Gary Locke, the US Commerce Secretary, announced Monday that he firmly believes the long-term health of the US economy will be positive despite concerns raised by the sovereign debt crisis in Europe.
“It's obviously a fragile economy and we're really feeling the effects of what's happening in Europe as well as some of the concerns on Asia, but the fundamentals of the US economy are strong,” Locke said.
Striking an optimistic note, he added that consumer confidence is set to move up, and that manufacturing orders, production and hours are up. Even the employment figures have been up for the last five months in a row, Locke said.
However, the Secretary said that private sector job growth in the May US employment report was not “as much as we would like.”
But US economic growth for 2010 will be in “positive territory, perhaps around 3% growth, compared to ... 2008 when it was negative 6% growth,” Locke stated.
Researchers have recently developed a new application that can exploit vulnerabilities in websites to access private data. Released this week, Poet exploits a common vulnerability in the way many websites encrypt text stored in cookies, hidden HTML fields and request parameters. The encrypted text is designed to help servers keep track of purchases, user preferences and other settings while at the same time ensuring account credentials and other sensitive data can't be intercepted.
The application exploits a critical bug that comes down to the failure of JavaServer Faces to implement AES/DES encryption algorithms correctly: the scheme provides no way to sign the ciphertext or authenticate the block cipher mode.
“The tool exploits a very common mistake -- using encryption alone instead of encryption + authentication/integrity protection,” Rizzo told The Register. “You can get information about the plaintext from the server reaction.”
Researchers say that this kind of attack can be used by criminals to bypass CAPTCHAs, view customer account numbers and even create webpages that will execute malicious software on the underlying server. Attackers can also use the technique to map all ciphertexts to corresponding plaintexts, a feat that breaks a website's underlying cryptosystem.
Vulnerable websites can be easily found by means of a Google search. Typing “Given final block not properly padded” and “javax.crypto.BadPaddingException” into the query bar returns multiple results for exposed web applications.
Poet runs on Windows, Mac OS X and Linux.