Researchers hack NSA’s website with only $104 and 8 hours of Amazon’s cloud computing power using the #FREAK vulnerability
A group of researchers needed only $104, 8 hours of Amazon’s cloud computing power and, of course, FREAK to hack the NSA’s website. The researchers turned the NSA’s own website into a guinea pig for FREAK, the newly disclosed internet flaw whose main cause was the NSA’s anti-encryption policies.
The bug, which was disclosed by Akamai and subsequently reported by Techworm on Monday, allows any potential hacker to intercept a supposedly secure connection between vulnerable websites and people using Android or Apple devices, or PCs running Mac OS X and the Safari browser. The vulnerable websites may number in the thousands and include NSA.gov, FBI.gov and Whitehouse.gov.
Actually, this isn’t a flaw; it is a mis-implementation of encryption policies by the United States, and in a way by the NSA, so that they could have a non-encrypted backdoor on every mobile. It would be stupid to assume that the NSA created a massive security hole, one that allows hackers to impersonate an affected website and steal confidential data like passwords and logins, without knowing it was doing that.
FREAK is a very good example of how governments across the world implement backdoors to spy on systems and create a Frankenstein’s monster which they can no longer control. Echoing similar thoughts, Ed Felten, professor of computer science at Princeton University, said FREAK was a “good example of what can go wrong when government asks to build weaknesses into security systems.”
“In the current climate, it felt like the appropriate website to mount a man-in-the-middle attack on,” said Bhargavan, who is a member of the group that disclosed the bug.
What is FREAK
United States law stipulated that US tech companies could export products with weaker 512-bit keys outside the United States, while allowing them to use the best and strongest encryption for domestic consumption.
However, when the restrictions were dropped, tech companies that were still using the weaker 512-bit keys did not bother to upgrade to the latest encryption standards, leaving them vulnerable to the man-in-the-middle (MITM) flaw called FREAK.
Another group of researchers at the University of Michigan performed a scan of the Internet to find out how many websites were susceptible to this NSA backdoor bug. According to Motherboard, as of Tuesday, they found that more than 36% of websites that support web encryption (TLS or SSL) were vulnerable, including 12.2% of the top 1 million websites in the world. Among them were bloomberg.com, americanexpress.com, the NSA website and the FBI’s site for anonymous tips.
“We didn’t think there’d be sites supporting these really ancient export cipher suites,” said Karthikeyan, who works for a French research group called Prosecco, which is part of Paris-based INRIA.
The researchers said that the bug also affected a Facebook website (connect.facebook.net) which hosts the script for Facebook’s “Like” and login buttons that are included in innumerable websites on the Internet.
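For administrators checking their own servers, the following added example (not code from the article or the researchers) classifies the first TLS record a server returns when a test client has offered only RSA export cipher suites. The function name and the sample records are constructed for illustration; the suite numbers are the RSA_EXPORT identifiers from RFC 2246.

```python
import struct

# RSA export-grade suites (RFC 2246): the ones tied to 512-bit RSA keys.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def classify_reply(record: bytes) -> str:
    """Classify a server's first TLS record after an export-only ClientHello."""
    if len(record) < 5:
        return "malformed"
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        return "malformed"                  # truncated record
    if ctype == 0x15:                       # alert: the offer was rejected
        return "refused"
    if ctype != 0x16 or len(body) < 4 or body[0] != 0x02:
        return "malformed"                  # not a handshake / ServerHello
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello layout: version(2) random(32) sid_len(1) sid suite(2) ...
    if len(hello) < 35:
        return "malformed"
    off = 35 + hello[34]                    # skip the session id
    if len(hello) < off + 2:
        return "malformed"
    suite = int.from_bytes(hello[off:off + 2], "big")
    name = RSA_EXPORT_SUITES.get(suite)
    if name:
        return f"accepts export suite {name}"
    return f"chose non-export suite 0x{suite:04x}"

def _server_hello(suite: int) -> bytes:
    """Build a minimal constructed ServerHello record for the samples below."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed sample replies (not captured from any real server).
SAMPLE_EXPORT = _server_hello(0x0003)
SAMPLE_MODERN = _server_hello(0x002F)
SAMPLE_ALERT = bytes.fromhex("15030100020228")   # fatal handshake_failure

if __name__ == "__main__":
    for sample in (SAMPLE_EXPORT, SAMPLE_MODERN, SAMPLE_ALERT):
        print(classify_reply(sample))
```

A server that answers "refused" to such a probe has export suites disabled, which is the server-side fix.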
However, all is not lost. The major obstacle for any cyber criminal exploiting this vulnerability is that the attacker and the target victim’s computer have to be on the same network. It also has to be an insecure public network, like one in a coffee shop or airport lounge, and finally, the target has to be visiting a vulnerable website (there are quite a few out there) while using a vulnerable device.
Source: Motherboard.