Warning..Paypal, other online sites have been hacked

Relax, no one has been hacked. This is an exploit of the way secure transactions on the internet are exchanged. Note that it is a type of man-in-the-middle attack, and requires an additional bit of access for the attacker, which is normally not easily gotten.

Interestingly, 'paypal' isn't our biggest worry. Your bank accounts are equally susceptible (basically anything that displays the little lock in your browser) using this attack.

At the moment, no one has been affected, no password changing is necessary/helpful, etc.

I imagine that browsers will start using TLS 1.1 (which as you saw wasn't affected), which has been out since 2006! Interestingly, Internet Explorer 8 (Win 7 only!) and Opera both support TLS 1.2, though I suspect Chrome/Firefox have made this a priority now.
 
Nice of Keane to weigh in...I'm definitely not a computer guy...:thumbup:
 
Glad I could help :) This is definitely a situation where the media is taking it out of context. Until you see computer people freaking out, you can remain calm. It is like the old joke T-shirt: "Bomb Squad Technician. If you see me running, try to keep up". If we aren't running, there isn't anything to worry about!

Keane:

Thank you for interceding on this one. Yes, people are freaking out about what is in essence an EXTREMELY DIFFICULT attack to perform. It assumes a perfect scenario where the attacker has access to the traffic (i.e. via an exploited system that happens to be in the path of your traffic), as well as all the tools and time it takes to decrypt the traffic.

Trust me on this, folks knowledgeable enough to perform this attack ain't after your $400 cue purchase using PayPal. Rather, this type of attack is used for government information warfare. (Much like the RSA attack that folks like Keane and I know about, which was much more serious and affected the security of Lockheed Martin and many other government contractors/entities [i.e. affected the security of our country], but you guys here on AZB probably never heard about, because it doesn't affect you.)

And, there's already a fix for this -- Transport Layer Security (TLS) version 1.1 (which as mentioned has been out since 2006, and is supported in Microsoft Internet Explorer v8), as well as TLS v1.2, which is found in Opera, and will be found in all versions of browsers here shortly. Yes, there's an issue with *websites* supporting TLS v1.1/v1.2, but you can bet your sweet bippie that the Payment Card Industry (PCI, whose specifications all vendors accepting payment have to comply with) will include mandatory changes to support TLS v1.1 as a minimum, otherwise they fail PCI compliance, and thus government audits. Take this from someone who performs security audits and ethical hacking. If you fail PCI Compliance, you get your credit-card-taking privileges removed from you post-haste, no ifs/ands/buts.

Although I'm keeping my eye on this one, I'm not shaking in my boots. I've seen these types of exploits announced before, where people were freaking out, and it almost always turned out to be a non-starter.

-Sean <-- sitting in his Bomb Squad T-shirt, glass of wine in one hand, pencil and pad in the other.
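The "websites supporting TLS v1.1/v1.2" part of the fix is a server-side setting. Here is an added illustration (not from anyone in this thread) of what that looks like in an nginx configuration, with the weak setting beside the corrected one; the hostname and certificate paths are placeholders.

```nginx
# BEFORE: a 2011-era default. The server still negotiates SSLv3 and
# TLS 1.0, so a client offering only TLS 1.0 gets the affected version.
server {
    listen 443 ssl;
    server_name shop.example.com;            # placeholder hostname
    ssl_certificate     /etc/ssl/shop.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/shop.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# AFTER: TLS 1.1 is the floor (TLS 1.2 preferred), matching the minimum
# the post expects PCI to require. A TLS 1.0-only client now fails the
# handshake instead of being silently served the weaker version.
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop.crt;
    ssl_certificate_key /etc/ssl/shop.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
```

The two server blocks are alternatives, not meant to coexist in one file. To verify the change from the outside, `openssl s_client -connect shop.example.com:443 -tls1` should now fail to complete a handshake while `-tls1_2` succeeds.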
 
paypal

I love it!!! Way better than my credit card service, in every respect. But I do try and get the money out; I don't like it sitting in there, not because of hackers... because of my husband... he always seems to find a way to spend it :) I'm a weird wife... my favorite thing to do is make money. I have fun doing that... I don't care about the spending part.
 
why worry about arcane risks?

Sean,

I agree with what you are saying. The folks that need to take care of the issues are no doubt beavering away in OT but truth is there are dozens of far greater risks we take every day. Use your card at a restaurant? Almost any small business for that matter, the risk is far greater. We don't need to use paypal or even credit cards on the internet to be at risk, all of the people with our bank account and credit card information use the internet and some have sloppy security.

Capital One bank sent me an e-mail, I forget about what. Included in the e-mail was a link to my online banking sign-in page. Not this pilgrim! I called them and verified they had done something that silly and pointed out that it was an open invitation to spoofers and a damned foolish thing to do. The person I talked to was of course a low level peon and I'm not sure they even grasped what I was trying to tell them. Your customers shouldn't be using links in e-mails to log in. Were I inclined I'd have already built my cap 1 spoof page.

The t-shirt thing reminded me of another bomb type t-shirt. It showed a nuke plant with a mushroom cloud over it. The caption read, "The Ultimate Error Message." The plant had no sense of humor about the t-shirt, wearing one was a way to get an instant escort to the gate and then security would escort you to your desk or work area in a day or two to clean your stuff out!

Hu

Glad I could help :) This is definitely a situation where the media is taking it out of context. Until you see computer people freaking out, you can remain calm. It is like the old joke T-shirt: "Bomb Squad Technician. If you see me running, try to keep up". If we aren't running, there isn't anything to worry about!

The media taking something out of context? NE-VERRR!
 