Following a demonstration of an attack from Mathy Vanhoef and Frank Piessens of the University of Leuven, that showed a weakness in the RC4 algorithm, Carl Leonard, Principal Security Analyst, Raytheon | Websense, commented on the decrypting cookies in just 52 hours.
Carl Leonard, Principal Security Analyst, Raytheon | Websense :
“When fundamental weaknesses like that discovered in the RC4 algorithm are made public, businesses need to sit up, listen and take effective action. RC4, designed almost 30 years ago, has been shown to be vulnerable to attack, exposing businesses to real threats which could potentially expose intellectual property and financial data by decrypting a cookie in just 52 hours.
Given the time frame, and with 44 of the top 100 Alexa sites still supporting RC4 and currently susceptible, RC4 has again proven to be a highly unreliable method to achieve secure data encryption. Webmasters need to recognise the seriousness of this weakness. We strongly recommend webmasters move away from the use of RC4. Successful attacks could see organisations experience negative brand perception, reduced customer confidence and could ultimately affect their bottom line. End-users can help themselves by using the latest OS and browser combinations.”[su_box title=”About Websense” style=”noise” box_color=”#336588″]
Websense, Inc. is a global leader in protecting organisations from the latest cyber-attacks and data theft. Websense TRITON® comprehensive security solutions unify web security, email security, mobile security and data loss prevention (DLP) at the lowest total cost of ownership. More than 11,000 enterprises rely on Websense TRITON security intelligence to stop advanced persistent threats, targeted attacks and evolving malware. Websense prevents data breaches, intellectual property theft and enforces security compliance and best practices. A global network of channel partners distributes scalable, unified appliance and cloud-based Websense TRITON solutions.[/su_box]
Principal Security Analyst
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.