For those that may not have seen the news, there is a new HTTPS weakness known as DROWN.
DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption and is a new attack that affects HTTPS and other services that rely on SSL and TLS, and allows an attacker to break the encryption and read or steal sensitive communications, including password, credit card numbers, trade secrets, or financial data.
Based on the website https://drownattack.com – 33% of all HTTPS servers are vulnerable to the attack.
A server is vulnerable to this attack if it allows SSLv2 connections or if the server’s private key is used on any other server that supports SSLv2 connections. “Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server,” according to the DROWN team’s website post which also includes instructions for disabling SSLv2 in different types of servers.
Now you may be thinking that SSL2 is old technology and you don’t use this anymore. This is true in the sense that SSL2 dates back to the 1990s, but many devices still support it or have it configured, so the threat is very real. And in case you were wondering if all of this is theoretical, an attack has been demonstrated against OpenSSL (exploiting a known vulnerability CVE-2016-0703) where it was possible to decrypt a connection in under a minute, using just a single PC to do the processing. Even not using the known vulnerability, it was possible to carry out an attack in under 8 hours (using cloud based computing such as AWS, this could be achieved for less than $500).
So what can you do?
- Understand your environment – conduct a thorough review to understand exactly what you use and where
- Conduct penetration testing to identify weaknesses
- Patch – probably the simplest thing to do, yet one of the worst conducted in practice (and largely connected to the first point of not knowing what is in your environment and consequently not patching effectively)
- Understand the assets and the value of your company’s data. Understand what you need to protect
It is easy to become disillusioned and think the battle has been lost, but this is not the case. Good intelligence, analytics of threats and a detailed understanding of your network environment can go a long way to protecting your company.
By Chris Leppard – Head of Consultancy – CIPHER