SSL remains security weakness despite latest reinforcements
There are many ways bad guys attack systems, disrupt infrastructures and steal data, but one of the most common uses an entry point that is vital to Internet communications and yet, it seems, carelessly disregarded: the humble, but crucial, SSL.
Secure Sockets Layer is the standard way of establishing an encrypted link between a server and a client, such as a web browser. All transactions that are needed for modern Internet-based communications and commerce – credit card numbers, personal identifiers such as Social Security numbers, website logins etc. – use SSL.
But despite the moniker, SSL is sometimes not that secure. One particular and apparently growing problem is with improper SSL validation. That was the focus of the GoTo bug discovered early this year (and since patched) in Apple’s iOS and Mac OS X. The vulnerability opened up users of those systems to so-called man-in-the-middle (MITM) attacks, in which those with a “trusted” certificate can insert themselves into a communication stream between systems and read its contents.
Similar concerns are being expressed about Android devices.
Given that there are now some 1.3 million apps in the Google Play store, a million or so of which are free, it would take a long, long time to test each of them to see if they are vulnerable to an MITM attack. Organizations, or individual users, can test a limited number of apps they use without much problem (such as with this method). Testing a wide range of apps to certify that they are OK for people to use is a different matter.
Fortunately, security organizations are starting to catch up with the need. In August, the CERT Coordination Center at Carnegie Mellon University, which works with many companies and government agencies, introduced CERT Tapioca (Transparent Proxy Capture Appliance), a virtual machine that automates MITM analysis.
According to CERT/CC researcher Will Dorman, Tapioca so far is only catching low-hanging fruit, but it at least doesn’t take up any of his time, and it’s already caught several hundred vulnerable applications in just a few weeks of use.
The issue should be getting even more press than it has, particularly in government circles, since there are expectations that Android devices could become more attractive in the public sector with the introduction and further development of Samsung’s Knox containerization technology. Apart from device-specific elements of Knox, which Samsung is keeping to itself, most of the technology could find itself incorporated in Google’s next generation operating system, Android L.
Samsung itself got some criticism late in 2013, when researchers from Ben Gurion University in Israel said they had found a vulnerability on a Galaxy S4 device that was using Knox, but Samsung later said that wasn’t a fault with Knox itself. The company also said Knox offers additional protection against MITM attacks through mobile device management and a feature that allows traffic only from designated and secure apps to be sent via VPN tunnel.
Altogether, it’s not been a good year for SSL. In April, a major vulnerability in OpenSSL, the so-called Heartbleed bug, was revealed, one that had been around for over a year before anyone noticed it. That was also fixed, but it’s still an ongoing concern. Researchers at IBM also recently reported that, though attacks using Heartbleed have quieted down, there might still be as many as 250,000 servers left unpatched.
The OpenSSL Project, pushed by the flak it got from the Heartbleed fiasco, for the first time recently published the policy of how it handles security issues. Internally, it says, it divides security issues into low, moderate and high severity and will notify the openssl-announce list and update the organization’s home page when any fixes are planned.
SSL users can also get help through a recently started SSL Blacklist, an online and downloadable resource of SSL certificates associated with malware or botnet activities.
None of the potential problems with SSL are all that new, but with attackers becoming ever more sophisticated in their methods, as is the malware they use to disrupt systems and extract sensitive data, at least those problems seem to be getting more attention, along with tools to address them.
Posted by Brian Robinson on Sep 12, 2014 at 12:12 PM