Visual Cryptography
Hiding your images in style since 1994. Copyright Protection Scheme for Digital Images Using Visual Cryptography and Sampling Methods Ching-Sheng Hsu Young-C...
By: Matt Donato
Stay safe online with these recommendations from IT and Crypto professionals at RSA, the premier security conference.
The RSA Conference, the flagship meetup for cryptography, information security, and IT experts from around the world, just wrapped on Feb. 28. I attended panels, talked to professionals about security, and learned a couple of new lessons about personal protection in the age of big data.
There were a lot of lessons from RSA, most of them concerning IT Professionals. Some were about enterprise-level security, and a few were on the relationship of government and big data. But what can the average consumer cull from these discussions? Read on, and take control of your online security and digital privacy.
Hackers are no more evil than the average netizens, nor are they loners. Hackers have their own social communities around their illicit activities. Whether they're trying to make money off stolen data (cyber-criminal), taking a stance (hacktivist), or just keeping tabs (surveillance), hackers have turned hacking into a business, and data is their sole interest. Most hackers work together to pull off sophisticated attacks, mostly on organizations, companies, government sites, or other hacking groups.
If your info is out there for the taking, then be ready to call your credit card company at a moment's notice. But present them with a little difficulty, and they might just go after another, softer target. It is a numbers game after all. So create tougher passwords (Longer is always better!), get a two-step authentication system, edit out personal info from your Facebook/Google+ pages, and don't tweet things that can be used to phish data.
Keep your passwords safe with these apps:
Unlike proprietary software, open-source software has the benefit of letting users customize their own security privileges and allows anyone to look into the source code and report any vulnerabilities or flaws.
Always try to get the latest updates for any programs you may have, even the ones you don't often use (even Flash). Patches are designed to cover security flaws and remove abuse potential. Introduce a little open-source software to your life, and find open alternatives to your favorite programs. A good way to start is by checking out these trusted open-source apps.
Additional open-source apps:
Remove apps that you no longer use but never bothered to delete. Uninstallers like Revo or IObit can make cleanup easier. Do you really need 20 Chrome Extensions or ten different MP3 converters?
Original post:
Security lessons from RSA
A newly discovered bug in the popular GnuTLS library has the potential to dwarf Apple's SSL encryption problems of just last week, thanks to a similar error with error checks and notifications. That's quite a feat, considering that the Apple "Goto Fail" bug impacted millions of devices running both iOS and OS X, but the bug in GnuTLS looks like it will be far bigger. Over 200 applications have been identified that depend on GnuTLS and the actual list is likely much, much higher.
According to Ars Technica, the problem here is similar in type to the issue that tripped up Apple. In both cases, incorrect code short-circuited the functions that are supposed to verify whether or not a proper SSL certificate has actually been presented. Red Hat found the error during a security audit and describes it thus: "It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker."
The good news is, patches are already in place for this problem. The bad news is, it's going to take a long time to tease out exactly which products are affected. Because GnuTLS is open source, it's not as if the organization has a checklist it can pull to contact every vendor that uses its software. Furthermore, the flaw may go all the way back to the initial code: the organization's website states that anyone who uses certificate authentication in any version of GnuTLS is affected by the vulnerability.
The list of impacted software is enormous. Cryptographic code signing is thought to protect against exploits in most Linux distros, but Cisco's VPN software apparently relies on GnuTLS, to name just one company. Web hosts or online services that rely on GnuTLS will have to update their own software to guard users against man-in-the-middle attacks. Inevitably, there are going to be applications that aren't ever updated, which will leave consumers vulnerable.
The fact that similar code errors have been found in critical software that secures a great deal of back-end infrastructure as well as personal devices hopefully means that more companies are examining the guts of their security code more thoroughly. The NSA revelations of the past 12 months have been light on technical details, but the NSA clearly has sophisticated access to certain systems thanks to security flaws and hidden capabilities. Hopefully patching issues like this removes a few arrows from the government's quiver, though if the NSA was, in fact, aware of either bug, it would mean the government deliberately left consumers and businesses exposed to potential malware to suit its own purposes. That wouldn't surprise many people in today's climate, but it would be a far cry from the 1970s when the NSA deliberately improved the DES standard to better guard against a then-unknown attack vector it felt might emerge in the future.
