Black Hat 2013 happened in Las Vegas yesterday – for those of you who don’t speak geek, Black Hat is the annual conference where top computer security officials and hackers get together to chat. And this year’s conference even featured a certain general from the NSA. There was some definite discord in the crowd as he spoke. But I digress.
By now you all know how obsessed we are with your email security here at TouchDown and why we use encryption that is not vulnerable to the many exploits out there. What I always find most interesting at Black Hat is all the ways hackers (technological wizards who are pushing the envelope, sometimes for good, sometimes for bad) find out that a user’s information is not secure… Well, at this year’s Black Hat some interesting tidbits have already come to the surface (and luckily, the exploits described below do not apply to TouchDown!)
Some of the world’s leading computer security researchers weighed in on security issues and, in somewhat eyebrow-raising news, Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) explained how to exploit some loose ends in the way popular web-based email services handle sign-out. TLS (Transport Layer Security) encrypts and authenticates the data that travels between your browser and the website, but it does not protect the TCP connection underneath it. TLS has a close_notify alert for announcing an orderly shutdown, yet browsers also accept a bare TCP close as the end of a response, and that tolerance is the flaw these services inherit. When a user clicks sign out, an attacker on the path can block the encrypted record carrying the ‘log-out’ request before it reaches the server and instead inject a TCP FIN, which TLS neither encrypts nor authenticates, to close the connection. The server never gets the request and cannot tell this forced close from a normal one, so your session stays live. YOU get a page saying that you are logged out (you aren’t) and walk away.
What makes it worse is that this attack does not rely on software being installed on your computer or some other more obvious way of snooping. All that has to happen is that someone (the bad guy) gets between your computer and the server, with something as simple as a compromised router or even a rogue wireless hotspot – the “Man in the Middle” attack. It works because the user receives feedback that the sign-out request has been successfully executed, when in actuality the server is unaware of the user’s request, so anyone who next uses that browser can reload the page and access the email without the user’s knowledge.
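The following is an added simulation, not code from the researchers or from TouchDown, of the truncation attack just described. It models a TLS-like record layer (a constructed HMAC key stands in for the negotiated session key, so the man-in-the-middle can drop records and close the TCP stream but cannot forge anything), a mail server whose sign-out is assumed to take two requests (show the confirmation page, then destroy the session; the paths and session id are made up for the example), and two browsers: one that treats a bare FIN as a clean close, and one that insists on a close_notify alert before it believes the sign-out page.

```python
"""Simulation of a TLS truncation attack on web sign-out (constructed example)."""
import hashlib
import hmac

RECORD_KEY = b"constructed-session-key"   # stands in for the TLS session key (assumption)
DATA, CLOSE_NOTIFY = b"\x17", b"\x15"     # TLS content types: application data, alert


class Truncated(Exception):
    """Stream ended with a bare TCP FIN and no close_notify alert."""


def seal(seq, kind, body):
    """Build an authenticated record; the MAC binds sequence number, type and body."""
    tag = hmac.new(RECORD_KEY, seq.to_bytes(8, "big") + kind + body, hashlib.sha256).digest()
    return (seq, kind, body, tag)


def unseal(expected_seq, record):
    """Verify a record; dropped-then-resumed or forged records fail here, a FIN does not."""
    seq, kind, body, tag = record
    if seq != expected_seq or not hmac.compare_digest(tag, seal(seq, kind, body)[3]):
        raise ValueError("record forged, replayed or reordered")
    return kind, body


class MailServer:
    """Sign-out (assumed model): GET the confirmation page, then a second request kills the session."""

    def __init__(self, session_id):
        self.sessions = {session_id}

    def serve(self, requests):
        """Answer each request record in order, then announce an orderly close."""
        responses = []
        for seq, record in enumerate(requests):
            _, body = unseal(seq, record)
            path, sid = body.split(b" ")
            if sid not in self.sessions:
                reply = b"401 not signed in"
            elif path == b"/logout/confirm":
                reply = b"200 You have signed out"        # shown before the session dies
            elif path == b"/logout/invalidate":
                self.sessions.discard(sid)
                reply = b"200 session destroyed"
            else:
                reply = b"200 inbox"
            responses.append(seal(len(responses), DATA, reply))
        responses.append(seal(len(responses), CLOSE_NOTIFY, b""))
        return responses


def browser_sign_out(server, sid, network, require_close_notify):
    """Send the two-step sign-out through `network` and return the page the user sees."""
    requests = [seal(0, DATA, b"/logout/confirm " + sid),
                seal(1, DATA, b"/logout/invalidate " + sid)]
    responses = network(server, requests)
    pages, closed_cleanly = [], False
    for seq, record in enumerate(responses):
        kind, body = unseal(seq, record)
        if kind == CLOSE_NOTIFY:
            closed_cleanly = True
            break
        pages.append(body)
    if require_close_notify and not closed_cleanly:
        raise Truncated("connection ended without close_notify; sign-out unconfirmed")
    return pages[0] if pages else None


def honest_network(server, requests):
    return server.serve(requests)


def truncating_mitm(server, requests):
    """Forward only the first request, then tear down TCP: the server's close_notify never arrives."""
    responses = server.serve(requests[:1])
    return [r for r in responses if r[1] == DATA]


def run(network, require_close_notify):
    sid = b"victim-session"                   # constructed session cookie for the victim
    server = MailServer(sid)
    try:
        page = browser_sign_out(server, sid, network, require_close_notify)
    except Truncated:
        page = None                           # hardened browser refuses to show "signed out"
    return {"page": page, "session_valid": sid in server.sessions}


if __name__ == "__main__":
    print("honest network :", run(honest_network, require_close_notify=False))
    print("MITM, tolerant :", run(truncating_mitm, require_close_notify=False))
    print("MITM, hardened :", run(truncating_mitm, require_close_notify=True))
```

With the tolerant browser the attacked run returns the “You have signed out” page while `session_valid` is still `True`, which is exactly the state the researchers exploit by reloading; the hardened browser gets the same truncated stream but reports the sign-out as unconfirmed instead. The tolerant behaviour is easy to reproduce with real TLS stacks too: Python’s `ssl` module, for instance, defaults to `suppress_ragged_eofs=True`, so a bare FIN without close_notify is returned to the application as an ordinary EOF rather than an `ssl.SSLEOFError`.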
The way the researchers explained it:
“In essence, we block encrypted messages that are sent over the network to de-synchronize authorisation: we force Gmail and Hotmail [Outlook.com] to display on your browser the page that announces that you have successfully signed-out, whilst ensuring that your browser maintains authorisation with Gmail and Hotmail [Outlook.com]. Given such an announcement, you should be assured that you are secure, in particular, a hacker should not be able to access your email, even if you [log out and] leave your computer unattended. However, we can violate this basic security premise and access your Gmail and Hotmail [Outlook.com] accounts just by reloading the web page.”
This of course caused quite the stir at Black Hat, because the services the researchers named, run by Google and Microsoft, are extremely popular. Smyth and Pironti went so far as to say:
“…shared machines – even un-compromised computers – cannot guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, Hotmail, and MSN), nor Google (including Gmail, YouTube, and Search).”
Now this “Man in the middle” type of attack is not a new one by any means, but the ease with which this can happen wasn’t apparent to most, especially with services that the masses consider secure and private. We’ll be reporting more from Black Hat later this week…and continuing to write emails using TouchDown.