Double Security Whammy, No Patches: Killer SSL DDoS Attack, XML Encryption Broken

The Germans have wreaked all kinds of mass destruction on the security forefront. The hacking group "The Hacker's Choice" released a new THC-SSL-DOS tool that allows a single laptop's DSL connection to take down a server. Other German researchers found a flaw and broke the W3C standard with a serious attack against XML Encryption that works in all cases, including against Microsoft, IBM, Red Hat, Apache and other XML framework providers.

The Germans have wreaked all kinds of mass destruction, a double security and privacy whammy. A hacking group released a new SSL DDoS tool that can be successfully launched from a single laptop, a single DSL connection, to take down a server. Other researchers in Germany found and exploited a flaw that breaks the W3C XML Encryption standard with a serious attack that works in all cases. The researchers said that Microsoft, IBM, Red Hat, Apache and other major XML framework providers will need to adopt a new standard.

Establishing a secure SSL connection requires about 15 times more processing power on the server than it does on the client. But a server has so much more bandwidth than a single DSL connection that a traditional DDoS attack cannot be launched from a single DSL connection. It's no match for the server. A new SSL DOS tool turns that on its head. The German hacking group "The Hacker's Choice" (THC) released a killer new DDoS hacking tool for both Windows and Unix that has a deadly attack twist. The THC-SSL-DOS tool hits the server with thousands of SSL renegotiations via one little TCP connection until the server crashes and dies . . . until it is overloaded and knocked offline.
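A defender's view of the pattern described above, as an added example that is not part of the original article or of THC's tool: it flags any single connection that renegotiates more than a set number of times inside a short window. The event tuple format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, connection_id, event).
# "handshake" is the initial handshake; "renegotiation" is a new handshake
# on an already-established connection. Addresses are documentation ranges.
FLOOD_CONN = "198.51.100.7:40222"
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10:51000", "handshake"),
    (30.0, "192.0.2.10:51000", "renegotiation"),   # one-off, normal
    (0.5, "192.0.2.20:51444", "handshake"),
    (60.0, "192.0.2.20:51444", "renegotiation"),   # rare, widely spaced
    (120.0, "192.0.2.20:51444", "renegotiation"),
    (180.0, "192.0.2.20:51444", "renegotiation"),
    (1.0, FLOOD_CONN, "handshake"),
] + [
    # 200 renegotiations in about four seconds on one TCP connection
    (2.0 + i * 0.02, FLOOD_CONN, "renegotiation") for i in range(200)
]


def flag_renegotiation_floods(events, max_renegs=3, window=10.0):
    """Return {connection_id: peak renegotiations seen in any window}
    for connections exceeding max_renegs within `window` seconds."""
    recent = defaultdict(deque)   # per-connection sliding window of timestamps
    flagged = {}
    for ts, conn, kind in sorted(events):
        if kind != "renegotiation":
            continue
        q = recent[conn]
        q.append(ts)
        # Drop renegotiations that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_renegs:
            flagged[conn] = max(flagged.get(conn, 0), len(q))
    return flagged


if __name__ == "__main__":
    for conn, peak in flag_renegotiation_floods(SAMPLE_EVENTS).items():
        print(f"{conn}: {peak} renegotiations within 10s, candidate for reset")
```

The same per-connection counter can drive a hard limit at the TLS terminator, which is the rate-limited form of the "disable renegotiation" countermeasure.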

The hacking group said that traditional DDoS tools, which played "a vital role in demonstrations against oppressive governments (like the DDoS attack against Iran's leader) and against companies that violate free speech (like the DDoS attack against Mastercard for closing WikiLeaks' non-profit donation account)," are resource hogs. The THC-SSL-DOS attack tool "does not require any bandwidth and just a single attack computer." THC said the old saying is true, "Complexity is the enemy of security." SSL renegotiation was supposed to make SSL more secure, yet it is rarely used, is enabled by default, and is what makes servers more vulnerable to this attack. A THC member added, "Renegotiating Key material is a stupid idea from a cryptography standpoint."

"Here at THC the rights of the citizen and the freedom of speech are at the core of our research," said a member of THC. "We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in and fix the problem so that citizens are safe and secure again." They added that their testing revealed "the average server can be taken down from a single IBM laptop through a standard DSL connection. Taking on larger server farms who make use of SSL Load balancer required 20 average size laptops and about 120kbit/sec of traffic."

Darknet points out there is no real solution, but countermeasures include disabling SSL renegotiation and investing in an SSL Accelerator. The ethical hacker who runs Darknet included tips and tricks for whitehats:

  • The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
  • Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
  • Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, ... or the secure database port).

Technical details about the THC-SSL-DOS tool can be found here, as well as the zipped Windows binary file and Unix source.

Meanwhile, more bad news for security as researchers in Germany from Ruhr University Bochum broke the W3C standard of supposed security for XML Encryption with a "serious attack" and said that large companies like "IBM, Microsoft and Redhat Linux that use XML standards for integrating Webservice projects for large customers" are affected.

XML (eXtensible Markup Language) is the W3C standard for "platform-independent data exchange." As of 2009, "hundreds of XML-based languages have been developed, including RSS, Atom, SOAP, and XHTML. XML-based formats have become the default for most office-productivity tools, including Microsoft Office (Office Open XML), OpenOffice.org (OpenDocument), and Apple's iWork." W3C sets an XML Encryption standard "that defines how to encrypt the contents of an XML element."

The German researchers said, "XML Encryption was designed to protect the confidentiality of the exchanged data" and is used in a "large number of major Web-based applications," including business communications, e-commerce, financial services, healthcare applications, as well as governmental and military infrastructures. However, the message "everything is insecure" was highlighted when Juraj Somorovsky and Tibor Jager exploited a weakness and "were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages." The attack works "against the implementations of companies that responded to the responsible disclosure - in all cases the result was the same: the attack works, XML Encryption is not secure."

Like The Hacker's Choice DDoS attack tool, there's no real solution to fix the problem as of yet. Somorovsky stated, "There is no simple patch for this problem. We therefore propose to change the standard as soon as possible." The attack was presented at the ACM Conference on Computer and Communications Security last week.


Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.
