<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>tomwells.org</title>
	<atom:link href="http://www.tomwells.org/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.tomwells.org</link>
	<description>foremost expert on many stuff</description>
	<pubDate>Thu, 18 Feb 2010 10:23:35 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
	<language>en</language>
			<item>
		<title>VISA / EMV tech under fire</title>
		<link>http://www.tomwells.org/?p=77</link>
		<comments>http://www.tomwells.org/?p=77#comments</comments>
		<pubDate>Thu, 18 Feb 2010 10:23:35 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[security]]></category>

		<category><![CDATA[chip and pin]]></category>

		<category><![CDATA[emv]]></category>

		<category><![CDATA[hack]]></category>

		<category><![CDATA[visa]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=77</guid>
		<description><![CDATA[It&#8217;s been a bad week for the EMV boys club with a massive attack demonstrated against chip &#8216;n pin PIN validation, plus a scathing whitepaper pointing out how badly architected VISA&#8217;s new generation 3D Secure authentication mechanism is.
For the chip &#8216;n pin attack see here, and for the security analysis on 3D Secure see here.
The [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s been a bad week for the EMV boys club with a massive attack demonstrated against chip &#8216;n pin PIN validation, plus a scathing whitepaper pointing out how badly architected VISA&#8217;s new generation 3D Secure authentication mechanism is.</p>
<p>For the chip &#8216;n pin attack see <a href="http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf" target="_blank">here</a>, and for the security analysis on 3D Secure see <a href="http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf" target="_blank">here</a>.</p>
<p>The chip &#8216;n pin attack is really simple, and is born out of a huge mistake in the protocol design for the EMV pin validation routine. Basically, the terminal is happy to simply trust the card when it returns a &#8220;pin valid&#8221; or &#8220;pin invalid&#8221; response, rather than requiring something more substantial such as &#8220;please sign this challenge with your pin validation key&#8221;, so that the terminal (and subsequently the issuing bank) can be 100% assured that the pin was validated by the correct card. The attack simply performs a man-in-the-middle and returns a &#8220;pin valid&#8221; on behalf of the card, i.e. the card is never asked to validate the pin, but gladly authorizes any subsequent transaction. The terminal simply believes the pin is validated, asks the card to authorize the transaction, and then informs the bank that both went ok (pin + transaction). EMVCo&#8217;s official response concludes with:</p>
<blockquote><p>&#8220;while such an attack might be theoretically possible, it would be extremely difficult and expensive to carry out successfully&#8221;.</p></blockquote>
<p>However, <a title="http://www.storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/" href="http://www.storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/" target="_blank">this article</a> on StorefrontBacktalk mentions:</p>
<blockquote><p>&#8220;That argument was effectively obliterated with a wonderful piece of video journalism done by the BBC. It filmed one of the Cambridge researchers actually using this attack—successfully—at a wide range of retail locations leveraging borrowed cards of BBC staffers. Seeing the attack in action makes two things clear: It’s not theoretical, and it’s even practical. The movements of the pretend cyberthief were natural and not at all suspicious.&#8221;</p></blockquote>
<p>EMVCo is clearly delusional.</p>
<p>The 3D Secure analysis is a good read too, and is a great example of a very badly designed web authentication system. Basically 3D Secure / SecureCode breaks all the rules, leaving the user in a position where his security cannot be guaranteed. Awesome tricks such as iframing the credential-entry page so that SSL padlocks etc are ineffective, plus the fact that transaction data is passed to all parties, really give me the impression that the architecture was never properly security reviewed. This is coupled with the fact that 3D Secure (and chip &#8216;n pin, in fact) push more and more liability onto the cardholder. Of course this is a question of economics - if the mere existence of this technology means that VISA washes their hands of fraud, why would they bother making it secure? The liability and incentive to secure should be in the same place.</p>
<p>Your thoughts?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=77</wfw:commentRss>
		</item>
		<item>
		<title>Making Apache leak behind SSL</title>
		<link>http://www.tomwells.org/?p=67</link>
		<comments>http://www.tomwells.org/?p=67#comments</comments>
		<pubDate>Tue, 26 May 2009 21:01:48 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=67</guid>
		<description><![CDATA[I&#8217;ve been working on a really great product for terminating SSL and encrypting HTTP parameters in a FIPS 140-2 Level 3 hardware security module. This is really handy if you run an internet banking application or payment processing service and want to be able to collect or deliver credit-card related info (such as PINs, PANs, CVVs, [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been working on a really great product for terminating SSL and encrypting HTTP parameters in a FIPS 140-2 Level 3 hardware security module. This is really handy if you run an internet banking application or payment processing service and want to be able to collect or deliver credit-card related info (such as PINs, PANs, CVVs, etc) in a manner compliant with the hardcore PCI PIN Security Requirements (PCI-PSR). Some simple usages might be the ability to provide customer self-selected PINs, or the ability to replace those &#8220;super secure&#8221; post-office-delivered PIN printer envelopes by allowing customers to register and receive their PINs from the internet banking platform.</p>
<p>Unfortunately, any internet banking application which deals with credit-card information is PCI-PSR non-compliant by default, purely because this sensitive information &#8220;pops&#8221; out in the clear in the web server. SSL obviously does a great job of securing the transport of the traffic between browser and web server, but once that traffic is decrypted you&#8217;re screwed. And this is not purely a theoretical attack either - think of a malicious administrator sniffing the HTTP packets off to somewhere to be collected later.</p>
<p>So it&#8217;s a real problem, and I&#8217;d like to prove it by building a tool to grab packets out of apache memory space after SSL decrypt. I was kind of hoping this would be simple, and I started off by just making use of system tools commonly available on most Linux servers, such as strace, ltrace, and python. It turns out that apache is *actually* designed quite well, not allowing decrypted traffic to cross the system boundary, therefore making strace pretty useless. ltrace by default borks apache dead on startup, possibly because it doesn&#8217;t follow the fork() / clone() combination used by the worker-mpm threading model, so I gave up on this approach quite quickly. So that&#8217;s as far as my initial investigation went. I think I&#8217;ve got a much better idea of how to tackle this; the following doors are still open to me:</p>
<ul>
<li>Although I don&#8217;t get decrypted traffic out of strace, I do get all the ENcrypted traffic, including the SSL handshake / key exchange. I can sniff the key, then do the RC4 decrypt myself.</li>
<li>Write a custom apache module which hooks into the apache stack and grabs traffic. This is really easy to do, but isn&#8217;t as elegant or edgy as I&#8217;d like. Some existing apache modules already give us this, e.g. mod_forensic and mod_security.</li>
<li>Hack openssl to make it bleed, and dynamically overwrite the default reference to the openssl system library (using ldconfig, LD_LIBRARY_PATH, or hacking the new lib path into the apache binary directly). This one sounds like fun, and might be useful for making more than apache leak, but still not as great as I&#8217;d like.</li>
<li>Scrape apache memory directly from an external app - this sounds really appealing, but might have some issues. How long does the decrypted stream stay in memory, and therefore how reliably can I grab packets? If I were apache I would zero my memory after handling the request, and close this door on me instantly. Also, I&#8217;d need to spend many moons researching Linux memory management. So a potentially good last-resort approach for me.</li>
</ul>
<p>And that&#8217;s all I&#8217;ve got so far. Any other ideas?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=67</wfw:commentRss>
		</item>
		<item>
		<title>The Kaitan Behold</title>
		<link>http://www.tomwells.org/?p=66</link>
		<comments>http://www.tomwells.org/?p=66#comments</comments>
		<pubDate>Sun, 15 Mar 2009 21:16:37 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[life etc]]></category>

