It may have a clever name, but the DROWN vulnerability is no laughing matter. The acronym stands for “Decrypting RSA with Obsolete and Weakened eNcryption” and it’s a credible threat to your business’ privacy while you’re browsing the internet. Though cybersecurity threats seem commonplace these days, DROWN deserves to be taken seriously – instead of being a security bug or an easily-patched flaw, it’s an exploitation that can happen due to the 40-bit encryption in SSLv2.
According to The Next Web, 33% of servers worldwide are vulnerable, but there are still ways to keep your online activity safe and secure. Let’s examine DROWN and how it happens, as well as what you can do to stay on top of your business’ cyber-protection.
What It Is and How It Can Affect You
The DROWN vulnerability has roots that trace back to the 1990s and it’s still a problem today, given the fact that it’s often enabled accidentally or automatically when a new server is being set up. Because of U.S. government export restrictions years ago, 40-bit encryption in SSLv2 became the norm, and nowadays hackers can use modern technology to quickly decrypt it.
DROWN has a passive attack method in which the attacker captures the client/server RSA handshake, then modifies it a number of times before sending out these modified handshakes to an SSLv2 server. When the SSLv2 server responds to the attacker’s modified handshakes, its messages hint at the TLS session key – once the TLS session key is in hand, the TLS traffic is ripe for decryption.
However, DROWN’s effects are blunted by the fact that it can only really be used for a specific targeted attack, since the attacker needs to be on the same network as its victim. That means it’s not a good vulnerability to exploit for casual attacks. Still, as mentioned in the introduction, 33% of servers have this vulnerability; it’s a threat to supposedly secure online transactions.
A DROWN attack can target secure HTTPS communications, which includes credit card numbers and personal passwords, and decrypt them for a hacker’s use. TechBeacon also presents a scenario where a web server may have SSLv2 disabled, but the email server continues to have it enabled, and since the two servers share the same digital certificate, the attacker can utilize the SSLv2-enable email server to target the TLS traffic of the web server. Given that some companies share certificates as a cost-effective practice, this could prove to be disastrous if a DROWN attack occurs.
Best Method of Protection
Although DROWN may be used as a targeted attack rather than a casual exploit, it’s still around because so many people unknowingly promulgate it. There can be a level of ignorance when it comes to things like legacy, with many believing that you still need to retain old protocol and maintain default settings. This is how vulnerabilities from the past can survive – because even IT experts can have no idea about what’s lurking in the default.
That’s why it’s so important to stay on top of system protection. The first and most important step is to check and make sure your SSLv2 is disabled, and to see that the private key isn’t being shared with any other servers. This will help prevent an errant SSLv2-enabled server from sharing a key, which can open the door for attacks – and you might not even see it coming.
You should also perform continual audits on your servers to see what protocols are installed, and remove any that aren’t currently being used. This can help prevent not only DROWN, but other weak points that come with outdated protocols and certificates. It’s always a good idea to keep an eye on network traffic for any anomalies as well, and follow up with any activity that looks suspicious.
To be extra certain that you’re not inadvertently enabling the DROWN vulnerability, it’s wise to bring in third-party cybersecurity experts to evaluate your system and ensure that there are no weak spots. Given that even IT administrators can miss disabling SSLv2, having an expert team on your side to perform routine checks and updates is necessary to maintain solid security. When it comes to threats like DROWN, sometimes it’s what you can’t see that can hurt you – which means the best course of action is to disable SSLv2, update your key’s privacy, thoroughly monitor your system for any strange behavior, and do away with any outdated protocol.