Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Why One-time Passwords Suck For MITM Attacks

Posted by CmdrTaco on Mon Aug 18, 2008 04:11 PM
from the my-password-is-pass1234 dept.
Security
whitehartstag writes "Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks."
+ -
story

Related Stories

Submission: Why one-time passwords suck for MITM attacks by whitehartstag (1112871)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Why One-time Passwords Suck For MITM Attacks 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • The Love Triangle... (Score:5, Funny)

    by kcbanner (929309) * on Monday August 18 2008, @04:17PM (#24650767) Homepage Journal
    Alice and Bob's relationship will be at stake when an unknown interloper...Larry...arrives on the scene. Is this love line segment about to become a love triangle? Will the self-signed certs be accepted?

    Coming to you this fall...Larry is...The Man in the Middle.

  • frequency in the wild ? (Score:5, Interesting)

    by jacquesm (154384) <j.ww@com> on Monday August 18 2008, @04:21PM (#24650821) Homepage

    I know that there are some people that are very clever at doing these man in the middle attacks, but they usually happen in an academic setting as proof of concept.

    Have there been documented cases of (successful) mitm attacks on banks or other high profile targets ?

  • This is NOT an attack on SSL VPN (Score:5, Interesting)

    by ugen (93902) on Monday August 18 2008, @04:27PM (#24650883)

    This isn't an attack on anything, really.

    Here is what the article says:
    "They will then go to all of the trusted CAâ(TM)s and try to get them to issue them a valid âoeinternal onlyâ certificate with the FQDN of a target sslvpn URL. As soon as they get a success, that company now becomes their target of choice. Remember, the certificate they need can be issued from any trusted CA in the browser and does not need to match the CA that the SSLVPN gateway is using."

    Now, may be I am not understanding the purpose of SSL certificates and the PKI infrastructure in general, but I was under distinct impression that the whole reason those authorities exist is to verify who they give the certificate to, and in such a way that we, users, can trust these certificates.

    If this is not correct, and anyone can with relatively minor effort get certificate for a random domain name from one of recognized cert. authorities - game over, none of this matters, the entire PKI infrastructure is in the crapper.

    So, either we have to deal with cert. authorities signing things they should not or this is not an attack that is worth discussing. Everything else is a half-measure.

    • Re:This is NOT an attack on SSL VPN (Score:5, Funny)

      by Diss Champ (934796) on Monday August 18 2008, @04:36PM (#24650989)

      Cert authorities are notorious for poor checking. The main thing they check is that they are getting paid. There are things certificates are good for- knowing for sure the first time you see one for a site that they are who they claim they are without further checking is not one of them.

    • Roll yer own... IPCop and Zerina OpenVPN (Score:3, Interesting)

      by Anonymous Coward

      I made a VPN server using IPCop and added the Zerina OpenVPN package to it. Simple plug and play. It has it's own internal certificate authority, and issues it's own client certificates for each road warrior client you set up to be an OpenVPN client under the Zerina webgui. Very secure, since it will only accept the client certificates that were generated locally to the machine. The cost for the software, is of course FREE. The old AMD Athlon 2400 Compaq PC upon which I'm running it, is worth maybe $200 top

    • Re:This is NOT an attack on SSL VPN (Score:5, Insightful)

      by Sloppy (14984) on Monday August 18 2008, @05:57PM (#24651845) Homepage Journal
      Authority is subjective. Once everyone realizes this, they might as well switch to the OpenPGP trust model, which acknowledges it, instead of trying to hide this inescapable truth from the user.

    • Re:This is NOT an attack on SSL VPN (Score:5, Informative)

      by tgd (2822) on Monday August 18 2008, @07:31PM (#24652935)

      You miss the point -- they are issuing a valid cert for an internal address.

      "intranet" would be an example. Not intranet.mydomain.com.

      Since your DNS will append mydomain.com automatically, it leaves you vulnerable to anyone who installs an "intranet" cert on a server they have spoofed into your DNS if you the browse to "intranet".

      If "intranet" is an SSL VPN, then they can get in the middle and get your OTP.

  • long story short... (Score:5, Interesting)

    by brunascle (994197) * on Monday August 18 2008, @04:29PM (#24650899)
    The guy was able to buy a certificate for Microsoft's login.live.com, from an undisclosed CA that's trusted by IE by default, because he checked a box saying it was only going to be used for internal use.

