
Wednesday, March 2, 2016

'Thousands of popular sites' at risk of Drown hack attacks

Websites have been warned they could be exposed to eavesdroppers, after researchers discovered a new way to disable their encryption protections.
The experts said about a third of all computer servers using the HTTPS protocol - often represented by a padlock in web browsers - were vulnerable to so-called Drown attacks.
They warn that passwords, credit card numbers, emails and sensitive documents could all be stolen as a consequence.
A fix has been issued.
But it will take some time for many of the website administrators to protect their systems.
The researchers have released a tool that identifies websites that appear to be vulnerable.
They said they had not released the code used to prove their theory because "there are still too many servers vulnerable to the attack".
As yet, there is no evidence hackers have worked out how to replicate their technique.
An independent expert said he had no doubt the problem was real.
"What is shocking about this is that they have found a way to use a very old fault that we have known about since 1998," said Prof Alan Woodward, from the University of Surrey.
"And all this was perfectly avoidable.
"It is a result of us having used deliberately weakened encryption, which people broke years ago, and it is now coming back to haunt us."

Call to action

The researchers, cybersecurity experts from universities in Israel, Germany and the US as well as a member of Google's security team, found that a server could be vulnerable simply by supporting SSLv2 (Secure Sockets Layer version 2), a 1990s-era encryption protocol, even if in day-to-day use it negotiated only modern TLS versions with its clients.
In practice, older email servers are more likely to still support SSLv2 than the newer machines typically used to power websites.
But many organisations reuse encryption certificates and RSA keys between the two sets of servers, and an SSLv2-capable mail server that shares a key with a web server can be used as an oracle to decrypt the web server's traffic, so the website is exposed even though it never speaks SSLv2 itself.
The researchers dubbed the flaw Drown, an acronym for Decrypting RSA (Rivest-Shamir-Adleman) with Obsolete and Weakened eNcryption.
"Operators of vulnerable servers need to take action," they wrote.
"There is nothing practical that browsers or end-users can do on their own to protect against this attack."

Export restrictions

The SSLv2 protocol was deliberately weakened because, at the time of its creation, the US government restricted the export of strong encryption, so the protocol included "export-grade" cipher suites whose effective key length was limited to 40 bits.
The US has since eased its export limits, but the effects live on.
"The problem is that while clients - such as [web] browsers - have done away with SSLv2, many servers still support the protocol," blogged Prof Matthew Green, from Johns Hopkins University.
"In most cases this is the result of careless server configuration.
"In others, the blame lies with crummy and obsolete embedded devices that haven't seen a software update in years - and probably never will. "

Quick attack

To mount a successful attack on a website would still require a considerable amount of computing power.
But, the researchers said, under normal circumstances, attackers could rent the required capacity from Amazon's cloud computing division for as little as $440 (£314).
In addition, because many of the servers vulnerable to Drown were also affected by a separate implementation bug, a much faster form of the attack could be carried out on a single home computer.
"This form of the attack is fast enough to allow an online man-in-the-middle style of attack, where the attacker can impersonate a vulnerable server to the victim," the researchers wrote.
"We were able to execute this form of the attack in under a minute on a single PC."
The researchers said many popular sites - including ones belonging to Samsung, Yahoo and a leading Indian bank - appeared to be vulnerable.
Prof Woodward said the team's test had also indicated a problem with bbc.co.uk.
"The weakness is actually in the old POP3 server," he said.
"Few people still use POP3, but it means that things like your password reset server could theoretically be eavesdropped upon."

Syria: Under Russia's fist

Since September 30, 2015, Russia has been carrying out air strikes in Syria in support of its ally President Bashar al-Assad. The campaign has been relentless and growing in intensity, with Russian jets flying 444 combat sorties against more than 1,500 targets between February 10 and 16 alone.
Moscow insists these attacks have been aimed only at fighters from ISIL and other "terrorist groups" such as al-Nusra Front. But monitoring groups, including the Violations Documentation Center and the Syrian Observatory for Human Rights, say thousands of non-combatants have also been killed or wounded. Amnesty International and others have said the bombings may be war crimes. Indeed, Amnesty has also cited consistent reports of second bombardments from planes returning to kill and injure rescue workers, paramedics and civilians attempting to evacuate the wounded and the dead from earlier raids.
So are civilians being deliberately targeted - and could Russia be guilty as charged? In this exclusive report for People & Power, Danish-born filmmaker and journalist Nagieb Khaja went to investigate. His remarkable film, shot in Aleppo, Idlib and other rebel-held areas of Syria  at the end of last year, is a harrowing, tense and at times breathtaking portrayal of life underneath the Kremlin's bombs.  Viewers may find some of the images disturbing. 
Editor's note: Earlier this week Russia and the US announced a ceasefire in Syria from February 26. However, air strikes against ISIL and al-Nusra are excluded from the deal.

