i2 Security Blog

Keeping you up to date on the world of IT Security


Bots to solicit stolen data

Hackers have proved they can break into just about any computer network, as shown by recent hacks of Sony and the like. However, once data is compromised there is another challenge to face: unloading the virtual booty.

Often stolen credit card numbers, online banking credentials, e-mail logins, and Social Security numbers are released onto a sprawling network of underground chat rooms and invitation-only forums, where such data is bought and sold. Law enforcement investigators from around the world lurk there as well, trying to catch the crooks, but with hacking incidents on the rise, the problem is far too big to police by traditional means.

Enter the modern-day informant. A Texas-based security firm, CSIdentity, has created artificial-intelligence software capable of posing as a hacker and engaging the crooks in the underground forums. The goal is to solicit stolen data (a hacker hoping to fence 1,000 credit card numbers will offer dozens for free to prove they're real) and send it back to human investigators.

SSL Encryption Broken

Researchers have discovered a weakness in the SSL (Secure Sockets Layer) protocol. SSL is used by nearly all websites that are trying to protect data being sent from the web server to the end user's browser.

The vulnerability was discovered in versions 1.0 and earlier of TLS (Transport Layer Security). Although versions 1.1 and 1.2 of TLS aren't vulnerable, few websites or browsers support them, which leaves encrypted transactions on the likes of PayPal, banking sites and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website being visited.

Researchers Thai Duong and Juliano Rizzo plan to demonstrate some proof-of-concept code later this week at the Ekoparty Conference in Buenos Aires. The software is called BEAST (Browser Exploit Against SSL/TLS). The code, apparently JavaScript, works with a network sniffer to decrypt encrypted cookies that a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this research was first published, Google released a developer version of its Chrome browser designed to thwart the attack.

Good to see Google are on the case to fix this before it becomes an everyday issue. Let's hope the rest of the browser developer community can be quick to act.
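
An added example, not from the original post: a small Python audit that reads an nginx configuration and reports every `ssl_protocols` directive that still enables the versions the post names as affected (TLS 1.0 and earlier). The choice of nginx, the sample configuration and its hostnames are assumptions constructed for illustration.

```python
import re

# Per the post: TLS 1.0 and earlier are affected, TLS 1.1 and 1.2 are not.
# Tokens are the protocol names nginx accepts in its ssl_protocols directive.
AFFECTED = {"SSLv2", "SSLv3", "TLSv1"}

# Matches active directives only; commented-out lines are skipped.
DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;#\n]+);", re.MULTILINE)

def audit(config_text):
    """Classify every ssl_protocols directive found in an nginx config."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        enabled = m.group(1).split()
        affected = [p for p in enabled if p in AFFECTED]
        if not affected:
            verdict = "ok"
        elif len(affected) < len(enabled):
            # A client limited to TLS 1.0 can still negotiate an affected version.
            verdict = "affected-version-enabled"
        else:
            verdict = "only-affected-versions"
        line = config_text.count("\n", 0, m.start()) + 1
        findings.append({"line": line, "affected": affected, "verdict": verdict})
    # No directive at all means the nginx default applies; not assessed here.
    return findings

# Constructed sample config (hostnames are placeholders).
SAMPLE = """\
server {
    server_name shop.example;
    ssl_protocols SSLv3 TLSv1;
}
server {
    server_name pay.example;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    server_name admin.example;
    # ssl_protocols TLSv1;
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['verdict']} {f['affected']}")
```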