		<category><![CDATA[music]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=66</guid>
		<description><![CDATA[I blew the dust off my old turntables this weekend and managed to put together a half decent mix (after 3+ years of no practice, excuse a couple of nasty ones!). Delicious breaks for breakfast, d&#8217;n&#8217;b for lunch and dinner - mostly new stuff, with a few of my favourite classics thrown in.
Grab it here [...]]]></description>
			<content:encoded><![CDATA[<p>I blew the dust off my old turntables this weekend and managed to put together a half decent mix (after 3+ years of no practice, excuse a couple of nasty ones!). Delicious breaks for breakfast, d&#8217;n&#8217;b for lunch and dinner - mostly new stuff, with a few of my favourite classics thrown in.</p>
<p>Grab it <a title="The Kaitan Behold" href="http://www.tomwells.org/download/music/drshade.mix.03.09.-.the.kaitan.behold.mp3" target="_self">here</a> (107 MB, 192 kbps MP3).</p>
<p>Maybe I&#8217;ll make this a monthly thing&#8230; maybe.</p>
<p>Also figured out how to make apache serve the download link as a &#8220;download&#8221; rather than letting clever browsers try to play the media themselves. It looks like this:</p>
<blockquote><p>&lt;FilesMatch "\.(mp3)$"&gt;<br />
ForceType application/octet-stream<br />
&lt;/FilesMatch&gt;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=66</wfw:commentRss>
		</item>
		<item>
		<title>I&#8217;m a mechanic</title>
		<link>http://www.tomwells.org/?p=65</link>
		<comments>http://www.tomwells.org/?p=65#comments</comments>
		<pubDate>Mon, 01 Dec 2008 15:49:59 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[life etc]]></category>

