Drown Attack puts millions of OpenSSL HTTPS websites at risk

More than 11 million HTTPS websites are at risk from a new Drown attack

After Heartbleed, the critical vulnerability that shook the world last year, another critical flaw threatens to cause similar concern. A newly discovered OpenSSL security hole allows an obsolete security protocol, Secure Sockets Layer version 2 (SSLv2), to be used for attacks on modern websites.

Readers should understand the severity of this vulnerability, as virtually all banks, financial institutions, and other websites that collect personally identifiable information (PII) use HTTPS for secure communication between the user and web server.

The attack that exploits this vulnerability, called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), is estimated to affect at least a third of all HTTPS servers. The researchers who discovered the flaw stated that at least 11.5 million websites using the HTTPS protocol may be at risk from the DROWN attack.

The DROWN attack was revealed by academic researchers from the Department of Electrical Engineering of Tel Aviv University, Münster University of Applied Sciences, the Horst Görtz Institute for IT Security at Ruhr University Bochum, the University of Pennsylvania, the Hashcat Project, the University of Michigan, Two Sigma / OpenSSL and Google / OpenSSL.

The researchers said: "We are already in a position to perform the attack on OpenSSL versions that are vulnerable to CVE-2016-0703 in less than one minute using a single computer. Even for servers that do not have these specific bugs, the general attack index, which runs against any SSLv2 server, can be run in less than 8 hours, with a total cost of $440."

As of today, some of the top websites in the Alexa ranking are vulnerable to man-in-the-middle attacks based on DROWN, including Yahoo, Sina and Alibaba. Even India's leading state bank, Bank of India, is vulnerable to CVE-2016-0703 (MITM attack), which allows potential attackers to decrypt recorded traffic and steal data.

The researchers said that outdated versions of Microsoft Internet Information Services (IIS) 7 were previously vulnerable, and that versions of Network Security Services (NSS), a common cryptographic library embedded in many server products, before version 3.13 (released in 2012) are also open to attack.

You can find out whether your site is vulnerable by using the DROWN attack test site.

In any case, if you rely on OpenSSL for security, it's time to upgrade to 1.0.2g. OpenSSL 1.0.1 users will need to upgrade to version 1.0.1s.
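The test site mentioned above does the full check; the core of it is simply asking the server whether it still speaks SSLv2. The following added example (not from the article or the DROWN researchers) builds a minimal SSLv2 CLIENT-HELLO, parses the SERVER-HELLO that an SSLv2-enabled server returns, and lists the cipher kinds it offers, so an administrator can audit their own hosts; the sample SERVER-HELLO bytes are constructed here and the certificate bytes in it are a placeholder. Remember that DROWN also applies when a different host (an SMTP or IMAP server, say) speaks SSLv2 with the same RSA key, so every service sharing the certificate needs the same check.

```python
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each) from the SSL 2.0 spec; the 40-bit EXPORT kinds are what the general DROWN attack relies on.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge=b"\x00" * 16):
    """SSLv2 CLIENT-HELLO (type 1, version 0x0002) offering every cipher kind, no session id."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = b"\x01\x00\x02" + struct.pack(">HHH", len(ciphers), 0, len(challenge))
    body += ciphers + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte record header, high bit set

def parse_server_hello(data):
    """Return (supports_sslv2, cipher names) from the first record the server sent back."""
    if len(data) < 3:
        return False, []
    # SSLv2 record header is 2 bytes when the high bit is set (15-bit length), else 3 bytes.
    if data[0] & 0x80:
        hdr, length = 2, ((data[0] & 0x7F) << 8) | data[1]
    else:
        hdr, length = 3, ((data[0] & 0x3F) << 8) | data[1]
    body = data[hdr:hdr + length]
    # Anything but SERVER-HELLO (type 4) means no SSLv2: an SSLv2 ERROR, a TLS alert, or a close.
    if len(body) < 11 or body[0] != 0x04:
        return False, []
    cert_len, cs_len, _conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + cs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - 2, 3)]
    return True, names

def check_host(host, port=443, timeout=5.0):
    """Send one SSLv2 CLIENT-HELLO to a server you administer and parse its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(sock.recv(4096))

# Constructed SERVER-HELLO from an SSLv2-enabled server (placeholder cert bytes, not a real X.509).
_cert, _specs, _conn = b"\x30\x03\x02\x01\x05", b"\x01\x00\x80\x02\x00\x80\x07\x00\xc0", b"\x11" * 16
_body = b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", len(_cert), len(_specs), len(_conn)) + _cert + _specs + _conn
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_body)) + _body
```

A server that has SSLv2 disabled will typically answer with a TLS alert or close the connection, which `parse_server_hello` reports as `(False, [])`; any `True` result means the host, and every other host sharing its RSA key, is exposed to DROWN regardless of how well its TLS configuration is tuned.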

The author allows you to copy this text only if you credit the source (SecNews.gr) with a live link to the article.