Friday, September 9, 2011

Ich Sun Rising – The Story Of How SSL Certificate Authorities Died


This is the story of how Certificate Authorities were killed ... It's a story of incompetence, arrogance, and a 21 year old hacker that goes by the name "Ich Sun". WARNING, there comes a high potential for self injury after reading this post - If you have ever done so much as set up a wireless (WiFi) router, you may want to remove any sharp objects from your immediate vicinity before continuing.

NOTE: This article is written such that my dad might understand SSL and what's going on with the "Comodo Hacker"... I'm sorry if that just adds to your frustration. (Feel free unleash anger in comment section)

Quick Explanation SSL

Ok, sadly enough i have to start with a brief overview on Secure Sockets Layer (SSL) before I can say why it is doomed. First off, SSL is the standard for securing many of the financially lucrative & popular sites across the internet from Man in the Middle attacks (MitM). MitM attacks are a notorious and self explanatory method of intercepting communications online. You might have HTTPS right now on your browser, which is secured with SSL, & not even have noticed it. Currently there are over two million websites "secured" with SSL.

SSL works through the exchange of what are know as public keys and private keys.  The public keys are available by anyone, while private keys are held by the server of the requested website and signed off by a Certificate Authority.  When you connect to a website now, that site sends the request to the Certificate Authority.  The Authority then responds with the verified private key which is passed back to the user, tying  the users public key to websites private key..... (User → website → CA → website → User)

SSL relies on Certificate Authorities (CA's), which are trust monopolies in the SSL system.  There are now roughly 650 CAs in the world ranging from 'root' CA's like Mozilla to crap-tastic CA's like SSL-in-a-box, all of whom play on the same field.  This is not so much the fault of White Hats (they are pretty fail too) as it is the fundamentally flawed idea of centralizing some verification entity for an indefinite period who have the primary goal of money.  But that will become more apparent after I discuss Comodo and DigiNotar CAs.


Comodo: The Tip of the Iceburg

Back in March 2011, Comodo was claiming that it was the victim of "state driven/ funded attacks" & proceeded to point every finger it could at Iran.  Comodo even went so far as to release the IP address of the alleged hacker, originating from an Irani ISP block.  What had actually happened was Ich Sun rising. And Comodo was utterly befuddled when the morning's light came with rain.

Comodo's re-sellers and it's own servers were hacked (a total of four times), fake certificates were generated and stolen for login.skype.com, mail.google.com, and login.live.com (among others).  Comodo's fail was only compounded by Mozilla, in association with other browsers, made the decision to withhold information on the attack from the public.  It took some elite detective work by Jacob Appelbaum (@ioerror) in noticing code changes to Chromium to bring attention to what became known as "ComodoGate".

Comodo ended up waiting over a week to inform anyone of the hack.  Then once the attack came into the public light, it became clear that "CAs are failing to do their job properly and are almost entirely unaccountable... The browsers are failing users by refusing to hold CAs to account" (Appelbaum, 2011). These rouge certificates were spawned & swiped by the outspoken, self proclaimed, "Comodo Hacker" aka Ich Sun.

Ich Sun arose on Twitter & PasteBin, he took responsibly for the Comodo hack & posted Mozilla's private key as proof of his claim. Reactions of the unbelievers ranged from 'Ich Sun was not the hacker responsible at all' to that he was really 'an Iranian Cyber Army' or 'Basij' spokesman. However, Moxie Marlinspike (@moxie__) the designer & coder of SSLsniff (a MitM attack program that simply inputs a CA certificate & intercepts traffic) paints the best picture of the "Comodo Hacker" Ich Sun, who had just downloaded SSLsniff off of Moxie's website. Moxie used the referrer information he obtained & debunked the "state sponsored" claims made by Comodo. (BlackHat USA, 2011 [~5 minutes long])



Comodo exposed countless people & untold amounts of digital infrastructure through their complete & unwavering incompetence. But Comodo is as strong today as it was in March. Even after their extraordinary claims of “state sponsored attacks” were shown to be nothing but hype. Their business didn't take a hit relative in relation to their failure, they still have trust in the public's eyes (who were mostly unaware what happened). Comodo just rolled on, continuing to secure a quarter of the internet nonchalantly. And for all intensive purposes, ComodoGate blew over. Well for most people it did, except for Ich Sun, to him it was just the beginning.

