More bang for your Bitcoin as cryptocurrency hits record high price – Computer Business Review


Bitcoin defies the doubters and climbs to $1,186, marking a new price record.

Bitcoin has reached a new record high price of $1,186, surpassing the previous all-time high reached during the Bitcoin-mania of 2013.

After Bitcoin reached the previous record high price of $1,165, the price plummeted to half the figure when Mt. Gox, one of the most substantial Bitcoin exchanges, shut down.

The closure of the exchange came about following the loss of hundreds of thousands of Bitcoin at the expense of its users. After this point the price of the digital currency has been continuously unstable.

Bitcoin was stabilised at $250 in 2015, and has increased at a consistent, steady rate since this point. One month ago Bitcoin was trading at $885, and at $736 the month prior.

The price began to pick up more rapidly following the devaluation of the Yuan due to India and China's removal of high valuation bank notes.

One of the most influential factors behind the growing price of Bitcoin has been the election of President Donald Trump.

Comparable to Brexit, the election of Trump brought uncertainty to the market and led to the reaction of moving money into Bitcoins. This action was taken because Bitcoin is uncorrelated with other capital market assets.

The awareness of digital currencies has also grown in recent times, with financial services pursuing the implementation of fintech such as Bitcoin and Blockchain. Mark Carney spoke recently on the future of the financial services, and the transformative impact that fintech is likely to have.

Bitcoin's profile has also been raised by recent news surrounding cyber security, in which ransomware is being used increasingly to charge victims sums of money in Bitcoin.


Refugees who sheltered Snowden now live in fear in Hong Kong – CNN

"I (am) very scared, maybe they can arrest me," said Supun Kellapatha, a Sri Lankan asylum seeker who gave up his family's bed for Snowden. "I don't have (a) normal life now."

For weeks in 2013, the families took turns hiding Snowden in their cramped Hong Kong apartments, when he was trying to evade the authorities after carrying out one of the biggest intelligence thefts in US history. They kept their story secret until going public last year.

Edward Snowden's Hong Kong lawyer, Robert Tibbo, who also represents the asylum seekers, told a news conference on Thursday that he has received information from "multiple sources" that members of the Sri Lankan Criminal Investigation Department (CID) were in Hong Kong on at least two occasions, in November and December.

On the second visit, Tibbo said at least two suspected Sri Lankan CID members took "active steps" to find the families, who don't want to return home because they fear being persecuted.

He says this included approaching another member of the Sri Lankan community on the streets of Hong Kong, where they asked for some of the families by name, and carried "photographs and files" about them.

Supun Kellapatha said that after hearing the reports, he felt he wasn't safe to walk in the streets.

Ajith Puspakumara, another Sri Lankan asylum seeker who helped Snowden, said he is also "very scared," adding that "this situation is not safe for me here."

Tibbo says that when he learned about the situation in late December, he immediately moved the families to "safe locations."

Relatives in Sri Lanka of one of the families had been "questioned, harassed and threatened" by Sri Lankan officials, Tibbo said.

Tibbo called on Hong Kong authorities to protect the families, because he thinks they're at risk of being "unlawfully renditioned" out of Hong Kong.

"We do not believe that the Hong Kong government has provided the protection that our clients are entitled to receive as asylum seekers in Hong Kong," Tibbo says.

Tibbo says he has already reported the issue to the Hong Kong Immigration Department, and says he will ask the Hong Kong Police to investigate the matter and "prevent any illegal cross-border law enforcement activities."

In a statement sent to CNN, Hong Kong's Police Public Relations Branch said that if a person feels threatened, they should seek help from the police.

"The Basic Law only authorizes law enforcement agencies of Hong Kong to enforce laws in Hong Kong."

"If there is any illegal act, the Police will handle in accordance with the law," it added.

CNN has also reached out to the Sri Lankan government's Ministry of Foreign Affairs for a comment, but they have not yet provided a response.

Hong Kong lawmaker James To, a member of the Democratic Party, is supporting the asylum seekers' case, and says he will raise the issue with authorities.

"We must protect Hong Kong's system against any abuse by foreign governments," To said. "So we will take the matter to the Hong Kong government, to the highest level."

Edward Snowden is "aware" of the situation and has "grave concerns" for the families, Tibbo says.

The families went public after their brush with history was immortalized in the Oliver Stone film "Snowden."

"They protected me, they believed in me, and but for that I may have had a very different ending," Snowden later told the New York Times.

"We are part of history because we did good things," Supun Kellapatha told CNN in October last year.


Edward Snowden on How to Protect Your Online Privacy – VPN Creative


If you're using the Internet without being worried about how to protect your online privacy, I salute you. But take it from someone who knows a thing or two about privacy, Edward Snowden: you need to protect yourself when going online.

To an average person, this may sound paranoid, but every move you make on the web, whom you're friends with on Facebook and so on is all monitored. This data is collected not just by the government, but also by companies, advertisers, and others.

Does that mean that you should leave the Internet for good and toss out your smartphone? No, it just means you (and we all) need to learn to better protect your online privacy.

In a recent interview with The Intercept, Edward Snowden outlines five ways to protect yourself online.

The first step to protecting yourself online, says Snowden, is to make sure your phone calls are encrypted. Snowden recommends using an app called Signal for this. Signal was developed by Open Whisper Systems and is available for both Android and iOS devices. Another good way to protect your online privacy when using a smartphone is to buy a Blackphone from Silent Circle.

Imagine this scenario (not at all unlikely): you signed up for a service somewhere five years ago. Since then, you have long stopped using it and have completely forgotten about it. However, it gets hacked and your password along with it. If you've been negligent and used the same password as your Gmail account, this is a big problem. It is a problem because the hackers may try your password on other popular websites. If you use the same password in many places, eventually, they will be able to hack some of your accounts.

Fortunately, you can sleep more easily if you use a good password manager like LastPass or 1Password.

As much as today's browsers such as Google Chrome or Firefox are good for average users, the very fact that they follow your every move online can be a cause for worry. If you're not keen on revealing this information and want to remain anonymous, Snowden recommends installing and using Tor. Although its creators recently admitted it wasn't 100% impenetrable, this is one of the most efficient ways to keep your online browsing anonymous.

Let's say you were careless and someone manages to steal your password. If you have 2-factor authentication enabled, there's not much they can do with it. If you have it on, 2-factor authentication will enable the provider to send you another means of authentication. This can be a text message, a code or something like that. Since whoever stole your password doesn't have that, you're safe.

Even if you do all of the above, your online privacy is still not secure if your computer gets physically stolen. Since we all keep both personal and business-related information on our computers, it's not a very pleasant prospect if someone steals your computer and gains access to it. This could put your address, kids' names, where you work or maybe your social security number in unwanted hands. This is why installing a secure operating system like Linux is a good idea.

If you're running a recent version of macOS, you'll likely have disk encryption on by default, while on Windows 10 you can find it by typing "Encryption" in the Start Menu, selecting "Change Device Encryption Settings" and turning on "Manage BitLocker".

That's it. If you want to know more about how to protect your online privacy, go ahead and visit our Complete Guide to Online Privacy.


Google helps put aging SHA-1 encryption out to pasture – Engadget

Breaking SHA-1 has been a goal of security users for quite a while, so it's quite a feather in Google's cap to be first. (It's possible, though, that the NSA, Russians or others have had one that they've kept under wraps.) The team said that the collision "is one of the largest computations ever completed," so Google's cloud infrastructure was an indispensable part of that.

There's no great danger for users. Google Chrome, Microsoft's Edge, Firefox and all other major browsers flag HTTPS sites that use SHA-1 as insecure with a big red warning -- so very few use it for verifying digital content. The team won't release the attack (Dad-jokingly called "SHAttered") for 90 days, in order to give affected sites time to deal with it.

Also, even though Google has made it 100,000 times faster to crack an SHA-1 certificate, it would still require some serious computing horsepower to do so. Google says it requires 12 million GPUs a full year to brute force a certificate, while the SHA-1 "Shattered" attack takes just 110 GPUs. For now, however, you'd still need a supercomputer or server farm (or a bot farm) to crack one in a reasonable amount of time.

As a proof of concept, Google is hosting two PDFs with different content but the same hash, and has supplied the public with a free detection app. It had a lot of motivation to be first with a collision. It led the movement to deprecate SHA-1 because its advertising business relies heavily on secure sites and ad platforms -- making the discovery a giant "I told you so" of sorts.


Top 6 Data Encryption Solutions – The Merkle

People who take computer security seriously will acknowledge they need to encrypt data and create regular backups. Luckily, there are quite a few solutions that allow for both things at the same time. Below is a brief list of tools specializing in data encryption. Do keep in mind this list is not complete, but merely serves as an indicator as to what one should look for in such a software solution.

Encrypting computer data and protecting the device in question can all be achieved by using the Digital Guardian software kit. Keeping sensitive information safe from harm is the number one priority. Moreover, the toolkit focuses on data activity and enforcing user policies. This is a quite powerful solution for both consumers and enterprises, albeit it is more tailored towards the latter.

Kryptel is one of the many consumer-oriented encryption tools that provides a lot of convenience. In a matter of a few clicks, users can easily encrypt thousands of files on their personal computer. Data-wiping security can be enabled as well, which may be a nifty feature for some users. The free tool offers all of this functionality, whereas the paid version adds a command-line interface and encrypted backups.

Open-source solutions in the way of data encryption are not hard to come by, yet few of them make a big name for themselves. Ciphershed is one of those rare exceptions, which is completely free of charge to use. It is capable of encrypting files and entire drives, as well as removable storage. It includes a wizard guiding both novice and advanced users through this entire process, which is appreciated by a lot of people. It is a very potent solution that will suit most people's needs.

Three different versions of SecureDoc exist in the world today, one of which is designed specifically for the Windows operating system. SecureDoc offers encryption tools for computers, laptops, and removable media. Users can encrypt files, folders, and entire disks in a matter of clicks. The company's other two solutions focus on the Enterprise and Cloud sector, which are worth checking out as well.

Another open-source program available to consumers around the world goes by the name of AES Crypt. With a 256-bit encryption algorithm, AES Crypt is one of the most powerful free solutions to date. Encrypting data requires a file name and password, which is also used for decrypting information later on. AES Crypt works across Windows, Linux, and Mac OS X devices and has become something of a standard among computer users over the past few years.

Last but not least, there is the VeraCrypt open-source encryption solution. Its main purpose is to protect files and computer systems against data theft and information leaks, both of which are very common threats these days. VeraCrypt can be used to encrypt hard drive partitions, as well as the entire system. Moreover, it is a powerful solution against brute-force attacks, which can go a long way in this day and age of cyber crime.


Cloudflare bug leaked encryption keys, passwords and more – TechSpot

Google Project Zero researcher Tavis Ormandy recently reached out to content delivery network and Internet security services provider Cloudflare regarding a serious security issue he stumbled across in which corrupted web pages were being returned by some HTTP requests run through Cloudflare.

As explained by Cloudflare's John Graham-Cumming, a minor coding error was causing their edge servers to run past the end of a buffer and return memory that contained private data including encryption keys, passwords, cookies, chunks of POST data and more.

As The Register explains, in layman's terms, one can think of it as sitting down at a restaurant at a supposedly clean table. In addition to being handed a menu, you also receive the contents of the previous diner's wallet or purse.

Ormandy notes that once they understood what they were seeing and realized the implications, they immediately reached out to Cloudflare's security team, which wasted little time in getting to work. Graham-Cumming said that because they're a service, bugs can go from being reported to fixed in minutes to hours instead of months. In this instance, they were able to mitigate the issue in just 47 minutes and wrap up a global fix in under seven hours.

On Twitter, Ormandy said that the issue has been going on for months with affected clients including 1Password (passwords are not compromised in their case however), Uber, FitBit and OKCupid, among others.

Graham-Cumming said they have not found any evidence of malicious exploits or other reports of its existence. Nevertheless, it's probably a good idea to go through and change all of your online passwords. Again.

A list of notable sites and services potentially affected by "Cloudbleed" follows below:


Using SSL for In-Transit Data Encryption to Improve MySQL Security – DZone News

Threats to the security of your online data are everywhere and growing increasingly sophisticated. Yet despite the complex nature of online security, there are basic steps that any developer can and should take when working with a database-as-a-service (DBaaS). The foundation of your security policy should include the use of Secure Socket Layer (SSL), the standard online security technology for encrypting data as it moves between two points.

If you follow a separation of concerns approach with respect to your database and application, there are several reasons why you will want to use SSL when your application communicates with its MySQL database. You can stop intruders from viewing your data as it passes back and forth between your application and your database. You can stop someone from hijacking your connection and altering what gets sent up and down your pipe. You can also increase your level of confidence that you're conversing with the right people or systems.

In order to successfully use SSL with your MySQL database, it's helpful to understand its evolution.

Early generations of personal computers were not designed with security in mind. It was assumed that only intended users would have physical access to their machines, so as long as they locked up their floppies, security was covered. Then the widespread adoption of the Internet rapidly changed the state of digital security and introduced new challenges for software developers.

Early computer-to-computer communications were accomplished through a simple pipe, generally referred to as a socket, which passed raw data back and forth. Simple programs like TELNET, one of the earliest terminal programs, passed all data through this network pipe, including sensitive information like a user's name and password. Once hackers began to tap into and exploit the relaxed security conditions of these early network pipes, it became clear that a more secure solution was required. In response, Netscape introduced a technology called Secure Sockets Layer (SSL), which provided a way to encrypt data in the pipe. SSL evolved over the years to become part of Transport Layer Security (TLS), which includes a more generic and secure form of the protocol; however, TLS is also commonly referred to as SSL.

To get started with SSL, you need a basic understanding of Public Key Infrastructure (PKI) and cryptography. With PKI, a Certificate Authority (CA) issues digital keys known as certificates. These certificates include long streams of numbers that are based on very complex mathematical systems designed to be extremely hard to decode.

Certificates use a bit of software magic that makes them useless to intruders. Even if intruders swiped your key, it would not by itself be enough for them to decrypt your SSL connections and either eavesdrop on your communications or inject data into the pipe. They might be able to establish their own secure pipe to your database but would still need your MySQL username and password to view or change data.

To enhance security further, certificates can be stamped with a server name or other information. Attempts to use that certificate may then require verification of the encrypted information contained in the stamp. This could stop someone who steals your key from being able to establish a secured connection to your database.

There are a few basic points to using SSL with your MySQL database.

You can find detailed instructions on the topic of configuring MySQL to use secure connections in the official MySQL documentation.

If you're new to SSL, getting all this to work is a detailed process. You'll need to know the type of certificate, its encryption method, and whether it requires server names to be validated. Certificates also have expiration dates, and revocation, a mechanism to report them as invalid. The issuer can check if your certificate is valid at the time of the transaction.

So SSL gives you a secure pipe. If others get your private certificate they can have a secure pipe too, but if they don't know your MySQL username and password then they are still not in and can't read your secure connections. If you want to lock things down further, you can stamp your certificate with information that must be validated before the certificate can be used.

SSL provides a great method to prevent spoofing or sniffing a connection but is not a panacea for complete network security in all cases. That said, it does close off many avenues of attack and is highly recommended for use in all cases where it can be deployed. If you do decide to run without the protection of SSL, make sure you understand and are prepared to manage the downstream repercussions.
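The difference between an encrypted pipe and one that also validates the server name stamped into the certificate shows up in the MySQL client's `ssl-mode` option. The following is an added example, not code from the article: it audits a client option file for that setting, and the sample files, host name, paths and the `audit_client_tls` helper are constructed for illustration.

```python
import configparser

# Constructed client option files for illustration; host and paths are placeholders.
ENCRYPT_ONLY_CNF = """
[client]
host = db.example.internal
user = app
ssl-mode = REQUIRED
"""

VERIFIED_CNF = """
[client]
host = db.example.internal
user = app
ssl_mode = VERIFY_IDENTITY
ssl-ca = /etc/mysql/certs/ca.pem
"""

# What each MySQL client ssl-mode value leaves unprotected (None = nothing to report).
MODE_FINDINGS = {
    "DISABLED": ("high", "connection is plaintext: credentials and rows are readable on the wire"),
    "PREFERRED": ("high", "TLS is optional: the client falls back to plaintext if it cannot be set up"),
    "REQUIRED": ("medium", "traffic is encrypted but the server certificate is not verified, "
                           "so an impostor server is not detected"),
    "VERIFY_CA": ("low", "certificate chain is verified but the server name is not: "
                         "any certificate from the same CA is accepted"),
    "VERIFY_IDENTITY": None,
}


def _client_options(cnf_text):
    """Return the [client] section as a dict with dash-normalised option names."""
    # Option files may contain !include directives, which configparser cannot parse.
    lines = [ln for ln in cnf_text.splitlines() if not ln.lstrip().startswith("!")]
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.read_string("\n".join(lines))
    if not parser.has_section("client"):
        return {}
    # MySQL accepts ssl_mode and ssl-mode interchangeably; values may be quoted.
    return {key.replace("_", "-"): (value or "").strip().strip("'\"")
            for key, value in parser.items("client")}


def audit_client_tls(cnf_text):
    """Return a list of (severity, message) findings for the client's TLS settings."""
    opts = _client_options(cnf_text)
    findings = []
    mode = opts.get("ssl-mode", "").upper()
    if not mode:
        findings.append(("medium", "ssl-mode is not set: pin it explicitly instead of "
                                   "relying on client defaults"))
    elif mode not in MODE_FINDINGS:
        findings.append(("high", f"unrecognised ssl-mode value {mode!r}"))
    elif MODE_FINDINGS[mode] is not None:
        findings.append(MODE_FINDINGS[mode])
    # Verification needs a trust anchor to verify against.
    if mode.startswith("VERIFY_") and not (opts.get("ssl-ca") or opts.get("ssl-capath")):
        findings.append(("high", "certificate verification requested but no ssl-ca or "
                                 "ssl-capath is configured"))
    return findings


if __name__ == "__main__":
    for name, cnf in (("encrypt-only", ENCRYPT_ONLY_CNF), ("verified", VERIFIED_CNF)):
        print(name, audit_client_tls(cnf) or "no findings")
```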


ProBeat: SHA-1 encryption is shattered, so stop using it – VentureBeat

Software's biggest advantage is that innovations can be rapidly adopted. But that's also its biggest downfall: It's incredibly difficult for everyone to move on after that software is no longer deemed safe. SHA-1 is the latest example in a long list of technologies that needs to be abandoned ASAP.

Cryptographic hash functions are used to encrypt traffic and protect the contents of online communications, to locate data records in hash tables, to build caches for large data sets, to find duplicate records, to manage code repositories, and a variety of other use cases. Whether it's validating an update or a credit card transaction, chances are SHA-1 is still in use.

Browsers and websites use hash functions by creating a unique fingerprint and digitally signing each chunk of data to prove that a message has not been altered or tampered with when it passes through various servers. When the Certificate Authority and Browser Forum published their Baseline Requirements for SSL in 2011, the SHA-1 cryptographic hash algorithm was essentially deprecated. They identified security weaknesses in SHA-1 and recommended that all certificate authorities (CAs) transition away from SHA-1 based signatures, with a full sunset date of January 1, 2016. The U.S. National Institute of Standards and Technology banned the use of SHA-1 by U.S. federal agencies back in 2010.

Unfortunately, SHA-1 is still in use today. This is despite years of warnings from network security experts saying SHA-1 is becoming easier and easier to hack due to consistent advancements in computing technology.

Useful hash functions tend to be collision-resistant, which means that it is very hard to find two pieces of data that will generate the same hash value, in part accomplished by generating very large hash values (SHA-1 generates 160-bit values). As computational power increases and as attacks on the mathematical underpinnings improve, collision resistance eventually shatters.

After two years of research by the CWI Institute in Amsterdam and Google, the duo this week announced the first SHA-1 collision. In short, they proved it is possible for an attacker to craft a collision that deceives systems relying on SHA-1 into accepting a malicious file in place of its safe counterpart.

Google created a PDF prefix specifically crafted for generating two documents with arbitrary distinct visual contents, but that would hash to the same SHA-1 digest. The company used its cloud infrastructure to compute the collision:

That might seem impractical, but it is more than 100,000 times faster than a brute force attack on SHA-1. Google released the two PDFs that have identical SHA-1 hashes but different content. Following its own vulnerability disclosure policy, the company will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum.

Do not wait 90 days. Ditch SHA-1 now.
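Why a collision lets one file stand in for another, and why moving to a stronger hash closes the gap, as an added example that is not from the column or from Google: a real SHA-1 collision cannot be computed here, so SHA-1 truncated to 24 bits stands in for a hash whose collision resistance is gone, and an HMAC over the digest stands in for a signature. The documents, key and helper names are constructed.

```python
import hashlib
import hmac

TOY_BITS = 24                      # toy digest size; full SHA-1 is 160 bits
KEY = b"constructed-demo-key"      # stand-in for the signer's key (assumption)


def weak_digest(data: bytes) -> bytes:
    """First 24 bits of SHA-1: a stand-in for a hash that no longer resists collisions."""
    return hashlib.sha1(data).digest()[: TOY_BITS // 8]


def strong_digest(data: bytes) -> bytes:
    """SHA-256, the replacement the verifier should be using."""
    return hashlib.sha256(data).digest()


def find_colliding_pair(doc_a: bytes, doc_b: bytes):
    """Append a counter to each document until a variant of A and a variant
    of B share the same weak digest, then return that pair."""
    seen_a, seen_b = {}, {}
    n = 0
    while True:
        suffix = b" #" + str(n).encode()
        var_a, var_b = doc_a + suffix, doc_b + suffix
        dig_a, dig_b = weak_digest(var_a), weak_digest(var_b)
        seen_a[dig_a] = var_a
        seen_b[dig_b] = var_b
        if dig_a in seen_b:
            return var_a, seen_b[dig_a]
        if dig_b in seen_a:
            return seen_a[dig_b], var_b
        n += 1


class Verifier:
    """Signs and checks the digest of a document, not the document itself,
    which is how signature schemes use hash functions."""

    def __init__(self, digest_fn):
        self.digest_fn = digest_fn

    def sign(self, data: bytes) -> bytes:
        return hmac.new(KEY, self.digest_fn(data), hashlib.sha256).digest()

    def verify(self, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), tag)


def demo():
    approved, substituted = find_colliding_pair(
        b"Invoice 17: pay 100 EUR", b"Invoice 17: pay 9000 EUR")
    weak, strong = Verifier(weak_digest), Verifier(strong_digest)
    return {
        # The tag issued for the approved document also validates the other one.
        "weak_accepts_substitute": weak.verify(substituted, weak.sign(approved)),
        # With a collision-resistant digest the substitution is rejected.
        "strong_accepts_substitute": strong.verify(substituted, strong.sign(approved)),
        "strong_accepts_original": strong.verify(approved, strong.sign(approved)),
    }


if __name__ == "__main__":
    print(demo())
```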

ProBeat is a column in which Emil rants about whatever crosses him that week.


We’re Halfway to Encrypting the Entire Web – EFF

The movement to encrypt the web has reached a milestone. As of earlier this month, approximately half of Internet traffic is now protected by HTTPS. In other words, we are halfway to a web safer from the eavesdropping, content hijacking, cookie stealing, and censorship that HTTPS can protect against.

Mozilla recently reported that the average volume of encrypted web traffic on Firefox now surpasses the average unencrypted volume.

Google Chrome's figures on HTTPS usage are consistent with that finding, showing that over 50% of all pages loaded are protected by HTTPS across different operating systems.

This milestone is a combination of HTTPS implementation victories: from tech giants and large content providers, from small websites, and from users themselves.

Starting in 2010, EFF members have pushed tech companies to follow crypto best practices. We applauded when Facebook and Twitter implemented HTTPS by default, and when Wikipedia and several other popular sites later followed suit. Google has also put pressure on the tech community by using HTTPS as a signal in search ranking algorithms and, starting this year, showing security warnings in Chrome when users load HTTP sites that request passwords or credit card numbers.

EFF's Encrypt the Web Report also played a big role in tracking and encouraging specific practices. Recently other organizations have followed suit with more sophisticated tracking projects. For example, Secure the News and Pulse track HTTPS progress among news media sites and U.S. government sites, respectively.

But securing large, popular websites is only one part of a much bigger battle. Encrypting the entire web requires HTTPS implementation to be accessible to independent, smaller websites. Let's Encrypt and Certbot have changed the game here, making what was once an expensive, technically demanding process into an easy and affordable task for webmasters across a range of resource and skill levels.

Let's Encrypt is a Certificate Authority (CA) run by the Internet Security Research Group (ISRG) and founded by EFF, Mozilla, and the University of Michigan, with Cisco and Akamai as founding sponsors. As a CA, Let's Encrypt issues and maintains digital certificates that help web users and their browsers know they're actually talking to the site they intended to. CAs are crucial to secure, HTTPS-encrypted communication, as these certificates verify the association between an HTTPS site and a cryptographic public key. Through EFF's Certbot tool, webmasters can get a free certificate from Let's Encrypt and automatically configure their server to use it.

Since we announced that Let's Encrypt was the web's largest certificate authority last October, it has exploded from 12 million certs to over 28 million. Most of Let's Encrypt's growth has come from giving previously unencrypted sites their first-ever certificates.

A large share of these leaps in HTTPS adoption are also thanks to major hosting companies and platforms--like WordPress.com, Squarespace, and dozens of others--integrating Let's Encrypt and providing HTTPS to their users and customers.

Unfortunately, you can only use HTTPS on websites that support it--and about half of all web traffic is still with sites that don't. However, when sites partially support HTTPS, users can step in with the HTTPS Everywhere browser extension.

A collaboration between EFF and the Tor Project, HTTPS Everywhere makes your browser use HTTPS wherever possible. Some websites offer inconsistent support for HTTPS, use unencrypted HTTP as a default, or link from secure HTTPS pages to unencrypted HTTP pages. HTTPS Everywhere fixes these problems by rewriting requests to these sites to HTTPS, automatically activating encryption and HTTPS protection that might otherwise slip through the cracks.

Our goal is a universally encrypted web that makes a tool like HTTPS Everywhere redundant. Until then, we have more work to do. Protect your own browsing and websites with HTTPS Everywhere and Certbot, and spread the word to your friends, family, and colleagues to do the same. Together, we can encrypt the entire web.


Tech Firms Urge Government to Cut Encryption Red Tape – Infosecurity Magazine

Technology trade association techUK has called on government ministers to cut export red tape on products incorporating encryption in order to make the UK more competitive, as a separate white paper urges the European Commission to revise its stance on cybersecurity export controls.

With the digital economy responsible for roughly a quarter of the UK's exports, the nation's firms can't afford the lengthy license approvals process needed for many products containing encryption, techUK argued.

With export procedures significantly more liberal in other countries, this is impacting the competitiveness of UK firms, according to the body.

It argued for an Open General Export Licence to cover specific comms equipment alongside clear guidance to help industry better understand which items require licensing.

The news comes as industry group Digital Europe launched a new positioning paper calling on the European Commission to modify its proposals to tighten restrictions on the export of so-called dual-use technologies.

Like the Wassenaar Arrangement, the proposals are designed to limit the export of technologies such as intrusion software to repressive regimes which may use them to monitor dissidents and activists.

However, the Commission's proposals could create legal uncertainty and problems for harmonization across Europe thanks to poor definitions for terms like "cyber-surveillance technologies", "licensing criteria", and "Intangible Technology Transfers", techUK argued.

Poorly defined catch-all controls and technical assistance will actually work to restrict the ability of firms to export tools to enhance cybersecurity without safeguarding human rights around the world, it added.

What's more, the proposals aren't even in line with the Wassenaar Arrangement, and feature a newly created category, Annex 1 category 10, which will make it difficult for exporters to align with the countries they're dealing with, the tech group said.

This area continues to prove a major stumbling block around the world, with the negotiators failing to find a breakthrough last year in discussions on the 41-country Wassenaar pact despite the US leading efforts to agree on new language.