View original post here:
Massive Linux security flaw dwarfs Apple’s cryptography problems of just last week
How to say cryptography in Italian
By: How to say in Italian ?
Excerpt from:
How to say cryptography in Italian - Video
Satoshi was extremely active in the development of the open-source software which powers Bitcoin. But towards the end of 2010, perhaps sensing that the project had gathered enough momentum to survive his withdrawal, he started to fade away. The last thing anybody ever heard from him was in April 2011 when he emailed a Bitcoin contributor and said he had moved on to other things.
Because of his early involvement in bitcoin, Satoshi is thought to be extremely wealthy. New Bitcoins are "mined" by performing complex cryptographic calculations which also serve to authenticate transactions. In the early days Bitcoins were far easier to mine than they now are, and worth far less.
Security researcher Sergio Demian Lerner believes - but can't categorically prove - that Satoshi mined around 1,000,000 BTC and has never spent any. At a price of $1,000 each, that would make him worth around a billion dollars - around the same as the GDP of the Seychelles.
Considering his immense wealth and integral role in launching one of the largest economic experiments ever conducted, it's not surprising that lots of people have tried to uncover Satoshi's real identity.
The most recent of many theories comes from Josh Zerlan, chief operating officer of Butterfly Labs, the makers of specific hardware to mine bitcoins. Speaking to IBTimes UK at a bitcoin conference in India, he said: "One of the prevailing theories, I think has credibility, is that it was some group of people from financial sector that created this. They released it and stepped back and let it go. So, Satoshi Nakamoto is a group of people, I think, is a reasonable possibility." He names no names, nor does he explain what their motivation would be.
The New Yorker published a piece pointing at two possible Satoshis, one of whom seemed particularly plausible: a cryptography graduate student from Trinity College, Dublin, who had gone on to work in currency-trading software for a bank and published a paper on peer-to-peer technology. The other was a Research Fellow at the Oxford Internet Institute, Vili Lehdonvirta. Both made denials.
Fast Company highlighted an encryption patent application filed by three researchers - Charles Bry, Neal King and Vladimir Oksman - and a circumstantial link involving textual analysis of it and the Satoshi paper which found the phrase "...computationally impractical to reverse" in both. Again, it was flatly denied.
All three men also collaborated on a second paper backed by a Munich-based firm called Lantiq. The company was founded in 2009, the same year that the Bitcoin paper was first published, but did not answer phone calls or reply to emails when I tried to ask if there was any link.
This year two Israeli mathematicians wrote a paper claiming that there was a link between Satoshi Nakamoto, the mythical creator of Bitcoin, and Ross Ulbricht, who has been arrested and charged with running the underground online drugs market Silk Road. They claimed, after analysing the blockchain, that there was a financial link, but later issued a statement retracting it after their claims were debunked by a Reddit user.
But all of these accusations have gotten us no closer to the truth.
Read more:
Who is the reclusive billionaire creator of Bitcoin?
cryptography in DNS
submitted by .... surajkant and kaushlesh MCA from veltech university,chennai.
By: KAUSHLESH PATHAK
Continue reading here:
cryptography in DNS - Video
How to Pronounce Cryptography
Learn how to say Cryptography correctly with EmmaSaying's "how do you pronounce" free tutorials. Definition of cryptography (oxford dictionary): noun the sci...
By: Emma Saying
Read more here:
How to Pronounce Cryptography - Video
"Whatever the level of cryptography you're using, the NSA can probably break into your home network, install keyloggers and grab whatever they want -- passwords, private PGP keys, screenshots, etc.," said Cyril Soler, a developer on the RetroShare project. "This is always easier than breaking the encryption." Their ability to do that is probably facilitated by backdoors.
The death of online privacy had already been proclaimed long before Edward Snowden landed in the international spotlight, but if it wasn't confirmed back then, Snowden's NSA revelations surely must have extinguished the last vestiges of hope in even the most die-hard optimists.
"We're in a predicament," Phil Zimmermann, Pretty Good Privacy creator and cofounder and president of Silent Circle, told LinuxInsider. "Everything we do on the Internet is being captured in a vast database -- it's a kind of Panopticon.
"We have to do something about this," added Zimmermann, an Internet Hall of Fame inductee. "We have to push back in policy space as well as use countermeasures like encryption."
Public policy changes rarely happen quickly, of course. In the meantime, those countermeasures are looking more and more like users' best bet.
