Information Security News mailing list archives
Kiwi web servers vulnerable to hacker attacks
From: InfoSec News <isn () C4I ORG>
Date: Mon, 12 Feb 2001 00:53:11 -0600
http://www.stuff.co.nz/inl/index/0,1008,640793a1898,FF.html

By TOM PULLAR-STRECKER
MONDAY, 12 FEBRUARY 2001

The majority of New Zealand's secure web servers are vulnerable to a flaw which could let hackers obtain confidential information such as customers' credit card numbers or even clone the website itself.

So says Wellington-based Baycorp ID business development manager Ron Segal.

Mr Segal says the problem arises because "private keys" used to authenticate the identity of customers and encrypt their Internet links are usually stored on a secure web server's hard drive.

Each time a secure link with a customer's web browser is established, the private key is decrypted and brought into the computer's memory.

As private keys have their own specific "signature" they can easily be located by a hacker if they can gain access to the web server's computer memory.

"A very simple program can be used to extract a private key from computer memory in about 10 seconds."

It may theoretically be possible for an external hacker to access secure web server memory, depending on the other security measures the website has in place, by introducing a "trojan" program to the site, says Mr Segal.

"But internal attack, that is where I would say the real issue is, and 80 per cent of attacks are internal, many studies have shown that."

Baycorp is marketing a range of Hardware Security Modules (HSMs) manufactured by United States firm nCipher and approved by global financial institution consortium Identrus, which he says eliminate the problem by holding private keys on a special plug-in card.

"They can be plugged into a web server, where they are used to carry out all cryptographic operations, making them immune from hacking."

Mr Segal says HSMs also increase the performance of secure web servers.

"A typical web server will handle no more than two secure connections every second before a backlog effect occurs.

"Customers will experience this queuing effect as a very slow responding browser, which in some cases may actually lose the connection.

"HSMs are capable of handling hundreds or thousands of secure connections per second, relieving this particular bottleneck."

Mr Segal says several Australian banks are piloting Identrus-approved HSMs and are likely to decide within the next three months which to roll out.

"Major e-commerce merchants that link to the banking system will then also require Identrus-approved systems. Banks and associated merchants in New Zealand can be expected to follow."

Mr Segal says he knows of two security breaches overseas where private keys were obtained by employees of the organisations concerned who exploited the flaw.

"The discoveries were made before there was any serious effect."

But he says the potential consequences of the flaw are so serious that secure website owners should be concerned.

Only one New Zealand organisation, a Government department, uses HSMs, he says.

"New Zealand is pretty slack, frankly, at the moment when it comes to this sort of security device. Over here, the issue is a lack of knowledge and a lack of understanding about the problem."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".