The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.

By contrast, Duong and Rizzo say they’ve figured out a way to defeat SSL by breaking the underlying encryption it uses to prevent sensitive data from being read by people eavesdropping on an address protected by the HTTPs prefix.

“BEAST is different than most published attacks against HTTPS,” Duong wrote in an email. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

Instead, BEAST carries out what’s known as a plaintext-recovery attack that exploits a vulnerability in TLS that has long been regarded as mainly a theoretical weakness. During the encryption process, the protocol scrambles block after block of data using the previous encrypted block. It has long been theorized that attackers can manipulate the process to make educated guesses about the contents of the plaintext blocks.

If the attacker’s guess is correct, the block cipher will receive the same input for a new block as for an old block, producing an identical ciphertext.

At the moment, BEAST requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work. Nonetheless, the technique poses a threat to millions of websites that use earlier versions of TLS, particularly in light of Duong and Rizzo’s claim that this time can be drastically shortened.

In an email sent shortly after this article was published, Rizzo said refinements made over the past few days have reduced the time required to under 10 minutes.

“BEAST is like a cryptographic Trojan horse – an attacker slips a bit of JavaScript into your browser, and the JavaScript collaborates with a network sniffer to undermine your HTTPS connection,” Trevor Perrin, an independent security researcher, wrote in an email. “If the attack works as quickly and widely as they claim it’s a legitimate threat.”

The scripts on the page check for installed plugins and compare the version of the installed plugin with the latest version that is offered officially by the developer of the plugin. Some supported plug-ins (among others) are Apple Quicktime, Shockwave Flash, Adobe Acrobat, Java, RealPlayer and Windows Media Player plugins. Furthermore the Mozila Firefox development team now extends the page to support all the popular browsers.

The service checks the browser plug-ins on Internet Explorer, Chrome, Opera, Safari and Firefox. This special page promises to check these plug-ins for you, and advise you of when it is time to update. Johnathan Nightingale, director of Firefox development, claimed that in the months since the page was deployed, it had seen over 60 per cent of Adobe Flash users with the most recent version, with the number growing to more than 75 per cent if the second most recent update is included.He said: “We believe that plug-in safety is an issue for the web as a whole, so while our initial efforts focused on building a page that would work for Firefox users, the team has since expanded plug-in check coverage to work with Safari 4, Chrome 4 and Opera 10.5.“We have added support for Internet Explorer 7 and 8 for the most popular plug-ins, as well, but since IE requires specific code to be written for each plug-in it will take us a little longer to get to full coverage.“This has been a phenomenal amount of work to develop and test, and the matrix of browser, plug-in and OS grows very quickly.”

Plugins are either rated as safe or potentially vulnerable (there might be a third rating for vulnerable plugins). An update button is displayed next to potentially vulnerable plugins which should lead to a download page to update the latest version of the plugin. Some plugins do not reveal their full version which means that they will be shown as potentially vulnerable even if the latest version is installed.

Graham Cluley, senior technology consultant at Sophos, said: “It’s great that Mozilla has extended its service to offer an additional security check for users of other browsers. Hopefully it will encourage more computer users to keep their systems patched, and make life more difficult for hackers.”

You can check your plugins here and you can find more on this project here.

References : scmagazineuk

As part of the seminar programme the FP7 EU project FORWARD was presented along with another EU funded project PSIRP. In a half-hour presentation Edita Djambazova from IPP-BAS described FORWARD’s goal, objectives, and results. Some of the emerging security threats identified during the project were discussed. The established security community around ICT-FORWARD was outlined as one of its important achievements.

On May 4th and 5th of 2009, the FORWARD consortium organized the 2nd workshop of the project. The workshop took place in Hotel Delcloy in Côte d’Azur. The agenda focused on the progress of the FORWARD working groups (WGs) having both summary presentations of their work and focused panel discussions for each WG. The keynotes and presentations helped to spark discussions during the panel sessions that were also carried on during the scheduled breaks.

Highlights of Day 1

The first day included some very interesting presentations, starting with the keynote of Marc Dacier, head of Symantec Research – Europe,  during the first session of the workshop. Marc highlighted the economic motives behind cyber-attacks. He stressed that research focus should be put on threats based on their profitability.

