Several CVEs have been published for attacks that break or downgrade TLS connections, including connections using the newest version, TLS 1.3.
The abridged version is that researchers have found ways to break TLS RSA key exchanges and downgrade TLS 1.3 to 1.2. These issues exist in most major TLS libraries including OpenSSL and Amazon s2n. The full details are available here.
For now, remediation consists of either supporting only TLS 1.3, so that no downgrade to an older version is possible, or preferring elliptic-curve key exchange (ECDHE) over RSA key exchange.
Supporting only TLS 1.3 is typically not an option for major applications, since legacy clients would lose support. Configuring TLS with elliptic-curve cipher suites, on the other hand, does not cause backward-compatibility problems.
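The two remediations above translate into a small amount of server-side TLS configuration. The following Python example is added here to illustrate them; it is not code from the advisory or from any of the affected libraries. It builds an OpenSSL-backed server context, applies a cipher policy that keeps only ECDHE key exchange (the `!kRSA` exclusion removes RSA key exchange suites), and audits the resulting suite list so an operator can confirm that no RSA key exchange remains. The cipher strings `LEGACY_CIPHERS` and `HARDENED_CIPHERS` are constructed for this example, and the TLS 1.3-only variant is shown through `minimum_version`.

```python
import ssl

# Constructed cipher-suite policies for this example (not taken from the advisory).
# LEGACY_CIPHERS deliberately keeps one static-RSA key exchange suite
# (AES256-GCM-SHA384 == TLS_RSA_WITH_AES_256_GCM_SHA384) so the audit has
# something to flag. HARDENED_CIPHERS keeps only ECDHE key exchange and
# explicitly excludes RSA key exchange with the "!kRSA" rule.
LEGACY_CIPHERS = "AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!kRSA:!aNULL:!eNULL"


def build_server_context(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Server-side context with an explicit TLS 1.2 cipher policy.

    Passing minimum=ssl.TLSVersion.TLSv1_3 gives the "TLS 1.3 only" remediation.
    TLS 1.3 suites are not governed by set_ciphers(); they always use an
    (EC)DHE key exchange, so they need no RSA-key-exchange filtering.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.set_ciphers(cipher_string)
    return ctx


def uses_rsa_key_exchange(cipher):
    """True if a get_ciphers() entry transports the premaster secret with RSA encryption."""
    # CPython exposes the key-exchange algorithm as "kea" ("kx-rsa", "kx-ecdhe",
    # "kx-dhe", or "kx-any" for TLS 1.3 suites). Fall back to OpenSSL's
    # description string ("Kx=RSA") on builds where that key is absent.
    kea = cipher.get("kea")
    if kea is not None:
        return kea == "kx-rsa"
    return " Kx=RSA " in cipher.get("description", "")


def uses_ecdhe_key_exchange(cipher):
    """True for TLS 1.2 suites that negotiate the key with ephemeral ECDH."""
    kea = cipher.get("kea")
    if kea is not None:
        return kea == "kx-ecdhe"
    return " Kx=ECDH " in cipher.get("description", "")


def rsa_kex_suites(ctx):
    """Names of enabled suites that still use RSA key exchange; should be empty."""
    return [c["name"] for c in ctx.get_ciphers() if uses_rsa_key_exchange(c)]


def ecdhe_suites(ctx):
    """Names of enabled suites that use ECDHE key exchange."""
    return [c["name"] for c in ctx.get_ciphers() if uses_ecdhe_key_exchange(c)]


if __name__ == "__main__":
    for label, policy in (("legacy", LEGACY_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        ctx = build_server_context(policy)
        print(f"{label}: RSA key exchange suites = {rsa_kex_suites(ctx)}")
        print(f"{label}: ECDHE suites = {ecdhe_suites(ctx)}")
```

Running the audit against a production context (or, equivalently, inspecting `openssl ciphers -v` for the configured string) is the check worth repeating after any cipher-policy change: the hardened policy should report an empty RSA key exchange list while still offering ECDHE suites to TLS 1.2 clients.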
Employees who use social media accounts as marketing or support tools should be extra cautious after news of this breach.
Attackers may take over accounts and pose as clients or employees to entice those controlling corporate accounts to divulge information or open malicious documents. (Read more about phishing attacks here.)
These types of scenarios should be incorporated into user awareness training. Do not trust anyone online simply based on who they purport to be.
As cybercriminals evolve their tactics in social engineering, we too must evolve our procedures in response and prevention.