BREACHed in 30 seconds: your stuff isn't secure!

By Matt de Neef | Indeterminate Blog Team
The topic of this story originally appeared on ITWeb.co.za


If you’re planning to read this article, you’d probably want to sit down. If you’re already sitting, I’d suggest you close your other browser tabs. Go on, I’ll wait…You’re done? Good, now what I’m going to discuss may make you break out in somewhat of a cold sweat, so brace yourself. Literally. Jokes aside, there was some angst-inducing info we recently spotted on the ITWeb South Africa site.

uh, BREACH is worse...
Putting it bluntly, imagine this scenario: you’re on your favourite internet banking site, and because you’re a careful consumer you check the HTTP address you’re going to, type the URL yourself, and check for the green lock icon in your browser: “128-bit AES traffic security”. You lean back and relax a little because now you know that the information you’re going to input is safe from prying eyes. It’s HTTPS right? Wrong. A new kind of hacking technique, aptly named BREACH, can access your private secured data, like PINs, card numbers, login details, online shopping and internet banking transactions, and stream it to the person performing the breach. This hack method, which stands for “browser reconnaissance and exfiltration via adaptive compression of hypertext”, besides the technobabble name, is extremely dangerous because any encrypted connection between you and another server used to make sure nobody gets your information, is now insecure, plus it takes just 30 seconds for the shenanigans to happen.




Attacks like these usually get brought to light at the annual hacker expo. Don’t laugh, it actually exists, and it known as Black Hat. Here, the brightest (and possibly the darkest) minds in IT figure out how to violate every security measure in the computer world. Before you get angry about this, the Black Hat conference is actually very useful to computer companies because from the breaches these guys cause, new security measures can be implemented, simply because it’s easier to fix when you know where the problem is.
Ironically this hack, which [switching to geek] lets the attacker “manipulate data compression” in secure data streams to “exfiltrate pieces” of sensitive info, like bank account info, credit card numbers and so on. Guess what? BREACH is rumoured to be an extension of CRIME, another hack which lets a hacker “hijack” your browser and stream the info you put into it to their PC. Scary stuff!

The ultimate conference for hackers.
Want to hear something else scary? This BREACH attack was first demonstrated by researchers Angelo Prado and Yoel Gluck at the Black Hat conference, in none other than the Outlook Web Access system. In case you’re still too shocked to know what that means: Our UKZN email system’s login page is secure, but they managed to get any login info from that kind of page. It boils down to the fact that if BREACH were used on the campus network, a hacker could simply pick up all our email addresses and passwords and use them for anything he/she wanted. It extends to any other secure info, actually. Yeah, I’m as freaked out as you are!

Crawl away from your computer then, and go sit in your bomb-proof shelter, because at the moment there’s no solution. Okay fine, the attack has no solution but the BREACH method itself was done in an isolated environment so the hack shouldn’t affect us just yet. The mere fact that it’s possible raises questions on how we just throw our personal information at a random server just because there’s a “lock” icon.  Think about that!


Thanks for reading! Comment below or find us on our forums for some more hacking discussion!    This article uses source material from: http://www.itweb.co.za/index.php?option=com_content&view=article&id=66321