I was just kicking around the ridiculous speed of the new SSL vulnerability went from academic curiosity to exploit demonstration. For those of you that are catching up, this is not the Moxie stuff. The new attack allows you to insert arbitrary text into the beginning of an SSL or TLS session. At first, many researchers thought this to be interesting, but did not see it as a very effective attack in the real world. Then Anil Kurmus came and demonstrated how this attack can be used to steal credentials from Twitter. This attack was successful because of the very nature of the Twitter API. I would love to spend some time poking around to see how may other attack vectors there are for this.
There are a few things we need to take from this. First, obscure/novel attacks don’t stay that way for long. We need to pay very close attention to any new attack that comes out that targets the very core protocols we use every day. Second, don’t take any level of security, provided by various “secure” protocols, for granted. It is simply a matter of time before someone cracks them wide open. Finally, I read that initially some vendors were getting together in secret to look into how to fix this vulnerability. This sucks. I understand the need for vendors to get a head start, but the infosec community lives and breathes on information. There have been some serious attacks on the underlying infrastructure of how we do business every day: From Dan’s DNS attacks, to BGP prefix attacks, and to the work that Moxie has done. This is just another attack on what we consider to be secure.
The point is to never make assumptions about how secure a particular component of your infrastructure is. It is just a matter of time before someone drives a Kenworth through it. If one attack to something like SSL compromises your entire security architecture, then your security architecture sucks.


What said truck might look like…

John Strand will be teaching SANS Network Penetration Testing in
London from 11/30 to 12/6 2009, and SANS hacker techniques and Incident Response in New Orleans from 01/10/10 till 01/18/10.

About the author