		<category><![CDATA[typealyzer]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=65</guid>
		<description><![CDATA[Typealyzer says my blog reflects the mechanic in me:

The independent and problem-solving type. They are especially attuned to the demands of the moment and are masters of responding to challenges that arise spontaneously. They generally prefer to think things out for themselves and often avoid inter-personal conflicts.
The Mechanics enjoy working together with other independent and highly [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://typealyzer.com/">Typealyzer</a> says my blog reflects the mechanic in me:<br />
<img src='http://www.typealyzer.com/images/ISTP.gif' alt='ISTP - Typealyzer' class='alignleft' /></p>
<blockquote><p>The independent and problem-solving type. They are especially attuned to the demands of the moment and are masters of responding to challenges that arise spontaneously. They generally prefer to think things out for themselves and often avoid inter-personal conflicts.</p>
<p>The Mechanics enjoy working together with other independent and highly skilled people and often like to seek fun and action both in their work and personal life. They enjoy adventure and risk such as in driving race cars or working as policemen and firefighters.</p></blockquote>
<p>Pretty accurate :)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=65</wfw:commentRss>
		</item>
		<item>
		<title>Chrome Wars</title>
		<link>http://www.tomwells.org/?p=61</link>
		<comments>http://www.tomwells.org/?p=61#comments</comments>
		<pubDate>Fri, 19 Sep 2008 14:43:58 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[google]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[chrome]]></category>

