About us Contact us RSS Newsletters Blogs Video Follow us on Twitter

Register | Login

Advertisement
  • Networking
  • Storage
  • Security
  • Mobility and Wireless
  • Applications
  • OS and Servers
  • Mid-sized Business
  • Green IT
  • Virtualisation

News 

News



31 December 2008

'Undetectable' phishing attack identified by research team

By Robert McMillan, IDG news service

 A team of security researchers, armed with 200 Sony Playstations, has found a way to undermine the algorithms used to protect secure web sites and launch a nearly undetectable phishing attack.

Advertisement

To do this, they've exploited a bug in the digital certificates used by websites to prove that they are who they claim to be. By taking advantage of known flaws in the MD5 hashing algorithm used to create some of these certificates, the researchers were able to hack Verisign's RapidSSL.com certificate authority and create fake digital certificates for any website on the Internet.

Hashes are used to create a "fingerprint" for a document, a number that is supposed to uniquely identify a given document and is easily calculated to verify that the document has not been modified in transit. The MD5 hashing algorithm, however, is flawed, making it possible to create two different documents that have the same hash value. This is how someone could create a certificate for a phishing site having the same fingerprint as the certificate for the genuine site.

Using their farm of Playstation 3 machines, the researchers built a "rogue certificate authority" that could then issue bogus certificates that would be trusted by virtually any browser. The Playstation's Cell processor is popular with code breakers because it is particularly good at performing cryptographic functions.

They plan to present their findings at the Chaos Communication Congress hacker conference, held in Berlin Tuesday, in a talk that has already been the subject of some speculation in the Internet security community.

The research work was done by an international team that included independent researchers Jacob Appelbaum and Alexander Sotirov, as well as computer scientists from the Centrum Wiskunde & Informatica, the Ecole Polytechnique Federale de Lausanne, the Eindhoven University of Technology and the University of California, Berkeley.

Although the researchers believe that a real-world attack using their techniques is unlikely, they say that their work shows that the MD5 hashing algorithm should no longer be used by the certificate authority companies that issue digital certificates. "It's a wake up call for anyone still using MD5," said David Molnar a Berkeley graduate student who worked on the project.

In addition to Rapidssl.com, TC TrustCenter AG, RSA Data Security, Thawte and Verisign.co.jp all use MD5 to generate their certificates, the researchers say.

Jump to page : [ 1 ] [ 2 ]

Follow highlights from Techworld on Twitter
Stay Informed > Subscribe to our Newsletters
The UK IT News widget Get it for your site!

<<newer article | back to index | older article>>

close

Email this article to a friend or colleague:




PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

close
  • This article is now being printed.
close

What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.


Characters remaining:

close

Click below to add ''Undetectable' phishing attack identified by research team' to your blog.



If you do not have a ComputerworldUK Account and would like to use this feature, please Register.

If you are a registered, logged-in user, this will post the title and first paragraph of this story to your blog to share with your readers.

What is this?
Advertisement
Advertisement

WHITE PAPERS

  • Seven Ways ITIL Can Help You in an Economic Downturn
    Learn more about how ITIL can help your business weather the economic storm, and how it can leave you better positioned for growth when the economy begins to rebound.
  • Make Compliance Work For You
    Learn how to make compliance work for you, rather than the other way around, with this whitepaper form Oracle.
  • Modernizing IT: Strategies for Improving Service Quality and Reducing IT Costs
    Working harder simply won’t get you there. No matter how many people you allocate, sinking more labour into old IT practices cannot concurrently meet rising demands on IT and cut costs. Read about cost-effective, automated ways to meet this challenge head-on in this whitepaper.
  • Security and Trust: The Backbone of Doing Business over the Internet
    When shopping online, consumers are concerned about identity theft and are therefore wary of providing untrusted sources with their personal information, especially their credit card details. Find out how to gain the trust of online customers.
  • Business Continuity - Are you always open for business?
    Business continuity is not an end in itself, but the key to improving performance. Oracle solutions for midsize organisations contribute by providing a secure, easily accessible, and always available information infrastructure thats's also simple and cost-effective to manage. This Oracle Business Brief explains how.

Techworld topic pages