• Content count

  • Joined

  • Last visited

  • Days Won


Everything posted by James

  1. VeraCrypt 1.17

    VeraCrypt 1.21, released in July 2017, added support for FreeBSD.
  2. VeraCrypt 1.17

    VeraCrypt 1.17 now supports Unicode passwords. Optimisation of key derivation functions has cut mount/boot times in half. VeraCrypt solves many vulnerabilities and security issues found in TrueCrypt. It can can load TrueCrypt volumes, and convert TrueCrypt containers and non-system partitions to the VeraCrypt format. VeraCrypt carries out many more iterations than TrueCrypt with negligible performance impact. System requirements are: Windows XP and newer. MacOSX 10.6 and newer. OSXFuse must be installed with MACFuse compatibility mode activated. Linux x86 (32-bit and 64-bit) versions with kernel 2.6 and newer.
  3. The Lloyds Banking Group (Lloyds Bank, Bank of Scotland, Halifax and MBNA) has blocked the ability for its customers to purchase crypto-currencies with a credit card (according to a report in The Telegraph). It is concerned about the level of customer debt set against falling values in cryptocurrency. However debit card purchases are not excluded.
  4. Facebook has announced a change to its advertising policy restricting the advertising of cryptocurrency. It now says Facebook Ads must not promote ‘financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings and cryptocurrency.’
  5. A vulnerability in RSA encryption affects about 3% of all web servers including leading web sites such as Facebook and PayPal. In 1998 Daniel Bleichenbacher, a Swiss cryptographer, identified a problem with the implementation of RSA PKCS #1 v1.5 and it was never fully fixed. Hanno Böck, Juraj Somorovsky, and Craig Young discovered the flaw, to be known as ROBOT, which stands for Return Of Bleichenbacher’s Oracle Threat. It can be used to exploit servers running older ciphers. Servers that are vulnerable to a DROWN attack, forcing a downgrade to older ciphers, are also vulnerable. The researchers recommend to fully deprecate RSA encryption based key exchanges in TLS (ciphers that start with TLS_RSA). Further information is available from https://eprint.iacr.org/2017/1189.pdf
  6. Mini Crypto Chip

    The US Air Force has a new encryption chip called Mini Crypto. It took two years to develop and is now ready for production. The chip is a self-contained encryption engine that generates its own session-based key. It is suitable for communications equipment that is usually carried by one person, such as scouts, and does not require safeguarding from falling into the wrong hands. Further information from http://www.aviationtoday.com/2017/10/04/usaf-encryption-chip-ready-production/
  7. KSK, ZSK, RZM for the DNS

    ICANN has postponed the rollout until the first quarter of 2018 at the earliest.
  8. KSK = Key Signing Key ZSK = Zone Signing Key RZM = Root Zone Maintainer DNS = Domain Name System (or Server) The KSK will be used to sign the root zone for the first time on October 11, 2017 at 1600 UTC. The KSK is used to sign the ZSK, which is used by the root zone maintainer (RZM) to DNSSEC-sign the root zone of the Domain Name System. The change will upgrade the ZSK to a 2048-bit RSA key to improve security for resolving domain names. For more information see https://automated-ksk-test.research.icann.org/
  9. Burger King has launched its own crypto-currency, called WhopperCoin. They are offered in reward for purchases. 1700 WhopperCoins can be redeemed for a Whopper burger. The BlockChain is being managed by Waves: http://wavescommunity.com/blt-with-dlt-have-it-your-way-with-whoppercoin-on-waves/ (n.b. the Waves web site doesn’t use HTTPS, rather odd considering their area of expertise)
  10. A European Parliament committee is proposing that end-to-end encryption can be used by the public. They submitted a proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications.
  11. IBM has announced new hardware that supports full encryption and said ‘IBM fully supports the need for governments to protect their citizens from evolving threats. Weakening encryption technology, however, is not the answer. Encryption is simply too prevalent and necessary in modern society.’
  12. VeraCrypt 1.17

    VeraCrypt 1.20 comes with 64-bit processor optimizations for all supported operating systems. The developers have improved the implementation for SHA-512 and SHA-256 which results in a 33% speed increase on 64-bit systems. Additionally, a 64-bit optimized assembly implementation of Twofish and Camelia is included in VeraCrypt 1.20 which makes Camelia 2.5 times faster if AES-NI is supported by the processor, or 30% faster if it is not. Other major changes for all operating systems include the use of Address Space Layout Randomization (ASLR) for improved security, and the integration of a local HTML user guide instead of a PDF document. (source: ghacks.net)
  13. Siteground has embraced the momentum of Let’s Encrypt by adding a one-click installation service. Shared hosting customers on entry level hosting packages can now take advantage of free HTTPS security certificates for all their domains, including Add-On domains. There is no cost involved for installation, and no requirement for a fixed IP, representing a double saving on previous security certificate arrangements. Setting up (via cPanel) takes less than 2 minutes.
  14. Let’s Encrypt has just issued its hundred millionth digital certificate. They estimate the number of web sites protected by Let’s Encrypt is between 17 million and 46 million.
  15. Fox‑IT has extracted AES-256 encryption keys using $200 of standard electronics parts to measure electromagnetic radiation. At a distance of one metre sniffing the keys over the air took five minutes. At 30cm the extraction time is cut down to just 50 seconds. By using a test rig for calibration they mapped out power consumption related to individual bytes, resulting in 8192 guesses at the encryption key. They said (PDF) their technique is suitable for attacking network encryption appliances.
  16. WannaCry Ransomware

