TLS is flawed. The decades-old protocol is vulnerable to man-in-the-middle attacks throwing into question the nature of encryption on the world wide web. An Austrian IT firm has prevented a security disaster threatening many popular Internet websites and applications by compiling research on a new vulnerability in the twenty year old cryptographic system.
Austrian researchers from Research Industrial Systems Engineering GmbH (RISE) unveiled last month vulnerabilities found in the TLS (Transport Layer Security) protocol at a USENIX WOOT conference. TLS, most commonly known as a wrapper around HTTP as HTTPS, evolved from SSL (Secure Sockets Layer).
The new vulnerability, called “Key Compromise Impersonation (KCI) attack,” allows MitM attackers to control client-side code running in a victim’s browser. This means the information appearing on a website or application can be changed.
This security protocol forms the basis of most Internet security critical to important functions like e-banking. As RISE reported, the protocol has been vulnerable to a man-in-the-middle attack. The attack could allow hackers to read private communication between users. You can learn more about the vulnerability here. The group published a proof of concept video on Youtube demonstrating a hack against Facebook.
In the RISE press release, “Security disaster prevented,” the Austrian IT firm outlines how hackers can attack major Internet pages and apps. The vulnerability had already been disclosed to companies like Google, Microsoft, Apple and Facebook before RISE went public.
Solutions are in the works. Thomas H. Ptacek, well-known in InfoSec and co-chair of the USENIX WOOT conference this year recently stated on Twitter: “Suggestion: there should be a ‘Secure Transport Protocol Competition’, to design the alternative to TLS.”
Suggestion: there should be a “Secure Transport Protocol Competition”, to design the alternative to TLS.
— Thomas H. Ptáček (@tqbf) May 23, 2015
RISE security researcher Clemens Hlauschek answered some questions for Hacked
Do you have any comments on the process of exposing the bug?
CH: Everything has been responsibly disclosed before our firm went public. Since TLS implementations are so numerous, and we do not have access to scrutinize all possible TLS client implementations (some are proprietary, etc), there are probably still some other clients apart from the ones identified by us out
there who remain vulnerable. Of course, all the major player have been informed: Google, Microsoft, Apple, etc.
If this is not a Facebook specific problem, does this means that all social networks are vulnerable on this level. Does it stop there? Can info be changed in our online banking accounts, perhaps the most sensitive accounts people have?
CH: In principle yes. In practice, servers must provide elliptic curve certificates, and they are not that widespread yet as less than 10% of all certificates are EC certificates. Other security measures, such as X509 Key Usage extension settings, can further prevent the attack, but they are neither mandatory, not always correctly honored by client implementations, and often poorly configured by certification authorities. This is also a situation that will hopefully change in part due to the disclosure of our attack.
For Internet laymen, it would appear that using the Internet is hopeless. That the entire thing needs to re-done. How does your team feel these sorts of issues should be approached?
CH: Keeping critical systems secure these days is a full time job involving many experts who specialize in different areas, and who always keep up-to-date with the newest developments and state-of-the-art research with a sharp and alert mindset.
But it is not completely hopeless. Security needs to be built into critical systems and IT infrastructure from the beginning of the planning and development phase. Many systems in the past have been designed without deep security considerations, and security has been added only as an afterthought during the end of the development phase.
It is still common practice to design a system and only afterwards employ a penetration testing team who take a cursory look at the system for a week. This kind of testing stops some basic and obvious attacks, so is not always completely useless and better than nothing at all. But to build a secure system, security considerations have to be taken into account from the very beginning of the development.
My company develops various different security-critical IT solutions, such as airport software, payment infrastructure, as well as government and health-care systems. These systems deal with very sensitive, private data. The damage to the public, to the citizens of a country, would be immense if health data leaks and gets into the hands of private actors. Therefore, at RISE, the development of critical IT systems is always accompanied and supervised by security engineers and security experts from the very beginning of the initial planning phase. You need experts who live and breath security.
Your feeling that many things have to be redone is certainly right. Take TLS, which was designed more than twenty years ago. It has been attacked over and over by researchers, and evolved to be a much securer system over the years.
But still, its design is outdated. In the meantime, the science of cryptography has advanced over the years. Cryptographers established the tools that allow us to build many cool things. We have tools available now that we did not have 20 years ago. We have formalized the notion of a secure channel, we can prove and formally verify that a protocol is secure in these models. However, these tools cannot easily be applied to outdated systems such as TLS. Many research groups have tried to provide formal proofs of security for TLS, but the task turned to to be elusive. TLS was not designed with formal analysis or provable security in mind, because these tools did not really exist back then.
Now, more is available, but we are still stuck with the old tools, mainly due to compatibility issues. The main reason TLS use is so widespread today is because TLS is supported across all kinds of different devices. It’s difficult to get rid of that, and to provide an alternative. In a system where we develop both clients and backends, we do not need that kind of compatibility, and can employ something more secure than TLS.
