The good news is that only a minority of digital certificates are signed with MD5, and VeriSign fixed the hole within four hours with the more secure SHA-1 algorithm once the researchers went public with the attack at CCC. VeriSign says it was in the process of transitioning to SHA-1 before the hack was revealed, but critics say the certificate authority should have dropped its use of MD5 in its RapidSSL and other certificates long ago.
Another presentation at CCC also raised a few eyebrows, but for some reason didn't get as much attention as the SSL hack. Its significance to router security still seems to be sinking in. (Do eggnog hangovers really last this long?) Felix Linder, or "FX," known for his vulnerability finds in Cisco routers, kicked it up a notch by devising a method of hacking Cisco routers with only basic knowledge about the targeted device.
What's the big deal? Well, traditionally router exploits have been targeted at specific IOS router configurations -- a process deemed too complex and intensive to pose a real attack risk. But FX was able to execute his code remotely on some low-end Cisco routers, regardless of their configuration. That opens the door for easier and more widespread router hacking, especially since few organizations regularly patch their custom-configured routers for fear of causing network outages or other problems.
So while some of us were trying to wind down for the holidays, these researchers made sure we stayed on our toes. Both the digital certificate and router hacks demonstrated that you should never get too comfortable with security, and that you should never take a vacation from it.
-- Kelly Jackson Higgins, Senior Editor, Dark Reading