announced design decisions which, if done as stated, should create a much more secure browser. Read on for some of the details.
More on GIFARs and Other Java Smuggling
Posted 2008-08-17 16:13 by Christopher
Note: Previously I created a quick post on creating GIFAR files. This post is to expand on the topic with additional information and a new (and much improved) video.
How to Create a GIFAR
Posted 2008-08-12 17:05 by Christopher
At BlackHat, security researchers Billy Rios and Nathan McFeters presented "The Internet is Broken", which contained information on GIFARs, a term for GIF image files combined with Java ARchives (JAR). These files could be uploaded to sites that allow image uploading (such as many sites' member photos) to run code in the context of that site, getting around the "same origin policy" that browsers impose. This works because GIF images (along with many other file types) store their header at the beginning of the file, while ZIP archives (which is what JAR files are) store their index at the tail, so one file can satisfy both parsers.
The following video demonstrates this technique.
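A defender-side check for the polyglot described above, added here as an example (it is not code from this post or from the BlackHat talk): an upload that parses as a GIF from the head and as a ZIP/JAR from the tail is flagged so the image gallery can reject it. The sample GIFAR it builds is constructed inline for the test and contains placeholder bytes, not real class bytecode.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record signature


def is_gif(data: bytes) -> bool:
    """GIF parsers only inspect the head of the file."""
    return data[:6] in GIF_MAGICS


def embedded_zip_entries(data: bytes):
    """Return archive member names if the tail of `data` is a ZIP/JAR, else None.
    ZIP readers locate the end-of-central-directory record by scanning from the
    end of the file, so a JAR survives any amount of prepended image data."""
    if data.rfind(EOCD_SIG) == -1:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_upload(data: bytes) -> str:
    """Label an uploaded blob; 'gif+zip polyglot' is what an image gallery should reject."""
    names = embedded_zip_entries(data)
    if is_gif(data) and names is not None:
        return "gif+zip polyglot (possible GIFAR): " + ", ".join(names)
    if is_gif(data):
        return "gif"
    if names is not None:
        return "zip"
    return "unknown"


def build_sample_gifar() -> bytes:
    """Constructed test input: a valid 1x1 GIF followed by a tiny JAR-like archive."""
    gif = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"  # header, GCT flag
           + b"\x00\x00\x00\xff\xff\xff"                            # 2-colour table
           + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"   # image descriptor
           + b"\x02\x02\x44\x01\x00\x3b")                           # LZW data, trailer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Applet.class", b"\xca\xfe\xba\xbe")  # placeholder, not bytecode
    return gif + buf.getvalue()
```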
Metasploit Bailiwick DNS Exploit Adds Domains
Posted 2008-07-24 00:13 by Christopher
Overnight, the Metasploit DNS exploit module has continued to evolve, to ever more devastating effect. Perhaps most importantly, a new module was introduced based on feedback from Cedric Blancher, named Auxiliary::Spoof::Dns::BailiWickedDomain, which replaces the nameservers for a domain, allowing an attacker to redirect all traffic for the entire domain through them. Showcasing the ease of use of the Metasploit Framework, this entire exploit is written in 330 lines, including comments!