		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=61</guid>
		<description><![CDATA[Yesterday one of my work colleagues Illan mailed out his opinions on Google&#8217;s new Chrome browser and it sparked a bit of discussion. I have snipped some of the more interesting discussion below:
Illan: [...snip...] Link to google comic strip [...snip...] I found it interesting because just by looking at Google Chrome the underlying differences are [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday one of my work colleagues Illan mailed out his opinions on Google&#8217;s new Chrome browser and it sparked a bit of discussion. I have snipped some of the more interesting discussion below:</p>
<blockquote><p><strong>Illan:</strong> [...snip...] Link to google comic strip [...snip...] I found it interesting because just by looking at Google Chrome the underlying differences are not always evident. Although its adoption will be based on UI innovations (and there are some nice ones), these are not the main advances – mostly it’s in the security and stability, as well as being designed for richer applications. Which makes me think it could perhaps become a good choice for corporate internal web applications [..snip..]</p></blockquote>
<p>It was an early morning for me and I hadn&#8217;t entirely woken up so I was probably a bit cranky still, but I responded with the following (reply all, cc&#8217;d to the company of course):</p>
<blockquote><p><strong>Tom: </strong>Propaganda!</p>
<p>Security and stability were certainly not part of their release prerequisites and clearly a backburner issue for google, a number of vulnerabilities were discovered within the first week of launch – most of them related to google’s evil concoction of old and unpatched open-source components. Can you believe they didn’t bother to upgrade their components, but released with old garbage?</p>
<p>We can’t dismiss chrome completely however, it is just a beta version and google “probably” is interested in protecting their users and will patch – just don’t expect to get a hardened browser out the box, or within the first 2 years at least. Firefox (with security extensions installed such as NoScript and Ad-Block Plus) is the only trusted browser in terms of security scrutiny, and they have the battle scars to prove it. It baffles me why google decided to reinvent – and it makes me nervous. They already track a massive percentage of users through their 2037 expiring cookies, gmail and google-analytics (to name a few) – but every security professional knows to really “own” (or pwn) the internet you need to be the man-in-the-browser.</p>
<p>Ok now I’m ranting – but I wouldn’t touch chrome with a 10 foot pole.</p></blockquote>
<p>I have to admit that I hadn&#8217;t really bothered to look at Chrome except for the list of published vulns that had been released. I hadn&#8217;t even read the stupid comic, so was probably a bit unprepared to make that statement.</p>
<p>Illan&#8217;s response was taking up the google-is-cool-cause-it-appeals-to-geeks view, and I appreciate he didn&#8217;t burn me down to the ground (I think he thinks I know more about security and ethics than I really do so handled me lightly):</p>
<blockquote><p><strong>Illan: </strong>Erk, I had better not get into a security debate with you – but I have to answer one point:</p>
<p><em>“It baffles me why google decided to reinvent –“…</em></p>
<p>It baffled me too, and of course one could take the hackneyed view and assume they are trying to take over the world. But that would be evil.<br />
Obviously to enter into this fray you’d need to be super duper quantum advanced, and Chrome clearly isn’t that. That’s why I thought the propaganda (of course it is that) I forwarded was interesting – it explains why they bothered. The changes are under the hood, geeky type things that are never going to get it accepted by the general populace. And yes, they certainly stuffed up using old bits of code and will have as much (actually more because they borrow from two different browser families) of a time as anyone keeping their browser up to date from the point of view of exploits and flaws.</p>
<p>But did you read the thing <em>[he means the comic strip -tom]</em>? Don’t you think separate processes, with more sandboxing, is cool? A compiled Javascript and being built from scratch to work as an application container? And you can’t argue with their testing capabilities – of course there are bugs, but if anyone is positioned to find and fix them quickly it’s them (of course if we don’t see them doing this then it’s game over since they have touted their own ability to do so). As for the user interface I do enjoy the minimalism and the googlesearchism but it’s not the main point. And it does seem fast.</p>
<p>As for secret agendas, it’s open source. But I do agree that they have a hell of a hill to climb with Mozilla. But perhaps it’s not so much that they are trying to compete as they are trying to get the others out there to improve – because they want everyone to have browsers that can run the kind of apps they want to write.</p></blockquote>
<p>So to paraphrase:</p>
<p>1. Google is not evil<br />
2. They screwed up, but they will fix all the problems<br />
3. Technically Chrome is nicely architected and it&#8217;s fast<br />
4. Chrome is not evil because it&#8217;s open source and their intention is to play nicely with the competing browsers in the market (more competition will up the level of all browsers)</p>
<p>So there was some back and forth about the process-per-tab nonsense plus the amazing performance experiences, thanks to Dom for giving me <a title="My thoughts on Googles Chrome" href="http://singe.za.net/blog/archives/941-My-Thoughts-on-Googles-Chrome.html" target="_blank">some ammo from his Chrome war with Yusuf</a> (see comments):</p>
<blockquote><p><strong>Tom: </strong>In terms of the separate tab-per-process idea – yes it’s great, and it does minimize the risk of browser bugs to some extent – but doesn’t get us anywhere nearer to solving the real big internet security issues of XSS, CSRF, and SQL injection. Some would argue that these can’t be solved by the browser, but even the granular way that chrome handles cookies shows the browser has a long way to come to start tackling these security problems.</p>
