Project communication: Thousands of Github users have contact problems

An extremely large number of user requests that are actually intended for software projects end up not with the right recipient but with the support team of the code hoster Github. Yet this problem would probably be easy to solve, a Github employee said. (Open Source, Applications)

“Forbidden attack” makes dozens of HTTPS Visa sites vulnerable to tampering

Researchers say 70,000 servers belonging to others also at risk.

(credit: Hanno Böck)

Dozens of HTTPS-protected websites belonging to financial services giant Visa are vulnerable to attacks that allow hackers to inject malicious code and forged content into the browsers of visitors, an international team of researchers has found.

In all, 184 servers—some belonging to German stock exchange Deutsche Börse and Polish banking association Związek Banków Polskich—were also found to be vulnerable to a decade-old exploit technique cryptographers have dubbed the "forbidden attack." An additional 70,000 webservers were found to be at risk, although the work required to successfully carry out the attack might prove to be prohibitively difficult. The data came from an Internet-wide scan performed in January. Since then, Deutsche Börse has remedied the problem, but, as of Wednesday, both Visa and Związek Banków Polskich have allowed the vulnerability to remain and have yet to respond to any of the researchers' private disclosures.

The vulnerability stems from implementations of the transport layer security protocol that incorrectly reuse the same cryptographic nonce when data is encrypted. TLS specifications are clear that these arbitrary pieces of data should be used only once. When the same one is used more than once, it provides an opportunity to carry out the forbidden attack, which allows hackers to generate the key material used to authenticate site content. The exploit was first described in comments submitted to the National Institute of Standards and Technology. It gets its name because nonce uniqueness is a ground rule for proper crypto.

How the Internet works: Submarine fibre, brains in jars, and coaxial cables

A deep dive into Internet infrastructure, plus a rare visit to a subsea cable landing site.

Ah, there you are. That didn't take too long, surely? Just a click or a tap and, if you’ve some 21st century connectivity, you landed on this page in a trice.

But how does it work? Have you ever thought about how that cat picture actually gets from a server in Oregon to your PC in London? We’re not simply talking about the wonders of TCP/IP, or pervasive Wi-Fi hotspots, though those are vitally important as well. No, we’re talking about the big infrastructure: the huge submarine cables, the vast landing sites and data centres with their massively redundant power systems, and the elephantine, labyrinthine last-mile networks that actually hook billions of us to the Internet.

And perhaps even more importantly, as our reliance on omnipresent connectivity continues to blossom, the number of our connected devices swells, and our thirst for bandwidth knows no bounds, how do we keep the Internet running? How do Verizon or Virgin reliably get 100 million bytes of data to your house every second, all day every day?

Jolla launches Sailfish OS community, limited edition Jolla C smartphone

It looks like the reports of Jolla’s demise have been somewhat exaggerated. After running into financial troubles last year and announcing it’d be unable to ship tablets to everyone who had placed orders, the company recently announced it had raised new funding for its efforts to continue developing the Sailfish operating system in hopes of licensing it to other manufacturers.

Now Jolla has introduced a new program for developers and enthusiasts called the Sailfish OS Community… along with a limited-edition Sailfish OS smartphone called the Jolla C.

Continue reading Jolla launches Sailfish OS community, limited edition Jolla C smartphone at Liliputing.

Grocery delivery service: Amazon Fresh to launch in Germany after all

According to a report, Amazon Fresh is coming to a large German city as early as this autumn. Previously, the US company had stated that it had no plans for delivering fresh groceries. (Amazon, Kindle)

Government agencies keep sacrificing cash to zombie IT systems, GAO finds

50-year-old Cobol code, 8-inch floppies, and PowerBuilder live on in government IT.

For those of you who don't remember, this is what an 8-inch floppy disk looks like. (credit: Government Accountability Office)

Some of the most critical business systems run by US government agencies are older than many of the IT people who support them, written in mainframe assembler code or COBOL. That might not shock or surprise anyone who works in mainframe-centric industries like insurance and finance, where the time-tested reliability of some systems has granted them lives that reach back to the Johnson administration. But a new GAO report has called out some of these systems as being so archaic that they're consuming increasingly larger portions of agencies' IT budgets just for operation and maintenance. As the breach at the Office of Personnel Management demonstrated, old systems are also a security risk—particularly when they've been "updated" with now-unsupported versions of Windows Server and Internet and database components that were end-of-life'd by their creators years ago.

To drive those points home, the report—written by David A. Powner, GAO's Director for Information Technology Management Issues—called out specific legacy systems from multiple agencies that are particularly obsolete, reliant on older programming languages and older computing technology that are no longer supported. To help members of Congress too young to remember them, the report also included an infographic (as shown above) to explain what an 8-inch floppy disk was.

Of the top ten oldest systems cited by GAO, six are over 50 years old—and five of the ten oldest systems, all dating from before the 1980s, are not slated to be replaced anytime soon. And it should come as no surprise that the two oldest systems in government are at the Internal Revenue Service, and both will remain in place for some time.

Buglas: Association criticizes Telekom's retreat from Fiber To The Home

The municipal network operators active in Buglas are angry at Telekom, which accuses competitors of only complaining instead of expanding the network. 70 percent of the existing FTTB/H connections in Germany reportedly come from the network operators, which is also true. But Höttges had attacked others. (Telekom, Fiber optics)

Apple Store: Apple not allowed to open stores in India

India is a market with high demand for technology among its population. But regulations prevent Apple from opening its own stores there. According to a news agency report, the company failed to obtain an exemption. Samsung, by contrast, has long had an Experience Store in the country. (Apple Store, Apple)

Mitsubishi MRJ90 and MRJ70: Japan's regional jet is only the beginning

Japan wants to establish itself in civil aviation. In two years, the MRJ90 is meant to mark the beginning of an entire industry. It helps that Japan's companies have long been supplying high-end components for the aviation industry. (Mitsubishi, Aircraft)

Keysweeper: FBI warns of spy in USB charger

What looks innocuously like a USB charger conceals sophisticated espionage technology with an Arduino. Now the FBI is warning about the data thief, which a "white hat" developed more than a year ago. (Encryption, Microsoft)
