A new attack technique against TLS will be the guest of honor at this month's Ekoparty Security Conference in Argentina. CRIME, created by Juliano Rizzo and Thai Duong, exploits security shortcomings in TLS to pull sensitive information out of HTTPS connections, such as the bank account details, credit card numbers, names and addresses entered when shopping online. Millions of online businesses, shopping sites and banks worldwide rely on SSL/TLS to encrypt such information as it travels from customers' browsers. Rizzo and Duong are also the evil geniuses behind the infamous BEAST attack, which recovered plaintext from SSL/TLS 1.0 connections.
Juicy details are being closely guarded until the grand presentation at Ekoparty, but that didn't stop this ninja spy from learning that CRIME exploits cryptographic weaknesses in the protocol itself. What the attack exposes is more than enough to recover a user's "protected" session cookies, paving the way for an attacker to pose as the victim and hijack their secure sessions with sites.
The BEAST attack was mitigated by configuring web servers to prefer the RC4 cipher suite over AES. That fix does not help against CRIME: it lets miscreants run man-in-the-middle-style raids regardless of which cipher suite is negotiated.
Chrome and Firefox are not immune to CRIME. Google and Mozilla developers have acknowledged the problem and are working to have patches available in the coming weeks. Duong, an information security engineer at Google, also worked with Rizzo on the ASP.NET "padding oracle" exploit, which forced Microsoft to ship an emergency security patch for the well-known framework.
Ekoparty 2012 takes place on September 19, 20 and 21, 2012 in Buenos Aires.
Our first story on BEAST (link)