Problems using an OpenPGP smartcard for SSH with gpg-agent

I have been using an OpenPGP smartcard for encryption, signing and authentication for over a year now and I’ve found it to be really useful as a root of trust. I have all my systems locked down to only allow public key authentication as a 2 factor security mechanism. While the Free Software Foundation Europe have a good guide about setting up a OpenPGP smartcard using subkeys and offline backups  its unfortunately still not very straight forward to get the card set up.

Recently the EEPROM on my first card died and I had to replace the card. However after setting up the new card with the respective subkeys I  consistently encountered an error from gpg-agent where it was looking for the previous card to be inserted during SSH authentication:

Please insert the card with serial number xxxxxxxxxxxxxxxxx

Please remove the current card and insert the one with serial number xxxxxxxxxxxxxxxxx

Via the magicsauce of strace I eventually determined that gpg-agent was attempting to load the key and card data from a file in ~/.gnupg/private-keys-v1.d/ which referenced the original smartcard. Resolving this issues was as simple as removing the key file in that directory, logging out and logging back into the user account, and finally running the following commands with the card inserted to reload the desired key into the agent.

$ gpg --card-status
$ gpgkey2ssh [KEYID]
$ ssh-add -l

At this stage  ssh-add -l should list your correct card serial number and you will again be able to authenticate over SSH with the card.

Coinbase – Owning a Bitcoin Exchange Bug Bounty Program

When I first started analyzing the Coinbase website I had a quick look over the site layout and the functionality/attack surface available for potential exploitation. I quickly determined it was running Ruby on Rails based on the encoding of the “_coinbase_session” cookie. This was supported by the fact Coinbase’s founder Brian Armstrong had a lot of Ruby snippets on his Github Gist and some more Ruby questions on his Stack Overflow account.

1. Reflected XSS.

Previously I have had some successes finding XSS vulnerabilities in Flash .swf files on some sites. I quickly saw references to a file, https://coinbase.com/flash/ZeroClipboard.swf in the main CSS file. I recalled reading an advisory about this swf file before, but on first tests it did not appear to be exploitable. This .swf file is typically bundled with ZeroClipboard10.swf. In this case it was also uploaded but not referenced. Bingo! We have found a reflected XSS vulnerability on Coinbase with a known vulnerability in third party code (CVE-2013-1808).

Flash-based XSS on Coinbase.comI reported the vulnerability to Coinbase but @Ciaranmak, who referred me to the Coinbase bug bounty program had reported it independently a few hours before. The Coinbase team still sent me 1 BTC for it.

Continue reading

Trawling Tor Hidden Service – Mapping the DHT

Update 2013-08-15: I have been really enthused by reactions I received to this blog post. It has been referenced from Forbes, Gawker and the Daily Mail and a number of people have been in contact about tracking the DHT for themselves. I would recommend the IEEE S&P paper, “Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization” which presents the same issues allowing the DHT to be trawled. They also present some very serious attacks allowing an adversary to locate hidden services with practical resources. It is well worth checking out if you have an interest in Tor.

Tor hidden services have got more media attention lately as a result of some notorious sites like the Silk Road marketplace, an online black market. On a basic level, Tor hidden services allow you to make TCP services available while keeping your server’s physical location hidden via the Tor anonymity network.

TL;DR

  • Tor hidden service directories (HSDir’s) receive a subset of hidden service look-ups from users, allowing them to map relative popularity/usage of hidden service.
  • An adversary with minimal resources can carry out complete DoS attacks of Tor hidden services by running malicious Tor hidden service directories and positioning them in a particular part of the router list.
  • Many look-ups for Tor hidden services go to the incorrect hidden service directories which negatively affects the initial time to access the site.
  • Hidden services such as are popular, sites such as the Silk Road marketplace receive more than 60,000 unique user sessions a day.

Introduction

For users to access a hidden service they must first retrieve a hidden service descriptor. This is a short signed message created by the hidden service approximately every hour contain a list of introduction nodes and some other identifying data such as the descriptor id (desc id). The desc ID is based on a hash of some hidden service information and it changes every 24 hours. This calculation is outlined later in the post. The hidden service then publishes its updated descriptor to a set of 6 responsible hidden service directories (HSDir’s) every hour. These responsible HSDir’s are regular node on the Tor network which have up-time longer than 24 hours and which have received the HSDir flag from the directory authorities. The set of responsible HSDir’s is based on their position of the current descriptor id in a list of all current HSDir’s ordered by their node fingerprint. This is an implementation of a simple DHT (Distributed Hash Table).

Continue reading

Hello world’ or ‘1’=’1

Welcome to my new website! This is the mandatory, ambitious first post which proceeds the later sporadic activity as the enthusiasm gradually dies away. I don’t have a big picture for this site as of yet.

I registered the domain donncha.is primarily to host my email as I transition away from using third-party email providers. Hosted email is fine, but if your receiving a “free” service, your the product. Your also vulnerable to the whim’s of a provider who may block your account and lock you out of your online life for the slightest reason. I have decide to get an Icelandic domain as they are implementing strong protections for freedom of speech on the internet thanks to the influence of the IMMI, and they’re also easier to get than .ie domains!

Predominantly this blog will just be a place for me to publish projects I’m working on at the moment. Until now I have limited myself to 140 characters and haven’t been able to get idea’s across as I’d like. I also have various half-finished projects left lying around. I’m hoping that actually having a place to publish and get some feedback on my projects will give me the motivation I need complete them. I should have my first proper post up in a day or two outlining some work I have done analyzing the Tor hidden service DHT. Stay tuned!