The Wall Street Journal broke the news of the LogJam computer bug in web browsers that has the potential impact of making more than 20,000 websites unreachable.
Branden Spikes is founder, CEO and CTO of Spikes Security (www.spikes.com) which develops technology for secure online web browsing:
“It’s a good move for browsers to raise the bar on encryption key strength as compute power increases, and hackers gain access to botnets and cryptocurrency mining devices which make key cracking a bit too trivial for comfort. I think you can probably blame this archaic support for weak keys on the US cryptography export laws, which are hopefully well enough in our rear view mirror by now to move on.
What really concerns me about LogJam and vulnerabilities giving hackers access to encrypted web traffic is that it further exposes browsers to “watering hole” attacks. Imagine if attackers gain credentials and access to content authoring suites at popular websites, and use this access to maliciously customize trusted content to spread malware via drive-by without any need for phishing.
It’s great that browsers are getting patched to address this, but now the burden rests with users and IT professionals to distribute the patches. I think the task of updating billions of browsers on all platforms, including those browsers nested within mobile apps and IOT devices, might be daunting and take a long time. Suffice to say if LogJam gets exploited in the wild, we’re in for quite a busy summer. Centralized and efficient control of browsers should be top of mind for network administrators.”
Igor Baikalov, chief scientist, Securonix (www.securonix.com):
“The sensitivity to the number of impacted websites seems to be excessive. There are some organizations that either don’t care or don’t understand the implications of security vulnerabilities for their business. Just like some people who lock the door, but leave the key under the mat, these businesses employed secure protocol, but don’t bother to keep it secure. Let the market sort it out, and let’s push for stronger encryption.”
Ken Westin, senior security analyst, Tripwire (www.tripwire.com)
Like FREAK, the LogJam vulnerability takes advantage of legacy encryption standards imposed in the 90s by the U.S. government and tricks servers into using weaker 512-bit keys, which can be decrypted easily.
The vulnerability affects any server supporting DHE_EXPORT ciphers and all modern browsers.
Microsoft’s Internet Explorer was patched for this vulnerability last week and patches for Firefox, Chrome and Safari patches should be available soon.
Impact & Scope
This vulnerability is a flaw in the SSL protocol and has been present for more than 20 years, affecting HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS, so the vulnerability is very widespread.
However, to take advantage of this vulnerability, an attacker needs to be on the same network as the victim, such as on the same Wi-Fi network, so there is no indication of any remote exploit capability related to this vulnerability at this time.
Remediation
System administrators should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. The researchers who identified the vulnerability have provided a detailed guide “Guide to Deploying Diffie-Hellman for TLS,” as well as more technical details of the vulnerability on their website.
For more information visit HERE.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.