A group of hackers has released a new cyberattack tool that allows a single, Internet-connected computer to launch the kind of massive distributed denial-of-service (DDoS) attacks that traditionally requires a network of computers and loads of bandwidth.
Released yesterday (Oct. 24) by a German group called The Hackers Choice, the tool, called "THC SSL DOS," exploits a vulnerability in Secure Sockets Layer (SSL) encryption, the standard protocol used to secure data as it moves between the user and the server he or she is logged into. The attack tool overwhelms the target with secure connection requests much in the same way a typical DDoS attack does, except THC SSL DOS only needs a single computer using a standard DSL connection as its hub.
Kim Zetter from Wired explained that the SSL flaw exists in SSL renegotiation, a process that is supposed to verify a Web browser's connection to a remote server, such as one used by an email provider or bank. Websites can use HTTPS encryption without turning on SSL renegotiation, Zetter wrote, but many sites have it on by default, leaving them open to this type of exploit.
"Renegotiating key material is a stupid idea from a cryptography standpoint," a spokesperson from The Hackers Choice wrote on the group's blog. "If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated."
The Hackers Choice said it wants the security community to take notice of the problem, and that the impetus for developing and releasing the tool, which works for both Windows and Unix systems, was not to launch malicious attacks, but to highlight a glaring problem that needs to be addressed — one that has already been exploited in the wild several times.
"We are hoping that the fishy security in SSL does not go unnoticed," the group wrote. "The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century." The group added, "It's time for a new security model that adequately protects the citizens."