Off to an Information Security conference

[JettaKnight]

Thinking about I see two possible ways:

1. Put certificate on your computer that show the middle man as Amazon. Here the flaw in the system is that you (the human) trusts that your computer won't lie to you.
2. Get a proxy server that routes request to the CA to new internal CA that has a host of bogus certificates.

Either way, they exploit trust - either human or computer trust.

 

[printcraft]

hillary clinton wants to subscribe to your newsletter.

 

[JettaKnight]

Thanks, Pudly! I guess I was right with #2.

 

[Jludo]

That would work the same for vpns?

 

[pudly]

A VPN can be SSL based, but that is entirely independent from SSL proxying. If you have any concerns, just use the same, simple procedure to check if the cert has been replaced with a bogus one.

 

[Jludo]

A VPN can be SSL based, but that is entirely independent from SSL proxying. If you have any concerns, just use the same, simple procedure to check if the cert has been replaced with a bogus one.

That's my point, I thought on a vpn the traffic was encrypted on your computer and you already have the receivers cert so in theory there can't be a man in the middle right ?

 

[pudly]

That's my point, I thought on a vpn the traffic was encrypted on your computer and you already have the receivers cert so in theory there can't be a man in the middle right ?

Nope. The entire idea is that an SSL proxy can be used to trick your system into accepting bogus certs for encryption. The tough part to implement is that you need to update the user's CA list to trust the proxy. Microsoft/Google/Mozilla/Apple/etc only set you up with publicly recognized CAs. Companies can update your CA list as part of their setup to get your device on their network. Otherwise, it is hard to get people to accept random CAs.

 

[JettaKnight]

Nope. The entire idea is that an SSL proxy can be used to trick your system into accepting bogus certs for encryption. The tough part to implement is that you need to update the user's CA list to trust the proxy. Microsoft/Google/Mozilla/Apple/etc only set you up with publicly recognized CAs. Companies can update your CA list as part of their setup to get your device on their network. Otherwise, it is hard to get people to accept random CAs.

So, it requires an SSL proxy and some level of tampering on the client?

 

[JettaKnight]

That's my point, I thought on a vpn the traffic was encrypted on your computer and you already have the receivers cert so in theory there can't be a man in the middle right ?

Well, sometimes.

There's TONS of sites with SSL. So there's no possible way you can have everyone's key. So there's a dance that's done between the two you you to secretly establish a single symmetrical encryption key that you use doing the session.

Now, if you're able to exchange keys in another method, say via key in a file transferred via a secure method (e.g. sneakernet) then no, certificates aren't required and there's no key exchange for a man in the middle attack. That's why you may have to install the key while behind the firewall first before you can run the VPN.

Another method is to use a physical device that only you have and the middle man doesn't. (RSA SecurID)

 

[JettaKnight]

I should probably go into security; there's a lot of money to made.

You guys work on the computer side - desktops, servers, etc.; whereas I work on the embedded side - HVAC, ECMs, toasters.

The first two are already hacked, but, just you wait till your home network is exploited by you toaster.

 

[eldirector]

The first two are already hacked, but, just you wait till your home network is exploited by you toaster.

Exactly why I like my devices "dumb"!

 

[wtburnette]

Information Security field can be very lucrative. No lie.

 

[pudly]

So, it requires an SSL proxy and some level of tampering on the client?

Yes. The "tampering" (updating your CA list) is the harder part. Companies can claim the right for devices that connect to their network and require that you install it. You may not know that is part of what is happening when you agree. There are legitimate reasons for this tool beyond monitoring. However, it obviously can be abused as well. Malware may update your CA list entirely without your consent. The good news is that it is easy to detect if you are concerned.

There are even developer/administration tools that work using this technology. For example, Fiddler is an HTTP debugging tool for developers. It uses this same technique so that you can examine all of the details of HTTP going back and forth between your browser and the server, including decrypting SSL communications.

I should probably go into security; there's a lot of money to made.

You guys work on the computer side - desktops, servers, etc.; whereas I work on the embedded side - HVAC, ECMs, toasters.

The first two are already hacked, but, just you wait till your home network is exploited by you toaster.

