FREAK attack on HTTPS

A new security hole for attacking HTTPS has been found. It is called the FREAK attack. FREAK (Factoring RSA Export Keys) is the name given to a hole that forces equipment to use considerably outdated encryption – OpenSSL, iOS and OS X can be tricked into using weak 1990s-grade encryption keys. With a well-planned man-in-the-middle attack a hacker could hijack a user’s traffic and, for example, steal passwords. The abuse is based on the so-called man-in-the-middle attack (MitM). According to the Washington Post, the “FREAK” flaw undermines security for Apple and Google users, leaving users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites.

This flaw existed and still exists widely: more than one third of encrypted Web sites – including those bearing the “lock” icon that signifies a connection secured by SSL technology – proved vulnerable to attack in recent tests.

A successful attack requires a number of boundary conditions, the most important of which are:

- You must have a vulnerable OpenSSL library in your system (the bug was fixed in January)
- The server must be incorrectly configured to support the weak RSA export encryption keys
- The attacker must be able to get between you and your target and tamper with the data transfer

The attack process: A vulnerable client (such as a web browser, smartphone or internet-of-things gizmo) starts talking to a server (such as the machine behind an HTTPS website), and lists the encryption algorithms and key lengths it supports and those it prefers. An attacker able to intercept traffic between the client and the server can tamper with that message to say the client only wants weak-ass export-grade keys, such as a 512-bit RSA key. Due to bugs in OpenSSL and SecureTransport, if the server shrugs its shoulders and replies with a weak key, the client will accept it, and the encryption process begins.

This is again an old security bug. Security researchers are warning of a flaw in OpenSSL and Apple’s SecureTransport that’s a hangover from the days when the US government was twitchy and clueless about technology. This time the problem originates from old security policies but had remained unfixed for quite a long time: the flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. Export-grade encryption was limited to 512 bits at most. This key length gives a very low security level against today’s computers, as it can be cracked in several hours ($100 on Amazon Web Services and a couple of hours of computing). 512-bit keys used to be considered good enough 20 years ago, but 512-bit cryptography has been considered unacceptably weak for more than a decade. Even experts thought it had disappeared. But it turns out that it had not completely disappeared – at least many web servers still seem to accept it.

It turns out the encryption used by OpenSSL and SecureTransport can be crippled by an attacker on your network: apps can be tricked into using weak encryption keys. A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204.

Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

It is actually already fixed in the OpenSSL source code: in January, OpenSSL released a patch for the bug, CVE-2015-0204, to sort out the issue, which it ranked as “low” severity. But the patched version is not yet widely deployed.

A fix is on the way to devices: Apple is to release a fix for the “FREAK” flaw next week; Google is providing a patch to partners but the rollout timeframe is unknown. And not everything on Google devices is vulnerable: Google’s Chrome browser is not vulnerable to the FREAK bug, but the browser that comes built into most Android devices is.

Are you running a web server with HTTPS on it? Maybe you should check your server configuration. Websites that support RSA export cipher suites (e.g., TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) are at risk of having HTTPS connections intercepted. If you run a web server, you should disable support for any export suites (instead of simply excluding RSA export cipher suites, disable support for all known insecure ciphers). Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check whether your site is vulnerable using the SSL Labs’ SSL Server Test.
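As an added example (not code from the original post or any of its sources), the Python below parses the TLS ClientHello, ServerHello and ServerKeyExchange messages involved in the attack process described above, flags the export-grade suites a downgrade relies on, and applies the check on a temporary RSA key that a patched client makes. Suite IDs follow RFC 2246; the sample handshakes are constructed inside the code, and the refusal of any temporary key of 512 bits or less is an added hardening policy, not the OpenSSL fix itself.

```python
"""Inspect TLS handshake messages for the export-grade suites a FREAK downgrade
relies on, and apply the ServerKeyExchange check that CVE-2015-0204 clients lacked."""
import struct

# Export-grade cipher suites from RFC 2246 appendix A.5 (512-bit RSA / 40-bit symmetric).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12


def parse_handshake(record: bytes):
    """Split a TLS record of content type Handshake (0x16) into (msg type, body)."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a well-formed handshake record")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return hs_type, body

def _after_hello_prefix(body: bytes) -> int:
    """Offset just past version (2), random (32) and session_id (1 + n) in a Hello."""
    return 35 + body[34]

def client_hello_suites(body: bytes):
    """Cipher suite IDs a ClientHello offers, in the client's preference order."""
    off = _after_hello_prefix(body)
    n = struct.unpack("!H", body[off:off + 2])[0]      # length in bytes of the suite list
    off += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + n, 2)]

def server_hello_suite(body: bytes) -> int:
    """The single cipher suite the server selected in a ServerHello."""
    off = _after_hello_prefix(body)
    return struct.unpack("!H", body[off:off + 2])[0]

def export_suites_in(suites):
    """Names of any export-grade suites among the given IDs: the detection check that
    flags both a tampered ClientHello and a server that agrees to the downgrade."""
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]

def rsa_key_exchange_modulus_bits(body: bytes) -> int:
    """Bit length of the temporary RSA modulus carried in an RSA_EXPORT ServerKeyExchange."""
    mod_len = struct.unpack("!H", body[:2])[0]
    return int.from_bytes(body[2:2 + mod_len], "big").bit_length()

def client_accepts_rsa_key_exchange(negotiated_suite: int, ske_body: bytes):
    """The check missing in CVE-2015-0204: a client that negotiated a non-export RSA
    suite must refuse a temporary RSA key (the real key is in the certificate).
    As an added policy, any temporary key of 512 bits or less is refused as well.
    Returns (accept, reason)."""
    if negotiated_suite not in EXPORT_SUITES:
        return False, "RSA ServerKeyExchange is illegal for a non-export suite"
    bits = rsa_key_exchange_modulus_bits(ske_body)
    if bits <= 512:
        return False, f"{bits}-bit export RSA key can be factored in hours"
    return True, "ok"


# ---- constructed sample messages (not real captures) ----
def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

def build_client_hello(suites) -> bytes:
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # one compression method: null
    return _record(CLIENT_HELLO, body)

def build_server_hello(suite: int) -> bytes:
    body = b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)

def build_rsa_key_exchange(modulus_bits: int) -> bytes:
    modulus = (1 << (modulus_bits - 1)).to_bytes(modulus_bits // 8, "big")  # placeholder value
    body = struct.pack("!H", len(modulus)) + modulus + b"\x00\x03\x01\x00\x01"  # e = 65537
    return _record(SERVER_KEY_EXCHANGE, body)

# An honest client offers only strong suites; a man in the middle rewrites the list to
# export-only, and a mis-configured server then picks TLS_RSA_EXPORT_WITH_DES40_CBC_SHA.
HONEST_HELLO = build_client_hello([0x002F, 0x0035])      # AES128-SHA, AES256-SHA
TAMPERED_HELLO = build_client_hello([0x0008])
DOWNGRADED_SERVER_HELLO = build_server_hello(0x0008)
EXPORT_KEY_EXCHANGE = build_rsa_key_exchange(512)
```

Running `export_suites_in` over the suites of each Hello is the detection step; `client_accepts_rsa_key_exchange` is what a fixed client does when the temporary key arrives.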

You can track the news on this issue at Tracking the FREAK Attack web site at https://freakattack.com/

“There is an important lesson here about the consequences of crypto policy decisions: the NSA’s actions in the ‘90s to weaken exportable cryptography boomeranged on the agency, undermining the security of its own site twenty years later,” said Canadian security expert Professor Ed Felten. There is no way to know how widely the FREAK flaw has been used to hack Internet users, though “man-in-the-middle attacks” are popular among governments conducting online surveillance.

Sources:

‘FREAK’ flaw undermines security for Apple and Google users, researchers discover

Tracking the FREAK Attack

Kyberturvallisuuskeskus: Applen ja Androidin haavoittuvuudesta ei vaaraa suomalaisissa verkkopankeissa

FREAK Attack Threatens SSL Clients

OpenSSL, iOS and OS X tricked into using weak 1990s-grade encryption keys

SSL under attack: Apple, Android gear FREAK out, open up to spies


24 Comments

  1. Tomi Engdahl says:

    New FREAK Attack Threatens Many SSL Clients
    http://digital-era.net/new-freak-attack-threatens-many-ssl-clients/

    For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack.

    “The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today,” cryptographer Matthew Green of Johns Hopkins University wrote in a blog post explaining the vulnerability and its consequences.

  2. Tomi Engdahl says:

    Attack of the week: FREAK (or ‘factoring the NSA for fun and profit’)
    http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html

    This is the story of how a handful of cryptographers ‘hacked’ the NSA. It’s also a story of encryption backdoors, and why they never quite work out the way you want them to.

  3. Tomi Engdahl says:

    “FREAK” flaw in Android and Apple devices cripples HTTPS crypto protection
    Bug forces millions of sites to use easily breakable key once thought to be dead.
    http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-devices-cripples-https-crypto-protection/

    Security experts have discovered a potentially catastrophic flaw that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites, including AmericanExpress.com, Bloomberg.com, NSA.gov, and FBI.gov.

    In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site.

    Attackers who are in a position to monitor traffic passing between vulnerable end users and servers can inject malicious packets into the flow that will cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions.

    The weak 512-bit keys are a vestige of the 1990s, when the Clinton administration required weak keys to be used in any software or hardware that was exported out of the US.

    This bug causes them to accept RSA export-grade keys even when the client didn’t ask for export-grade RSA

    Content distribution service Akamai published a blog post on Monday that said a fix rolled out to its secure network ensures that FREAK attacks won’t work against the company’s internal (midgress) traffic or against communications (or forward traffic) to any origin websites. But the post went on to warn that many of Akamai-enabled websites may still be targeted.

    As word of the vulnerability spread, many website operators were scrambling to reconfigure their servers so they could no longer be downgraded to the easily broken export ciphers. No doubt, the number of affected websites will decrease in the coming hours and days

  4. Tomi Engdahl says:

    Akamai Addresses CVE 2015-0204 Vulnerability
    https://blogs.akamai.com/2015/03/cve-2015-0204-getting-out-of-the-export-business.html

    The first part was to add several cipher suites that used small, easily breakable keys. These are all identified with the name EXP at the beginning.

    For example, EXP-DES-CBC-SHA. DES normally uses a 56-bit key (which is considered laughably weak these days), and EXP-DES is a variant that uses a 40-bit key — sixty-five thousand times weaker than “laughably weak”. (We’re using the common OpenSSL names, not the official names from the TLS RFC.)

    The second change is more problematic and, for technical purists, very “ugly.”

    When a client connects to a server, it encrypts part of its initial connection (known as the SSL handshake) using an RSA key from the server. In the export configuration this key is 512 bits.

    The problem is that, until CVE 2015-0204 was raised — and fixed — an OpenSSL client using strong ciphers (anything other than export) could be tricked into accepting such a weak key. An attacker connects to the web server with an export cipher and gets a message signed with the weak RSA key. He then cracks that key. The following day, for future connections from innocent browsers, he can act as a man in the middle (MiTM). The attacker will use the cracked key to connect to clients, who will accept it. The attacker will then have access to all communication between the client and server. A server that does not support the export ciphers will never use the export RSA key and never send it to a client. A client that has the CVE fixed will never accept such a key.

    To see if a website is vulnerable to the RSA weak key attack, you can use this OpenSSL command

  5. Tomi Engdahl says:

    PATCH FREAK NOW: Cloud providers faulted for slow response
    Pitting 90s technology against modern hackers is ‘no contest’
    http://www.theregister.co.uk/2015/03/05/cloud_patching_freak_out_attack/

    Hundreds of cloud providers are still vulnerable to the serious FREAK cryptographic vulnerability.

    Skyhigh Networks found that 766 cloud services are still at risk 24 hours after FREAK was made public, based on an analysis of more than 10,000 different services.

    The average company is using 122 potentially vulnerable services. The two stats taken together imply that more popular cloud services are disproportionately affected by slow patching against FREAK.

    The FREAK (Factoring attack on RSA-Export Keys) vulnerability makes it possible for hackers to force browsers to use old ‘export-grade’ encryption and then decipher it in order to steal passwords and other personal information.

    Websites as well as cloud services are potentially at risk. OpenSSL patched the vulnerability in January, while characterising the flaw as “low risk”.

    Although there remains no particular evidence of actual attacks, this assessment has been revised this week and the vulnerability is now being treated as serious and easy to exploit on vulnerable systems, if not critical.

    One in ten (9.7 per cent) of Alexa Top one million domains remain vulnerable (down from 12.2 per cent initially), according to a dedicated tracking site.

    “The impact of exploitation of this vulnerability is in the worst case (Java/CyaSSL), where a threat actor is able to perform a Man-in-the-Middle attacks, the ability to impersonate any server and force the connection to clear-text facilitating eavesdropping and content modification.”

    FREAK, much like the POODLE SSLv3 security vulnerability before it, underlines the point that many websites and web services allow users to fall back onto cryptographic protocols that are hopelessly insecure.

    Hawthorn commented: “The fact that base levels of encryption are still accessible on so many websites is alarming. In theory, these low levels allow any device to communicate with any website using the strongest encryption possible. However, no one is accessing their bank account from an Acorn Computer and FREAK serves as a timely reminder that they should be put out to pasture.”

  6. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Stop the presses: HTTPS-crippling “FREAK” bug affects Windows after all — Microsoft advisory dramatically raises the number of vulnerable end-user devices. — Computers running all supported versions of Microsoft Windows are vulnerable to “FREAK,” a bug disclosed Monday that for more than a decade …

    Stop the presses: HTTPS-crippling “FREAK” bug affects Windows after all
    Microsoft advisory dramatically raises the number of vulnerable end-user devices.
    http://arstechnica.com/security/2015/03/stop-the-presses-https-crippling-freak-bug-affects-windows-after-all/

    Computers running all supported versions of Microsoft Windows are vulnerable to “FREAK,” a bug disclosed Monday that for more than a decade has made it possible for attackers to decrypt HTTPS-protected traffic passing between vulnerable end-users and millions of websites.

    Microsoft confirmed the vulnerability in an advisory published Thursday. A vulnerability-scanning service at FREAKAttack.com, a site that offers information about the bug, confirmed the advisory, showing that the latest version of IE 11 running on a fully patched Windows 7 machine was susceptible. Previously, it was believed that the Windows system was immune to the attacks.

    Microsoft Security Advisory 3046015
    Vulnerability in Schannel Could Allow Security Feature Bypass
    https://technet.microsoft.com/en-us/library/security/3046015

  7. Tomi Engdahl says:

    Meanwhile, Android and Apple devices

    On Thursday, Google developers released an updated version of Chrome for Mac that can’t be forced to use the weak 512-bit cipher, effectively closing the FREAK hole when OS X users are on the Google browser. At the time this post was being prepared, Chrome for Android remained vulnerable, and Google officials have yet to provide any public estimate on when a fix would be available. Apple officials have said patches for OS X and iOS would be released next week. Microsoft’s advisory provided no estimate on when a patch would be available, either. In the interim, people on vulnerable devices should consider using Firefox, which over the past two days has consistently been labeled as safe by the FREAKAttack site.

    Source: http://arstechnica.com/security/2015/03/stop-the-presses-https-crippling-freak-bug-affects-windows-after-all/

  8. Tomi Engdahl says:

    FREAKing hell: All Windows versions vulnerable to SSL snoop
    Relax! We’ve got a (server-knackering) workaround to sort things out, says Microsoft
    http://www.theregister.co.uk/2015/03/06/all_microsoft_windows_versions_vulnerable_to_freak/

    Microsoft says its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack.

    This means if you’re using Windows, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel component to use weak encryption over the web.

    Intercepted HTTPS connections can be easily cracked, revealing sensitive details such as login cookies and banking information, but only if the website or service at the other end is still supporting 1990s-era cryptography (and millions of sites still are).

    “Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” Redmond says in an advisory.

    “Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.

    The bug (CVE-2015-1637) in Windows’ Secure Channel component is not thought to be under active attack by eavesdroppers at the time of writing.

    Microsoft Security Advisory 3046015
    https://technet.microsoft.com/en-us/library/security/3046015.aspx

  9. Tomi Engdahl says:

    FREAK: Should you Freak out over the latest security scare?
    Analysis Whatever else it is, Freak is not chic
    http://www.theinquirer.net/inquirer/feature/2398276/freak-should-you-freak-out-over-the-latest-security-scare

    THE IDES OF MARCH have brought the technology industry a new demon, the Freak vulnerability that could put millions of internet users in the reach of malicious actors and bad parties.

    The security industry has guided us through the Freak show, as it does through all such incidents. While we are taken through panic posts and scare sendouts, so too are we treated to a more rounded take on things.

    So here you are. Freak: the day after version. It’s bad, but it isn’t as bad as Heartbleed, for example.

    “Is Freak something we should all be freaking out about? I don’t think so as it is far less of an issue than Heartbleed, but it is still worth taking note and fixing where present. The actual attack in the real world is difficult as it takes a number of steps,” said Gavin Millard, technical director at Tenable Network Security.

    Millard added, naturally, that something should be done to tackle Freak, explaining that this should be the case whenever a threat presents itself.

    “With all major bugs of this type, it is important that the affected systems are identified and updated when the patches are available to reduce the risk of this vulnerability being exploited,” he said.

    “OpenSSL has a patch available now, and the client updates should follow in the coming days.”

    “This is a potential vulnerability not just for websites but for cloud services, and our data shows that nearly 800 cloud services remain vulnerable.

    So what is it? Well Lancope CTO TK Keanini said that Freak is a “potentially catastrophic flaw” that “for more than a decade, has made it possible for attackers to decrypt HTTPS-protected traffic passing between Android or Apple devices and hundreds of thousands or millions of websites”.

    Keanini, like Millard, acknowledges that the Freak nut is a hard one to crack, but said that it is “not trivial to exploit” and not as bad as the easily exploited Heartbleed. He added that Freak is perhaps more about privacy than security.

    “Freak isn’t like Heartbleed or other widely exploited vulnerabilities in 2014. These other vulnerabilities could be exploited to provide direct access to servers or immediately unveil encrypted communication,” said Andy Manoske, senior product manager at AlienVault.

    “Freak ‘only’ allows you to significantly weaken the encryption used to protect a single protected ‘conversation’ (session). Attackers still need to break that encryption.

    “This isn’t a difficult task for someone experienced in cryptography and cryptanalysis, or who has access to cryptanalytic suites and the experience to properly use such tools.

    “Freak is more or less a hypothetical threat based on a series of very unusual conditions that are unlikely to affect most users of the internet. The attack also requires a sophisticated attacker with a set of tools and technology not in common use,

  10. Tomi Engdahl says:

    Newly found online security flaw stems from 1990s
    http://phys.org/news/2015-03-newly-online-flaw-stems-1990s.html

    Green said in a blog post that even some sites maintained by the National Security Agency and FBI appeared to be vulnerable.

    “Since the NSA was the organization that demanded export-grade crypto, it’s only fitting that they should be the first site affected by this vulnerability,” Green said.

    Green and other researchers said the flaw stems from US government-imposed standards for encryption in software that was exported—a short-lived effort to allow the United States to be able to access software exported to unfriendly regimes.

    Even after it became legal to export strong encryption, the export mode feature was not removed from because some software still depended on it

    “The flaw is significant in itself, but it is also a good example of what can go wrong when government asks to build weaknesses into security systems,” said Felten in a blog post.

    “Many web sites are vulnerable to this attack, allowing an adversary in the network to spoof or spy on traffic to vulnerable sites.”

    Green said the most of the flaws “will soon be patched” but that the flaw is important at a time when the NSA is seeking to maintain access to encrypted software and devices for national security reasons.

    “The moral of this story is pretty simple: Encryption backdoors will always turn around and bite you in the ass,”

  11. Tomi Engdahl says:

    OpenVPN FREAK Vulnerability
    https://immunesec.wordpress.com/2015/03/05/openvpn-freak-vulnerability/

    Make sure you’re updated to OpenVPN 2.3.6 which was released in January of last year.
    This release fixes a critical denial of service vulnerability in OpenVPN servers (CVE-2014-8104). The vulnerability can only be exploited by authenticated clients. Also note that confidentiality and authenticity of traffic are not affected.

  12. Tomi Engdahl says:

    ‘FREAK’ security flaw left Apple, Android users exposed
    http://www.cnet.com/news/decade-old-freak-security-flaw-left-millions-exposed/

    Apple and Google working on fixes for the decade-old flaw, which researchers blamed on an abandoned US policy on encryption.

    Researchers have been alerting affected government and commercial websites for a few weeks in hopes of taking corrected measures before the vulnerability was publicized, the newspaper reported. Whitehouse.gov and FBI.gov have been repaired, but NSA.gov remains vulnerable, researchers told the newspaper.

    Millions at risk from ‘Freak’ encryption bug
    http://www.bbc.com/news/technology-31765672

    Microsoft has issued a security warning about a bug that could let attackers spy on supposedly secure communications.

    Called “Freak”, the bug was found in software used to encrypt data passing between web servers and web users.

    Initially the flaw was thought only to affect some users of Android and Blackberry phones and Apple’s Safari web browser.

    Microsoft’s warning suggests millions more may be at risk of losing data.

  13. Tomi Engdahl says:

    FREAK: Security Rollback Attack Against SSL
    https://www.schneier.com/blog/archives/2015/03/freak_security_.html

    From Ars Technica:

    In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site.

    This is a general class of attack I call “security rollback” attacks. Basically, the attacker forces the system users to revert to a less secure version of their protocol. Think about the last time you used your credit card. The verification procedure involved the retailer’s computer connecting with the credit card company. What if you snuck around to the back of the building and severed the retailer’s phone lines? Most likely, the retailer would have still accepted your card, but defaulted to making a manual impression of it and maybe looking at your signature. The result: you’ll have a much easier time using a stolen card.

    Fixes are coming. Companies like Apple are quickly rolling out patches. But the vulnerability has been around for over a decade, and has almost certainly been used by national intelligence agencies and criminals alike.

    This is the generic problem with government-mandated back doors, key-escrow, “golden keys,” or whatever you want to call them. We don’t know how to design a third-party access system that checks for morality; once we build in such access, we then have to ensure that only the good guys can do it. And we can’t. Or, to quote The Economist: “…mathematics applies to just and unjust alike; a flaw that can be exploited by Western governments is vulnerable to anyone who finds it.”

  14. Tomi Engdahl says:

    OpenSSL audit kicks off for post-Heartbleed strengthening program
    We can rebuild him. We have the technology. We can make him better…stronger…faster
    http://www.theregister.co.uk/2015/03/10/openssl_audit/

    A major audit of the ubiquitous OpenSSL web security protocol is set to commence under a US$1.2 million industry commitment to harden open source technologies.

    OpenSSL is first off the rank under the Linux Foundation’s Core Infrastructure Initiative given its popularity and lack of in-depth security review.

    “OpenSSL has been reviewed and improved by the academic community, commercial static analyser companies, validation organisations, and individual review over the years but this audit may be the largest effort to review it, and is definitely the most public,” says security outfit Cryptography Services in post announcing their involvement in the audit.

    “Serious flaws in OpenSSL cause the whole Internet to upgrade, and in the case of flaws like Heartbleed and EarlyCCS, upgrade in a rush.

    “We know that with what may be the highest profile audit conducted on an open source piece of software, the internet is watching.”

    The audit organised by the Open Crypto Audit Project will first focus on TLS stacks examining protocol flow, state transitions, high-profile cryptographic algorithms, and memory management, the company says.

    It will cover a sufficient amount of the codebase to be a “useful component” in the wider effort to secure OpenSSL.

    First results of the audit are expected around July. The audit begins on the back of OpenSSL code reviews completed last month launched engineer Matt Caswell says on the realisation that coding was “very unusual”, “inconsistently applied” and not formally defined.

  15. Tomi Engdahl says:

    Michael Mimoso / Threatpost:
    Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability
    https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565

    Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old patch for a vulnerability exploited by Stuxnet was incomplete and machines have been exposed since 2010, but today is also Patch Tuesday and the updated Stuxnet patch is one of 14 bulletins released by Microsoft.

    Five of the bulletins are rated critical by Microsoft, and include another Internet Explorer rollup and a patch for the recently disclosed FREAK attack.

  16. Tomi Engdahl says:

    Cisco FREAKs out, starts epic OpenSSL bug-splat
    Happy weekend, network admins
    http://www.theregister.co.uk/2015/03/13/cisco_freaks_out_starts_epic_openssl_bugsplat/

    Cisco admins will be watching and waiting for fixes, with the company announcing that many of its OpenSSL implementations are carrying a bunch of post-POODLE fleas.

    The list includes the notorious “FREAK” bug – CVE-2015-0204 – and Cisco’s advisory contains an exhaustive list of products vulnerable, not vulnerable, and still under investigation.

  17. Tomi Engdahl says:

    Pub O’clock probe finds thousands of repeated 512-bit RSA keys
    FREAK-finding expedition finds one key on 28,000 hosts … who sells this rubbish?
    http://www.theregister.co.uk/2015/03/17/freakscan_turns_up_thousands_of_repeated_512bit_rsa_keys/

    Four researchers, a zmap scan and a Friday afternoon have shown that while sys admins are cleaning the FREAK bug out of their Web servers, broadband routers remain a perpetual feast.

    The boffins from Royal Holloway at the University of London – Martin Albrecht, Davide Papini, Kenneth Paterson and Ricardo Villanueva-Polanco – started with a scan of the IPv4 address space using zmap, to see how many TLS-supporting servers could still be asked to dip back to 512-bit ciphers.

    “Of 22,730,626 hosts supporting TLS that we discovered, 2,215,504 offered export-grade RSA keys (all at 512 bits) when probed”, their paper states – a vulnerability rate which is lower than that reported when FREAK was first discovered.

    That’s a good thing, since it suggests that sysadmins have been turning off support for “export-grade” encryption since FREAK was first discovered.

    That’s also where the good news from the study ends, though, because the researchers made the stunning discovery that there are “large clusters of repeated moduli” – in other words, that some 512-bit RSA keys out there are repeated.

    In the case of the key that turned up more than 28,000 times, the researchers say it was associated with an unnamed broadband router with an SSL VPN module – in other words, Vulture South guesses, we’re talking about the persistent stupidity among vendors of generating a single key and hard-coding it into the device.

    Such vulnerabilities are not surprising to anyone familiar with the security of home-grade equipment – merely depressing.

    Broadband routers: SOHOpeless and vendors don’t care
    Basic net access device in millions of homes is an insult to IT
    http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/

  18. Tomi Engdahl says:

    Researchers find same RSA encryption key used 28,000 times
    http://www.itworld.com/article/2897775/researchers-find-same-rsa-encryption-key-used-28000-times.html

    What if the key to your house was shared with 28,000 other homes?

    That’s essentially what researchers with Royal Holloway of the University of London discovered last week while scanning the Internet to see how many servers and devices are still vulnerable to the Web security flaw known as “FREAK.”

    They found that 9.7 percent of nearly 23 million hosts, or around 2.2 million, are still accepting 512-bit keys, a surprising number considering the seriousness of FREAK and that more than two weeks have passed since it was made public.

    In one egregious example, 28,394 routers running an SSL VPN module all use the same 512-bit public RSA key.

    That never should have happened.

    The process for generating good, random prime numbers for public keys takes some effort, however. Software in devices such as routers needs to have a good source of random bits in order to generate unique primes, which they often don’t have, Paterson said.

    What likely happened is that a manufacturer generated one key and then installed it on many, many devices.

    “That’s just laziness on the part of a manufacturer,” Paterson said in a phone interview. “This is cardinal sin. This is just not how cryptography should be done.”

    The danger is that an attacker could factor just one, 512-bit key and then potentially decrypt traffic exchanged by more than 28,000 devices that use the same key.

    Reply
  19. Tomi Engdahl says:

    Sensitive apps with 6.3 BILLION downloads found open to FREAK
    Banking, medical, and privacy apps join shoddy cipher list
    http://www.theregister.co.uk/2015/03/18/freaky_apps_litter_top_spots_in_apple_android_app_stores/

    Thousands of Android and Apple apps could lose sensitive financial and privacy data through exposure to the FREAK vulnerability, researchers say.

    The FREAK (Factoring RSA Export Keys) attack allowed sensitive data to be stolen before encrypted connections are secured by requesting weak export-grade 512-bit RSA keys.

    FireEye researchers Yulong Zhang, Hui Xue, Tao Wei, and Zhaofeng Chen crawled the app stores and found 1228 Android offerings vulnerable to FREAK.

    The apps had been downloaded 6.3 billion times in total.

    “After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers,” the team wrote in a report.

    “An attacker may launch a FREAK attack using man-in-the-middle techniques to intercept and modify the encrypted traffic between the mobile app and backend server.

    “The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside.”

    They found 771 popular Apple apps of a pool of 14,079 were vulnerable on iOS versions below 8.2.

    FREAK Out on Mobile
    https://www.fireeye.com/blog/threat-research/2015/03/freak_out_on_mobile.html

    Recent disclosure of the FREAK attack [1] raises security concerns on TLS implementations once again after Heartbleed [2]. However, freakattack.com devotes client-side security checks to various browsers only. In this blog, we examine iOS and Android apps for their security status against FREAK attacks as clients.

    Reply
  20. Tomi Engdahl says:

    HTTPS-crippling FREAK exploit affects thousands of Android and iOS apps
    Attackers can use FREAK to steal passwords for finance, shopping, or medical apps.
    http://arstechnica.com/security/2015/03/https-crippling-freak-exploit-hits-thousands-of-android-and-ios-apps/

    While almost all the attention paid to the HTTPS-crippling FREAK vulnerability has focused on browsers, consider this: thousands of Android and iOS apps, many with finance, shopping, and medical uses, are also vulnerable to the same exploit that decrypts passwords, credit card details, and other sensitive data sent between handsets and Internet servers.

    Security researchers from FireEye recently examined the most popular apps on Google Play and the Apple App Store and found 1,999 titles that left users wide open to the encryption downgrade attack. Specifically, 1,228 Android apps with one million or more downloads were vulnerable, while 771 out of the top 14,079 iOS apps were susceptible. Vulnerable apps were those that used—or in the case of iOS, could use—an affected crypto library and connected to servers that offered weak, 512-bit encryption keys. The number of vulnerable apps would no doubt mushroom when analyzing slightly less popular titles.

    When these servers connect to vulnerable end-user devices, attackers with the ability to monitor a connection—say someone on an unsecured Wi-Fi network or a rogue employee at an Internet service provider—can capitalize on the vulnerability. By injecting malicious packets into the flow, the attacker can first cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. The adversary can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website’s underlying private key. From that point on, the attacker can masquerade as the official website, a coup that allows the data to be read or modified as it passes between the site and the end user over the unsecured network.

    Reply
  21. Tomi Engdahl says:

    OpenSSL patch has 14 fixes including two biggies, but no Heartbleed
    But quick patching is still essential
    http://www.theinquirer.net/inquirer/news/2400597/openssl-gets-patch-for-mysterious-high-severity-issue

    DETAILS ARE STARTING to emerge about the scope of vulnerability updates in the latest patch for the OpenSSL protocol, released without notice or details yesterday, despite some vulnerabilities being marked as “high severity”.

    The first (CVE-2015-0291) could allow a denial-of-service attack to take place, said OpenSSL.

    “If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server,” it said.

    The second (CVE-2015-0204) relates to the FREAK flaw that has recently been doing the rounds. Originally it had been classed as low, but then it was decided that “recent studies have shown that RSA export cipher suites support is far more common”.

    OpenSSL (Secure Socket Layer) is a widely used standard for encrypting traffic between websites and servers.

    Fixes for OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf will be released today.

    Forthcoming OpenSSL releases
    http://marc.info/?l=openssl-announce&m=142653572011212&w=2

    Reply
  22. Tomi Engdahl says:

    Farbod Faraji / Electronic Frontier Foundation:
    New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities
    https://www.eff.org/deeplinks/2015/04/new-south-wales-attacks-researchers-who-warned-internet-voting-vulnerabilities

    A security flaw in New South Wales’ Internet voting system may have left as many as 66,000 votes vulnerable to interception and manipulation in a recent election, according to security researchers. Despite repeated assurances from the Electoral Commission that all Internet votes are “fully encrypted and safeguarded,” six days into online voting, Michigan Computer Science Professor J. Alex Halderman and University of Melbourne Research Fellow Vanessa Teague discovered a FREAK flaw that could allow an attacker to intercept votes and inject their own code to change those votes, all without leaving any trace of the manipulation.

    But instead of taking the researchers’ message to heart, officials instead attacked the messengers.

    The New South Wales (NSW) Internet voting system, iVote, was designed to make it easier for the disabled, residents not in NSW during voting hours, and rural residents 20 kilometers away from a polling location to vote. The problem is that the system was not ready to be one of the biggest online voting experiments in the world.

    Sadly, NSW officials seemed more interested in protecting their reputations than the integrity of elections. They sharply criticized Halderman and Teague, rather than commending them, for their discovery of the FREAK attack vulnerability.

    Criticizing Halderman and Teague for identifying security flaws in an Internet voting system is like criticizing your friend for pointing out that the lock on your front door doesn’t work.

    As Verified Voting notes: “Current systems lack auditability; there’s no way to independently confirm their correct functioning and that the outcomes accurately reflect the will of the voters while maintaining voter privacy and the secret ballot.” Indeed, the researchers’ discovery was not the first indication that New South Wales was not ready for an Internet voting system.

    Perhaps the Electoral Commission lashed out against Halderman and Teague because it has been forced to reckon with the potentially severe consequences of its flawed Internet voting system.

    Reply
  23. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Logjam crypto vulnerability affects tens of thousands of web and mail servers, browsers being updated with fix — HTTPS-crippling attack threatens tens of thousands of Web and mail servers — Diffie-Hellman downgrade weakness allows attackers to intercept encrypted data.

    HTTPS-crippling attack threatens tens of thousands of Web and mail servers
    http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/

    Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

    The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they’re communicating over an unsecured, public channel.

    The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad.

    “Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,”

    It wasn’t supposed to be this way

    Ironically, Diffie-Hellman is supposed to provide an additional layer of protection because it allows the two connected parties to constantly refresh the cryptographic key securing Web or e-mail sessions. The so-called perfect forward secrecy that Diffie-Hellman makes possible significantly increases the work of eavesdropping because attackers must obtain the key anew each time it changes, as opposed to only once with other encryption schemes, such as those based on RSA keys. Logjam is significant because it shows that ephemeral Diffie-Hellman—or DHE—can be fatal to TLS when the export-grade ciphers are supported. Logjam is reminiscent of the FREAK attack that also allowed attackers to downgrade HTTPS connections to 512-bit cryptography.

    Reply
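Added example (not code from the page or from any article quoted above): a simplified, constructed simulation of the downgrade described in comments 20 and 23, showing the two client-side checks that stop FREAK (reject a temporary RSA key when a non-export suite was negotiated) and Logjam (reject a DH prime shorter than 1024 bits), and the server-side fix of not offering export suites at all. The suite names mirror real TLS names, but the handshake functions, the message model and the key sizes are assumptions made for this example.

```python
"""Toy model of the FREAK / Logjam downgrade and the client checks that block it.
Constructed example: a simplified handshake, not any real TLS implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STRONG = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
EXPORT = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"]
MIN_RSA_BITS = MIN_DH_BITS = 1024   # lower bounds a patched client enforces


@dataclass
class ServerKeyExchange:
    kind: str   # "rsa_tmp": temporary RSA key (FREAK); "dhe": DH parameters (Logjam)
    bits: int   # size of the RSA modulus or of the DH prime


def client_check(offered: List[str], chosen: str, ske: Optional[ServerKeyExchange],
                 patched: bool) -> Tuple[bool, str]:
    """Decide whether the client continues the handshake."""
    if chosen not in offered:
        return False, "suite not offered"
    if ske is None:                      # plain RSA key exchange: key comes from the cert
        return True, chosen
    if not patched:                      # behaviour before the CVE-2015-0204 fix
        return True, f"{ske.kind} {ske.bits}-bit"
    if ske.kind == "rsa_tmp" and "EXPORT" not in chosen:
        return False, "temporary RSA key in a non-export suite (FREAK)"
    if ske.kind == "rsa_tmp" and ske.bits < MIN_RSA_BITS:
        return False, "RSA key too small"
    if ske.kind == "dhe" and ske.bits < MIN_DH_BITS:
        return False, "DH prime too small (Logjam)"
    return True, f"{ske.kind} {ske.bits}-bit"


def handshake(client_offers, server_supports, ske_bits, mitm, patched_client):
    """One handshake; with mitm=True the attacker edits both Hello messages."""
    hello = EXPORT if mitm else client_offers            # tampered ClientHello
    chosen = next((s for s in hello if s in server_supports), None)
    if chosen is None:
        return False, "no common suite"                  # server-side fix: no export suites
    if "_DHE_" in chosen:                                # DHE suites carry DH params
        ske = ServerKeyExchange("dhe", ske_bits)
    elif "EXPORT" in chosen:                             # RSA_EXPORT carries a temp RSA key
        ske = ServerKeyExchange("rsa_tmp", ske_bits)
    else:
        ske = None
    if mitm:   # rewrite ServerHello to a suite the client really offered, same family
        chosen = next((s for s in client_offers
                       if ("_DHE_" in s) == ("_DHE_" in chosen)), chosen)
    return client_check(client_offers, chosen, ske, patched_client)
```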
