Microsoft offers ideas for users to beat the BEAST threat

Microsoft is urging customers to move from vulnerable versions of SSL/TLS to a newer one that is not susceptible to the recently published BEAST attack; in the meantime it recommends a configuration change that lessens the risk of being victimized.

The ultimate fix for the problem, known as Browser Exploit Against SSL/TLS (BEAST), is upgrading to TLS 1.1 or later (TLS 1.2, defined in 2008, is also unaffected). TLS is the official name for what is still frequently referred to as SSL. The problem is with TLS 1.0 and earlier SSL versions, which encrypt with CBC-mode block ciphers using a predictable initialisation vector.


But because that upgrade is time consuming and not all browsers - Firefox for instance - support TLS 1.1, Microsoft recommends instead reconfiguring the order in which servers running older versions of SSL/TLS rank the cipher suites the protocol negotiates with clients.

BEAST decrypts data inside HTTPS sessions, such as the encrypted requests a browser sends to a bank's web site. It combines attacker-controlled code running in the victim's browser (JavaScript or a Java applet) that makes the browser send chosen plaintext over the existing HTTPS connection, with a position on the network from which the attacker can observe the encrypted traffic. The weakness it exploits is specific to block ciphers in CBC mode as used by TLS 1.0 and earlier: the initialisation vector for each record is the last ciphertext block of the previous record, so the attacker can predict it before choosing the next plaintext. Stream ciphers such as RC4 do not have this property.

The fix Microsoft recommends is changing the order in which SSL/TLS servers negotiate cipher suites so that stream ciphers are preferred over CBC-mode block ciphers. It is not failsafe: the server can only select from the suites the client offers, so there is no guarantee that the device at the other end will accept the stream cipher proposal, and a client that offers no stream cipher suite still ends up on a vulnerable CBC suite.

BEAST was demonstrated by researchers Juliano Rizzo and Thai Duong, who showed that it can decrypt authentication tokens and cookies from HTTPS requests. The bottom line is that attackers can hijack users' sessions. If the session is with a bank, for example, the attacker could act as the victim and steal the victim's funds.

The vulnerability has been known since 2004, but the consensus was that it couldn't be exploited in practice. TLS 1.1, which addresses the vulnerability by giving every record its own explicit IV, was defined by the IETF in 2006 (RFC 4346), but has not been widely implemented because the risk was deemed low and the changes it includes break some Web sites.
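The following Python is an added example, not code from the article or from Rizzo and Duong: it simulates the predictable-IV weakness described above and the TLS 1.1 remedy. The block cipher is a toy keyed Feistel permutation standing in for AES, the cookie value is constructed, the record format is simplified (no MAC or padding, since in CBC the first ciphertext block of a record depends only on the IV and the first plaintext block), and the attacker's "agent" is modelled as a direct call that sends a chosen record on the victim's connection. All of those are assumptions of the demo.

```python
# Added example: BEAST chosen-boundary attack against TLS 1.0-style CBC
# (IV of record n = last ciphertext block of record n-1) and the TLS 1.1
# remedy (fresh random IV per record). Toy cipher, constructed cookie and
# simplified record layer are demo assumptions, not real TLS code.
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher: 4-round Feistel with HMAC-SHA256 round
    functions. It is a permutation (so the oracle below has no false
    positives) but it is a stand-in for AES, not a real cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class CbcSession:
    """CBC record layer. Default: chained IV, as in SSL 3.0 / TLS 1.0.
    explicit_iv=True: random IV per record, as in TLS 1.1 and later (the IV
    travels in clear with the record, but the attacker only learns it after
    committing to a plaintext, which is what defeats BEAST)."""

    def __init__(self, explicit_iv=False):
        self.key = os.urandom(16)
        self.last_block = os.urandom(BLOCK)  # initial IV from the handshake
        self.explicit_iv = explicit_iv

    def send(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0, "demo omits padding; callers align"
        prev = os.urandom(BLOCK) if self.explicit_iv else self.last_block
        out = []
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.last_block = prev          # with chained IVs: the next record's IV
        return b"".join(out)            # ciphertext blocks as seen on the wire


SECRET_COOKIE = b"sid=7f3a9c2e"  # constructed secret the browser appends


def victim_request(session: CbcSession, url_pad_len: int) -> bytes:
    """The victim's browser sends a request whose layout the attacker controls
    only through the URL length; the browser appends the cookie itself."""
    plaintext = b"/" * url_pad_len + SECRET_COOKIE
    plaintext += b"\x00" * (-len(plaintext) % BLOCK)  # record tail; irrelevant here
    return session.send(plaintext)


def beast_recover(session: CbcSession, secret_len: int):
    """Eavesdropper plus in-browser agent: recover the cookie one byte at a
    time. Returns (recovered_bytes, success)."""
    known = b""
    for k in range(secret_len):
        url_pad_len = 15 - (k % BLOCK)          # secret[k] lands last in block blk
        blk = (url_pad_len + k) // BLOCK
        iv_used = session.last_block            # seen on the wire as the prior record
        ct = victim_request(session, url_pad_len)
        target = ct[blk * BLOCK:(blk + 1) * BLOCK]
        prev_ct = iv_used if blk == 0 else ct[(blk - 1) * BLOCK:blk * BLOCK]
        prefix = (b"/" * url_pad_len + known)[blk * BLOCK:blk * BLOCK + 15]
        found = None
        for g in range(256):
            guess_block = prefix + bytes([g])
            # Cancel the predicted next IV: the cipher input then equals
            # prev_ct XOR guess_block, which reproduces `target` iff g is right.
            chosen = xor(xor(prev_ct, session.last_block), guess_block)
            if session.send(chosen)[:BLOCK] == target:   # agent sends chosen record
                found = g
                break
        if found is None:
            return known, False                 # IV was not predictable: no oracle
        known += bytes([found])
    return known, True


if __name__ == "__main__":
    print("chained IV (TLS 1.0):", beast_recover(CbcSession(), len(SECRET_COOKIE)))
    print("explicit IV (TLS 1.1):", beast_recover(CbcSession(explicit_iv=True), len(SECRET_COOKIE)))
```

Run as-is, the chained-IV session gives up the whole cookie with at most 256 chosen records per byte, while the explicit-IV session fails on the very first byte because the attacker can no longer cancel the IV when choosing the plaintext. Microsoft's workaround of preferring RC4 sidesteps the problem by avoiding CBC altogether; note that RC4 was itself later found weak enough that RFC 7465 (2015) prohibits it in TLS, so the lasting fix is TLS 1.2 or later, not a stream-cipher preference.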

The vulnerability BEAST exploits is unrelated to the threats posed by the recent attacks on SSL certificate authorities. In those cases, attackers obtained fraudulently issued certificates, enabling them to impersonate genuine servers and dupe victims into thinking they were at legitimate sites; the encryption itself was never broken.

BEAST, by contrast, recovers plaintext from properly encrypted SSL traffic.

By Tim Greene, Network World