Hackers at the Black Hat and DefCon security conferences this weekend in Las Vegas demonstrated a hack that works much like a phone tap does, the Associated Press reports.
If a criminal infiltrates a network, he can set up a secret eavesdropping post and capture credit card numbers, passwords and other sensitive data flowing between computers on that network and sites their browsers have deemed safe.
In an even more nefarious plot, an attacker could hijack the auto-update feature on a victim's computer, and trick it into automatically installing malware pulled in from a hacker's Web site. The computer would think it's an update coming from the software manufacturer.
The problem lies with Secure Sockets Layer (SSL) certificates, which validate that a Web site is trustworthy. When a user visits a Web site, browsers like Internet Explorer and Firefox check whether it has a valid SSL certificate, meaning the Web address matches the Web address on the certificate bought by the Web site. Browsers will either block the site or notify the user that the Web site may not be trustworthy if the certificate is no longer valid or if the Web address entered doesn't match the one on the certificate.
Hackers at Black Hat and DefCon have found an exploitable flaw in SSL certificates.
Many SSL certificate companies will allow people to insert a programming symbol called a "null character" into the Web address on the certificates they receive. Web browsers generally treat that symbol as the end of the name: they stop reading there when they're checking the Web address on a certificate.
The trick in the latest type of attack is that all a criminal would need to do is put the name of a legitimate Web site before that character, and the browser will believe that the site it's visiting — which is under the criminal's control — is legitimate.
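The truncation described above, shown as an added example that is not part of the original article: the certificate stores the name with an explicit length, and a check that treats it as a C string stops at the null character. The names `bank.example` and `attacker.example`, the struct and both function names are constructed for illustration, and names are assumed to be lowercase.

```c
#include <stdio.h>
#include <string.h>

/* A name as stored in a certificate: bytes plus an explicit length,
   so it can contain a 0x00 byte in the middle. */
struct cert_name {
    const char *data;
    size_t      len;
};

/* Flawed check: treats the name as a C string, so the comparison stops at
   the first null character and the rest of the name is never examined. */
int name_matches_flawed(const struct cert_name *cn, const char *host)
{
    return strcmp(cn->data, host) == 0;
}

/* Hardened check: refuses any name with an embedded null character, then
   compares the full stored length against the requested host. */
int name_matches_strict(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                      /* malformed name: reject outright */
    if (cn->len != strlen(host))
        return 0;
    return memcmp(cn->data, host, cn->len) == 0;
}

/* Constructed sample: a name issued to the owner of attacker.example,
   with a legitimate site's name placed before a null character. */
static const char SAMPLE[] = "www.bank.example\0.attacker.example";
static const struct cert_name SAMPLE_CN = { SAMPLE, sizeof SAMPLE - 1 };

int main(void)
{
    const char *host = "www.bank.example";
    printf("stored length: %zu bytes\n", SAMPLE_CN.len);
    printf("flawed check accepts: %d\n", name_matches_flawed(&SAMPLE_CN, host));
    printf("strict check accepts: %d\n", name_matches_strict(&SAMPLE_CN, host));
    return 0;
}
```

The strict check fails closed on the malformed name rather than trying to interpret it, which is the behaviour a certificate validator wants.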
The criminal could then forward the traffic onto the legitimate site, and spy on everything the victim does on that site.
By inserting himself between the Web user sending personal information and the Web site receiving it, a hacker can steal all the information he wants.
Jeff Moss, a former hacker who was appointed to the Homeland Security Department's advisory council this summer, said the hack, while difficult to pull off, has enormous implications for data security.
"If you can get in the middle, you can get everything," he said. "It's a big, giant wake-up call for the industry."