
Old attack vectors are back in style

By Dennis Fisher, News Director
03 Aug 2006 | SearchSecurity.com

Security Wire Daily News

LAS VEGAS -- While many of the talks at Black Hat USA 2006 this week focus on new vulnerabilities or innovative techniques for attacking known flaws, one session showed in graphic detail that sometimes older attack methods can be just as useful.

Chris Eng, director of security services at Burlington, Mass.-based security analysis firm Veracode Inc., on Thursday demonstrated several techniques for analyzing encrypted data in Web applications and recovering sensitive information, such as usernames and passwords.

Eng, a veteran penetration tester and former consultant for security giant Symantec Corp. and @stake, said there's no need to bother attacking the algorithms used to encrypt data in cookies if you understand how a Web application's cryptosystem works.

"It's all about recognizing the patterns and understanding how changing one piece of data affects the ciphertext," said Eng.

He cited an example in which a Web application uses a block cipher to encrypt cookie data. By examining the ciphertext, Eng could see that the cipher was in Electronic Code Book (ECB) mode, which means that identical plaintext blocks are encrypted identically and are easy to recognize. Eng then began modifying pieces of data in the cookie that he could control, such as the email address, and observing how the modifications changed the block.

Once he identified where in the block those pieces of data were, he could manipulate the ciphertext itself, using it to build his own cookie for the site and impersonate another user.

"This isn't a brand new attack, but it takes some time to understand how it works and what it can do for you," Eng said. "There are major companies with live Web apps that are at risk from this."
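The ECB property described above can be checked for directly when auditing an application's cookies. The following is an added example, not code from the talk or from Veracode: it counts repeated ciphertext blocks in a constructed cookie and shows that an HMAC tag over the cookie causes a reordered ciphertext to be rejected. The block cipher is a stand-in built from HMAC-SHA256 (Python's standard library has no AES), and the keys, cookie layout and function names are assumptions.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # bytes per block, the same size AES uses

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (4-round Feistel over HMAC-SHA256). Not AES; demo only."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently with the same key."""
    padded = plaintext + b"\x00" * (-len(plaintext) % BLOCK)  # zero padding, demo only
    return b"".join(toy_encrypt_block(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))

def repeated_blocks(ciphertext: bytes) -> int:
    """Audit check: how many ciphertext blocks also appear elsewhere in the value."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(n for n in Counter(blocks).values() if n > 1)

def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the server can detect any edited cookie."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def open_sealed(mac_key: bytes, token: bytes):
    """Return the ciphertext if the tag verifies, otherwise None."""
    ciphertext, tag = token[:-32], token[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext if hmac.compare_digest(tag, expected) else None

def demo():
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    # Constructed cookie: the long run of "A" fills two aligned 16-byte blocks.
    cookie = b"user=alice;email=" + b"A" * 48 + b";role=user"
    ct = ecb_encrypt(enc_key, cookie)
    token = seal(mac_key, ct)
    # Same blocks in a different order, original tag kept: must be rejected.
    reordered = ct[BLOCK:2 * BLOCK] + ct[:BLOCK] + ct[2 * BLOCK:] + token[-32:]
    return repeated_blocks(ct), open_sealed(mac_key, token) == ct, open_sealed(mac_key, reordered)

if __name__ == "__main__":
    print(demo())
```

A nonzero result from `repeated_blocks` on a production cookie is a sign of ECB or an equivalent deterministic scheme; in a real deployment an authenticated mode such as AES-GCM provides both the confidentiality and the integrity check.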
