New attack steals SSNs, e-mail addresses, and more from HTTPS pages

Approach exploits how HTTPS responses are delivered over transmission control protocol.

A demo planned for Wednesday will show how an ad hosted on nytimes.com could attack other HTTPS-protected sites. (credit: Vanhoef, Van Goethem)

The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection.

The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit. As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas.


Eurocops get new cyber powers to hunt down terrorists, criminals

Rules give legal certainty to unit tackling online terrorist propaganda, extremism.


Europe’s police agency Europol has been given enhanced cyber powers to track down terrorists and other criminals.

The new governance rules were approved by the European Parliament’s civil liberties committee on Thursday by a massive majority. MEPs claimed that the new powers come with strong data protection safeguards and democratic oversight.

Last November, the draft rules were given the green light by the European Union's 28 member states. Now the panel's politicos have overwhelmingly thrown their weight behind the measures, by 40 votes to three, with two abstentions.


Clever bank hack allowed crooks to make unlimited ATM withdrawals

Banking malware is using techniques once reserved for state-sponsored hacking gangs.


To appreciate how malware targeting banks and other financial institutions is adopting sophisticated techniques once reserved for state-sponsored spies using so-called advanced persistent threats, consider the recently discovered Metel crimeware package.

It contains more than 30 separate modules that can be tailored to the computer it's infecting. One of the most powerful components automatically rolls back ATM transactions shortly after they're made. As a result, people with payment cards from a compromised bank can withdraw nearly unlimited sums of money from ATMs belonging to another bank. Because the Metel module repeatedly resets card balances, the criminals never pass the threshold that would normally freeze the card. Last year, the rollback scheme caused an unnamed bank in Russia to lose millions of rubles in a single night.

Metel usually gains an initial foothold by exploiting vulnerabilities in browsers or through spear-phishing e-mails that trick employees into executing malicious files. Members of the Metel hacking gang then use legitimate software used by server administrators and security researchers to compromise other PCs in an attempt to burrow further into the targeted network. They will often patiently work this way until they gain control over a system with access to money transactions, for example, PCs used by call center operators or IT support.


Anti-gangster law invoked to score stiff sentence against two-bit cyberthief

RICO helped take down the Gambino crime family. Now, it’s being used online.

Federal prosecutors have secured an unusually stiff sentence against a low-level identity thief by invoking the same law used to target bosses of the Gambino crime family and Los Angeles street gangs.

On Thursday, David Ray Camez, 22, was sentenced to serve 20 years in prison and pay $20 million in restitution for his participation in carder.su, a website that allowed people to collaborate on crimes involving identity theft, computer malware, and other types of online graft. He was already serving a seven-year sentence for the same acts when he and 38 others were charged in a 2012 indictment. The indictment alleged violations of the Racketeer Influenced and Corrupt Organizations (RICO) Act, which allows for harsh criminal and civil penalties for acts that are part of an ongoing criminal enterprise.

Under RICO, it didn't matter that Camez's conduct was an infinitesimally small part of the illegal acts carried out on carder.su, or that he was just 17 or 18 years old when he was caught purchasing or possessing counterfeit driver's licenses, credit and gift cards, and equipment for manufacturing counterfeit cards. During sentencing, prosecutors provided evidence establishing that the site, with an estimated 5,500 members as of 2011, was responsible for losses totaling $50 million. Feds also established that carder.su was a criminal enterprise engaged in large-scale trafficking of compromised credit cards and identities. These showings were some of the many factors under RICO that allowed for increased penalties for Camez, who went by the online aliases "Bad Man" and "doctorsex."
