ASV Reports: The BEAST Inside

Many of our ASV customers are seeing scan reports making reference to a “BEAST” attack susceptibility. But what is it, and more importantly, how can you fix it?

The bad news is that our ASV scan report is informing you that the strong encryption on your “secure” web server could be rendered useless and your customers' accounts could therefore be compromised. That should be enough to give any of you sleepless nights, but the good news is that a configuration change is probably all that is needed to mitigate this particular attack.

I’ll post a more technical follow-up which includes technical fix information. In the meantime, here’s the background story for those of you who are interested.

About a year ago, two researchers discovered weaknesses in the encryption used on the majority of web sites. Further to their research, they released a tool that claimed to be capable of forcibly decrypting the confidential communication between a user and a web site. As an example, they showed how the tool could be used to break into a connection with PayPal, exposing information that was previously thought to be securely transmitted. As you can imagine, it caused a bit of a stir in the information security community.

The researchers were Thai Duong and Juliano Rizzo, and their tool was “Browser Exploit Against SSL/TLS” – BEAST for short.

Using the BEAST tool to actually break into secure connections is somewhat tricky, and requires a number of supporting factors to be in play: the web server needs to be configured in a certain way, the attacker needs to be able to access the network traffic emanating from the user, and the vulnerable user needs to be tricked into loading the BEAST tool via a web link of some kind.

However, these factors are in no way insurmountable if the attacker is sufficiently motivated and equipped. Given the fact that there are still many web sites that are configured in a way that would enable a BEAST attack on the user, we should assume that BEAST remains at least potentially viable for the foreseeable future.

Reference: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
