As Google, Apple and Microsoft scramble to patch a long-missed security flaw, it might be timely to remember how we got here. Way back at the latter end of the last century, the 1990s, when the Netscape browser was all the rage and SSL (Secure Sockets Layer) encryption was brand-spanking-new, the U.S. government wanted control over the export of “weapons grade” encryption.
Its theory was that domestic communications could benefit from stronger, 128-bit encryption, but ‘backdoors’ should be available to U.S. intelligence and law enforcement when it came to foreign communications; thus the concept of weaker, “export grade” encryption was born.
Turns out that this theory and its legacy backdoor, a vulnerability that we’ve come to know in recent days as ‘FREAK’, still exist in up to 30 percent of U.S. web servers. It’s a sad example of how zombie-security from the era that gave us grunge can come back and bite us on the posterior.
Meanwhile, Apple and Google say they’ve developed fixes/patches – though we note Apple has yet to deploy – to mitigate the ‘FREAK’ security flaw. Initially thought to be immune, Microsoft has released an advisory warning that hundreds of millions of Windows PC users are also exposed to the vulnerability:
The weakness in web encryption technology could enable attackers to spy on communications of users of Apple’s Safari browser and Google’s Android browser, according to researchers who uncovered the flaw.
The vulnerability could allow attacks on Microsoft PCs that connect with servers configured to use encryption technology intentionally weakened to comply with US government regulations banning exports of the strongest encryption.
Apple spokesman Ryan James said the computer company had developed a software update to remediate the vulnerability, which would be pushed out this week.
Google spokeswoman Liz Markman said the company had also developed a patch, which it has provided to partners. She declined to say when users could expect to receive those upgrades.
Google typically does not directly push out Android software updates. Instead they are handled by device makers and mobile carriers.
Microsoft advised system administrators to employ a workaround to disable settings on Windows servers that allow use of the weaker encryption.
It said it was investigating the threat and had not yet developed a security update that would automatically protect Windows PC users from the threat.
“Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers,” Microsoft said.
“The FREAK attack was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. Further disclosure was coordinated by Matthew Green. This report is maintained by computer scientists at the University of Michigan, including Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman.”
Here’s the dirt: FREAK impacts code from the OpenSSL project, and different browsers are affected differently: Safari and most Android-native browsers are vulnerable, but Chrome is not. These web clients all build on open source but make use of different versions of OpenSSL and employ different web application toolkits.
The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use the weaker export-grade encryption, which can then be decrypted or altered. Many Google and Apple devices are potentially affected, along with embedded systems. FREAK was originally discovered by researchers at INRIA, a computer science research organization headquartered in Paris.
Computer scientists at the University of Michigan are maintaining a site that details the history of the attack and provides useful tips on remediation. Here’s what they recommend:
“If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols other than RSA) and enable forward secrecy. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check whether your site is vulnerable using the SSL Labs’ SSL Server Test.”
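A defender’s check for the downgrade the researchers describe, added here as an example and not code from the original post or from freakattack.com: it parses a TLS ServerHello, flags any export-grade suite (RSA and non-RSA alike, as the advice above stresses) and also flags a server choosing a suite the client never offered. The cipher suite codes are the standard TLS registry values; the ServerHello bytes are constructed sample data, not a capture.

```python
import struct

# Export-grade TLS cipher suites (40-bit and 56-bit "EXPORT" suites from
# the TLS cipher suite registry), RSA and non-RSA key exchange alike.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0065: "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
}

def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite code a TLS ServerHello record selected."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rlen]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # handshake header (4) + server version (2) + random (32), then session id
    pos = 4 + 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]

def check_downgrade(offered: set, server_hello: bytes) -> str:
    """Flag an export suite, or any suite the client never offered."""
    chosen = parse_server_hello(server_hello)
    if chosen in EXPORT_SUITES:
        return "EXPORT suite negotiated: " + EXPORT_SUITES[chosen]
    if chosen not in offered:
        return "server chose unoffered suite 0x%04x" % chosen
    return "ok"

def build_server_hello(suite: int) -> bytes:
    """Constructed sample ServerHello (TLS 1.0, empty session id), not a capture."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

With a client that offered only AES suites (0x002F, 0x0035), a ServerHello selecting 0x0003 is reported as an export downgrade; a ServerHello selecting any other suite the client never offered is reported too.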
With additional web server fixes expected from a number of vendors, it appears the FREAK attack story is far from over. It’s a useful reminder that a lot of legacy code, while largely vanished from memory, is still very much alive in the systems we continue to use every day.
Vulnerability Could Allow Hacks
The bug leaves users of Apple and Google devices vulnerable to cyberattack when visiting hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov. Whitehouse.gov and FBI.gov have been fixed, but NSA.gov remains vulnerable.
A group of nine researchers discovered that they could force web browsers to use a form of encryption that was intentionally weakened to comply with US government regulations that ban American companies from exporting the strongest encryption standards, according to the paper.
Once they caused the site to use the weaker export encryption standard, they were then able to break the encryption within a few hours.
That could allow hackers to steal data and potentially launch attacks on the sites themselves by taking over elements on a page, the newspaper reported.
Ms Markman said that Google advised all websites to disable support for the less-secure, export-grade encryption.
“Android’s connections to most websites, which include Google sites and others without export certificates, are not subject to this vulnerability,” she added.
The group of researchers who discovered the flaw dubbed it FREAK, for “Factoring RSA-EXPORT Keys”.
Footnote: amusingly, the original SSL 1.0 protocol was developed by Netscape; see the Wikipedia extract below.
FOR A FULL VULNERABILITY LIST AND CHECK: https://freakattack.com/
RELATED! Telco Says Data Retention is an Invite For Hackers
Telstra said an unintended consequence of the plan would be the creation of many highly attractive targets for hackers.
The Federal Government has cited national security as one of the reasons for its plan to force telcos and internet companies to store customer metadata for two years.
A parliamentary committee investigating the bills also heard concerns from Australia’s intelligence agency watchdog that ASIO could keep metadata indefinitely.
Under the metadata retention scheme, Telstra, and all other national telcos and internet companies, would be forced to store customer metadata for two years.
Telstra said the data would be kept in a database, ready to be given to law enforcement on request.
RELATED! NSA WREAKS HAVOC!
In a pickle once again, the US National Security Agency – NSA – has apparently hacked into communications links used by the planet’s largest tech companies, Google and Yahoo. According to documents leaked by former NSA contractor Edward Snowden, the tech behemoths’ security was breached in transit between data centres.
It seems the more this pot gets stirred, the more sludge surfaces: weak restrictions on the NSA’s overseas activities are apparently used to exploit major US companies’ data to a much greater extent than previously thought, The Washington Post reported. It remains unclear, however, how the NSA accessed the links.
Like other major tech behemoths, Yahoo and Google constantly send data over shared and exclusive international fibre-optic telecommunication lines. The newly disclosed NSA program, operated jointly with the UK’s spy agency GCHQ – Government Communications Headquarters – amassed 181 MILLION individual records in just one 30-day splurge, according to the Post.
The head of the NSA, General Keith Alexander, said: “To my knowledge, this never happened.” WinkWink Nudge Nudge.
RELATED! UPDATE! Chinese Military Hack Attacks Might Originate in NORTH KOREA
Last month we reported that security experts from Mandiant believed a Chinese military unit was responsible for multiple hack attacks on US companies. Mandiant released a report that identified ‘Unit 61398’ as the most likely source of attacks on at least 141 US organisations, “across a diverse set of industries beginning as early as 2006”.
“The nature of ‘Unit 61398’s’ work is considered by China to be a state secret; however, we believe it engages in harmful ‘Computer Network Operations’,” Mandiant said in the report. “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”
The Mandiant report said that Unit 61398 is located in Shanghai’s Pudong district, China’s financial and banking hub, and staffed by perhaps thousands of people proficient in English as well as computer programming and network operations.
There are now suspicions that the facility might be shared with North Korean-backed hackers. An unnamed source from South Korea’s presidential office was quoted by the Yonhap news agency as saying the discovery of the IP address indicated Pyongyang was responsible for the attack on Wednesday. A previous attack on a South Korean newspaper that the government in Seoul traced back to North Korea also used a Chinese IP address.
RELATED! APPLE HACKED
However, the tech giant says the invaders’ malware was repelled before any data could be plundered.
Apple says a “small number” of its computer systems were infected, but they were isolated from its main network.
Apple is working with law enforcement to hunt down the hackers, who appear to be tied to a series of recent cyber attacks on US companies.
The malicious software, or malware, took advantage of a vulnerability in a Java program used as a “plug-in” for web-browsing programs.
Secure Sockets Layer (SSL) is a cryptographic protocol designed to provide communications security over a computer network.
SSL uses X.509 certificates, and hence asymmetric cryptography, to authenticate the counterparty with which it is communicating and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties.
This provides data/message confidentiality, while message authentication codes provide message integrity and, as a by-product, message authentication.
Several versions of the protocol are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). An important property in this context is forward secrecy, which ensures the short-term session key cannot be derived from the long-term asymmetric secret key.
As a consequence of choosing X.509 certificates, certificate authorities and a public key infrastructure are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates.
While this can be more beneficial than verifying the identities via a web of trust, the 2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowing man-in-the-middle attacks (MITM).
In the Internet Protocol Suite, SSL encrypts the data of network connections in the application layer. In OSI model equivalences, SSL is initialized at layer 5 (session layer) and works at layer 6 (the presentation layer).
The session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.
SSL 1.0, 2.0 and 3.0
Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, “contained a number of security flaws which ultimately led to the design of SSL version 3.0”. SSL version 3.0, released in 1996, represented a complete redesign of the protocol, produced by Paul Kocher working with Netscape engineers Phil Karlton and Alan Freier. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101.
Dr. Taher Elgamal is recognized as the “father of SSL”.
As of 2014, SSL 3.0 is considered insecure: it is vulnerable to the POODLE attack, which affects all block ciphers in SSL 3.0, and RC4, the only non-block cipher SSL 3.0 supports, is also feasibly broken as used in SSL 3.0.