E-commerce security solutions provider and research firm nCipher is alerting the online community to a potential threat that the company believes could leave e-commerce operations vulnerable to the theft of private cryptographic keys from a server.
nCipher is warning that e-commerce Web sites may be vulnerable to a “key-finding attack,” allowing unauthorized access to secure information ranging from personal customer data to credit card numbers.
An e-commerce operation that follows what experts identify as proper security procedure will use private keys to encrypt data stored on a server, where it must be decrypted before use. The problem, according to nCipher, is that the private keys used in secure Web servers are unusual numbers with specific mathematical properties, so an intruder who can read the server's memory can pick them out from the surrounding data.
“Once the intruder has found the key, gained permission to read the memory where it is stored and copied the key, the Web server and its customers are defenseless,” said an nCipher statement.
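The property the warning rests on, that key material is statistically unlike the text, code and padding around it, can be illustrated with a byte-entropy scan of a memory image. This is an added example, not nCipher's research code or anything from the article: it scans a constructed buffer (HTTP text, a stand-in "key" made from SHA-256 output, zero padding) and reports the regions a defender would want to confirm are held in protected hardware rather than in server memory; the window size, threshold and image layout are assumptions.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(window: bytes) -> float:
    """Shannon entropy of the window in bits per byte (0.0 .. 8.0)."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def find_key_candidates(image: bytes, window: int = 64, step: int = 16,
                        threshold: float = 5.2) -> list[tuple[int, int]]:
    """Slide a window over the image and merge windows whose entropy exceeds
    the threshold into (start, end) regions. ASCII text and zero padding score
    well below 5 bits/byte; random key material sits near the 6-bit ceiling of
    a 64-byte window, which is what makes stored keys stand out."""
    regions: list[list[int]] = []
    for off in range(0, len(image) - window + 1, step):
        if shannon_entropy(image[off:off + window]) >= threshold:
            if regions and off <= regions[-1][1]:
                regions[-1][1] = off + window   # extend the current region
            else:
                regions.append([off, off + window])
    return [(s, e) for s, e in regions]


# Constructed memory image (assumption, not a real server dump):
# 1 KiB of HTTP text, a 256-byte stand-in for a private key built from
# SHA-256 digests (statistically random, like real key material), then zeros.
TEXT = (b"HTTP/1.0 200 OK Content-Type: text/html " * 40)[:1024]
FAKE_KEY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
ZEROS = bytes(768)
IMAGE = TEXT + FAKE_KEY + ZEROS
KEY_OFFSET = len(TEXT)

if __name__ == "__main__":
    for start, end in find_key_candidates(IMAGE):
        print(f"high-entropy region at 0x{start:04x}-0x{end:04x} "
              f"({end - start} bytes) - verify this is not a private key")
```

A single region spanning the fake key is reported, while the text and zero areas are not; real dumps also contain compressed data and code that can trip the threshold, so hits are leads to verify, not proof.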
However, according to security firms such as Entrust Technologies, the intruder is more likely to be an insider than a hacker/cracker working remotely.
A Proposed Solution
According to nCipher experts, a software solution alone will not be adequate. The company proposes a software export tool to migrate sensitive data from an existing Web server to another, more secure piece of hardware.
“Security vendors must be constantly on the lookout for potential vulnerabilities in order to develop more powerful preventative solutions, as well as to guide organizations on how to establish and follow best practice security standards,” commented Dr. Nicko van Someren, CTO and co-founder of nCipher.
“The use of dedicated key management hardware in e-commerce systems can vastly improve the standard of security achieved, since it has been demonstrated that techniques employing software alone are inadequate.”
nCipher has garnered support from a number of industry mainstays, including Microsoft, in what it describes as an attempt to make more businesses with an e-commerce component aware of the potential problems associated with a “key-finding attack.”
“Research like this is vital in enabling our customers to understand the full range of possible threats to their systems,” commented Scott Culp, security product manager at Microsoft. “Once they know the threat, they can assess whether software-only or hybrid software/hardware solutions are most appropriate for them.”
More significantly, nCipher has also indicated that it will work with intrusion detection software vendors to enable vulnerability checks designed for this type of attack.
In other online security news, @Stake, Inc. recently launched with $10 million (US$) in funding and an impressive roster of star players. The new e-commerce security firm, which aims to be more of a consultancy than a product manufacturer, has brought on John Rando, former Compaq senior vice president, and Ted Julian, former Forrester Research security analyst, as executives.
Additionally, the new company has merged with L0pht Heavy Industries, bringing head scientist and minor celebrity Dr. Mudge on as president of research and development. L0pht is an online security firm and think tank, composed of “freelance hackers.”