Hackers Crack Internet Encryption: Should You Be Worried?

BEAST is an attack developed by two security researchers that recovers secrets, such as session cookies, from the encrypted connections most browsers and websites rely on

Data encryption is the cornerstone of Internet security. Every time you log into your email account or sign into an online retailer like Amazon, chances are that your browser is establishing a secure connection to the server using an encryption technology called TLS (Transport Layer Security).

First published in 1999 as an improvement over SSL (Secure Sockets Layer) 3.0, TLS 1.0 is the protocol version underneath most HTTPS connections today and is effectively the Web standard for encrypting data in transit. Almost all websites and browsers use TLS to secure information being transferred between you and the site, and now security researchers Thai Duong and Juliano Rizzo claim to have broken the confidentiality of TLS 1.0 connections using just a traffic sniffer and a small piece of JavaScript code.

Duong and Rizzo performed a live demonstration of the attack, codenamed BEAST (Browser Exploit Against SSL/TLS), at the Ekoparty security conference in Buenos Aires in September. While the details of the attack are highly technical, we now know it starts with a snippet of JavaScript that the attacker gets running in your browser, for example when you follow a suspicious link or visit a malicious website, while the attacker is also watching your encrypted traffic to the target site (on an open wireless network, say). BEAST is not malware that installs itself; the script only needs to run while you are logged into the target site.

Once the script is running, it makes your browser send requests to the encrypted site with plaintext chosen by the attacker placed just in front of your session cookie, while the sniffer records the resulting encrypted traffic. The weakness it relies on is that TLS 1.0 uses the last encrypted block of one record as the starting value (the initialisation vector) for the next record, so the attacker can predict how the next block of data will be chained. That lets the attacker test a guess for a single unknown byte of the cookie at a time: the browser is made to encrypt a block crafted from the guess, and the guess is correct exactly when the encrypted block it sends matches one that was captured earlier. No guessing of the encryption key is involved.

Each byte takes at most 256 guesses, so the process is slow but certain. After enough time passes (roughly five to ten minutes for a demonstration cookie, according to reports that Rizzo sent to The Register), BEAST has recovered the session cookie byte by byte, and with that cookie the attacker can present themselves to the site as you. The encryption key itself is never recovered and never needs to be; the attack only reconstructs the plaintext of the cookie that your browser keeps sending inside the encrypted session.
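The block-wise chosen-plaintext mechanism described above, as an added simulation written for this page (it is not the researchers' code, which the article does not reproduce). It assumes a toy 16-byte Feistel cipher standing in for AES-128, a simplified CBC record layer with no MAC or padding bytes, a constructed sample cookie value, and a victim model in which attacker-controlled script can put a chosen prefix in front of the secret in each request. The same code is run twice: once with TLS 1.0-style chained IVs, where the cookie is recovered, and once with per-record random IVs as in TLS 1.1 and later, where no guess ever matches.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on 16-byte blocks, standing in for AES-128.
    Only the forward direction is needed: the attacker never decrypts anything."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


class CbcSender:
    """CBC record layer. With chained IVs (TLS 1.0) each record is chained off the last
    ciphertext block of the previous record, which the sniffer has already seen on the wire.
    With random_iv=True (TLS 1.1/1.2 behaviour) every record gets a fresh, unpredictable IV."""

    def __init__(self, key: bytes, iv: bytes, random_iv: bool = False):
        self.key, self.prev, self.random_iv = key, iv, random_iv

    def send(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0  # caller pads; TLS padding/MAC omitted for clarity
        if self.random_iv:
            # TLS 1.1 transmits this IV in the clear, but it is chosen only after the
            # attacker has committed to the record's plaintext, so it cannot be cancelled out.
            self.prev = os.urandom(BLOCK)
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            self.prev = toy_block_encrypt(self.key, xor(plaintext[i : i + BLOCK], self.prev))
            out += self.prev
        return out


class VictimBrowser:
    """Attacker-controlled JavaScript makes the browser issue requests whose body starts
    with an attacker-chosen prefix; the browser then appends the secret cookie itself."""

    def __init__(self, sender: CbcSender, secret: bytes):
        self.sender, self.secret = sender, secret

    def request(self, prefix: bytes) -> bytes:
        body = prefix + self.secret
        body += b"\x00" * (-len(body) % BLOCK)  # stand-in for the rest of the request
        return self.sender.send(body)


def beast_recover(victim: VictimBrowser, secret_len: int):
    """Block-wise chosen-plaintext attack: recover the secret one byte at a time.
    Returns the secret, or None if no guess ever matches (as with unpredictable IVs)."""
    wire = bytearray()  # everything the passive sniffer has seen so far

    def observe(prefix: bytes) -> int:
        start = len(wire)
        wire.extend(victim.request(prefix))
        return start  # offset of this record on the wire

    observe(b"A" * BLOCK)  # warm-up: from now on every chained IV is a block we have seen
    recovered = b""
    for k in range(secret_len):
        # Choose the prefix length so the target block holds 15 known bytes + 1 unknown byte.
        prefix = b"A" * ((BLOCK - 1 - k) % BLOCK)
        b = k // BLOCK  # index of the target block inside the record
        start = observe(prefix)
        pos = start + BLOCK * b
        target = bytes(wire[pos : pos + BLOCK])
        c_prev = bytes(wire[pos - BLOCK : pos])  # the block chained into the target block
        known = (prefix + recovered)[BLOCK * b : BLOCK * b + BLOCK - 1]
        for g in range(256):
            guess = known + bytes([g])
            iv_next = bytes(wire[-BLOCK:])  # predictable IV of the record we are about to trigger
            # E(x XOR iv_next) == E(guess XOR c_prev) == target  iff  guess is the real block
            s = observe(xor(xor(guess, c_prev), iv_next))
            if wire[s : s + BLOCK] == target:
                recovered += bytes([g])
                break
        else:
            return None
    return recovered


def demo(random_iv: bool = False):
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    secret = b"sid=deadbeefcafef00d"  # constructed sample session cookie
    victim = VictimBrowser(CbcSender(key, iv, random_iv), secret)
    return beast_recover(victim, len(secret))


if __name__ == "__main__":
    print("chained IV (TLS 1.0):", demo())
    print("random IV  (TLS 1.1):", demo(random_iv=True))
```

Two things the simulation makes concrete: the attacker only ever compares ciphertext blocks, so the key is irrelevant to the attack, and the whole thing collapses as soon as the IV of the next record is no longer something the attacker has already seen. That second point is why an explicit per-record IV (TLS 1.1 and later) or a browser-side workaround that stops the attacker from controlling a whole aligned block closes the hole.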

It’s a slow process, and the weakness it exploits, the chaining of CBC initialisation vectors in SSL 3.0 and TLS 1.0, was known to cryptographers years before the demonstration. Prior to their public demonstration, the researchers notified the developers of popular browsers like Firefox and Internet Explorer, and hopefully the publicity surrounding this vulnerability encourages more server and browser developers to move to more recent protocol versions like TLS 1.1 or 1.2, which give every record its own explicit, unpredictable initialisation vector and so are not vulnerable to a block-wise chosen-plaintext attack like BEAST. Microsoft has already promised to patch Windows to protect users against BEAST, and Kaspersky Lab expert Kurt Baumgartner believes Chrome users have little to worry about, as the Chromium source code was patched to protect against this exploit three months ago.

The slow pace of upgrades is the real worry: TLS 1.1 has been available since 2006, yet most websites and browsers still do not support it, because of the time and effort required to update every service that depends on the connection (like browser extensions in Chrome or the Facebook Connect API) to a newer protocol version. Until they do, your protection rests on your browser vendor’s workaround and on your own habits. The attack needs the attacker to get JavaScript running in your browser while watching your traffic, so keep your browser up to date, be wary of untrusted networks, never open unsolicited mail or click on links you don’t trust, be careful about the data you share on social networks, and change your passwords often.

Stories by Alex Wawro
