SSL hacked by the BEAST?! Don’t lose sleep yet.

 

 

 

 


The headlines are ominous: "Hackers break SSL encryption used by millions of sites. Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol..." But don't lose sleep yet.

Threatpost.com reports "Two researchers have developed a new attack on TLS 1.0/SSL 3.0 that enables them to decrypt client requests on the fly and hijack supposedly confidential sessions with sensitive sites such as online banking, e-commerce and payment sites."

Yes, it's true. Thai Duong and Juliano Rizzo exploited a decade-old weakness in TLS 1.0's use of cipher block chaining (CBC), and did so in a browser environment. The attack is called BEAST (Browser Exploit Against SSL/TLS). It is a man-in-the-middle attack that uses JavaScript code, along with a packet sniffer, to decrypt secure cookies used in Web transactions.

TLS 1.1 and 1.2 fixed the problem long ago, but most web servers and browsers still use TLS 1.0.

So why shouldn't you immediately panic? Well, the attack is difficult to carry out. For starters, the hacker must be on the same network as the victim, such as a broadband wireless network, to capture packets. Once packets have been captured, it takes approximately 10 minutes to decrypt the data.

As Imperial Violet points out, "it's a much less serious issue than a problem which can be exploited by having the victim merely visit a webpage."

So how can you protect yourself from the BEAST until developers upgrade server software (and some browsers) to TLS 1.1 or 1.2?

  • Secure your network. Implement security procedures to help combat unauthorized access, such as using WPA2 on a wireless network. If hackers can't access your network, they can't capture your local traffic.
  • Disable scripting in your browsers. If scripts can't run, the hack can't succeed. Microsoft has a TechNet article with advice. Firefox users can install the NoScript plug-in.
  • If you're on a public network, such as a wireless network at Starbucks, do not engage in secure transactions unless scripting is disabled.

Do you have other solutions?

The researchers are sending a wake-up call to the industry. Ultimately, software vendors need to fix the issue and remove TLS 1.0 from the Internet altogether. As server software is updated to support TLS 1.1 and 1.2, this BEAST will fade into memory...
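
Until TLS 1.0 is retired, a server operator can measure how many connections still negotiate an affected protocol with a CBC cipher suite. The script below is an added example, not part of the original post: it assumes an access log whose lines end with the negotiated protocol and OpenSSL cipher name (as nginx's `$ssl_protocol` and `$ssl_cipher` variables provide), and the log layout, sample lines and CBC name heuristic are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (assumed layout: client "request" status protocol cipher).
SAMPLE_LOG = """\
198.51.100.7 "GET /login HTTP/1.1" 200 TLSv1 AES128-SHA
198.51.100.7 "POST /login HTTP/1.1" 302 TLSv1 AES128-SHA
203.0.113.20 "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.31 "GET / HTTP/1.1" 200 TLSv1 RC4-SHA
192.0.2.44 "GET /account HTTP/1.1" 200 SSLv3 DES-CBC3-SHA
192.0.2.90 "GET / HTTP/1.1" 200 TLSv1.1 AES256-SHA
192.0.2.91 "GET / HTTP/1.1" 200 - -
"""

LINE_RE = re.compile(r'^(?P<client>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) '
                     r'(?P<proto>\S+) (?P<cipher>\S+)$')

# Protocol versions the article names as affected (TLSv1.1 and later are not).
AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1"}
# Heuristic (assumption): an OpenSSL suite name with none of these markers
# uses a block cipher in CBC mode.
NON_CBC_MARKERS = ("RC4", "GCM", "CHACHA20", "CCM", "NULL")


def is_cbc_suite(cipher: str) -> bool:
    return not any(marker in cipher.upper() for marker in NON_CBC_MARKERS)


def beast_exposed(proto: str, cipher: str) -> bool:
    """True when the connection used SSL 3.0/TLS 1.0 together with a CBC suite."""
    return proto in AFFECTED_PROTOCOLS and is_cbc_suite(cipher)


def audit(log_text: str):
    """Return (exposed request count per client, number of lines skipped)."""
    exposed, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or m["proto"] == "-":   # unparsable line or plain HTTP
            skipped += 1
            continue
        if beast_exposed(m["proto"], m["cipher"]):
            exposed[m["client"]] += 1
    return exposed, skipped


if __name__ == "__main__":
    exposed, skipped = audit(SAMPLE_LOG)
    for client, hits in exposed.most_common():
        print(f"{client}: {hits} request(s) over SSL 3.0/TLS 1.0 with a CBC suite")
    print(f"{skipped} line(s) skipped (no TLS fields)")
```

Clients that show up in the report are the ones that would be cut off, or need an upgrade, when the server stops accepting TLS 1.0.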

Security Blog Comment List
  • Nice article, Patrick. I noticed that The Register has an article where at least some people are saying that, to avoid being affected by this issue, they should disable Java: www.theregister.co.uk/.../firefox_killing_java

  • My company hasn't done anything about this yet, but we're planning for it. Mostly relying on software providers to fix the problem and keeping our network secure as usual. Keeping a close eye on it, though, to make sure it doesn't get worse.