Whois (-i) This Hacker Ich Sun...? [sic]

That is a question that heavily relies on what he has disclosed & how you gauge his PasteBin posts that offer a glimpse of his philosophy. The highlights include: He's 21 years old, he thinks himself defending or avenging grievances against Muslims through his hacks to promote a 'more equal internet'. He makes references to a HAARP earthquake machine and believes that Jacob Appelbaum is C.I.A.. He calls the Green Party "fake" and alludes to it being western backed cells, but perhaps the most is revealed by his messages left in servers he has attacked, signed "Janam Fadaye Rahbar".

* Janam Fadaye Rahbar is a Persian saying that means "I'll sacrifice my soul to my leader". Retrieved from DigiNotar servers by FOX-IT.

I tested Ich Sun on his loyalties back in March. I asked him about Stuxnet and the Iran nuclear program which he listed as his primary motivations for the Comodo hack. I received several responses that have been removed. We exchanged several messages which basically amounted to him admitting that one of the primary reasons he felt Iran wanted nuclear technology was simply because the West said they couldn't have it (which has been a long standing suspicion of mine). Ich Sun then disappeared & deleted his Twitter account. (For more info on his political philosophies see his PasteBin)

DigiNotar; an anagram for 'Idiot rang'

At the end of August 2011, *.google.com rouge certificates were found being used in Iran. 300,000 of these faked certificates were being used to intercept communications through all channels Google, and 99% of these originated from Iran. While DigiNotar is not anywhere near the scale of the CA that handles Google certificates (VeriSign does), the fact the two are on the same playing field make it possible to authenticate rouge certificates (Thank NetScape for the SSL protocols).



Once identified, these rouge certificates stood out like the Oakland Raiders would at the FIFA World Cup. The rouge certificates being used in Iran were found originated from a small scale CA in the Netherlands called DigiNotar.

Now the fail at DigiNotar was extra special... So special I don't think a stoned fifteen year old would have made the same simple errors. But I think this point is best made in the form of a question. If you were to think of the best way to nullify millions of Euros in security infrastructure & equipment by creating the most flawed network configuration you could, how would you set it up?

If you said you would set up the network such that: “The most critical servers contain malicious software that can normally be detected by [free] anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.” Also you would configure the network such that, “All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.” (FOX-IT, Operation Black Tulip v1.0)

Submit your resume now, because that's just the type security DigiNotar provides.

To recap the FOX-IT report, DigiNotar ran a external Windows network that was tied into their protected server room. Those Windows boxes had zero anti-virus protection. They were unable to detect Cain & Able in their system (Cain & Able is a brute force password cracker that I can't even install on my own Windows box without 10 messages popping up, lights flashing, and two phone calls from the free anti-virus company). To top it off, DigiNotar had one master admin account that could compromise the whole system if cracked, and they had that accounts password set to “Pr0d@dm1n” (Have you never heard of Rainbow Tables?!?). It is not that DigiNotar failed to handle one of the problems that lead to CA-tastrophe we are in now, it's that they failed to negotiate a single one of these basic networking errors. DigiNotar took SSL, a single point of failure system, and added their own single point of failure on top of it.

Even with these elementary errors on the part of DigiNotar, there is some words to be said towards the skill of the attacker. For starters; he was able to pass multiple firewalls, connected remotely to a server with no internet access, bypassed a domain controller, removed log files, but perhaps most impressively he was able to write scripts in a language called XUDA written exclusively for PKI software (FOX-IT, Operation Black Tulip v1.0). The use of Cain & Able by the attacker might suggest a degree of unsophistication, but that argument would only be valid if DigiNotar had detected the program prior to getting owned. One could then argue that it's embarrassing to leave Cain & Able behind, but it's also a pretty good illustration that DigiNotar has shame is their network.

What were the rouge CA's spawned through DigiNotar?

