IT Security Guru

IBM blocks attack in SSL/TLS – The Bar Mitzvah attack

by The Gurus
April 27, 2015
in Opinions & Analysis

IBM recently issued a security bulletin for a newly discovered security vulnerability – a weak cryptography algorithm in the SSL/TLS protocol stack – that could allow hackers to steal data. That vulnerability was discovered by Itsik Mantin, director of security research at Imperva.
The Bar Mitzvah attack uses “a 13-year-old vulnerability of RC4 that is based on huge classes of RC4 weak keys.” Mantin demonstrates how the vulnerability “can be used to mount several partial plaintext recovery attacks on SSL-protected data when RC4 is the cipher of choice, recovering part of secrets such as session cookies, passwords, and credit card numbers.”
Despite the well-known problems with the RC4 cipher, it is still used to protect 30 percent of SSL traffic, Mantin says, “likely amounting to billions of TLS connections every day.” (TLS refers to a more advanced version of Secure Sockets Layer encryption, and is essentially a new name for SSL.) It is clear that it’s time to stop using RC4.
That’s exactly what IBM recommends doing in its security bulletin on the matter. Instead of issuing a patch or a PTF that removes RC4 from the various SSL/TLS implementations on IBM i, IBM’s workaround recommends disabling RC4.
Mantin adds, “As known for quite many years, RC4 is a weak encryption algorithm and the fact that it is still used in situations where there are safer alternatives (in TLS for example), is quite surprising.
Several research efforts in recent years, the Bar-Mitzvah attack being the most recent one, have bridged the gap between cipher vulnerabilities and actual attacks on actual usages of RC4, and to the understanding in the industry that using RC4 in TLS exposes the protected data to leakage in several scenarios.
IBM follows other companies (Microsoft, Imperva and others) and standardization bodies (IETF issuing RFC 7465) in taking action to remove RC4 from the permissible ciphers list in TLS connections.”
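
The rule that RFC 7465 sets for servers, and a check for clients that still offer RC4, as an added example that is not code from IBM, Imperva or this article. The RC4 code points come from the IANA TLS cipher suite registry; the function names, the server preference list and the sample ClientHello are constructed for illustration.

```python
import struct

# RC4 cipher suite code points (IANA TLS Cipher Suites registry).
RC4_SUITES = frozenset({
    0x0003, 0x0004, 0x0005, 0x0017, 0x0018, 0x0020, 0x0024, 0x0028, 0x002B,
    0x008A, 0x008E, 0x0092, 0xC002, 0xC007, 0xC00C, 0xC011, 0xC016, 0xC033,
})

def offered_suites(record: bytes) -> list:
    """Parse one TLS record holding a ClientHello; return offered suite code points."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32             # record header, handshake header, version, random
    pos += 1 + record[pos]           # skip session_id
    try:
        (n,) = struct.unpack_from("!H", record, pos)
        return list(struct.unpack_from(f"!{n // 2}H", record, pos + 2))
    except struct.error:
        raise ValueError("truncated cipher_suites vector") from None

def select_suite(offered, server_preference):
    """RFC 7465 server rule: never select RC4; return None if nothing else is shared."""
    for suite in server_preference:
        if suite not in RC4_SUITES and suite in offered:
            return suite
    return None  # caller must terminate the handshake

def audit(record, server_preference):
    """Report which RC4 suites a client offered and what a compliant server selects."""
    offered = offered_suites(record)
    return {
        "rc4_offered": [s for s in offered if s in RC4_SUITES],
        "selected": select_suite(offered, server_preference),
    }

def build_client_hello(suites):
    """Constructed sample input: minimal TLS 1.2 ClientHello without extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"    # version, random, empty session_id
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    body += b"\x01\x00"                          # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Hypothetical server preference that still lists RC4 first (constructed).
SERVER_PREFERENCE = [0xC011, 0xC02F, 0x0005, 0x002F]

if __name__ == "__main__":
    for offer in ([0x0005, 0xC011, 0xC02F, 0x002F], [0x0005, 0x0004]):
        print(audit(build_client_hello(offer), SERVER_PREFERENCE))
```

A `selected` value of `None` is the RC4-only client case, where RFC 7465 requires the server to terminate the handshake.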
