Written by: Michael J. Unsworth

Using the Old to Break the New
Attack surfaces, meaning all of the entry points that unauthorized users can try to break through to steal your data, are continuously expanding, driven by prime targets such as old network protocols and unpatched hardware and software. An example occurred just this spring, when researchers discovered a new attack called Decrypting RSA using Obsolete and Weakened eNcryption (DROWN).

DROWN allows hackers to exploit vulnerabilities when customers or employees believe they are using a secure website connection. In particular, researchers have found weaknesses in SSLv2 and TLS encryption. They were able to break a 2048-bit RSA ciphertext, a type of encryption, in less than eight hours and for only about $440 using Amazon’s EC2 service, which allowed them to intercept and read all of the data that was supposed to be encrypted. [1]

The risks of relying on any variation of the SSL protocol to protect your data have existed for years, with exploitable vulnerabilities having been identified in all versions. Significant risks also exist in other aging protocols and software that attackers can use to gain access to your devices, data and entire networks. For instance, HVAC and similar control systems generally either have no updates released or are left unpatched when updates are released.

Low Hanging Fruit
Due to their visibility, web servers are the most likely targets for hackers. Even if the servers are not configured to support SSLv2, they may still be at risk if the same private key is shared between them and any other server that allows SSLv2 connections. In many cases, private keys are reused on servers and between web servers and email servers. This means that if either server allows SSLv2, the private key could be compromised and used against the other servers using the same key.
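The key-reuse risk described above can be checked against your own inventory. The following is an added example, not code from the original article; the record fields, host names and key fingerprints are constructed for illustration and would in practice come from your own scan results.

```python
from collections import defaultdict
from typing import NamedTuple

class Endpoint(NamedTuple):
    host: str
    port: int
    key_fp: str          # fingerprint of the server's RSA public key
    protocols: tuple     # protocol versions the endpoint accepts

# Constructed sample inventory (hypothetical hosts and fingerprints).
INVENTORY = [
    Endpoint("www.example.test", 443, "key-A", ("TLSv1.2",)),
    Endpoint("mail.example.test", 25, "key-A", ("sslv2", "TLSv1.0")),
    Endpoint("shop.example.test", 443, "key-B", ("TLSv1.2",)),
    Endpoint("legacy.example.test", 443, "key-C", ("SSL 2.0", "SSLv3")),
]

SSLV2_NAMES = {"sslv2", "ssl2", "ssl2.0"}  # spellings different scanners use

def allows_sslv2(ep):
    """True if any reported protocol name denotes SSLv2."""
    return any(p.lower().replace(" ", "") in SSLV2_NAMES for p in ep.protocols)

def sslv2_key_exposure(inventory):
    """Map each key reachable over SSLv2 to the endpoints that put it at risk
    and the endpoints that inherit the risk by sharing that key."""
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[ep.key_fp].append(ep)
    report = {}
    for key_fp, eps in by_key.items():
        weak = sorted(f"{e.host}:{e.port}" for e in eps if allows_sslv2(e))
        if weak:
            shared = sorted(f"{e.host}:{e.port}" for e in eps if not allows_sslv2(e))
            report[key_fp] = {"sslv2": weak, "shared": shared}
    return report

if __name__ == "__main__":
    for key_fp, r in sorted(sslv2_key_exposure(INVENTORY).items()):
        print(f"{key_fp}: SSLv2 accepted on {', '.join(r['sslv2'])}")
        for ep in r["shared"]:
            print(f"  shares this key, at risk without SSLv2 itself: {ep}")
```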

How You Can Stay Ahead
The DROWN attack demonstrates that a configuration that seems innocuous can still become an attack avenue for a determined attacker. New vulnerabilities are identified every day, and hackers are quick to find ways to exploit them.

To identify and mitigate these risks for your institution, comprehensive assessments need to be conducted on an ongoing basis. Additionally, you should review your protocols, running services, and installed software, and remove any that are non-essential. Implementing these protective measures will reduce the visible attack footprint and your risk of falling victim to a hacker.

For assistance with your security program, contact Michael J. Unsworth, IT Assurance Senior Consultant, at 617-933-3372 or munsworth@wolfandco.com. 

[1] https://drownattack.com/drown-attack-paper.pdf