
Infosecurity Europe: Serious structural internet security flaw revealed

29 April 2009

Peter Wood, chief of operations with First Base Technologies, the penetration testing specialist, and a member of the ISACA conference committee, has uncovered a structural security flaw with the internet that is not easily fixable.

The flaw, which centres on the security flag of session cookies on popular web sites, means that, as web sites move users between http and https (secure) IP sessions, the cookie can be intercepted and used by someone eavesdropping on the internet data stream.

And with the widespread use of WiFi and mobile broadband methods of accessing the internet, Wood says it is a relatively easy task for hackers and man-in-the-middle attackers to use the session cookie and so masquerade as the original internet user.

Many sites, says Wood, do not set the secure text flag on their site's session cookie.
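As an added example (not from the article or from First Base Technologies), the following Python check shows how a site operator could review captured response headers for session cookies issued without the Secure attribute. The URLs, cookie names and the name-matching heuristic are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for session cookies that a browser
# would also send over plain http because the Secure attribute is missing.

# Assumption: session cookies are recognised by a substring of their name.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(responses):
    """responses: iterable of (url, [Set-Cookie values]); returns findings."""
    findings = []
    for url, cookies in responses:
        for raw in cookies:
            name, _, attrs = parse_set_cookie(raw)
            if not any(hint in name.lower() for hint in SESSION_HINTS):
                continue  # not a session cookie under our heuristic
            if "secure" not in attrs:
                findings.append((url, name, "no Secure attribute: also sent over http"))
            elif url.lower().startswith("http://"):
                findings.append((url, name, "issued over http: value crossed the wire in cleartext"))
    return findings


# Constructed sample: a site that mixes http browsing with https checkout.
SAMPLE = [
    ("http://shop.example/", ["PHPSESSID=abc123; Path=/; HttpOnly", "lang=en; Path=/"]),
    ("https://shop.example/checkout", ["PHPSESSID=abc123; Path=/; HttpOnly"]),
    ("https://shop.example/account", ["authsid=9f8e; Path=/; Secure; HttpOnly"]),
    ("http://shop.example/login", ["token=zz19; Path=/; Secure"]),
]

if __name__ == "__main__":
    for url, name, problem in audit(SAMPLE):
        print(f"{url}  {name}: {problem}")
```

The second finding is the case the article describes: the cookie that authenticates the https checkout is the same one already exposed on the http pages.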

Because http sessions have far less data and IT resource overheads than https sessions, major sites often only use the latter secure protocol when requiring users to enter personal data such as payment card details on specific pages.

And if the hacker uses the cookie to take over an internet session - on a wireless or cellular connection, or even in an internet cafe - they can then intercept this personal data.

Under certain circumstances, says Wood, it is even possible for a hacker to seize control of a supposedly secure - and authenticated - IP session just as the user has entered their payment card data and other personal information.

Wood speculates that hackers may already be aware of what is a structural security flaw on the internet, bearing in mind a number of high profile hacks of e-commerce sites that use secure protocols to protect the interests of their customers.

"I'm pretty sure this exploit has been used by hackers in the past. It explains a lot about how some sites have been hacked," he says.

What makes matters worse is the fact that, if a site were to use the https protocol for an entire web session - the only way, says Wood, of preventing a hacker exploiting this flaw - then the data overheads of the site would soar by several hundred per cent.

"This isn't a software or an internet browser problem. It's also not an operating system security flaw. It can't easily be solved unless web site operators invest in the required IT resources and bandwidth to support https sessions for the entire length of the user access session," he says.

http://www.firstbase.co.uk
