<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style>
<!--
@font-face
{font-family:Calibri}
@font-face
{font-family:Tahoma}
@font-face
{font-family:Verdana}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
p
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif"}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif"}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Times New Roman","serif"}
span.emailstyle18
{font-family:"Calibri","sans-serif";
color:#1F497D}
span.BalloonTextChar
{font-family:"Tahoma","sans-serif"}
span.EmailStyle22
{font-family:"Calibri","sans-serif";
color:#1F497D}
.MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
-->
</style><style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body ocsi="0" fpstyle="1" vlink="purple" lang="EN-US" link="blue">
<div style="direction: ltr; font-family: Verdana; color: rgb(0, 0, 0); font-size: 13px;">
<div style="">The SSL system (as it is currently implemented) does not make this easy.<br>
<br>
If a new device was to generate it's own keys, it would need them signed by a CA in order for connections to that device to not generate errors. If the device were to do it on its own, the company would be leaking a CA, which would reduce the security of the
system as a whole. If the device were to automatically generate a CSR and send it to an outside party for signing, it would open up a ton of concerns. These would include the possibility of an attacker breaking the system and gaining a free "sign as many
CSRs as you want" service, the cost of building and maintaining the infrastructure and increased helpdesk calls for situations where the device may not have direct access to the net. Economically, they're just not going to do this unless the customer demand
is there. The risk/reward equation just isn't in their favor.<br>
<br>
Probably the best things for us little folks to do is to purchase products or use projects that allow us to create our own keys. Then, once we get them, we can find out if they automatically generate their own keys or if it's an optional thing. Then we can
just assume that all other systems use a pre-shared key system and is potentially vulnerable to this sort of issue.<br>
<br>
<br>
</div>
<div><br>
<div style="font-family: Tahoma; font-size: 13px;">
<div style="font-family: Tahoma; font-size: 13px;">
<div style="font-family: Tahoma; font-size: 13px;">
<div style="font-family: Arial; font-size: 13px;">
<div style="font-size: 13px;">
<div style="font-size: 13px;">
<div style="font-size: 13px;">
<div style="font-size: 13px;">
<div style="font-size: 13px;">
<div style="font-size: 13px;">
<div style="font-size: 13px;">
<div style="font-size: 13px;"><font size="2"><span style="font-size: 11pt;"><font size="2"><span style="font-size: 10pt;"><font size="3"><span style="font-weight: bold;">Josh More</span></font> | Senior Security Consultant - CISSP, GIAC-GSLC, GIAC-GCIH<br>
<span style="font-weight: bold;">Alliance Technologies</span> | <a href="http://www.alliancetechnologies.net" style="color: rgb(255, 0, 0);">
www.AllianceTechnologies.net</a><br>
400 Locust St., Suite 840 | Des Moines, IA 50309<br>
515.245.7701 | 888.387.5670 x7701<br>
</span></font></span></font><br>
Santa is Secure. Are you? <br>
<a href="http://www.alliancetechnologies.net/security/santa-2010">http://www.alliancetechnologies.net/security/santa-2010</a><br>
<br>
<font size="2"><span style="font-size: 11pt;"><font size="2"><span style="font-size: 10pt;">How are we doing? Let us know here:<br>
<a href="http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey">http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey</a><br>
</span></font></span></font>
<p class="MsoNormal"></p>
<div style="font-size: 13px;"></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div style="font-family: Times New Roman; color: rgb(0, 0, 0); font-size: 16px;">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF614613"><font color="#000000" size="2" face="Tahoma"><b>From:</b> cialug-bounces@cialug.org [cialug-bounces@cialug.org] on behalf of Nathan C. Smith [nathan.smith@ipmvs.com]<br>
<b>Sent:</b> Thursday, December 23, 2010 10:51<br>
<b>To:</b> 'Central Iowa Linux Users Group'<br>
<b>Subject:</b> Re: [Cialug] DD-WRT (and others) Risk<br>
</font><br>
</div>
<div></div>
<div>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">I (naively?) thought most systems generated their own keys the first time you started them up. I’m a bit disappointed to find out about this.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">I’m hoping there is a demarcation in there somewhere between the D-link, Linksys and Netgear stuff and the Juniper, Cisco, etc. equipment where
this is not the case.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">-Nate</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"> </span></p>
<div>
<div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";"> cialug-bounces@cialug.org [mailto:cialug-bounces@cialug.org]
<b>On Behalf Of </b>Josh More<br>
<b>Sent:</b> Thursday, December 23, 2010 10:27 AM<br>
<b>To:</b> Central Iowa Linux Users Group<br>
<b>Subject:</b> Re: [Cialug] DD-WRT (and others) Risk</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: "Verdana","sans-serif"; color: black;">Nate,<br>
<br>
Not that I know of. I'm just starting to look into it myself. Fundamentally, though, what we're seeing is the other end of asymmetric cryptography. It's great for cases when you have to cross a trust boundary, but the instant the security of the private
key is breached, the cryptosystem fails.<br>
