When news of the FREAK attack broke in the media earlier this week it caused alarm, because it affects millions of users worldwide. FREAK (Factoring RSA Export Keys) works because many servers still offer the 1990s "export-grade" cipher suites that use 512-bit RSA keys, and vulnerable clients accept such a key even when they never asked for one; an attacker sitting between client and server can force that downgrade, factor the 512-bit key in a matter of hours and then read or tamper with the session. Modern technology is built from older technology, and it is wrongly assumed that because so many others use the same building blocks nothing can go wrong. Those building blocks often cut corners, and once they become a critical part of a system they cannot be patched without breaking something else, as the developers scrambling to fix the damage caused by FREAK have found.
As we now know, the root cause lies in US government policy: the export regulations of the 1990s restricted the strength of cryptography that could be shipped abroad, the deliberately weakened cipher suites were written into the protocol and the libraries, and although the restrictions were relaxed around 2000 the code stayed behind. We have to wonder what other security delights await us. Has US government policy, past or present, left us with more security headaches that will be uncovered by researchers or, worse, by attackers? Since roughly one third of browser-trusted HTTPS sites were found to be vulnerable to FREAK, what are the odds of other issues suddenly making an unexpected appearance? Governments around the world should be auditing the technology they rely on to make sure that nothing like FREAK or Heartbleed can recur, and anything they find should be released into the public domain.
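The check a site operator or tester wants after reading the above is whether an endpoint still offers, or still selects, one of the export-grade suites. The following is an added example written for this post, not code from the original article or from any TLS library: it parses the cipher-suite fields of raw TLS ClientHello and ServerHello records and flags the RFC 2246 export suites by their IANA IDs. The sample hellos are constructed inline so the script runs offline; in practice the bytes would come from a packet capture or from a probe you send yourself, and the `build_*` helpers exist only to produce that sample input.

```python
import struct

# IANA IDs of the RSA and DH export-grade cipher suites from RFC 2246 (TLS 1.0).
# Their key exchange is capped at 512-bit RSA or DH; a server that offers them,
# or a client that accepts such a key unasked, is what FREAK exploits.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def _record(hs_type, body, version=b"\x03\x01"):
    """Wrap a handshake body in a TLS record (only used to build sample input)."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack(">H", len(hs)) + hs


def build_client_hello(suites):
    """Constructed sample: a minimal ClientHello offering the given suites."""
    body = b"\x03\x01" + bytes(32)               # client_version, zeroed random
    body += b"\x00"                              # empty session_id
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(cs)) + cs      # cipher_suites vector
    body += b"\x01\x00"                          # compression_methods: null only
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite):
    """Constructed sample: a minimal ServerHello selecting one suite."""
    body = b"\x03\x01" + bytes(32) + b"\x00"     # server_version, random, empty session_id
    body += struct.pack(">H", suite) + b"\x00"   # cipher_suite, null compression
    return _record(SERVER_HELLO, body)


def _handshake_body(record, expected_type):
    """Strip the record and handshake headers, refusing truncated or wrong-type input."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != expected_type:
        raise ValueError("unexpected or truncated handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated handshake body")
    return body


def parse_client_hello_suites(record):
    """Return the cipher-suite IDs a ClientHello offers, in preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                                 # skip client_version and random
    pos += 1 + body[pos]                         # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    cs = body[pos:pos + cs_len]
    if len(cs) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    return [struct.unpack(">H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]


def parse_server_hello_suite(record):
    """Return the single cipher-suite ID a ServerHello selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    if len(body) < pos + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack(">H", body[pos:pos + 2])[0]


def flag_export(suites):
    """Map each export-grade suite in `suites` to its name; an empty dict means clean."""
    return {s: EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES}


if __name__ == "__main__":
    # Constructed sample: a legacy client offering two modern and two export suites.
    hello = build_client_hello([0xC02F, 0x002F, 0x0003, 0x0014])
    offered = parse_client_hello_suites(hello)
    print("client offers:", [f"{s:#06x}" for s in offered])
    print("export-grade offered:", flag_export(offered))
    # A server answering with 0x0003 is still exposed; 0xC02F (ECDHE-RSA-AES128-GCM) is fine.
    for chosen in (0x0003, 0xC02F):
        picked = parse_server_hello_suite(build_server_hello(chosen))
        print(f"server picked {picked:#06x}:", flag_export([picked]) or "OK")
```

A non-empty result from `flag_export` on a ServerHello is the finding that matters: the server is willing to negotiate a 512-bit key exchange, and the fix is to remove every `EXPORT` suite from its configuration. Seeing export suites in a ClientHello is a weaker signal on its own, since the FREAK client bug is about accepting an export key the client did not ask for, but it tells you that the client population still carries the legacy code.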
The building blocks I mentioned above can be libraries, frameworks or snippets of code that are reused to create new software, websites or web applications. Once a large number of projects depend on the same building block, a single flaw in it leaves an attacker like a kid in a candy store, not sure what to go for first. It is easy to assume that if your users have encryption enabled in the cloud or on their computer, smartphone or tablet there is nothing to worry about. That misconception has to be dealt with head on, especially when the encryption is assembled from those shared building blocks.
Most users know nothing about encryption; if they are told something is secure or encrypted they tend to believe it, and if other people are using it then it must be good. That assumption should not be made, for the reasons outlined below:
- How trustworthy is the encryption used by you or your clients, and who has actually reviewed it?
- Is the encryption a current, maintained implementation, or is it built on decades-old code that nobody has looked at in years?
- Not all security breaches are ever disclosed.
- When breaches are disclosed it is not in real time; it is normally months after they occurred.
- What contingency plans are in place to minimise damage and data loss if a breach occurs?
Is FREAK the beginning of a stream of security issues to be revealed because of outdated US government policies and the old code and software still in use?