I refuse to participate in the IoT until they get a clue. It is the height of irresponsibility for manufacturers to bring unsecured internet devices into your home/business and not invest in a system to provide security updates as needed. Unfortunately, it is cheaper to leave security out and most customers are too ignorant to know the difference. The recent hacks of various automobiles control systems is starting to wake people up, but they have a very long way to go before they can be considered even minimally competent at security.

Exactly why I like my devices "dumb"!

 

[wtburnette]

I refuse to participate in the IoT until they get a clue. It is the height of irresponsibility for manufacturers to bring unsecured internet devices into your home/business and not invest in a system to provide security updates as needed. Unfortunately, it is cheaper to leave security out and most customers are too ignorant to know the difference. The recent hacks of various automobiles control systems is starting to wake people up, but they have a very long way to go before they can be considered even minimally competent at security.

Completely agree with you on this.

 

[JettaKnight]

It's Friday afternoon, and I'm a little bored, so I'll explain this better.

So you, Bob, want to exchange love letters with your girlfriend Alice. But Alice's dad, Oscar, wants to read these letters, you know, to ensure modesty. In addition, you and Alice are afraid that Mallory, your ex, might read the letters too. Mallory's also been caught writing letters to pretend to be you. Mallory once wrote to your previous girlfriend, "Carol, I want to break up" and signed your name! You really love Alice and don't want that to happen, so you want to create a code only you and Alice know.

The problem is, Alice is on a dude ranch Wyoming and you're here in Indiana and letters are the only way you can communicate. How do you create a code if you only have these letters - that Oscar can read and Mallory can change?

Well, that's where Trent comes in. You see Trent is a cowboy notary and puts his stamp on Alice's letter. You trust Trent (he's a cowboy after all) and Trent's stamp can't really be forged. So life is good, and using math, you and Alice devise a code. Now Mallory can't forge letters and Oscar can't snoop because they don't know the code.

Oscar, however, is peeved. He thinks you're planning on eloping or maybe Alice is giving you the family's 200 year old chili recipe. If you get that recipe, Oscar's days of dominating the church chili cook-off is numbered.

So Oscar devises an elaborate plan. While having a few drinks on the veranda, he convinces you that Sybil is just as reliable as Trent and you can trust Sybil (despite the multiple personalities). OK, you that's fine. What's harm? Sybil seems to be pretty reliable, plus, Oscar makes a fine Mint Julep.

So, Alice writes a letter and Trent stamps that letter. So good, so far, but Oscar surreptitiously grabs the letter out of the mailbox and replaces it with a similar letter - same text, but with Sybil's stamp instead. You (Bob) get the letter, OK, it's legit. So you go about establishing a code, thinking you code is for you and Alice, but in reality your code is for you and Oscar! Meanwhile, Oscar is establishing a similar code with Alice!

(ready for it?)

So, Alice writes letters think only you can read them, but Oscar intercepts these letters, reads them, then makes a copy using the code you and he set up. He sends these letters onto you and you decode them thinking that Alice encoded them for your eyes only. Then you write back, using the code for you and Oscar (unbeknownst to you), Oscar snags the letters before the mailman picks them up, decodes it, reads it and hastily makes a copy using the other code and sends it to Alice, who receives it and falsely thinks it came directly from you!

Does this make more sense? The problem was, Oscar tricked you into accepting Sybil's stamp of authenticity.

 

[JettaKnight]

From three years ago on, all of my projects with any M2M require a security plan, per my insistance. FMEA must be extended into the realm of security and exploits.

I've already had a few people ask me to go into security, and maybe if my current status changes (i.e. lose my job), I might go that way. The problem is, I don't have near enough Linux/Windows network security experience. Stuff like AD is still elusive.

 

[Dead Duck]

Great!

Another Gaming Thread....

 

[tatic05]

Great!

Another Gaming Thread....

 

[JettaKnight]

A real life example.

Hacking DefCon 23’s IoT Village Samsung fridge | Pen Test Partners

The fridge will go to Google to fetch your calendar then display it. The problem was the fridge didn't check the certs, so a man in the middle attack is possible.

 

[nsolimini]

So, man in the middle?

I thought SSL was meant to stop man in the middle attacks* using a CA.





* One man's "allow you to analyze" is another man's attack.

TLDR the whole thread, but the SSL decrypters I use act as the CA. The clients on my network trust my decrypter, it decrypt's the packets, logs them, encrypts them, and sends them back out.