Hackers Still Hard At Work


Researchers recently discovered that a cryptographic timing attack could be used by hackers and cyber criminals to gain access to web software used by millions of users across the world. Taylor Nelson and Nate Lawson found an exploitable security flaw that affects many open source software libraries used to verify passwords and user names when people log on to websites that require them. Some of the websites using this kind of authentication include Digg and Twitter.

Not all, but some versions of these login systems have been vulnerable to a timing attack. Timing attacks have been around for approximately twenty-five years, but security experts believed they were very difficult to execute over a network. Taylor and Nate set out to prove that isn't necessarily so. These types of attacks are believed to be very hard to carry out because they need very precise measurements to work. They break passwords by measuring how long a computer system takes to respond to a login request. In some systems, the login check compares the password one character at a time and returns a login failure message as soon as it sees an incorrect character. As a result, a login attempt whose very first character is wrong gets its failure message a little faster than an attempt whose first character is correct. Hackers repeatedly log in, cycle through the possible characters, and measure how long the system takes to answer. By doing this, hackers can determine the right password.

It may sound theoretical, but timing attacks do actually work. A timing attack was used to hack Microsoft's Xbox 360, and smart card manufacturers have built timing attack protection into smart cards for a number of years. Others believed that factors such as network jitter, which speeds up or slows down system response times, would make it very difficult to get the precise measurements necessary for a successful attack. Taylor and Nate tested their timing attacks on local area networks, the Internet, and cloud environments, successfully cracking passwords each time with algorithms that filter out network jitter. Lawson stated, “Everyone should see exploits to understand is a problem in need of a fix.”

Nate and Taylor also discovered that applications written in interpreted languages such as Ruby and Python responded to password queries much more slowly than those written in languages such as assembly and C, which makes timing attacks more feasible. “Interpreted languages have a larger timing difference.” Both Nelson and Lawson notified the software makers that could be affected by the timing attack, and stated that the fix is very simple. By using six lines of code to make the system take the same amount of time to return a response for a good password or a bad password, a timing attack becomes more difficult to execute. The researchers also noted that applications running in a cloud may be more vulnerable, because cloud services give hackers a way to get closer to their intended target, which reduces network jitter.
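The character-by-character check and the same-time fix described above can be put side by side. This is an added example, not the researchers' code or any affected library's code. The function names, the step counter that stands in for response time, and the sample values are all constructed for illustration.

```python
import hmac

def early_exit_equal(supplied: bytes, stored: bytes) -> tuple[bool, int]:
    """Leaky check: stops at the first wrong byte.
    Returns (match, bytes_examined); the count models response time."""
    if len(supplied) != len(stored):
        return False, 0
    steps = 0
    for a, b in zip(supplied, stored):
        steps += 1
        if a != b:
            return False, steps  # earlier mismatch means a faster failure
    return True, steps

def constant_time_equal(supplied: bytes, stored: bytes) -> tuple[bool, int]:
    """Fixed check: examines every byte and ORs the differences together,
    so the work done does not depend on where the first mismatch is."""
    if len(supplied) != len(stored):
        return False, 0  # length still leaks; compare fixed-length digests
    diff = 0
    steps = 0
    for a, b in zip(supplied, stored):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps

def work_profile(compare, stored: bytes, guesses: list[bytes]) -> list[int]:
    """Bytes examined for each guess: what a response-time observer learns."""
    return [compare(guess, stored)[1] for guess in guesses]

def production_equal(supplied: bytes, stored: bytes) -> bool:
    """In real Python code use the standard library's constant-time compare;
    the pure-Python loop above only models the idea."""
    return hmac.compare_digest(supplied, stored)

# Constructed sample values: a stored token and guesses that share a
# progressively longer correct prefix with it.
STORED = b"7f3a9c01"
GUESSES = [b"00000000", b"7f000000", b"7f3a9000", b"7f3a9c00", b"7f3a9c01"]

if __name__ == "__main__":
    print("early exit   :", work_profile(early_exit_equal, STORED, GUESSES))
    print("constant time:", work_profile(constant_time_equal, STORED, GUESSES))
```

The early-exit profile grows with the length of the correct prefix, which is the signal a timing measurement picks up; the constant-time profile is flat for every guess.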

CISSP training in the realm of data security brings security awareness that can be used by everyone. Organizations can always use a good, certified information security professional to assist in protecting their critical data. K Alliance leads the way in information security training leading to certification in learning the many procedures of network security, business continuity, disaster recovery, security risk management, access security, application development security, cryptography, and many more topics.
