Security Alerts & News
by Tymoteusz A. Góral

#1264 HEIST: HTTP encrypted Information can be stolen through TCP-windows (PDF)
Over the last few years, a worrying number of attacks against SSL/TLS and other secure channels have been discovered. Fortunately, at least from a defender's perspective, these attacks require an adversary capable of observing or manipulating network traffic. This prevented a wide and easy exploitation of these vulnerabilities. In contrast, we introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the browser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic.

HEIST abuses weaknesses and subtleties in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. In particular, we discover a side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites.

Finally, we explore the reach and feasibility of exploiting HEIST. We show that attacks can be performed on virtually every web service, even when HTTP/2 is used. In fact, HTTP/2 allows for more damaging attack techniques, further increasing the impact of HEIST. In short, HEIST is a set of novel attack techniques that brings network-level attacks to the browser, posing an imminent threat to our online security and privacy.
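As an added illustration (not code from the paper or from this page), the Python below shows why an exact response-size oracle matters once compression is on, and two of the standard BREACH-era defences: per-response secret masking and length-hiding padding. The HTML template, the token and the two guesses are constructed for the example.

```python
import os
import zlib

# Constructed sample page: a CSRF token and a reflected search string share
# one compressed response body, which is the precondition for BREACH.
TEMPLATE = (b"<html><body><form action='/transfer' method='post'>"
            b"<input type='hidden' name='csrf' value='%s'>"
            b"<input type='text' name='to'><input type='submit' value='Send'>"
            b"</form><p>No results for: %s</p></body></html>")

SECRET = b"a3f9c1e7b2d4"  # constructed token, not a real value


def render(token: bytes, reflected: bytes) -> bytes:
    """Build the HTML body containing the token and the reflected text."""
    return TEMPLATE % (token, reflected)


def wire_size(body: bytes) -> int:
    """Bytes on the wire after DEFLATE; TLS adds a constant overhead but does
    not hide this length, which is exactly what HEIST measures via TCP windows."""
    return len(zlib.compress(body))


def size_leak(token: bytes, guess_hit: bytes, guess_miss: bytes) -> int:
    """Positive when the response holding the correct prefix guess is smaller:
    the guess became a back-reference instead of literals."""
    return wire_size(render(token, guess_miss)) - wire_size(render(token, guess_hit))


def mask_secret(secret: bytes, mask: bytes = b"") -> bytes:
    """Per-response masking: send hex(mask):hex(secret XOR mask) with a fresh
    random mask each time, so the literal token never repeats on the wire and a
    reflected guess cannot match it. A fixed mask may be passed for testing."""
    mask = mask or os.urandom(len(secret))
    xored = bytes(a ^ b for a, b in zip(secret, mask))
    return mask.hex().encode() + b":" + xored.hex().encode()


def unmask_secret(wire: bytes) -> bytes:
    """Server-side inverse of mask_secret when the token comes back in a form."""
    mask_hex, xored_hex = wire.split(b":")
    mask, xored = bytes.fromhex(mask_hex.decode()), bytes.fromhex(xored_hex.decode())
    return bytes(a ^ b for a, b in zip(xored, mask))


def padded_size(size: int, bucket: int = 512) -> int:
    """Length hiding: round the compressed size up to a bucket. Sizes inside one
    bucket become indistinguishable; a guess that crosses a boundary still
    leaks, so padding raises the attack's cost rather than removing it."""
    return -(-size // bucket) * bucket
```

Masking is the defence that removes the compression oracle outright; padding only widens the gap the attacker must measure, and disabling compression of responses that mix secrets with user input remains the simplest option.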
#1270 Can you trust that invoice? Nigerian 419 scammers ply new wire-wire trade via compromised email
#1269 Italian malware is spying on Chinese Android users: But why?
#1268 Microsoft cranks up encryption in .Net framework
#1267 Fake Prisma apps found on Google Play
#1266 This ATM hack could allow thieves to make off with thousands
#1265 BlackHat2016: badWPAD – The doubtful legacy of the WPAD protocol
#1264 HEIST: HTTP encrypted Information can be stolen through TCP-windows (PDF)
#1263 Lack of encryption leads to large scale cookie exposure
#1262 Are smart city transport systems vulnerable to hackers?
#1261 Pokemon GO DDoS attacks postponed as PoodleCorp botnet suffers security breach