Hackers devise attack vs secure servers

What good are secure servers if they can get kicked off the Internet? This is the premise of a new distributed denial-of-service (DDos) tool released by a German hacker group, targeting servers using secure sockets layer (SSL). “We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century," said a member of the German hacker group "The Hackers Choice," on the group's site. Earlier this week, THC released a new DDoS tool that exploits a weakness in SSL to kick a server off the Internet. A member of the group said the tool had already leaked to the public a couple of months ago. Unlike traditional DDoS tools, this new tool does not require any bandwidth and just a single attack computer (“bot"). THC said its attack is at par with other DDoS attacks, adding some of those methods played a vital role in demonstrations against "oppressive governments" and companies that violate free speech. In the second case, it cited the DDoS attack against Mastercard for closing WikiLeaks' non-profit donation account because of an alleged typo/misspelling in the application form. “Here at THC the rights of the citizen and the freedom of speech are at the core of our research," said a member of the group. The group said its tests show the average server can be taken down from a single IBM laptop through a standard DSL connection. Taking on larger server farms using SSL Load balancer required 20 average-size laptops and about 120kbit/sec of traffic. "All in all superb results," it said. SSL encryption broken? THC said that in 2009, a vulnerability was disclosed that broke the encryption of SSL, potentially making all SSL traffic unsafe. In 2011, various Certification Authorities got hacked, making all SSL traffic potentially unsafe again. “We warned in 2002 about giving hundreds of commercial companies (so-called Certification Authorities) a master key to ALL SSL traffic. Only a real genius can come up with such an idea!" said Fred Mauer, a senior cryptographer at THC. “It’s time for a new security model that adequately protects the citizens," the group said. Proof of concept The THC said its THC-SSL-DOS tool is a Proof Of Concept tool to disclose fishy security in SSL. It works if the server supports SSL Renegotiation, and even if SSL Renegotiation is not supported although it requires some modifications. Irony The group said it was "interesting" that a security feature supposed to make SSL more secure makes it more vulnerable to this attack. "SSL Renegotiation was invented to renegotiate the key material of an SSL connection. This feature is rarely used. In fact we could not find any software that uses SSL Renegotiation. Yet it’s enabled by default by most servers," it said. "An old saying comes true all over again: Complexity is the enemy of security," it added. — TJD, GMA News