Freak Attack: What You Need To Know

Remember the Heartbleed vulnerability in SSL/TLS (security protocols for the Internet)? There is a newly discovered vulnerability called the Freak Attack that was making the rounds in cryptography circles on the night of March 3, 2015. Sites that support RSA export cipher suites are highly vulnerable to this bug, and that’s quite a number of sites (into the millions), including many government sites, not the least of which were the NSA site, the IRS, whitehouse.gov and the FBI tip reporting site. Even the site that supports the Facebook “like” button (connect.facebook.net) was vulnerable. If you run a server, the advice is to disable support for any export suites.

You can read more about what happened here: http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/

Patches are getting rolled out, so this should be closed up soon. But what’s interesting (and also appropriate), according to Matt Green, cryptographer and Research Professor at Johns Hopkins University, is that this latest vulnerability was really a result of some decisions made in the 80’s to weaken cryptography so that the NSA could “access” information it deemed it needed, while still giving a passable grade of security for commercial use. You can read about how China now wants to do the same. In that regard, it seemed fitting to a number of us that the NSA site was the first affected.

What’s being done

4 things.
1) Apple and Google have released patches so the TLS vulnerability will be addressed.
2) US CERT has issued a vulnerability release with actionables.
3) This headline: Outdated Encryption Keys Leave Phones Vulnerable to Hackers. Note: this is the second article in the last few days that I have observed pointedly spelling out “National Security Agency” in every instance it’s mentioned, which obviously points to the current negative connotations of the acronym “NSA”. It also leads one to ask: who made the request to the news agencies to spell it out (if it was made)?
4) It looks like it’s showdown time between the big techs and the Gov on this issue. Because if they (the security folks) lose, there is no way any of us providing security can honestly assure you of a high uptime or protection.

How to protect your Windows system, well sort of…

You can test your browser support, and if you haven’t already tested your Windows system (specifically your IE browser) for FreakAttack, here’s the link where you can do that: https://freakattack.com/clienttest.html

My advice? It would also be a good time to say goodbye to IE and switch to Chrome or Firefox, because MS only has a workaround for some systems as of yesterday’s security update. Your system has to have a Group Policy Editor for the workaround to, uh, work. But, hey, if you have Group Policy Editor, here’s the fix:
1) Tap on the Windows-key and type gpedit.msc and hit enter.
2) Use the left sidebar to navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
3) Double-click on SSL Cipher Suite Order.
4) Switch the policy to “enabled”.
5) Copy the Cipher suite order from Microsoft’s advisory page to the clipboard, and paste it into the SSL Cipher Suites form.
6) Click OK and restart your computer.

Of course, once you do this, Windows won’t connect to systems that only offer unsupported ciphers (ones not on the list you have added in Group Policy Editor). You can disable the policy in future if needed. Take my advice – switch to Chrome.
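To confirm the Group Policy steps above took effect, the following PowerShell check (an added example, not from Microsoft’s advisory or the original post) reads the cipher suite order that the SSL Cipher Suite Order policy writes to the registry and flags any export-grade suite still on the list. The sample order string is constructed for illustration, and the function names are hypothetical.

```powershell
# Registry location written by the "SSL Cipher Suite Order" policy:
# a comma-separated list of suite names in the "Functions" value.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ExportSuite {
    # Return every suite in a comma-separated order string whose Schannel name
    # marks it as export-grade (e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5).
    param([string]$Order)
    $Order -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -match 'EXPORT' }
}

function Test-CipherSuitePolicy {
    # Summarise the policy: is it set, how many suites, which are export-grade.
    param([string]$Key = $PolicyKey)
    $value = (Get-ItemProperty -Path $Key -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $value) {
        # Key or value missing: the policy is "Not Configured" or disabled.
        return [pscustomobject]@{ Configured = $false; SuiteCount = 0; ExportSuites = @() }
    }
    # Normally a single string; join defensively in case it is multi-string.
    $order  = $value -join ','
    $suites = @($order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        Configured   = $true
        SuiteCount   = $suites.Count
        ExportSuites = @(Get-ExportSuite -Order $order)
    }
}

# Constructed sample: an order string that still carries two export suites.
$sample = 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_128_CBC_SHA,' +
          ' TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5'
'Export suites in sample: ' + ((Get-ExportSuite -Order $sample) -join ', ')

# Check the live policy on this machine.
$result = Test-CipherSuitePolicy
if (-not $result.Configured) {
    'SSL Cipher Suite Order policy is not configured; the system default order applies.'
} elseif ($result.ExportSuites.Count -gt 0) {
    "Policy still lists export suites: $($result.ExportSuites -join ', ')"
} else {
    "Policy lists $($result.SuiteCount) suites, none export-grade."
}
```

Run it after the restart in step 6; a “not configured” result means the policy was never applied and the machine is still using its default suite order.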

Image source: Bounceweb.com
