The security week ahead: Hacking the media, Plus: more encryption woes
Last week's revelations about hacks of prominent media outlets continue. Plus: new questions about the security of encrypted communications will dominate the news this week.
Newspaper hacks - The story continues
Last week, the headlines were dominated by news of high-profile hacks at U.S. newspapers and the Twitter micro-blogging network. You can expect the bad news to keep on rolling this week as the full extent of the attacks becomes clear.
Word of the targeted attacks on prominent, Western media outlets began Wednesday, when The New York Times acknowledged that it had been hacked by unknown parties, who breached a Times domain controller and, potentially, downloaded the login information for Times employees. The sophisticated attack placed more than 40 pieces of malware on the Times network, and seemed targeted at reporters and editors who cover China for the paper, including those involved in a series of stories on corruption within The Chinese Communist Party.
That revelation sparked similar admissions from The Wall Street Journal and The Washington Post. And, by week's end, Twitter acknowledged that it, also, had been hacked, with information on 250,000 users falling into the hands of a sophisticated hacking group.
All signs point to the hacks as being part of a larger campaign to infiltrate and spy on media organizations - especially in regard to their coverage of China. The digital forensics firm Mandiant, which was hired to help clean up after the Times hack, said that telltale signs in that attack pointed to one of a couple dozen "APT" or Advanced Persistent Threat groups it monitors.
What's still unclear is how many newspapers and journalists were targeted, and how far afield the spying went. But, as reporters dig deeper into the serial media hacks, we should expect the list of victims to grow and evidence of more widespread spying to appear.
Researchers find more holes in common Internet encryption technology
Serious security vulnerabilities in commonly used software like Java or Internet Explorer are bad. Security holes in really common Internet protocols are even worse. Even worse than that: flaws in the specifications for really common Internet protocols. And that's what researchers at the University of London said that they've found.
In a blog post on Monday, researchers Nadhem AlFardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London said that they found a flaw in the specification of TLS - or Transport Layer Security - a cryptographic protocol that's widely used to secure online sessions for web browsing, e-mail, IM, VoIP and other critical functions.
The report, available for download here, describes a number of theoretical attacks against TLS and DTLS (Datagram TLS) that, if properly executed, could give attackers the ability to conduct a man-in-the-middle attack that recovers plaintext from an encrypted TLS or DTLS connection that used the CBC (Cipher Block Chaining) mode of encryption. TLS and DTLS are used by a wide range of high-profile firms to protect sensitive information in transit, including Gmail, Twitter, Dropbox and others.
The researchers say that they have discovered a number of potential attacks, not all of them of the same complexity and severity. However, because the problem is with the way the TLS specification was written, a wide range of products are vulnerable to these attacks. Specifically, the researchers say they have successfully used them against OpenSSL and GnuTLS - two common implementations of TLS.
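Because the weakness lies in how CBC-mode suites are specified rather than in one library, the practical defence on the client or server side is to stop negotiating those suites and rely on AEAD suites (AES-GCM, ChaCha20-Poly1305) instead. The snippet below is an added illustration, not code from the researchers or from any of the products named above; it uses Python's standard `ssl` module, and the cipher string in `AEAD_ONLY_CIPHERS` is an assumed policy you should tune to your own OpenSSL build and compatibility needs.

```python
import ssl

# Assumed policy for this example: forward-secret key exchange plus AEAD
# bulk ciphers only. No CBC-mode suite matches any of these keywords.
AEAD_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"


def non_aead_suites(ctx: ssl.SSLContext) -> list[str]:
    """Names of the suites a context would offer that are not AEAD.

    In a current OpenSSL build the non-AEAD TLS suites still enabled are
    the CBC-mode (MAC-then-encrypt) suites, plus RC4 where a build still
    allows it. An empty list means the context cannot negotiate a
    CBC-mode session at all, so the attacks described above do not apply.
    """
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def aead_only_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Build a context that refuses CBC-mode suites.

    TLS 1.3 suites are AEAD by definition, so the cipher string only
    has to constrain what TLS 1.2 may negotiate; anything older is
    excluded by the minimum version.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AEAD_ONLY_CIPHERS)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise a context's offered suites for a config review."""
    suites = ctx.get_ciphers()
    bad = non_aead_suites(ctx)
    return {
        "offered": len(suites),
        "aead": len(suites) - len(bad),
        "non_aead": bad,
        "cbc_free": not bad,
    }


if __name__ == "__main__":
    print("default context:", audit_context(ssl.create_default_context()))
    print("hardened context:", audit_context(aead_only_context()))
```

Run the block to compare what the interpreter's default context would still offer against the hardened one; the same `audit_context` check can be applied to any context an application constructs before it is used for a real connection.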
The report is just the latest in a string of investigations of the security of common encryption functions and protocols in recent years. Researchers Juliano Rizzo and Thai Duong developed at least two methods, dubbed 'BEAST' and 'CRIME', to exploit holes in TLS and SSL to decode protected content. And AlFardan and Paterson have found other critical holes in these protocols as well. They include a denial of service (DoS) vulnerability in DTLS that allowed attackers to decrypt secured communications without possessing the encryption key.
The researchers say they're working with leading vendors and open source projects to get fixes in, so stay tuned for more news on this, as the list of affected products grows!