<br>
The lesson here is that open source projects should make it easy for you to roll your own keys. Closed source products should make use of revocation lists, engage in frequent key rotation, and code the updates into the products themselves (or allow you to
roll your own keys).<br>
<br>
Otherwise all someone has to do is start collecting leaked keys and being patient.<br>
<br>
The rule of thumb to follow is that if you think your organization can protect private keys better than your vendor can, you should probably replace their keys with your own.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: "Verdana","sans-serif"; color: black;"> </span></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-family: "Arial","sans-serif"; color: black;">Josh More</span></b><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: black;"> | Senior Security Consultant - CISSP, GIAC-GSLC, GIAC-GCIH<br>
<b>Alliance Technologies</b> | <a href="http://www.alliancetechnologies.net" target="_blank">
<span style="color: red;">www.AllianceTechnologies.net</span></a><br>
400 Locust St., Suite 840 | Des Moines, IA 50309<br>
515.245.7701 | 888.387.5670 x7701<br>
<br>
Santa is Secure. Are you? <br>
<a href="http://www.alliancetechnologies.net/security/santa-2010" target="_blank">http://www.alliancetechnologies.net/security/santa-2010</a><br>
<br>
How are we doing? Let us know here:<br>
<a href="http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey" target="_blank">http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey</a></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div class="MsoNormal" style="text-align: center;" align="center"><span style="color: black;">
<hr align="center" size="2" width="100%">
</span></div>
<div id="divRpF696598">
<p class="MsoNormal" style="margin-bottom: 12pt;"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: black;">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: black;"> cialug-bounces@cialug.org
[cialug-bounces@cialug.org] on behalf of Nathan C. Smith [nathan.smith@ipmvs.com]<br>
<b>Sent:</b> Thursday, December 23, 2010 10:24<br>
<b>To:</b> 'Central Iowa Linux Users Group'<br>
<b>Subject:</b> Re: [Cialug] DD-WRT (and others) Risk</span><span style="color: black;"></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">Josh,</span><span style="color: black;"></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"> </span><span style="color: black;"></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">thanks for pointing this out. Is there a plain listing of suspect manufacturers/devices somewhere?</span><span style="color: black;"></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"> </span><span style="color: black;"></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);">-Nate</span><span style="color: black;"></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family: "Calibri","sans-serif"; color: rgb(31, 73, 125);"> </span><span style="color: black;"></span></p>
<div>
<div style="border-width: 1pt medium medium; border-style: solid none none; border-color: windowtext -moz-use-text-color -moz-use-text-color; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: black;">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: black;"> cialug-bounces@cialug.org [mailto:cialug-bounces@cialug.org]
<b>On Behalf Of </b>Josh More<br>
<b>Sent:</b> Thursday, December 23, 2010 10:09 AM<br>
<b>To:</b> cialug@cialug.org<br>
<b>Subject:</b> [Cialug] DD-WRT (and others) Risk</span><span style="color: black;"></span></p>
</div>
</div>
<p class="MsoNormal"><span style="color: black;"> </span></p>
<div>
<div>
<p class="MsoNormal" style="margin-bottom: 12pt;"><span style="font-size: 10pt; font-family: "Verdana","sans-serif"; color: black;">Since we still have a list right now, and since I know that tomorrow is a down day for everyone with no obligations other than
reading and responding to security threats, I thought I'd share this link: <a href="http://seclists.org/fulldisclosure/2010/Dec/492" target="_blank">
http://seclists.org/fulldisclosure/2010/Dec/492</a><br>
<br>
Nutshell version: If you're running DD-WRT, you might want to roll your own self-signed cert. If you're running one of the others in the DB, you're probably out of luck. If you typically have to analyze SSL traffic for fun or profit, merry Christmas.</span><span style="color: black;"></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size: 10pt; font-family: "Verdana","sans-serif"; color: black;"> </span><span style="color: black;"></span></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><b><span style="font-family: "Arial","sans-serif"; color: black;">Josh More</span></b><span style="font-size: 10pt; font-family: "Arial","sans-serif"; color: black;"> | Senior Security Consultant - CISSP, GIAC-GSLC, GIAC-GCIH<br>
<b>Alliance Technologies</b> | <a href="http://www.alliancetechnologies.net" target="_blank">
<span style="color: red;">www.AllianceTechnologies.net</span></a><br>
400 Locust St., Suite 840 | Des Moines, IA 50309<br>
515.245.7701 | 888.387.5670 x7701<br>
<br>
Santa is Secure. Are you? <br>
<a href="http://www.alliancetechnologies.net/security/santa-2010" target="_blank">http://www.alliancetechnologies.net/security/santa-2010</a><br>
<br>
How are we doing? Let us know here:<br>
<a href="http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey" target="_blank">http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey</a></span><span style="color: black;"></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>