Overclock.net › Forums › Industry News › Software News › [CNET]New attack tool targets Web servers using secure connections
New Posts  All Forums:Forum Nav:

[CNET]New attack tool targets Web servers using secure connections

post #1 of 11
Thread Starter 
Quote:
Hackers have released a program they assert will allow a single computer to take down a Web server using a secure connection.

The THC-SSL-DOS tool....
For once, they actually gave the name of the tool used to go through with the action.

Article Source

Here's the tool source site for those interested.

Tool Source
BlueRaven
(13 items)
 
Dead BIOS
(9 items)
 
 
CPUMotherboardGraphicsRAM
Intel Core i7 G74Sx NVIDIA GeForce GTX 560M  Samsung  
RAMRAMHard DriveHard Drive
Samsung  Samsung  Momentus 7200.4 Scorpio Blue 
Mouse
Logitech G700 
  hide details  
Reply
BlueRaven
(13 items)
 
Dead BIOS
(9 items)
 
 
CPUMotherboardGraphicsRAM
Intel Core i7 G74Sx NVIDIA GeForce GTX 560M  Samsung  
RAMRAMHard DriveHard Drive
Samsung  Samsung  Momentus 7200.4 Scorpio Blue 
Mouse
Logitech G700 
  hide details  
Reply
post #2 of 11
knew about this for a little over a week, works great.


here is another source,

The Hacker News
    
CPUMotherboardGraphicsRAM
AMD E350 @ 2Ghz Gigabyte GA-E350N (USB 3.0) AMD Radeon HD 6310 graphics (FUSION) G.Skill 4Gb 1333 
Hard DriveOptical DriveOSMonitor
WD BLACK 500gb Mini ITX Windows 7 Vizio 23" Razer 
Power
250W built in 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
AMD E350 @ 2Ghz Gigabyte GA-E350N (USB 3.0) AMD Radeon HD 6310 graphics (FUSION) G.Skill 4Gb 1333 
Hard DriveOptical DriveOSMonitor
WD BLACK 500gb Mini ITX Windows 7 Vizio 23" Razer 
Power
250W built in 
  hide details  
Reply
post #3 of 11
Quote:
Originally Posted by source
A German group known as Hackers Choice said it released the exploit to bring attention to flaws in SSL...The industry should step in to fix the problem so that citizens are safe and secure again
this is ridiculous. we are so concerned for citizens' safety and privacy, that instead of reaching out to the Internet protocols organization and assisting with this matter privately, we have decided to release the flaw so that anyone can take advantage of it. mainly, because if WE weren't headlined in the news, then obviously this flaw wouldn't get fixed if we talked to everyone privately. we feel that by enabling other hackers who wouldn't know how to exploit SSL, we are protecting innocent citizens. look, i'm all for finding flaws and exploits and making sure they get fixed, but saying you're releasing something like this for "the good of innocents" is stupid
First Time Build
(20 items)
 
  
CPUMotherboardGraphicsGraphics
Intel Core i7 920 MSI X58 Pro-E (MS-7522) EVGA GeForce GTX 460 EVGA GeForce GTX 460 
GraphicsRAMRAMRAM
Galaxy GeForce GTX 460 Corsair  Corsair  Corsair  
Hard DriveOptical DriveCoolingOS
Seagate Barracuda 7200.12 Sony DVD+-RW Noctua NH-D14 Windows 7 64bit 
MonitorMonitorKeyboardPower
Acer P215H Acer P221W Dynex Silverstone OP1000-E 1kW PSU 
CaseMouseMouse PadAudio
Cooler Master HAF 932 Dynex Dynex ASUS Xonar DG 
  hide details  
Reply
First Time Build
(20 items)
 
