<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: FREAK attack on HTTPS</title>
	<atom:link href="http://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Wed, 22 Apr 2026 08:40:06 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1393662</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 20 May 2015 14:30:39 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1393662</guid>
		<description><![CDATA[Dan Goodin / Ars Technica: 	
Logjam crypto vulnerability affects tens of thousands of web and mail servers, browsers being updated with fix  —  HTTPS-crippling attack threatens tens of thousands of Web and mail servers  —  Diffie-Hellman downgrade weakness allows attackers to intercept encrypted data.

HTTPS-crippling attack threatens tens of thousands of Web and mail servers
http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/

Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.

The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they&#039;re communicating over an unsecured, public channel.

The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. 

&quot;Logjam shows us once again why it&#039;s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,&quot;

It wasn&#039;t supposed to be this way

Ironically, Diffie-Hellman is supposed to provide an additional layer of protection because it allows the two connected parties to constantly refresh the cryptographic key securing Web or e-mail sessions. The so-called perfect forward secrecy that Diffie-Hellman makes possible significantly increases the work of eavesdropping because attackers must obtain the key anew each time it changes, as opposed to only once with other encryption schemes, such as those based on RSA keys. Logjam is significant because it shows that ephemeral Diffie-Hellman—or DHE—can be fatal to TLS when the export-grade ciphers are supported. Logjam is reminiscent of the FREAK attack that also allowed attackers to downgrade HTTPS connections to 512-bit cryptography.]]></description>
		<content:encoded><![CDATA[<p>Dan Goodin / Ars Technica:<br />
Logjam crypto vulnerability affects tens of thousands of web and mail servers, browsers being updated with fix  —  HTTPS-crippling attack threatens tens of thousands of Web and mail servers  —  Diffie-Hellman downgrade weakness allows attackers to intercept encrypted data.</p>
<p>HTTPS-crippling attack threatens tens of thousands of Web and mail servers<br />
<a href="http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/" rel="nofollow">http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/</a></p>
<p>Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.</p>
<p>The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they&#8217;re communicating over an unsecured, public channel.</p>
<p>The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad. </p>
<p>&#8220;Logjam shows us once again why it&#8217;s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,&#8221;</p>
<p>It wasn&#8217;t supposed to be this way</p>
<p>Ironically, Diffie-Hellman is supposed to provide an additional layer of protection because it allows the two connected parties to constantly refresh the cryptographic key securing Web or e-mail sessions. The so-called perfect forward secrecy that Diffie-Hellman makes possible significantly increases the work of eavesdropping because attackers must obtain the key anew each time it changes, as opposed to only once with other encryption schemes, such as those based on RSA keys. Logjam is significant because it shows that ephemeral Diffie-Hellman—or DHE—can be fatal to TLS when the export-grade ciphers are supported. Logjam is reminiscent of the FREAK attack that also allowed attackers to downgrade HTTPS connections to 512-bit cryptography.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1371856</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 07 Apr 2015 07:41:47 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1371856</guid>
		<description><![CDATA[Farbod Faraji / Electronic Frontier Foundation:
New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities
https://www.eff.org/deeplinks/2015/04/new-south-wales-attacks-researchers-who-warned-internet-voting-vulnerabilities

A security flaw in New South Wales’ Internet voting system may have left as many as 66,000 votes vulnerable to interception and manipulation in a recent election, according to security researchers. Despite repeated assurances from the Electoral Commission that all Internet votes are “fully encrypted and safeguarded,” six days into online voting, Michigan Computer Science Professor J. Alex Halderman and University of Melbourne Research Fellow Vanessa Teague discovered a FREAK flaw that could allow an attacker to intercept votes and inject their own code to change those votes, all without leaving any trace of the manipulation.

But instead of taking the researchers’ message to heart, officials instead attacked the messengers.

The New South Wales (NSW) Internet voting system, iVote, was designed to make it easier for the disabled, residents not in NSW during voting hours, and rural residents 20 kilometers away from a polling location to vote. The problem is that the system was not ready to be one of the biggest online voting experiments in the world.

Sadly, NSW officials seemed more interested in protecting their reputations than the integrity of elections. They sharply criticized Halderman and Teague, rather than commending them, for their discovery of the FREAK attack vulnerability. 

Criticizing Halderman and Teague for identifying security flaws in an Internet voting system is like criticizing your friend for pointing out that the lock on your front door doesn’t work.

As Verified Voting notes: &quot;Current systems lack auditability; there’s no way to independently confirm their correct functioning and that the outcomes accurately reflect the will of the voters while maintaining voter privacy and the secret ballot.&quot;  Indeed, the researchers&#039; discovery was not the first indication that New South Wales was not ready for an Internet voting system.

Perhaps the Electoral Commission lashed out against Halderman and Teague because it has been forced to reckon with the potentially severe consequences of its flawed Internet voting system.]]></description>
		<content:encoded><![CDATA[<p>Farbod Faraji / Electronic Frontier Foundation:<br />
New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities<br />
<a href="https://www.eff.org/deeplinks/2015/04/new-south-wales-attacks-researchers-who-warned-internet-voting-vulnerabilities" rel="nofollow">https://www.eff.org/deeplinks/2015/04/new-south-wales-attacks-researchers-who-warned-internet-voting-vulnerabilities</a></p>
<p>A security flaw in New South Wales’ Internet voting system may have left as many as 66,000 votes vulnerable to interception and manipulation in a recent election, according to security researchers. Despite repeated assurances from the Electoral Commission that all Internet votes are “fully encrypted and safeguarded,” six days into online voting, Michigan Computer Science Professor J. Alex Halderman and University of Melbourne Research Fellow Vanessa Teague discovered a FREAK flaw that could allow an attacker to intercept votes and inject their own code to change those votes, all without leaving any trace of the manipulation.</p>
<p>But instead of taking the researchers’ message to heart, officials instead attacked the messengers.</p>
<p>The New South Wales (NSW) Internet voting system, iVote, was designed to make it easier for the disabled, residents not in NSW during voting hours, and rural residents 20 kilometers away from a polling location to vote. The problem is that the system was not ready to be one of the biggest online voting experiments in the world.</p>
<p>Sadly, NSW officials seemed more interested in protecting their reputations than the integrity of elections. They sharply criticized Halderman and Teague, rather than commending them, for their discovery of the FREAK attack vulnerability. </p>
<p>Criticizing Halderman and Teague for identifying security flaws in an Internet voting system is like criticizing your friend for pointing out that the lock on your front door doesn’t work.</p>
<p>As Verified Voting notes: &#8220;Current systems lack auditability; there’s no way to independently confirm their correct functioning and that the outcomes accurately reflect the will of the voters while maintaining voter privacy and the secret ballot.&#8221;  Indeed, the researchers&#8217; discovery was not the first indication that New South Wales was not ready for an Internet voting system.</p>
<p>Perhaps the Electoral Commission lashed out against Halderman and Teague because it has been forced to reckon with the potentially severe consequences of its flawed Internet voting system.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1360783</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 20 Mar 2015 13:18:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1360783</guid>
		<description><![CDATA[OpenSSL patch has 14 fixes including two biggies, but no Heartbleed
But quick patching is still essential 
http://www.theinquirer.net/inquirer/news/2400597/openssl-gets-patch-for-mysterious-high-severity-issue

DETAILS ARE STARTING to emerge about the scope of vulnerability updates in the latest patch for the OpenSSL protocol, released without notice or details yesterday, despite some vulnerabilities being marked as &quot;high severity&quot;.

The first (CVE-2015-0291) could allow a denial-of-service attack to take place, said OpenSSL.

&quot;If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server,&quot; it said.

The second (CVE-2015-0204) relates to the FREAK flaw that has recently been doing the rounds. Originally it had been classed as low, but then it was decided that &quot;recent studies have shown that RSA export cipher suites support is far more common&quot;.

OpenSSL (Secure Socket Layer) is a widely used standard for encrypting traffic between websites and servers.

Fixes for OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf will be released today

Forthcoming OpenSSL releases
http://marc.info/?l=openssl-announce&amp;m=142653572011212&amp;w=2]]></description>
		<content:encoded><![CDATA[<p>OpenSSL patch has 14 fixes including two biggies, but no Heartbleed<br />
But quick patching is still essential<br />
<a href="http://www.theinquirer.net/inquirer/news/2400597/openssl-gets-patch-for-mysterious-high-severity-issue" rel="nofollow">http://www.theinquirer.net/inquirer/news/2400597/openssl-gets-patch-for-mysterious-high-severity-issue</a></p>
<p>DETAILS ARE STARTING to emerge about the scope of vulnerability updates in the latest patch for the OpenSSL protocol, released without notice or details yesterday, despite some vulnerabilities being marked as &#8220;high severity&#8221;.</p>
<p>The first (CVE-2015-0291) could allow a denial-of-service attack to take place, said OpenSSL.</p>
<p>&#8220;If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server,&#8221; it said.</p>
<p>The second (CVE-2015-0204) relates to the FREAK flaw that has recently been doing the rounds. Originally it had been classed as low, but then it was decided that &#8220;recent studies have shown that RSA export cipher suites support is far more common&#8221;.</p>
<p>OpenSSL (Secure Socket Layer) is a widely used standard for encrypting traffic between websites and servers.</p>
<p>Fixes for OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf will be released today</p>
<p>Forthcoming OpenSSL releases<br />
<a href="http://marc.info/?l=openssl-announce&#038;m=142653572011212&#038;w=2" rel="nofollow">http://marc.info/?l=openssl-announce&#038;m=142653572011212&#038;w=2</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1359377</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 18 Mar 2015 15:52:46 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1359377</guid>
		<description><![CDATA[HTTPS-crippling FREAK exploit affects thousands of Android and iOS apps
Attackers can use FREAK to steal passwords for finance, shopping, or medical apps.
http://arstechnica.com/security/2015/03/https-crippling-freak-exploit-hits-thousands-of-android-and-ios-apps/

While almost all the attention paid to the HTTPS-crippling FREAK vulnerability has focused on browsers, consider this: thousands of Android and iOS apps, many with finance, shopping, and medical uses, are also vulnerable to the same exploit that decrypts passwords, credit card details, and other sensitive data sent between handsets and Internet servers.

Security researchers from FireEye recently examined the most popular apps on Google Play and the Apple App Store and found 1,999 titles that left users wide open to the encryption downgrade attack. Specifically, 1,228 Android apps with one million or more downloads were vulnerable, while 771 out of the top 14,079 iOS apps were susceptible. Vulnerable apps were those that used—or in the case of iOS, could use—an affected crypto library and connected to servers that offered weak, 512-bit encryption keys. The number of vulnerable apps would no doubt mushroom when analyzing slightly less popular titles.

When these servers connect to vulnerable end-user devices, attackers with the ability to monitor a connection—say someone on an unsecured Wi-Fi network or a rogue employee at an Internet service provider—can capitalize on the vulnerability. By injecting malicious packets into the flow, the attacker can first cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. The adversary can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website&#039;s underlying private key. From that point on, the attacker can masquerade as the official website, a coup that allows the data to be read or modified as it passes between the site and the end user over the unsecured network.]]></description>
		<content:encoded><![CDATA[<p>HTTPS-crippling FREAK exploit affects thousands of Android and iOS apps<br />
Attackers can use FREAK to steal passwords for finance, shopping, or medical apps.<br />
<a href="http://arstechnica.com/security/2015/03/https-crippling-freak-exploit-hits-thousands-of-android-and-ios-apps/" rel="nofollow">http://arstechnica.com/security/2015/03/https-crippling-freak-exploit-hits-thousands-of-android-and-ios-apps/</a></p>
<p>While almost all the attention paid to the HTTPS-crippling FREAK vulnerability has focused on browsers, consider this: thousands of Android and iOS apps, many with finance, shopping, and medical uses, are also vulnerable to the same exploit that decrypts passwords, credit card details, and other sensitive data sent between handsets and Internet servers.</p>
<p>Security researchers from FireEye recently examined the most popular apps on Google Play and the Apple App Store and found 1,999 titles that left users wide open to the encryption downgrade attack. Specifically, 1,228 Android apps with one million or more downloads were vulnerable, while 771 out of the top 14,079 iOS apps were susceptible. Vulnerable apps were those that used—or in the case of iOS, could use—an affected crypto library and connected to servers that offered weak, 512-bit encryption keys. The number of vulnerable apps would no doubt mushroom when analyzing slightly less popular titles.</p>
<p>When these servers connect to vulnerable end-user devices, attackers with the ability to monitor a connection—say someone on an unsecured Wi-Fi network or a rogue employee at an Internet service provider—can capitalize on the vulnerability. By injecting malicious packets into the flow, the attacker can first cause the two parties to use a weak 512-bit encryption key while negotiating encrypted Web sessions. The adversary can then collect some of the resulting exchange and use cloud-based computing from Amazon or other services to factor the website&#8217;s underlying private key. From that point on, the attacker can masquerade as the official website, a coup that allows the data to be read or modified as it passes between the site and the end user over the unsecured network.</p>
]]></content:encoded>
	</item>
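The downgrade mechanism described in the comment above, as an added offline example that is not code from Ars Technica, FireEye or the original post: a probe that offers a server only the RSA_EXPORT cipher suites and reads from its first record whether it selected one, which is the server-side condition that makes a FREAK downgrade possible. The target name in the usage line is an assumption; the ServerHello messages used for offline checking are constructed here, not captured traffic.

```python
"""Offline FREAK probe logic (added example, not from the original page):
build a TLS 1.0 ClientHello that offers only the RSA_EXPORT cipher suites,
then decide from the server's first record whether it accepted one. A
correctly configured server answers such a hello with a handshake_failure
alert; one that returns a ServerHello selecting an export suite will hand a
512-bit RSA key to anyone who asks, which is what a FREAK man-in-the-middle
relies on."""
import os
import socket

# RSA_EXPORT suite codes from RFC 2246 appendix A.5 (the suites FREAK abuses).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS10 = b"\x03\x01"


def _u16(n):
    return n.to_bytes(2, "big")


def _u24(n):
    return n.to_bytes(3, "big")


def build_client_hello(suites=tuple(RSA_EXPORT_SUITES), random_bytes=None):
    """TLS 1.0 ClientHello record offering exactly `suites` and null compression."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    suite_bytes = b"".join(_u16(s) for s in suites)
    body = (TLS10 + rnd + b"\x00"                    # version, random, empty session id
            + _u16(len(suite_bytes)) + suite_bytes   # cipher_suites vector
            + b"\x01\x00")                           # compression_methods: [null]
    handshake = bytes([CLIENT_HELLO]) + _u24(len(body)) + body
    return bytes([RECORD_HANDSHAKE]) + TLS10 + _u16(len(handshake)) + handshake


def build_server_hello(suite, session_id=b""):
    """A ServerHello record selecting `suite`; used here only to construct
    offline test input in place of a real server's reply."""
    body = (TLS10 + os.urandom(32) + bytes([len(session_id)]) + session_id
            + _u16(suite) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + _u24(len(body)) + body
    return bytes([RECORD_HANDSHAKE]) + TLS10 + _u16(len(handshake)) + handshake


def negotiated_suite(data):
    """Cipher suite chosen in the ServerHello at the start of `data`, or None
    if the first record is not a handshake record carrying a ServerHello
    (for example a handshake_failure alert, record type 0x15)."""
    if not (len(data) >= 5 and data[0] == RECORD_HANDSHAKE):
        return None
    pos = 5                                  # first handshake message in the record
    while len(data) >= pos + 4:
        htype = data[pos]
        hlen = int.from_bytes(data[pos + 1:pos + 4], "big")
        body = data[pos + 4:pos + 4 + hlen]
        if htype == SERVER_HELLO and len(body) >= 37:
            sid_len = body[34]               # version(2) + random(32) precede it
            off = 35 + sid_len
            return int.from_bytes(body[off:off + 2], "big")
        pos += 4 + hlen
    return None


def server_accepts_export_rsa(server_bytes):
    """True when the server completed a ServerHello with an RSA_EXPORT suite."""
    return negotiated_suite(server_bytes) in RSA_EXPORT_SUITES


def probe(host, port=443, timeout=5.0):
    """Live check against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        reply = sock.recv(16384)
    return server_accepts_export_rsa(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed target
    print(target, "accepts RSA_EXPORT:", probe(target))
```

Against a live server, a first record byte of 0x15 (alert) means it refused the export-only offer; a ServerHello choosing 0x0003, 0x0006 or 0x0008 means it still serves a 512-bit RSA key on request. This checks only the server half of FREAK; the client half (CVE-2015-0204 in OpenSSL) is a client that accepts an export-grade ServerKeyExchange after negotiating a non-export RSA suite, and needs a separate test.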
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1359186</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 18 Mar 2015 11:22:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1359186</guid>
		<description><![CDATA[Sensitive apps with 6.3 BILLION downloads found open to FREAK
Banking, medical, and privacy apps join shoddy cipher list
http://www.theregister.co.uk/2015/03/18/freaky_apps_litter_top_spots_in_apple_android_app_stores/

Thousands of Android and Apple apps could lose sensitive financial and privacy data through exposure to the FREAK vulnerability, researchers say.

The FREAK (Factoring RSA Export Keys) attack allowed sensitive data to be stolen before encrypted connections are secured by requesting weak export-grade 512-bit RSA keys.

FireEye researchers Yulong Zhang, Hui Xue, Tao Wei, and Zhaofeng Chen crawled the app stores and found 1228 Android offerings vulnerable to FREAK.

The apps had been downloaded 6.3 billion times in total.

&quot;After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers,&quot; the team wrote in a report.

&quot;An attacker may launch a FREAK attack using man-in-the-middle techniques to intercept and modify the encrypted traffic between the mobile app and backend server.

&quot;The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside.&quot;

They found 771 popular Apple apps of a pool of 14,079 were vulnerable on iOS versions below 8.2. 

FREAK Out on Mobile
https://www.fireeye.com/blog/threat-research/2015/03/freak_out_on_mobile.html

Recent disclosure of the FREAK attack [1] raises security concerns on TLS implementations once again after Heartbleed [2]. However, freakattack.com devotes client-side security checks to various browsers only. In this blog, we examine iOS and Android apps for their security status against FREAK attacks as clients.]]></description>
		<content:encoded><![CDATA[<p>Sensitive apps with 6.3 BILLION downloads found open to FREAK<br />
Banking, medical, and privacy apps join shoddy cipher list<br />
<a href="http://www.theregister.co.uk/2015/03/18/freaky_apps_litter_top_spots_in_apple_android_app_stores/" rel="nofollow">http://www.theregister.co.uk/2015/03/18/freaky_apps_litter_top_spots_in_apple_android_app_stores/</a></p>
<p>Thousands of Android and Apple apps could lose sensitive financial and privacy data through exposure to the FREAK vulnerability, researchers say.</p>
<p>The FREAK (Factoring RSA Export Keys) attack allowed sensitive data to be stolen before encrypted connections are secured by requesting weak export-grade 512-bit RSA keys.</p>
<p>FireEye researchers Yulong Zhang, Hui Xue, Tao Wei, and Zhaofeng Chen crawled the app stores and found 1228 Android offerings vulnerable to FREAK.</p>
<p>The apps had been downloaded 6.3 billion times in total.</p>
<p>&#8220;After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers,&#8221; the team wrote in a report.</p>
<p>&#8220;An attacker may launch a FREAK attack using man-in-the-middle techniques to intercept and modify the encrypted traffic between the mobile app and backend server.</p>
<p>&#8220;The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside.&#8221;</p>
<p>They found 771 popular Apple apps of a pool of 14,079 were vulnerable on iOS versions below 8.2. </p>
<p>FREAK Out on Mobile<br />
<a href="https://www.fireeye.com/blog/threat-research/2015/03/freak_out_on_mobile.html" rel="nofollow">https://www.fireeye.com/blog/threat-research/2015/03/freak_out_on_mobile.html</a></p>
<p>Recent disclosure of the FREAK attack [1] raises security concerns on TLS implementations once again after Heartbleed [2]. However, freakattack.com devotes client-side security checks to various browsers only. In this blog, we examine iOS and Android apps for their security status against FREAK attacks as clients.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1358646</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 17 Mar 2015 16:56:03 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1358646</guid>
		<description><![CDATA[Researchers find same RSA encryption key used 28,000 times
http://www.itworld.com/article/2897775/researchers-find-same-rsa-encryption-key-used-28000-times.html

What if the key to your house was shared with 28,000 other homes?

That’s essentially what researchers with Royal Holloway of the University of London discovered last week while scanning the Internet to see how many servers and devices are still vulnerable to the Web security flaw known as “FREAK.”

They found that 9.7 percent of nearly 23 million hosts, or around 2.2 million, are still accepting 512-bit keys, a surprising number considering the seriousness of FREAK and that more than two weeks has passed since it was made public.

In one egregious example, 28,394 routers running a SSL VPN module all use the same 512-bit public RSA key.

That never should have happened. 

The process for generating good, random prime numbers for public keys takes some effort, however. Software in devices such as routers need to have a good source of random bits in order to generate unique primes, which they often don’t, Paterson said.

What likely happened is that a manufacturer generated one key and then installed it on many, many devices.

“That’s just laziness on the part of a manufacturer,” Paterson said in a phone interview. “This is cardinal sin. This is just not how cryptography should be done.”

The danger is that an attacker could factor just one, 512-bit key and then potentially decrypt traffic exchanged by more than 28,000 devices that use the same key.]]></description>
		<content:encoded><![CDATA[<p>Researchers find same RSA encryption key used 28,000 times<br />
<a href="http://www.itworld.com/article/2897775/researchers-find-same-rsa-encryption-key-used-28000-times.html" rel="nofollow">http://www.itworld.com/article/2897775/researchers-find-same-rsa-encryption-key-used-28000-times.html</a></p>
<p>What if the key to your house was shared with 28,000 other homes?</p>
<p>That’s essentially what researchers with Royal Holloway of the University of London discovered last week while scanning the Internet to see how many servers and devices are still vulnerable to the Web security flaw known as “FREAK.”</p>
<p>They found that 9.7 percent of nearly 23 million hosts, or around 2.2 million, are still accepting 512-bit keys, a surprising number considering the seriousness of FREAK and that more than two weeks has passed since it was made public.</p>
<p>In one egregious example, 28,394 routers running a SSL VPN module all use the same 512-bit public RSA key.</p>
<p>That never should have happened. </p>
<p>The process for generating good, random prime numbers for public keys takes some effort, however. Software in devices such as routers need to have a good source of random bits in order to generate unique primes, which they often don’t, Paterson said.</p>
<p>What likely happened is that a manufacturer generated one key and then installed it on many, many devices.</p>
<p>“That’s just laziness on the part of a manufacturer,” Paterson said in a phone interview. “This is cardinal sin. This is just not how cryptography should be done.”</p>
<p>The danger is that an attacker could factor just one, 512-bit key and then potentially decrypt traffic exchanged by more than 28,000 devices that use the same key.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1358408</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 17 Mar 2015 11:28:18 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1358408</guid>
		<description><![CDATA[Pub O&#039;clock probe finds thousands of repeated 512-bit RSA keys
FREAK-finding expedition finds one key on 28,000 hosts … who sells this rubbish?
http://www.theregister.co.uk/2015/03/17/freakscan_turns_up_thousands_of_repeated_512bit_rsa_keys/

Four researchers, a zmap scan and a Friday afternoon have shown that while sys admins are cleaning the FREAK bug out of their Web servers, broadband routers remain a perpetual feast.

The boffins from Royal Holloway at the University of London – Martin Albrecht, Davide Papini, Kenneth Paterson and Ricardo Villanueva-Polanco – started with a scan of the IPv4 address space using zmap, to see how many TLS-supporting servers could still be asked to dip back to 512-bit ciphers.

“Of 22,730,626 hosts supporting TLS that we discovered, 2,215,504 offered export-grade RSA keys (all at 512 bits) when probed”, their paper states – a vulnerability rate which is lower than that reported when FREAK was first discovered.

That&#039;s a good thing, since it suggests that sysadmins have been turning off support for “export-grade” encryption since FREAK was first discovered.

That&#039;s also where the good news from the study ends, though, because the researchers made the stunning discovery that there are “large clusters of repeated moduli” – in other words, that some 512-bit RSA keys out there are repeated.

In the case of the key that turned up more than 28,000 times, the researchers say it was associated with an unnamed broadband router with an SSL VPN module – in other words, Vulture South guesses, we&#039;re talking about the persistent stupidity among vendors of generating a single key and hard-coding it into the device.

Such vulnerabilities are not surprising to anyone familiar with the security of home-grade equipment - merely depressing.

Broadband routers: SOHOpeless and vendors don&#039;t care
Basic net access device in millions of homes is an insult to IT
http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/]]></description>
		<content:encoded><![CDATA[<p>Pub O&#8217;clock probe finds thousands of repeated 512-bit RSA keys<br />
FREAK-finding expedition finds one key on 28,000 hosts … who sells this rubbish?<br />
<a href="http://www.theregister.co.uk/2015/03/17/freakscan_turns_up_thousands_of_repeated_512bit_rsa_keys/" rel="nofollow">http://www.theregister.co.uk/2015/03/17/freakscan_turns_up_thousands_of_repeated_512bit_rsa_keys/</a></p>
<p>Four researchers, a zmap scan and a Friday afternoon have shown that while sys admins are cleaning the FREAK bug out of their Web servers, broadband routers remain a perpetual feast.</p>
<p>The boffins from Royal Holloway at the University of London – Martin Albrecht, Davide Papini, Kenneth Paterson and Ricardo Villanueva-Polanco – started with a scan of the IPv4 address space using zmap, to see how many TLS-supporting servers could still be asked to dip back to 512-bit ciphers.</p>
<p>“Of 22,730,626 hosts supporting TLS that we discovered, 2,215,504 offered export-grade RSA keys (all at 512 bits) when probed”, their paper states – a vulnerability rate which is lower than that reported when FREAK was first discovered.</p>
<p>That&#8217;s a good thing, since it suggests that sysadmins have been turning off support for “export-grade” encryption since FREAK was first discovered.</p>
<p>That&#8217;s also where the good news from the study ends, though, because the researchers made the stunning discovery that there are “large clusters of repeated moduli” – in other words, that some 512-bit RSA keys out there are repeated.</p>
<p>In the case of the key that turned up more than 28,000 times, the researchers say it was associated with an unnamed broadband router with an SSL VPN module – in other words, Vulture South guesses, we&#8217;re talking about the persistent stupidity among vendors of generating a single key and hard-coding it into the device.</p>
<p>Such vulnerabilities are not surprising to anyone familiar with the security of home-grade equipment &#8211; merely depressing.</p>
<p>Broadband routers: SOHOpeless and vendors don&#8217;t care<br />
Basic net access device in millions of homes is an insult to IT<br />
<a href="http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/" rel="nofollow">http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1356632</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 13 Mar 2015 08:32:10 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1356632</guid>
		<description><![CDATA[Cisco FREAKs out, starts epic OpenSSL bug-splat
Happy weekend, network admins
http://www.theregister.co.uk/2015/03/13/cisco_freaks_out_starts_epic_openssl_bugsplat/

Cisco admins will be watching and waiting for fixes, with the company announcing that many of its OpenSSL implementations are carrying a bunch of post-POODLE fleas.

The list includes the notorious “FREAK” bug – CVE-2015-0204 – and Cisco&#039;s advisory contains an exhaustive list of products vulnerable, not vulnerable, and still under investigation.]]></description>
		<content:encoded><![CDATA[<p>Cisco FREAKs out, starts epic OpenSSL bug-splat<br />
Happy weekend, network admins<br />
<a href="http://www.theregister.co.uk/2015/03/13/cisco_freaks_out_starts_epic_openssl_bugsplat/" rel="nofollow">http://www.theregister.co.uk/2015/03/13/cisco_freaks_out_starts_epic_openssl_bugsplat/</a></p>
<p>Cisco admins will be watching and waiting for fixes, with the company announcing that many of its OpenSSL implementations are carrying a bunch of post-POODLE fleas.</p>
<p>The list includes the notorious “FREAK” bug – CVE-2015-0204 – and Cisco&#8217;s advisory contains an exhaustive list of products vulnerable, not vulnerable, and still under investigation.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1355448</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 11 Mar 2015 07:55:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1355448</guid>
		<description><![CDATA[Apple Fixes FREAK Bug, iCloud Flaw in iOS 8.2
https://threatpost.com/apple-fixes-freak-bug-icloud-flaw-in-ios-8-2/111553]]></description>
		<content:encoded><![CDATA[<p>Apple Fixes FREAK Bug, iCloud Flaw in iOS 8.2<br />
<a href="https://threatpost.com/apple-fixes-freak-bug-icloud-flaw-in-ios-8-2/111553" rel="nofollow">https://threatpost.com/apple-fixes-freak-bug-icloud-flaw-in-ios-8-2/111553</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/03/04/freak-attack-on-https/comment-page-1/#comment-1355443</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 11 Mar 2015 07:51:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=30493#comment-1355443</guid>
		<description><![CDATA[Michael Mimoso / Threatpost:
Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability
https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565

Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old patch for a vulnerability exploited by Stuxnet was incomplete and machines have been exposed since 2010, but today is also Patch Tuesday and the updated Stuxnet patch is one of 14 bulletins released by Microsoft. 

Five of the bulletins are rated critical by Microsoft, and include another Internet Explorer rollup and a patch for the recently disclosed FREAK attack.]]></description>
		<content:encoded><![CDATA[<p>Michael Mimoso / Threatpost:<br />
Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability<br />
<a href="https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565" rel="nofollow">https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565</a></p>
<p>Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old patch for a vulnerability exploited by Stuxnet was incomplete and machines have been exposed since 2010, but today is also Patch Tuesday and the updated Stuxnet patch is one of 14 bulletins released by Microsoft. </p>
<p>Five of the bulletins are rated critical by Microsoft, and include another Internet Explorer rollup and a patch for the recently disclosed FREAK attack.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
