
New Browser Hack Can Spy On Eight Out Of Ten PCs






A group of Columbia University security researchers have uncovered a new and insidious way for a hacker to spy on a computer, Web app or virtual machine running in the cloud without being detected. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack.
The exploit, which the researchers are calling “the spy in the sandbox,” requires little in the way of cost or time on the part of the attacker; there’s nothing to install and no need to break into hardened systems. All a hacker has to do is lure a victim to an untrusted web page with content controlled by the attacker. Once there, the code embedded in the bogus content runs a routine that manipulates how data moves in and out of the victim PC’s cache, the part of the CPU that serves as the intermediary between the high-speed central processor and the lower-speed random access memory, or RAM.

The exploit then records the time it takes for the victim’s PC to run various operations against cache memory, using the browser’s own high-resolution timers (we’re talking nanoseconds here). By studying how long each memory access takes, the hacker can build an accurate picture of a user’s browser history, keystrokes and mouse movements. The attack is more for spying than theft: it doesn’t steal any data or passwords or corrupt the victim’s machine.
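The paragraph above turns on one detail: the browser hands a page a timer fine enough to tell a cache hit from a cache miss. The block below is an added illustration, not code from the article or from the Columbia paper, and all of its numbers are constructed. It models a cache hit and a cache miss as two latency distributions, reads them through a timer of adjustable granularity, and reports how well a single reading separates the two. It lets a defender see what coarsening the timer (the mitigation browser vendors adopted after this class of attack) does to the channel. The function names, the latency figures and the jitter model are assumptions made for the example.

```javascript
// Added example (not from the article or the research it describes).
// Models why timer resolution matters for a cache-timing side channel and
// what coarsening the timer does to it. Every number here is constructed.

// Constructed latencies, in nanoseconds, for a cached and an uncached access.
// Real values depend on the CPU; these are the right order of magnitude.
const CACHE_HIT_NS = 40;
const CACHE_MISS_NS = 200;

// Small deterministic PRNG (mulberry32) so runs are reproducible offline.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296; // [0, 1)
  };
}

// One simulated measurement: base latency plus jitter in [-30, 30) ns.
function sampleLatencyNs(baseNs, rng) {
  const jitter = (rng() + rng() + rng() - 1.5) * 20;
  return baseNs + jitter;
}

// Model of a coarsened timer: the true value is rounded down to a grid.
// A 1 ns grid is effectively a full-resolution timer; a 5000 ns grid is a
// 5 microsecond timer, the kind of coarsening browsers later shipped.
function coarsenNs(tNs, granularityNs) {
  return Math.floor(tNs / granularityNs) * granularityNs;
}

// The defender's question: with a timer of this granularity, how often can a
// single reading, thresholded at the midpoint, correctly say hit or miss?
// Trials alternate hit and miss, so a timer that reveals nothing scores 0.5.
function distinguishAccuracy(granularityNs, trials, seed) {
  const rng = makeRng(seed);
  const threshold = (CACHE_HIT_NS + CACHE_MISS_NS) / 2;
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const isMiss = i % 2 === 1;
    const trueNs = sampleLatencyNs(isMiss ? CACHE_MISS_NS : CACHE_HIT_NS, rng);
    const observedNs = coarsenNs(trueNs, granularityNs);
    const guessedMiss = observedNs >= threshold;
    if (guessedMiss === isMiss) correct++;
  }
  return correct / trials;
}

// Stand-alone run: accuracy falls toward chance as the timer gets coarser.
if (typeof require !== "undefined" && require.main === module) {
  for (const g of [1, 100, 5000]) {
    console.log(`granularity ${g} ns: accuracy ${distinguishAccuracy(g, 1000, 42)}`);
  }
}
```

With a 1 ns grid every reading lands on the correct side of the threshold; at 5000 ns every reading rounds down to zero and the observer is guessing. Coarsening raises the attacker's cost rather than removing the channel, since many readings can be averaged, so browsers paired it with other measures; the model above is only meant to make the resolution dependence visible.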

The “spy in the sandbox” is what’s known as a side-channel attack, which is one of the older tricks in the hacker’s black bag. Such an attack usually involves interpreting what’s going on inside a computer’s guts by measuring physical outputs such as sound, electromagnetic radiation or power consumption. In the 1980s, Soviet spies were reportedly suspected of having planted tiny microphones inside IBM Selectric typewriters to record the striking of the type ball as it hit paper and so determine which key was pressed. Other old-school side-channel hacks include filming and analyzing the blinking lights on old modems or external hard drives. Bad guys have since used side-channel attacks to steal pay TV streams and cars and to break into phones.
Modern-day side-channel attacks now take the form of reading the activity of processors, memory or networking ports. The recent and massive shift of computing to cloud services such as Amazon EC2 or Microsoft Azure initially raised fears that hackers would be able to spy among virtual machines sharing the same servers (which is how clouds get their cost efficiencies). Apart from research done in 2009 showing that it is hypothetically possible for one virtual machine to spy on another by studying how it uses computing cycles, however, there have so far been no publicly confirmed side-channel attacks by bad guys in the cloud. Amazon tried to downplay the 2009 report by researchers at MIT and UC-San Diego.

While it’s difficult to launch a side-channel attack in a secured cloud, it would be far easier on the open web. A handful of security researchers have already proven various techniques, a recent one of which used a radio receiver to steal cryptographic keys from a computer sitting a few feet away. Yuval Yarom, a researcher from the University of Adelaide, Australia, last year presented a way to use a cache memory side-channel attack to steal a victim’s Bitcoin secret key after observing about 25 Bitcoin transactions.
The Columbia researchers, Yossef Oren, Vasileios Kemerlis, Simha Sethumadhavan and Angelos Keromytis, used the same technical method as Yarom but focused on how such an attack could be built into a simple Web page to reach as many users as possible—without being detected.
