Old attack vectors are back in style

Dennis Fisher
LAS VEGAS -- While many of the talks at Black Hat USA 2006 this week focus on new vulnerabilities or innovative techniques for attacking known flaws, one session showed in graphic detail that sometimes older attack methods can be just as useful.

Chris Eng, director of security services at Burlington, Mass.-based security analysis firm Veracode Inc., on Thursday demonstrated several techniques for analyzing encrypted data in Web applications and recovering sensitive information, such as usernames and passwords.

Eng, a veteran penetration tester and former consultant for security giant Symantec Corp. and @stake, said there's no need to bother attacking the algorithms used to encrypt data in cookies if you understand how a Web application's cryptosystem works.

"It's all about recognizing the patterns and understanding how changing one piece of data affects the ciphertext," said Eng.

He cited an example in which a Web application uses a block cipher to encrypt cookie data. By examining the ciphertext, Eng could see that the cipher was in Electronic Code Book (ECB) mode, which means that identical plaintext blocks are encrypted identically and are easy to recognize. Eng then began modifying pieces of data in the cookie that he could control, such as the email address, and observing how the modifications changed the block.

Once he identified where in the block those pieces of data were, he could manipulate the ciphertext itself, using it to build his own cookie for the site and impersonate another user.

"This isn't a brand new attack, but it takes some time to understand how it works and what it can do for you," Eng said. "There are major companies with live Web apps that are at risk from this."
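The ECB property Eng relied on, and the integrity check that makes block rearrangement detectable, shown as an added example that is not code from the talk or from this article. `toy_ecb` is a stand-in built from a keyed hash rather than a real block cipher, and the keys, cookie layout and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES

def toy_ecb(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for ECB mode (assumption, not a real cipher): each block is
    transformed independently with a keyed function, so equal plaintext
    blocks give equal output blocks. It cannot be decrypted."""
    padded = plaintext + b"\x00" * (-len(plaintext) % BLOCK)
    return b"".join(
        hmac.new(key, padded[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
        for i in range(0, len(padded), BLOCK))

def repeated_blocks(ciphertext: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block (ECB tell-tale)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed over the whole ciphertext."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def verify(mac_key: bytes, cookie: bytes) -> bool:
    """Accept the cookie only if its tag matches its ciphertext."""
    body, tag = cookie[:-32], cookie[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

# Constructed sample data: keys and cookie layout are made up for this example.
ENC_KEY, MAC_KEY = b"E" * 16, b"M" * 32
PLAINTEXT = b"user=alice;mail=" + b"A" * 32 + b"@example.com;role=user"

def demo():
    ct = toy_ecb(ENC_KEY, PLAINTEXT)
    cookie = seal(MAC_KEY, ct)
    # Same blocks in a different order: ECB itself gives no way to notice,
    # the tag does.
    reordered = ct[16:32] + ct[0:16] + ct[32:] + cookie[-32:]
    return repeated_blocks(ct), verify(MAC_KEY, cookie), verify(MAC_KEY, reordered)

if __name__ == "__main__":
    print(demo())  # (1, True, False)
```

A nonzero count from `repeated_blocks` on a cookie an application issues is a sign it should be reviewed for ECB use; an authenticated encryption mode covers both the pattern leak and the tampering check in one step.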