Michael Behringer‘s talk was also very insightful. Michael identified human as the weakest link in security of complex ICT infrastructures. He argued that we’ll be able to increase the overall security of the infrastructures if we shift responsibility of some complex but mundane tasks (e.g. configuration) from human to software.

Of course, the above is true only for thorougly tested software. Manuel Costa‘s presentation focused on explaining how the reliability of an OS kernel can be compromised from the unprotected use of  extensions (e.g. device drivers, network protocol implementations etc). Manuel cited that many thousands of new OS extensions appear every year and because there’s just not enough time for thorough testing they end up having a very high failure rate. This also makes the OS kernel vulnerable because it shares its address space with the unreliable extensions. Manuel argued in favour of the implementation of fine-grained access rights inside the kernel space in order to reduce the effect of faulty extensions on the overall security of the OS kernel.

The presentation of David Brumley also provided some surprising insights to the modus operandi of attackers. David argued that existing security patch delivery mechanisms can actually help the attackers. He explained that it is possible to automatically generate an exploit using the corresponding vulnerability fix. The process is fast enough to allow the attacker to launch an attack with the new exploit before all computers have been patched. Therefore there is a need to revisit the current patch distribution mechanisms.

The first day was completed with split panel discussions of the three FORWARD WGs. The discussions are summarized in the related project deliverable (to be published soon).

Highlights of Day 2

The second day started with the presentations of the work in the different WGs and concluded with the last session of guest presentations. The presentation of Christian Kreibich was very interesting as it provided insight to the spam business. Until now many have speculated on the conversion rates and revenue generated by spam, however there’s little evidence to support or refute any of the speculations. Christian presented a new study on a small part of the Storm botnet that attempts to shed light on these issues. The study concludes that the whole Storm botnet generates less than $2M of revenue annually from its pharmaceutical spam campaign.  This is an order of magnitude less than previous speculations. It is also a hint that Storm may be a vertically integrated business. This can be concluded because the profit margin from selling pharmaceuticals would be very low if Storm was selling spam to a third party on the reported   market price for spam.

Another interesting presentation was Peter Van Rossum‘s which focused on new vulnerabilities of the Mifare Classic smartcard. Mifare Classic is the most widely used contact-less smartcard on the market, with deployment cases such as the Oyster Card used to pay for public transportation in the Greater London area. In the presentation, four attacks were proposed that can be executed by an adversary having only wireless access to just a card. This is an important advance since previous attacks against the card required access to a legitimate reader, which allowed vendors to refute their applicability in realistic situations.  Although NXP (manufacturer of the Mifare Classic) already prepares a successor to the vulnerable card that fixes the identified problems, the existing cards cannot be fixed and should be replaced. The case proves that candidate technologies  for use in critical infrastructures (such as the public transportation) should be closely scrutinized by experts before coming to a final decision whether they are suitable for the desired use.

Overall, the 2nd FORWARD workshop was very interesting. The insightful presentations and the friendly atmosphere contributed to constructive discussions that helped participants get a more concrete view on the threats that they will be called to encounter in the near future. Seeing more events with similar scope in Europe would be very beneficial for the European ICT security research community.

The Head of Unit “Trust & Security” in DG INFSO of the European Commission Mr. Jacques Bus presented the ICT priorities in the Seventh Framework Program. He outlined that the main goals of the objective “Trustworthy ICT” is the building of Trustworthy Network Infrastructures and Trustworthy Service Infrastructures which are the way to develop the Future Internet as a conglomerate of heterogeneous networks and systems. The infrastructures of secure and trustworthy networks have to make the Future Internet more secure, to allow for monitoring and managing the security threats, to build secure infrastructures and virtual objects. It is important to make experiments, to pay attention to the societal impact and to the interaction between the technologies and the users. Mr. Bus announced the indicative opening date of the next Call for proposals is 31st July 2009 and the submission deadline is 3rd November 2009.

Useful information and some advice on how to prepare successful project proposals was presented by Mr. Ives Paindaveine from the DG INFSO, Unit 5 “Trust & Security.” He underlined the significance of the well structured consortium and the clear abstract and contents of the proposal. Proposals are submitted only electronically and they can be updated until the deadline. After the deadline the evaluators can read the proposals remotely and check their contents. The final evaluation is done in Brussels where all evaluators give their final marks.