FILMMAKER'S VIEW 
By Nagieb Khaja
"Where are the terrorists?" the rescue worker, Abu Rahmo, asks while he shows me around a district in Aleppo that was levelled by Russian bombs.
Abu Rahmo is wearing a blue vest and a cap with the logo of the English Premier League club, Liverpool FC. He jokes a lot, and at first it's difficult to understand how a man who sees death and destruction every day can smile like he does. But maybe this is the only way to survive doing his job.

"Russia says they are fighting Daesh [Islamic State], but Daesh has not been in our city for two years. There was not even any Free Syrian Army here," he says. "There were only civilians living here."
I can see no sign that there were any military forces here. There is no military equipment. And strewn among the rubble of the houses, there are children's toys and kitchenware - the ordinary stuff of everyday life.
I spent three weeks in North West Syria, filming for Under Russia's Fist, and everywhere I went I saw evidence of civilian casualties: schools and houses and marketplaces that had been destroyed by Russian bombs.
In Aleppo, the largest city in Syria, people still go to work, send their children to school, and eat in the many restaurants lining the streets, but at any minute they could be killed by the seemingly arbitrary Russian and Syrian regime strikes. I filmed what appeared to be Russian warplanes flying over the city. I heard the explosions of the bombs hitting the ground close by, and I filmed the huge columns of smoke rising from the impacts.
Residents inspect a damaged site from what activists said were air strikes carried out by the Russian air force in Nawa city, Deraa, Syria [Reuters/Alaa Al-Faqir]
I embedded for a day with Syrian Civil Defence Force rescue workers as they rushed to the places where the bombs had hit, and found civilian neighbourhoods full of smoke and dust, and homes reduced to rubble. I filmed as these volunteers, better known as the White Helmets, rushed from one attack to the next. And this was on what they told me was a quiet day - when only one person was killed in their section of the city.
I did not see any rebel fighters in these places that were hit. Of course, there are rebels – from many groups with differing agendas - in Aleppo. However, the major concentrations of rebel troops are on the front lines outside the city, far away from the civilian areas that I saw being hit.
Thousands of civilians have already fled. Those still remaining have decided that they either cannot or will not leave the city. Some have decided it is better to stay in their own homes rather than become refugees. Others are simply too weak or poor to flee. And then there are others who did flee, but after experiencing life as second-class citizens in neighbouring Turkey, decided it was better to return to their homes.

Abu Rahmo stays out of defiance and determination to resist the regime by saving people from the bombs. Two of his kids were killed by regime attacks, and now he has made it his own mission to save other people's children.

As he shows me around we hear planes overhead. "Harbi Russi - Russian airplanes," comes the warning voice from his radio receiver. 
"Everybody can see the difference between Syrian and regime airplanes," he tells me. "We have been bombed so many times that even our children can see the differences between the airplanes that are attacking us."
On a street in the Ferdaus neighbourhood of central Aleppo, a shopkeeper is drinking a cup of coffee on the street when he's interrupted by a huge blast. A thick cloud of grey and black smoke erupts in the distance, and then slowly dissipates in the evening air.

"Where should we go?" he asks rhetorically. "Should we flee? Leave our country? That will be over my body. There are only civilians here. Just show me one fighter, one militant in this street!"
Human rights groups later reported that 32 civilians were killed by Russian bombs in Aleppo alone on this day. Soon after I left Aleppo, the Russian bombing campaign escalated and regime troops began a major push to encircle and besiege the city. Supply lines of food, fuel and medical equipment for civilians in the city have been cut. The situation in Aleppo is now becoming even worse. Even after five years of constant horror and atrocities, a humanitarian crisis is now unfolding on a scale that has not yet been seen in this war.

Geneva Motor Show: Spotlight on self-driving concept cars

At the Geneva Motor Show this week, self-driving car concepts are everywhere.
Theo Leggett has taken a look at some of the automakers' visions of the future.

Rich People Are Buying More Super-Yachts

Despite global economic uncertainty, rich people are still buying lots of giant yachts. A new report from the real estate consultancy Knight Frank found that sales of yachts longer than 78 feet increased 40% in 2015. The value of classic cars, a staple luxury item of the super-rich, also rose 17% during the year, and the value of wine and luxury watches both increased by 5%.

At the same time, the number of people who are actually extremely wealthy is in decline, thanks to volatile equity markets and an economic slowdown in China. The so-called "ultra rich," who have assets worth at least $30 million, fell from 193,000 in 2014 to 187,000 in 2015. The number of millionaires in the world also declined from 13.6 million to 13.3 million.

However, Knight Frank believes the rich will find a way to bounce back. The group predicts there will be more than 18 million millionaires by 2025.

NHS 'Scandal' As UK Pays Millions To EU

New figures show the NHS is paying out millions more for EU healthcare than it is claiming back from EU countries.

