Static in the Ether

I had an interesting question posed ot me today by Dominic who asked me to verify whether his all new Digital certificate was correctly being used for signing mail. Thunderbird sadly complained that the signature was invalid, which was unexpected, and that the issuer was unknown ( expected since it comes form a private hierarchy.)  The question then lead to where did the problem lie?

My gut feel was that it was the disclaimer being inserted by an intermediary gateway ( one has to love corpmail).  Setting about proving this was the hard part.  The first issue at hand wa to actually extract the certificates so I could play with the verification.  Cert Viewer Plus for Thunderbird made this part a dream. Creating a modified version of the signed message was a little bit more problematic.

Trusting the command line, I started hunting around for details on openssl support for SMIME, which it has.  OPenSSL needs a full CA path for being able to verify SMIME signed messages. One can optain this from various places ( such as exporting form your browser) but in a case like this where a private hierarchy was being used, its enough to just make used of a somewhat smaller subset contianing only the certificates used in this chain.  These can be extracted using Cert Viewer Plus. Alternately some command line magic can be used to extract the PKCS7 formatted embedded certificates out in standard PEM format., using the following command:

openssl smime -pk7out -in mail.txt | \
        openssl pkcs7 -print_certs > extract.crt

Now that we have a certificate chain we can attempt the verify. The extract.crt below can be either from the openssl method above or the Cert Viewer plus PEM dump.

openssl smime -CAfile extract.crt -verify -in mail.txt

Now e actually have a more usable error message. Although I really don’t know why I have such a deep distrust in GUI apps for actually telling me what is wrong.

Verification failure
88175:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_doit.c:808:
88175:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pkcs7/pk7_smime.c:265:

As suspected the digest filed, which lead to a overall signature failure.  The next step was to see if removing the disclaimer worked.  Repeating on a slightly edited version of the the mail gave the following:

openssl smime -CAfile extract.crt -verify -in mail2.txt
...
mail contents deleted
...
Verification successful

So the original question posed was if the signature system was working correctly which it now was. The differences between the two mail files was checked using diff

diff -u mail.txt  mail2.txt
--- mail.txt         Mon Aug 25 18:06:33 2008
+++ mail2.txt      Mon Aug 25 18:08:10 2008
@@ -61,10 +61,6 @@
    South Africa

-Important Notice: This email is subject to important restrictions, qualifications
 and disclaimers ("the Disclaimer") ..that all was one very long line that made
 up the corporate disclaimer.....
-
-
-
 ------=_NextPart_000_0048_01C906C7.DB6FB700
 Content-Type: application/x-pkcs7-signature;
        name="smime.p7s"

From the above the only difference shown is that a mailgateway had added in a extra four lines of disclaimer and whitespace padding.  The question now evolves as to how to provide the now pretty much ubiquitious organisational disclaimer in outgoing mail in such a way that it doesnt trash any cryptographic operations in which the mail is involved.  Ive gone back over mails from a  couple of other people in corporate South Africa that I know , and the problem seems to be widespread.

The solution may be that the disclaimer as such is encapsulated as a separeate mime component, which is what interestingly one university here does ( although it insists on prepending its mime encapsulated HTML disclaimer, which makes for relaly ugly mail reading!)

I probably should have posted this a while back but, its still worth noting that Raffael Marty’s Applied Security Visualization has been released, and includes a copy of the DAVIX CD as distributed at Defcon 16 (davix-1.0.1-defcon16.iso.gz - also obtainable from the homepage, includes a couple of packet traces as used in the Defcon workshop) , which includes a copy of InetVis as one of their four chosen visual analysis tools on the live CD.

For the impatient some instructions are available for getting started. Now to work out what else to order form amazon so that the 40USD specail shipment fee hurts a little less ( thanks to our totally criminal and incompetent post office in South Africa)

Failing that its time to wait till the local places get round to stocking it.

The Proceedings of the 2007 Workshop on Visualization for Computer Security (VizSec 2007) are finally available. Springer Has the book available for order at a princely 60 Euros. Amazon has the book listed but not yet available for shipping , but one can pre-order. For those interested, Springer has a flyer and table of contents available. PDF versions of the presentations given are available form the VizSec 2007 website.