"I'd recommend making phone calls with Silent Phone," Zimmermann suggested, and "for email, PGP, GnuPG or something like it."
As for other online activities, "there's a lot of things you do on the Internet that leak information," he added. "They're capturing your Web browsing."
SSL and TLS are both protocols Zimmermann recommended using.
In addition, the Tor Web browser is "a good idea," he said. "I would recommend using Tor for visiting any website you would prefer to not have recorded."
On the road, if you're in a place where there may be a lot of interception, Tor or a VPN can help protect privacy, though not all VPNs are equally secure, noted Zimmermann.
Read the original:
Wiliest Ways to Keep the NSA at Bay
ANI, Washington | Last Updated: February 28, 2014 | 17:52 IST
Apple has reportedly revealed exactly how secure its iMessage service is.
The iMessage service uses cryptography, which is nothing but a set of distinct codes assigned as specific keys for each message sent and received. According to TechCrunch, Apple uses public-key cryptography, which is based on the principle that each message has two keys, one for input and the other for pickup, and unless someone finds a copy of the pickup key, or finds a weakness in the system, there is no way to intercept.
When a user first enables iMessage, the device creates two sets of private and public keys: one set for encrypting data, and one set for signing data, and if these two keys ever don't match up, red flags start going off. The public keys are sent to Apple's servers, while private keys are stored on the device.
When someone starts an iMessage conversation, they fetch a user's public key(s) from Apple's servers and before that message leaves the sender's device, it's encrypted into something that only the device knows how to decrypt.
A user gets one set of keys for each device they add to iCloud, and each iMessage is encrypted independently for each device and stored on Apple's servers accordingly.
The report said while some data like the timestamp and APN routing data is not encrypted, all of the independently encrypted/non-encrypted data is encrypted as a whole package, on the trips between a device and Apple's servers.
Apple doesn't have any backdoor access to the iMessages sitting on its servers, tucked into their many-layers-deep encryption. The company can't read them without a fairly insane amount of effort.
Read more:
Apple reveals algorithm behind 'encrypted' iMessages
Fourteen prominent security and cryptography experts have signed an open letter to technology companies urging them to take steps to regain users' trust following reports over the past year that vendors collaborated with government agencies to undermine consumer security and facilitate mass surveillance.
The researchers pointed out as alarming allegations that RSA, the security division of EMC, made a $10 million deal with the NSA to keep a compromised crypto algorithm the default setting in its security product long after the algorithm's faults were revealed. RSA has denied such a deal.
The open letter was signed by well-known computer scientists, cryptographers, developers and security researchers. Among them are Matthew Green, assistant research professor at Johns Hopkins University; Tanja Lange, professor at Eindhoven University of Technology; Bruce Schneier; Roger Dingledine and Nick Mathewson of the Tor Project; Brian Warner and Zooko Wilcox-O'Hearn of the Tahoe-LAFS Project; Christopher Soghoian, principal technologist at the American Civil Liberties Union; and Brendan Eich, CTO of Mozilla Corporation.
The letter was an initiative of the advocacy group Electronic Frontier Foundation and outlines 10 principles, both technical and legal, to which signatories believe technology companies should adhere.
The first principle has to do with code integrity and has been expressed by security experts before. There's no easy way to verify how an open cryptographic algorithm has been implemented in closed-source software, so the letter's signatories urged companies to provide public access to source code whenever possible. If companies also distribute pre-compiled binary packages, they should adopt a reproducible build process so users can obtain the same binaries from the source code, the researchers said.
Both open and closed source software should be distributed with verifiable signatures from a trusted party and a path for users to verify that their copy of the software is functionally identical to every other copy (a property known as binary transparency), they said.
The second principle requires companies to be open about their cryptographic choices and to explain why certain algorithms and parameters were used in their software.
"Make best efforts to fix or discontinue the use of cryptographic libraries, algorithms, or primitives with known vulnerabilities and disclose to customers immediately when a vulnerability is discovered," the researchers said.
Other principles outlined in the letter include:
This open letter follows another one sent by security and cryptography researchers to the U.S. government in January, deploring the NSA's surveillance activities. In that letter, researchers asked the U.S. government to reject society-wide surveillance and attempts to subvert security systems and instead adopt state-of-the-art privacy-preserving technology.
Read the original here:
Security researchers urge tech companies to explain their cryptographic choices