  
CPUMotherboardGraphicsGraphics
Intel Core i7 920 MSI X58 Pro-E (MS-7522) EVGA GeForce GTX 460 EVGA GeForce GTX 460 
GraphicsRAMRAMRAM
Galaxy GeForce GTX 460 Corsair  Corsair  Corsair  
Hard DriveOptical DriveCoolingOS
Seagate Barracuda 7200.12 Sony DVD+-RW Noctua NH-D14 Windows 7 64bit 
MonitorMonitorKeyboardPower
Acer P215H Acer P221W Dynex Silverstone OP1000-E 1kW PSU 
CaseMouseMouse PadAudio
Cooler Master HAF 932 Dynex Dynex ASUS Xonar DG 
  hide details  
Reply
post #4 of 11
Quote:
Originally Posted by b3machi7ke View Post
this is ridiculous. we are so concerned for citizens' safety and privacy, that instead of reaching out to the Internet protocols organization and assisting with this matter privately, we have decided to release the flaw so that anyone can take advantage of it. mainly, because if WE weren't headlined in the news, then obviously this flaw wouldn't get fixed if we talked to everyone privately. we feel that by enabling other hackers who wouldn't know how to exploit SSL, we are protecting innocent citizens. look, i'm all for finding flaws and exploits and making sure they get fixed, but saying you're releasing something like this for "the good of innocents" is stupid
It's already out there before they "released" it. What this tool will do is allow administrators to test their own servers.
post #5 of 11
Quote:
Originally Posted by TFL Replica View Post
It's already out there before they "released" it. What this tool will do is allow administrators to test their own servers.
i would have assumed that people who do this stuff for a living would be able to come up with their own tool/program to test this stuff, and releasing a tool to the public would make this flaw much easier to exploit by script kiddies and people that don't have the knowledge/experience to exploit it.
First Time Build
(20 items)
 
  
CPUMotherboardGraphicsGraphics
Intel Core i7 920 MSI X58 Pro-E (MS-7522) EVGA GeForce GTX 460 EVGA GeForce GTX 460 
GraphicsRAMRAMRAM
Galaxy GeForce GTX 460 Corsair  Corsair  Corsair  
Hard DriveOptical DriveCoolingOS
Seagate Barracuda 7200.12 Sony DVD+-RW Noctua NH-D14 Windows 7 64bit 
MonitorMonitorKeyboardPower
Acer P215H Acer P221W Dynex Silverstone OP1000-E 1kW PSU 
CaseMouseMouse PadAudio
Cooler Master HAF 932 Dynex Dynex ASUS Xonar DG 
  hide details  
Reply
First Time Build
(20 items)
 
  
CPUMotherboardGraphicsGraphics
Intel Core i7 920 MSI X58 Pro-E (MS-7522) EVGA GeForce GTX 460 EVGA GeForce GTX 460 
GraphicsRAMRAMRAM
Galaxy GeForce GTX 460 Corsair  Corsair  Corsair  
Hard DriveOptical DriveCoolingOS
Seagate Barracuda 7200.12 Sony DVD+-RW Noctua NH-D14 Windows 7 64bit 
MonitorMonitorKeyboardPower
Acer P215H Acer P221W Dynex Silverstone OP1000-E 1kW PSU 
CaseMouseMouse PadAudio
Cooler Master HAF 932 Dynex Dynex ASUS Xonar DG 
  hide details  
Reply
post #6 of 11
Quote:
Originally Posted by b3machi7ke View Post
this is ridiculous. we are so concerned for citizens' safety and privacy, that instead of reaching out to the Internet protocols organization and assisting with this matter privately, we have decided to release the flaw so that anyone can take advantage of it. mainly, because if WE weren't headlined in the news, then obviously this flaw wouldn't get fixed if we talked to everyone privately. we feel that by enabling other hackers who wouldn't know how to exploit SSL, we are protecting innocent citizens. look, i'm all for finding flaws and exploits and making sure they get fixed, but saying you're releasing something like this for "the good of innocents" is stupid
You're assuming that nothing like that was done. Who's to say that the person who found this exploit did not info the proper group of people. Also, it's better to have a exploit be public because that typically makes the company that made the product respond to the incident much more quickly. Besides that the purpose of doing this isn't to harm the public but rather to educate.

