
Carnegie Mellon system thwarts Internet eavesdropping

August 26, 2008

Available as free download for Firefox browser

PITTSBURGH - The growth of shared Wi-Fi and other wireless computer networks has increased the risk of eavesdropping on Internet communications, but researchers at Carnegie Mellon University's School of Computer Science and College of Engineering have devised a low-cost system that can thwart these "Man-in-the-Middle" (MitM) attacks.




The system, called Perspectives, also can protect against attacks related to a recently disclosed software flaw in the Domain Name System (DNS), the Internet phone book used to route messages between computers.

The researchers - David Andersen, assistant professor of computer science, Adrian Perrig, associate professor of electrical and computer engineering and public policy, and Dan Wendlandt, a Ph.D. student in computer science - have incorporated Perspectives into an extension for the popular Mozilla Firefox v3 browser that can be downloaded free of charge at www.cs.cmu.edu/~perspectives/firefox.html.

Perspectives employs a set of friendly sites, or "notaries," that can aid in authenticating Web sites for financial services, online retailers and other transactions requiring secure communications. By independently querying the desired target site, the notaries can check whether each is receiving the same authentication information, called a digital certificate, in response. If one or more notaries report authentication information that is different than that received by the browser or other notaries, a computer user would have reason to suspect that an attacker has compromised the connection.

Certificate authorities, such as VeriSign, Comodo and GoDaddy, already help authenticate Web sites and reduce the risk of MitM attacks. The Perspectives system provides an extra measure of security in those cases but will be especially useful for the growing number of sites that do not use certificate authorities and instead use less expensive "self-signed" certificates.

"When Firefox users click on a Web site that uses a self-signed certificate, they get a security error message that leaves many people bewildered," Andersen said. Once Perspectives has been installed in the browser, however, it can automatically override the security error page without disturbing the user if the site appears legitimate.

The system also can detect if one of the certificate authorities may have been tricked into authenticating a bogus Web site and warn the Firefox user that the site is suspicious. "Perspectives provides an additional level of safety to browse the Internet," Perrig said. "To the security conscious user, that is a significant comfort."

Andersen said the increased use of wireless connections to the Internet has increased the risk of MitM attacks. These occur when an attacker tricks a computer user into believing that the user has established a secure link with a target site, such as a bank. In actuality, the computer user is communicating with the attacker's computer, which can eavesdrop as it relays communications between the user and the target site.

"It's very, very, very easy for someone to convince you to go through their computer" when making connections through public Wi-Fi, Andersen said. A user who thinks he is linked to an airport or coffee shop "hot spot," for instance, might actually be linked to a laptop of someone just a few seats away. "A lot of people wouldn't even know they've been attacked," he added.

Most Internet communications, such as to standard hypertext transfer protocol (HTTP) sites, are unsecured, but those involving encryption over the Secure Sockets Layer (SSL) and those using secure shell (SSH) protocol, which involves the use of a login and password, require that sites authenticate themselves with a digital certificate containing a so-called public key, which is used for encryption.

The exchange of this security information typically occurs without the computer user being aware of it. But when something isn't quite right, a dialogue box such as "Unable to verify the identity of XYZ.com as a trusted site" is displayed by the Web browser.

"Most users don't have a clue about what to do in those cases," Wendlandt said. "A lot of them just shrug and go ahead with the connection, potentially opening themselves up to attack."

A vulnerability disclosed in July in the DNS software poses a different problem for computer users, but one that also is addressed by Perspectives. The software flaw could enable an attack against an Internet Service Provider (ISP) that would cause the ISP to connect users with a malicious site instead of the legitimate site they were seeking. "With Perspectives, even if a client's ISP has fallen victim to the attack, the client will be able to detect that the public key received from the fake site is inconsistent with the results returned from the notaries," Wendlandt said.
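The notary comparison described above, and the DNS scenario Wendlandt mentions, can be sketched as a client-side consistency check. This is an added example, not code from the Perspectives project: the function names, notary names, the `min_responses` threshold and the "inconclusive" outcome are assumptions, and the key bytes are constructed sample data.

```python
import hashlib
from collections import Counter

def fingerprint(public_key_bytes: bytes) -> str:
    """SHA-256 fingerprint of the key material a server presented."""
    return hashlib.sha256(public_key_bytes).hexdigest()

def check_with_notaries(browser_fp, notary_reports, min_responses=2):
    """Compare the browser's observation with what each notary observed.

    notary_reports maps a notary name to the fingerprint it saw, or None
    if that notary could not be reached. min_responses is an assumed
    policy knob: with too few answers there is nothing to compare against.
    """
    answered = {n: fp for n, fp in notary_reports.items() if fp is not None}
    if len(answered) < min_responses:
        return {"verdict": "inconclusive", "disagreeing": [], "views": {}}
    # Any notary whose view differs from the browser's is reason to suspect.
    disagreeing = sorted(n for n, fp in answered.items() if fp != browser_fp)
    verdict = "suspect" if disagreeing else "consistent"
    return {"verdict": verdict, "disagreeing": disagreeing,
            "views": dict(Counter(answered.values()))}

# Constructed sample keys (placeholders, not real certificates).
REAL_KEY = b"constructed-public-key-of-legitimate-site"
FAKE_KEY = b"constructed-public-key-of-attacker"

def demo():
    real, fake = fingerprint(REAL_KEY), fingerprint(FAKE_KEY)
    notaries = {"notary-a": real, "notary-b": real, "notary-c": real}
    return {
        # Self-signed site: every vantage point sees the same key.
        "clean": check_with_notaries(real, notaries),
        # Rogue hot spot or poisoned DNS at the client's ISP: only the
        # browser is handed the fake key, the notaries still see the real one.
        "local_mitm": check_with_notaries(fake, notaries),
        # One notary's path to the site returns a different key.
        "split_view": check_with_notaries(real, {**notaries, "notary-c": fake}),
        # Too few notaries reachable to draw a conclusion.
        "offline": check_with_notaries(real, {"notary-a": None, "notary-b": real}),
    }

if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result["verdict"], result["disagreeing"])
```
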

Carnegie Mellon University


