Category Archives: Cryptography

TrueCrypt security audit back on track after silence and uncertainty

Posted on by

An effort to search for cryptographic flaws in TrueCrypt, a popular disk encryption program, will resume even though the software was abandoned by its creators almost a year ago.

For years TrueCrypt has been the go-to open-source tool for people looking to encrypt files on their computers, especially since its one of the few solutions to allow encrypting the OS volume.

In October 2013, cryptography professor Matthew Green and security researcher Kenneth White launched a project to perform a professional security audit of TrueCrypt. This was partly prompted by the leaks from former U.S. National Security Agency contractor Edward Snowden that suggested the NSA was engaged in efforts to undermine encryption.

Green and Whites Open Crypto Audit Project started accepting donations and contracted iSEC Partners, a subsidiary of information assurance company NCC Group, to probe critical parts of the TrueCrypt code for software vulnerabilities. The firm found some issues, but nothing critical that could be described as a backdoor. Their report, published in April 2014, covered the first phase of the audit.

Phase two was supposed to involve a formal review of the programs encryption functions, with the goal of uncovering any potential errors in the cryptographic implementationsbut then the unexpected happened.

In May 2014, the developers of TrueCrypt, who had remained anonymous over the years for privacy reasons, abruptly announced that they were discontinuing the project and advised users to switch to alternatives.

This threw our plans for a loop, Green said in a blog post Tuesday. We had been planning a crowdsourced audit to be run by Thomas Ptacek and some others. However in the wake of TC pulling the plug, there were questions: Was this a good use of folks time and resources? What about applying those resources to the new Truecrypt forks that have sprung up (or are being developed?)

Truecrypt.

Now, almost a year later, the project is back on track. Ptacek, a cryptography expert and founder of Matasano Security, will no longer lead the cryptanalysis and the effort will no longer be crowdsourced. Instead, phase two of the audit will be handled by Cryptography Services, a team of consultants from iSEC Partners, Matasano, Intrepidus Group, and NCC Group.

The cost of professional crypto audits is usually very high, exceeding the $70,000 the Open Crypto Audit Project raised through crowdfunding. To keep the price down, the project had to be flexible with its time frame and work around Cryptography Services other engagements.

Read more:
TrueCrypt security audit back on track after silence and uncertainty

Apple, Google users at risk from FREAK flaw

Posted on by

A major security flaw has been discovered in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic protocols, leaving users of Google and Apple devices open to attack when visiting purportedly secure websites.

Technology companies are now rushing to put out fixes for the FREAK attack, disclosed by researchers today.

The vulnerability in the SSL/TLS secure communications protocols allows attackers to intercept HTTPS connections between vulnerable clients and servers - which researchers revealed included web browsers on Android and Apple smartphones.

Attackers could then force the site to downgrade to weak, so-called "export-grade" cryptography, which could be easily cracked in order to decrypt web traffic, in turn allowing attackers to steal passwords and other sensitive information.

The flaw has been around since the late 1990s, stemming from a former US government policy which had banned the export of strong encryption.

The policy - which was ditched in 1999 - meant weaker "export-grade" products were shipped to customers outside of the US.

However, the weaker keys continued to be used by software companies after the policy was canned, going unnoticed until it was discovered this year by thegroup of cryptographers at INRIA, Microsoft Research and IMDEA.

The "FREAK name stands for 'factoring attack on RSA-EXPORT keys'. The keys used in the export-grade encryption had a length of 512 bits - which is considered incredibly weak in the current age thanks to rapid increases in computing power - allowing attackers to easily guess the key.

"This bug causes them to accept RSA export-grade keys even when the client didn't ask for export-grade RSA," cryptographer Matthew Green wrote in ablog post.

"The impact of this bug can be quite nasty: it admits a 'man in the middle' attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable and the server supports export RSA."

See the original post:
Apple, Google users at risk from FREAK flaw

Massive FREAK security flaw breaks HTTPS in Android, Apple devices

Posted on by

A recently announced security flaw, dubbed FREAK (Factoring RSA Export Keys) has significant implications for Android and Apple devices that connect to other websites via HTTPS and offers an object lesson in why deliberately weakening cryptographic standards to allow for backdoors or other forms of protection is such an emphatically bad idea.

To understand the problem, we need to cover a bit of history. Back in the early 1990s, the US government treated cryptography as a matter of national security. This resulted in a split system, in which the US used one level of cryptography for domestic software, but internationally distributed programs might set a different encryption level for programs that would be deployed overseas. Netscape, for example, was distributed in both a 128-bit and a 40-bit version.

This left cryptography standards developers stuck between a rock and a hard place. Any software suite or implementation standard had to be able to support both a strong version of a standard and a weak version, with the NSA or other governmental agency demanding the weak version be available to ensure national security. If you follow security even at the most tangential level, youre undoubtedly aware that government and industry bodies periodically adopt stronger security standards as cracking methods become more sophisticated and computers become more powerful. Old computer ciphers that wouldve taken decades or centuries to decode when they debuted can now be cracked in minutes, in some cases.

