FREAK Vulnerability Disclosed… Affects Many Vendors

Researchers have discovered a vulnerability that has been around since the 1990s. Called “FREAK”, for Factoring attack on RSA-EXPORT Keys, the security flaw allows hackers to conduct a “man-in-the-middle” attack and decrypt encrypted messages. The flaw affects Apple’s, Google’s and other devices that use unpatched OpenSSL, reports the Washington Post:

The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.

Researchers discovered in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook “Like” button.

The problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide “doors” into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.

You can see whether you have to worry by visiting freakattack.com, which will tell you if your browser is vulnerable or not. Expect many, many fixes to be released by many vendors in the days to come, because now that this is disclosed, you can bet that the bad guys are taking advantage of it.
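As an added example (not code from the original post or from freakattack.com), here is the kind of check a defender can run over a captured TLS ServerHello to see whether a server negotiated one of the export-grade RSA suites that FREAK abuses. The suite ids come from RFC 2246; the ServerHello bytes are constructed inline as sample input.

```python
import struct

# Export-grade RSA cipher suites defined in RFC 2246 (TLS 1.0). A server that
# negotiates one of these is using a 512-bit RSA key, which is what FREAK factors.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def negotiated_suite(record: bytes) -> int:
    """Parse a TLS record carrying a ServerHello and return the cipher suite id."""
    # Record header: content type (1), version (2), length (2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: message type (1), length (3); ServerHello is type 2
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello: version (2), random (32), session_id_len (1), session_id,
    # cipher_suite (2), compression_method (1)
    pos = 2 + 32
    if len(hello) <= pos:
        raise ValueError("truncated ServerHello")
    pos += 1 + hello[pos]
    if len(hello) < pos + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[pos:pos + 2])[0]


def is_freak_downgrade(record: bytes) -> bool:
    """True if the server chose an export-grade RSA suite (a FREAK downgrade)."""
    return negotiated_suite(record) in RSA_EXPORT_SUITES


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample input only)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")  # null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    sample = build_server_hello(0x0003, b"\x01\x02")  # constructed downgraded handshake
    print(RSA_EXPORT_SUITES[negotiated_suite(sample)], is_freak_downgrade(sample))
```

The same parser applied to a real capture flags any server that still accepts export suites, which is the server-side condition the fixes from vendors are meant to remove.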
