October 25, 2011, 5:02 PM — A new tool released by the German hacking collective The Hackers Choice (THC) is designed to take down servers using the power of the security precautions added to keep those servers safe.
The app is one of several high-profile hacking tools released recently that are designed to crash servers not by hitting them with millions of requests from thousands of browsers, as in a Distributed Denial of Service attack.
Instead they use a feature hackers know is built into the server that can be called on freely by a client, but uses far more memory or processing power to run on the server than the client.
Anonymous introduced a new server attack tool called #RefRef based on Resource Exhaustion – wasting so much of a server's power that it crashes.
The tool from the German THC – called THC-SSL-DOS – uses a flaw in the Secure Sockets Layer (SSL) protocol that allows a client that has already logged in to a server to ask the server for a new SSL certificate authenticating the session.
The flaw was demonstrated as an effective way to create a man-in-the-middle attack by an IBM security researcher in 2009. To work correctly the attacker would need to have already gained access to the victim's network.
And, although it was possible to insert a small amount of text in the SSL request, which could be used for malware or a SQL injection, the hacker couldn't read the encrypted text that came back.
That made the initial effort to create a usable proof-of-concept exploit that would get Twitter to send the hacker's connection a copy of someone else's username and password as well as the certificate, difficult to pull off.