Security Experts:

The BEAST - Security Hype from the Net?

The Internet Represents Enormous Complexity, And One of The Most Profitable Vehicles For Commerce And Crime The World Has Ever Seen.

In September of 2011, two security research guys, Juliano Rizzo and Thai Duong, presented a paper at the ekoparty Security Conference in Buenos Aires, Argentina. While the technical aspects of their paper go beyond the understanding of all but hard-core security geeks, the underlying security ramifications are far simpler and deeper than just the SSL vulnerability the two reported.

Let’s start with a simplistic description of the security issue they presented, aptly named BEAST (Browser Exploit Against SSL/TLS).

Internet Security VulnerabilitiesAt the heart of Internet security, whether it be financial information, personal privacy or national secrecy, is the transmission of data in an encrypted form. The data that originates from your home or office computer will pass through many ‘nodes’ along its way to a server across the country. At each node, someone could easily sniff out your information if it is not protected in some fashion.

The technology that provides this protection is called SSL (Secure Sockets Layer), or its more mature sibling, Transport Layer Security (TLS). Each of these is a well-defined set of rules that allows a browser and a server to negotiate a security protocol that both will agree on and use. As the Internet has matured, SSL and TLS protocols have grown in sophistication and complexity, with each new version theoretically becoming far more difficult to break. Until Rizzo and Duong released their September 2011 paper, the innate security of SSL and TLS was taken for granted.

The BEAST attack described by the authors revealed a security flaw that breaks underlying encryption algorithms. A de-geeked description of this starts with the fact that protected data is sent using a ‘key’ that only the browser and server should know. And, to make it even harder to crack, each new packet of data uses a new key that was encoded in the previous packet.

The BEAST attack ‘tricks’ the browser into revealing a packet’s contents in plain text (no encryption). With this plain text data, a little bit of work and a lot of calculations, a BEAST attacker can guess the first ‘key,’ and from there the entire set of protected packets.

A recent report based on data from a Trustworthy Internet Movement (TIM) project called SSL Pulse indicated an alarming 90 percent susceptibility rate among web sites to BEAST-like attacks. This means that almost all of the world’s most popular web sites are targets for unauthorized decryption of protected data.

Despite the media hoopla, the fortunate truth is that the attack requires a relatively rare combination of browser and server protocol negotiation, and the processing time required to decrypt data is still prohibitive.

The real concern is not that cyber thieves are using the SSL/TSL vulnerabilities – but that these weaknesses exist across the entire spectrum of web sites and pose potential security problems.

The World’s Greatest Invention at Risk?

The far more interesting aspect of the BEAST vulnerability conversation is not the fact that the BEAST exists, but rather that it points out the complexity of the Internet – so complex and changing that researchers (and criminals) continue to probe ways to exploit its inherent flaws.

Therein lies the problem. The Internet not only represents enormous complexity, but also one of the most profitable vehicles for commerce and crime the world has ever seen.

Cyber crime is a multi-billion dollar industry, fueling its own sub-economies and research efforts in order to grow. This is compounded by the fact that cyber crime can be executed anonymously from countries where cyber criminals are seldom prosecuted and sometimes even encouraged.

Technological complexity never comes without flaws. For every new component put in place, there will be numerous special conditions or unforeseen secondary effects that its creators never considered. It is these flaws that cyber criminals take advantage of – often with the ability to extract money from users of the Internet.

The Internet version of the Perfect Storm should now be apparent. We have one of the most important technological and commercial entities ever created, the Internet, with its inherent usage anonymity making it one of the safest crime opportunities in history. We then combine this with a constant introduction of exploitable technology flaws as the Internet evolves. Rather than be a surprise, the cyber crime industry should be viewed as inevitable.

The Internet will continue its enormous growth; consequently, the cyber wars between its creators and those who wish to exploit it will follow. Thus, the security vulnerability represented by the BEAST should not be viewed as a major crime risk, rather as just one of hundreds, if not thousands, of Internet flaws that will soon to be discovered (or introduced) in the near future.

No, the BEAST is not an indicator of the inevitable death of the Internet – nor should consumers and businesses shy away from its use because of the security problems that surround it. With all of its flaws, the Internet is and will continue to be a significant force in the global economy and connectivity.

Subscribe to the SecurityWeek Email Briefing
view counter
Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.