Mr. Paul Drath from Singleimage Ltd., a training company for the European framework programs, gave the audience valuable advice about the preparation of project proposals. He directed the interested participants to web sites and tools where they could search for partners, check the financial indicators of their proposals, and estimate the allocated budget. Some useful notes were given of what to do and what not do in writing a proposal.

The work of the Fair continued in three parallel sessions. The Thematic Session „Secure and Trustworthy Network Infrastructures” was moderated by Dr. Todor Tagarev (IPP-BAS). Six presentations were given of ongoing FP7 projects in the objectives “ICT Security” and “Critical Infrastructure Protection (CIP)” and some past experience. After the introductory notes of Dr. Boyanov (IPP-BAS) about the session and the FORWARD Project, Luigi Romano (University of Naples “Parthenope”) presented the STREP project INSPIRE (Increasing Security and Protection through Infrastructure Resilience). The project objectives are to identify and assess the vulnerabilities of SCADA systems, to determine dependencies among different infrastructures, to propose a self-reconfigurable architecture, and to apply intelligent techniques for reconfiguration. Salvatore D’Antonio (CINI) presented the STREP project INTERSECTION. It is directed to assessment and classification of heterogeneous networks’ vulnerabilities aiming at building a database for them, constructing and applying security techniques, contributing to the standards for information security which could be implemented by all telecommunications operators, and make a roadmap of security-enhancing strategies. Piotr Kijewski (NASK/CERT Polska) presented the IT security projects where NASK and CERT Polska are involved. Based on a sensor network which acquires data from honeypot networks, firewalls, darknets, etc., threat analysis and data enrichment are made in order to develop effective countermeasures. The other goal of the projects is to stimulate information sharing and alerting about incidents and attacks. The WOMBAT Project was presented by Corrado Leita (Symantec Research). Data on attacks is collected, then the attacks are prioritized and the defense level of networks is assessed. The current defense techniques are also estimated. To share his experience from a successfully completed FP6 project, Prof. Miloslav Dusek (Palacky University) presented SECOQC (Development of a Global Network for Secure Communication based on Quantum Cryptography). Quantum cryptography is used to enhance network security. The project has a contribution to the quantum key distribution (QKD) technology, to the development of the network concept, to the development of interfaces. It initiated the QKD standardization. Dr. Tagarev presented a methodology for assessing vulnerabilities and planning measures for critical infrastructure protection (CIP). The methodology is aimed at supporting the decision making process in the CIP. By clear identification of the main sectors and critical assets, identification and classification of the threats, assessment of vulnerabilities, interdependencies, and risks, the best measures and risk mitigation strategies can be sought for and strategy and policy for CIP can be built.

There was an interesting discussion about all presented projects during the thematic session where questions were asked about the applicability of the presented ideas, the difficulties in reaching the goals, the achieved results to date.

At the end of the Fair the outcomes of the three parallel sessions were summarized.

The opinion of the Project Officer Dr. Massimo Ciscato and of the participants was that the Fair on Trust & Security Research was successful. The presentations concerned interesting research areas, useful experience and new questions that require answers from the IT security community. Many useful contacts were made between the participants. Some practical advice was shared about how to prepare a successful project proposal that can pass the EC evaluation procedures.

The event is aimed at fostering partnership and stimulating scientific discussions about research priorities in the area of ICT Trust and Security in view of the upcoming FP7 call for proposals that will be launched in the summer. One of the objectives of the Fair is to stimulate participation to EU-funded research (FP7) in the area of ICT Trust and Security from partners from Central and Eastern European Countries. The Institute for Parallel Processing – Bulgarian Academy of Sciences (IPP-BAS) organizes and chairs the Thematic Session “Secure & Trustworthy Network Infrastructures”. We have speakers from several ongoing FP7 projects on Security and Critical Infrastructures: WOMBAT, INSPIRE, INTERSECTION, as well as representatives from NASK/CERT Polska, Palacky University, and IPP-BAS. They will present their current research activities and the opportunities for future research in the field of ICT Trust & Security.

