RSA’s SecurID 800 is one of at least five commercially available security devices susceptible to a new attack that extracts cryptographic keys used to log in to sensitive corporate and government networks.

Scientists have devised an attack that takes only minutes to steal the sensitive cryptographic keys stored on a raft of hardened security devices that corporations and government organizations use to access networks, encrypt hard drives, and digitally sign e-mails.

The exploit, described in a paper to be presented at the CRYPTO 2012 conference in August, requires just 13 minutes to extract a secret key from RSA’s SecurID 800, which company marketers hold out as a secure way for employees to store credentials needed to access confidential virtual private networks, corporate domains, and other sensitive environments. The attack also works against other widely used devices, including the electronic identification cards the government of Estonia requires all citizens 15 years or older to carry, as well as tokens made by a variety of other companies.

“They’re designed specifically to deal with the case where somebody gets physical access to it or takes control of a computer that has access to it, and they’re still supposed to hang onto their secrets and be secure,” Matthew Green, a professor specializing in cryptography in the computer science department at Johns Hopkins University, told Ars. “Here, if the malware is very smart, it can actually extract the keys out of the token. That’s why it’s dangerous.” Green has blogged about the attack here.

It’s this version of the attack the scientists used to extract secret keys stored on RSA’s SecurID 800 and many other devices that use PKCS#11, a programming interface included in a wide variety of commercial cryptographic devices. Under the attack Bleichenbacher devised, it took attackers about 215,000 oracle calls on average to pierce a 1024-bit cryptographic wrapper. That required enough overhead to prevent the attack from posing a practical threat against such devices. By modifying the algorithm used in the original attack, the revised method reduced the number of calls to just 9,400, requiring only about 13 minutes of queries, Green said.

Other devices that store RSA keys that are vulnerable to the same attack include the Aladdin eTokenPro and iKey 2032 made by SafeNet, the CyberFlex manufactured by Gemalto, and Siemens’ CardOS, according to the paper.

BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.

It works way better than it ever should.

How?
Basic usage:

$ ruby bozocrack.rb my_md5_hashes.txt

The input file has no specified format. BozoCrack automatically picks up strings that look like MD5 hashes. A single line shouldn’t contain more than one hash.

Example with output:

$ ruby bozocrack.rb example.txt
Loaded 5 unique hashes
fcf1eed8596699624167416a1e7e122e:octopus
bed128365216c019988915ed3add75fb:passw0rd
d0763edaa9d9bd2a9516280e9044d885:monkey
dfd8c10c1b9b58c8bf102225ae3be9eb:12081977
ede6b50e7b5826fe48fc1f0fe772c48f:1q2w3e4r5t6y

Why?
To show just how bad an idea it is to use plain MD5 as a password hashing mechanism. Honestly, if the passwords can be cracked with this software, there are no excuses.

Who?
BozoCrack was written by Juuso Salonen

Download: bozocrack.rb

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this article was first published, Google released a developer version of its Chrome browser designed to thwart the attack.

addons.mozilla.org disclosure
12.27.10 – 10:35pm

On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.

The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.

It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure. This information was also sent to impacted users by email on December 27th.

Chris Lyon
Director of Infrastructure Security – Mozilla

Researchers have decomposed a 768-bit number with 232 decimal places into its two prime factors and published a paper with their results. The number is the string released as “RSA-768″ under the now defunct RSA Challenge. As a result, RSA encryptions with 768-bit keys must, from now on, be considered cracked.

It took the team of researchers from Switzerland, Japan, Germany, France, the US and the Netherlands about two and a half years to perform the factorisation. The first step of the calculation, polynomial selection, required half a year on a cluster consisting of 80 PCs, while the second and considerably more labour-intensive sieving step took about two years on a cluster of several hundred computers. According to the researchers, a single Opteron processor with 2 Gbytes of RAM would have needed about 1,500 years to complete the sieving step.

As RSA-512 was cracked about a decade ago, the researchers assume that the computing power required to master RSA-1024 is likely to become available in about ten years. They therefore recommend that all 1024-bit RSA keys be decommissioned by 2014 at the latest.

Source: The H Security