200 PS3s Used to Expose Internet Security Flaw
Posted by Nikhil on December 30, 2008
It would seem that the PS3 supercomputer is starting to gain favor among scientists. You may remember our previous article about how a supercomputer cluster of PS3s was used to solve one of the many mysteries surrounding black holes (read about it here). Well, a group of scientists recently used the PS3 supercomputer for something a bit more down to earth: breaking the MD5 hash algorithm commonly used by secure websites.
Researchers in the Netherlands and Switzerland used a cluster of 200 PS3s to exploit a known weakness in the MD5 algorithm. This allowed them to create false Certification Authorities that are trusted by all modern web browsers. In short, this research allows hackers to launch undetectable phishing attacks, completely defeating the method that current browsers use to trust secure sites.
For the technically savvy, here’s what Alex Sotirov, one of the scientists involved, had to say: “Our main result is that we are in possession of a ‘rogue’ Certification Authority (CA) certificate. This certificate will be accepted as valid and trusted by many browsers, as it appears to be based on one of the ‘root CA certificates’ present in the so called ‘trust list’ of the browser. In turn, web site certificates issued by us and based on our rogue CA certificate will be validated and trusted as well. Browsers will display these web sites as ‘secure’, using common security indicators such as a closed padlock in the browser’s window frame, the web address starting with ‘https://’ instead of ‘http://’, and displaying reassuring phrases such as ‘This certificate is OK’ when the user clicks on security related menu items, buttons or links.”
In addition, an attack launched through this MD5 flaw could have serious consequences according to Sotirov: “For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users’ passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.”
Luckily, researchers claim that this attack was extremely hard to pull off. The scientists involved will obviously not release the specifics of their hack to the public, and it would take months for anyone else to pull off such a feat successfully. However, any secure sites using MD5 are encouraged to change to a more modern hash algorithm such as SHA-2 or SHA-3 to be safe. Let’s just hope that no hacker gets his hands on 200 PS3s!
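A site operator acting on that advice first needs to know which certificates carry an MD5-based signature. The following is an added example, not code from the researchers or from this site: it reads the signature algorithm OID out of a DER-encoded X.509 certificate and reports whether it is MD5-based. The function names and the constructed sample certificate skeleton are assumptions made for illustration.

```python
# Added example: report whether a DER-encoded X.509 certificate is MD5-signed.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, off):
    """Return (tag, body_start, body_end) of the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low bits count length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER body")
    return tag, off, off + length

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]   # first byte packs the first two arcs
    value = 0
    for b in body[1:]:                     # remaining arcs are base-128, MSB = "more"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID of the outer signatureAlgorithm field of a Certificate."""
    _, start, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert_der, start)      # skip over tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06 or oid_start == oid_end:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(cert_der[oid_start:oid_end])

def uses_md5(cert_der):
    return SIG_OIDS.get(signature_algorithm(cert_der), "").startswith("md5")

def tlv(tag, body):                        # helper for the constructed sample only
    return bytes([tag, len(body)]) + body

def sample_cert(oid_body):
    """Constructed skeleton: empty tbsCertificate, algorithm, 1-byte signature."""
    alg = tlv(0x30, tlv(0x06, oid_body) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))

MD5_RSA = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

To audit a real certificate, pass its DER bytes (a PEM file with the base64 body decoded) to `uses_md5`.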
Stay tuned to PCN for the latest in PS3 news!