Attacking the edges of secure Internet traffic

Jul 30, 2010 By JORDAN ROBERTSON , AP Technology Writer
A man passes a logo of the Black Hat technology conference in Las Vegas on Wednesday, July 28, 2010. (AP Photo/Isaac Brekken)

(AP) -- Researchers have uncovered new ways that criminals can spy on Internet users even if they're using secure connections to banks, online retailers or other sensitive Web sites.

The attacks demonstrated at the Black Hat conference here show how determined hackers can sniff around the edges of encrypted Internet traffic to pick up clues about what their targets are up to.

It's like tapping a phone line and hearing muffled voices that hint at the tone of the conversation.

The problem lies in the way Web browsers handle Secure Sockets Layer, or SSL, encryption technology, according to Robert Hansen and Josh Sokol, who spoke to a packed room of several hundred experts.

Encryption forms a kind of tunnel between a browser and a website's servers. It scrambles data so it's indecipherable to prying eyes.

SSL is widely used on sites that handle sensitive information, and its presence is shown as a padlock in the browser's address bar.

SSL is a widely attacked technology, but the approach by Hansen and Sokol wasn't to break it. They wanted instead to see what they could learn from the breadcrumbs that browsers leave behind during secure surfing, breadcrumbs a skilled attacker can follow.

Their attacks would yield all sorts of information. It could be relatively minor, such as browser settings or the number of Web pages visited. It could be quite substantial, including whether someone is vulnerable to having the "cookies" a site uses to keep them logged in stolen by an attacker and replayed to log into the secure site as them.

Hansen said all major browsers are affected by at least some of the issues.

"This points to a larger problem - we need to reconsider how we do electronic commerce," he said in an interview before the conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

For the average Internet user, the research reinforces the importance of being careful on public Wi-Fi networks, where an attacker could plant himself in a position to look at your traffic. For the attacks to work, the attacker must first have access to the victim's network.

Hansen and Sokol outlined two dozen problems they found. They acknowledged attacks using those weaknesses would be hard to pull off.

The vulnerabilities arise out of the fact people can surf the Internet with multiple tabs open in their browsers at the same time, and that unsecured traffic in one tab can affect secure traffic in another tab, said Hansen, chief executive of consulting firm SecTheory. Sokol is a security manager at National Instruments Corp.
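As an added example (this is not the researchers' code, and which particular weakness is meant is an assumption drawn from the description above): the plainest way unsecured traffic in one tab undermines a secure session in another is a login cookie that the site sets over HTTPS without the Secure attribute. A browser attaches such a cookie to any plain http:// request to the same host as well, for instance one triggered from an unencrypted page in a second tab, and an attacker on the same network can read it off the wire. The script below parses a few constructed Set-Cookie headers (the cookie names and host are hypothetical), models the browser's send rule, and reports which cookies would cross over to plaintext.

```javascript
// Added example, not code from the Black Hat talk. Models the standard
// browser rule: a cookie carrying the Secure attribute is only sent over
// https://, an unmarked cookie is sent over http:// too.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    path: '/',
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'path' && v) cookie.path = v.trim();
  }
  return cookie;
}

// Names of the cookies a browser would attach to a request for `url`,
// given a jar of cookies previously set by the same host.
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => u.pathname.startsWith(c.path))
    .filter((c) => !c.secure || u.protocol === 'https:')
    .map((c) => c.name);
}

// Audit helper: cookies that would leak onto a plaintext HTTP request.
function leakableCookies(jar) {
  return jar.filter((c) => !c.secure).map((c) => c.name);
}

// Constructed sample headers, as a hypothetical bank site might send
// after login over HTTPS. Only the first one is set correctly.
const SAMPLE_SET_COOKIE = [
  'SESSIONID=abc123; Path=/; Secure; HttpOnly',
  'REMEMBER_ME=tok456; Path=/; HttpOnly',   // missing Secure: leaks
  'prefs=lang%3Den; Path=/',                // missing Secure: leaks
];

const jar = SAMPLE_SET_COOKIE.map(parseSetCookie);

console.log('sent over https:', cookiesSentTo(jar, 'https://bank.example/account'));
console.log('sent over http: ', cookiesSentTo(jar, 'http://bank.example/account'));
console.log('leakable:       ', leakableCookies(jar));
```

The fix is on the server side: every cookie that represents a logged-in session must carry the Secure attribute (and HttpOnly, so page scripts cannot read it), so that a plaintext request from another tab never carries it.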

Their talk isn't the first time researchers have looked at ways to scour secure traffic for clues about what's happening behind the curtain of encryption. It does expand on existing research in key ways, though.

"Nobody's getting hacked with this tomorrow, but it's innovative research," said Jon Miller, an SSL expert who wasn't involved in the research.

Miller, director of Accuvant Labs, praised Hansen and Sokol for taking a different approach to attacking SSL.

"Everybody's knocking on the front door, and this is, 'let's take a look at the windows,'" he said. "I never would have thought about doing something like this in a million years. I would have thought it would be a waste of time. It's neat because it's a little different."

Another popular talk at the conference concerned a new attack affecting potentially millions of home routers. A compromised router would give an attacker the network position needed for the kinds of attacks described by Hansen and Sokol.

Researcher Craig Heffner examined 30 different types of home routers from companies including Actiontec Electronics Inc. and Cisco Systems Inc.'s Linksys and found that more than half of them were vulnerable to his attack.

He tricked Web browsers on computers behind those routers into letting him reach administrative menus that only the routers' owners should be able to see. Heffner said the vulnerability is in the browsers and illustrates a larger security problem involving how browsers determine that the sites they visit are trustworthy.

The caveat is that he first has to trick someone into visiting a malicious site, and it helps if the victim hasn't changed the router's default password.

Still: "Once you're on the router, you're invisible - you can do all kinds of things," such as controlling where the victim goes on the Internet, Heffner said.
