Experts Explain the Risks Posed by the Lucky 13 Attack

Venafi and GlobalSign representatives share some insight on the matter

By on February 5th, 2013 19:01 GMT

Earlier today we learned that experts have identified a new attack method against the Transport Layer Security (TLS) and Datagram TLS (DTLS) protocols. Dubbed Lucky 13, the attack can help cybercriminals gain access to sensitive information transmitted by regular users and organizations.

According to Ryan Hurst, GlobalSign's chief technology officer, the SSL protocol is not broken. However, although it now carries a new name (TLS), it is worth noting that the protocol is almost 20 years old.

“Unlike other recent attacks, such as BEAST, Lucky Thirteen requires a server-side fix. This means that complete and effective protection against this attack will require all webservers to be updated or patched,” Hurst explained.

“That said, it is possible to mitigate the attack by removing CBC cipher suites, since the attack is against SSL/TLS’s use of CBC.”

The expert believes that organizations should not panic over this as long as they follow industry best practices when deploying SSL.
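The mitigation Hurst describes, dropping CBC cipher suites until servers are patched, is something an administrator can check rather than assume. The following Python script is an added illustration written for this article; it is not code from GlobalSign, Venafi or the article's author. It classifies the entries that `ssl.SSLContext.get_ciphers()` returns (a constructed sample list is embedded, in the same shape), lists the CBC suites, and builds a server context from a hypothetical AEAD-only cipher string (`HARDENED_CIPHERS`, an assumption of this example) so that no CBC suite can be negotiated at all.

```python
import re
import ssl

# Constructed sample in the shape returned by ssl.SSLContext.get_ciphers():
# the suite name plus OpenSSL's one-line description. The two middle entries
# are CBC suites of the kind Lucky 13 targets; the last is an RC4 stream
# cipher, which is not CBC but is no longer acceptable either.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256",
     "description": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA "
                    "Enc=AESGCM(128) Mac=AEAD"},
    {"name": "ECDHE-RSA-AES256-SHA384",
     "description": "ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA "
                    "Enc=AES(256) Mac=SHA384"},
    {"name": "AES128-SHA",
     "description": "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"},
    {"name": "RC4-SHA",
     "description": "RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1"},
]


def classify_cipher(entry):
    """Return 'aead', 'cbc' or 'stream' for one get_ciphers() entry.

    In TLS 1.0 to 1.2 every non-AEAD block-cipher suite runs in CBC mode,
    so a suite whose MAC is not 'AEAD' and whose bulk cipher is not a stream
    cipher (RC4, ChaCha20) is a CBC suite. Newer Python versions also report
    an 'aead' boolean; the description string is the fallback.
    """
    desc = entry.get("description", "")
    if entry.get("aead") or "Mac=AEAD" in desc:
        return "aead"
    enc = re.search(r"Enc=([A-Za-z0-9]+)", desc)
    algo = enc.group(1).upper() if enc else ""
    if algo.startswith("RC4") or algo.startswith("CHACHA"):
        return "stream"
    return "cbc"


def audit_cipher_list(entries):
    """Map each suite name to its class so the CBC suites can be listed."""
    return {e["name"]: classify_cipher(e) for e in entries}


def cbc_suites(entries):
    """Names of the CBC suites in a get_ciphers()-style list, sorted."""
    return sorted(n for n, c in audit_cipher_list(entries).items() if c == "cbc")


# Hypothetical hardened OpenSSL cipher string (an assumption of this example):
# ECDHE key exchange with AEAD bulk ciphers only, so no CBC suite remains.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def hardened_context():
    """Server-side context restricted to AEAD suites for TLS 1.2.

    TLS 1.3 suites, where the library offers them, are AEAD-only anyway.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def context_offers_cbc(ctx):
    """True if the context would still negotiate any CBC suite."""
    return bool(cbc_suites(ctx.get_ciphers()))


if __name__ == "__main__":
    for name, cls in audit_cipher_list(SAMPLE_CIPHERS).items():
        print(f"{name:32} {cls}")
    print("CBC suites in sample:", cbc_suites(SAMPLE_CIPHERS))
    print("hardened context offers CBC:", context_offers_cbc(hardened_context()))
```

Running `audit_cipher_list` over `ctx.get_ciphers()` for a server's real context tells you which CBC suites it still offers; the hardened context shows the other half of the mitigation, refusing to offer them. Removing CBC is a stopgap: as Hurst notes, the complete fix is a patched TLS implementation on every server.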

On the other hand, Jeff Hudson – the CEO of enterprise key and certificate management (EKCM) solutions provider Venafi – highlights the fact that we're witnessing a trend in new attacks that undermine the ability of businesses and governments to control trust.

“In order to prepare and be in position to defend themselves against a Lucky 13 or any other attack on trust, organizations need to identify where they are using encryption and digital certificates,” Hudson told Softpedia.

“In this case, almost every secure protocol from HTTP to SMTP to LDAP relies on TLS or SSL to protect data and authenticate machines and people. The Lucky 13 attack is especially troubling since attackers can use it to gain knowledge of other sensitive information such as user IDs and passwords that are exchanged in early stages of communications that TLS and SSL are used to secure,” he added.

“You won’t know how to protect yourself and take action unless you know where deep inside of your data center, out to customers, and in the cloud you’re using encryption and digital certificate-based authentication.”

The expert believes that cybercriminals are well aware of the fact that many organizations rely on the security provided by protocols such as TLS and digital certificates and they will not hesitate to exploit these weaknesses.

Hudson stresses that it’s crucial for businesses and even governments to identify where digital certificates and encryption are being utilized in order to manage them efficiently.

“You can’t control trust until you know where security gaps exist. Just knowing about a ‘technical’ vulnerability isn’t enough; the only way organizations can reduce the risk of a successful Lucky 13 attack impacting them is to know where and how you’re using your most valuable security assets – encryption keys and digital certificates.”
