{"id":195203,"date":"2016-03-02T14:08:50","date_gmt":"2016-03-02T14:08:50","guid":{"rendered":"http:\/\/4cd.e16.myftpupload.com\/?p=195203"},"modified":"2016-03-02T14:08:50","modified_gmt":"2016-03-02T14:08:50","slug":"195203","status":"publish","type":"post","link":"https:\/\/citifmonline.com\/?p=195203","title":{"rendered":"&#8216;Thousands of popular sites&#8217; at risk of Drown hack attacks"},"content":{"rendered":"<p class=\"story-body__introduction\">Websites have been warned they could be exposed to eavesdroppers, after researchers discovered a new way to disable their encryption protections.<\/p>\n<p>The experts said about a third of all computer servers using the HTTPS protocol &#8211; often represented by a padlock in web browsers &#8211; were vulnerable to so-called Drown attacks.<\/p>\n<p>They warn that passwords, credit card numbers, emails and sensitive documents could all be stolen as a consequence.<\/p>\n<p>A fix has been issued.<\/p>\n<p>But it will take some time for many of the website administrators to protect their systems.<\/p>\n<p>The researchers have released a tool that identifies websites that appear to be vulnerable.<\/p>\n<p>They said they had not released the code used to prove their theory because &#8220;there are still too many servers vulnerable to the attack&#8221;.<\/p>\n<p>As yet, there is no evidence hackers have worked out how to replicate their technique.<\/p>\n<p>An independent expert said he had no doubt the problem was real.<\/p>\n<p>&#8220;What is shocking about this is that they have found a way to use a very old fault that we have known about since 1998,&#8221; said Prof Alan Woodward, from the University of Surrey.<\/p>\n<p>&#8220;And all this was perfectly avoidable.<\/p>\n<p>&#8220;It is a result of us having used deliberately weakened encryption, which people broke years ago, and it is now coming back to haunt us.&#8221;<\/p>\n<figure class=\"media-landscape has-caption full-width\"><span 
class=\"image-and-copyright-container\"><img loading=\"lazy\" decoding=\"async\" class=\"responsive-image__img js-image-replace\" src=\"http:\/\/ichef.bbci.co.uk\/news\/624\/cpsprodpb\/15755\/production\/_88539878_fed27be6-b171-42ae-8fcd-cc842b4e5094.jpg\" alt=\"Drown Attack website\" width=\"583\" height=\"328\" \/><\/span><\/figure>\n<p><strong>Call to action\u00a0<\/strong><\/p>\n<p>The researchers, cybersecurity experts from universities in Israel, Germany and the US as well as a member of Google&#8217;s security team, found a computer server could be vulnerable to attack just by supporting 1990s-era encryption protocol SSLv2 (Secure Sockets Layer version 2), even if in day-to-day use it employed more modern encryption standards to scramble communications.<\/p>\n<p>In practice, older email servers would be more likely to have this problem than the newer computers typically used to power websites.<\/p>\n<p>But many organisations reuse encryption certificates and keys between the two sets of servers, so an email server that still answers SSLv2 can be used to break into connections made to a website that never offers SSLv2 itself.<\/p>\n<p>The researchers dubbed the flaw Drown &#8211; an acronym for Decrypting RSA (the Rivest-Shamir-Adleman algorithm the affected servers use to set up their encrypted connections) with Obsolete and Weakened eNcryption.<\/p>\n<p>&#8220;Operators of vulnerable servers need to take action,&#8221; they wrote.<\/p>\n<p>&#8220;There is nothing practical that browsers or end-users can do on their own to protect against this attack.&#8221;<\/p>\n<figure class=\"media-landscape has-caption full-width\"><span class=\"image-and-copyright-container\"><img loading=\"lazy\" decoding=\"async\" class=\"responsive-image__img js-image-replace\" src=\"http:\/\/ichef-1.bbci.co.uk\/news\/624\/cpsprodpb\/A7FC\/production\/_88540034_b6369dc6-895f-454b-b8f1-55339e51ab7f.jpg\" alt=\"Computer server\" width=\"564\" height=\"317\" \/><\/span><\/figure>\n<p><strong>Export restrictions\u00a0<\/strong><\/p>\n<p>The SSLv2 protocol was deliberately weakened because, at the time of its creation, the US government wanted to try to restrict the availability of tough encryption standards to other countries.<\/p>\n<p>It has since eased its export limits, but the effects live on.<\/p>\n
<p>&#8220;The problem is that while clients &#8211; such as [web] browsers &#8211; have done away with SSLv2, many servers still support the protocol,&#8221; blogged Prof Matthew Green, from Johns Hopkins University.<\/p>\n<p>&#8220;In most cases this is the result of careless server configuration.<\/p>\n<p>&#8220;In others, the blame lies with crummy and obsolete embedded devices that haven&#8217;t seen a software update in years &#8211; and probably never will.&#8221;<\/p>\n<p><strong>Quick attack<\/strong><\/p>\n<p>To mount a successful attack on a website would still require a considerable amount of computing power.<\/p>\n<p>But, the researchers said, under normal circumstances, hackers could rent the required capacity from Amazon&#8217;s cloud compute division for as little as $440 (\u00a3314).<\/p>\n<p>In addition, because many of the servers vulnerable to Drown were also affected by a separate bug in the widely used OpenSSL software library, a successful attack could be carried out using a home computer.<\/p>\n<p>&#8220;This form of the attack is fast enough to allow an online man-in-the-middle style of attack, where the attacker can impersonate a vulnerable server to the victim,&#8221; the researchers wrote.<\/p>\n<p>&#8220;We were able to execute this form of the attack in under a minute on a single PC.&#8221;<\/p>\n<p>The researchers said many popular sites &#8211; including ones belonging to Samsung, Yahoo and a leading Indian bank &#8211; appeared to be vulnerable.<\/p>\n<p>Prof Woodward said the team&#8217;s test had also indicated a problem with bbc.co.uk.<\/p>\n<p>&#8220;The weakness is actually in the old Pop3 server,&#8221; he said.<\/p>\n<p>&#8220;Few people still use Pop3, but it means that things like your password reset server could theoretically be eavesdropped 
upon.&#8221;<\/p>\n<p>&#8211;<\/p>\n<p>Source: BBC<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Websites have been warned they could be exposed to eavesdroppers, after researchers discovered a new way to disable their encryption protections. The experts said about a third of all computer servers using the HTTPS protocol &#8211; often represented by a padlock in web browsers &#8211; were vulnerable to so-called Drown attacks. They warn that passwords, [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jnews-multi-image_gallery":[],"jnews_single_post":[],"jnews_primary_category":[],"jnews_social_meta":[],"jnews_override_counter":[],"footnotes":""},"categories":[106],"tags":[],"class_list":["post-195203","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts\/195203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=195203"}],"version-history":[{"count":0,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts\/195203\/revisions"}],"wp:attachment":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=195203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=195203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=195203"}],"curies
":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
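The article's "Call to action" section makes two points an operator can check for directly: a host is exposed to Drown as soon as it answers SSLv2 at all, whatever it negotiates with modern clients, and a mail server that shares a certificate or key with a web server drags that web server's TLS traffic into the exposure. The following is an added example, not code from the DROWN researchers, the BBC or any vendor: it builds a raw SSLv2 CLIENT-HELLO, sends it to a port that expects TLS from the first byte (443 for HTTPS, 995 for POP3S, 993 for IMAPS, 465 for SMTPS), and parses any SERVER-HELLO that comes back, reporting the offered cipher kinds, whether any are 40-bit export kinds, and a SHA-256 fingerprint of the certificate so the result from a mail host can be compared with the web host's. The SERVER-HELLO builder and the fake certificate bytes exist only so the parser can be exercised offline; they are constructed for this example, as are any host names used to run it.

```python
"""Raw SSLv2 probe: a server that answers a CLIENT-HELLO speaks SSLv2 and is
DROWN-exposed, whatever it negotiates with modern clients.
Added example for this article; not code from the DROWN researchers or the BBC."""
import hashlib
import os
import socket
import struct
from typing import Optional

# SSLv2 "cipher kinds" (3 bytes each) from the SSL 2.0 specification.  The two
# 40-bit export kinds are the ones the general DROWN attack relies on.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}

def _record(body: bytes) -> bytes:
    """2-byte SSLv2 record header: high bit set means no padding, 15-bit length."""
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """CLIENT-HELLO (msg type 1, version 0x0002) offering every cipher kind, empty session id."""
    challenge = os.urandom(16) if challenge is None else challenge
    ciphers = b"".join(SSL2_CIPHERS)
    return _record(b"\x01\x00\x02"
                   + struct.pack(">HHH", len(ciphers), 0, len(challenge))
                   + ciphers + challenge)

def build_server_hello(cert: bytes, ciphers: list, conn_id: bytes) -> bytes:
    """Constructed SERVER-HELLO (msg type 4, no session hit, X.509 cert, version 2).
    Only here so the parser can be exercised offline without a live SSLv2 host."""
    return _record(b"\x04\x00\x01\x00\x02"
                   + struct.pack(">HHH", len(cert), 3 * len(ciphers), len(conn_id))
                   + cert + b"".join(ciphers) + conn_id)

def is_sslv2_server_hello(data: bytes) -> bool:
    """True when the reply is an SSLv2 no-padding record whose message type is SERVER-HELLO."""
    return len(data) >= 3 and bool(data[0] & 0x80) and data[2] == 0x04

def cert_fingerprint(cert: bytes) -> str:
    """SHA-256 of the DER certificate; equal values on two hosts mean a shared certificate."""
    return hashlib.sha256(cert).hexdigest()

def parse_server_hello(data: bytes) -> dict:
    """Parse a SERVER-HELLO; ValueError for anything else (TLS alert, plaintext banner, EOF)."""
    if not is_sslv2_server_hello(data):
        raise ValueError("not an SSLv2 SERVER-HELLO")
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) < 11:
        raise ValueError("truncated SERVER-HELLO header")
    cert_type = body[2]
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, ciph_len, conn_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + ciph_len + conn_len:
        raise ValueError("truncated SERVER-HELLO body")
    cert = body[11:11 + cert_len]
    ciph = body[11 + cert_len:11 + cert_len + ciph_len]
    offered = [ciph[i:i + 3] for i in range(0, len(ciph), 3)]
    return {
        "version": version,                        # 2 for SSLv2
        "cert_type": cert_type,                    # 1 = X.509
        "cert_sha256": cert_fingerprint(cert),
        "ciphers": [SSL2_CIPHERS.get(c, c.hex()) for c in offered],
        "export_ciphers": [SSL2_CIPHERS[c] for c in offered if c in EXPORT_CIPHERS],
    }

def probe(host: str, port: int, timeout: float = 5.0) -> Optional[dict]:
    """Send a CLIENT-HELLO to a port that expects TLS from the first byte (443, 465,
    993, 995).  None means SSLv2 was refused.  STARTTLS ports (25, 110, 143) need the
    plaintext upgrade first and are not handled here."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
                if len(data) < 2:
                    continue
                if not data[0] & 0x80:
                    break                           # TLS alert or plaintext, not SSLv2
                if len(data) >= 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF):
                    break
        except socket.timeout:
            pass
    try:
        return parse_server_hello(data)
    except ValueError:
        return None
```

Calling `probe("mail.example.com", 995)` (a placeholder host) returns a dictionary if the host still speaks SSLv2 and `None` if it refuses; a non-empty `export_ciphers` list is the cheaper, general form of the attack the article describes, and a `cert_sha256` that matches the value returned from port 443 on the web host means the website's TLS sessions are exposed through the mail server. Two caveats: comparing certificate hashes misses the case where the same RSA key is wrapped in two different certificates, so a thorough check should compare the public key inside the certificate rather than the whole certificate; and the probe speaks SSLv2 from the first byte, so a mail service reachable only through STARTTLS has to be upgraded in plaintext first before the same CLIENT-HELLO is sent.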