<p>The process separation means that attackers won’t be targeting the tab process because it doesn’t provide much, but will rather go after the parent layer. The browser crash discussed at <a title="Early security issues tarnish googles Chrome" href="http://www.networkworld.com/news/2008/090308-early-security-issues-tarnish-googles.html?page=1" target="_blank">http://www.networkworld.com/news/2008/090308-early-security-issues-tarnish-googles.html?page=1</a> is already an example of the entire browser crashing meaning that it is possible to break out of the tab process into the parent process. But sure they will fix this and we’ll be safe for another week or two. Also, I have no doubt that chrome plans to support community plug-ins (right? They can’t expect to compete with Firefox without them.) – where will these plug-ins run? Inside each tab process, or within the parent process (and how will they communicate between each process) – my point is that yes it’s definitely a step in the right direction, but there are lots of very complex problems to solve if they plan to make the architecture usable, and complexity breeds vulnerabilities.</p>
<p>As for performance – I don’t think we can really compare chrome’s performance with any fully featured browser yet. A buddy of mine [that's you Dom -ed] pointed out that he could get just as snappy a browser if he docked the Mozilla Gecko engine into a gtk widget and called it a browser.</p></blockquote>
<p>Then we moved onto some philosophical stuff around browser 2.0 (if no-one else has already, I coined this!):</p>
<blockquote><p><strong>Illan: </strong>The bugs and vulnerabilities don’t bother me; it’s whether it is inherently potentially better designed… I don’t expect it to be perfect out of the box.</p>
<p>Bottom line: If the browser world can benefit from a bottom-up redesign, then Chrome may be a good start, and if (a big if) it is adopted by the open source community then there is no reason it couldn’t piggyback on Mozilla and do some things Mozilla can’t without a redesign. I mean, who was going to try redesigning anything? At least Google has given it a shot.</p></blockquote>
<blockquote><p>Good point about the speed though.</p>
<p>If you had to redesign the web for better security, what would you do?</p></blockquote>
<p>So what we need is a browser re-design, and if not what is the alternative - my response:</p>
<blockquote><p><strong>Tom: </strong>I don’t agree that chrome is a re-design at all – sure they have done some nifty process separation, but I wouldn’t call it &#8220;browser 2.0&#8221; <em>[COINED! You just experienced a historic moment on the Internet -tom]</em> just yet. The UI enhancements do look pretty, but that&#8217;s really all it is – and it all looks a bit dumbed down. Maybe I would install it for my parents to use – but they are notorious for getting fooled into clicking malicious adverts and the such so I’ll stick with firefox with NoScript for them in the meantime.</p>
<p>If I had to redesign the web for better security I wouldn’t go to google for ideas – their entire business revolves around profiling their users for targeted advertising. I don’t have an issue with that as it’s the price of good web tools, but to give them a chunk of my desktop too feels a bit big-brother. Google is more and more becoming very invasive and I don’t agree that their intentions with Chrome are to “give it a shot building a browser” – I think they really aim to own the browser market and the unfortunate thing is that they probably are in a position to be successful at it. And maybe they will improve our lives somehow in the process, but at what cost.</p>
<p>If google were concerned with our privacy they would have given us encrypted mail in gmail – not because the technology doesn’t exist, but because it doesn’t help their business. It all sounds like a conspiracy theory but don’t think google won’t hand out your data if pushed – Yahoo was strong-armed into handing over search data to the Chinese government resulting in real people being detained. And even if you don’t feel that any dirt would be found on you – an attacker with your credentials suddenly has your life in his hands. The lines between our digital and physical identities suddenly become scarily blurred. <em>[Dom thanks for the ammo here again :) - ed]</em></p></blockquote>
<p>Illan ended off with a:</p>
<blockquote><p><strong>Illan: </strong>Ya, Google would hand over my data, they most certainly are not concerned with maximising privacy. I agree that we are putting a lot into Google’s hands. It is getting big brotherish and I don’t like to think about it – which is probably what most people do. I could of course disengage from using their tools – just. In a year or two maybe I will be just too entrenched.</p>
<p>But I am not at all convinced they are trying to own the browser market (not that they’d object but can they really expect to) and what good would it do them with an open source product. I can’t see how they could expect to take over the browser world with a slight improvement. As someone once said, to change the world you have to be not 20% better than the rest, not 100%, but 1000% better. (Paraphrasing desperately). Surely Google isn’t so naïve as to think they could manage it with this incremental attempt at improvement. They can’t believe that just because it’s Google it will dominate. It’s the browser wars for goodness sake, even Netscape couldn’t win them. Look at Google Talk for example – it’s certainly no Skype-usurper, it’s not even better than Skype – although I have to admit it’s nice that it’s there for free with anyone who has gmail (and who would normally not bother with an IM).[...snip...]</p>
<p>So what would browser 2.0 be? I certainly think we could do with a “secure application runtime environment” – oops wasn’t that Java Applets? But mediated by a text-based descriptive language - oops wasn’t that Mozilla’s XUL or whatever it is called? Maybe browser 2.0 is Flash? Oh no it’s Silverlight. What happened to Silverlight by the way?</p></blockquote>
<p>Then he went home and I went to get some lunch. A good morning :) I still haven&#8217;t installed Chrome and I don&#8217;t plan to, which is unusual for the early-adopter syndrome I suffer from. 6 months ago I probably would have backed Google here - but something just smells fishy. Maybe I&#8217;m paranoid, but damn it really bothers me whenever I click that &#8220;History&#8221; link on the Google search page.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=61</wfw:commentRss>
		</item>
		<item>
		<title>Photosynth idiots</title>
		<link>http://www.tomwells.org/?p=52</link>
		<comments>http://www.tomwells.org/?p=52#comments</comments>
		<pubDate>Wed, 27 Aug 2008 15:53:58 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[photography]]></category>

