BreachExchange mailing list archives

fringe: Your health, tax, and search data siphoned


From: security curmudgeon <jericho () attrition org>
Date: Wed, 24 Mar 2010 18:11:14 +0000 (UTC)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.theregister.co.uk/2010/03/23/side_channel_attacks_web_apps/

By Dan Goodin in San Francisco
The Register
23rd March 2010

Google, Yahoo, Microsoft's Bing, and other leading websites are leaking 
medical histories, family income, search queries, and massive amounts of 
other sensitive data that can be intercepted even when encrypted, computer 
scientists revealed in a new research paper.

Researchers from Indiana University and Microsoft itself were able to 
infer the sensitive data by analyzing the distinct size and other 
attributes of each exchange between a user and the website she was 
interacting with. Using man-in-the-middle attacks, they could glean the 
information even when transactions were encrypted using the Secure Sockets 
Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access protocol.

"Our research shows that surprisingly detailed sensitive user data can be 
reliably inferred from the web traffic of a number of high-profile, 
top-of-the-line web applications" offered by Google, Yahoo, and Bing as 
well as the leading online providers of tax, health and investments 
services, which the researchers didn't name.

"An eavesdropper can infer the medications/surgeries/illnesses of the 
user, her annual family income and investment choices and money 
allocations, even though the web traffic is protected by HTTPS. We also 
show that even in a corporate building that deploys the up-to-date 
WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit 
outside the building to glean the query words entered into employees' 
laptops, as if they were exposed in plain text in the air."

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
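The article says the leak comes from the distinct size of each encrypted exchange. The following is an added illustration, not code from the article or from the Indiana/Microsoft paper it reports on, of why that is and what the usual mitigation (padding responses to fixed-size buckets) buys and costs; the response lengths and condition names are constructed sample values, not measurements from any real site.

```python
import math

# Constructed sample (not data from the paper): hypothetical byte lengths of
# the HTTPS response a health site returns for each condition a user picks.
# TLS hides the content but not (beyond cipher block rounding) the length,
# so each distinct length is a label a passive observer can read off the wire.
RESPONSE_SIZES = {
    "asthma": 1402,
    "diabetes": 1517,
    "hypertension": 1688,
    "migraine": 2039,
    "depression": 2051,
    "arthritis": 2760,
}


def bucket_pad(size: int, bucket: int) -> int:
    """Round a response length up to the next multiple of `bucket` bytes.
    bucket=1 means no padding, i.e. the length is sent as-is."""
    return math.ceil(size / bucket) * bucket


def observable_classes(sizes: dict, bucket: int = 1) -> dict:
    """Group inputs by the padded length a size-only observer would see."""
    groups = {}
    for name, size in sizes.items():
        groups.setdefault(bucket_pad(size, bucket), []).append(name)
    return groups


def max_guess_accuracy(sizes: dict, bucket: int = 1) -> float:
    """Best-case hit rate of an observer who, for each observed length,
    guesses one of the inputs that produce it (uniform prior over inputs).
    Equals (number of distinguishable classes) / (number of inputs)."""
    return len(observable_classes(sizes, bucket)) / len(sizes)


def padding_overhead(sizes: dict, bucket: int) -> float:
    """Fraction of extra bytes the padding costs: the price of the mitigation."""
    raw = sum(sizes.values())
    padded = sum(bucket_pad(s, bucket) for s in sizes.values())
    return (padded - raw) / raw


if __name__ == "__main__":
    for bucket in (1, 1024, 4096):
        print(f"bucket={bucket:5d}  classes={len(observable_classes(RESPONSE_SIZES, bucket))}"
              f"  guess accuracy={max_guess_accuracy(RESPONSE_SIZES, bucket):.2f}"
              f"  overhead={padding_overhead(RESPONSE_SIZES, bucket):.0%}")
```

With no padding every condition has a unique length, so a size-only observer identifies it every time; padding to 1 KiB collapses the six into two classes at roughly 25% extra bytes, and 4 KiB buckets make them indistinguishable.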