    The US Computer Emergency Readiness Team (US-CERT) has published an Alert (TA17-132A) with the indicators associated with WannaCry ransomware. WannaCry, WCry, or Wanna Decryptor, was discovered on 12th May 2017. It is believed that WannaCry is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft has released a security update for the MS17-010 vulnerability. How it works…
  17. A draft version of UK legislation was leaked to the Open Rights Group on 4th May 2017. The document shows the extent of surveillance compliance that Internet Service Providers will be required to provide, including real-time access to customer communications and removal of encryption from their data.
  18. The Internet Society has lobbied the G20 to adopt a fully encrypted Internet, and advocates the use of strong encryption despite issues faced by law enforcement. CEO Kathryn Brown doesn’t hold back, and asks G20 nations to embrace encryption because the digital economy “will only continue to thrive and generate opportunities for citizens if the Internet is strong, secure, and trusted.” “Strong encryption is an essential piece to the future of the world’s economy” is marked out in bold letters before going on to say “the Internet Society believes it should be the norm for all online transactions. It allows us to do our banking, conduct local and global business, run our power grids, operate, communications networks, and do almost everything else. Encryption is a technical building block for securing infrastructure, communications and information. It should be made stronger and universal, not weaker. However, rather than being recognized as the way to secure our online transactions or our conversations, all too often the debate focuses on the use of encryption as a way to thwart law enforcement. To undermine the positive role of encryption in the name of security could have devastating consequences.” And to ensure the Internet Society’s viewpoint is clearly understood the article is rounded off with a 3-point manifesto… If the G20 countries are serious about strengthening their economies and continuing to deliver economic and social prosperity to their citizens in future, there are three key principles they should endorse and implement immediately: 1. Encryption is an important technical foundation for trust in the digital economy and should be the norm. All users (whether government, business or individual) should use encryption to protect infrastructure, communications and the privacy and integrity of their data. Encryption technologies should be strengthened, not weakened. 2. The security of the digital economy is a shared responsibility that needs the expertise and experience of all stakeholders, across border and across disciplines. It is an urgent need that will require open, inclusive collaboration. 3. Users’ rights should be at the heart of any decisions related to the digital economy. They are both the customers and the contributors to the success of the digital economy.
  19. Sir Tim Berners-Lee spoke to the BBC following the news that he has been given the Turing Award. Sir Tim said giving the authorities a back door to encryption would have serious consequences. Moves to undermine encryption would be a “bad idea” and represent a massive security breach. If you break encryption other people (e.g. terrorists) may end up getting better at it than you are. Sir Tim also criticised the UK and USA on privacy matters, such as the UK's recent Investigatory Powers Act… “The idea that all ISPs should be required to spy on citizens and hold the data for six months is appalling.” He was shocked by the USA scraping laws preventing internet service providers from selling user data.
  20. Minister for Digital and Culture Matt Hancock has given a speech at the Institute of Directors Conference in London. He said that encryption and cyber security are a crucial part of our modern economy. He said both are at the heart of the Government’s National Cyber Security Strategy (NCSC). They are aware that one in three small firms, and two in three large businesses experienced a cyber breach or attack in the past year. He said the the costs of a successful attack can be huge because over 95% of businesses have internet access, over 60% of employees use computers at work, and the internet is used daily by over 80% of adults - and four out of five people in the UK bought something online in the past year.
  21. Samuel Weiser and his team have demonstrated a side-channel attack on Intel SGX that they call Prime+Probe. They can extract 96% of a 4096-bit RSA private key from a single Prime+Probe trace and achieve full key recovery from only 11 traces within 5 minutes.
  22. Yahoo! has revealed that it only used an MD5 hashing to protect the passwords of the 1 billion users accounts that were hacked in 2013. They have subsequently upgraded to using bcrypt encryption but it does little to restore public confidence knowing that MD5 was still in place as late as 2013 when weaknesses were found in MD5 over 20 years ago. Jeffrey Goldberg at AgileBits told The Register ‘What mattered is that it was not salted’. Ty Miller at Threat Intelligence said it was ‘negligent of an organisation such as Yahoo! ... to be using such an outdated and ineffective control to protect the passwords.’ Alternatives to MD5 include PBKDF2, bcrypt and Argon2 - it is difficult to understand why MD5 wasn’t replaced sooner.
  23. Fhoosh, founded in 2012 by Eric Tobias and Linda Eigner, has raised $2 million in venture funding from Volta Global to get its software to market. Fhoosh’s new method of encryption doesn’t degrade network performance. Jeff Evans, managing director of Volta Global, said “Fhoosh has developed a novel, proprietary solution to enable enhanced safety, security and speed all at once.” Eric Tobias claims that if network defenses are breached, the attackers will uncover unusable data, finding “data dust instead of data diamonds.”
  24. The Register reports on a weakness with the Device Encryption Key (DEK) used on Android. The DEK is encrypted using the owner’s PIN or password and an encrypted block of data called the KeyMaster Key Blob. The blob is located in the protected TrustZone. However Gal Beniamini has discovered bugs in the management app running the TrustZone that create a privilege-escalation vulnerability. Once the blob has been acquired it only requires brute force on the PIN or password to obtain decrypted access. Unfortunately the patching process depends on the hardware vendor, so it may be some time before the known bugs are patched. Even though Google has already patched the Nexus it will only remain secure until further privilege-escalation bugs are identified, and more are only to be expected. Ultimately it is the methodology that allows this weakness to prevail.
  25. Android Full Disk Encryption

    A recent article by The Register highlights the unfinished nature of Android’s encryption. There is a TODO comment in the source code regarding the removal of encryption keys from memory. //https://android.googlesource.com/platform/system/vold/+/master/Ext4Crypt.cpp bool e4crypt_lock_user_key(userid_t user_id) { if (e4crypt_is_native()) { // TODO: remove from kernel keyring } else if (e4crypt_is_emulated()) {