The security of the Web is looking a little like Al Bundy right about now (look it up kids). Granted Black Hat is fresh on our minds and you always come away from that event less willing to use the Internet, but this year seemed especially bad in terms of new attacks—or new twists on old attacks—that leave you associating just one word with the Internet right about now: Broken!
Not sure if last week’s assault on the Internet was unprecedented, but it was perhaps the most frightening few days in a long time because a good number of the hacks uncovered in Vegas targeted architectural problems in browsers or protocols rather than patchable vulnerabilities. In other words, there’s no way to fix this stuff without a pretty sizable tear-down of things. That’s expensive, complicated and time-consuming—and in the meantime hackers have free run at these problems to pwn websites, steal accounts, monitor traffic and lots more.
These attacks also brought out the beauty of the research community too and its ability to think about problems in radical and often simple, ways. In what other industry can you do something as simple as buy an online advertisement through an ad network and amass an army of browsers to do your bidding?
Jeremiah Grossman and Matt Johansen of WhiteHat Security took their best shot at breaking the Web with a presentation on using online ad networks to distribute third-party javascript that could crash webservers or be used as a sort of utility computing, hacking CPU cycles as long as a browser is open to a page hosting their javascript ad to crack passwords, for example.
The simplicity of their attack is facilitated by not only the architecture of online ad networks, but the business model at play.
“We input one set of code and got it approved and then that was it,” Johansen said. “There’s no real way for any of them to spend the money keep up with [our] code changing. It’s a business case issue for them.” Grossman added: “There’s not a whole lot they can technically do about it because we can change the code at any time without validation, and that’s just the way the Web works.”
With the ad network as the delivery method, Grossman and Johansen could use their javascript to get browsers to point to a website, for example. There are no hacks against browsers, no malware traversing the ad network, nothing to set off red flags. And no one can fix this broken part of the Web because really no one is culpable.
“It’s everybody’s problem,” Grossman said. “The browser vendors can’t do anything about it without breaking the Web. The ad vendors can’t do anything about it because their business model prevents it. The user isn’t a victim either, because we’re using their browser to temporarily attack someone else, and we’re not negatively impacting them.”
Javascript seems to be the causeway connecting a lot of these problems. UK researcher Paul Stone discovered a means of stealing browser data by using javascript-based timing attacks to exploit some known and previously unknown browser problems. His method could not only expose browser data, but also unhinge a website’s source code, revealing user IDs and more. All major browsers are susceptible and researchers believe it could be another black hole that vendors can do little about.
Broken protocols and crypto algorithms are also conspiring to break the Web. The CRIME attack’s little brother BREACH was released late last week; all it does is steal secrets embedded in HTTPS responses by measuring changes in compression. A CERT advisory shrugged its collective shoulders too, dejectedly admitting in an advisory: “We are currently unaware of a practical solution to this problem.”
An in yet another bombshell, crypto experts put a lifespan on the venerable RSA encryption algorithm and made a call for browser vendors, certificate authorities and crypto companies to move to ECC before it’s too late. In the last couple of years, a number of crypto attacks such as CRIME, BEAST and now BREACH have shed scary light on the fact that crypto, the technology upon which e-commerce markets it security, is on shaky ground.
Clearly, the problem lies beyond old crypto schemes or fancy hacks; the Web can be broken and has been broken—several times last week alone. The real problem is: What can be done about it?