Elliott C. Back: Internet & Technology

Cryptology Attacks: What’s New

Posted in Hacking, Quantitative, Science, Security by Elliott Back on November 19th, 2006.

A new attack on RSA called Simple Branch Prediction Analysis (SBPA) promises to reveal “almost all of the secret key bits” using a parallel spy process that only needs to observe a single execution of an RSA private-key operation. The technical details show it to be a sophisticated, dangerous attack:

Namely, in the context of simple side-channel attacks, it is widely believed that equally balancing the operations after branches is a secure countermeasure against such simple attacks. Unfortunately, this is not true, as even such “balanced branch” implementations can be completely broken by our SBPA attacks. Moreover, despite sophisticated hardware-assisted partitioning methods such as memory protection, sandboxing or even virtualization, SBPA attacks empower an unprivileged process to successfully attack other processes running in parallel on the same processor.

[image: inurkernel.jpg]

If that weren’t bad enough, a rootkit can now be persisted in your PCI device. A paper called Implementing and Detecting a PCI Rootkit details how PCI cards execute BIOS code which can be flashed from Windows software if the user is running as an administrator. Combined with a remote exploit, this could lead to remote rootkit injection. Also, given that PCI BIOS software is not verified in any way, the rootkit would be difficult to detect.

Blocking Hackers With Perl, Cron, Shell

Posted in Blogging, Code, Security by Elliott Back on September 6th, 2006.

I just wrote a little shell script for this server:

grep "authentication failure" /var/log/messages | sed 's/^.*rhost=//g' | cut -d " " -f 1 | sort | uniq -c | ban-hackers.pl && cp /var/log/messages /var/log/messages.`date '+%s'` && >/var/log/messages

The ban-hackers.pl file looks like this:

#!/usr/bin/perl -w
use strict;

# Reads the "count host" lines produced by "uniq -c" on standard input.
while (<STDIN>) {
	chomp;
	# Skip lines that do not match; otherwise $1 and $2 would keep stale values.
	my ($count, $host) = /^\s*(\d+)\s+(\S+)$/ or next;

	if ($count > 4) {
		# List form of system(): $host is passed as an argument, never through a shell.
		system("iptables", "-A", "INPUT", "-s", $host, "-j", "DROP");
	}
}

When this command is scheduled to run, say, every hour, attackers trying to brute-force the system get added to the ban list. Alternatively, I could have rewritten the program entirely in Perl to glom up entries from particular addresses, discarding only the violators and remembering the rest in case they try again later.

I’m new to shell scripting and perl, so point out anything horrible with this hack, please!
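The stateful variant sketched above, as an added example that is not the post's script: it counts authentication failures per remote host across runs, bans hosts over a threshold, and writes the rest to a state file for the next run. The log and state-file paths, the threshold of 4 and the state-file format are assumptions, and it expects the log to be truncated after each run, as the cron command above does.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not the original post's script. Paths, threshold and the
# "rhost count" state-file format are assumptions; the log is expected to be
# truncated by the caller after each run, as the post's cron command does.
my $log       = $ARGV[0] || '/var/log/messages';
my $state     = '/var/lib/ban-hackers/counts';
my $threshold = 4;

# Load counts remembered from earlier runs (hosts not yet over the threshold).
my %count;
if (open my $in, '<', $state) {
    while (my $line = <$in>) {
        my ($host, $n) = $line =~ /^(\S+)\s+(\d+)$/ or next;
        $count{$host} = $n;
    }
    close $in;
}

# Add this run's failures. Only a plain IPv4 literal is accepted from rhost=,
# so nothing else taken from the log ever reaches iptables.
open my $fh, '<', $log or die "cannot read $log: $!";
while (my $line = <$fh>) {
    next unless $line =~ /authentication failure/;
    my ($host) = $line =~ /rhost=(\S+)/ or next;
    next unless $host =~ /^(?:\d{1,3}\.){3}\d{1,3}$/;
    $count{$host}++;
}
close $fh;

my @keep;
for my $host (sort keys %count) {
    if ($count{$host} > $threshold) {
        # List form of system(): $host is an argument, never shell-interpreted.
        system('iptables', '-A', 'INPUT', '-s', $host, '-j', 'DROP') == 0
            or warn "iptables failed for $host: $?\n";
    } else {
        push @keep, "$host $count{$host}\n";    # remember for the next run
    }
}

# Rewrite the state file with the hosts still under the threshold.
open my $out, '>', $state or die "cannot write $state: $!";
print $out @keep;
close $out;
```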

Macs Don’t Have Viruses?

Posted in Apple, Computers & Technology, Hacking, Mac, Security by Elliott Back on July 3rd, 2006.

When I read about new proof of concept code in OSX that allows arbitrary code execution by manipulating flaws in system files, I sigh, and wonder why the public has the misconception that their Apple Macintosh computers are somehow safer and less prone to malware than PCs. According to an article by the Register, Apple is not focusing enough on the security of their core operating system product:

“This is almost certainly the year of the OS X exploit,” said Jay Beale, a senior security consultant for Intelguardians and an expert in hardening Linux and Mac OS X systems. “The OS X platform may be based on a Unix platform, but Apple seems to be making mistakes that Unix made, and corrected, long ago.”

Perhaps we should call it OS V, for virus, instead. Then the public would have a symbol to remind them that Apple’s operating system cannot provide perfect security:

[image: mac-os-v-for-virus.jpg]

One only has to look at the Secunia OSX vulnerabilities page or Symantec’s OSX threat advisory center to realize that the Apple platform has the same potential for malware as any other. No software is bug-free; yet Apple is trying to foster a reputation that pretends it is:

Historically, Apple has not had very good external communication skills. They have a tremendous marketing team, but the amount of information (as opposed to marketing hype) that comes out of Apple is low.

When a software company would rather hide the flaws in its software until the “next patch” rather than publicly own them, there’s a big security problem. When the next 0-day OSX exploit comes out, do you want to know about it, or would you rather pretend it doesn’t exist?
