Fresh on the heels of our Mutual Fund Monitor Report on Online Security comes word out of the Black Hat security conference that SSL (Secure Sockets Layer), the ubiquitous page verification technology, may have some loopholes in the way it functions with Internet browsers.

Mutual fund firms will clearly wince at this news, as our report found that all 18 MFM companies employ SSL for security. The good news is that potential breaches such as these were discovered before they were nefariously implemented, so it gives security and browser developers a head start in plugging the holes.

One of the Black Hat security researchers (a hacker on payroll to identify threats) named Moxie Marlinspike – whose name did not detract from the seriousness of his findings – showed a trick called a “null-termination certificate” that can create a phony digital identity to be used in bait-and-switch phishing scams. Elevating the stakes, Marlinspike explained how hackers can intercept a browser’s auto-update function (which relies on SSL) and modify the browser, “so that anytime you submit something to a site, it sends me a copy,” he said.

On the same day the Black Hat conference was making headlines, VeriSign put out a reassuring press release announcing that all of its systems are already safe from these new SSL threats. The firm even spun this as a selling point, stating that, “Until client software vendors can fix these vulnerabilities in their applications and operating systems, solutions like VeriSign EV SSL provide effective and reliable protection against these potential threats.” VeriSign is one of the most common certificate authorities (firms that issue digital security certificates to verify the identity of websites) and, according to our Security Report, is used by 72% of MFM firms.

The threats are largely hypothetical at this point, but all browser companies are racing to release safeguards. Firefox 3.5 is already immune to these threats, and developers have released a fix for the majority of users with version 3.0. Microsoft is reportedly close to releasing an update for its Internet Explorer. No word as of yet on the Google blogs regarding their Chrome browser.