Monthly Archives: December 2008

VeriSign's RapidSSL HACKED!

Researchers successfully exploited a known “bug” with the MD5 hash algorithm to create duplicate SSL certificates.

As you know, when you want to show your site visitors that their transaction is safe with you, you purchase an SSL certificate. That certificate is registered to your domain and proves you are who you say you are.

So, no other site can “prove” they are you because there is only one valid SSL certificate for your domain and you own it.

With this latest breakthrough, phishers can create bogus websites and duplicate your SSL certificate. It’s like having the same DNA between 2 or more people.

The really interesting part of this announcement is that the researchers used over 200 Sony Playstations to crack the encryption. That’s right. Sony Playstations.

Reportedly, the Playstation 3′s cell processor is quite handy with cryptographic calculations and therefore was a natural for this experiment.

Keep in mind that this was not found “in the wild”. It was conducted by researchers in a lab, however, if they can produce it, I’m sure the cybercriminals won’t be far behind.

What can you do to protect yourself and more importantly your customers?

Be sure your SSL certificate was created with SHA-1 hashing rather than the MD5 hash found vulnerable in this situation. I have read that VeriSign has just now changed their cryptographic hashing from MD5 to SHA-1 but I’m not sure if that is only for new certificates issued from this point forward or if you’re able to update yours.

Some of the CA’s (Certificate Authorities) still using MD5 hashing include: RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte and Verisign.co.jp

I also want to point out that using this information is quite complicated and would not be easy to implement, but the fact remains that you can be proactive now and prevent your certificate from being used in a malicious way.

Forums Under Attack

If you’ve ever visited a forum before, you know how helpful they can be.

These very same forums can also harm you. Well not you personally, but your computer. And if you’re like me, your computer is an extension of you.

Want to start some really heated discussion in a forum? Write a post that declares whatever forum software you use is the best and safest. I’ve seen many of these posts and the name calling and defensive posture people take over their decision to use one forum software over another is sometimes ridiculous.

After scanning many, many forums for people, we’ve come to discover 2 things:

  1. None of them are always safe
  2. They’re all safe – sometimes

In order to better understand the above you have to get into the mind of a hacker.

Hackers don’t hack just to hack. They now hack for money. Their income depends on how many computers they can infect and remotely control. They need to reach as many computers as possible because they know their “hacks” won’t work on every computer.

They’re playing a numbers game.

Let’s see now, where can they reach thousands of people unaware of their malicious intent?

AH HA! Forums.

Many people visit forums to solve a problem. When you’re looking for a new web hosting provider, you can go to www.webhostingtalk.com or other such forums. When you’re looking to solve a problem with a cascading style sheet you can search for “forum CSS” and you’ll find a ton of sites offering you contact with potential solutions.

In other words, your guard is down. You’re focused on getting an answer to your question or a solution to your problem. If a window pops up asking you to install something, you might just be tempted to follow along just so you can get to your end result.

And after all, forums are safe, right?

In our work, we’ve seen Drupal, phpBB, vBulletin, php Fusion and Joomla based sites all hacked. Sometimes it’s the plugins used. Other times it’s a carefully crafted SQL injection. Or it could be a remote file injection attack that succeeds. Whatever the attack vector, the point is that every website is a target for hackers. The scans we do today may not uncover an exploit discovered tomorrow.

It’s part of our daily routine to scan the forums and chat rooms that hackers use to discover what they know. Our business is a game of chase and the hackers are always leading the way. 

I’m not saying you should never visit forums, that would be ridiculous. I visit them all the time. What I am saying is that you have to be just as careful when visiting forums as you would just viewing any webpage. Don’t click on things you aren’t 100% sure are safe.

Another thing to discuss is when people change their forum or blogging software because they’ve been hacked.

I just read a posting that read, “we were using phpBB and we were hacked (twice), the second time nothing could be done to retrieve our forum and to wipe everything and start from scratch. Drupal was recommended to us so we decided to give it a whirl.”

Why, after spending so much time learning one system, would you change to something else? Why not spend some time learning how to lock down your existing system? Why not ask questions of other forum owners, how they keep their forum from being a hacker victim?

Maybe I’m wrong on this, but that’s what makes sense to me. If I’m wrong or if you disagree, please voice your opinion with a comment or two.

Thank you for your time and attention.