Welcome!

Government Cloud Authors: Elizabeth White, Pat Romanski, Dana Gardner, Liz McMillan, Gopala Krishna Behara

Press Release

BEAST Browser Security Threat Is Not as Fierce as It Looks

Context plays down risk of SSL vulnerability posed by Browser Exploit Against SSL/TLS.

Researchers at Context Information Security are playing down the level of risk to businesses and government organisations posed by BEAST, or Browser Exploit Against SSL/TLS. Recently disclosed by Thai Duong and Juliano Rizzo, the SSL vulnerability allows an attack on a browser to decrypt cookies and compromise HTTPS, giving access to encrypted website log-on credentials. But Context believes that hackers are very unlikely to use this complex attack and also provides some advice on how to further reduce the risks.

"In effect, BEAST is simply a practical way to exploit an existing theoretical vulnerability in older versions of TLS/SSL (TLSv1.0, SSLv3.0 and lower), commonly used for HTTPS connections," said Michael Jordon, research and development manager at Context. "For an attack to be effective, a vulnerable version of SSL using a block cipher must be used; network sniffing of the connection must be possible; and there also has to be a successful Java applet injection into the same origin of the web site."

Developers can already increase the complexity and mitigate the risk of malicious content being injected within the same origin through actions such as setting the HTTPOnly property that prevents applets or JavaScript to gain access to the cookie and prevent session hijacking. Therefore, in terms of risk, the BEAST attack is akin to not setting the HTTPOnly property on cookies that is not unusual among websites.

"If people are concerned about the BEAST attack, we suggest they first look to see if their HTTPOnly property is set properly. If it is not, then a BEAST attack would not be needed to deliver the same opportunities to hackers," says Jordon.

The major vendors of both browsers and server-side technologies have also announced that they are working on patches for TLS1.0. Within a controlled environment such as an internal network, it may be possible to upgrade all users and servers to products that support TLS 1.1/1.2. However, this could mean that some users may have difficulties accessing older web servers.

There are also a number of other areas in which the use of session hijacking can be reduced or made more complex, including transferrable session prevention; the use of effective logout and session timeout functions; regeneration of a new and unique cookie value per session; and adoption of one-time passwords.

"The BEAST vulnerability exists but there are simple steps that developers and security managers can take to mitigate the risks and with the number and complexity of mechanisms needed by an attacker, plus the number of greater value attacks that could take place in the same circumstances, we believe that it is unlikely that BEAST will be seen in the wild," concludes Jordon.

Details of Context's research into BEAST can be seen at: www.contextis.co.uk/research/blog/beast/

About Context

Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. Founded in 1998, the company's client base has grown steadily based on the value of its product-agnostic, holistic approach and tailored services combined with the independence, integrity and technical skills of its consultants. The company's client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. As best security experts need to bring a broad portfolio of skills to the job, Context staff offer extensive business experience as well as technical expertise to deliver effective and practical solutions, advice and support. Context reports always communicate findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.

More Stories By NeonDrum News

NeonDrum is a targeted online news release distribution and monitoring service for PR professionals. Our mission is simple: to boost online coverage of your B2B news, help you to punch above your weight in the online channel, and get you seen, heard - and found - by the people that matter.

IoT & Smart Cities Stories
A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to great conferences, helping you discover new conferences and increase your return on investment.
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER gives detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPOalso offers sp...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.