Windows Vulnerable to FREAK

Microsoft confirms that most production versions of Windows are susceptible to the FREAK vulnerability in Schannel (Secure Channel), where an attacker can force a downgrade of the SSL/TLS connection and then perform a man-in-the-middle attack. I last reported that FREAK only affected Google Android and Apple iPhone browsers.


Microsoft does suggest a workaround, a modification to the GPO (found here), which doesn’t fix the problem but will lessen the likelihood a little.

Posted in Security Blog | Tagged , , , , , , , , , , , | Comments Off on Windows Vulnerable to FREAK

Hillary Clinton. Email Admin.

Perhaps it’s because Government servers are strong hacker and espionage targets.

The New York Times reports that Hillary Clinton used only her personal email address (hdr22@clintonemail.com) while serving as Secretary of State. As others have reported, a hacker calling him or herself “Guccifer” claims to have compromised the email account of a former Clinton aide, revealing memos that Blumenthal purportedly wrote to then-Secretary of State Hillary Clinton about Benghazi and other matters.

Hillary’s habit of conducting official business through her personal email address came to light during the Benghazi investigation. As part of an inquiry into whether the former First Lady violated federal requirements, Clinton’s advisers recently handed over some 55,000 of her personal emails to State Department officials, but these were picked by those advisers, so it’s unknown exactly how large her personal email archive could be. It’s also unknown whether or not she used encryption or any security measures to protect those highly sensitive communications.


Factoring attack on RSA-EXPORT Keys (FREAK)

Researchers disclosed a new SSL/TLS vulnerability — the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered.

The ssl3_get_key_exchange function allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.

Read more here.
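
The conditions described above can be checked against observed handshakes. The following is an added example, not code from the researchers or from OpenSSL; the function names, finding labels and sample data are assumptions made for illustration, and only the three RSA_EXPORT suite IDs from RFC 2246 are covered.

```python
import struct

# RSA_EXPORT cipher suite IDs defined in RFC 2246 (TLS 1.0).
RSA_EXPORT = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Common non-export RSA key-exchange suites; a compliant server never sends
# a ServerKeyExchange message for these.
RSA_PLAIN = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}


def parse_suites(vector: bytes) -> list:
    """Decode a ClientHello cipher_suites vector: 2-byte length, 2-byte IDs."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", vector[:2])
    body = vector[2:]
    if length != len(body) or length % 2:
        raise ValueError("malformed cipher_suites vector")
    return [s for (s,) in struct.iter_unpack("!H", body)]


def audit_handshake(offered, selected, ske_rsa_bits=None):
    """Return findings for one observed handshake (hypothetical labels).

    ske_rsa_bits: modulus size of an ephemeral RSA key seen in a
    ServerKeyExchange message, or None if no such message was sent.
    """
    findings = []
    if any(s in RSA_EXPORT for s in offered):
        findings.append("client-offers-rsa-export")
    if selected in RSA_EXPORT:
        findings.append("server-selected-rsa-export")
    if selected not in offered:
        findings.append("selected-suite-not-offered")
    if selected in RSA_PLAIN and ske_rsa_bits is not None:
        # The noncompliant role: ephemeral RSA key in a non-export handshake.
        findings.append("ephemeral-rsa-key-in-non-export-handshake")
    if ske_rsa_bits is not None and ske_rsa_bits <= 512:
        findings.append("export-grade-rsa-key")
    return findings


# Constructed sample: a client offering AES128-SHA, AES256-SHA and 3DES only.
HELLO_SUITES = bytes.fromhex("0006" "002f" "0035" "000a")
```

A handshake that yields `ephemeral-rsa-key-in-non-export-handshake` matches the downgrade pattern: the client asked for ordinary RSA, yet an ephemeral RSA key was supplied anyway.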


I Just Want to Be Safe, I’m A ToysЯUs Kid!

Toys’Я’Us has not been breached, that they know of, but it has seen numerous attempts to break into user accounts, so it initiated a hard reset of all user accounts, with a friendly email asking users to create strong passwords.

It almost sounds like a phishing campaign, but it’s not!
Or is it?


Netflix Phishing

Bad guys are hitting up customers in Great Britain with phishing campaigns for the popular Netflix service. They are using a similar domain name called Netfixx, hoping people don’t catch the URL.

The form asks for name and card numbers. The website also captures the visitor’s IP address and if the visitor tries to go back to the page, it fails to load.


50,000 Names and Driver’s Licenses Disclosed in Uber Hack

According to Reuters, the ride company Uber was breached, and around 50,000 names and driver’s licenses of current and former employees were disclosed.

The breach happened in May of 2014 but wasn’t discovered until September 2014.

Uber also filed a lawsuit in a federal court in San Francisco on Friday against the unnamed individual who accessed the company’s files. Such litigation can be used to help uncover who committed the breach.

Thus, someone did it, they know who it was, but there aren’t details made public yet.


NSA Wants Access to Encrypted Data Too!

The director of the U.S. National Security Agency, Michael Rogers, wants access to encrypted data on computers and other devices.
He’s working on developing a framework that will enhance investigations.

This functionality should be enabled by software manufacturers, but hopefully will only be available to US government and not all those other nation states.
I’m surprised this isn’t going the China route.

Read more at IT World.


China Bans Security, or Wants to

China’s new counter terrorism law will require technology firms to hand over encryption keys and install security “backdoors”.
One source says “You are no longer allowed a VPN that’s secure, you are no longer able to transmit financials securely, or to have any corporate secrets. By law, nothing is secure.”

Read more on Reuters.


Net Neutrality Wins

The FCC has adopted net neutrality, effectively banning “throttling”!


Your Life Online After you Die