		<category><![CDATA[photosynth]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=52</guid>
		<description><![CDATA[Photosynth is awesome for stealing passwords and personal information, especially from idiots who write their passwords on post-it notes. A couple of quick searches for &#8220;office&#8221;, &#8220;my desk&#8221; and &#8220;IT office&#8221; reveal some interesting results:

I especially enjoy the closeup snap of a notebook above containing meeting minutes, one hell of a dancing pig this photosynth [...]]]></description>
			<content:encoded><![CDATA[<p>Photosynth is awesome for stealing passwords and personal information, especially from idiots who write their passwords on post-it notes. A couple of quick searches for &#8220;office&#8221;, &#8220;my desk&#8221; and &#8220;IT office&#8221; reveal some interesting results:</p>
<p><a href="http://www.tomwells.org/wp-content/uploads/2008/08/vettedriver_office_1.jpg"><img class="alignnone size-medium wp-image-56" title="vettedriver_office_1" src="http://www.tomwells.org/wp-content/uploads/2008/08/vettedriver_office_1-300x180.jpg" alt="" width="300" height="180" /></a><a href="http://www.tomwells.org/wp-content/uploads/2008/08/vettedriver_office_2.jpg"><img class="alignnone size-medium wp-image-57" title="vettedriver_office_2" src="http://www.tomwells.org/wp-content/uploads/2008/08/vettedriver_office_2-300x181.jpg" alt="" width="300" height="181" /></a><a href="http://www.tomwells.org/wp-content/uploads/2008/08/michael_office_1.jpg"><img class="alignnone size-medium wp-image-53" title="michael_office_1" src="http://www.tomwells.org/wp-content/uploads/2008/08/michael_office_1-300x181.jpg" alt="" width="300" height="181" /></a><a href="http://www.tomwells.org/wp-content/uploads/2008/08/my_desk_area_1.jpg"><img class="alignnone size-medium wp-image-54" title="my_desk_area_1" src="http://www.tomwells.org/wp-content/uploads/2008/08/my_desk_area_1-300x181.jpg" alt="" width="300" height="181" /></a><a href="http://www.tomwells.org/wp-content/uploads/2008/08/my_desk_area_2.jpg"><img class="alignnone size-medium wp-image-55" title="my_desk_area_2" src="http://www.tomwells.org/wp-content/uploads/2008/08/my_desk_area_2-300x175.jpg" alt="" width="300" height="175" /></a></p>
<p>I especially enjoy the closeup snap of a notebook above containing meeting minutes, one hell of a dancing pig this photosynth thing!</p>
<p>Update: Found an <a title="Accused Six Flags hacker pleads guilty in Upstate courtroom" href="http://www.thestate.com/breaking/story/504040.html" target="_blank">article</a> about a hacker who was busted after investigators found photographs posted of his cat on his laptop - they managed to zoom into the laptop screen, obtaining a lead as to his identity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=52</wfw:commentRss>
		</item>
		<item>
		<title>Big Surprise: DNS Attacks In The Wild!</title>
		<link>http://www.tomwells.org/?p=49</link>
		<comments>http://www.tomwells.org/?p=49#comments</comments>
		<pubDate>Wed, 30 Jul 2008 21:10:48 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[dns]]></category>