What’s the future of TLS?
CH: TLS evolved out of a SSL, the first versions of which have been really crappy and insecure, but TLS got attacked, fixed, attacked, fixed in an seemingly endless circle.
Currently, the TLS WG at the IETF is working on the next version of TLS (1.3). This time, much more established cryptographers are involved in the process than the last times, so it looks a little bit more promising than the iterations before, and they plan to redo quite a lot of stuff, and get rid of many insecure options. But still, I am not convinced yet regarding the end result of this process.
How did the companies respond to your warning?
CH: The affected vendors we worked with quickly fixed their systems. Facebook basically did everything, such as change their server certificates and setting more restrictive X509 Key Usage Extension settings. It really was a pleasure to work with Facebook’s security teams – they are polite, quick, and very responsive. But since certification revocation is basically universally broken, attackers can still use the old Facebook server certificates to pull off the attack successfully, provided the client uses unpatched software.
The MitM attack against Facebook was nice for demonstration purposes, because everyone knows Facebook, and it creeps people out if someone tampers with their private communication and data. But I guess, the main message of our research should not be that Facebook has been vulnerable, but that (1) TLS is old, overly complex, and has some serious issues, partly because it carries too much luggage, and that (2) system implementers should pay attention so that this protocol issue does not resurface. Only recently did OpenSSL implement non-ephemeral Diffie-Hellman client authentication – which we identified to be a security problem – and they seemed to be on a trajectory to also implement the even more security-critical elliptic curve version (fixed ECDH).
What do you hope the results of your findings bring about?
CH: We hope that our disclosure of the attack will stop such developments from ever being integrated in large-scale and production-ready software. It could have been a real disaster if such changes would have been pushed into systems such as Google Android, where client certificates can be easily inserted into the systems’ certificate store by completely benign looking apps in order to attack security-critical apps – a backdoor undetectable by malware researchers, automated malware analysis systems – without the knowledge of the attack vector as described in our research paper.
You can view RISE’s findings in PDF format here.
Featured image from Shutterstock.
The Pirate Bay is Hijacking PCs to Stealth-Mine Cryptocurrency
For the second time in as many months, The Pirate Bay has been caught mining cryptocurrency on your computer without consent. The torrent platform was actually test-driving cryptocurrency mining in your browser – no doubt a lucrative revenue stream.
The Pirates Are At It Again
The news was later confirmed by Bleeping Computer, which reported that,”The Pirate Bay, the internet’s largest torrent portal, is back at running a cryptocurrency miner after it previously ran a short test in mid-September.”
Estimates indicate that the scheme has earned the pirates a total of $43,000 over a three-week period.
Users had no way to opt their computers out of being test-driven by the torrent network. Back in September, The Pirate Bay got away by telling people it was just a test. The site’s owners cannot use the same excuse this time around.
CoinHive advises websites to let their visitors know their browser is being used to mine cryptocurrency.
“We’re a bit saddened to see that some of our customers integrate CoinHive into their pages without disclosing to their users what’s going on, let alone asking for their permission,” the company said.
The good news is most ad-blockers and antivirus programs will block CoinHive, given its recent abuses. That means not all visitors of The Pirate Pay were being used as a conduit for mining Monero.
Monero Joins Global Crypto Rally
The value of Monero (XMR) shot up nearly 8% on Friday, and was last seen trading at $94.17. With more than 15.2 million XMR tokens in circulation, the total market cap for Monero is $1.4 billion, according to CoinMarketCap. That’s enough for ninth on the global cryptocurrency list.
Twelve cryptos have now crossed the $1 billion valuation mark. A handful of others have made their way north of $500 million.
Coders Safeguard Vulnerable Ethereum Wallets Following Security Breach
Ethereum suffered large-scale security breaches last week after anonymous hackers targeted vulnerable wallets in the network, resulting in the loss of tens of millions of dollars. However, it didn’t take long for a volunteer group of coders to “rescue” the funds in 500 at-risk wallets before the same attackers could get to them too.
White Hat Group Takes Charge
The so-called White Hat Group showed initiative by “rescuing” the funds using the same techniques the thieves employed to compromise $32 million USD worth of ether from three multi-signature wallets. As of Monday, the White Hat Group of ethical hackers was in possession of $86 million worth of ether and an additional $122 million in tokens.
Tokens are digital assets that are sold during an Initial Coin Offering (ICO) fundraising event. They have proven to be extremely popular.
Tens of millions of dollars worth of ether and tokens have already been returned to their owners. The White Hat Group says it will issue full refunds by the end of July.
Blockchain-based trading platform Coindash was also breached last week, resulting in the loss of more than $7 million worth of ether.
Security Breaches Nothing New in Crypto World
For all its benefits, cryptocurrency has been vulnerable to several high-profile security breaches. Last summer, Hong Kong-based Bitfinex was the target of a major attack that resulted in the theft of around $70 million worth of bitcoins. In response, the exchange announced a controversial plans to “socialize” its losses among all users. Each Bitfinex trader was docked 36% as a result.
