Nicely timed to drop on the final day of Windows 7 support, Windows 10 received a fix to an extremely serious flaw in
crypt32.dll. This flaw was reported by the good guys at the NSA. (We know it was the good guys, because they reported it rather than used it to spy on us.) It’s really bad. If you’re running Windows 10, go grab the update now. OK, you’re updated? Good, let’s talk about it now.
The flaw applies to X.509 keys that use elliptic curve cryptography. We’ve discussed ECC in the past, but let’s review. Public key encryption is based on the idea that some calculations are very easy to perform and verify, but extremely difficult to calculate the reverse operation.
The historic calculation is multiplying large primes, as it’s unreasonably difficult to factorize that result by a conventional computer. A true quantum computer with enough qubits will theoretically be able to factorize those numbers much quicker than a classical computer, so the crypto community has been searching for a replacement for years. The elliptic curve is the solution that has become the most popular. An agreed-upon curve and initial vector are all that is needed to perform the ECC calculation.
There are potential weaknesses in ECC. One such weakness is that not all curves are created equal. A well constructed curve results in good cryptography, but there are weak curves that result in breakable encryption.
With that foundation laid, the flaw itself is relatively easy to understand. An X.509 certificate can define its own curve. The Windows 10 implementation doesn’t properly check the curve that is specified. A malicious curve is specified that is similar to the expected curve — similar enough that the checks in
crypt32 don’t catch it. Continue reading “This Week In Security: Windows 10 Apocalypse, Paypal Problems, And Cablehaunt”
[Prusa]’s business is doing great. This year, he released the Prusa i3 Mk. 2, a four color upgrade to the printer, and sales are through the roof. There’s just one problem: Paypal just locked his funds. Prusa is turning away from Paypal and given Paypal’s history, this will eventually be worked out. Be warned, though: don’t use Paypal for your hardware business. We’ve seen this same story played out too many times before.
Those millennials are always on their phones. How do you get rid of that distraction? Airplane mode? No, that’s stupid. Put those phones in a metal box. It’s the exact same thing as airplane mode – which is free – but this extra special metal box costs $45 and ships in March. Is this metal box different from any other metal box, like a cookie tin, perhaps? Probably not.
Nothing to see here, folks.
The holidays are here, and it’s time for Cards Against Humanity to do something stupid with other people’s money. This year, they’re throwing money into a hole. No, really. People are contributing money to dig a gigantic hole. There’s a livestream of the digging. Five dollars lets the dig continue for another few seconds. Join in on the holiday spirit: throw your money into a hole.
You don’t want to throw your money into a hole? Buy some stuff on Tindie! There’s robots, CNC controllers, servo drivers, MIDI arpeggiators, USB testers, power supplies, blinky glowy things, and retro gaming stuff. Go plug your Raspberry Pi into some of these gizmos.
The Mechaduino is a board that clips onto a ubiquitous NEMA stepper motor to turn it into a servo motor. It won 5th place in the Hackaday Prize last month, and we can’t wait to see it integrated into a closed-loop 3D printer. [Chris] came up with an Ethernet-enabled servo-stepper conversion, and now it’s a project on Kickstarter. Of course, you can buy a Mechaduino right now, making the future of stepper motor-controlled desktop CNC very interesting.
Individually addressable RGB LEDs exist, and we’re waiting for Clark Griswold to electrify his house in red, green, and blue. Until then, [Michel built a holiday ornament loaded up with 16 WS2812b LEDs. The star features caps and diodes to make everything work as it should and requires only three wires per star.
For the last decade or so, PayPal has drawn the ire of Internet commentators and people who try to do business on the Internet. The claims go from freezing the accounts of non-profits for months, earning interest all the while, ineffectual support, and generally behaving exactly like a bank but without all those nifty consumer protection laws on the books in every sane country. Then the founder of PayPal turned into Tony Stark and everything was cool again.
This doesn’t mean PayPal isn’t up to its old tricks, though. [Gareth Hayes], the guy behind the HackRF Blue, recently had a run-in with PayPal. The PayPal account associated with the HackRF Blue Indiegogo project was frozen shortly after the campaign ended. To unfreeze his account, [Gareth] was required to submit a few forms of identification and proof of residence. He could submit this via fax (‽) or through an ‘upload’ button in the PayPal resolution center that didn’t exist.
[Gareth] is not one to mess around, and it was only after several emails, ending with him demanding PayPal release the funds with interest and a few hours of consulting at $300/hr that the funds were released. When somebody is keeping $40,000 from you, it’s a good idea to play hardball. However, [Gareth]’s PayPal account was still frozen for the better part of three weeks. For a crowdfunding campaign, that’s three weeks that suppliers can’t be paid, components can’t be bought, and assembly can’t happen. For any campaign, PayPal is a liability.
This, unfortunately, isn’t anything new. Google News is littered with stories of PayPal withholding funds from crowdfunding campaigns. The message is clear: get your passport, driver’s license, utility bills, dog license, and fourth grade report card uploaded to PayPal somehow before the campaign ends.
Yesterday, [Gareth] received word that his account had been unfrozen, but not before he threatened the nuclear option and started letskillpaypal.com. A worthy cause if we’ve ever seen one.
The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.
Paypal is a huge player in the payment processing world, but that doesn’t mean they aren’t without their flaws. Sometimes the bigger the target, the more difficult it is to find problems. [Yasser] wanted to experiment with a cross-site request forgery attack. This type of attack typically requires the attacker to trick the victim into clicking a malicious link. The link would then impersonate the victim and make requests on the victim’s behalf. This is only made possible if the victim is logged into the target website.
PayPal has protection mechanisms in place to prevent this kind of thing, but [Yasser] found a loophole. When a user logs in to make a request, PayPal gives them an authentication token. This token is supposed to be valid for one user and one request only. Through experimentation, [Yasser] discovered a way to obtain a sort of “skeleton key” auth token. The attacker can attempt to initiate a payment transfer without first logging in to any PayPal account. Once the transfer is attempted, PayPal will request the user to authenticate. This process produces an auth token that apparently works for multiple requests from any user. It renders the authentication token almost entirely ineffective.
Once the attacker has a “universal auth token”, he can trick the victim into visiting a malicious web page. If the user is logged into their PayPal account at the time, the attacker’s webpage can use the universal auth token to trick the victim’s computer into making many different PayPal requests. Examples include adding email addresses to the account, changing the answers to security questions, and more. All of this can be done simply by tricking the user into clicking on a single link. Pretty scary.
[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly. It’s always great to see big companies like PayPal promoting responsible disclosure and rewarding it rather than calling the lawyers. Be sure to catch a video demonstration of the hack below. Continue reading “Hacking PayPal Accounts With CSRF”