A slice of Kimchi - IT Security Blog


Why Full Disclosure is the solution ? An example with RIPE

TL;DR: hashes list from the RIPE database has been posted to MEGA, containing usable hashes from 2011 to July 2015.

The human is reluctant to change. Full Disclosure is, sometimes, the only solution to improve Security by forcing the change.

RIPE, Reseau IP Europeen, is in charge of IP allowance in Europe.

In 2011, I had grabbed all the authentication MD5s of the RIPE database before they were taken out from the public view and RIPE asked people to change their passwords. These MD5s were public-made available in WHOIS reponses for years.

I don't think I was the only security researcher who downloaded all the hashes. Clearly, there were a lot of people who had this database. The 36.000 hashes stayed in my hard disk for 4 years.

Finding them again in 2015 in my $HOME, some may have wanted to deface the WHOIS RIPE database by inserting giant ASCII penises everywhere and changing IP attributions. Instead, I contacted the RIPE NCC Information Security Officer and then the RIPE Database Working Group Members, hoping to have open discussions and find a solution:

As I said in the first email:

According to the RIPE transparency, as recommended by RIPE NCC
Security, therefore I am now contacting this working group to work
together because deprecation of MD5 is an important change in the RIPE
database and it must be debated in a democratic manner.

This john-compatible file (containing MNT logins and MD5 hashs) was
never exposed to public but the  hashes  can  be  (VERY) easily
cracked. From the discussion with RIPE Security (who received a copy
of this file), 27.000 usable hashes (on a total of 36.000) appeared to
be valid til now.

When I discussed it with RIPE NCC Security, I gave a 90 day disclosure
policy about this "public" information, starting from the 16 Apr 2015.
The 90 day period can be adjusted by adding more days at the end if
RIPE shows a good progress of the migration. I wanted to do
responsible disclosure when I saw the RIPE Responsible Disclosure
Policy which is a Really Good Thing, I think.

My analysis is simple: The MD5 authentication is broken for years and
it's time to change to a more secure method. I think people needs to
be encouraged to move to SSO authentication. Using MD5 now is unsafe
and dangerous, especially with unchanged 4 year-old passwords.

Please share your thoughts about this situation. I will be happy to
debate with you.

After a debate with the RIPE working group about the impact of the fact 27.000 hashes were still usable (75% of total valid hashes 36.000) and MD5 is prone to collision attacks, and the ethics in releasing this information, which was not the point, I think, RIPE changed the affected passwords and encouraged stronger authentication methods.

You can read all the posts in the RIPE public mailing list, database working group archives:

Now that all the hashes are invalid from July 2015, I am releasing the database. These informations were PUBLIC before 2011. Releasing the hashes is still subject to ethical problems. The release is expected to allow people to study the strengh of the hashes. Again, the hashes (and the decrypted passwords) are now UNUSABLE to anyone.

I want to thank all the RIPE participants in the Database Working Group for exchanging their opinions about this problem, especialy Tim Bruijnzeels and Ivo Dijkhuis, from RIPE. Even if, sometimes, we didn't share the same ideas, the debate was democractic allowing people to share their visions of improving security in RIPE. I really think RIPE managed this problem in an effective manner, improving the security of their IT infrastructure.

RIPE has a blogpost explaing how to migrate to a safer authentication method here:

Now, a small personal analysis:

In Twitter, Blogs and vulnerability reports, we are speaking about 0days and new exploitation techniques: I consider it's very important.

But I really think too there is a big gap between the research in security and the reality. Companies are mainly hacked using word macros and lazy sysadmins.

It is a VERY bad sign in IT Security that:

Mentality needs to change. Apparently, for some people, this disclosure of information is unethical. This was not the problem of ethics but protection of private information. A lot of people had the RIPE credentials in their hands and something needs to be done.

So now, enjoy the show. The hashes list, as a john-compatible file, is available at MEGA.

Note: this email has been sent to Full-Disclosure and has been blogposted to: https://pierrekim.github.io/blog/2015-07-22-why-full-disclosure-is-the-solution-an-examble-with-ripe.html.


published on 2015-07-22 01:00:00 by Pierre Kim <pierre.kim.sec@gmail.com>