766 cloud services are still at risk to the4 FREAK vulnerability, 24 hours after details of it were made public.
According to analysis data from Skyhigh Networks of 10,000 services, 766 cloud services are still at risk. Nigel Hawthorn, EMEA director of strategy at Skyhigh Networks, said that if the website or cloud service is built around Apache, then FREAK is a serious vulnerability. “Until patches are made, it’s a case of pitting 90s technology against modern hackers – which is no contest,” he said.
““I’m old enough to remember the early days of the internet, when encryption was pretty pitiful. The fact that base levels of encryption are still accessible on so many websites is alarming. In theory, these low levels allow any device to communicate with any website using the strongest encryption possible. However, no one is accessing their bank account from an Acorn Computer and FREAK serves as a timely reminder that they should be put out to pasture.
“This is a potential vulnerability not just for websites but also for cloud services and our data shows that nearly 800 cloud services remain vulnerable. We recommend enterprises check the services that their users are accessing – both sanctioned cloud services and shadow cloud services. We’re talking about a sizable portion of the internet that’s vulnerable, and a very real threat.”
Skyhigh confirmed that it has contacted each of the cloud providers affected and is working with them to ensure they are aware of their vulnerability and perform remediation. The company has also alerted any customers that use affected services.
Andrew Manoske, senior product manager at AlienVault, said that is an example of how this threat should be taken seriously, even though it “only” allows you to significantly weaken the encryption used to protect a single protected “conversation” (session).
“Attackers still need to break that encryption,” he said. “This isn’t a difficult task for someone experienced in cryptography and cryptanalysis – or who has access to cryptoanlaytic suites and the experience to properly use such tools. But that added step adds additional work, and likely dissuades attackers from employing it rather than other vulnerabilities whose exploitation offers quicker access to systems or information.”
Revealed on Tuesday, the FREAK (Factoring attack on RSA-EXPORT Keys) flaw uses an encryption protocol from the early 1990s to intercept vulnerable clients and servers, and force them to use ‘export-grade’ cryptography, which can then be decrypted.