Ninety-five per cent of the world's smartphones in use today have been wide open to a decade-old flaw that would have enabled attackers to steal passwords and other sensitive data.

The security flaw, dubbed "Freak", would have exposed visitors to US government websites - and possibly many more - to drive-by attacks. The websites that exploited the flaw included Whitehouse.gov, NSA.gov and FBI.gov.

News of the flaw was made public when internet company Akamai revealed in a corporate blog for customers that it was working to provide a fix. The flaw was discovered following last year's discovery of a catastrophic flaw in OpenSSL.

"The problem is that, until CVE 2015-0204 was raised - and fixed - an OpenSSL client using strong ciphers (anything other than export) could be tricked into accepting such a weak key. An attacker connects to the web server with an export cipher and gets a message signed with the weak RSA key, wrote Akamai's Rich Salz.

He continued: "He then cracks that key. The following day, for future connections from innocent browsers, he can act as a man in the middle. The attacker will use the cracked key to connect to clients, who will accept it. The attacker will then have access to all communication between the client and server. A server that does not support the export ciphers will never use the export RSA key and never send it to a client. A client that has the CVE fixed will never accept such a key."

The security flaw was found by a team of researchers from Microsoft and IT security organisations in the US, France and Spain. It was the result of a ban on US exports of "strong" encryption until the late 1990s, which saw much weaker security standards adopted in widely used software instead. The use of that software continued as a result of inertia in the IT industry, even after the US export ban was lifted.

"Researchers discovered in recent weeks that they could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook 'Like' button," reported the Washington Post.

John Hopkins University cryptographer Matthew Green, one of the researchers who helped uncover the flaw, said that it demonstrated the folly of governments attempt to mandate backdoors into secure software so that they could eavesdrop on people's online and communications activities.

Weakening security, he said, added complexity that attackers with nefarious intent could - and would - exploit. "When we say this is going to make things weaker, we're saying this for a reason."

The name "Freak" stands for "factoring related attack on RSA keys" and describes how the attack works against the Data Encryption Standard (DES) when one system authenticates with another.

See more here:
Encryption flaw opened Android and Apple smartphones to online drive-by attacks

By Megan Williams, contributing writer

You and your healthcare IT clients could be facing even more legislation around healthcare data, and this time, its about encryption.

Currently, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act do not contain mandates around encryption, but that may soon change. The Senate Health, Education, Labor, and Pensions committee is rethinking its approach to encryption in their efforts to revisit HIPAA, according to FierceHealthIT.

The legislation is coming up on its 20-year anniversary, and many in the industry feel regulations around encryption dont properly address the new security threats that are becoming so common in the healthcare sector.

HITECH

The answer to HIPAAs lack of focus on encryption came in 2009 in the form of the HITECH Act, which, much like todays Meaningful Use initiatives, placed incentives around encryption, and avoided imposing a rigid solution across the industry. Indiana University law professor, Nicolas Terry told the AP, that it seemed like a reasonable balance at the time, but that recent events may have proven the compromise unworkable.

Basically, the industry hasnt gone for the incentives in big enough ways. Over 40 percent of healthcare employees arent using full-disk, or file-level encryption devices at work, according to a Forrester research report, leaving huge segments of the industry vulnerable, just as attacks are increasing, and growth in security-testing concepts like the Internet of Things are taking off.

The current chair of the HIMSS Privacy And Security Policy Task Force doesnt believe much will happen, though, before the next presidential election.

On a smaller level, states like New Jersey have taken the lead, and enacted legislation requiring health insurance companies to encrypt patient information, according to NJ.com. All insurance companies using data containing personal information must either protect that data by encryption, or by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.

Where Encryption Falls Short

See the original post:
Will HIPAA Require Encryption?