This screenshot shows the researchers’ demo in action on a PayPal account. (Credit: Juliano Rizzo and Thai Duong)
Browser makers are devising ways to protect people from a security protocol weakness that could let an attacker eavesdrop on or hijack protected Internet sessions. Potential solutions include a Mozilla option to disable Java in Firefox.
The problem–considered theoretical until a demonstration by researchers Juliano Rizzo and Thai Duong at a security conference in Argentina last week–is a vulnerability in SSL (Secure Sockets Layer) and TLS (Transport Layer Security) 1.0, encryption protocols used to secure Web sites that are accessed using HTTPS (Secure Hypertext Transfer Protocol).
The researchers created software called BEAST (Browser Exploit Against SSL/TLS) that can decrypt parts of an encrypted data stream and can be used in what is known as a “man-in-the-middle” (MITM) type of attack. BEAST uses JavaScript running in the browser and can let an attacker snoop on traffic, as well as impersonate a Web surfer by compromising session cookie data used to authenticate a Web surfer with a site. More details and a video of the demo are on Duong’s blog.
Here are responses from representatives of the major browsers:
Firefox
“We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so,” a Mozilla Security blog post says. “Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser, which Firefox does not allow. The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution.”
Internet Explorer
“We consider this to be a low risk issue for customers, but we released Security Advisory (2588513) to provide guidance and protection for customers with concerns,” Jerry Bryant, group manager of Response Communications at Microsoft Trustworthy Computing, said in an e-mail. “To be clear, Internet Explorer depends on the Windows implementation of these protocols, so our mitigations and workarounds apply to the operating system and not the browser. We are looking at other ways to address the issue both in our products and within the industry and will update our guidance as it becomes available.”
Chrome
A Google representative referred CNET to a blog post from late last week written by Adam Langley, a member of the Chrome team, that said the company was preparing and testing a workaround. “The attack is still a difficult one; the attacker has to have high-bandwidth MITM access to the victim. This is typically achieved by being on the same wireless network as the victim,” the post says. “Nonetheless, it’s a much less serious issue than a problem which can be exploited by having the victim merely visit a Web page. (Incidentally, we pushed out a fix to all Chrome users for such a Flash bug only a few days ago.)”
Opera
Opera developed a fix and tried shipping it in Opera 11.51 but found that changes made to how the browser connects to servers were “incomprehensible to thousands of servers around the world,” Opera’s Sigbjorn Vik wrote in a blog post. “This issue will have to be solved in close cooperation between browser vendors and Webmasters. Since this cannot be directly exploited in Opera, we decided to wait until we have an industry agreement on how to move forward. We have test systems in place which can connect to millions of secure sites around the world and detect how these sites will react to changes to the protocol. We will be sharing our results from these test runs with other browser vendors and affected parties, to give us a good basis for finding the best solution to the issue.”
Safari
Apple representatives did not respond to e-mail or telephone requests for comment about the Safari browser.
Just upgrading to TLS 1.1, which is not vulnerable to the threat, won’t work because nearly all SSL connections use TLS 1.0, according to a Qualys study reported on by Dan Goodin at The Register, which broke the BEAST story. In addition, “upgrading TLS is proving surprisingly difficult, mostly because almost every fix breaks widely used applications or technologies,” he wrote.
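The article notes that TLS 1.1 is not affected and that nearly all connections still negotiate TLS 1.0. A defender-side check that follows from this, added here as an example and not code from the article or the researchers, is to parse a captured ServerHello and flag handshakes that settled on SSL 3.0/TLS 1.0 with a CBC cipher suite; the cipher-suite subset and the constructed sample records are assumptions for the demonstration.

```python
import struct

# Subset of IANA-registered cipher suites that use CBC mode (the mode affected
# by the TLS 1.0 weakness); extend as needed for your environment.
CBC_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return the negotiated
    protocol version and cipher suite (extensions, if any, are ignored)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]            # 2 bytes version + 32 bytes random precede it
    off = 35 + sid_len
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return {"version": version, "version_name": VERSION_NAMES.get(version, "unknown"),
            "cipher_suite": suite, "suite_name": CBC_SUITES.get(suite, "non-CBC/unknown")}


def beast_exposed(record: bytes) -> bool:
    """True when the server chose a CBC suite under SSL 3.0 or TLS 1.0,
    i.e. the combination the article says TLS 1.1 removes."""
    h = parse_server_hello(record)
    return h["version"] <= 0x0301 and h["cipher_suite"] in CBC_SUITES


def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample ServerHello (zero random, empty session id, no
    extensions) so the parser can be exercised offline."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs
```

Feed real ServerHello records (for example, exported from a packet capture) to `beast_exposed` to inventory which servers still negotiate the affected combination.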
According to Lebanese sources, the suspect, identified as Ibrahim S., has confessed to spying for Tel Aviv, and sophisticated espionage equipment, including a satellite device and an Israeli SIM card, was found in his apartment.
Ibrahim’s wife, a Lebanese national, was also arrested on suspicion of involvement in his espionage activities against Beirut.
Ibrahim, 55, has lived in Hasbaya, southeast Lebanon, for the past 20 years. He was apprehended on Saturday and is currently under interrogation.
Security sources said Ibrahim crossed into Israel during the 1982 Israeli invasion of Lebanon and worked there for years.
In April 2009, Lebanon, which has technically been in a state of war with Israel, launched a nationwide crackdown on Israeli spy cells arresting nearly 100 people, including members of the country’s security forces and telecommunications personnel, on suspicion of espionage for Mossad.
A number of the suspects have admitted to their role in helping Israel identify targets inside Lebanon, mostly belonging to Hezbollah, which Tel Aviv heavily bombed during its 2006 war against the country.
The most high-profile arrest came in August after Fayez Karam, a former army general and Christian Party politician, was charged with spying for Israel.
Karam, who was in charge of the Lebanese army’s anti-terrorism and counter-espionage unit in the 1980s, has been accused of meeting Mossad agents outside Lebanon and giving them information in exchange for money and weapons.
If convicted, the spies will face life sentences with hard labor. Should they be found guilty of contributing to the loss of Lebanese lives, the agents will face capital punishment.
Security experts also warn about Russia, Israel and even France, which in the 1990s reportedly bugged first-class airplane cabins to capture business travelers’ conversations. Many other countries, including the United States, spy on one another for national security purposes.
But China’s brazen use of cyber-espionage stands out because the focus is often corporate, part of a broader government strategy to help develop the country’s economy, according to experts who advise American businesses and government agencies.
“I’ve been told that if you use an iPhone or BlackBerry, everything on it — contacts, calendar, e-mails — can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they’ve got it,” said Kenneth Lieberthal, a former senior White House official for Asia who is at the Brookings Institution.
Chinese government officials say cyber-spying is a problem in much of the world. “It’s advisable for all international travelers to take due precautions with their computers and cellphones,” embassy spokesman Wang Baodong said. “China is not less insecure than other countries.”
Some industrial cyber-espionage takes place in the U.S. corporate world, experts say, but not nearly to the extent found in China. Also, the U.S. government reportedly does not conduct economic espionage on behalf of U.S. industry.
Travelers there often tote disposable cellphones and loaner laptops stripped of sensitive data. Some U.S. officials take no electronic gear. And a few corporate executives detour to Australia rather than risk talking business in a bugged Chinese hotel room.
Other travelers hide files on thumb drives, which they carry at all times and use only on off-line computers. One security expert, who spoke on the condition of anonymity to avoid drawing scrutiny from the Chinese government, buys a new iPad for each visit, then never uses it again.
“It’s real easy for them [the Chinese] to read everything that goes in and out of the country because the government owns all the networks,” said Jody Westby, chief executive of Global Cyber Risk, a consulting firm.
“The real problem here is economic espionage,” she said. “There are countries where the search for economic information and high-value data is so aggressive that companies or people are very hesitant about taking their laptops to those countries.”
Business travelers began adopting such safety measures for China several years ago, experts say. On the eve of the 2008 Beijing Olympics, Joel Brenner, then the U.S. national counterintelligence executive, first issued government safety guidance to overseas travelers, with such tips as: “If you can do without the device, don’t take it.”
20 September 2011, last updated at 11:04 ET
A report into the DigiNotar hack found a “severe breach” of the firm’s network
Dutch security firm DigiNotar has filed for voluntary bankruptcy following a series of attacks by a hacker.
The attackers penetrated DigiNotar’s internal systems and then issued fake security certificates so they could impersonate web firms.
The certificates are believed to have been used to eavesdrop on the Google email accounts of about 300,000 people.
The hacker behind the attacks claims to have penetrated four other firms that issue security certificates.
The new mini stream feature makes it simple to see what people are saying, even when they might not realize you’re listening
Not content to let Google+ hog the spotlight on the day of its grand opening, Facebook caught many users off-guard last night as it rolled out a host of changes without much in the way of warning or direction. What’s evident is that Facebook and Google+ are pulling out all the stops to win over the social networkers of the world, though at least one of the changes to Facebook may have users scrambling to alter their privacy settings and friends lists.
The timing of Facebook’s move was not necessarily too surprising: Zuckerberg and company correctly view Google+ as a threat to their platform’s popularity, judging by the quantity and types of changes it has made since its rival’s platform was born. What better way to retain attention on the day of Google+’s coming-of-age celebration than by setting off noisy fireworks outside?