[Cialug] DD-WRT (and others) Risk

Nathan C. Smith nathan.smith at ipmvs.com
Thu Dec 23 10:51:21 CST 2010


I (naively?) thought most systems generated their own keys the first time you started them up.  I'm a bit disappointed to find out about this.

I'm hoping there is a demarcation in there somewhere between the D-link, Linksys and Netgear stuff and the Juniper, Cisco, etc. equipment where this is not the case.

-Nate

From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf Of Josh More
Sent: Thursday, December 23, 2010 10:27 AM
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] DD-WRT (and others) Risk

Nate,

Not that I know of.  I'm just starting to look into it myself.  Fundamentally, though, what we're seeing is the other end of asymmetric cryptography.  It's great for cases when you have to cross a trust boundary, but the instant the security of the private key is breached, the cryptosystem fails.

The lesson here is that open source projects should make it easy for you to roll your own keys.  Closed source products should make use of revocation lists, engage in frequent key rotation, and code the updates into the products themselves (or allow you to roll your own keys).

Otherwise all someone has to do is start collecting leaked keys and being patient.

The rule of thumb to follow is that if you think your organization can protect private keys better than your vendor can, you should probably replace their keys with your own.

Josh More | Senior Security Consultant - CISSP, GIAC-GSLC, GIAC-GCIH
Alliance Technologies | www.AllianceTechnologies.net<http://www.alliancetechnologies.net>
400 Locust St., Suite 840 | Des Moines, IA 50309
515.245.7701 | 888.387.5670 x7701

Santa is Secure.  Are you?
http://www.alliancetechnologies.net/security/santa-2010

How are we doing? Let us know here:
http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey
________________________________
From: cialug-bounces at cialug.org [cialug-bounces at cialug.org] on behalf of Nathan C. Smith [nathan.smith at ipmvs.com]
Sent: Thursday, December 23, 2010 10:24
To: 'Central Iowa Linux Users Group'
Subject: Re: [Cialug] DD-WRT (and others) Risk
Josh,

thanks for pointing this out.  Is there a plain listing of suspect manufacturers/devices somewhere?

-Nate

From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf Of Josh More
Sent: Thursday, December 23, 2010 10:09 AM
To: cialug at cialug.org
Subject: [Cialug] DD-WRT (and others) Risk

Since we still have a list right now, and since I know that tomorrow is a down day for everyone with no obligations other than reading and responding to security threats, I thought I'd share this link:  http://seclists.org/fulldisclosure/2010/Dec/492

Nutshell version:  If you're running DD-WRT, you might want to roll your own self-signed cert.  If you're running one of the others in the DB, you're probably out of luck.  If you typically have to analyze SSL traffic for fun or profit, merry Christmas.

Josh More | Senior Security Consultant - CISSP, GIAC-GSLC, GIAC-GCIH
Alliance Technologies | www.AllianceTechnologies.net<http://www.alliancetechnologies.net>
400 Locust St., Suite 840 | Des Moines, IA 50309
515.245.7701 | 888.387.5670 x7701

Santa is Secure.  Are you?
http://www.alliancetechnologies.net/security/santa-2010

How are we doing? Let us know here:
http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cialug.org/pipermail/cialug/attachments/20101223/6500977e/attachment-0001.htm 


More information about the Cialug mailing list