Security Alerts & News
by Tymoteusz A. Góral

#1214 New attack that cripples HTTPS crypto works on Mac, Windows and Linux
A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren't visible to attackers who may be monitoring an end user's network traffic. Now, researchers have devised an attack that breaks this protection.

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD (short for Web Proxy Auto-Discovery), through which a browser automatically fetches a proxy auto-config (PAC) script and consults it for every request; on a hostile network that script is attacker-controlled code, and the browser hands it the full URL of every site the target visits, HTTPS included. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week's Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.

"People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted (think public Wi-Fi/hotels/cafes/airports/restaurants, or compromised LAN in an organization)," Itzik Kotler, cofounder and CTO of security firm SafeBreach and one of the scheduled speakers, wrote in an e-mail. "We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks."
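To make the leak concrete, here is an added simulation (not code from the article or from the Black Hat talk) of what a browser hands to a PAC script's FindProxyForURL(url, host) entry point. The PAC body, the request URLs and the helper names are constructed for illustration. A real PAC sandbox exposes no network I/O beyond helpers such as dnsResolve(), so the hostile script here just records what it is given; the second resolver shows the mitigation browsers later adopted, passing only scheme and host for https:// URLs.

```javascript
// Added example: how a browser consults a WPAD-served PAC script, and what an
// attacker-controlled PAC file therefore observes. Nothing here is the talk's
// or the article's own code; the PAC text and URLs are constructed for the demo.

// A PAC file as an attacker on the LAN could serve it via WPAD. It returns
// "DIRECT" so every request proceeds normally and the victim notices nothing,
// but it first stores the URL it was handed in the 'seen' array.
const PAC_SOURCE = `
  function FindProxyForURL(url, host) {
    seen.push(url);          // attacker-controlled code now holds the full URL
    return "DIRECT";         // no proxy: traffic flows as usual, nothing looks wrong
  }
`;

// Evaluate the PAC text roughly the way a browser does: the script runs in a
// scope of its own and we retrieve its FindProxyForURL function. The 'seen'
// parameter stands in for the exfiltration channel a real script would use.
function loadPac(source, seen) {
  // eslint-disable-next-line no-new-func
  return new Function("seen", source + "\nreturn FindProxyForURL;")(seen);
}

// Vulnerable behaviour (browsers of the time): the complete URL, path and
// query included, is passed to the PAC script even for https:// requests.
function resolveProxyFull(pac, urlString) {
  const u = new URL(urlString);
  return pac(u.href, u.hostname);
}

// Mitigation: for https:// URLs, strip everything after the host before the
// script sees it, so a hostile PAC file learns only the origin being visited.
function resolveProxyStripped(pac, urlString) {
  const u = new URL(urlString);
  const passed = u.protocol === "https:" ? `${u.protocol}//${u.host}/` : u.href;
  return pac(passed, u.hostname);
}

// Run a few constructed requests through both policies and report what the
// PAC script recorded under each.
function demo() {
  const requests = [
    "https://bank.example/accounts/1234/statement?month=2016-07&token=s3cr3t",
    "https://mail.example/inbox?search=password+reset",
    "http://news.example/article/42",
  ];
  const seenFull = [];
  const seenStripped = [];
  const pacFull = loadPac(PAC_SOURCE, seenFull);
  const pacStripped = loadPac(PAC_SOURCE, seenStripped);
  for (const r of requests) {
    resolveProxyFull(pacFull, r);
    resolveProxyStripped(pacStripped, r);
  }
  return { seenFull, seenStripped };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the vulnerable policy the script's log contains the account number and token from the bank URL and the search string from the mail URL; under the stripped policy it holds only "https://bank.example/" and "https://mail.example/", while the plain-HTTP request is still passed whole because HTTPS never protected it in the first place.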
#1213 KeySniffer vulnerability opens wireless keyboards to snooping
#1212 Unpatched smart lighting flaws pose IoT risk to businesses
#1211 Amazon Silk browser ignored SSL searches, failing to protect your privacy
#1210 Microsoft Authenticator – coming August 15th! Supports AzureAD & Microsoft acct!
#1209 In-the-wild Ransomware Protection Comparative Analysis 2016 Q3 (PDF)
#1208 Windows UAC bypass leaves systems open to malicious DLLs
#1207 O2 customer data sold on dark net
#1206 Facebook admits blocking WikiLeaks’ DNC email links, but won’t say why
#1205 New evidence suggests DNC hackers penetrated deeper than previously thought
#1204 NIST prepares to ban SMS-based two-factor authentication