  #1 (permalink)  
Old 30th December, 2008, 07:12 PM
danrok's Avatar
AOA Staff
 
Join Date: March 2003
Location: Great Britain
Posts: 18,917

Boffins bust web authentication with game consoles

PS3 fleet spoofs SSL certs

See front page:
AOA - Boffins bust web authentication with game consoles

Comments?
__________________
Desktop PC: AMD FX-8370E / Asus M5A99X Evo R2.0 Motherboard / 16GB DDR3 RAM / GeForce GTX 970
AOA Team fah
  #2 (permalink)  
Old 30th December, 2008, 10:53 PM
Daniel ~'s Avatar
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

NG, NG. Not good, not good!!
__________________
"Though all men live in ignorance before mystery,
they need not live in darkness...
Justice is foundation and Mercy ETERNAL
."
DKE

"All that we do is touched by Ocean
Yet we remain on the shore of what we know."
Richard Wilbur

  #3 (permalink)  
Old 1st January, 2009, 10:28 PM
booman's Avatar
AOA Staff
 
Join Date: December 2005
Location: Mesa AZ
Posts: 4,030

So is this a weakness on the PlayStation's part or for computers also?
Sounds like a phishing problem for console web browsing.
__________________
Booman
Mint 17.3 64-bit
Wine 2.0
PlayOnLinux 4.2.10
Linux Guides: PC Games Linux Beginners Tips Linux Games List
Mack Truck Dungeon Of Fire Spray Booth Tutorial
  #4 (permalink)  
Old 2nd January, 2009, 02:20 AM
Daniel ~'s Avatar
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

This is stringing a big mess of PS3 Cell processors together and going after big-time encryption targets... like major banks and such...
Last edited by Daniel ~; 2nd January, 2009 at 02:21 AM.
  #5 (permalink)  
Old 2nd January, 2009, 02:35 AM
booman's Avatar
AOA Staff
 
Join Date: December 2005
Location: Mesa AZ
Posts: 4,030

Wow, people must really be bored to think of stuff like that...
  #6 (permalink)  
Old 2nd January, 2009, 02:54 AM
Daniel ~'s Avatar
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

They can make pretty good money doing this....if they don't get caught! ":O}
  #7 (permalink)  
Old 8th January, 2009, 12:14 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Basically, what the researchers have done is to take an existing SSL certificate and modify it. The certificate is protected by a hashing algorithm which turns the contents of the certificate into a mostly unique long number. When your web browser downloads a certificate to check it, it will also perform the hashing and check that the hash in the certificate is the same as the hash that the browser calculated. This helps to protect against corruption and attacks.

There are several mathematical algorithms for hashing. The most commonly used ones are currently MD5 and SHA-1. However, MD5 has been known to be broken for a while now (since 2004!), at least for this kind of use. Unfortunately, it seems that some of the certificate authorities that issue SSL certificates haven't quite caught up with the rest of the world.

The attack is that under certain circumstances, two sets of data can end up creating the same MD5 hash. Thus, if I modify an SSL certificate for internetbank.com so that it's an SSL certificate for make money fast free earn at stealyourmoney.com, and then work out a way to ensure that the hash still provides the same long number as the original certificate, you think you're connected to the real website. Hence the 200 PS3 machines attempting to find those 'collisions' that allow my certificate to match.

However, I still need to make sure that you visit my website rather than the real web site - which is another problem. Phishing is probably the easiest way to do this.

For example, I looked at Citibank - I went to their online banking website and then looked at the certificate they use in Firefox.

[Attached image: citibankcert.jpg]

From here, you can see that the MD5 algorithm isn't in use, as they've preferred to use SHA-1. MD5 certificates are the ones that need to be watched out for. If you're wondering, approximately 14% of legitimate SSL certificates still use the older MD5 algorithm.
__________________

Last edited by Áedán; 8th January, 2009 at 12:16 PM.