News Stay informed about the latest enterprise technology news and product updates.

Old attack vectors are back in style

Black Hat: Like hip-huggers and tweed, once-popular attack methods like ciphertext manipulation are finding new life as hackers look to cut through well-worn Web applications.

LAS VEGAS -- While many of the talks at Black Hat USA 2006 this week focus on new vulnerabilities or innovative techniques for attacking known flaws, one session showed in graphic detail that sometimes older attack methods can be just as useful.

Chris Eng, director of security services at Burlington, Mass.-based security analysis firm Veracode Inc., on Thursday demonstrated several techniques for analyzing encrypted data in Web applications and recovering sensitive information, such as usernames and passwords.

Eng, a veteran penetration tester and former consultant for security giant Symantec Corp. and @stake, said there's no need to bother attacking the algorithms used to encrypt data in cookies if you understand how a Web application's cryptosystem works.

Black Hat USA 2006

Check out's special coverage of Black Hat USA 2006 as reporters from and Information Security magazine post the latest news and tidbits from Las Vegas.
"It's all about recognizing the patterns and understanding how changing one piece of data affects the ciphertext," said Eng.

He cited an example in which a Web application uses a block cipher to encrypt cookie data. By examining the ciphertext, Eng could see that the cipher was in Electronic Code Book (ECB) mode, which means that identical plaintext blocks are encrypted identically and are easy to recognize. Eng then began modifying pieces of data in the cookie that he could control, such as the email address, and observing how the modifications changed the block.

Once he identified where in the block those pieces of data were, he could manipulate the ciphertext itself, using it to build his own cookie for the site and impersonate another user.

"This isn't a brand new attack, but it takes some time to understand how it works and what it can do for you," Eng said. "There are major companies with live Web apps that are at risk from this."

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.