
From concept to exploit in 5, 4, 3, 2....


I was just kicking around the ridiculous speed at which the new SSL vulnerability went from academic curiosity to exploit demonstration. For those of you who are catching up, this is not the Moxie stuff. The new attack allows you to insert arbitrary text into the beginning of an SSL or TLS session. At first, many researchers thought this was interesting but did not see it as a very effective attack in the real world. Then Anil Kurmus came along and demonstrated how this attack can be used to steal credentials from Twitter. The attack was successful because of the very nature of the Twitter API. I would love to spend some time poking around to see how many other attack vectors there are for this.
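To make the mechanism concrete, here is a small Python model (added here, not code from the original post) of why injected text at the start of the session matters at the application layer: a server that treats the connection as one byte stream lets an unauthenticated prefix swallow the victim's real request, while a server that resets its buffer at the renegotiation boundary keeps the two contexts apart. Host name, paths and credentials are constructed placeholders.

```python
import base64
from dataclasses import dataclass

@dataclass
class Segment:
    data: bytes                        # application data handed up by TLS
    renegotiated_before: bool = False  # a handshake ran just before this chunk

@dataclass
class Request:
    method: str
    target: str
    headers: dict
    body: bytes

def parse_request(raw: bytes) -> Request:
    # Minimal HTTP/1.1 request parser, enough to show where bytes end up.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode().strip().lower()] = value.decode().strip()
    length = int(headers.get("content-length", "0"))
    return Request(method.decode(), target.decode(), headers, body[:length])

def naive_assemble(segments) -> Request:
    """Vulnerable: the connection is one byte stream, so an unauthenticated
    peer's pre-renegotiation bytes prefix the victim's request."""
    return parse_request(b"".join(s.data for s in segments))

def boundary_aware_assemble(segments) -> Request:
    """Mitigation: drop any partial request buffered before a renegotiation
    so the two security contexts never merge (RFC 5746 fixes the protocol)."""
    buf = b""
    for s in segments:
        if s.renegotiated_before:
            buf = b""
        buf += s.data
    return parse_request(buf)

# Constructed sample traffic (placeholder host, paths and credentials).
PREFIX = (b"POST /api/post HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 200\r\n\r\nmessage=")  # body deliberately left open
AUTH = b"Basic " + base64.b64encode(b"PLACEHOLDER:SECRET")
VICTIM = (b"GET /api/account HTTP/1.1\r\nHost: example.test\r\n"
          b"Authorization: " + AUTH + b"\r\n\r\n")
SEGMENTS = [Segment(PREFIX), Segment(VICTIM, renegotiated_before=True)]
```

With the naive assembler the victim's Authorization header ends up inside the body of the attacker's POST; with the boundary-aware one the server only ever sees the victim's own GET.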

There are a few things we need to take from this. First, obscure/novel attacks don't stay that way for long. We need to pay very close attention to any new attack that targets the core protocols we use every day. Second, don't take any level of security provided by various "secure" protocols for granted. It is simply a matter of time before someone cracks them wide open. Finally, I read that initially some vendors were getting together in secret to look into how to fix this vulnerability. This sucks. I understand the need for vendors to get a head start, but the infosec community lives and breathes on information. There have been some serious attacks on the underlying infrastructure of how we do business every day: from Dan's DNS attacks, to BGP prefix attacks, to the work that Moxie has done. This is just another attack on what we consider to be secure.

The point is to never make assumptions about how secure a particular component of your infrastructure is. It is just a matter of time before someone drives a Kenworth through it. If one attack to something like SSL compromises your entire security architecture, then your security architecture sucks.


[Image jonh_praise_hacking.jpg: What said truck might look like...]

-strandjs

John Strand will be teaching SANS Network Penetration Testing in London from 11/30 to 12/6 2009, and SANS Hacker Techniques and Incident Response in New Orleans from 01/10/10 till 01/18/10.