The project participants from Central and Eastern European EU Member States (EU12) will share their experience and success stories from past EU-funded projects. The session also aims at stimulating discussion on emerging research challenges in the area and exchange ideas for potential proposals for the upcoming call and partnership building among participants in view of the formation of project consortia. Those who are looking for new research opportunities and are willing to participate in the Thematic Session and the ICT Fair can visit the website and register for the event. We are looking forward to seeing you in Olomouc.

The panel discussion revolved around the already defined project WGs:

• Smart environments
• Critical systems
• Malware & fraud

The discussion started with a talk on smart systems, which mainly focused on the threats introduced by the advent of smart devices. Smart-phones and other such mobile smart-devices are slowly replacing the older mobile phones greatly increasing the offered functionality. A smart-phone can be used for accessing email, online banking, e-commerce, etc same as with a PC. Furthermore, new location based services (via GPS) are offered, and plans are made to turn these devices to e-wallets. Also, since a phone is considered highly personal, users tend to store personal items such as photos, PIN and credit card numbers. All the above turn these devices to very attractive targets for attackers, while at the same time users are not even aware of the existence of threats against their new device. Applying already developed security solutions to mobile devices is not always possible, because of their inherent limitations such as limited battery life, and hardware resources. As such additional research is needed to address security in such devices.

Critical systems were discussed second in the panel. Such systems include telecommunications infrastructure, transportation, energy production and distribution, etc. These systems have been using computers for a long time, but in the future there are many plans to allow their management over the Internet. Extending their connectivity can leave them open to a multitude of attacks, if security is not considered early in the design and implementation. Unfortunately, in this case as well, people involved with critical systems are not always aware of the new threats and challenges they will be facing.

A very interesting example from the car industry was brought up. Cars today already include 40-50 computers connected via LAN. Security has not been an issue till today, but with plans to interconnect cars with each other,  or even with the Internet it is made obvious that security will be a prime concern. Failure to introduce security mechanisms could prove catastrophic, not in this example alone but on all critical systems.

The final subject of the panel was malware and fraud. The discussion centred on the new incentives and modus operandi of malware writers today. Malware is no longer written “for fun”, but for profit. One can easily be made aware of this by considering the very successful worms of the past such as CodeRed, Blaster, and Sasser. Even though millions of systems were infected, the damages inflicted were relatively small. Today on the other hand, malware writers are driven by profit, and form groups that resemble traditional crime organisations. Botnets such as the renowned Storm botnet are used to circulate spam e-mail, which is either directly providing income to the botnet “owners”, or is used to perform fraud. Botnets have even been observed being rented out in the cyber underground through IRC channels and web pages. To better understand this new generation of criminals, traditional investigation is needed to provide warning of new attacks and frauds, while at the same time more research is needed on disrupting malware operation and propagation.

The conclusions extracted from the panel discussion can be summarised into that: a) additional security research is needed to address future threats on new technologies, and b) well established industries need to be made aware of the new threats they will be exposed to, because of the interconnection of previously unconnected components.

The European Network and Information Security Agency (ENISA) held a workshop on “Improving Resilience in European e-Communication Networks” on the 12-13 of November 2008 in Brussels. Sotiris Ioannidis participated in the workshop and gave a talk on the Resilience improving features of MPLS, IPv6 and DNSSEC.

In 1995, the EU decided to negotiate a “Framework Agreement on Trade and Cooperation“, in recognition of South Korea’s increasing role in the Asian and global economy, and of its success in consolidating democracy. This Agreement entered into force in April 2001 and is implemented through an annual meeting of a Joint Committee.

The EU – South Korea dialogue has broadened these last years, namely through “EU-Korea Summits” and regular ministerial meetings. Both parties cooperate closely in a number of multilateral fora, and have close relationship within the Asian Europe meeting (ASEM).

The 2nd EU-Korea Cooperation Forum on ICT Research was held in Brussels between the 1st and 2nd of December. This second Cooperation Forum is a follow-up event to the one successfully held in Seoul, South Korea in June 2008, and is organised under the aegis of the European Commission (Directorate General Information Society and Media), and of the Ministry of Knowledge Economy (MKE), Korea.

Engin Kirda from Institute Eurecom held a talk on the FORWARD and the WOMBAT EU projects and discussed possible collaboration opportunities with Korean partners. The slides from the talk are available from the publications section of the FORWARD website.