
How to Protect Yourself from the BEAST Attack


January 30, 2012


Software & Security

Picture this: you open your web browser, log in to your bank account… and an eavesdropper on the network recovers the session cookie your browser uses to prove who you are, then uses it to see everything in your account, make fraudulent transactions, and even change the password. It sounds pretty scary, right? There are ways to defend against this attack, and I’ll give you a quick rundown.

Let’s begin with how the attack works, so the defenses make sense. BEAST (Browser Exploit Against SSL/TLS) was published in September 2011 and targets a weakness in SSL v3 and TLS v1.0, the protocol behind https:// connections. In those versions, CBC-mode ciphers use the last encrypted block of the previous record as the starting value (the IV) for the next record, and that block is visible to anyone watching the network. An attacker who can both observe your traffic (for example on a shared or compromised network) and get code into your browser, typically by injecting it into a plain http:// page you visit, can have that code make requests to the target https:// site with carefully chosen content. Each request lets the attacker test one guess at one byte of the encrypted session cookie, by checking whether a chosen block encrypts to the same ciphertext as the block holding the cookie; with at most 256 guesses per byte, the whole cookie is recovered. For example, an attacker targeting Gmail waits for you to log in at https://www.gmail.com, recovers your session cookie, and then uses it to act as you: changing the account password right away, or quietly sending spam from your account in the background.
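The following is an added illustration, written for this page and not code from the original post or from the BEAST authors. It simulates the chained-IV weakness in miniature: a stand-in 8-byte Feistel block cipher instead of AES (the attack does not care which block cipher CBC wraps), no MAC, PKCS#7-style padding, a constructed demo key and session cookie, and a `request()` call that plays the role of the attacker’s injected script making the browser send `prefix + cookie` over the encrypted connection while the attacker reads every record off the wire. The attack recovers the cookie byte by byte against the TLS 1.0 model and gets nothing against the TLS 1.1 model, which uses a fresh random IV for every record.

```python
"""Miniature BEAST: chained CBC IVs (TLS 1.0) vs per-record random IVs (TLS 1.1)."""
import hashlib
import os

BLOCK = 8  # block size of the stand-in cipher; AES would be 16, the attack is the same

# Constructed demo values for this example (not from any real session).
KEY = b"constructed-demo-key-not-a-real-one"
COOKIE = b"sid=4f7e2a91c3"


def xor(*parts: bytes) -> bytes:
    out = bytes(parts[0])
    for part in parts[1:]:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation standing in for AES. Not a real cipher, but a
    bijection on 8-byte blocks, which is all that CBC (and the attack) relies on."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, right, rnd))
    return right + left


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding (TLS pads slightly differently; irrelevant here)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(plaintext[i : i + BLOCK], prev))
        out += prev
    return out


class Tls10Browser:
    """Victim browser on TLS 1.0. Every request body is `prefix + cookie`, where the
    prefix is chosen by the attacker's injected script. The IV of each record is the
    last ciphertext block of the previous record, exactly as in TLS 1.0 CBC."""

    def __init__(self, key: bytes, cookie: bytes) -> None:
        self.key, self.cookie = key, cookie
        self.chain = os.urandom(BLOCK)  # the very first IV comes from the key block

    def request(self, prefix: bytes) -> bytes:
        record = cbc_encrypt(self.key, self.chain, pad(prefix + self.cookie))
        self.chain = record[-BLOCK:]
        return record  # what the attacker sees on the wire


class Tls11Browser(Tls10Browser):
    """Same victim on TLS 1.1+: a fresh random IV per record, sent in the clear."""

    def request(self, prefix: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(prefix + self.cookie))


def beast_recover(browser: Tls10Browser, cookie_len: int) -> bytes:
    """Attacker side. Needs the two things BEAST needs: control of the request prefix
    (code in the browser) and sight of every ciphertext record (network position).
    Returns the recovered cookie bytes; stops early when no guess matches."""
    recovered = b""
    last_block = browser.request(b"")[-BLOCK:]  # observe one record to learn the chain
    for k in range(cookie_len):
        # Pick the prefix length so cookie byte k is the LAST byte of a block whose
        # other BLOCK-1 bytes are already known (prefix bytes + recovered cookie bytes).
        prefix = b"A" * ((BLOCK - 1 - k) % BLOCK)
        record = browser.request(prefix)
        idx = (len(prefix) + k) // BLOCK
        target = record[idx * BLOCK : (idx + 1) * BLOCK]
        prev = record[(idx - 1) * BLOCK : idx * BLOCK] if idx else last_block
        known = (prefix + recovered)[idx * BLOCK : idx * BLOCK + BLOCK - 1]
        last_block = record[-BLOCK:]
        for guess in range(256):
            # The next record's IV is last_block, so the cipher input for this block
            # is crafted ^ last_block = (known || guess) ^ prev: identical to the
            # target block's input when the guess is right, hence identical ciphertext.
            crafted = xor(known + bytes([guess]), prev, last_block)
            probe = browser.request(crafted)
            last_block = probe[-BLOCK:]
            if probe[:BLOCK] == target:
                recovered += bytes([guess])
                break
        else:
            break  # no guess matched: the IV was not predictable (TLS 1.1 case)
    return recovered


if __name__ == "__main__":
    print("TLS 1.0:", beast_recover(Tls10Browser(KEY, COOKIE), len(COOKIE)))
    print("TLS 1.1:", beast_recover(Tls11Browser(KEY, COOKIE), len(COOKIE)))
```

Run it and the TLS 1.0 line prints the full constructed cookie after at most 256 requests per byte, while the TLS 1.1 line prints an empty value: with a random IV per record the attacker can no longer arrange for a chosen block to be fed into the cipher with a known IV, so the equality test that drives the attack never fires. Real BEAST has extra machinery (aligning HTTP requests so the cookie straddles a block boundary, and a same-origin bypass so the injected code can talk to the target site), but the cryptographic core is exactly this loop.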

Based on what we know about BEAST, there are ways to keep your accounts safe:

1) Upgrade your web browser. The latest web browsers support TLS 1.1 and TLS 1.2, which fix the hole in SSL v3 and TLS v1.0 by giving every record its own fresh, random IV. Note that the newer protocol is only used if the website’s server supports it too. Browser vendors also shipped a workaround that blocks the attack even over TLS 1.0 (splitting off the first byte of each record so the attacker can no longer line up a guess with the cookie), so an up-to-date browser helps even against servers that still only speak TLS 1.0.

2) Disable JavaScript. The attack needs attacker-controlled code running inside your browser to make the chosen requests (the original demonstration actually used a Java applet rather than JavaScript, so disable Java as well). Blocking that code stops the attack. Unfortunately, it will also break important functionality on many of the websites you visit.

3) Close your browser often. The attacker must complete the attack within one browser session: the prize is the session cookie, and the value they are piecing together is discarded when you log out or close the browser, with a fresh login getting a new one. If you close your browser, they have to start over, so leaving it open for long periods just makes their job easier.

4) Go directly to secure sites. Do not access non-secure websites, do not collect $200! Just kidding on that last part. The attacker’s code gets into your browser through a plain http:// page, so when you wish to log in to a secure account, open your browser and go straight to that website using https://. Do not make any detours to non-secure websites, and that means you should even avoid http://www.google.com.

5) Use incognito or private browsing. Most browsers have a “private browsing” feature that discards cookies when the window is closed. When you open an “incognito” window, the browser essentially treats it as a separate browser session with its own cookies, so a page open in your normal window cannot ride on the login you make there. Again, exercise the same caution as above in the new window.

6) Check that your accounts are hosted on a properly configured server. This is about the server’s TLS configuration (which protocol versions and ciphers it offers), not about its SSL certificate; a brand-new certificate on a server that only speaks TLS 1.0 is still vulnerable. Most of the bigger-name companies (Google, Bank of America, etc.) have already updated their server configuration, but many small businesses have not caught the security wave just yet; it was estimated at the time of writing that around 90% of websites were still vulnerable. So to be sure your account is safe, check with the webmaster that the site offers TLS 1.1 or TLS 1.2.

What can website owners do to protect their customers from this exploit? Make sure your server offers TLS 1.1 or TLS 1.2, confirm that a current browser actually negotiates them (a TLS scanner or openssl s_client will show which versions and ciphers the server accepts), and scan your website regularly for PCI compliance. One word of caution: another popular workaround for BEAST was to prefer the RC4 stream cipher so that CBC is never used; RC4 has since been shown to be weak and is now prohibited in TLS (RFC 7465), and TLS 1.0 itself has since been deprecated (RFC 8996), so neither is a fix to adopt today. If you need assistance in securing your website, please contact JT Website Design for an evaluation.
