April 2009

Black Hat Conference: Socket to me

A security researcher has demonstrated a way to hijack Secure Sockets Layer (SSL) sessions to intercept login data.

Moxie Marlinspike, who spoke at the Black Hat security conference, explained how to subvert an SSL session by performing a man-in-the-middle attack. The anarchist researcher explained in a YouTube video that the attack uses a tool he developed, called SSLstrip, which exploits the transition between http and https sessions.

“SSLstrip man-in-the-middles of all the potential SSL connections on the network, specifically attacking the bridge between http and https,” Marlinspike said in the video.

Secure Sockets Layer and its successor Transport Layer Security are cryptographic protocols used to encrypt communications over TCP/IP networks. Banks and other organizations use SSL and TLS to secure web transactions.

The attack relies on users not initiating an SSL session directly by typing an https URL into the browser. Most users start a session by clicking a button or link on an unencrypted http page, which then takes them to an encrypted https page to log in.

“That opens up all kinds of avenues for ways that you might intercept [details],” Marlinspike said. In his Black Hat presentation, he claimed to have gathered details on 117 e-mail accounts, seven PayPal logins, and 16 credit card numbers within a 24-hour period.

SSLstrip works by watching http traffic, then acting as a proxy when a user attempts to initiate an https session. SSLstrip itself connects to the secure server over https, so the server sees an ordinary secure session, while all traffic between the user and SSLstrip remains plain http, even though the user believes the secure session has started.

This means the “disastrous warnings” that browsers would otherwise display never appear, and the session looks normal to the user. That is when the harvesting of login details takes place.
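The attack described above works only because the "bridge" from http to https is unprotected: the plain-http entry point either does not redirect to https or does so in a way a proxy can quietly drop, and the login form a stripped user sees posts over plain http. The following is an added example, not code from the article or from the SSLstrip tool; it shows the checks a site owner or a user-side monitor can run against captured HTTP responses to tell a healthy bridge from a stripped one. The responses, hostnames and form markup below are constructed for the example. The Strict-Transport-Security check refers to HSTS (RFC 6797), a standard that postdates the article and exists to close exactly this gap.

```python
"""Defender-side checks for the http->https bridge that SSLstrip removes.

Added example; not from the article or the SSLstrip project. All HTTP
responses below are constructed samples, not captured from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def audit_http_entry(raw: bytes, requested_url: str):
    """Findings for a response fetched over plain http.

    A healthy site answers its http entry point with an immediate redirect to
    an https URL. A 200 with content over http is what a stripped user sees.
    """
    status, headers, _ = parse_response(raw)
    if status not in REDIRECT_STATUSES:
        return [f"served status {status} over plain http instead of redirecting to https"]
    target = urljoin(requested_url, headers.get("location", ""))
    if urlsplit(target).scheme != "https":
        return [f"redirects to non-https location {target}"]
    return []


def audit_hsts(raw: bytes):
    """Findings for a response fetched over https: it should carry HSTS with a positive max-age.

    Browsers only honour the header on https responses, so it is checked here
    and not in audit_http_entry.
    """
    _, headers, _ = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header on the https response"]
    directives = {}
    for part in hsts.split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.lower()] = value.strip('" ')
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age <= 0:
        return ["Strict-Transport-Security present but max-age is 0 or missing"]
    return []


class _FormScanner(HTMLParser):
    """Collect each <form>'s resolved action URL and whether it holds a password field."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the scheme of the page it was served on.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_login_forms(html: str, page_url: str):
    """Return action URLs of password forms that would submit over plain http."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return [f["action"] for f in scanner.forms
            if f["has_password"] and urlsplit(f["action"]).scheme != "https"]


# Constructed samples (hostname and markup invented for this example).
GOOD_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://bank.example/\r\n"
             b"Content-Length: 0\r\n\r\n")
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b'<form action="https://bank.example/auth" method="post">'
              b'<input name="user"><input type="password" name="pw"></form>')
# The downgraded state the article describes: a login page served over http,
# with the form action pointing at http and no redirect to https.
STRIPPED_HTTP = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n\r\n"
                 b'<form action="http://bank.example/auth" method="post">'
                 b'<input name="user"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    print("http entry (good):", audit_http_entry(GOOD_HTTP, "http://bank.example/"))
    print("https page (good):", audit_hsts(GOOD_HTTPS))
    print("http entry (stripped):", audit_http_entry(STRIPPED_HTTP, "http://bank.example/login"))
    print("insecure login forms (stripped):",
          find_insecure_login_forms(parse_response(STRIPPED_HTTP)[2], "http://bank.example/login"))
```

Run against the constructed samples, the healthy pair produces no findings, while the stripped response is flagged twice: once because content came back over http where a redirect was expected, and once because a password form resolves to an http action. Running the same two checks against a live site needs only a socket or `http.client` fetch in place of the embedded byte strings.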

While SSL is widely accepted as secure, security researchers have claimed that outsiders can intercept SSL communications.

Separately, a group of U.S. government security organizations has listed the top 20 security actions they recommend organizations take to improve computer security, ZDNet reported. It is the “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance.” A consortium of U.S. government agencies, including the NSA, US-CERT, various U.S. Department of Defense computer security groups, and the security training organization SANS Institute, published the list in late February. View it at http://www.sans.org/cag/.

Alan Paller, director of the SANS Institute, said the list, also known as the Consensus Audit Guidelines, would spark “a complete revolution in federal and business cyber security.”

Nicholas Sheble (nsheble@isa.org) writes and edits Automation Update.
