Tag Archives: man-in-the-middle

Schneier on Security: Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0

While Rizzo and Duong believe BEAST is the first attack against SSL 3.0 that decrypts HTTPS requests, the vulnerability that BEAST exploits is well-known; BT chief security technology officer Bruce Schneier and UC Berkeley’s David Wagner pointed out in a 1999 analysis of SSL 3.0 that “SSL will provide a lot of known plain-text to the eavesdropper, but there seems to be no better alternative.” And TLS’s vulnerability to man-in-the-middle attacks was made public in 2009. The IETF’s TLS Working Group published a fix for the problem, but the fix is unsupported by SSL.

The comments following the article, at Schneier on Security: Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0, have quite a bit of interesting information.

Researchers’ typosquatting snarfed 20GB of Fortune 500 e-mails

Talk about an easy exploit:

Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.

The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

via Researchers’ typosquatting snarfed 20GB of Fortune 500 e-mails.