Hackers expose weakness in visiting trusted sites
LAS VEGAS (AP) — A powerful new type of Internet attack works like a telephone tap, except it operates between computers and Web sites they trust.
Hackers at the Black Hat and DefCon security conferences have revealed a serious flaw in the way Web browsers weed out untrustworthy sites and block anybody from seeing them.
If a criminal infiltrates a network, he can set up a secret eavesdropping post and capture credit card numbers, passwords and other sensitive data flowing between computers on that network and sites their browsers have deemed safe.
In an even more nefarious plot, an attacker could hijack the auto-update feature on a victim’s computer, and trick it into automatically installing malware pulled in from a hacker’s Web site. The computer would think it’s an update coming from the software manufacturer.
The attack was demonstrated by three hackers. Independent security researcher Moxie Marlinspike presented alone, while Dan Kaminsky, with Seattle-based security consultancy IOActive Inc., and security and privacy researcher Len Sassaman presented together.
