lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.42.0209092007270.26057-100000@nimue.bos.bindview.com>
From: lcamtuf at ghettot.net (Michal Zalewski)
Subject: Strange Attractors and TCP/IP Sequence Number Analysis - One Year
 Later

Hello,

Over a year ago, I published a paper that attempted to analyze the
randomness of PRNGs used in TCP/IP stacks on several operating systems.
The approach I've chosen resulted in detecting some non-trivial
dependencies in several generators, and some amusing 3D pictures. The
original RAZOR research is available here:

  http://razor.bindview.com/publish/papers/tcpseq.html

Since then, I've received numerous requests to publish a follow-up
document that would review some more operating system, and address the way
vendors addressed problems reported previously. I'm cross-posting this to
BUGTRAQ and VulnWatch, because some of newly included or re-tested systems
turned out to have fairly weak ISNs, and I would expect some vendor
response soon.

The new review is available here:

  http://lcamtuf.coredump.cx/newtcp/

To explain the reason I decided to write this - I have a strong feeling
that this problem is still important nowadays, even if often downplayed.
There are several attack scenarios to consider:

  - high-profile information - website contents, e-mails, DNS zone
    transfers, ftp data, etc - is typically exchanged without encryption;
    the ability for an attacker to disrupt or modify the information flow
    in those streams is generally a bad thing in the real world; and
    weak ISNs make it much easier for a third party to accomplish this goal,

  - many systems still rely on IP addresses to implement the first line
    of defense; for example, limiting an access to a SSH or FTP
    server to a specific set of IP addresses is a common practice; the
    underlying service can become exposed if the system has weak ISNs,

  - IP addresses logged for a completed TCP/IP handshake are typically
    trusted by administrators for purposes such as tracking spam,
    script kiddies, or detecting unauthorized access. The ability for
    an attacker to act as an other system can mislead the administrator,

  - most of crypto protocols turned out to be less than perfect;
    susceptibility to MITM attacks is a pretty common problem,
    sometimes caused by the implementation, often caused by the human
    factor; blind spoofing makes it feasible to launch cerain MITM
    attacks.

Note that I'm not trying to be alarmistic, the sky is not falling yet, but
it's certainly something worth looking at.

Well :-) Have fun.


-- 
Michal Zalewski
Got jobs?



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