More weaknesses in e-commerce and SSL-VPN connections revealed

13 July 2009

A report just published by Ben Chai, a director with Incoming Thought Limited and editor of the SecurityVibes portal, claims to show that a security flaw in the secure sockets layer (SSL) internet protocol has been used by criminals to circumvent supposedly secure e-commerce websites.

The security flaw, says Chai, who is a regular presenter with Infosecurity's information security webinar programme, allows hackers to use man-in-the-middle attack techniques and break into e-commerce sites round the world.

E-commerce sites, he says, are renowned for their security as they use the secure HTTPS protocol for all business transactions.

However, the report shows how the UK ethical hacking and penetration testing firm, First Base Technologies, has been using a configuration weakness listed in OWASP's web developer's guide since 2007 that allows cybercriminals to hijack connections.

As reported by Infosecurity in late April when we interviewed Peter Wood, the chief of operations with First Base and another regular on the Infosecurity webinar programme, the cookie hijack works regardless of the authentication type and the amount of encryption used.

This, says Chai, is because criminals are essentially hijacking the session using the session token of a user connection to the e-commerce site.

"In other words the attack works whether you use two-factor authentication or a highly secure SSL-VPN connection."

In the report, SecurityVibes members have mentioned an even more alarming SSL hack using Moxie Marlinspike's SSLstrip technology, which Chai claims is currently more difficult to defend against.

A copy of the report can be seen here...

 