Currently there are over 531 rouge certificates that were identified by FOX-IT. The proof of the *.Google.com certificate was posted by Ich Sun via a Microsoft Calculator which he had signed off with his rouge cert:
        * Posted in a public ZIP file on mutiupload.com

Some of the more notable rouge certificates include:
*.windowsupdate.com
Comodo Root CA
Mossad.gov.il
Facebook.com
*.*.com
*.mozilla.com
VeriSign Root CA
Cia.gov
Twitter.com
*.*.org
*.Torproject.org
GlobalSign Root CA
sis.gov.uk (MI6)
*.skype.com
JanamFadayeRahbar.com

Notable Rouge CA's: Ich Sun claims that he can issue a Windows update with his certificate. This claim is yet materialize but seems possible, at least for the time being. Tor looks as if it had exit nodes owned, resulting in MitM attack on Tor users. DigiNotar told Tor Project that they had revoked the *.Torproject.org certificates, but Jacob Appelbaum says that is not the case (as of Sept. 1st).

Certificates For Other CA's: The compromised DigiNotar CA was used to generate 187 root certificates for CA's much larger & more well known. Truthfully, I have no idea of the implications of having a rouge root cert for another CA. I asked software developer Marsh Ray who said “Certainly some effective phishing. Need to see the certs themselves to know more” (@marshray). As well as Oscar Koeroo from Nikhef who questioned whether Designated Name (DN) identifying information was enabled, which would potentially complicate any exploitation involving the root certificates. However he concluded by saying “until somebody figures out these detail, this part of the saga continues” (@okoeroo).

GlobalSign was directly named along with four other Certificate Authorities by Ich Sun in his second round of PasteBin posts.  Ich Sun claimed to have access to “their entire server” in his post the next day.   After only 24 hours of the first threat that Ich Sun had one of their root certificates, GlobalSign posted a statement that they would “cease issuance of all Certificates until the investigation is complete” (9/6/2011).  As of the last update before this post went live GlobalSign posted that the “GlobalSign CA root was created offline, and always has been offline.  Any claim of the Comodohacker to holding a private key does not refer to the GlobalSign offline root CA. The investigation also continues” (Incident Response, 9/8/2011).

Western Intelligence Agencies: Rouge certificates for the C.I.A., MI6, & Mossad were spawned.  I have no clue of their network configurations or the responsibly of the public servers to guess at the treat.  But it is none the less embarrassing that an Irani hacker obtaining multiple intelligence agencies' SSL certificates through a Certificate Authority in the Netherlands. (Can we all just burn SSL already?)

Social Media & Private Conversations: If their exists one system of surveillance that is more efficient than the C.I.A., MI6, & Mossad – It's Facebook!  Throw a few MitM interceptions on Skype, major email providers and Twitter to top it off – You got yourself a invasive surveillance cocktail...  It would be funny if it were not so serious for dissidents in Iran which my concern lays.

Goofiness on the part of Ich Sun: After spawning the certificates above, it looks as if Ich Sun had some fun.   He spawned and authenticated certificates for *.*.com and *.*.org (Notation means 'all files', 'all directories') as well as one for JanamFadayeRahbar.com (just in case he ever makes it). This is just insult to injury for DigiNotar and SSL in general.  The “trusted” third party entity (CA's) that only exists to prevent MitM attacks, can be targeted.  Where as; If a CA gets owned, “trust” can be hijacked and certificates can be forged not only for popular sites, but for sites that don't even exist yet, and even for internet fiction like star-[dot]-star[dot]com.
A complete list of the rouge certs click here.

Ich Sun and his references to Anonymous & LulzSec

Ich Sun has made two references to teaching Anon's "courses" on 0-day bugs & rootkits, so far I have seen no reply from Anon. Here are his messages:

After I explain, you'll understand how sophisticated attack it was, It will be a good hacking course for hackers like Anonymous and Lulzsec :) There was so many 0-day bugs, methods and skill shows...” (Ich Sun, 9/5/2011)
May I also start a web hacking course for Anonymous and Lulzsec and friends of them, Rootkit development for Stuxnet developers, 0-day vuln. assessment in Windows and Linux environment for Stuxnet developers and other hackers too. huh? What do you think? “ (Ich Sun, 9/6/2011)

I mention this because I have yet to hear Anon's response, or even an acknowledgment of the offer... I'll just leave it at that.

