August 2, 2009

Hackers Reveal Security Vulnerability In Trusted Sites

A nefarious new tactic used by hackers works similar to a telephone tap, intercepting information between computers and the trusted Web sites they visit.

Hackers at last week's Black Hat and DefCon security conferences revealed a significant flaw in the way Web browsers filter untrustworthy sites and block users from accessing them.

The flaw allows cybercriminals who penetrate a network to establish a secret eavesdropping position, enabling them to capture passwords, credit card numbers and other private data flowing between computers on that network and the Web sites users believe are safe.

In an even more worrisome scheme, a hacker could hijack the auto-update feature on a victim's computer, and trick it into automatically installing malicious code from the attacker's Web site.   In that case, the computer would simply believe the code was a valid update coming from the software manufacturer.

Three hackers demonstrated the attack at the conference -- independent security researcher Moxie Marlinspike, who presented alone, and Dan Kaminsky, with security consultancy IOActive Inc., and security researcher Len Sassaman, who presented together.

All three concluded there are serious problems with the way browsers interact with Secure Sockets Layer (SSL) certificates, standard technology used on banking, e-commerce and other Web sites that handle sensitive information.

Companies who make Web browsers and those that sell SSL certificates are now working to address the problem.

Microsoft Corp., who makes the top selling Internet Explorer (IE) browser, said it was looking into the issue, while Mozilla Corp., which makes the No. 2 Firefox browser, said most of the issues were fixed in the latest version of Firefox, with the remainder addressed in an update coming later this week.

VeriSign Inc., one of the leading SSL certificate firms, says its certificates aren't vulnerable.

Tim Callan, a marketing executive in VeriSign's SSL business unit, noted that the "tap" would not work against Extended Validation SSL certificates, which cost more and include a deeper inspection of a company's application.

The hack falls into a class of attacks known as "man-in-the-middle," in which a cybercriminal places himself between a victim's computer and a legitimate Web site and pilfers data as it is transmitted back and forth.

Jeff Moss, founder of the Black Hat and Defcon conferences, said the fact a hacker has to actually infiltrate a victim's network for the attack to work could limit its effectiveness.

"That's the nice mitigating thing," said Moss, who this summer was appointed to the Homeland Security Department's advisory council.

However, "for targeted attacks it's absolutely deadly," he warned.

"This is the way you can get everything. If you can get in the middle, you can get everything. It's a big, giant wake-up call for the industry," he told the Associated Press.

SSL certificates are vital in ensuring trust on the Internet.  Web sites purchase the certificates to encrypt traffic and assure users their information will be kept confidential and not compromised.

Companies that sell SSL certificates verify that the person or business purchasing a certificate actually owns the Web site to which the certificate will be attached.

Although a site's use of an SSL certificate is typically denoted by the presence of a padlock in the address bar, many visitors don't pay attention to whether or not the padlock is present.

But unlike people, browsers do care, which is why this week's presentations are so important.  Web browsers are programmed to block sites without a valid SSL certificate, or those with a certificate displaying a Web address that doesn't match the address a Web surfer was trying to access (which can indicate a hacker has hijacked a user's Internet session).   If the sites are not blocked, users are warned of a potential threat and given the option to click through.

The issues presented by the hackers involve an idiosyncrasy in the way browsers read SSL certificates.   Many SSL certificate companies will allow the attachment of a programming symbol known as a "null character" into the Web address of the certificates they receive.  But Web browsers typically disregard the symbol, and stop reading at it when they're verifying the Web address on a certificate.

For the latest attack, the security experts said all a hacker would need to do is put the name of a legitimate Web site before the null character, thereby tricking the browser into believing it is visiting the legitimate site, when in fact the site was actually under the hacker's control. The criminal could then forward the traffic onto the legitimate Web site and spy on everything the victim does while visiting that site.  

The attack underscores a serious vulnerability in the very technology used to guarantee safety when sending and receiving sensitive information.

SSL expert Jon Miller, director of Accuvant Labs, predicts considerable attacks against businesses in the coming months using the new technique. 

Cybercriminals who operate "phishing" scams, in which people are tricked into visiting fraudulent Web sites, will also likely embrace the new hack.

"What kind of makes this earth-shattering is these aren't the most sophisticated attacks in the world," he told the Associated Press.

"This is going to become a huge problem."

Indeed, it may already be starting.  Callan said within hours of the discussions his company received a number of applications for SSL certificates featuring null characters.  Verisign denied the requests.


On the Net: