The security of the Web is looking a little like Al Bundy right about now (look it up, kids). Granted, Black Hat is fresh on our minds and you always come away from that event less willing to use the Internet, but this year seemed especially bad in terms of new attacks—or new twists on old attacks—that leave you associating just one word with the Internet: Broken!
Not sure if last week’s assault on the Internet was unprecedented, but it was perhaps the most frightening few days in a long time because a good number of the hacks uncovered in Vegas targeted architectural problems in browsers or protocols rather than patchable vulnerabilities. In other words, there’s no way to fix this stuff without a pretty sizable tear-down of things. That’s expensive, complicated and time-consuming—and in the meantime hackers have free run at these problems to pwn websites, steal accounts, monitor traffic and lots more.
These attacks also brought out the beauty of the research community and its ability to think about problems in radical, and often simple, ways. In what other industry can you do something as simple as buy an online advertisement through an ad network and amass an army of browsers to do your bidding?
The simplicity of their attack is facilitated not only by the architecture of online ad networks, but by the business model at play.
“We input one set of code and got it approved and then that was it,” Johansen said. “There’s no real way for any of them to spend the money to keep up with [our] code changing. It’s a business case issue for them.” Grossman added: “There’s not a whole lot they can technically do about it because we can change the code at any time without validation, and that’s just the way the Web works.”
“It’s everybody’s problem,” Grossman said. “The browser vendors can’t do anything about it without breaking the Web. The ad vendors can’t do anything about it because their business model prevents it. The user isn’t a victim either, because we’re using their browser to temporarily attack someone else, and we’re not negatively impacting them.”
Broken protocols and crypto algorithms are also conspiring to break the Web. The CRIME attack’s little brother BREACH was released late last week; all it does is steal secrets embedded in HTTPS responses by measuring changes in compression. CERT shrugged its collective shoulders too, dejectedly admitting in an advisory: “We are currently unaware of a practical solution to this problem.”
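As an added illustration (not code from the original article or from the BREACH researchers), the following Python uses zlib on a constructed page to show why compressed response size leaks a secret that sits next to attacker-influenced text, and shows the per-response token masking that removes the signal; the page template, the secret `7f3a9c1e` and the hex alphabet are constructed values.

```python
import os
import zlib

# Constructed per-session secret that the server embeds in every HTTPS page.
SECRET = "7f3a9c1e"

def build_body(reflected: str, token: str = SECRET) -> bytes:
    # Constructed page: attacker-influenced text (e.g. a search string echoed
    # from the URL) shares one DEFLATE stream with the secret.
    return (f"<html><p>You searched for: {reflected}</p>"
            f"<form>csrf={token}</form></html>").encode()

def compressed_len(body: bytes) -> int:
    # Size on the wire after HTTP compression; TLS encrypts it but does not hide it.
    return len(zlib.compress(body, 9))

def next_char_scores(known_prefix: str, token: str = SECRET,
                     alphabet: str = "0123456789abcdef") -> dict:
    # The signal BREACH measures: when the reflected guess extends the LZ77
    # match against the secret, the response shrinks by about one literal.
    return {c: compressed_len(build_body("csrf=" + known_prefix + c, token))
            for c in alphabet}

def mask_token(secret_hex: str, mask=None) -> str:
    # Mitigation (the per-response masking web frameworks adopted for CSRF
    # tokens after BREACH): XOR the secret with a fresh random mask and send
    # mask || masked.  The secret's literal bytes never reach the wire, so a
    # reflected guess has nothing to back-reference.
    secret = bytes.fromhex(secret_hex)
    mask = os.urandom(len(secret)) if mask is None else mask
    return mask.hex() + bytes(s ^ m for s, m in zip(secret, mask)).hex()

def unmask_token(wire: str) -> str:
    # Server side: recover the secret from mask || masked.
    raw = bytes.fromhex(wire)
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[:half], raw[half:])).hex()

if __name__ == "__main__":
    # With "7f3a" already known, the correct next character '9' gives the
    # (joint) smallest response; with a masked token the sizes no longer
    # depend on the secret at all.
    print("unmasked:", next_char_scores("7f3a"))
    print("masked:  ", next_char_scores("7f3a", token=mask_token(SECRET)))
```

Disabling HTTP compression on responses that carry secrets, or adding random padding, are the other commonly cited mitigations; masking is the one that keeps compression and removes the correlation.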
And in yet another bombshell, crypto experts put a lifespan on the venerable RSA encryption algorithm and made a call for browser vendors, certificate authorities and crypto companies to move to ECC before it’s too late. In the last couple of years, a number of crypto attacks such as CRIME, BEAST and now BREACH have shed scary light on the fact that crypto, the technology upon which e-commerce markets its security, is on shaky ground.
Clearly, the problem lies beyond old crypto schemes or fancy hacks; the Web can be broken and has been broken—several times last week alone. The real problem is: What can be done about it?