Today in a meeting I referenced a 2007 paper by Arjen Lenstra and Benne de Weger on how to break MD5 to abuse vendor software updates.

Here it is again for convenience:

Given the recent insights into the weaknesses of MD5, the bottomline of our work is: MD5 should no longer be used as a hash function for software integrity or code signing purposes. By now, everyone should be aware of this.

The paper also explained why their collisions were different from before.

In December 2004 Dan Kaminsky and Ondrej Mikle, and later Peter Selinger, published similar attacks, based on the Wang-type collisions that require two binary files that differ only in the colliding blocks. To create such files from two executables with different behaviour that yet collide under MD5, each of the two files has to contain both executables in full, somehow using the collision to switch on the one and hide the other.

Our colliding files are based on chosen-prefix collisions. This means that we only have to append a few thousand carefully chosen bytes to each file to reach an MD5 collision. Each file by itself contains only one of the two executables. This is less suspicious.

And we also knew in 2007, in terms of real-world data, that Google could easily show collisions were far more common than one might expect.

Fast forward to today and it is like some people completely missed five years of warnings.

…the collision attacks observed in Flame could have been prevented if Microsoft had stopped employing MD5 sooner.

Whether or not you buy into the big compute-power argument or the attack sophistication argument for Flame (neither of which are well quantified) since 2007 the message has been to stop using MD5 for trust.

The xorg-x11-server log may have a format string flaw in certain forms of its log message. An attacker would have to give a device a specific name and then get the local Xorg server instance to use it for the flaw to cause the server to abort or malfunction.

IBM rated this vulnerability high risk yet gave it a base score of 4.4

X.org could allow a local attacker to execute arbitrary code on the system, caused by a format string error when adding an input device with a malicious name. By persuading a victim to open a specially-crafted file containing malicious format specifiers, a local attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash.

NIST gives it a perfect 10, however.

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

The flaw is explained on Patchwork

The culprit here was not the user-supplied format string but rather xf86IDrvMsg using the device’s name, assembling a format string in the form of

 [driver]: [name]: message[/name][/driver]

i.e. “evdev: %n%n%n%n: Device \”%s\”\n”
and using that as format string to LogVWrite.

I also mentioned a serious vulnerability related to evdev in an earlier post.

…crash is related to changing the driver for input devices using evdev (xserver-xorg-input-evdev) — the kernel event delivery mechanism that handles multiple keyboards and mice as separate input devices

I have had several people ask about the possibility of terrorist activity related to the Colorado fires. There are two main factors to explore at this point. Recent intelligence reports coupled with the evidence of arson in proximity of inhabited areas make it impossible to rule out terrorism.

Intelligence reports

Terrorist groups on May 2nd, 2012 published details on how to use fire as a weapon, as reported by ABC news on May 3rd.

Several days later, on May 7th, 2012, the Denver Division of the FBI released a Criminal Activity Alert to raise awareness about wildfires and Al-Qaida. It mentioned the terrorist group was monitoring for the right conditions, such as high winds and dryness, to spread fires. By the end of the month a Homeland Security / DHS report was issued called “Terrorist Interest in Using Fire as a Weapon.”

For at least a decade, international terrorist groups and associated individuals have expressed interest in using fire as a tactic against the Homeland to cause economic loss, fear, resource depletion, and humanitarian hardship. There is no evidence that international terrorist groups and inspired individuals are responsible for any purposeful destruction of public or private property by setting wildfires in the United States. Using fire as a weapon, however, is inexpensive and requires limited technical expertise, giving it a strong advantage over other methods of attack. Statements advocating this tactic are most often found on violent extremist Web forums and in violent extremist propaganda.

[…]

We have no indications AQAP or unaffiliated violent extremists are planning to act upon the suggestions contained in Inspire.

[…]

We do not have any current intelligence indicating terrorists or violent extremists in the United States are planning to use fire as a weapon as described in Inspire magazine and online violent extremist forums. However, because terrorists have long shown interest in this tactic, which is inexpensive, low risk, and requires little technical knowledge, we encourage first responders to remain vigilant to indicators of the potential use of fire as a weapon

Evidence of Arson

It is not clear whether it is by “inspired individuals” or terrorists but reports indicate human fault during the exact conditions mentioned by the FBI.

Fire investigators believe the fire was sparked by someone participating in recreational shooting over the weekend, possibly by people shooting a gun at a fuel tank.

The latest Detailed Situation Report from the Geographic Area Coordination Center (GACC) for the Rocky Mountains (RMCC) has the following data showing rapid spread of fires in populated areas:

New Fires: 18
Acres: 54,105
Uncontrolled Fires: 7

InciWeb shows the proximity of the Waldo fire to Colorado Springs, forcing the evacuation of more than 30,000.

Here are recent photos taken by Phillip Smith in the Colorado Springs area

The GACC Large Incident Report gives current estimates such as the following:

Waldo Canyon Structures Threatened: 20,085 PRIM , 160 COMM
Waldo Canyon Costs to Date: $1,950,194
High Park Structures Threatened: 1,969 PRIM , 6 COMM
High Park Structures Destroyed: 257 PRIM , 52 OUTB
High Park Costs to Date: $33,100,000

Although these numbers are incredibly large and show the fires to be disastrous, the Incident Information System and National Interagency Fire Center puts them in context of national activity.

Large fire activity increased yesterday as 15 new large fires were reported: four in Montana, three in Alaska and Alabama, and one in Arizona, Colorado, New Mexico, Utah and Wyoming. Firefighters contained five large fires, including the Dump and Grease fires in Utah.

[…]

10 Year Average 2003-2012
Fires: 36,407
Acres: 1,931,551

The large fire data across the western states corresponds with their map of high risk areas.

It can also be compared to the current Large Fire Incidents map from the USDA Forest Service Active Fire Mapping Program.

So there is a strong correlation of intelligence data with evidence of arson, but cause still needs to be fully investigated.

A domain has been registered called goodsecurityquestion.com. It’s hard to believe it isn’t a phishing site but it seems legit, albeit a bit sarcastic. It warns emphatically, for example, “there really are NO GOOD security questions” while at the same time it provides a list called “Good Security Questions”.

Maybe they should have said there is NO goodsecurityquestion.com.

My real issue with the site is that it does not explain in much detail why a good question differs from a fair question. Answering with a city in the good list does not seem any better than answering with a city in the fair list. In other words, the start of the question in the good list is “In what city…” and the start of the question in the fair list is “In what city…”, which seems to violate their own rules.

Perhaps an argument could be made for types of city questions. Threats will use brute force or research to guess the answers. So a question that asks for a honeymoon city might be easier to guess (shorter list) than a question that asks about a birth city. But that seems unlikely. Counter arguments are easy to make (e.g. if you ask for a city the rest of the question is ignored).

We used to spend long days and nights at Yahoo! trying to craft tough questions. A lot of research has been done since then but what I haven’t seen yet is a compound question system. It would be nice if the user could select from two parts (e.g. favorite sports team and then color, or favorite sports team and MVP). When answering they only get the first half of the question. The second part would be hidden from the attacker and therefore brute force and research would both be seriously disadvantaged.