My copy should hopefully be arriving in the next few weeks, but I’m looking forward to the Work done by John R Goodall, Gregory Conti and Kwan-Liu Ma as editors. I’m just sorry I’m not going to make VizSec 2008 this year.

The two papers that I presented are (links to the PDF slides):

• High level Internet Scale traffic visualization using Hilbert curve mapping - Barry Irwin and Nick Pilkington. This details the initial work we did using the Hilbert Curve Analysis tool for IP networks
• Using InetVis to evaluate Snort and Bro scan detection on a network telescope - Barry Irwin and Jean-Pierre van Riel. InetVis is the result of three years of JP’s work to build a scalable 3-D vizualisation tool for network traffic — primarily that collected by network telescopes.

DAVIX is the upcoming live CD for data analysis and visualization, which will be released at Blackhat/DEFCON in Las Vegas this summer, with another talk at VizSec 2008. From the VizSec.org announcement:

Jan Monsch and Raffael Marty and have prepared the second beta version of DAVIX. And are now seeking for beta testers that have the time to test DAVIX and answer the questionnaire that comes along with the beta version. All completely filled out questionnaires received by me until Monday 23 June 2008 18:00 UTC will enter a raffle for one autographed copy of Raffy’s upcoming book “Applied Security Visualization”.

If you want to participate in the beta test please contact: jan.monsch ät iplosion.com

What makes me quite happy is that they have included InetVis as one of their four chosen visual analysis tools on the live CD.

I’ve been paying with this since this morning and so far so good.

Wired has a article on the Artwork done by MIT Media Lab’s grad student Alex Dragulescu. Working under contract to MessageLabs he has produced a number number of pictures, showing images of Mydoom, Ghost Keylogger and other bits of Malware.
While all quite pretty there seems to be no detail of how they were created in the original post although the MalWarez link on his homepage describes the process as follows:

..For each piece of disassembled code, API calls, memory addresses and subroutines are tracked and analyzed. Their frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity.

The Storm Worm is probably my favorite visualizations. He also has an interesting set of images entitled SpamPlants, based on input relating to the ASCII character frequency of spam messages.

Now this sounds like a great project for an aspiring security researcher with a graphical bent.

With Nick now in Grahamstown, development on the Hilbert Curve application has progressed well. Version 4.05 has been released around a month after the 2.05 edition previously mentioned, which is heading much closer towards completion. The unix build scripts still need to be integrated, but there has been much improvement. The most noticeable improvements are in the processing speed new around 90 seconds for a datafile of 53 million Addresses, and its ability to put out some very high res images (4096×4096) when working with higher order curves. At this resolution we are able to present a single pixel as representing a class C network or in effect 256 individual IP addresses. The updated release also allows for the application of image overlays when in interactive mode, which can make navigation significantly easier.

A sample of the kind of output is seen below (full resolution image is 990K) which shows destination IP addresses harvested from the Albany Schools Cache server during January through May 2008:


A plot of 53 million packets from the CAIDA telescope project - 27 Feb 2007 midnight to 6am:





With these higher resolution images available, analysis can be performed at a much finer grained level.

The Hilbert Curve Rework project is progressing well with version 2.05 having been released, by Nick earlier this week. Ive now taken the opportunity to port the current Windows code across to unix and particularly FreeBSD. Around 10 lines worth of changes later the app built and ran on my FreeBSD 7.0 system. For once the mantra of the C/C++ work actually proved try - write once, run anywhere. I really wish Java was that simple.

A couple of issues still need to be addressed:

• Rework the source to we can maintain a single source three for Windows and Unix targets- this is mostly slog rather than thinking work.
• There is a bug in that some images are coming out a little wrong, but I think this may have to do with line termination issues the good old \r\n vs. \n issue again.
• Write some decent docs!

With a bit of luck Nick should be returning to Grahamstown for a month or so thanks to some funding from the Center of Excellence in the department. Working on the Hilbert project will be one of his main priorities.

Taking some data gathered form various filters I’m investigating for the local schools network,a nd combining with some custom scraping tools which Blake has been assisting with Ive drawn a map of the location of some 15 000 IP addresses representing the seedy side of the Internet.

The image is rendered using the Hilbert Curve Program developed in conjunction with Nick Pilkington, as a project for VizSec 2007 last year.