The government eventually lifted most of these requirements, thus allowing foreign connections to be secured by the same methods that domestic software used. Unfortunately, SSL was defined during the time period when these restrictions existed. The largest key US companies were allowed to distribute outside the US was a 512-bit RSA key. For reference, the Komodia software we covered extensively over the past few weeks used 1024-bit keys and was broken in hours; current best practice is to use 2048-bit keys.

Matthew Green, a cryptographer and researcher at Johns Hopkins University, summarizes the problem as follows:

It turns out that some modern TLS clients including Apples SecureTransport and OpenSSL have a bug in them. This bug causes them to accept RSA export-grade keys even when the client didnt ask for export-grade RSA. The impact of this bug can be quite nasty: It admits a man in the middle attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable and the server supports export RSA.

Now, none of this would be a problem if export-RSA had actually been phased out on schedule. Remember, were talking about a security standard based on requirements that were lifted decades ago; Netscape was developing SSL before some of you were born. (Yes, thats depressing).

Unfortunately, scans show that the export-RSA standard is apparently still supported by up to 36.7% of the sites serving browser-trusted certifications, including Content Distribution Networks (CDNs) like Akamai. Affected websites include NSA.gov, Whitehouse.gov, irs.gov, and tips.FBI.gov, but government sites are far from the only sites affected a full list of the affected Top 10,000 sites is available here. Crack the 512-bit key, and youve got a perfect man-in-the-middle scenario.

The NSAs RSA encryption can be broken and data changed with this method

It turns out, it costs about $104 worth of Amazon EC2 server time to break a 512-bit RSA key, which makes this kind of flaw eminently practical for certain types of targeted attacks. Apple is expected to patch the problem by next week, but Android users are, in Greens words, screwed. Firefox is reportedly protected for both OS X and Android, so concerned users should consider using that browser (Google is patching Chrome for Mac to make it immune as well).

See original here:
Massive FREAK security flaw breaks HTTPS in Android, Apple devices

SafeLogic’s "Kosher Data Encryption" at @CloudExpo | @SafeLogic [#Cloud]

Posted on by

By Elizabeth White

Article Rating:

Reads:

Cryptography has become one of the most underappreciated, misunderstood components of technology. It's too easy for salespeople to dismiss concerns with three letters that nobody wants to question. Yes, of course, we use AES.'

But what exactly are you trusting to be the ultimate guardian of your data? Let's face it - you probably don't know. An organic, grass-fed Kobe steak is a far cry from a Big Mac, but they're both beef, right? Not exactly. Crypto is the same way. The US government requires all federally deployed technology to meet minimum standards. For encryption, if it hasn't been certified to meet the FIPS 140-2 benchmark, it is considered the equivalent of exposing your data in plain text. That's how crucial it is.

In cloud environments, when you are already showing a great deal of trust to relinquish physical control of your infrastructure, encryption should be verified to meet high benchmarks. There is simply no reason to accept mystery meat here.

In his session at 16th Cloud Expo, Ray Potter, CEO and co-founder of SafeLogic, will explain the significance of FIPS 140-2, FISMA and FedRAMP for cryptographic modules, and discuss compliance and validation from end-user and vendor perspectives. He will also discuss:

So the next time it comes up, you'll know all the right questions to ask your butcher.

Speaker Bio Ray Potter is the CEO and co-founder of SafeLogic. Previously, he founded Apex Assurance Group and led the Security Assurance program at Cisco Systems. Ray currently lives in Palo Alto and enjoys cycling and good bourbon, although not at the same time.

Read the rest here:
SafeLogic's "Kosher Data Encryption" at @CloudExpo | @SafeLogic [#Cloud]

‘I thought he was just a great kid, and had real potential’

Posted on by

In the months before a 17-year-old at Prince William Countys Osbourn Park High School was taken out of his home in handcuffs, accused of helping terrorists, he seemed to be doing the same thing as all his peers: lining up references for his college applications.

The boy did not yet know where he wanted to go or what he wanted to study economics, computer science and cryptography were just three ideas he floated to a former teacher. But with above-average intelligence and a strong desire to learn new things, he seemed destined for success, those who knew him said.

I thought he was just a great kid and had real potential, said Bruce Averill, a former teacher at the Governors School @ Innovation Park in Manassas who had the youth in a college-level chemistry course.

Federal authorities saw the teen differently. By their account, the youngster successfully helped a man not much older than himself travel to Syria and join the Islamic State. The teen, officials said, is believed to have used online contacts to help make arrangements for the mans trip. He is also believed to have involved another 17-year-old Osbourn Park student in his plot.

The case is still in its infancy the teen was taken into custody Feb. 27 and charged as a juvenile but is already drawing attention from law enforcement officials and lawmakers on Capitol Hill. On Thursday, Rep. Barbara Comstock (R-Va.) sent a letter to FBI Director James B. Comey asking for a briefing. She said in an interview that she was concerned about a spate of cases in which the Islamic State seemed to have successfully wooed youths in the United States.

