Scientists have identified a new weakness in TLS encryption technology
Two internet security research scientists say they have identified a new vulnerability in TLS, the encryption technology used to safeguard online shopping, banking and privacy.
Discovered today, the design flaw could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites.
Professor Kenny Paterson from the Information Security Group at Royal Holloway, University of London and PhD student Nadhem Alfardan say that an attacker sitting between browser and server can recover plaintext from TLS-encrypted traffic.
According to their study, the weakness revolves around altering messages exchanged between the web server and browser, and noting microsecond differences in the time taken to process them.
These timings effectively leak information about the data being transferred, allowing eavesdroppers to rebuild the original unencrypted information slowly piece by piece.
Specifically, an attacker strategically changes the data used to pad out the encrypted blocks of information, and measures the time taken for the server to determine that the message was tampered with before rejecting it.
It is this time difference that reveals how far the server’s decryption and integrity-checking code got before it rejected the record, and that is enough to work out the contents of the original message byte by byte.
But it’s tricky to precisely measure these timings due to network jitter and other effects. And tampering with the data will cause the connection between the browser and the server to fail.
Thus a bit of attacker-controlled code on the client side, such as malware or a script running in the victim’s browser, is needed to make the browser repeatedly open new connections carrying the same secret, which might for example be a login cookie, while the attacker replays slightly altered versions of the encrypted message on each one.
This is similar to the earlier BEAST (Browser Exploit Against SSL/TLS) attack. We’re told attacks against DTLS – a variant of TLS used by VPNs to secure traffic – can be carried out in a single session as well.
“TLS is not quite as bullet-proof as we thought, and that’s disturbing.” A paper titled Lucky Thirteen: Breaking the TLS and DTLS Record Protocols, published late yesterday, states: “The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks like the Internet. It is widely used to secure web traffic and e-commerce transactions on the Internet. Datagram TLS (DTLS) is a variant of TLS that is growing in importance. We have found new attacks against TLS and DTLS that allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used.
“The attacks arise from a flaw in the TLS specification rather than as a bug in specific implementations. We have carried out experiments to demonstrate the feasibility of the attacks against the OpenSSL and GnuTLS implementations of TLS, and we have studied the source code of other implementations to determine whether they are likely to be vulnerable.”
Professor Paterson said: “While these attacks do not pose a significant threat to ordinary users in their current form, attacks only get better with time. Given TLS’s extremely widespread use, it is crucial to tackle this issue now.
“Luckily, we have discovered a number of countermeasures that can be used. We have been working with a number of companies and organizations, including OpenSSL, Google and Oracle, to test their systems against attacks and put the appropriate defences in place.”
The attacks apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. All TLS and DTLS cipher-suites that include CBC-mode encryption are potentially vulnerable.
Like CRIME (Compression Ratio Info-leak Made Easy) and the earlier BEAST SSL exploit, both developed by security researchers Juliano Rizzo and Thai Duong, the Royal Holloway academics’ Lucky Thirteen study threatens a fundamental eCommerce security protocol.
The latest attacks “are quite different from BEAST and CRIME” as the university pair explain in an FAQ: “BEAST exploits the inadvisable use of chained IVs in CBC-mode in SSL and TLS 1.0. CRIME cleverly exploits the use of compression in TLS.”
“Our attacks are based on analyzing how decryption processing is carried out in TLS. However, our attacks can be enhanced by combining them with BEAST-style techniques.”
The computer-science duo tested their attacks against OpenSSL and GnuTLS. For OpenSSL, full plaintext recovery of encrypted data is possible. For GnuTLS, partial recovery is possible. The researchers have not studied any closed-source implementations of TLS.
The attack can be blocked by making CBC-mode decryption take the same amount of time whether or not the padding is valid (the paper notes that merely adding random delays to decryption is a much weaker fix), or by switching to cipher-suites that do not use CBC at all, namely RC4 or AES-GCM. Of the two, AES-GCM is the better choice: RC4 sidesteps the padding problem but has well-documented statistical weaknesses of its own.
GnuTLS released a patch late yesterday, and OpenSSL is working on a fix at its end. Other vendors, including web browser developers, may also need to adapt their software in response to the threat.
The security researchers have a neat explanation for why the attack they have developed is called Lucky Thirteen – “In Western culture, 13 is considered an unlucky number. However, for our attack, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky – from the attacker’s perspective at least. This is what passes for humour amongst cryptographers.”
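The timing leak described earlier, and the part the 13 header bytes play in it, can be made concrete with a small simulation. This is an added example, not code from the paper or from any TLS library. Instead of measuring wall-clock time it counts SHA-1 compression-function calls, which is what the measurable timing reflects; CBC decryption is modelled rather than performed (flipping bits in ciphertext block C[i-1] flips the same bits in plaintext block P[i], so the attacker’s tampering is written as an XOR mask on the last plaintext block); and the 64-byte record, the use of HMAC-SHA1 as the MAC and all function names are assumptions made for illustration.

```python
"""Lucky Thirteen timing leak, simulated by counting SHA-1 compression calls.

Added example, not code from the paper or from any TLS implementation.
Assumptions: the record uses HMAC-SHA1 (20-byte tag), the record header
contributes 13 bytes to the MAC input, and the decrypted 64-byte record below
is constructed. CBC is modelled rather than performed: flipping bits in
ciphertext block C[i-1] flips the same bits in plaintext block P[i], so the
attacker's tampering is written directly as an XOR mask on the plaintext.
"""
import math

HEADER_LEN = 13   # 8-byte sequence number + 5-byte TLS record header, MACed with the data
MAC_LEN = 20      # HMAC-SHA1 tag length
SHA1_BLOCK = 64   # SHA-1 compression-function input size

# Constructed: what the attacker's spliced 4-block record decrypts to. The last two
# bytes ("\r\n") stand in for the plaintext bytes the attacker wants to recover.
SECRET_RECORD = b"GET /account HTTP/1.1\r\nCookie: session=8f3a9c1e2b7d4e6fa0c5;\r\n\r\n"


def hmac_sha1_compressions(msg_len: int) -> int:
    """SHA-1 compression calls needed for HMAC-SHA1 over msg_len bytes.

    Inner hash: one block for the padded key, then ceil((msg_len + 9) / 64) blocks
    for the message plus the 0x80 terminator and 8-byte length field.
    Outer hash: one block for the padded key, one for the 20-byte inner digest.
    55 bytes fit in a single message block (55 + 9 = 64); 56 bytes need two.
    """
    return 1 + math.ceil((msg_len + 9) / SHA1_BLOCK) + 2


def tls_padding_length(plaintext: bytes):
    """TLS CBC padding check: final byte p, and the last p + 1 bytes all equal p.

    Returns p if the padding is well formed, otherwise None.
    """
    p = plaintext[-1]
    if p + 1 > len(plaintext) - MAC_LEN:
        return None
    if any(b != p for b in plaintext[-(p + 1):]):
        return None
    return p


def leaky_decrypt_cost(plaintext: bytes) -> int:
    """Pre-Lucky-13 processing: if the padding is bad, treat it as zero-length and
    MAC the whole record anyway (the classic fix for padding-oracle attacks).

    The MAC input is header + plaintext - MAC - padding, so its length, and with it
    the number of compression calls, still depends on whether padding was valid.
    """
    p = tls_padding_length(plaintext)
    pad_total = 0 if p is None else p + 1
    return hmac_sha1_compressions(HEADER_LEN + len(plaintext) - MAC_LEN - pad_total)


def constant_time_decrypt_cost(plaintext: bytes) -> int:
    """Countermeasure: always do as many compressions as the longest possible MAC
    input (zero-length padding) by running dummy compressions on junk data."""
    worst_case = hmac_sha1_compressions(HEADER_LEN + len(plaintext) - MAC_LEN)
    real = leaky_decrypt_cost(plaintext)
    return real + (worst_case - real)   # dummy work pads every path to worst_case


def recover_last_two_bytes(record: bytes, cost_oracle):
    """Attacker's view: try every 16-bit mask on the last two bytes and look for the
    mask that makes the server's work cheaper. Cheaper means the tampered block ended
    in valid two-byte padding 0x01 0x01, which gives away the two original bytes.

    Returns a list of candidate byte pairs, or None if the oracle leaks nothing.
    """
    costs = {}
    for mask in range(1 << 16):
        d0, d1 = mask >> 8, mask & 0xFF
        forged = record[:-2] + bytes((record[-2] ^ d0, record[-1] ^ d1))
        costs[(d0, d1)] = cost_oracle(forged)
    fastest = min(costs.values())
    if fastest == max(costs.values()):
        return None
    return [bytes((d0 ^ 0x01, d1 ^ 0x01))
            for (d0, d1), cost in costs.items() if cost == fastest]


if __name__ == "__main__":
    print("leaky server  :", recover_last_two_bytes(SECRET_RECORD, leaky_decrypt_cost))
    print("constant-time :", recover_last_two_bytes(SECRET_RECORD, constant_time_decrypt_cost))
```

Against the leaky oracle the search lands on exactly one mask, the one that turns the last two bytes into 0x01 0x01: with a 64-byte record the MAC input is then 13 + 64 - 20 - 2 = 55 bytes, which fits one SHA-1 block, while invalid padding or a single 0x00 pad byte gives 57 or 56 bytes and costs one extra compression. That one-block boundary exists only because of the 13 header bytes. Against the constant-time oracle every mask costs the same and the attacker learns nothing. In the real attack each tampered record kills the connection and the one-compression gap is buried in network jitter, which is why the paper needs BEAST-style repeated connections and many measurements per byte.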
In other internet security news
It would appear that Oracle is trying hard to be more proactive about the security of Java.
The software company has brought forward the timetable of an upcoming Java security update by two weeks in order to block off a new security hole recently discovered.
The security update, originally scheduled for February 19, was released on Feb. 1st because of active exploitation ‘in the wild’ of one of the security vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.
The update covers no fewer than fifty-one security holes, forty-nine of which are remotely exploitable, and twenty-seven of which carry the maximum Common Vulnerability Scoring System (CVSS) score of 10.
The latest official versions are Java 7 update 13 and Java 6 update 39. This month also marks the end of life of Java 6, so these are its last public updates.
Despite the update, many security experts continue to advise against enabling the Java plug-in in browsers. If users do need Java applets for certain sites or for internal applications, those should be opened in a second browser that is not used for day-to-day surfing.
The overall security implications of Oracle’s new Java security update can be found in a blog post by Paul Ducklin of Sophos on their site.
In other internet security news
Twitter was very busy last night resetting passwords and revoking cookies, following a serious security breach that may have leaked the account data of about 250,000 users.
“Last night, we detected some very unusual access patterns that led us to identify unauthorized access attempts to Twitter user data,” said Bob Lord, Twitter’s director of information security.
According to Lord, Twitter was able to shut down the attack within moments of discovering it, but not before the attackers were able to make off with what he calls “limited user information,” including usernames, email addresses, session tokens, and salted, hashed versions of passwords (which Twitter describes as encrypted).
Salted, hashed passwords cannot simply be decrypted: an attacker has to guess candidate passwords and hash each one, which is slow against a good hashing scheme but far from impossible for weak or common passwords. Knowing which algorithm was used is no special advantage, since the algorithm is never the secret part, so the hashing buys time rather than safety, which is why Twitter reset the affected passwords rather than relying on it.
As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just “a small percentage” of the more than 140 million Twitter users worldwide.
If yours is one of the accounts involved, you’ll need to enter a new password the next time you log in. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods.
In addition, he recommends against using the same password on multiple sites. Lord says Twitter’s investigation is ongoing, and that it’s taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal.
“This attack wasn’t the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the internet safer for all users,” Lord added.
Although the attack took place last night, it seems to have no relationship to the outage that took Twitter offline for several hours on Thursday.
Lord’s post does, however, make rather cryptic mention of the U.S. Department of Homeland Security’s recent recommendation that users disable the Java plug-in in their browsers.
He mentions Java twice, in fact. While it’s true that the Java plug-in contains multiple known vulnerabilities and that numerous security experts have warned that it should be considered unsafe, the connection between Java and the attack Twitter experienced isn’t clear, and Twitter reps didn’t respond to our request for clarification.
In other internet news
About 71.2 percent of all exploit kits that attempt to inject malware into internet surfers’ computers were developed in Russia, and about 51.8 percent exploit older operating system vulnerabilities.
Blackhole 2.0 is the most widely used exploit kit, installed on thousands of compromised websites to attack and take over visitors’ computers.
However, it targets fewer software security holes than rival cybercrime kits, according to a fresh report by managed security firm Solutionary.
Contrary to the hype that exploit kits live off newly disclosed flaws, Solutionary found that the majority (59 percent) of the vulnerabilities being exploited were more than two years old.
The company reviewed 26 commonly used malware kits and discovered code abusing security bugs dating as far back as 2004, evidence that older vulnerabilities continue to be mined for profit by cybercrooks.
Typically, criminal hackers compromise otherwise perfectly legitimate websites to plant hacking toolkits and distribute fake antivirus software, banking Trojans and other bad code.
Researchers at the security firm concluded that antivirus products fail to detect more than about 64 percent of the malware being distributed, a finding that is likely to be controversial in more ways than one.
The practical upshot is that system admins would be wise to keep their systems patched, especially Windows Server 2003, 2008 and 2012, Adobe Flash, web browsers and Java, rather than relying on security scanners to block whatever attacks come their way.
“Exploit root kits largely focus on targeting end-user applications,” said Rob Kraus, a director of security research at Solutionary. “As a result, it’s absolutely critical that organizations pay close attention to security patch management and endpoint security controls in order to significantly lower the likelihood of a server compromise.”
In other internet security news
A large group of activists, privacy organizations, journalists and others have called upon Microsoft to be more forthright about when, why, and to whom it discloses its data about Skype users and their communications.
In an open letter published yesterday, the activist coalition argues that Microsoft’s statements about the confidentiality of Skype conversations have been “persistently unclear and confusing,” casting several doubts on the security and privacy of the Skype platform.
“Many users of the platform rely on Skype for so-called ‘secure communications’ – whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” the letter explains.
Among the group’s numerous concerns is that although Skype was founded in Europe, its acquisition by a U.S.-based company may mean it is now subject to different eavesdropping and data-disclosure requirements than it was before.
The coalition group claims that both Microsoft and Skype have refused to answer several questions about what kinds of user data the service retains, whether it discloses such data to governments, and whether Skype conversations can be intercepted in any manner.
The letter calls upon Microsoft to publish a regular transparency report outlining what kind of data Skype collects, what third parties might be able to intercept or retain, and how Skype interprets its responsibilities under the laws that pertain to it.
Additionally, it asks for quantitative data about when, why, and how Skype shares data with third parties, including governments.
As the letter points out, several other companies already provide such reports, including Google, Twitter, and Sonic.net. Google’s most recent report showed that government requests to Google for user data have increased 70 percent since mid-2010.
Microsoft acquired Skype in 2011 for $8.5 billion and has since been working to make the service a key pillar of its communications strategy. Most recently, Microsoft announced that it would shut down its Windows Live Messenger service in March and urged all current Messenger users to switch to Skype.
As could be expected, Microsoft’s strong-arm tactics haven’t pleased Messenger fans, but they’ve impressed privacy advocates even less, given the ambiguity about what information Skype discloses.
“On the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for the company to publicly document Skype’s security and privacy practices,” the open letter reads.
The letter is co-signed by a total of 61 individuals and 45 organizations, including such groups as the AIDS Policy Project, Cyber Arabs, DotConnectAfrica, the Egyptian Initiative for Personal Rights, the Electronic Frontier Foundation (EFF), Reporters Without Borders, the Thai Netizen Network, and the Tibet Action Institute.
“Microsoft has an ongoing commitment to collaborate with advocates, industry partners and governments worldwide to develop solutions and promote effective public policies that help protect people’s online safety and privacy,” the company said in an emailed statement.
In other internet security news
Kaspersky Labs said today that it has discovered yet another global spying campaign that targets numerous governmental agencies, political groups, universities and research institutions.
Kaspersky, together with a number of Computer Emergency Response Teams (CERTs), discovered the malware, known as ‘Rocra’ or ‘Red October’, which it puts on the same level as the memorable Flame malware. It mostly targets institutions based in Eastern Europe, former USSR members and countries in Central Asia.
Kaspersky Labs says that Red October has been gathering a lot of data and intelligence from “mobile devices, computer systems and network equipment” and is currently still active. Data is gathered and sent to multiple command-and-control servers which the security firm says rivals the complex nature of Flame.
The malware arrives in a spear-phishing email which, according to Kaspersky, targets carefully selected victims within an organization such as a government agency. The attached documents carry at least three different exploits for vulnerabilities in Microsoft Excel and Word; once opened, they drop a trojan on the affected computer, which then scans the PC’s hard drive and the local network to find other machines vulnerable to the same security holes.
The trojan carries out individual tasks by fetching modules, usually .dll libraries, on command from the control servers; each module does its job and is then discarded to remove the evidence.