New JavaScript hacking tool can intercept PayPal, other secure sessions
By Security, 2011-09-21 at 18:05:27. Summary: On Friday, a pair of security researchers will present a hacking tool which they claim decrypts secure Web requests to sites using the Transport Layer Security 1.0 protocol and SSL 3.0, allowing a person or program to hijack sessions with financial websites and other services. Juliano Rizzo and Thai Duong are unveiling their Browser Exploit Against SSL/TLS tool, dubbed BEAST, at the Ekoparty security conference in Buenos Aires. The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target's browser into the encrypted request stream to determine the shared key. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through a Web ad service, or through an IFRAME in a linkjacked site, an ad, or other scripted elements on a webpage. Using the known text blocks, BEAST can then use the information it collects to decrypt the target's AES-encrypted requests, including encrypted cookies, and hijack the no-longer-secure connection. That decryption happens slowly, however: BEAST currently needs sessions of at least half an hour to break cookies using keys over 1,000 characters long. The attack, according to Duong, is capable of intercepting sessions with PayPal and other services that still use TLS 1.0, which would be most secure sites, since later versions of TLS aren't yet supported in most browsers or Web server implementations.
While Rizzo and Duong believe BEAST is the first attack against SSL 3.0 that decrypts HTTPS requests, the vulnerability that BEAST exploits is well known: BT chief security technology officer Bruce Schneier and UC Berkeley's David Wagner pointed out in a 1999 analysis of SSL 3.0 that "SSL will provide a lot of known plain-text to the eavesdropper, but there seems to be no better alternative." And TLS's vulnerability to man-in-the-middle attacks was made public in 2009. The IETF's TLS Working Group published a fix for the problem, but the fix is unsupported by SSL.
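To make the root cause concrete, here is an added illustration (not from the article and not Rizzo and Duong's tool) of why TLS 1.0's CBC chaining lets anyone who sees the wire and can inject one chosen record confirm a guess about an earlier plaintext block, and why the per-record random IV introduced in TLS 1.1 (the IETF fix referred to above) makes the same check fail. The block function is a constructed keyed-hash stand-in for AES, and the cookie record is sample data.

```python
import hashlib
import os
BLOCK = 16

def block_encrypt(key, block):
    # Constructed stand-in for AES (keyed PRF, one block); only encryption is needed here.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

class Tls10Cbc:
    """TLS 1.0 chaining: the next record's IV is the previous record's last block."""
    def __init__(self, key):
        self.key, self.iv, self.last = key, os.urandom(BLOCK), None
    def send(self, plaintext):
        ct = cbc_encrypt(self.key, self.iv, plaintext)
        self.iv = self.last = ct[-BLOCK:]   # chained IV: visible to anyone on the wire
        return ct
    def blocks(self, ct):
        return [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]

class Tls11Cbc(Tls10Cbc):
    """TLS 1.1+ fix: a fresh random IV per record, sent explicitly in front of it."""
    def send(self, plaintext):
        iv = os.urandom(BLOCK)              # unknown until the record is built
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.last = ct[-BLOCK:]
        return iv + ct
    def blocks(self, ct):
        return super().blocks(ct[BLOCK:])   # strip the explicit IV

def guess_is_confirmed(session, c_prev, c_target, guess):
    """Chosen-plaintext check: only works if the next record's IV equals session.last."""
    chosen = xor(xor(guess, c_prev), session.last)   # cancels the IV, leaves guess ^ c_prev
    return session.blocks(session.send(chosen))[0] == c_target

def demo(session_cls):
    s = session_cls(key=os.urandom(16))
    secret = b"Cookie: sid=4242" + b"; Secure; HttpOn"   # constructed sample, two blocks
    c = s.blocks(s.send(secret))
    return (guess_is_confirmed(s, c[0], c[1], secret[16:]),
            guess_is_confirmed(s, c[0], c[1], b"; Secure; httpOn"))
```

`demo(Tls10Cbc)` returns `(True, False)`: the correct guess is confirmed and a wrong one rejected, which is exactly the oracle a defender removes by moving the server off TLS 1.0; `demo(Tls11Cbc)` returns `(False, False)` because the unpredictable IV cannot be cancelled.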