Fiddling with Chromium’s new certificate pinning

Over the past few years, there have been various high-profile incidents and concerns with the Certificate Authority-based infrastructure that underpins https connections. Several different efforts are underway to tackle the problem; many are enumerated here:

And in terms of things baked directly into the browser, we have things like Firefox's Certificate Patrol add-on:

My colleague Adam Langley summarized some features and directions we've been exploring in Chromium recently; it's a good read:

These features can also be controlled via the command-line, so to give a glimpse of the future, I present to you:

Twitter Like A Boss

Run Chrome (v12 dev channel or newer required) with a command line like this:

google-chrome --user-data-dir=/tmp/chrome_twitter --incognito --disable-plugins --proxy-server=localhost:1 --proxy-bypass-list=,https://*,https://* --hsts-hosts='{"df0sSkr4gOg4VK8d/NNTAWFtAN/MjCgPCJ5ml+ucdZE=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/TXoScD1SXPfhmRO8ACTPrkXD9Yk="]},"tGm+XsbBPK211uMWtg2k071vijQkuVLvd62QzfNFol8=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/06curQTaPH4PGumbNSeL79da23s="]},"wZU3atDOXaxKkaRgSdlWwB4UYjulRq46SGnIBij5I98=":{"expiry":2000000000.0,"include_subdomains":true,"mode":"strict","public_key_hashes":["sha1/O6hykhOmHJ5HQUREC0DTDeu6+mE="]}}' --user-agent='LIKE A BOSS'

(You'll need to edit a couple of things such as the command name and the temp directory if you're on Windows or Mac).

If you wish to connect securely to Twitter, well it pretty much does so... like a boss. It does the following things and defends against the following situations:

  • The --user-data-dir flag loads Twitter in a new profile, so you get a new Chrome instance and therefore a new cookie jar. Carelessly clicked links in your other browsing windows therefore can't ride on your Twitter session and XSS you.

  • The --incognito flag applies the usual incognito changes; notably, things like profile photos won't be cached to disk, which might be useful if you're an activist.

  • --disable-plugins is strictly unnecessary since Twitter generally isn't using plug-ins. However, any "secure" command line should likely include that flag.

  • The --proxy-server=localhost:1 is a good defensive catch-all: it directs all traffic at a port nothing is listening on, so nothing leaves your browser unless it is whitelisted in --proxy-bypass-list. Specifically, a link to an XSS payload on some other site won't work on you. (You'll need to paste such links into an alternate browser, one which isn't logged in to Twitter.) This will also stop non-pinned https requests going out (which might otherwise compromise the integrity of the main page). Mixed-content bugs, cookie forcing and failure to mark cookies "Secure" are also mitigated, since the attacker-controlled or plain-http origins involved never get a connection.

  • --hsts-hosts is the magic. It pins the hosts named (by hash) in the JSON, such that SSL traffic to/from Twitter will only be accepted if the leaf SSL certificate's public key is exactly what we expect. It's called "certificate pinning" (strictly, public-key pinning: the "sha1/..." values are hashes of the certificate's SubjectPublicKeyInfo, not of the whole certificate, so a re-issued certificate for the same key still matches), and along with HSTS it defends against any compromised root CA, Comodo-gate, Tunisia-like sslstrip attacks, and the "evil country owns the firewall and a CA" situation.

  • --user-agent='LIKE A BOSS' is strictly optional, depending on your mood.

The above command line isn't finished. Although Twitter seems to run fine, there are under-the-hood failures to and other places because I haven't added the correct certificate pin for that host. The above will break if any of the leaf certificate public keys change (this doesn't necessarily happen on expiry rollover but may otherwise happen for various reasons).
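To make the flag less magical, here is a small generator and checker for the --hsts-hosts format shown above. This is an added example written for this page, not code from the post or from Chromium. It assumes two things about Chromium's TransportSecurityState of that era: that each JSON key is base64(SHA-256(hostname in DNS wire format, lowercased)) and that each pin is "sha1/" followed by base64(SHA-1(DER-encoded SubjectPublicKeyInfo)). The function and constant names (`canonicalize_host`, `host_key`, `spki_pin`, `build_hsts_hosts`, `pin_matches`, `entry_for`, `EXAMPLE_SPKI`) are mine, and EXAMPLE_SPKI is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import json

# Constructed placeholder standing in for a DER SubjectPublicKeyInfo blob.
# For a real host you would obtain the DER SPKI with something like:
#   openssl s_client -connect twitter.com:443 </dev/null 2>/dev/null \
#     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER
EXAMPLE_SPKI = b"constructed placeholder SPKI bytes, not a real public key"


def canonicalize_host(host: str) -> bytes:
    """Lowercase the name and encode it in DNS wire format:
    length-prefixed labels followed by a terminating zero byte.
    (Assumed to match Chromium's CanonicalizeHost.)"""
    out = bytearray()
    for label in host.lower().rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {host!r}")
        out.append(len(label))
        out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def host_key(host: str) -> str:
    """Key used for this host in the --hsts-hosts JSON object."""
    digest = hashlib.sha256(canonicalize_host(host)).digest()
    return base64.b64encode(digest).decode()


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the flag's "sha1/<base64>" format for one public key."""
    return "sha1/" + base64.b64encode(hashlib.sha1(spki_der).digest()).decode()


def build_hsts_hosts(pins: dict, expiry: float = 2000000000.0) -> str:
    """pins maps hostname -> list of DER SPKI blobs (list at least two: the
    live key and a backup, so a key change does not lock you out).
    Returns the value to pass as --hsts-hosts='...'."""
    entries = {}
    for host, spkis in pins.items():
        entries[host_key(host)] = {
            "expiry": expiry,
            "include_subdomains": True,
            "mode": "strict",
            "public_key_hashes": [spki_pin(s) for s in spkis],
        }
    return json.dumps(entries, separators=(",", ":"))


def entry_for(flag_value: str, host: str):
    """Look up the pin entry for a hostname in a --hsts-hosts value, or None."""
    return json.loads(flag_value).get(host_key(host))


def pin_matches(chain_spkis: list, entry: dict) -> bool:
    """The check a pinned connection must pass: at least one public key in
    the presented certificate chain hashes to a pin in the entry. (The post's
    flag lists only leaf keys; intermediate keys could be pinned the same way.)"""
    return any(spki_pin(s) in entry["public_key_hashes"] for s in chain_spkis)


if __name__ == "__main__":
    flag = build_hsts_hosts({"twitter.com": [EXAMPLE_SPKI]})
    print("--hsts-hosts='%s'" % flag)
    print("twitter.com key:", host_key("twitter.com"))
```

Running the block prints a flag value in the same shape as the one in the command line above; comparing `host_key("twitter.com")` against the keys in that flag is a quick way to confirm the hashing assumption. The `pin_matches` helper is the useful half for a practitioner: before deploying a pin set, run the DER SPKIs from your server's real chain through it and make sure a second, offline backup key is in the list, because (as the post warns) a key change with only one pinned key locks every pinned client out until the flag is edited.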

Hopefully this demo is compelling. The plan is to push this technology more and more under the covers so that it happens for less technical users who have an empty command line!

PlayStation Network hacked: Personal data of up to 70 million people stolen

Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

    * Name
    * Address (city, state, zip code)
    * Country
    * Email address
    * Date of birth
    * PlayStation Network/Qriocity password and login
    * Handle/PSN online ID


In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.

As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of the PCI data security standards and was storing this and other personal data unencrypted.

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.

So you should always use unique passwords.


Oh, and you better be sure that you have changed your “secret answers” too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to come from a legitimate organisation (perhaps Sony themselves?) in order to steal more information, or which carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.

This security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.

If you’re a user of Sony’s PlayStation Network now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account become casualties of this hack.

That means changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply tell your bank that, as far as you’re concerned, the card is now compromised.

Should you cancel your credit card?

Look at it this way.


If I lost my credit card in the back of a taxi I would cancel my card. I wouldn’t wait for a fraudster to sting it for cash. If Sony has lost your credit card details then it’s worse as the credit card information is now being held digitally, right in the hands of people best placed to exploit it.

So, yes. I would cancel my credit card.

More information can be found in Sony’s blog post and in their FAQ.

Update: Sony has now said that the credit card data was encrypted, but questions still remain about the strength of that encryption.

419 Scammers Still Open to ‘Traditional Postal Services’ Option

Communication in today’s world is dominated by email, instant messaging, and social networking. However, for formal statements or announcements, hard-copy letters are still sent through the postal service. In both mediums, unwanted, unsolicited letters are nothing new; it may still be surprising, though, to see a spam message delivered by post: somewhat low-tech, but perhaps the most effective way to bypass every kind of online security filter. In a letter shared by a recipient, we found text familiar from emails associated with scams. We confirmed the hard-copy letter to be a 419 scam.

Here is the scanned copy of the letter (where the identity and address of the recipient have been blurred):

The text of the letter has everything we commonly see in email scams, except that there is no reply-to email address. Instead, the scammer stresses that recipients must reply only by fax (a direct telephone and fax number are given), even if that means buying a new fax machine.

Such spam campaigns are already known to be widespread online and quite possibly have been seen in letter form in the past as well. As always, Symantec is committed to providing maximum security to its online users. However, with this particular incident, we would like to remind users to be wary of scams that arrive by post, too.

I LOVE YOU – Virus-inspired movie trailer and world premiere

The Love Bug. I LOVE YOU. LoveLetter. All different names for one of the world’s most famous viruses, which spread around the globe in May 2000, infecting millions of computers and clogging up email systems.

If you have an interest in IT and were around at the time, you’ll surely remember it. But if you don’t, you can quickly catch up by checking out my memories of those crazy days.

So what can possibly be new to say about the Love Bug? Well, on Friday a movie inspired by the malware will be getting its world premiere.


I first wrote about “Subject: I Love You” way back in November 2008, but now it’s finally seeing the light of day – at 5pm on Friday 30th April, at the Newport Beach Film Festival in California.

And here is its trailer:

It certainly looks professionally done, and has some not entirely unfamiliar actors (Briana Evigan plays the female lead, ex-Superman Dean Cain has a role, and True Blood’s Kristin Bauer also features).

Want more information about the movie? Here’s the promotional puff:

This action-packed romantic drama is based on the destructive 'I Love You' computer virus. This virus spread around the globe at the turn of the millennium, shutting down computer systems at the Pentagon, Parliament and the CIA. For Victor he will do anything to reconnect with the only woman he's ever loved - even if that means entangling himself in an international criminal investigation. Never have the words "I love you" almost ruined the world.

It sounds like your usual story of “Boy meets girl. Loses girl. Writes computer virus to infect millions of computers around the world to tell girl he loves her. Gets girl.” Nothing out of the ordinary there, then.

Inspired by true events? Hmm.. well, not with the greatest precision. The real Love Bug wasn’t written to impress a girl, but instead attempted to steal internet passwords. One wonders also if the film’s producers will engage in any err.. viral marketing to promote it.

I don’t want to come across as too much of a fuddy-duddy, but let’s hope the movie doesn’t glorify the creation of malware too much. Even in the days of the Love Bug it was a problem which could have a serious impact on businesses and home users.

If you’re able to get to the movie premiere and see “Subject: I Love You” why not leave a comment with your review of the film?