Approximately one year ago Juliano Rizzo and Thai Duong (the so-called BEASTie Boys) showed a way to break SSL/TLS encryption by means of their BEAST attack (Browser Exploit Against SSL/TLS).
Their attack exploited a design flaw in SSL 3.0/TLS 1.0, or rather in the way those versions use CBC mode with block ciphers such as AES and 3DES: the IV of each record is the last ciphertext block of the previous record, so an attacker sniffing the connection knows the IV before the next record is encrypted. By injecting chosen plaintext into the encrypted channel (for instance through script running in the victim's browser) and comparing the resulting ciphertext blocks with the sniffed ones, the attacker can verify guesses and decrypt part of the conversation, typically a session cookie, one byte at a time. At the time the research had a considerable impact, given how widely SSL/TLS is used by millions of websites providing secure online services.
Since TLS 1.1 and 1.2 are not vulnerable (they use an explicit, unpredictable IV for every record), the advice was to migrate to those versions where possible; but as their adoption is still far from common, the suggestion, followed by Google among others, was to prefer a cipher suite that does not use CBC mode, for instance RC4. This is a stop-gap rather than a fix: RC4 is a stream cipher with known keystream biases of its own, and switching to it trades one class of weakness for another.
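The predictable-IV weakness and the byte-at-a-time chosen-plaintext recovery described above, as an added example (this is not code from the original post or from the BEAST authors): a minimal model of a TLS 1.0 CBC record layer, the attacker's guess-verification trick, and the same attacker failing against the TLS 1.1/1.2 explicit-IV behaviour. The block cipher is a SHA-256-based Feistel stand-in for AES/3DES so the script needs only the standard library; the attack does not depend on which block cipher sits underneath. SECRET, KEY, the RecordLayer class and the helper names are all constructed for this example.

```python
"""BEAST-style chosen-plaintext attack against chained CBC IVs (TLS 1.0)
versus per-record explicit IVs (TLS 1.1+).

Added example, not code from the original post or from the BEAST authors.
The block cipher is an 8-round Feistel network keyed with SHA-256, standing
in for AES/3DES so the script runs with the standard library only.
"""
import hashlib
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed 128-bit permutation (Feistel, SHA-256 round function): AES stand-in."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def pad(data: bytes) -> bytes:
    """Pad to whole blocks (PKCS#7 style; TLS padding differs slightly, irrelevant here)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> list:
    blocks, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        blocks.append(prev)
    return blocks


class RecordLayer:
    """Sender side of a CBC cipher suite (constructed model, no MAC/framing).

    chained=True  : TLS 1.0 behaviour, the IV of record n+1 is the last
                    ciphertext block of record n, visible on the wire.
    chained=False : TLS 1.1/1.2 behaviour, a fresh random IV per record.
    send() returns the ciphertext blocks a network sniffer would see.
    """

    def __init__(self, key: bytes, chained: bool = True):
        self.key, self.chained = key, chained
        self.chain = os.urandom(BLOCK)  # TLS 1.0: the first IV comes from handshake secrets

    def send(self, plaintext: bytes) -> list:
        iv = self.chain if self.chained else os.urandom(BLOCK)
        blocks = cbc_encrypt(self.key, iv, pad(plaintext))
        self.chain = blocks[-1]
        return blocks


def recover_secret(channel: RecordLayer, victim_send, secret_len: int):
    """Attacker who sniffs the channel, can make the victim send
    prefix || secret for a chosen prefix (BEAST does this via the browser),
    and can inject records of chosen plaintext.  Returns the secret, or
    None when the IV prediction fails (the TLS 1.1+ case)."""
    last_seen = victim_send(b"")[-1]   # sniff one ordinary record: the next TLS 1.0 IV
    known = b""
    for k in range(secret_len):
        # Pick the prefix length so secret[k] is the LAST byte of a block whose
        # other 15 bytes are already known: at most 256 guesses for that byte.
        prefix = b"A" * ((BLOCK - 1 - k) % BLOCK)
        idx = (len(prefix) + k) // BLOCK
        blocks = victim_send(prefix)
        c_prev = last_seen if idx == 0 else blocks[idx - 1]  # XORed into the target before encryption
        target = blocks[idx]
        last_seen = blocks[-1]
        known15 = (prefix + known)[idx * BLOCK: idx * BLOCK + BLOCK - 1]
        for g in range(256):
            # E(probe XOR next_iv) == E(guess XOR c_prev) == target  iff  guess == target plaintext
            probe = xor(known15 + bytes([g]), xor(c_prev, last_seen))
            out = channel.send(probe)
            last_seen = out[-1]
            if out[0] == target:
                known += bytes([g])
                break
        else:
            return None  # no guess matched: the IV was not the block we predicted
    return known


SECRET = b"sid=8f3a1c4ee0b2"  # constructed sample: a 16-byte session cookie value
KEY = b"\x01" * BLOCK         # constructed sample key


def demo(chained: bool):
    channel = RecordLayer(KEY, chained=chained)
    return recover_secret(channel, lambda prefix: channel.send(prefix + SECRET), len(SECRET))


if __name__ == "__main__":
    print("TLS 1.0 chained IVs :", demo(True))   # recovers the cookie
    print("TLS 1.1 explicit IVs:", demo(False))  # None
```

Run the script directly: the chained-IV channel gives up the 16-byte cookie with at most 256 injected records per byte, while the explicit-IV channel returns None because the attacker can no longer know the IV at the moment the probe has to be chosen. The model leaves out the MAC and record framing, which play no part in the trick; the equality test on ciphertext blocks is the same one the real attack performs on captured records.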
After one year, at the Ekoparty conference in Argentina, the two researchers are going to unveil a new attack against SSL/TLS, dubbed CRIME. Few details are currently available: the researchers are not revealing which feature of SSL/TLS is responsible for the CRIME attack, except that this feature has not been a major subject of security research until now. In any case the new attack works much like BEAST: once the attackers have a man-in-the-middle position on a given network, they can sniff HTTPS traffic and launch the attack.
The good news is that, although both Mozilla Firefox and Google Chrome are vulnerable to the attack, the browser vendors have already developed patches for the issue, which will be released in the next few weeks.
The first half of March is gone, and here is the timeline of the main cyber attacks for this period. It shows, once again, a month characterized by hacktivism, and in particular by cyber attacks carried out in retaliation for the arrests of the LulzSec members; the most meaningful of these is the one perpetrated against a security firm, Panda Security.
As far as hacktivism is concerned, March has also seen the rise of a new hacking collective called The Consortium, which hacked Digital Playground, an adult site, obtaining 72,000 user accounts.
Other remarkable events include the attacks on several Vatican websites, the theft of Michael Jackson's catalogue from Sony, and the cyber attack on the British Pregnancy Advisory Service, which allowed the alleged attacker to illegally obtain 10,000 records.
Last but not least, NATO Admiral James Stavridis has been the indirect victim of a social poisoning cyber attack allegedly perpetrated by Chinese hackers, while the BBC has been the victim of a sophisticated cyber attack from Iran.
The references are after the jump and, as always, the timeline does not include the events related to the Middle East cyberwar, which are the subject of a dedicated timeline.
If you want an idea of how fragile our data are in cyberspace, have a look at the timelines of the main cyber attacks in 2011 and 2012 (regularly updated) and follow @pausparrows on Twitter for the latest updates.
08/13/2011 - My Post on Android Malware Mentioned on Engadget.
04/14/2011 - The Article Smart Grid: L'ultima Frontiera del Cybercrime published on ICT Security Magazine May 2011.
03/14/2011 - Security Summit 2011: Paolo Passeri guest at Round Table "Mobile Security: Rischi, Tecnologie, Mercato"
02/14/2011 - The Article Gears of Cyberwar published on ICT Security Magazine January 2011.
About This Blog
In this blog I express my personal opinion, which does not necessarily reflect the opinion of my organization, about events and news of interest concerning information security, with an eye to the mobile world and, why not, to the occasional curious personal event.
All information is reported with its source.
Anyone intending to use the information contained in my posts is free to do so, provided that they mention my blog in their article.