We want to intercede and get engaged on this before it gets worse, Comstock said.

James R. Clapper Jr., director of national intelligence, said recently that about 180 Americans have gone or tried to go to Syria since the conflict there began, although not all had nefarious intentions. Late last month, after three Brooklyn men were arrested on charges that they planned to travel to Syria to join the Islamic State, Michael Steinbach, the FBIs assistant director of the counterterrorism division, briefed a congressional subcommittee about the problem.

FBI spokesman Chris Allen said the bureau and the Department of Homeland Security also recently issued a bulletin to local law enforcement officials about the continuing trend of Western youth being inspired by [the Islamic State] to travel to Syria to participate in conflict.

Allen said authorities are concerned about recruitment efforts made by the Islamic State particularly through social media engagement, and we urge the public to remain vigilant and report any suspicious activity to law enforcement.

The case in Virginia seems to be yet another example of the phenomenon, although much remains unclear. The teen is charged as a juvenile as prosecutors navigate the process to move the case to adult court. The man he helped travel has not been publicly charged.

Continued here:
‘I thought he was just a great kid, and had real potential’

SK Telecom Participates in Mobile World Congress 2015

Posted on by

BARCELONA, Spain - SK Telecom (NYSE: SKM) announced its participation in the 2015 GSMA Mobile World Congress to be held from March 2 to 5, at Fira Gran Via, Barcelona, Spain.

Under the theme of "Journey to the New World of Innovation," SK Telecom will showcase advanced network technologies aimed at accelerating the evolution towards 5G; introduce 5G platforms in five different areas, namely IoT, location-based service, intelligence, commerce and Big Data; and unveil new consumer-centric IoT devices, or Lifeware, developed to bring innovative changes to people's daily lives.

Advanced Technologies to Accelerate Evolution to 5G

SK Telecom will demonstrate 7.5Gbps data transmission through 3D Beamforming technology using millimeter wave (mmWave)* frequency bands. Due to saturation and fragmentation of frequency resources in bands below 6GHz being used today for mobile telecommunications, technologies that enable the utilization of mmWave frequency bands will play an important part in realizing early commercialization of 5G.*Millimeter-wave (mmWave) refers to electromagnetic waves with a frequency of 30GHz to 300GHz, and wavelength between 1mm to 10mm.

The company will also showcase new telecommunications technologies, including Fast Data Platform for Network, T Oven and Quantum Cryptography System to enhance the completeness of the 5G network system.

Fast Data Platform is an innovative platform that prevents service quality degradation by collecting and analyzing Big Data generated by the network, and T OVEN is a technology capable of orchestrating a virtualized network.

Quantum Cryptography System is by far the best data security technology as it uses quantum mechanics to prevent hacking of data in transit unlike the traditional data security technology that uses a cryptography algorithm based on prime factorization. The system, once commercialized, will open a new paradigm in security of national backbone network, financial network and medical information network.

Five Different 5G Platforms in Areas of IoT, Location-based Service, Intelligence, Commerce and Big Data

At this year's MWC exhibition, SK Telecom will also suggest how people's lives will be transformed in the 5G era through innovative platforms designed to maximize the value of the 5G network.

Mobius, an open IoT platform based on one M2M standards, offers advanced connectivity of devices, systems, and services that goes beyond machine-to-machine communications (M2M). SK Telecom will demonstrate SK Planet's Weather Pong, a real-time weather information system that provides weather updates and forecasts through sensors installed in SK Telecom base stations.

Read more:
SK Telecom Participates in Mobile World Congress 2015

FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Posted on by

Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport a hangover from the days when the US government was twitchy about the spread of cryptography.

It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a vulnerable browser such as Safari.

Apple's SecureTransport is a library used by applications on iOS and OS X, including Safari for iPhones, iPads and Macs. OpenSSL is open source, and used by Android browsers, and many other things.

OpenSSL and SecureTransport encrypt connections to online banking, webmail, and other HTTPS websites, and so much else on the internet, to thwart eavesdroppers.

It turns out the encryption used by OpenSSL and SecureTransport can be crippled by an attacker on your network: apps can be tricked into using weak encryption keys, allowing determined miscreants to pluck login cookies and other sensitive information out of your SSL-protected traffic.

"A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204," according to freakattack.com, a website explaining the security flaw.

"Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites."

You can visit freakattack.com to check if your web browser is vulnerable. Reg readers have told us that Google Chrome for OS X prior to version 41.0.2272.76, BlackBerry OS 10.3, and Internet Explorer 11 in the Windows 10 Technical Preview, are flagged up as vulnerable.

Back in the early 1990s, the US government banned Americans from selling software overseas unless the code used so-called "export cipher suites" that involved encryption keys no longer than 512 bits.

At the time, this was supposed to ensure that Uncle Sam exported relatively weak encryption to the rest of the world, and kept the stronger stuff for itself.

Read more:
FREAK show: Apple and Android SSL WIDE OPEN to snoopers