June 19, 2013

In Brief: Microsoft, Google and Mozilla all block digital certificates issued by an intermediate certificate authority of TURKTRUST

(LiveHacking.Com) – Microsoft, Google and Mozilla have all removed trust in certificates issued by an intermediate certificate authority (CA) linking back to TURKTRUST Inc. What has happened is that TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org), the first of which was used to issue a fraudulent digital certificate for *.google.com.

Intermediate CA certificates carry the same authority as a CA, so anyone who has one can use it to create a certificate for any website. A fraudulent certificate can be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

“TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” wrote Google.

Google is also considering an update to Chrome which will no longer indicate Extended Validation status for certificates issued by TURKTRUST. Mozilla has suspended the TURKTRUST root certificate. TURKTRUST subsequently asked Mozilla to include a newer root certificate and their request was initially approved. However, due to the mis-issued intermediate CA certificates, Mozilla has decided to suspend inclusion of the new root certificate for now.

NASA says it will encrypt data from now on after its latest laptop loss

(LiveHacking.Com) – Keeping software up to date, installing firewalls and using intrusion detection systems are all excellent ways to boost security; however, little can be done to tackle the human error aspect. A few days ago NASA employees were told of a laptop theft from a locked car in an email message from Richard Keegan Jr., associate deputy administrator at NASA.

It turns out that the laptop held personally identifiable information of “at least” 10,000 NASA employees and contractors. The laptop was password protected; however, it did not use disk encryption. This means that the information on the laptop is easily accessible to the thieves. NASA is working with data breach specialist ID Experts, who will be providing identity theft monitoring services to the individuals at risk. NASA will be picking up the bill for ID Experts’ help.

Now NASA has ordered that all laptops must be encrypted and until the process is complete, staff are not allowed to remove NASA laptops containing sensitive information from any of its facilities. With immediate effect laptops containing information about the international sale or transport of weapons, nuclear equipment or other materials are only allowed to leave NASA if the relevant data is encrypted. Also included in the category of sensitive data is any information about NASA’s human resources.

Computerworld spoke with John Pescatore, an analyst with Gartner Inc., who said that “the compromise isn’t surprising considering that NASA has the lowest portable device encryption rate among all federal agencies. According to a report released in March by the White House Office of Management and Budget, only 41% of NASA-owned portable devices meet the encryption requirements of the Federal Information Security Management Act (FISMA).”

According to the BBC, NASA was warned in 2009 that it was not taking enough steps to sufficiently protect information and had reported the loss or theft of 48 of its mobile computing devices between April 2009 and April 2011.

NASA’s chief information officer, Linda Cureton, who gave the order to encrypt, says she wanted the maximum possible number of laptops to be encrypted by this week and has set a target that all laptops will be encrypted within a month. Employees have also been banned from storing sensitive data on mobile phones, tablets and other portable devices.

“Some NASA systems house sensitive information which, if lost or stolen, could result in significant financial loss, adversely affect national security, or significantly impair our Nation’s competitive technological advantage,” said Paul K. Martin, Inspector General, National Aeronautics and Space Administration, in testimony given in February. “In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems.”

Many Android apps open to man-in-the-middle attacks due to weak SSL usage

After injecting a virus signature database via a MITM attack over broken SSL, the AntiVirus app recognized itself as a virus and recommended to delete the detected malware.

Security researchers from the Leibniz University of Hanover and the computer science department at the Philipps University of Marburg have tested 13,500 popular free Android apps and found that 8.0% of these apps contain SSL/TLS implementations that are vulnerable to Man-in-the-Middle (MITM) attacks.

The researchers created a tool called MalloDroid which is designed to detect potential vulnerabilities against MITM attacks. The tool performs static code analysis to analyze the networking API calls and extract valid HTTP(S) URLs, check the validity of the SSL certificates of all the extracted HTTPS hosts, and identify apps that contain non-default trust managers. Running the tool on the 13,500 samples showed that 1,074 of the apps exhibited some kind of potential vulnerability.

From these 1,074 apps, 100 were picked for manual audit to investigate different SSL problems, including the acceptance of all SSL certificates regardless of their validity. This manual audit revealed that 41 of the apps were vulnerable to MITM attacks due to SSL misuse.

In a particularly embarrassing case, the researchers found that the Zoner AntiVirus app updated its virus signatures via a broken SSL connection. As the developers considered the connection to be secure and impossible to tamper with, there is no built-in verification or validation of the signature files downloaded. This meant that the team was able to insert its own signature files. In one test they added the signature for the anti-virus app itself. The app then proceeded to recognize itself as malware and recommended that it be deleted. The Zoner AntiVirus app has been downloaded more than 500,000 times!
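The kind of check described above, a non-default trust manager that accepts every certificate, can be approximated on Java source with a few patterns. This is an added example, not MalloDroid's code; it works on source text rather than compiled apps, and the sample classes and rule names are constructed for illustration.

```python
import re

# Constructed Java sources (not taken from any real app).
TRUST_ALL = """
class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        // accept everything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
"""
DELEGATING = """
class Checked implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
        platformTm.checkServerTrusted(c, a);  /* real validation */
    }
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; }
    };
}
"""

COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
RULES = {
    # Certificate check whose body is empty or a bare return.
    "empty checkServerTrusted": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?"
        r"\{\s*(?:return\s*;)?\s*\}"),
    # Hostname check that approves every host.
    "verify() always returns true": re.compile(
        r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "allow-all hostname verifier": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"),
}

def scan(java_source):
    """Return the names of the rules that fire on one Java source file."""
    code = COMMENTS.sub("", java_source)  # a comment-only body counts as empty
    return [name for name, rx in RULES.items() if rx.search(code)]

if __name__ == "__main__":
    for label, src in (("TrustAll", TRUST_ALL), ("Checked", DELEGATING)):
        print(label, scan(src))
```

The second sample validates the certificate chain but still disables hostname checking, which is why both checks are needed.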

By the end of their research the team had managed to capture credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts.

The total cumulative number of installs of all the MITM-vulnerable apps is between 39.5 and 185 million, according to the download numbers from Google’s Play Store.

In brief: RSA launches new system which splits credentials over two servers

(LiveHacking.Com) – RSA has launched a new distribution system which splits credentials over two servers. The idea is that if one server is hacked, the attackers only gain access to half of the stored information (password etc.). The system, called “RSA Distributed Credential Protection”, scrambles, randomizes and splits passwords into multiple locations.

As part of the system, administrators can re-randomize and re-split log-in data if a breach is suspected. This means that unless the hackers manage to break into both servers before the re-hashing, the stolen data would be useless.
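The article does not describe how RSA's product works internally, so the following added example only illustrates the general idea of splitting a stored credential in two and re-randomizing the halves. It uses a simple XOR split of a salted password hash; the function names and PBKDF2 parameters are assumptions, not RSA's design.

```python
import hashlib
import hmac
import secrets

def verifier(password, salt):
    """Slow salted hash of the password; this is the value that gets split."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split(secret):
    """2-of-2 split: each share on its own is a uniformly random string."""
    pad = secrets.token_bytes(len(secret))
    return pad, xor(secret, pad)

def refresh(share_a, share_b):
    """Re-randomize both shares without reassembling the secret."""
    r = secrets.token_bytes(len(share_a))
    return xor(share_a, r), xor(share_b, r)

def check(password, salt, share_a, share_b):
    # Simplification: the shares are recombined in one place here. A deployed
    # system would compare without giving either server both halves.
    return hmac.compare_digest(verifier(password, salt), xor(share_a, share_b))

def demo():
    salt = secrets.token_bytes(16)
    a0, b0 = split(verifier("correct horse", salt))   # constructed password
    a1, b1 = refresh(a0, b0)                          # after a suspected breach
    return {
        "fresh shares verify": check("correct horse", salt, a1, b1),
        "stolen old A + new B verify": check("correct horse", salt, a0, b1),
        "wrong password verifies": check("wrong", salt, a1, b1),
    }

if __name__ == "__main__":
    for claim, result in demo().items():
        print(f"{claim}: {result}")
```

A share copied before the refresh no longer combines with the other server's current share, which is the property the re-randomize step relies on.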

“DCP scrambles, randomizes and splits sensitive credentials, passwords and Pins and the answers to life or challenge questions into two locations,” said RSA’s manager Liz Robinson.

The product however isn’t open source but is rather a commercial offering. RSA expect that DCP will be ready before the end of the year. It will cost about $150,000 per licence which RSA says is less than the cost of “an expensive lawsuit.”

In brief: New free eBook released to help those with no prior experience protect their privacy in a digital world

(LiveHacking.Com) – The CryptoParty, a new, decentralized, global initiative aimed at introducing basic cryptography tools to the general public, has released its first handbook. The CryptoParty Handbook is designed to help those with no prior experience to protect their basic human right to Privacy in the online world.

The book covers a variety of topics like passwords, browsing, email encryption, VPNs, hard disk encryption and secure file sharing. In each of these areas the book describes the dangers to privacy and recommends which open source tools to use.

By recommending open source tools, rather than commercial tools, the authors hope that users will start to take their online privacy seriously without needing to spend money on sometimes expensive software products.

The CryptoParty Handbook is the brainchild of Marta Peirano and Adam Hyde who came up with the idea after the first Berlin CryptoParty, held on the 29th of August, 2012. Others including Julian Oliver and Danja Vasiliev, co-organisers of the Berlin CryptoParty (along with Marta) were very enthusiastic about the book. It was written in the first 3 days of October 2012 at Studio Weise7, Berlin. Approximately 20 people were involved in its creation, some more than others, some local and some far (Melbourne in particular).

In brief: NIST declares Keccak winner of Secure Hash Algorithm (SHA-3) competition

(LiveHacking.Com) – The National Institute of Standards and Technology (NIST) has announced the winner of its five-year competition to select a new cryptographic hash algorithm. At the end of 2007, NIST announced a free-for-all competition to find the next Secure Hash Algorithm (known as SHA-3). Now after five years, 64 entries and three rounds of eliminations, there is a winner: Keccak. Pronounced “catch-ack”, it was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors.

Hash algorithms are widely used to create “fingerprints”, or “message digests”, of a file. The marks of a good hash algorithm are that any change in the original data will change the digest, and for any given file it must be infeasible for a forger to create a different file with the same hash. NIST liked Keccak because of its elegant design and its ability to run well on many different computing devices.

NIST received sixty-four entries in total. Fifty-one were selected as first-round candidates, and this was narrowed down to fourteen second-round candidates in July 2009. On December 9, 2010, NIST announced five third-round candidates – BLAKE, Grøstl, JH, Keccak and Skein.

“Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be,” says NIST computer security expert Tim Polk. “An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently. The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network. SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before.”

In brief: Google adds OAuth 2.0 support for IMAP/SMTP and XMPP

(LiveHacking.Com) – Google has been a long time proponent of using OAuth 2.0 for its services and APIs. Now it has extended its use of the open standard authorization mechanism by adding OAuth 2.0 support for IMAP/SMTP and XMPP.

It was just over a year ago that Google announced its recommendation that OAuth 2.0 become the standard authentication mechanism for its APIs. Using it has several security benefits including access to Google’s two-factor authentication process.

“When clients use OAuth 2.0, they never ask users for passwords. Users have tighter control over what data clients have access to, and clients never see a user’s password, making it much harder for a password to be stolen. If a user has their laptop stolen, or has any reason to believe that a client has been compromised, they can revoke the client’s access without impacting anything else that has access to their data,” said Ryan Troll from Google’s Application Security Team.

Google has also announced that it will deprecate the older authentication mechanisms such as XOAUTH for IMAP/SMTP and X-GOOGLE-TOKEN and SASL PLAIN for XMPP.

In brief: Chip and pin random numbers not random enough

(LiveHacking.Com) – A vulnerability in the chip and pin payment system has been discovered by Cambridge University researchers. The chip and pin system is used throughout Europe and much of Asia, and is starting to be introduced in North America too.

As part of the system, the payment card contains a chip that understands the system’s authentication protocol. As part of the protocol, the point-of-sale (POS) terminals or the ATMs need to generate a random number for each transaction. However, the team have discovered that some POSs and ATMs merely used counters, timestamps or home-grown algorithms to generate this number.

The vulnerability leaves the system open to “pre-play” attacks which are indistinguishable from card cloning attacks.
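A terminal operator can look for the weakness described above in its own transaction logs. The following added example (not the researchers' tooling) flags logs of per-transaction numbers that behave like a counter or a clock; it assumes the number is handled as a 32-bit value, and the logs and thresholds are constructed for illustration.

```python
import secrets
from collections import Counter

MASK = 0xFFFFFFFF  # assumption: the UN is handled as a 32-bit value

def stuck_bits(uns):
    """Count bit positions that hold the same value in every sample."""
    always_one, ever_one = MASK, 0
    for u in uns:
        always_one &= u
        ever_one |= u
    return bin(always_one | (~ever_one & MASK)).count("1")

def dominant_stride(uns):
    """Most common step between consecutive UNs and its share of all steps."""
    steps = Counter((b - a) & MASK for a, b in zip(uns, uns[1:]))
    stride, hits = steps.most_common(1)[0]
    return stride, hits / (len(uns) - 1)

def assess(uns, max_stuck=8, max_share=0.25):
    """Return the reasons a terminal's UN log looks predictable (empty if none)."""
    findings = []
    if stuck_bits(uns) > max_stuck:
        findings.append("constant bits")
    if dominant_stride(uns)[1] > max_share:
        findings.append("fixed stride")
    if len(set(uns)) < len(uns):
        findings.append("repeated value")
    return findings

# Constructed logs, 64 transactions each (not real terminal data).
COUNTER = [0x5A3C0000 + i for i in range(64)]                    # plain counter
CLOCK = [1347000000 + 90 * i + (i * i) % 17 for i in range(64)]  # timestamp-like
SOUND = [secrets.randbits(32) for _ in range(64)]                # CSPRNG output

if __name__ == "__main__":
    for name, log in (("counter", COUNTER), ("clock", CLOCK), ("csprng", SOUND)):
        print(name, stuck_bits(log), assess(log))
```

The timestamp-like log has irregular steps, so only the constant high-order bits give it away; a stride test alone would miss it.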

The team’s research was presented at a cryptography conference in Leuven, Belgium, on Tuesday.

“If you can predict [the UN], you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location,” said researcher Mike Bond in a blog post. “You can as good as clone the chip. It’s called a pre-play attack.”

The Cambridge team have been in contact with leading banks to explain the risks to them, but they discovered that some had been “explicitly aware of the problem for a number of years”.

“The sort of frauds we’re seeing are easily explained by this, and by no other modus operandi we can think of,” researcher Prof Ross Anderson told the BBC. “For example, a physics professor from Stockholm last Christmas bought a meal for some people for 255 euros ($326, £200), and just an hour and a half later, there were two withdrawals of 750 euros made from a nearby cash machine used by what appears to have been a clone of his card.”

Microsoft releases MS-CHAP v2 authentication security advisory

(LiveHacking.com) - A few weeks ago, at Defcon 20, Moxie Marlinspike and David Hulton gave a presentation on cracking MS-CHAPv2 and subsequently integrated the techniques presented into the CloudCracker service.

MS-CHAPv2 is an old authentication protocol which Microsoft introduced with NT4.0 SP4 and Windows 98. Today the protocol is still widely used for PPTP VPNs, as well as in WPA2 Enterprise environments.

Using the new techniques presented at Defcon 20, David Hulton’s PicoComputing built a box, using FPGAs, which can crack MS-CHAPv2 in at most 24 hours and often in just half that amount of time.

As a response to this, Microsoft has released a security advisory called “Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure.” The advisory notifies Microsoft customers of the known cryptographic weaknesses in the MS-CHAP v2 protocol.

To exploit the weaknesses and obtain user credentials, the attacker has to be able to intercept the victim’s MS-CHAP v2 handshake by performing man-in-the-middle attacks or by intercepting open wireless traffic.

Microsoft offers two workarounds (suggested actions):

1. Secure your MS-CHAP v2/PPTP based tunnel with PEAP (see Microsoft Knowledge Base Article 2744850)

2. Use a more secure VPN tunnel - Microsoft recommends using L2TP, IKEv2, or SSTP VPN tunnels in conjunction with MS-CHAP v2 or EAP-MS-CHAP v2 for authentication.


AMD and Philips hacked by r00tbeer

(LiveHacking.Com) – A hacking group known as r00tbeer has claimed to have hacked AMD’s blog and broken into several small sites belonging to Philips. The hackers, whose Twitter account was only created a few days ago, tweeted:

#AMD - R.I.P http://blogs.amd.com , database will be released in few minutes. #r00tbeersec

And then the next day tweeted:

http://www.philips.com  Database dumps - http://www.mediafire.com/?********** … includes 197,000+ emails. RT/Share. #r00tbeersec

During the AMD hack, the hacking group defaced the website and stole a database. AMD has since taken its blog down, replacing it with a message stating that it is undergoing “routine maintenance”.

It is believed that AMD was using WordPress to host its blogs and although the WordPress user database was stolen and subsequently leaked onto the Internet, the passwords in the database should be hard to crack as WordPress uses the strong password hashing framework phpass.

As for the attack on Philips, the gang stole a few small SQL databases from the Dutch technology giant and leaked them in full online. Included in the online dump were nearly 200,000 email addresses which will no doubt be used for sending spam!

It does appear that Philips have been a little careless with regards to security as some of the databases dumped contained passwords using simple MD5 hashing and no salting. One database even used plain text to store the passwords.