Information Security News mailing list archives

Kiwi web servers vulnerable to hacker attacks


From: InfoSec News <isn () C4I ORG>
Date: Mon, 12 Feb 2001 00:53:11 -0600

http://www.stuff.co.nz/inl/index/0,1008,640793a1898,FF.html

By TOM PULLAR-STRECKER
MONDAY, 12 FEBRUARY 2001

The majority of New Zealand's secure web servers are vulnerable to a
flaw which could let hackers obtain confidential information such as
customers' credit card numbers or even clone the website itself.

So says Wellington-based Baycorp ID business development manager Ron
Segal.

Mr Segal says the problem arises because "private keys" used to
authenticate the identity of customers and encrypt their Internet
links are usually stored on a secure web server's hard drive.

Each time a secure link with a customer's web browser is established,
the private key is decrypted and brought into the computer's memory.

As private keys have their own specific "signature" they can easily be
located by a hacker if they can gain access to the web server's
computer memory.

"A very simple program can be used to extract a private key from
computer memory in about 10 seconds."

It may theoretically be possible for an external hacker to access
secure web server memory by introducing a "trojan" program to the
site, depending on the other security measures the website has in
place, says Mr Segal.

"But internal attack, that is where I would say the real issue is, and
80 per cent of attacks are internal; many studies have shown that."

Baycorp is marketing a range of Hardware Security Modules (HSMs)
manufactured by United States firm nCipher and approved by global
financial institution consortium Identrus, which he says eliminate the
problem by holding private keys on a special plug-in card.

"They can be plugged into a web server, where they are used to carry
out all cryptographic operations, making them immune from hacking."
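The architectural point behind Mr Segal's remedy is that a web server does not need the private key itself, only the ability to ask for signatures. The following Go program is an added example, not code from the article, Baycorp or nCipher: it models the module boundary with Go's standard `crypto.Signer` interface, which is the same shape a PKCS#11-backed HSM key presents to a TLS stack. The `moduleSigner` type is a constructed in-process stand-in (the key is still in host RAM here, unlike a real HSM), and `keyReadableByServer` contrasts it with the conventional layout in which the raw key object sits in the server's `tls.Certificate`. The loopback server, certificate and "hello over TLS" body are all constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// moduleSigner is a constructed stand-in for a hardware security module.
// The web server holds only this value: the ECDSA key is an unexported
// field, so the TLS stack can request signatures but never reads key bytes.
// A real HSM exposes the same crypto.Signer shape (typically via PKCS#11)
// with the key physically inside the device; here it is simulated in-process.
type moduleSigner struct {
	key   *ecdsa.PrivateKey // stays inside the "module"; never handed out
	calls int64             // how often the module was asked to sign
}

func newModuleSigner() (*moduleSigner, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &moduleSigner{key: k}, nil
}

// Public returns only the public half, which is all a certificate needs.
func (m *moduleSigner) Public() crypto.PublicKey { return &m.key.PublicKey }

// Sign performs the private-key operation behind the module boundary.
func (m *moduleSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	atomic.AddInt64(&m.calls, 1)
	return m.key.Sign(r, digest, opts)
}

// certFor issues a self-signed loopback certificate over the signer's public
// key. x509.CreateCertificate also needs only a crypto.Signer, so issuance
// works without the key leaving the module.
func certFor(signer crypto.Signer) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: signer}, nil
}

// softwareKeyCert is the layout the article warns about: the raw private key
// object is placed directly in the server's tls.Certificate.
func softwareKeyCert() (tls.Certificate, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	c, err := certFor(k)
	if err != nil {
		return tls.Certificate{}, err
	}
	c.PrivateKey = k // the server process now holds the key material itself
	return c, nil
}

// keyReadableByServer reports whether the certificate carries the private key
// as a plain in-memory object (true) or only an opaque signing handle (false).
func keyReadableByServer(c tls.Certificate) bool {
	_, raw := c.PrivateKey.(*ecdsa.PrivateKey)
	return raw
}

// serveOnce runs an HTTPS server keyed through the module, makes one request,
// and returns the body plus the number of signatures the module produced.
func serveOnce() (body string, signCalls int64, err error) {
	m, err := newModuleSigner()
	if err != nil {
		return "", 0, err
	}
	cert, err := certFor(m)
	if err != nil {
		return "", 0, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "hello over TLS")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS() // httptest keeps our certificate because one is already set
	defer srv.Close()

	resp, err := srv.Client().Get(srv.URL) // this client trusts the served certificate
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", 0, err
	}
	return string(b), atomic.LoadInt64(&m.calls), nil
}
```

Running `serveOnce` completes a TLS handshake in which every signature is produced by `moduleSigner.Sign`, while the server-side `tls.Certificate` exposes nothing that a type assertion could turn back into an `*ecdsa.PrivateKey`. Swapping the stand-in for a PKCS#11 signer changes nothing else in the server, which is why the HSM approach described above fits existing web servers.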

Mr Segal says HSMs also increase the performance of secure web
servers.

"A typical web server will handle no more than two secure connections
every second before a backlog effect occurs.

"Customers will experience this queuing effect as a very slow
responding browser, which in some cases may actually lose the
connection.

"HSMs are capable of handling hundreds or thousands of secure
connections per second, relieving this particular bottleneck."

Mr Segal says several Australian banks are piloting Identrus-approved
HSMs and are likely to decide within the next three months which to
roll out.

"Major e-commerce merchants that link to the banking system will then
also require Identrus approved systems. Banks and associated merchants
in New Zealand can be expected to follow."

Mr Segal says he knows of two security breaches overseas where private
keys were obtained by employees of the organisations concerned who
exploited the flaw.

"The discoveries were made before there was any serious effect."

But he says the potential consequences of the flaw are so serious that
secure website owners should be concerned. Only one New Zealand
organisation, a Government department, uses HSMs, he says.

"New Zealand is pretty slack, frankly, at the moment when it comes to
this sort of security device. Over here, the issue is a lack of
knowledge and a lack of understanding about the problem."

ISN is hosted by SecurityFocus.com