LogJam: Latest internet vulnerability putting your confidential information at risk
First there was Heartbleed, then Poodle, Shellshock, and Freak, and now we have LogJam - the latest vulnerability to be uncovered which is threatening our online security.
The bug is very similar to the Freak flaw uncovered in March 2015 which affected the cryptographic protocols which are used to secure online communications.
What is LogJam?
LogJam, detailed by researchers this week, is a vulnerability which could allow hackers to monitor secure online communications by taking advantage of a deliberately weakened security protocol which is a legacy of the 1990s (see more on this below).
This means that should hackers (or government agencies) wish to do so, they could monitor and capture you private emails, passwords, banking credentials, and much more, despite websites, mail servers and VPNs using the "secure" HTTPS standard.
How does LogJam work?
Many websites and mail servers exchange what is known as a Diffie-Hellman encryption key when they are communicating with end users and the LogJam researchers have discovered that these keys are not as secure as previously thought.
The flaw would allow an attacker to downgrade the encryption protocol used in secure online communications (known as TLS) to 512-bit "export-grade" cryptography which is relatively easier to crack.
But that's not the only problem...
The researchers also found that the vast majority of servers reset the same few long numbers to generate their Diffie-Hellman keys which means hackers could simply focus on these numbers to crack the encryption.
How many websites are affected by LogJam?
According to the researchers, 8.4% of the top million domains on the internet are affected, which makes LogJam a pretty big problem. The researchers go further, suggesting that if the most common 1024-bit number used to generate Diffie-Hellman keys has been cracked (by, say, a nation state) then up to 18% of the top one million domains are at risk.
Unlike Freak which only affected certain web browsers, LogJam affects all browsers including Chrome, Internet Explorer, Firefox and Safari.
Has LogJam been exploited?
We can't say for certain yet if the LogJam vulnerability has been exploited in the wild, but in their white paper on the flaw, the researchers suggest that the US government could have exploited it:
"We estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break."
Can it be fixed?
Yes, the fix is relatively easy. Just stop using the weaker Diffie-Hellman encryption keys and reject anything less that 1024-bit. The problem is that while browsers can easily block these (as most are now doing), it requires those in charge of websites and servers to manually tweak the settings of vulnerable services which could take some time.
How do I check if I am vulnerable to LogJam attack?
Simply visit this website on your browser and it will tell you if you are vulnerable.
Why does LogJam exist?
The problem dates back to the early 1990s when the US government decided that it wanted to weaken the encryption standards on products being shipped overseas by US companies.
It required the companies to downgrade the encryption being used from strong RSA grade encryption to "export-grade" encryption. At the time this "export-grade" encryption was still relatively strong, requiring a supercomputer to be able to crack the 512-bit encryption key, meaning only the US government were likely to be able to exploit the vulnerability.
However with the rapid advance in computing, this is no longer the case, and with access to huge computing power through the likes of Amazon's cloud computing service AWS, anyone could potentially exploit the LogJam bug.
What do the experts say about LogJam?
Ivan Ristic, from Qualys, says LogJam is a reminder that supporting outdated security methods is not best practice:
LogJam is yet another reminder that supporting obsolete cryptography is never a good idea. Even though TLS provides a negotiation mechanism that should in theory enable modern clients to communicate using only strong security, in practice there are ways to abuse either the clients or the protocol and perform downgrade attacks.
Ken Simpson, CEO of MailChannels calls LogJam an "extreme threat" to your cyber-security:
Organisations cannot afford to rest on their laurels when it comes to cyber-security. Hackers are constantly seeking to exploit vulnerabilities; Heartbleed, FREAK and now LogJam all take advantage of cybersecurity complacency. The LogJam attack on common implementations of Diffie-Hellman is an extreme threat to security and privacy. In all likelihood, nation state actors are already using this attack to snoop encrypted VPN, email and web connections. Companies need to ensure they constantly examine their own digital defences keeping security software up-to-date and as this attack highlights, patching flaws before hackers take advantage.
Bob West from CipherCloud points out the dangers of deliberately putting backdoors into our systems:
LogJam is the latest significant flaw that undermines the security of the internet. It is a cautionary tale for our lawmakers and leaders who are under pressure by government groups to weaken encryption. As stated in this letter to President Obama, diluting the strength of encryption for one group creates a vulnerability that can be exploited by any group. Human rights, privacy and the resilience of our economy will be the casualties if back doors are created in encryption solutions.
© Copyright IBTimes 2024. All rights reserved.