There were a lot of excellent talks at conferences this year, but perhaps the most interesting and far-reaching presentation was one given by researchers Thai Duong and Juliano Rizzo at Ekoparty on a crypto attack against ASP.NET applications. The “padding oracle” attack that the pair implemented enabled them to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application’s crypto API. The attack affected millions of ASP.NET applications and resulted in Microsoft issuing an emergency patch to protect customers. “It’s worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes,” Duong said.
(Photo via leduardo Flickr photostream)
