Beta Brain - Oh, Look, Yet Another Cyber Vulnerability!
Maybe we should just stop writing about these since they no longer seem news and look more like a rerun of older posts. But creating awareness of the importance of the security of your data is worth the risk of sounding repetitive.
A new vulnerability, LogJam, was discovered by researchers at Microsoft and a number of US and French universities. The LogJam attack vulnerability would allow an attacker to decrypt secured communications. It affects the Transport Layer Security protocols that web sites, VPN servers and mail servers use to encrypt traffic.
Researchers say that the Diffie-Hellman key exchange can be compromised by a “man-in-the-middle” attack. The Diffie-Hellman key exchange is a popular cryptographic algorithm used by a browser and a server to agree on a shared key and negotiate a secure connection for communication. It was until now considered highly secure because the key is not static, it can be refreshed or changed. To be able to spy on such traffic, an attacker must determine each new key. But researchers say that by intercepting the communication, a hacker could downgrade the encryption level so that it can be easily cracked. This means they could ensure a 512-bit key was used rather than a more complicated one.
Even though this security flaw is being treated as severe, many security experts are stating that its reach is limited, as the hacker would have to be on the same network as the target to be able to exploit it. Web-browser makers have agreed on fixing this vulnerability by making sure their software block 512-bit or weaker encryption keys.
Microsoft patched the vulnerability in Internet Explorer browsers last week. Patches for Chrome, Firefox and Safari are in development and should be out in the next “few days”.
What do you need to do?
If you use a browser:
Make sure you have the most recent version of your browser installed, and check for updates frequently. Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack.
If you’re a sys admin:
Make sure any TLS libraries you use are up-to-date and that you reject Diffie-Hellman Groups smaller than 1024-bit.
You can read more about LogJam in the researchers’ blog.