Quote:
Originally Posted by TFL Replica View Post
It's already out there before they "released" it. What this tool will do is allow administrators to test their own servers.
This is exactly the reason.
Perpetual debt
(15 items)
 
Money Pit
(17 items)
 
 
CPUMotherboardGraphicsRAM
Intel i7 2600k Asus P8P67 Pro PNY GTX 480 2x4gb G.Skill Ripjaws 2133mhz 
Hard DriveCoolingOSMonitor
OCZ Vertex 3 Coolit Freezone Elite Win7 Ultimate Samsung 2233rz 
KeyboardPowerCaseMouse
Logitech G15 Corsair HX750 Antec Server case Razer Deathadder 
Mouse PadAudioAudio
Thermaltake LCD Mousepad Logitech 5.1 Surround Tritton AX PC Pro 5.1 Surround Headset 
CPUMotherboardGraphicsRAM
Intel q6600 @ 3.9ghz (433x9) EVGA 780i FTW evga 8200gs 512mb  4x2gb Corsair XMS TwinX 866mhz @ 5-5-5-5-18 
Hard DriveHard DriveOptical DriveCooling
2x 750gb Seagate Baracuda 7200.12 RAID0 5x 1.5tb Seagate Baracuda 7200.11 RAID5 LITE-ON 22X DVD Burner Black SATA Corsair H70 
OSMonitorKeyboardPower
Win7 Ultimate x64 22" Acer x223w Logitech G15 Corsair HX750 
CaseMouseMouse PadAudio
APEVIA MX-ALIEN Razer Deathadder Thermaltake LCD Mousepad Triton AX Pro PC 
Audio
Logitech 5.1 surround sound. 
  hide details  
Reply
Perpetual debt
(15 items)
 
Money Pit
(17 items)
 
 
CPUMotherboardGraphicsRAM
Intel i7 2600k Asus P8P67 Pro PNY GTX 480 2x4gb G.Skill Ripjaws 2133mhz 
Hard DriveCoolingOSMonitor
OCZ Vertex 3 Coolit Freezone Elite Win7 Ultimate Samsung 2233rz 
KeyboardPowerCaseMouse
Logitech G15 Corsair HX750 Antec Server case Razer Deathadder 
Mouse PadAudioAudio
Thermaltake LCD Mousepad Logitech 5.1 Surround Tritton AX PC Pro 5.1 Surround Headset 
CPUMotherboardGraphicsRAM
Intel q6600 @ 3.9ghz (433x9) EVGA 780i FTW evga 8200gs 512mb  4x2gb Corsair XMS TwinX 866mhz @ 5-5-5-5-18 
Hard DriveHard DriveOptical DriveCooling
2x 750gb Seagate Baracuda 7200.12 RAID0 5x 1.5tb Seagate Baracuda 7200.11 RAID5 LITE-ON 22X DVD Burner Black SATA Corsair H70 
OSMonitorKeyboardPower
Win7 Ultimate x64 22" Acer x223w Logitech G15 Corsair HX750 
CaseMouseMouse PadAudio
APEVIA MX-ALIEN Razer Deathadder Thermaltake LCD Mousepad Triton AX Pro PC 
Audio
Logitech 5.1 surround sound. 
  hide details  
Reply
post #7 of 11
Quote:
Originally Posted by KusH View Post
You're assuming that nothing like that was done. Who's to say that the person who found this exploit did not info the proper group of people. Also, it's better to have a exploit be public because that typically makes the company that made the product respond to the incident much more quickly. Besides that the purpose of doing this isn't to harm the public but rather to educate.