Bitcoin prices declined sharply following the attack, stopping what had been a blistering summer of gains.
Ethereum Enterprise Alliance
For anyone doubting the potential of the ether, take a look at the list of companies participating in the Enterprise Ethereum Alliance (EEA). The EEA is a forum that connects Fortune 500 companies, startups and academics with ethereum subject matter experts. The EEA is made up of multinational banks and some of the world’s biggest technology companies.
The forum has made cyber security a top priority, according to a May 22 press release. In the release, companies like Infosys, Mitsubishi UFJ Financial Group, Synechron and others expressed their intent to contribute to the future of ethereum’s security.
Hackers Only Need Seconds to Figure Out Card Details
Experts from Newcastle University in England has found that hackers only need six seconds to figure out the card number, expiry date, and security code for a Visa debit or credit card by simple guesswork, according to a report from The Telegraph.
According to figures from the Office of National Statistics, in the U.K. the number of bank account fraud cases reported up to June 2016, from the beginning of the year, amounted to over 2.3 million.
The researchers found that all that a hacker needs is a computer and an Internet connection. It is believed that hackers simply utilize what is known as a Distributed Guessing Attack enabling them to get around security features that help prevent online fraud.
By using the Distributed Guessing Attack, the system was unable to detect multiple attempts made by hackers.
Process of Elimination
As such, within a matter of seconds hackers were able to determine the correct information on a person’s card by a process of elimination.
Only recently Tesco bank account customers were subjected to hacking after criminals were able to gain access to their accounts. It is believed that these hackers may have used the Distributed Guessing Attack to siphon money from peoples’ accounts.
Payment Cards Remain Vulnerable
Unfortunately, even though Visa debit and credit cards remain popular and convenient forms of payment, they remain vulnerable as well.
And hackers know this, which is why reports of online card fraud are becoming more prevalent in today’s technologically-advanced world.
Visa states though:
The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.
However, while this may be the case, it seems something is amiss if cybercriminals can simply determine a person’s card details in six seconds through guesswork.
Bitcoin to the Rescue?
The digital currency bitcoin, however, may provide an answer to this problem.
As a type of digital currency that is held and created electronically with no central bank governing it, bitcoin is considered the cash of the Internet.
Due to its popularity more people are turning to it instead of fiat currency.
It was recently reported that Sweden is considering the issuance of its own digital currency, ekrona, in an effort to address the significant decline of the use of cash in the country.
Whereas India has announced that digital currency will become the new normal in the country as it attempts to reduce the amount of cash transactions with the banning of its biggest banknotes, the Rs 500 and Rs 1,000.
While these are just a few instances of how bitcoin is revolutionizing how we see money, many are quickly catching on to how safe and effective bitcoin is as a form of payment in a world where hackers are gaining easy access to a person’s Visa debit and credit cards.
Featured image from Shutterstock.
- Technical Analysis: Volatility on the Rise Again...
- Crypto Market Reaches Historic Milestone as Ether...
- Trade Recommendation: Syscoin
- Trade Recommendation: Ride the Next Rally of Bitco...
- Trade Recommendation: Bitcoin
- Ripple Spikes 50% as Bitcoin Lifts Smaller Altcoin...
- A Career in Crypto: How to Work in the World’s Fas...
- Can a New Generation of Regulated Token Sales Save ICOs? December 14, 2017
- Trade Recommendation: NZDJPY December 14, 2017
- Trade Recommendation: Bitcoin December 14, 2017
- Asian Market Update – Thursday: Ethereum Extends Rally; Asian Stocks down After US Rates Hike December 14, 2017
- Daily Analysis: Dollar Falls, Gold Jumps after Yellen’s Final Move December 14, 2017
- Crypto Market Reaches Historic Milestone as Ether, Ripple Surge December 14, 2017
- Technical Analysis: Volatility on the Rise Again, as Ripple and Ethereum Hit Targets December 13, 2017
- Federal Reserve Hikes Interest Rates for Third Time This Year, Keep 2018 Policy Outlook Unchanged December 13, 2017
- Trump’s Proposed Tax Changes Could Impact Cryptocurrency Investors December 13, 2017
- Trade Recommendation: Syscoin December 13, 2017
A part of CCN
Analysis5 days ago
Long-Term Cryptocurrency Analysis: Look Out Below?
Recommendations6 days ago
Trade Recommendation: Litecoin
Analysis1 week ago
$100 Litecoin Looks Poised for Greater Upside
Cryptocurrencies4 days ago
Trade Recommendation: Zcash
Cryptocurrencies2 days ago
Trade Recommendation: Bitcoin Cash
Cryptocurrencies6 days ago
Trade Recommendation: Stellar
Cryptocurrencies6 days ago
Trade Recommendation: Ethereum Classic
Analysis3 days ago
Technical Analysis: Litecoin Continues Surge as Bitcoin Tests Highs