In what one MP described as a "scandalous failure", it has emerged that the UK pays more than £670m to EU countries for Brits' healthcare abroad, while claiming back less than £50m from the EU, even though there are significantly more EU citizens in the UK than UK citizens in the EU.

Under the European Health Insurance Card (EHIC) scheme, countries can claim back health costs from other EU countries if their citizens use medical services abroad.

The new figures reveal that nearly every country claims more from the UK than the UK claims back from the rest of the EU.

For example the UK pays France £147,685,772, but France only pays UK £6,730,292 and the UK pays Germany £25,873,954 but Germany only pays the UK £2,189,664.

Even in countries such as Poland where net migration is massively towards the UK, the discrepancy is four-fold in Poland's favour.

MP John Mann, who obtained the figures in a parliamentary question, told Sky News that "logically the UK should be receiving more than it pays out".

He estimates "the real cost is a billion pounds a year".

Ben Carson Says No Path Forward For Campaign

Republican presidential hopeful Ben Carson has said he does not see a path forward after Super Tuesday's results, effectively ending his campaign.
The former neurosurgeon said he would make an announcement on Friday about the future of his 2016 bid for the White House.
Mr Carson said he would not attend Thursday's Republican debate hosted by Fox News in his hometown of Detroit.
"I do not see a path forward for my campaign in light of last evening's Super Tuesday primary results," he said in a statement.
"However, this grassroots movement on behalf of 'We the People' will continue."
not suspend his campaign, his statement signals the death knell for a bid that once seemed filled with promise.
He was propelled to the lead in opinion polls last year only to steadily lose steam amid stumbles blamed on his political inexperience.
Mr Carson is due to speak at the Conservative Political Action Conference in Washington DC on Friday.
His withdrawal would leave four candidates vying to be the Republican nominee for November's White House election.
Mr Carson's statement comes as Republican leaders scramble to derail the momentum of their own front runner, Donald Trump.
The party fears the pugnacious 69-year-old billionaire would be an electoral liability in an expected match-up against Democratic contender Hillary Clinton.
Amid the prospect that the party of Abraham Lincoln and Ronald Reagan could be led by a political newcomer who has called for Muslims to be banned from entering the US, some power brokers have even raised the option of forming a completely new party.
Republican leaders fear a Trump nomination could not only ruin their chances of recapturing the White House, but even cost them their control of Congress if undecided voters shun the party.
Mr Trump and Mrs Clinton won seven states apiece in Super Tuesday's contests, taking a big stride towards their respective parties' presidential nominations, which will be decided at conventions in July.
But while Democrats are increasingly rallying behind Mrs Clinton, the former Secretary of State, the Republican party is in disarray.
Florida Senator Marco Rubio, who won his first presidential state contest in liberal Minnesota on Tuesday, told Fox News the party would "never" unite behind Mr Trump.
The party's 2012 nominee, former Massachusetts Governor Mitt Romney, has scheduled a speech for Thursday about the state of the race.

Retirement Warnings: Work Until Your 70s

People are not saving enough and may have to work until well into their 70s to receive the retirement income they want, experts have warned.
One report, the Independent Review of Retirement Income (IRRI), has said people should be putting 15% of their lifetime earnings into their pension pot "to avoid future pensioner poverty".
Under workplace pension schemes, the minimum contribution as a percentage of earnings is currently set at 2% and will increase to 8% in the coming years.
The IRRI report follows a two-year study commissioned by Labour. The review is chaired by Professor David Blake, director of the Pensions Institute at Cass Business School.
It also warned pensioners withdrawing lump sums from their pension pots under new retirement freedoms introduced last year could become a "honey pot" for fraudsters.
Another report, from Royal London, found people making minimum workplace pension contributions from the age of 22 would need to work until 77 to be able to enjoy the sort of "gold standard" pensions enjoyed by many of their parents' generation.
This varies across the country due to different wage levels so that it would be as high as 81 in Westminster.
Former pensions minister Steve Webb, director of policy at Royal London, said: "It is great news that millions more workers are now being enrolled into workplace pensions, but the amounts going in are simply not enough to give people the kind of retirement they would want for themselves."
The warnings come as the Government launched a review of the state pension age - which experts think will see the benefit not being available until employees currently joining the workforce have reached their 70s - to be led by former CBI director general John Cridland.
The state pension age has already been undergoing changes since 2010 so that its long-standing level of 60 for women will equalise with men at 65. From 2018 it will rise for both and reach 67 by 2028 under Government plans.
Legislation requires the policy to be reviewed during each Parliament. This will be the first such review to take place.
It will not cover the existing timetable for changes up to April 2028. Mr Cridland will report in time to allow the Government to consider the recommendations by May 2017.
Financial services firm Hargreaves Lansdown said further changes were likely to mean it goes up faster than currently planned.
Tom McPhail, head of retirement policy at the firm, said: "Those joining the workforce today are likely to find themselves waiting until their mid-70s to get a payout from the state system."