This is exactly the reason.
i thought SSL was a protocol that was used by certificate agencies, not a product made by a single company. i still disagree, releasing a tool to allow people to take advantage of an exploit is certainly not as educational to the public as it is useful to people with malicious intent. but i also know when i don't know enough to have an intelligent debate with people, so i suppose i'll end my posting in this thread with this post.
First Time Build
(20 items)
 
  
CPUMotherboardGraphicsGraphics
Intel Core i7 920 MSI X58 Pro-E (MS-7522) EVGA GeForce GTX 460 EVGA GeForce GTX 460 
GraphicsRAMRAMRAM
Galaxy GeForce GTX 460 Corsair  Corsair  Corsair  
Hard DriveOptical DriveCoolingOS
Seagate Barracuda 7200.12 Sony DVD+-RW Noctua NH-D14 Windows 7 64bit 
MonitorMonitorKeyboardPower
Acer P215H Acer P221W Dynex Silverstone OP1000-E 1kW PSU 
CaseMouseMouse PadAudio
Cooler Master HAF 932 Dynex Dynex ASUS Xonar DG 
  hide details  
Reply
First Time Build
(20 items)
 
  
CPUMotherboardGraphicsGraphics
Intel Core i7 920 MSI X58 Pro-E (MS-7522) EVGA GeForce GTX 460 EVGA GeForce GTX 460 
GraphicsRAMRAMRAM
Galaxy GeForce GTX 460 Corsair  Corsair  Corsair  
Hard DriveOptical DriveCoolingOS
Seagate Barracuda 7200.12 Sony DVD+-RW Noctua NH-D14 Windows 7 64bit 
MonitorMonitorKeyboardPower
Acer P215H Acer P221W Dynex Silverstone OP1000-E 1kW PSU 
CaseMouseMouse PadAudio
Cooler Master HAF 932 Dynex Dynex ASUS Xonar DG 
  hide details  
Reply
post #8 of 11
Quote:
Originally Posted by b3machi7ke View Post
i thought SSL was a protocol that was used by certificate agencies, not a product made by a single company. i still disagree, releasing a tool to allow people to take advantage of an exploit is certainly not as educational to the public as it is useful to people with malicious intent. but i also know when i don't know enough to have an intelligent debate with people, so i suppose i'll end my posting in this thread with this post.

You're correct it is a protocol, however protocols are standardized by a company/agency. When you put someone in the hot seat they tend to respond much more quickly then when they are told about an exploit yet don't see a need to put resources into it because it isn't a significant enough of a problem to put the resources into fixing it.

You're also correct in stating that it isn't very helpful to the general public as a whole but that's because the general public is ignorant to computer security as a whole. However those sys admins that need to be aware of it to protect the general users and to test against their own systems to harden infrastructure.

But yes you are also correct in saying that people could use this for bad intentions but that goes with damn near everything.
Perpetual debt
(15 items)
 
Money Pit
(17 items)
 
 
CPUMotherboardGraphicsRAM
Intel i7 2600k Asus P8P67 Pro PNY GTX 480 2x4gb G.Skill Ripjaws 2133mhz 
Hard DriveCoolingOSMonitor
OCZ Vertex 3 Coolit Freezone Elite Win7 Ultimate Samsung 2233rz 
KeyboardPowerCaseMouse
Logitech G15 Corsair HX750 Antec Server case Razer Deathadder 
Mouse PadAudioAudio
Thermaltake LCD Mousepad Logitech 5.1 Surround Tritton AX PC Pro 5.1 Surround Headset 
CPUMotherboardGraphicsRAM
Intel q6600 @ 3.9ghz (433x9) EVGA 780i FTW evga 8200gs 512mb  4x2gb Corsair XMS TwinX 866mhz @ 5-5-5-5-18 
Hard DriveHard DriveOptical DriveCooling
2x 750gb Seagate Baracuda 7200.12 RAID0 5x 1.5tb Seagate Baracuda 7200.11 RAID5 LITE-ON 22X DVD Burner Black SATA Corsair H70 
OSMonitorKeyboardPower
Win7 Ultimate x64 22" Acer x223w Logitech G15 Corsair HX750 
CaseMouseMouse PadAudio
APEVIA MX-ALIEN Razer Deathadder Thermaltake LCD Mousepad Triton AX Pro PC 
Audio
Logitech 5.1 surround sound. 
  hide details  
Reply
Perpetual debt
(15 items)
 
