
Bombshells For The New Year

The week after Christmas should be a quiet, reflective time to get organized for the new year while the security industry takes a little winter's rest. Uh -- not so much. This is the security industry, remember? Vendors may not roll out products during the holidays, but hackers never sleep.
The 25th Chaos Communication Congress in Berlin the week of Dec. 27 certainly proved that to be true. Several hot presentations revealed some pretty scary stuff with major implications for security. Take the "ownage" of the MD5 algorithm used in SSL digital certificates. Turns out there's no such thing as a sure thing when it comes to secure Websites. Just when we got our parents and the kids trained to look for the little padlock icon on a Web page, we now have to tell them, well, you can't necessarily trust that padlock after all. In case you missed it while you were still cleaning up wrapping paper or making your resolution list, a crack team of researchers from the U.S. and Europe hacked a known weakness in the Internet's digital certificate infrastructure to impersonate secure Websites -- and (gulp) email servers.

The good news is that only a minority of digital certificates are signed with MD5, and VeriSign fixed the hole within four hours with the more secure SHA-1 algorithm once the researchers went public with the attack at CCC. VeriSign says it was in the process of transitioning to SHA-1 before the hack was revealed, but critics say the certificate authority should have dropped its use of MD5 in its RapidSSL and other certificates long ago.

Another presentation at CCC also raised a few eyebrows, but for some reason didn't get as much attention as the SSL hack. Its significance to router security still seems to be sinking in. (Do eggnog hangovers really last this long?) Felix Lindner, or "FX," known for his vulnerability finds in Cisco routers, kicked it up a notch by devising a method of hacking Cisco routers with only basic knowledge about the targeted device.

What's the big deal? Well, traditionally router exploits have been targeted at specific IOS router configurations -- a process deemed too complex and intensive to pose a real attack risk. But FX was able to execute his code remotely on some low-end Cisco routers, regardless of their configuration. That opens the door for easier and more widespread router hacking, especially since few organizations regularly patch their custom-configured routers for fear of causing network outages or other problems.

So while some of us were trying to wind down for the holidays, these researchers made sure we stayed on our toes. Both the digital certificate and router hacks demonstrated that you should never get too comfortable with security, and that you should never take a vacation from it.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading
