Should You "FREAK" Out About the Latest Internet Security Threat?
Last week, researchers discovered a widespread computer vulnerability dubbed FREAK. Many web browsers, as well as web servers, are at risk. That means your passwords, credit card numbers, social security numbers, absolutely ANYTHING you transfer between your computer and a website, could potentially be accessed and stolen by hackers.
It is hard to say how many systems are affected, because FREAK depends on the combination of web server and web client (such as Internet Explorer or Google Chrome). The FREAK exploit allows an attacker to decrypt and read all data transferred between a vulnerable server and client, even though the connection appears to be secured with HTTPS. Microsoft has yet to release an update for its operating systems, but one should be available within the next month. (That is my guess, although it MAY even be released in today’s 03/10/2015 monthly Windows Update list.)
Every year or so, a major Internet vulnerability is discovered and published in the security community. Although the vulnerability may have actually existed for years, once made public, it is only a matter of time before “hackers” are scanning the Internet for at-risk systems.
The last major vulnerability was in OpenSSL, which also enables encrypted communications with web servers. That vulnerability, called Heartbleed, was in the wild for quite a while before being patched last April with an updated version of OpenSSL. Heartbleed affected an estimated 66% of the world's web servers. (Please note: it is always up to system administrators to actually apply the patch once available.)
Luckily, there is a workaround for FREAK that can be implemented through Group Policy on Microsoft domain networks, or on individual PCs on peer-to-peer networks, by disabling the at-risk encryption options. Most web browsers also have specific workarounds or updates available. Some businesses may only be protecting their own information, while others may need to ensure patient or client data is kept secure.
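The at-risk options are the "export-grade" cipher suites that FREAK relies on. As an added example (not part of the original article), the Python sketch below audits a cipher suite list for them and also asks the local OpenSSL build whether it can still negotiate any. It goes a little beyond FREAK's RSA case by flagging every export-grade suite in both Windows/IANA and OpenSSL naming; the sample lists are constructed for illustration.

```python
import re
import ssl

# Export-grade suites by naming scheme:
#   IANA / Windows Schannel: TLS_RSA_EXPORT_WITH_RC4_40_MD5, ..._EXPORT1024_..., ..._EXPORT40_...
#   OpenSSL:                 EXP-RC4-MD5, EXP1024-DES-CBC-SHA
_EXPORT = re.compile(r"(^|_)EXPORT(40|1024)?(_|$)|^EXP(1024)?-", re.IGNORECASE)

# Constructed sample: comma-separated list in the style of a Windows cipher suite order.
SAMPLE_POLICY_ORDER = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256, TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,"
    "SSL_CK_RC4_128_EXPORT40_WITH_MD5"
)
# Constructed sample: colon-separated list in OpenSSL naming.
SAMPLE_OPENSSL_LIST = "ECDHE-RSA-AES128-GCM-SHA256:EXP-RC4-MD5:!aNULL:EXP1024-DES-CBC-SHA"


def audit(order):
    """Return (export_grade, remaining) suite names, preserving list order."""
    weak, keep = [], []
    for name in re.split(r"[,:\s]+", order):
        if not name or name.startswith("!"):  # skip blanks and explicit exclusions
            continue
        (weak if _EXPORT.search(name) else keep).append(name)
    return weak, keep


def local_export_suites():
    """Export-grade suites that this Python's OpenSSL build can still offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        return []  # nothing matched: export suites are not available
    # TLS 1.3 suites always stay in the list, so filter by name as well.
    return [c["name"] for c in ctx.get_ciphers() if _EXPORT.search(c["name"])]


if __name__ == "__main__":
    for label, order in (("policy", SAMPLE_POLICY_ORDER), ("openssl", SAMPLE_OPENSSL_LIST)):
        weak, keep = audit(order)
        print(f"{label}: remove {weak}")
        print(f"{label}: keep   {keep}")
    print("local OpenSSL export suites:", local_export_suites() or "none")
```

Any name reported under "remove" should be dropped from the configured list before it is deployed; an empty result from the local check means the client library cannot be pushed down to export-grade encryption.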
A website has been set up with up-to-date details, links to more information, and a few self-test tools for the FREAK vulnerability: https://freakattack.com/
If you think you or your business may need to mitigate this latest Internet threat, or believe it may be time to perform overdue system maintenance or upgrades, please contact the Relia IT office at 256-415-7501.