CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions

The new attack on TLS developed by researchers Juliano Rizzo and Thai Duong takes advantage of an information leak in the compression ratio of TLS requests as a side channel to enable them to decrypt the requests made by the client to the server. This, in turn, allows them to grab the user’s login cookie and then hijack the user’s session and impersonate her on high-value destinations such as banks or e-commerce sites.

Demo of the CRIME TLS Attack

Security researchers Juliano Rizzo and Thai Duong have developed a new attack called CRIME on the TLS protocol that uses the compression ratio in TLS requests as a side channel to gather information that enables them to decrypt the requests and extract users’ cookies.

The University of Miami Hospital (UMH) has begun to notify patients for the second time this year that some of their personal information may be at risk after the health care institution was hit with a data breach in July. According to a letter being sent to patients this month, two employees at the hospital were found “inappropriately accessing” patients’ “face sheets,” documents that give doctors a quick glance at patients’ information.

The developer behind the notorious Black Hole exploit kit has released a new version of the software, adding in several new features designed to prevent security researchers from getting access to new exploits or reverse-engineering the kit’s inner workings. Conveniently, the pricing for Black Hole has stayed the same, so hackers get more value for the same amount of money.

The Microsoft security team shipped just two bulletins, resolving as many holes, in the September 2012 edition of Patch Tuesday. The patches supply fixes for two 'important'-rated bugs, one in Microsoft Developer Tools and the other in Microsoft Server Software. If left unpatched, both could lead to elevation of privilege.