		<category><![CDATA[exploit]]></category>

		<category><![CDATA[metasploit]]></category>

		<category><![CDATA[pwn]]></category>

		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=49</guid>
		<description><![CDATA[Only about a week after the full disclosure of Dan Kaminsky&#8217;s DNS Cache Poisoning Vulnerability have reports of actual live attacks started to trickle in. Surprising that they have taken so long, as the metasploit code was available only about a day later (here). HD Moore - one of the guys responsible for the metasploit exploit [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="float: left;" src="http://www.pc-america.us/images/exploding_mkt_240.jpg" alt="" width="120" height="192" />Only about a week after the full disclosure of Dan Kaminsky&#8217;s DNS Cache Poisoning Vulnerability have reports of actual live attacks started to trickle in. Surprising that they have taken so long, as the <a title="http://metasploit.org/" href="http://metasploit.org/" target="_blank">metasploit</a> code was available only about a day later (<a title="http://www.caughq.org/exploits/CAU-EX-2008-0002.txt" href="http://www.caughq.org/exploits/CAU-EX-2008-0002.txt" target="_blank">here</a>). HD Moore - one of the guys responsible for the metasploit exploit - has also been in the news for having his <a title="http://blogs.zdnet.com/security/?p=1608" href="http://blogs.zdnet.com/security/?p=1608" target="_blank">DNS pwned by the exploit</a> already :)</p>
<p>Good news is that my TimeWarner RoadRunner Cable service was patched only about 4 days ago. Check your status by going to <a title="http://www.doxpara.com/" href="http://www.doxpara.com/" target="_blank">doxpara.com</a> and clicking the &#8220;Check My DNS&#8221; button.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=49</wfw:commentRss>
		</item>
		<item>
		<title>iPhone Hacking: Can&#8217;t we just all get along?</title>
		<link>http://www.tomwells.org/?p=48</link>
		<comments>http://www.tomwells.org/?p=48#comments</comments>
		<pubDate>Tue, 22 Jul 2008 03:25:13 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[gizmos]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[apple]]></category>

		<category><![CDATA[devteam]]></category>

		<category><![CDATA[iphone]]></category>

		<category><![CDATA[windows]]></category>

		<category><![CDATA[zibri]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=48</guid>
		<description><![CDATA[OMFG the children over at the iphone dev team have released a working unlocker for the iphone 2.0 firmware. Looks like it actually patches the official apple firmware 2.0 image before doing the upgrade (or restore) - clincher is that you need to have already &#8216;pwned&#8217; the device (using winpwn or pwnagetool if you&#8217;re on [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right;" src="http://aceoftech.com/wp-content/uploads/2008/03/iphone1.PNG" alt="" width="239" height="181" />OMFG the children over at the <a title="iPhone Dev Team" href="http://blog.iphone-dev.org/" target="_blank">iPhone dev team</a> have released a working unlocker for the iPhone 2.0 firmware. Looks like it actually patches the official Apple firmware 2.0 image before doing the upgrade (or restore) - the clincher is that you need to have already &#8216;pwned&#8217; the device (using winpwn, or pwnagetool if you&#8217;re on a Mac). Mac users get the hack for almost no effort, while Windows users have to jump through a whole bunch of extra hoops to get it working.</p>
<p>I previously used <a title="ZiPhone - Zibri's blog" href="http://www.ziphone.org" target="_blank">ZiPhone</a> to unlock my 1.1.4 phone, which worked great - but it doesn&#8217;t look like the famous Mr Zibri will be releasing a ZiPhone 2.0 - looks like he&#8217;s a bit of a sulker! A recent iPhone dev team <a title="Another Rant" href="http://pumpkinpat.ch/zibri_rant.html" target="_blank">rant</a> lands a couple of massive blows; look forward to the cryptic response!</p>
<address style="padding-left: 30px;">&#8220;And as to his most recent update, I&#8217;m not really sure what to say. I&#8217;d call it the swan song, but that would imply he was a swan, which is certainly not my intention. Maybe the chicken song would be more appropriate. ZiPhone was &#8220;developed&#8221; 9 months after the iPhone release, so he&#8217;s justifying his lack of releases now, okay. Once again he pushes the &#8220;real hack&#8221; idea, which we hope we&#8217;ve already pounded sufficiently into the ground above. We&#8217;re not sure how the fact that we were so popular it took down multiple unmetered gigabit servers is a point in his favor. We&#8217;ve had close to a third of his total visits since last week.&#8221;-<a title="pumpkin - iphone dev team" href="http://pumpkinpat.ch/" target="_blank">pumpkin</a> (iphone dev team)</address>
<p>My prediction is things are gonna get nasty! Looking forward to the next episode?</p>
<p>So anyways, I think it&#8217;s time I did the upgrade - I&#8217;m busy getting all the pieces of the puzzle together, I&#8217;ll keep you updated :)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=48</wfw:commentRss>
		</item>
		<item>
		<title>Life at Apt. 8A</title>
		<link>http://www.tomwells.org/?p=47</link>
		<comments>http://www.tomwells.org/?p=47#comments</comments>
		<pubDate>Thu, 17 Jul 2008 13:07:04 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[life etc]]></category>

