Overclock.net banner

1 - 17 of 17 Posts

·
Banned
Joined
·
15,763 Posts
Discussion Starter #1
Quote:
A powerful new type of Internet attack works like a telephone tap, but it operates between computers and Web sites they trust.

Hackers at the Black Hat and DefCon security conferences have revealed a serious flaw in the way Web browsers weed out untrustworthy sites and block anybody from seeing them. If a criminal infiltrates a network, he can set up a secret eavesdropping post and capture credit card numbers, passwords and other sensitive data flowing between computers on that network and sites their browsers have deemed safe.

In an even more nefarious plot, an attacker could hijack the auto-update feature on a victim's computer, and trick it into automatically installing malware pulled in from a hacker's Web site. The computer would think it's an update coming from the software manufacturer.

The attack was demonstrated by three hackers. Independent security researcher Moxie Marlinspike presented alone, while Dan Kaminsky, with Seattle-based security consultancy IOActive Inc., and security and privacy researcher Len Sassaman presented together.

They reached essentially the same conclusion: There are major problems in the way browsers interact with Secure Sockets Layer (SSL) certificates, which is a common technology used on banking, e-commerce and other sites handling sensitive data.

Browser makers and the companies that sell SSL certificates are working on a fix.

Microsoft Corp., whose Internet Explorer browser is the world's most popular, said it was investigating the issue. Mozilla Corp., which makes the No. 2 Firefox browser, said most of the problems being addressed were fixed in the latest version of its browser, and that the rest will be fixed in an update coming this week.

VeriSign Inc., one of the biggest SSL certificate companies, maintains that its certificates aren't vulnerable.


http://news.brisbanetimes.com.au/bre...0802-e5hf.html
 

·
Banned
Joined
·
15,763 Posts
Discussion Starter #2
Quote:


Microsoft Corp., whose Internet Explorer browser is the world's most popular, said it was investigating the issue. Mozilla Corp., which makes the No. 2 Firefox browser, said most of the problems being addressed were fixed in the latest version of its browser, and that the rest will be fixed in an update coming this week.


Looks, like firefox have already addressed the issue.
 

·
Banned
Joined
·
4,340 Posts
Seriously, if someone wanted to hack you computer IT WILL BE HACKED. All the consumer firewalls, anti-virus, spyware, malware will not save you.

You will be owned.
 

·
Banned
Joined
·
11,112 Posts
Quote:


Originally Posted by OpTicaL
View Post

Seriously, if someone wanted to hack you computer IT WILL BE HACKED. All the consumer firewalls, anti-virus, spyware, malware will not save you.

You will be owned.

 

·
Registered
Joined
·
1,456 Posts
Quote:


Originally Posted by OpTicaL
View Post

Seriously, if someone wanted to hack you computer IT WILL BE HACKED. All the consumer firewalls, anti-virus, spyware, malware will not save you.

You will be owned.

... No
 

·
Premium Member
Joined
·
11,178 Posts
This is nothing new...

"man in the middle" attacks have been arround for years. The best way to do it is get a packet redirect in the mix...perferably on a server, but can also be done on routers/smart switches...and then redirect all packets to your self, do a quick serach for certain type of data, and then send them back to were they needed to go. Most people will not even think it is anything but their slow crappy network to blame.

SSL, though...I guess that is a bigger deal. If a packet is tampered with it is supposed to be rejected. I wish they went into more detail on how this worked. For this to work I think they would have to know exactly what certificate was being used and then forge it which last I checked was very hard to do since SSL certs are cautiously guarded and the forging process will most likey trigger the packet tamper alarm anyway. If it's just getting the browser to switch back to http from https and hope that the user doesn't realize it, then it is definately nothing new. That tactic has been around as long as SSL has. Since that Verisign says that their certificates are still secure I would bet that this is the case. If not...I would not access your bank account online till these browser updates are complete because every cracker and script kiddie will be going full bore.
 

·
Premium Member
Joined
·
3,241 Posts
Quote:


Originally Posted by Vagrant Storm
View Post

This is nothing new...

"man in the middle" attacks have been arround for years. The best way to do it is get a packet redirect in the mix...perferably on a server, but can also be done on routers/smart switches...and then redirect all packets to your self, do a quick serach for certain type of data, and then send them back to were they needed to go. Most people will not even think it is anything but their slow crappy network to blame.

SSL, though...I guess that is a bigger deal. If a packet is tampered with it is supposed to be rejected. I wish they went into more detail on how this worked. For this to work I think they would have to know exactly what certificate was being used and then forge it which last I checked was very hard to do since SSL certs are cautiously guarded and the forging process will most likey trigger the packet tamper alarm anyway. If it's just getting the browser to switch back to http from https and hope that the user doesn't realize it, then it is definately nothing new. That tactic has been around as long as SSL has. Since that Verisign says that their certificates are still secure I would bet that this is the case. If not...I would not access your bank account online till these browser updates are complete because every cracker and script kiddie will be going full bore.

Exactly. These attacks have been around for quite a while, I know because I have performed a few on my own network a year or two ago. Its not complicated to arp spoof and/or fake a security cert.

Dont see how this is news... Seems like black hat is more like burnt up broken down scorched to charred remains hat now. At least the iphone bug was neat though.
 

·
Banned
Joined
·
10,584 Posts
lol, old tricks are old.

Quote:
In an even more nefarious plot, an attacker could hijack the auto-update feature on a victim's computer, and trick it into automatically installing malware pulled in from a hacker's Web site. The computer would think it's an update coming from the software manufacturer.

Disable automatic updates. Closes that exploit every time.
 

·
Registered
Joined
·
1,369 Posts
Quote:


Originally Posted by TestECull
View Post

lol, old tricks are old.

Disable automatic updates. Closes that exploit every time.

As far as I know, they don't automatically install anyway (the updates)... unless the hacker is going to magically do that as well?
 

·
Registered
Joined
·
3,689 Posts
Quote:


Originally Posted by OpTicaL
View Post

Seriously, if someone wanted to hack you computer IT WILL BE HACKED. All the consumer firewalls, anti-virus, spyware, malware will not save you.

You will be owned.

And no one is going to because you're Bob Smith.
 

·
Premium Member
Joined
·
4,337 Posts
Not news. Also, if man built it, man can tear it apart and that goes double for hacking it and causing mayhem.
 

·
Registered
Joined
·
1,249 Posts
Quote:


Originally Posted by C-bro
View Post



I love it.

 

·
Banned
Joined
·
10,584 Posts
Quote:


Originally Posted by Dockery
View Post

As far as I know, they don't automatically install anyway (the updates)... unless the hacker is going to magically do that as well?


Most users set it to automatically install as well. IE doesn't offer a choice, either. You can either disable updating entirely, or you can download and install them automatically.

still, nipping auto update in the bud can only give you good things. You can still update it manually, it won't pester you, it won't download things behind your back, and it won't be open to the method of attack I quoted.
 
1 - 17 of 17 Posts
Top