What does all this mean? (Conclusion)
SSL is dieing. Ich Sun has exposed the Certificate Authorities (for those that care to watch) as the over rated garbage they've always been. But while DigiNotar wallows in shame, they are not an isolated incident and there is no reason to think the worst is behind us. The type of breach seen at Comodo and now DigiNotar will inspire copy-cats (and I doubt the copy-cats will be as open as Ich Sun).

The time has come to reevaluate SSL & TLS as a whole. It is time to recognize that there is a single point of failure in the system. Certificate Authorities was fundamentally weak from conception, a problem that has been compounded through arrogance and complacency on the part of self proclaimed experts who peddle “security”. DigiNotar deserves to be symbolically burnt at the stake for their part. (I didn't even talk about owning SSL without hacking the CA, primarily through - look-alike unsecured redirects via SSLstrip, certificate path interception, and a TCP analyzer via SSLdump)



Where do we go from here?
A quote from an unknown source I heard today describes the situation facing us with SSL. It goes; “A strategic move in the wrong direction is better than a random move in any direction”. We are faced with few moves forward at this point. Waiting around to see if Ich Sun or others like him to disappear, or trying to repair the problem through fortifying Certificate Authorities, are equally equivalent to 'sticking your finger in a dike and praying'. We need to find a solution to the problem, a replacement for CA's that can be implemented on the mass scale necessary.

One option is to encrypt everything so that even if communications were to be intercepted, they would still need to have key for cracking the encryption. There are other problems with this I won't go into but I don't think it much of an improvement. What encryption everything would do is find one of the only ways to simultaneously increase complacency by CA's, website admins, and users. Meanwhile, the CA's and whoever else that would offer “encrypt everything” services would price gouge people that don't know any better, all while claiming increased “server load”. Over priced garbage is exactly what SSL is already, and when it's deployed through HTTPS, it's worthless and provides little other than a false sense of security. Encrypting everything is not the solution, it places the ball back in the court of the people that have repeatedly dropped it.

The best solution I have seen comes from the Perspectives Project at Carnegie Mellon University and is called “Convergence” (launched by Moxie at BlackHat 2011). The basic idea behind Convergence is to place “trust” in the hands of the user. This is accomplished through “notaries” which basically replace CA's. The user can select what notaries they choose to trust, and how many they wish to have validate a site. Convergence would allow trusted communities (like the EFF, the CCC, PirateBay, the Crypto Project, BlackHat, etc.) or for Universities to offer services as notaries. The CA game would change as users started to change who they trust in the Convergence system, especially when it is realized that certificates from notaries would be more secure and much cheaper than from a CA system today.

Convergence is very simple to install and use. First make sure you are running the newest version of FireFox (version 6) and then download the Add-on from convergence.io

Also if you don't have it already, download Tor at torproject.org and the Tor button for Mozilla FireFox version 6. Which I will end by quoting, Appelbaum: “This is the list of CA roots that should probably never be trusted again:
DigiNotar Cyber CA
DigiNotar Extended Validation CA
DigiNotar Public CA 2025
DigiNotar Public CA - G2
Koninklijke Notariele Beroepsorganisatie CA
Stichting TTP Infos CA

3 comments:

  1. Google asks Gmail customers in Iran to change passwords in the wake of Ich Sun. http://www.reuters.com/article/2011/09/09/us-google-security-idUSTRE7885U320110909

    ReplyDelete
  2. I'm really inspired along with your writing talents as neatly as with the format to your blog. Is this a paid subject or did you customize it yourself? Either way keep up the nice high quality writing, it's uncommon to see a great
    weblog like this one nowadays..

    Also visit my weblog: Juicing Beets

    ReplyDelete
  3. Awesome! Its genuinely awesome post, I have got much clear idea about
    from this post.

    Feel free to visit my site :: juicing vegetables

    ReplyDelete