Now that SSL has been cracked, watch out

Organizations can ignore the BEAST attack against SSL today, but the tools behind the exploit will only continue to evolve

Page 2 of 3

Two additional preconditions do severely limit the success of this particular attack: First, the attacker must be able to get a target user's browser to run special JavaScript coding -- and the coding must originate from the same "origin" as the targeted HTTPS site. Most of today's browsers don't allow JavaScript originating from one location to impact another HTTP/HTTPS stream.

But it isn't impossible for the precondition to be in place. Attackers routinely run malicious JavaScript on websites that we fully trust. Often this is done by the attacker exploiting a weakness in the website or, even more common these days, by placing a malicious advertisement on the website that runs their rogue JavaScript code.

What makes it difficult is coordinating it all: The attacker must know what HTTPS websites the victim will be visiting and inject malicious JavaScript beforehand. Plus, the attacker has to establish that man-in-the-middle connection. That's a fairly challenging set of preconditions to create and coordinate.

From there, the attacker has to hope that the user keeps his or her targeted session active as the BEAST conducts its crypto-attack against the HTTPS cookie. That doesn't take long. Still, if the user logs out of the HTTPS-attacked website or closes the browser completely (and doesn't simply close the HTTPS website, which is more common), the attacker may be able to decode the encrypted cookie, but it is unlikely to be useful in future, new connections unless the cookie is poorly implemented.

Again, this is not impossible. If I'm a bad guy trying to break into a particular company, I could hang out in coffee shops and watering holes that are near the targeted company's main offices. You can figure out what sites the company employees are visiting by walking by their screens over a few days and learning where they surf. There's a good chance that many will frequently many of the same websites, including popular social media sites and common company sites.

The attacker can then exploit one of those websites, including buying legitimate ads that they then inject their malicious JavaScript into. After that, the hard part is over: The attacker simply needs to launch a man-in-the-middle attack against the common public, free networks in the area and wait for one of the company employees to visit the exploited site. Alternatively, an attacker can use another browser exploit that circumvents the same-origin protection policies. After that, the BEAST attack can be launched and, if lab tests are accurate, is likely to be successful.

But far easier attacks that accomplish the same goals already exist. Attackers are in many, if not most, of the world's networks already, and they didn't need complicated attacks with multiple preconditions. They are already in deep without using the BEAST attack. They used social engineering Trojans, fake antivirus programs, or programs that took advantage of unpatched software. Right now, Adobe and Java products are heavily targeted.

| 1 2 3 Page 2
New! Download the State of Cybercrime 2017 report