TLS is Flawed: New TLS Vulnerability Found

TLS is flawed. The decades-old protocol is vulnerable to man-in-the-middle attacks, throwing into question the nature of encryption on the world wide web. An Austrian IT firm has prevented a security disaster threatening many popular Internet websites and applications by compiling research on a new vulnerability in the twenty-year-old cryptographic system.

Austrian researchers from Research Industrial Systems Engineering GmbH (RISE) unveiled vulnerabilities found in the TLS (Transport Layer Security) protocol last month at the USENIX WOOT conference. TLS, most commonly encountered as the wrapper that turns HTTP into HTTPS, evolved from SSL (Secure Sockets Layer).

The new vulnerability, called the “Key Compromise Impersonation (KCI) attack,” allows man-in-the-middle (MitM) attackers to control client-side code running in a victim’s browser. This means the information appearing on a website or application can be changed.

This security protocol forms the basis of most Internet security critical to important functions like e-banking. As RISE reported, the protocol has been vulnerable to a man-in-the-middle attack that could allow hackers to read private communication between users. You can learn more about the vulnerability here. The group published a proof-of-concept video on YouTube demonstrating a hack against Facebook.

In the RISE press release, “Security disaster prevented,” the Austrian IT firm outlines how hackers can attack major Internet pages and apps. The vulnerability had already been disclosed to companies like Google, Microsoft, Apple and Facebook before RISE went public.

Solutions are in the works. Thomas H. Ptacek, well known in InfoSec and co-chair of this year’s USENIX WOOT conference, recently stated on Twitter: “Suggestion: there should be a ‘Secure Transport Protocol Competition’, to design the alternative to TLS.”

RISE security researcher Clemens Hlauschek answered some questions for Hacked.

Do you have any comments on the process of exposing the bug?

CH: Everything has been responsibly disclosed before our firm went public. Since TLS implementations are so numerous, and we do not have access to scrutinize all possible TLS client implementations (some are proprietary, etc.), there are probably still some other clients out there, apart from the ones identified by us, that remain vulnerable. Of course, all the major players have been informed: Google, Microsoft, Apple, etc.

If this is not a Facebook-specific problem, does this mean that all social networks are vulnerable on this level? Does it stop there? Can info be changed in our online banking accounts, perhaps the most sensitive accounts people have?

CH: In principle yes. In practice, servers must provide elliptic curve certificates, and they are not that widespread yet, as less than 10% of all certificates are EC certificates. Other security measures, such as X509 Key Usage extension settings, can further prevent the attack, but they are neither mandatory nor always correctly honored by client implementations, and they are often poorly configured by certification authorities. This is also a situation that will hopefully change, in part due to the disclosure of our attack.
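Hlauschek's answer names the two preconditions the attack depends on, an elliptic curve server certificate and a Key Usage extension that does not rule out key agreement, and both are visible in the certificate itself. The Go program below is an added example, not RISE's code or anything from their paper: it builds three constructed, self-signed P-256 certificates (the sample labels and the rule that a missing Key Usage extension counts as exposed are this example's assumptions) and reports which of them would still permit the static ECDH exchange the attack relies on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Finding records what a server certificate permits with respect to the
// static (fixed) ECDH handshake that the KCI attack relies on.
type Finding struct {
	ECKey        bool // public key is an elliptic-curve key
	HasKeyUsage  bool // Key Usage extension present (Go leaves KeyUsage zero when absent)
	KeyAgreement bool // keyAgreement bit set, so static ECDH with this key is allowed
	KCIExposed   bool // EC key whose Key Usage does not rule out key agreement
}

// AssessCert applies the check from the interview: the attack needs an EC server
// certificate, and a Key Usage extension without keyAgreement rules it out.
// A missing extension counts as exposed (this example's assumption).
func AssessCert(der []byte) (Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Finding{}, err
	}
	var f Finding
	_, f.ECKey = cert.PublicKey.(*ecdsa.PublicKey)
	f.HasKeyUsage = cert.KeyUsage != 0
	f.KeyAgreement = cert.KeyUsage&x509.KeyUsageKeyAgreement != 0
	f.KCIExposed = f.ECKey && (!f.HasKeyUsage || f.KeyAgreement)
	return f, nil
}

// selfSigned builds a constructed self-signed test certificate (not any real
// site's certificate) with the given Key Usage bits; usage 0 omits the extension.
func selfSigned(key *ecdsa.PrivateKey, usage x509.KeyUsage) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kci-example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// AssessSamples runs the check over three constructed P-256 certificates.
func AssessSamples() (map[string]Finding, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	samples := map[string]x509.KeyUsage{
		"keyagreement-set": x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
		"signature-only":   x509.KeyUsageDigitalSignature,
		"no-keyusage-ext":  0,
	}
	out := make(map[string]Finding, len(samples))
	for label, usage := range samples {
		der, err := selfSigned(key, usage)
		if err != nil {
			return nil, err
		}
		if out[label], err = AssessCert(der); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```

The package deliberately has no `main`; call `AssessSamples` from a test or a small `main` of your own, and point `AssessCert` at the DER of any certificate you want to review.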

For Internet laymen, it would appear that using the Internet is hopeless, that the entire thing needs to be redone. How does your team feel these sorts of issues should be approached?

CH: Keeping critical systems secure these days is a full-time job involving many experts who specialize in different areas, and who always keep up to date with the newest developments and state-of-the-art research with a sharp and alert mindset.

But it is not completely hopeless. Security needs to be built into critical systems and IT infrastructure from the beginning of the planning and development phase. Many systems in the past have been designed without deep security considerations, and security has been added only as an afterthought during the end of the development phase.

It is still common practice to design a system and only afterwards employ a penetration testing team who take a cursory look at the system for a week. This kind of testing stops some basic and obvious attacks, so it is not completely useless and is better than nothing at all. But to build a secure system, security considerations have to be taken into account from the very beginning of the development.

My company develops various different security-critical IT solutions, such as airport software, payment infrastructure, as well as government and health-care systems. These systems deal with very sensitive, private data. The damage to the public, to the citizens of a country, would be immense if health data leaks and gets into the hands of private actors. Therefore, at RISE, the development of critical IT systems is always accompanied and supervised by security engineers and security experts from the very beginning of the initial planning phase. You need experts who live and breathe security.

Your feeling that many things have to be redone is certainly right. Take TLS, which was designed more than twenty years ago. It has been attacked over and over by researchers, and has evolved into a much more secure system over the years.

But still, its design is outdated. In the meantime, the science of cryptography has advanced over the years. Cryptographers established the tools that allow us to build many cool things. We have tools available now that we did not have 20 years ago. We have formalized the notion of a secure channel, and we can prove and formally verify that a protocol is secure in these models. However, these tools cannot easily be applied to outdated systems such as TLS. Many research groups have tried to provide formal proofs of security for TLS, but the task turned out to be elusive. TLS was not designed with formal analysis or provable security in mind, because these tools did not really exist back then.

Now, more is available, but we are still stuck with the old tools, mainly due to compatibility issues. The main reason TLS use is so widespread today is because TLS is supported across all kinds of different devices. It’s difficult to get rid of that, and to provide an alternative. In a system where we develop both clients and backends, we do not need that kind of compatibility, and can employ something more secure than TLS.

What’s the future of TLS?

CH: TLS evolved out of SSL, the first versions of which were really crappy and insecure, but TLS got attacked, fixed, attacked, fixed in a seemingly endless circle.

Currently, the TLS WG at the IETF is working on the next version of TLS (1.3). This time, many more established cryptographers are involved in the process than the last times, so it looks a little bit more promising than the iterations before, and they plan to redo quite a lot of stuff and get rid of many insecure options. But still, I am not yet convinced regarding the end result of this process.

How did the companies respond to your warning?

CH: The affected vendors we worked with quickly fixed their systems. Facebook basically did everything, such as changing their server certificates and setting more restrictive X509 Key Usage Extension settings. It really was a pleasure to work with Facebook’s security teams – they are polite, quick, and very responsive. But since certificate revocation is basically universally broken, attackers can still use the old Facebook server certificates to pull off the attack successfully, provided the client uses unpatched software.

The MitM attack against Facebook was nice for demonstration purposes, because everyone knows Facebook, and it creeps people out if someone tampers with their private communication and data. But I guess, the main message of our research should not be that Facebook has been vulnerable, but that (1) TLS is old, overly complex, and has some serious issues, partly because it carries too much luggage, and that (2) system implementers should pay attention so that this protocol issue does not resurface. Only recently did OpenSSL implement non-ephemeral Diffie-Hellman client authentication – which we identified to be a security problem – and they seemed to be on a trajectory to also implement the even more security-critical elliptic curve version (fixed ECDH).

What do you hope the results of your findings bring about?

CH: We hope that our disclosure of the attack will stop such developments from ever being integrated into large-scale and production-ready software. It could have been a real disaster if such changes had been pushed into systems such as Google Android, where client certificates can easily be inserted into the system’s certificate store by completely benign-looking apps in order to attack security-critical apps – a backdoor undetectable by malware researchers and automated malware analysis systems without knowledge of the attack vector as described in our research paper.

You can view RISE’s findings in PDF format here.

Featured image from Shutterstock.

Important: Never invest (trade with) money you can't afford to comfortably lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here. Trade recommendations and analysis are written by our analysts which might have different opinions. Read my 6 Golden Steps to Financial Freedom here. Best regards, Jonas Borchgrevink.


Justin O'Connell is the founder of financial technology focused CryptographicAsset.com. Justin organized the launch of the largest Bitcoin ATM hardware and software provider in the world at the historical Hotel del Coronado in southern California. His works appear in the U.S.'s third largest weekly, the San Diego Reader, VICE and elsewhere.





EOS Price Forecast: EOS/USD Heading for Another 300% Move?


  • EOS/USD price action via the 4-hour chart view has formed a bullish flag pattern.
  • The price is moving around levels seen back end of March to early April, before a bull run of over 300%.

The past six sessions for EOS/USD have been erratic to say the least. It has been subject to a high amount of volatility, swinging aggressively in both directions. There has been a lack of commitment from either the bear or bull camps of late. As the market continues to trade with such behavior, it appears to be trying to find its feet, ahead of a potential chunky firm trend.

EOS DApp Hacked Again

An EOS-based gambling DApp, EOSBet, has been hacked, with $338,000 reported stolen. This isn’t the first time; back in September, hackers managed to get away with a reported 40,000 EOS, which at the time had a value of $200,000. It has been said that they were able to exploit security vulnerabilities found in its smart contracts.

Technical Review – 4-hour Chart View

EOS/USD 4-hour chart

EOS/USD price action has formed a bullish flag pattern, which began taking shape on 15th October, after the aggressive price behavior stabilized. The bulls at the time ran the price well up into $6 territory. Consequently, it then met the breached ascending trend line, failing to move back above this area. This followed the sharp breakthrough to the downside, which occurred on 11th October. As a result, a drop of over 15% was seen, forcing EOS/USD to retreat in a demand area, within the $5.0000 level proximity.

Looking to the upside, small near-term resistance is seen at around $5.6100, which is the upper trend line of the mentioned bull flag pattern. A breakout will likely open the doors to a retest of the broken ascending trend line, tracking around $6.1100. Support can be eyed at $5.4600, which marks the lower trend line of the flag. Furthermore, should this fail to hold, EOS/USD could likely fall back down to the serving demand area, within the lower $5.0000 territory.

April 2018 Bull Run

EOS/USD April bull run

In April of this year EOS/USD entered a chunky bull run, gaining over 300%. From the back end of March until 11th April, the price had been stuck in consolidation mode, trading within a tight range at the levels where the price is currently seen today.

Something quite astonishing started to unfold. Between 11th April and 29th April, a bull run of around 290% was seen. Over this time frame EOS/USD went from $5.9500 up to a high of around $23.0811. The price is currently demonstrating behavior similar to that seen during the mentioned period. It is interesting to note that the price did have historical levels to break through, as it had already run higher during December 2017 and come back down. Finally, this is not to say EOS/USD will see the same bull run. However, it is an interesting observation to be aware of.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.



Ken has over 8 years exposure to the financial markets. During a large part of his career, he worked as an analyst, covering a variety of asset classes; forex, fixed income, commodities, equities and cryptocurrencies. Ken has gone on to become a regular contributor across several large news and analysis outlets.





Crypto Market Development: South Korea’s National Policy Committee Chair Calls For ICO Legalization


  • A member of South Korea’s governing Democratic party and the chairman of Korea’s National Policy Committee, Min Byung-Doo, is urging an easing of the current regulations on Initial Coin Offerings (ICOs).
  • Min Byung-Doo wants to introduce the necessary regulatory framework to allow ICOs in the country.

Allow ICOs In South Korea

The South Korean National Policy Committee Chief, Min Byung-Doo, is calling for a regulatory framework to be explored that would allow Initial Coin Offerings (ICOs) to take place within the country. He stated that the current prohibition of ICOs weakens the industry’s competitive appeal against foreign markets, boldly adding that it is preventing growth.

In his statement to lawmakers, Byung-Doo said, “We can see that the flow of investment is clearly changing compared to ICO and angel fundraising. The ICO has raised $1.7 billion for Telegram and $4 billion for Block.One, it is getting bigger and bigger.”

Further in the statement, Min Byung-Doo said, “Let the government, the National Assembly and the blockchain association quickly create a working group to block fraud, speculation, money laundering and develop the block-chain industry.” However, he acknowledged the government’s reluctance to create the needed framework.

In September 2017, the Financial Services Commission in South Korea announced a ban on ICOs. The law has not yet been enacted.

Crypto Market Reaction

A lack of reaction has been observed for now, despite this determination to further legitimize the digital currency market in South Korea. Crypto market developments in the country are always watched very carefully, given its large crypto market participation. It was reported in December 2017 that South Korea accounted for as much as 17% of all Ethereum trades occurring in cryptocurrency markets.

Market Reactions To South Korean Related News

Ripple (XRP) crashed in January, following CoinMarketCap’s decision to remove XRP price data from Korean exchanges. As a result, this largely brought down the total average price.

XRP/USD Coinmarketcap update triggered drop

On 11th January, Korean crypto exchange Coinrail was hacked, and over $40 million in tokens were stolen. Bitcoin initially dropped over 11% on this.

BTC/USD Coinrail hack triggered drop

One final example, UPbit, a South Korean exchange, was investigated by authorities for illicitly moving customer funds to the account of its executives. Bitcoin initially dropped over 7% on the news.

BTC/USD UPbit investigation triggered drop

Given the above mentioned, one should keep an eye on any developments coming out of South Korea, for the foreseeable future.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.







Crypto Market Update: Japan’s Self-Regulatory Group (JVCEA) Readying Tighter Rules on Digital Assets


  • A group of cryptocurrency exchange operators in Japan is readying to tighten up measures following a recent cyber breach.
  • The action follows a reported hack earlier in the month, in which cryptocurrency exchange Zaif lost an estimated $59.67 million.

Self-Regulatory Group Set To Tighten Rules

The Japan Virtual Currency Exchange Association (JVCEA) is exploring new rules to safeguard against cyber theft, including setting a cap on the amount of digital currencies managed online. This was reported by local news outlet the Japan Times, citing informed sources.

Informed sources detailed that the cap is likely to be around 10–20% of customer deposits. The JVCEA is said to be revising its rules soon; these were originally drawn up in June following multiple cyber attacks. They will be implemented once everything has been approved by the Financial Services Agency, as part of the payment services law process in the country.

The move was likely motivated largely by the reported hack earlier in September. The Japanese start-up Tech Bureau said that its cryptocurrency exchange, known as Zaif, had been hacked. Losses were estimated at around $59.67 million of Bitcoin and two other digital currencies, Bitcoin Cash and Monacoin.

Market Reaction

No initial reaction was observed across the cryptocurrency market on this latest update coming out of Japan as of Sunday 30th September. Despite this, however, Japan and crypto sell-offs have frequently been mentioned in the same sentence over the past years and even months. This means volatility could be in store for digital assets in the short term.

Back in January of this year, the largest reported hack on a Japanese exchange took place, with Coincheck losing $530 million worth of NEM in a coordinated attack. This incident massively spooked the market, and was a heavy contributor to the large sell-off in January. As we’ve observed over the past eight months, the market has yet to reclaim January’s peak (although this can’t be solely attributed to the theft). At the time, South Korea’s Attorney General had already spooked investors with FUD related to the possible banning of digital currencies in the country.

Against this backdrop, investors are advised to pay attention to Japan-related volatility.

BTC/USD weekly chart

Most recently, looking in the month of June, another sell-off was seen. This one came after Japan’s financial regulator ordered several cryptocurrency exchanges to improve their practices against money laundering. The action led bitFlyer — the country’s largest crypto exchange — to suspend new account creation. This was initiated to improve internal processes in order to curb money laundering and terrorist financing.

Disclaimer: The author owns bitcoin, Ethereum and other cryptocurrencies. He holds investment positions in the coins, but does not engage in short-term or day-trading.

Featured image courtesy of Shutterstock.





