Thursday, September 16, 2010

New Hacking tool targets Microsoft Applications

Recently, a new hacking tool has been created that targets faulty AES encryption in Microsoft ASP.NET applications. Hackers can view encrypted cookies that contain personal information such as social security numbers and banking information. It was actually developed by two researchers, Juliano Rizzo and Thai Duong. Basically, a hacker can decrypt cookies without knowing the encryption keys. This hacking tool automates the process of finding unprotected website cookies and then decrypts them. Many websites contain unprotected cookies to gather information about the user. Luckily for most people, the majority of banks have protected cookies and require some other type of access code, like the jumbled letters and numbers, to get into their website after typing in your user name and password.

This is a disheartening article and simply makes online users feel even more unsafe on the internet. The developers said that the vulnerabilities exploited affect the framework used by 25% of the internet's websites. Also, releasing this information gives people with bad intentions an opportunity to figure out how to use this tool and then implement it on unsafe web users.

I recommend that internet users do not browse without having some type of antivirus even though that probably won't protect them 100%. I suggest that they be very cautious about what websites they are putting their valuable information into and really to not trust any site that seems like it could be easily hacked.


http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1520252,00.html

2 comments:

  1. I find it amazing that these guys are able to estimate a quarter of the internet's websites are vulnerable to this type of attack. It seems to me that information security is just a never-ending battle where the bad guys are continuously chipping away at everything and anything. Thankfully there are the 'white' hackers who help to point out these vulnerabilities.

  2. I found this post very interesting because it is very relevant to what we have been covering in class lately. The hacking tool has an automated attack design that doesn't need an encryption key to decrypt cookies with personal information. We have learned that encryption keys are the most important component of encryption security, and therefore should be the most difficult thing for hackers to obtain. It is surprising to me that hackers have found a way to decrypt information without an encryption key. It makes it seem as though there is little that can be done to effectively secure information.

    One positive step to securing information is to add a type of access code, such as jumbled letters and numbers, to prevent automated attacks. With the use of these types of codes, it eliminates the ability for hackers to run thousands of guessed encryption keys and possibly get one that works.

    Another fact that I found surprising was that an estimated 25% of websites have cookies that can be decrypted by this new hacking tool. It is always staggering how easily seemingly secure information can be hacked, but the extent to which these attacks can be successful all over the internet is the true shocker.

    One final note, I was disturbed that information regarding such a prominent hack was released to the public. While white hat hackers are very helpful in the information security community, I feel that the discoveries of such weaknesses should be privately reported to the websites that have said weaknesses. Regardless, this article shows how vulnerable our personal information is on the internet, even if it is encrypted.