    Please reveal the CA. They need to be shut down.

    • Re:long story short... (Score:5, Insightful)

      by jacquesm (154384) <j.ww@com> on Monday August 18 2008, @04:32PM (#24650943) Homepage

      Shutting them down is stopping short, all the certificates issued by them need to be revoked as well and reissued by another CA after thorough checking.

      If there is one documented case there are likely to be many more undocumented cases.

      • Re:long story short... (Score:5, Insightful)

        by QuoteMstr (55051) <dan.colascione@gmail.com> on Monday August 18 2008, @04:57PM (#24651199)

        Somebody, preferably a government agency, should be in charge of testing CAs. CAs have very strong economic incentives to loosen verification rules in order to compete and sell more certificates. When one CA loosens its rules a little bit, all the others are compelled to do the same to stay competitive. It's a race to the bottom [wikipedia.org].

        Market forces cannot solve the problem because there's a fundamental information asymmetry. Joe Myspace isn't going to understand what a root CA is, much less manually remove it from his browser. And even if he did understand what that meant, would he lose access to his favorite SSL-protected sites for some egghead's paranoid security fears?

        We need regulation, and we need it now. We need several free, worldwide certificate revocation lists [wikipedia.org], and we need agencies running these lists to randomly and anonymous ensure CAs are following the verification rules.

        Having just one CRL gives too much power to one authority, which is especially dangerous if these authorities are organs of government. Browsers should check all CRLs and consider a certificate invalid if, say, two-thirds of the CRLs say to do so.

        In any case, the current situation is untenable.

        • I don't know about you, but I remember enough of the history of the FBI and CIA to know that's a terrible idea. Anyway, the intarweb is international - which government?

          • You misunderstand my proposal. The FBI and CIA abused special investigatory powers. On the other hand, these bodies I'm proposing only need the power any private citizen would have. They're only likely to be government organizations because there's no profit in them.

            And the whole reason for having multiple organizations here is to avoid any one of them being made into a DoS-a-matic.

            Each organization only has the "power" to state "this certificate is invalid" or "this CA's certificates are invalid." It's up

                • Re: (Score:3, Interesting)

                  by silas_moeckel (234313)

                  Replace "attempt to buy" with a "get a court order" (or whatever flimsy paperwork the FBI is giving out because our fearless leader says it's good thats an entirely different point) throw in a gag order. Hell simplify the whole process and have them sign a signing cert to make a NSA CA legit in most browsers.

                  The SSL cert process is broken by design because stopping MITM attacks is hard. It's also only a tech good for commercial encryption if a power government wants to subvert it it will. Military grade

      • Agreed. Doesn't revoking the signing root certificate then revoke all certificates signed by them? That's what needs to happen.

    • Please reveal the CA. They need to be shut down.

      ... and then the execs need to be drawn and quartered.

      Only partly joking. This is such a flaming case of massive malfeasance that impacts **SO** much more than your run-of-the-mill corruption and other shenanigans. As other posters have noted, this shadiness means certs like this are, in general, complete crap, and given the extent to which many very vital businesses conduct online operations on the basis of these certs, a simple slap on the hand -- or even

      • ...they were then fired for their incompetence.
        ...then they were taken out and beaten to a pulp.
        ...then they were ground up into this powder!

    • Thawte (Score:5, Informative)

      by an.echte.trilingue (1063180) on Monday August 18 2008, @04:51PM (#24651145) Homepage
      Thawte does this; look about halfway down the page [thawte.com]

      I must say that in general I have been unsatisfied with thawte. They gave me a hard time about re-issuing my cert after the debian-ssl debacle and in general their tech support people don't know anything beyond what is already on their site.

      Seriously, I pay over a hundred clams a year just to so that I can have ssl communication without the "OMFG THIS SITE IS GONNA HAXOR YOU" dialog box pop up in user's browsers, and they pull all kinds of monkey business.

      But since verisign owns them, I wouldn't hold my breath for them to be shut down. My guess is the other CAs do this, too.

      • It doesnt necessarily mean it was Thawte, though. From an earlier article [networkworld.com]:

        he simply checked the box that stated that the certificate was not going to be used on the internet and was for internal testing only. Luckily, Michael also stated that most CA's rejected his requests.

