Lost+Found: SSH key primer, Wireshark, toxic SSL certificates
Too small for news, but too good to lose, Lost+Found is a compilation of the other stories that have been on The H's radar over the last seven days: how to store and protect SSH keys, Wireshark 1.8.7 and 1.6.15, game engine vulnerabilities, Volatility plugins, irrevocable SSL certificates, and historical parallels to the internet.
- Martin Kleppmann describes how SSH keys are stored on disk, how the passphrase is used, and in particular how to store a private SSH key in PKCS#8 format with PBKDF2 to improve its resilience against brute-force and dictionary attacks.
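As an added example (not Kleppmann's own script, just the OpenSSL command line his article relies on), the following shell functions re-encrypt a private key as PKCS#8 with PBKDF2 and then check that the file only opens with the right passphrase. The key, passphrase and paths are constructed for the demo; a real run would point at the key under `~/.ssh`.

```shell
#!/bin/sh
# Added example: re-encrypt an SSH private key file as PKCS#8 with PBKDF2
# using the OpenSSL command line. Passphrase and paths are demo values.
set -e

# convert_to_pkcs8 OLD NEW PASSPHRASE ITERATIONS
# Writes NEW as an "ENCRYPTED PRIVATE KEY" PEM block. -v2 selects PBES2, which
# derives the AES key from the passphrase with PBKDF2; -iter sets the
# iteration count (the work factor an attacker pays per guess).
convert_to_pkcs8() {
  openssl pkcs8 -topk8 -v2 aes-256-cbc -iter "$4" \
    -in "$1" -out "$2" -passout "pass:$3"
  chmod 600 "$2"
}

# key_format FILE -> prints the PEM label, so the caller can see which
# format is on disk ("RSA PRIVATE KEY" = legacy, "ENCRYPTED PRIVATE KEY" = PKCS#8)
key_format() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# passphrase_opens FILE PASSPHRASE -> exit 0 only if the key decrypts and parses
passphrase_opens() {
  openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  # constructed throw-away key standing in for ~/.ssh/id_rsa
  openssl genrsa -out "$dir/id_rsa.old" 2048 2>/dev/null
  convert_to_pkcs8 "$dir/id_rsa.old" "$dir/id_rsa" 'correct horse battery staple' 100000
  echo "before: $(key_format "$dir/id_rsa.old")"
  echo "after:  $(key_format "$dir/id_rsa")"
  passphrase_opens "$dir/id_rsa" 'correct horse battery staple' && echo "right passphrase: key opens"
  passphrase_opens "$dir/id_rsa" 'wrong' || echo "wrong passphrase: refused"
  rm -rf "$dir"
}

demo
```

Raising the iteration count is the only knob here that costs an attacker anything; the cipher choice matters far less than the KDF, which is the point of moving off the legacy format.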
- The new versions 1.8.7 and 1.6.15 of Wireshark mainly fix a few security issues.
- Luigi Auriemma and Donato Ferrante from ReVuln have discovered security holes in the CryEngine 3, Unreal Engine 3, Hydrogen Engine and id Tech 4 game engines. These technologies are used in games such as Quake 4, Crysis 2, Homefront, Brink, Monday Night Combat, Enemy Territory: Quake Wars, Sanctum and Breach. In typical ReVuln fashion, neither concrete exploits (which they sell) nor any protection advice (which would devalue their own product) have been released.
- A whole range of exciting plugins for the Volatility memory forensics tool have been released as part of the Month of Volatility Plugins II (MoVP II), including one for analysing VMware snapshots and one for extracting private RSA keys and certificates from memory dumps. Unfortunately, there doesn't seem to be an overview page – so start here and then click your way through via the blog archive on the right.
- Another SSL problem: Netcraft has discovered hundreds of certificates that are in actual use and are practically irrevocable because they specify neither an OCSP responder for online status checks nor a URL for a certificate revocation list (CRL Distribution Point). Even exposed HTTPS sites such as accounts.google.com still use certificates without OCSP.
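The check Netcraft describes is easy to run against any certificate you operate. The shell functions below are an added example (not Netcraft's tooling) that pull the OCSP responder URI and CRL Distribution Point out of a PEM certificate with OpenSSL and report "irrevocable" when both are absent; the two self-signed certificates and the example.test URIs are constructed for the demo.

```shell
#!/bin/sh
# Added example: report whether an X.509 certificate carries any revocation
# pointer (OCSP responder in authorityInfoAccess, or a CRL Distribution Point).
# The certificates generated below are constructed test data.
set -e

# ocsp_uris CERT -> prints the OCSP responder URI(s); empty if the cert has none
ocsp_uris() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# crl_dps CERT -> prints CRL Distribution Point URIs; empty if the cert has none.
# Parses the -text dump: the extension header sits at 12 spaces of indentation,
# its values deeper, so the block ends at the next 12-space line.
crl_dps() {
  openssl x509 -in "$1" -noout -text |
    awk '/CRL Distribution Points/ { inblock = 1; next }
         inblock && /^            [^ ]/ { inblock = 0 }
         inblock && /URI:/ { sub(/^ *URI:/, ""); print }'
}

# revocation_status CERT -> "revocable" if any pointer exists, else "irrevocable"
revocation_status() {
  if [ -n "$(ocsp_uris "$1")$(crl_dps "$1")" ]; then
    echo "revocable"
  else
    echo "irrevocable"
  fi
}

# Constructed self-signed cert with no revocation pointers (the Netcraft case).
make_cert_without_pointers() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj '/CN=irrevocable.example.test' -days 1 2>/dev/null
}

# Constructed self-signed cert that does carry an OCSP URI and a CRL DP.
make_cert_with_pointers() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ext]
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj '/CN=revocable.example.test' -days 1 -config "$cfg" -extensions ext 2>/dev/null
  rm -f "$cfg"
}

demo() {
  dir=$(mktemp -d)
  make_cert_without_pointers "$dir/a.pem"
  make_cert_with_pointers "$dir/b.pem"
  for c in a b; do
    echo "$c.pem: $(revocation_status "$dir/$c.pem") ocsp=[$(ocsp_uris "$dir/$c.pem")] crl=[$(crl_dps "$dir/$c.pem")]"
  done
  rm -rf "$dir"
}

demo
```

For a live site, replace the constructed certificate with the output of `openssl s_client -connect host:443 -showcerts` and run `revocation_status` on the leaf; a result of "irrevocable" means a key compromise cannot be communicated to clients through either standard mechanism.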
- Halvar Flake presented an interesting keynote in which he compared the internet with the era of Spanish hegemony in the 16th century. The parallels he draws to official navy forces, British privateers such as Sir Francis Drake, and pirates without home ports are undeniable. The only question is: which nation is currently playing the part of Spain?