Money Pit
(17 items)
 
 
CPUMotherboardGraphicsRAM
Intel i7 2600k Asus P8P67 Pro PNY GTX 480 2x4gb G.Skill Ripjaws 2133mhz 
Hard DriveCoolingOSMonitor
OCZ Vertex 3 Coolit Freezone Elite Win7 Ultimate Samsung 2233rz 
KeyboardPowerCaseMouse
Logitech G15 Corsair HX750 Antec Server case Razer Deathadder 
Mouse PadAudioAudio
Thermaltake LCD Mousepad Logitech 5.1 Surround Tritton AX PC Pro 5.1 Surround Headset 
CPUMotherboardGraphicsRAM
Intel q6600 @ 3.9ghz (433x9) EVGA 780i FTW evga 8200gs 512mb  4x2gb Corsair XMS TwinX 866mhz @ 5-5-5-5-18 
Hard DriveHard DriveOptical DriveCooling
2x 750gb Seagate Baracuda 7200.12 RAID0 5x 1.5tb Seagate Baracuda 7200.11 RAID5 LITE-ON 22X DVD Burner Black SATA Corsair H70 
OSMonitorKeyboardPower
Win7 Ultimate x64 22" Acer x223w Logitech G15 Corsair HX750 
CaseMouseMouse PadAudio
APEVIA MX-ALIEN Razer Deathadder Thermaltake LCD Mousepad Triton AX Pro PC 
Audio
Logitech 5.1 surround sound. 
  hide details  
Reply
post #9 of 11
"The vendors are awareof this problem since 2003"

thats alot of years for plenty of hackers to take advantage of and im sure it was talked privately among hackers/groups until this this group publicized it.
    
CPUMotherboardGraphicsRAM
AMD E350 @ 2Ghz Gigabyte GA-E350N (USB 3.0) AMD Radeon HD 6310 graphics (FUSION) G.Skill 4Gb 1333 
Hard DriveOptical DriveOSMonitor
WD BLACK 500gb Mini ITX Windows 7 Vizio 23" Razer 
Power
250W built in 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
AMD E350 @ 2Ghz Gigabyte GA-E350N (USB 3.0) AMD Radeon HD 6310 graphics (FUSION) G.Skill 4Gb 1333 
Hard DriveOptical DriveOSMonitor
WD BLACK 500gb Mini ITX Windows 7 Vizio 23" Razer 
Power
250W built in 
  hide details  
Reply
post #10 of 11
Just another DOS method...
Rig
(16 items)
 
  
CPUMotherboardGraphicsRAM
Intel i5 2500k MSI P67A-GD65 (B3) 760ti G.Skill Ripjaws 
Hard DriveCoolingOSMonitor
OCZ Vertex 2 Noctua NH D14 Windows 7 64bit Dell SP2309W 
MonitorMonitorKeyboardCase
Dell S2009W Dell S2009W CM Storm Quickfire XT NZXT Phantom Black 
Mouse
Razer Deathadder Chroma 
  hide details  
Reply
Rig
(16 items)
 
  
CPUMotherboardGraphicsRAM
Intel i5 2500k MSI P67A-GD65 (B3) 760ti G.Skill Ripjaws 
Hard DriveCoolingOSMonitor
OCZ Vertex 2 Noctua NH D14 Windows 7 64bit Dell SP2309W 
MonitorMonitorKeyboardCase
Dell S2009W Dell S2009W CM Storm Quickfire XT NZXT Phantom Black 
Mouse
Razer Deathadder Chroma 
  hide details  
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Software News
Overclock.net › Forums › Industry News › Software News › [CNET]New attack tool targets Web servers using secure connections