        It's a little vague, but it might mean that a lot of CAs have this checkbox.

  • A client cert, stored on the computer, should NOT be considered one factor in a two factor scheme, because the client computer is far too easy to compromise.

    OTOH, it makes a good point that a client cert (OR, hell, just caching the server cert and complaining when it changes!) should be used because its too easy to social engineer a valid cert from a CA

    • I agree. This is what SSH does, just cache the server's key and complain when it changes...this system works well (as long as your certain who your talking to on the first connection).

  • My wife has shown something to me today that really has been bugging me for the entire day, she connected to her work via VPN with a security token, a number generator that is given to her that is synchronized against a server number list I suppose and when she ran a search on something she mistyped, our provider, Rogers Canada, was able to get the mistyped word and injected their own search frame into the HTML that returned to her browser.

    Now, I am not sure how this happened, I was under the impression tha

    • Re: (Score:3, Informative)

      by carleton (97218)

      Most VPN Clients I've used support a split tunnel mode... the idea being that data going to your company's internal LAN goes through the VPN tunnel ; data going elsewhere goes outside the tunnel. The idea here is that if you're trying to do stuff on the public network (that's assumed to be less sensitive to begin with), you don't have to wait for the traffic to flow from your computer to your company and then to the site you want (worst case being if you wanted to say stream music off your music server on

      • You are probably correct, I am going to check that client. I wonder how it decides what is split, just by filtering out anything that is directed at an IP not within the company subnet or maybe there are lists of IPs that go through encrypted channel. Thanks.

    • Depends how the VPN is setup, and whether or not it sets itself as the default IP gateway. It could be that it's only routing VPN destined traffic across it. Presumably when she mis-typed, she was routing across her normal gateway, which Rogers then 'improved'.
    • VPNs are generally set up to route only a specific network's traffic - for instance, if your internal stuff is on 10.0.0.0/8, there's a rule routing 10/8 to the vpn, while the regular stuff (giggle) goes out into the big bad world.

  • too bad for the new blizzard authenticators (Score:3, Interesting)

    by poetmatt (793785) on Monday August 18 2008, @05:14PM (#24651365)

    Too bad that the new authenticators from blizzard are OTP's and people are convinced that it is 100% foolproof, as this article tends to prove otherwise.

  • I don't see how this is much better? (Score:4, Interesting)

    by JSBiff (87824) on Monday August 18 2008, @06:21PM (#24652171) Journal

    I might be missing something here, but this article proposes, as a way of trying to make the management of keys/certs easier (which is necessary to implement the client-side certs), to use this "SecureAuth" system. . . which downloads an SSL cert to your computer. So. . . uhh, why can't an attacker intercept this? Well, the answer seems to be (maybe I'm misunderstanding here) that before the SecureAuth system will download the cert to you, it sends you some sort of one-time-password via phone or SMS, which you must enter to get the key . . . but once you've typed in this one time password you got by phone, what prevents the MITM from intercepting that passsword the exact same way it would have been attacking the other one-time-password generated by the keychain fob, and therefor be able to impersonate you to the SecureAuth server and get the client cert which should have been sent to you?

  • Not all OTP's are vulnerable to MITM! (Score:3, Interesting)

    by freaker_TuC (7632) on Tuesday August 19 2008, @02:00AM (#24655417) Homepage Journal

    Not all OTP's are prone to MITM attacks; the Yubikey [yubico.com] for example has a (8hz) timer built in, initialized to a random value on connection. Next time a OTP gets generated the timestamp moves up too with a maximal difference of 10%. This timer prevents MITM attacks; without the use of a battery. Read more on their website.

    I'm currently writing an authentication platform working with Yubico's demo and reprogrammed Yubikeys.
    I'm not affiliated with Yubico, just a user of their product ; although I can tell this key has it done right!

    They also seem to have a nice mindset allowing a large suite of usages with their product by focussing on the hardware only, leaving the software with 3rd party developers.
    Oh, and did I mention it was open source?

      • Re: (Score:3, Interesting)

        by geminidomino (614729) *

        We need more Red Dwarf references...

        • We need more Red Dwarf references...

          A superlative suggestion sir, with only two minor drawbacks: one, we don't have enough boys from the dwarf and two, we don't have enough boys from the dwarf. I know that technically that's only one drawback, but I thought it was such a big one it was worth mentioning twice.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.