		<category><![CDATA[brooklyn]]></category>

		<category><![CDATA[lcd]]></category>

		<category><![CDATA[ny]]></category>

		<category><![CDATA[router]]></category>

		<category><![CDATA[sql injection]]></category>

		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=47</guid>
		<description><![CDATA[Almost a week we&#8217;ve been in little America! Gotta admit that Brooklyn is really a special place, especially the area we are staying in Brooklyn Heights is saturated with organic food markets, great restaurants, cafes and bars - simply stunning. We&#8217;re staying on the 8th floor of an apartment building, pretty tiny living, but apparently [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: left;" src="http://photos-b.ak.facebook.com/photos-ak-sf2p/v308/45/29/572916220/n572916220_1482817_5272.jpg" alt="" width="302" height="202" />Almost a week we&#8217;ve been in little America! Gotta admit that Brooklyn is really a special place; especially the area we are staying in, Brooklyn Heights, is saturated with organic food markets, great restaurants, cafes and bars - simply stunning. We&#8217;re staying on the 8th floor of an apartment building, pretty tiny living, but apparently a good size for the area and money. Check out pictures <a title="New York Pics" href="http://www.tomwells.org/photos/new-york-pics/" target="_blank">here</a>.</p>
<p>I&#8217;ve become thoroughly addicted to online shopping, especially eBay. I *WILL* find a bargain soon and it will all pay off - but in the meantime I have to continue hunting :) Got the bug after ordering a new 22&#8243; LCD and Linksys-54g router for my study (read: desk in the kitchen) - looking forward to getting a real work environment in place. Also my internet connection is ridiculous - I have the TimeWarner RoadRunner cable, and it&#8217;s really not that fast on paper, but hell, it feels like a LAN; 13ms ping to almost everywhere might have something to do with it!</p>
<p>I&#8217;ve been keeping myself busy with writing a SQL Injection framework - well, that&#8217;s the idea; at the moment it&#8217;s a bunch of nasty looking Python scripts, but I&#8217;m slowly pulling some structure together and should have something to show y&#8217;all soon. Been testing against a couple of vulnerable ZA sites (makes me feel closer to home I suppose) as I don&#8217;t have my lab infrastructure ready here yet; promise not to break anything! ;)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=47</wfw:commentRss>
		</item>
		<item>
		<title>All your post are belong to us</title>
		<link>http://www.tomwells.org/?p=30</link>
		<comments>http://www.tomwells.org/?p=30#comments</comments>
		<pubDate>Mon, 07 Jul 2008 09:35:37 +0000</pubDate>
		<dc:creator>Tom</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[exploit]]></category>

		<category><![CDATA[man-in-the-middle]]></category>

		<category><![CDATA[pobox]]></category>

		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://www.tomwells.org/?p=30</guid>
		<description><![CDATA[Visited the good ol&#8217; post office on Saturday because I wanted to find out if they could &#8220;forward&#8221; my mail delivered to my PO Box elsewhere. They do, and it&#8217;s called their &#8220;redirection&#8221; service and it only costs R33 per month to send your mail anywhere else in South Africa - pretty good. However they [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right;" src="http://www.diy-letting.co.za/realnow/Images/SA%20Post%20Office%20logo.JPG" alt="Post office image" width="257" height="75" />Visited the good ol&#8217; <a title="SA Post Office" href="http://www.sapo.co.za/" target="_self">post office</a> on Saturday because I wanted to find out if they could &#8220;forward&#8221; my mail delivered to my PO Box elsewhere. They do; it&#8217;s called their &#8220;redirection&#8221; service and it only costs R33 per month to send your mail anywhere else in South Africa - pretty good. However, they should probably look at securing this, as I was able to set this up without showing any ID or being asked any security questions - interested in getting your ex-wife&#8217;s mail? Keen on stealing your neighbour&#8217;s Penthouse subscription? Nice little tool to support the little identity theft attack you were putting together? Very worrying indeed. A complete exploit would be to implement a full man-in-the-middle attack where you could sniff the mail (via redirection to your mail box), and then somehow have it delivered to the final destination (i.e. avoiding the redirection a second time) - anyone have a PO Box they are not using?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tomwells.org/?feed=rss2&amp;p=30</wfw:commentRss>
		</item>
	</channel>
</rss>
