Hello,

Over a year ago, I published a paper that attempted to analyze the randomness of PRNGs used in TCP/IP stacks on several operating systems. The approach I've chosen resulted in detecting some non-trivial dependencies in several generators, and some amusing 3D pictures. The original RAZOR research is available here:

http://razor.bindview.com/publish/papers/tcpseq.html

Since then, I've received numerous requests to publish a follow-up document that would review some more operating systems, and address the way vendors addressed problems reported previously. I'm cross-posting this to BUGTRAQ and VulnWatch, because some of the newly included or re-tested systems turned out to have fairly weak ISNs, and I would expect some vendor response soon. The new review is available here:

http://lcamtuf.coredump.cx/newtcp/

To explain the reason I decided to write this - I have a strong feeling that this problem is still important nowadays, even if often downplayed. There are several attack scenarios to consider:

- high-profile information - website contents, e-mails, DNS zone transfers, ftp data, etc - is typically exchanged without encryption; the ability for an attacker to disrupt or modify the information flow in those streams is generally a bad thing in the real world; and weak ISNs make it much easier for a third party to accomplish this goal,

- many systems still rely on IP addresses to implement the first line of defense; for example, limiting access to an SSH or FTP server to a specific set of IP addresses is a common practice; the underlying service can become exposed if the system has weak ISNs,

- IP addresses logged for a completed TCP/IP handshake are typically trusted by administrators for purposes such as tracking spam, script kiddies, or detecting unauthorized access. The ability for an attacker to act as another system can mislead the administrator,

- most crypto protocols turned out to be less than perfect; susceptibility to MITM attacks is a pretty common problem, sometimes caused by the implementation, often caused by the human factor; blind spoofing makes it feasible to launch certain MITM attacks.

Note that I'm not trying to be alarmist, the sky is not falling yet, but it's certainly something worth looking at. Well :-)

Have fun.

--
Michal Zalewski
Got jobs?
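The post says the original research looked for dependencies between successive ISNs and drew 3D pictures of them. As an added illustration (not code from the post, the RAZOR paper, or the newtcp review), the snippet below shows the kind of self-check an administrator can run on a sample of ISNs collected from their own stack: consecutive differences are turned into 3D points, and the share of points that have a close neighbour is used as a crude indicator of structure. The delayed-coordinate construction, the clustering radius, and both ISN streams (one from a constructed constant-increment generator, one from os.urandom) are my assumptions for demonstration; nothing here is captured from a real operating system.

```python
"""Added example: crude structure check for a sample of TCP ISNs.

Assumptions (not from the post): the 3D "three consecutive deltas"
construction and the neighbour-radius metric are my own choices; the
two ISN streams are constructed here, not captured from any stack.
"""
import os
import struct
from typing import List, Sequence, Tuple

MOD = 1 << 32  # TCP sequence numbers are 32-bit

Point = Tuple[int, int, int]


def isn_deltas(isns: Sequence[int]) -> List[int]:
    """Differences between consecutive ISNs, reduced to unsigned 32-bit."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def delayed_coordinates(isns: Sequence[int]) -> List[Point]:
    """Map an ISN sample to 3D points made of three consecutive deltas.

    A generator whose next delta depends on the previous ones produces
    points that fall on a visible surface or cluster; a good generator
    spreads them evenly through the 2^32-sided cube.
    """
    d = isn_deltas(isns)
    return [(d[i], d[i + 1], d[i + 2]) for i in range(len(d) - 2)]


def clustered_fraction(points: Sequence[Point], radius: int) -> float:
    """Share of points that have at least one other point within `radius`.

    O(n^2), fine for the few hundred samples one would collect by hand.
    """
    if not points:
        return 0.0
    r2 = radius * radius
    hits = 0
    for i, p in enumerate(points):
        for j, q in enumerate(points):
            if i != j and sum((a - b) ** 2 for a, b in zip(p, q)) <= r2:
                hits += 1
                break
    return hits / len(points)


def assess(isns: Sequence[int], radius: int = 4096) -> Tuple[float, str]:
    """Return (clustered fraction, verdict) for an ISN sample."""
    frac = clustered_fraction(delayed_coordinates(isns), radius)
    verdict = "visible structure" if frac > 0.5 else "no visible structure"
    return frac, verdict


# --- constructed sample generators (hypothetical, for demonstration) ---

def weak_isns(count: int, start: int = 0x12345678) -> List[int]:
    """Constructed weak generator: near-constant increment per connection."""
    out, cur = [], start
    for k in range(count):
        cur = (cur + 64000 + (k % 7)) % MOD
        out.append(cur)
    return out


def random_isns(count: int) -> List[int]:
    """Constructed strong generator: 32-bit values from os.urandom."""
    return [struct.unpack(">I", os.urandom(4))[0] for _ in range(count)]


if __name__ == "__main__":
    for name, sample in (("weak", weak_isns(200)), ("random", random_isns(200))):
        frac, verdict = assess(sample)
        print(f"{name:6s}: clustered fraction {frac:.2f} -> {verdict}")
```

The radius of 4096 is arbitrary; the point is that with a constant-ish increment every point sits within a few units of every other, while 200 uniformly random points in a cube of side 2^32 essentially never come within 4096 of each other. A real assessment would use many more samples and the full attractor analysis from the linked paper, but even this coarse check separates a counter-style generator from a random one.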