Security News (92 Posts)

<< Next - First ... 5 6 7 8 9 ... Last - Previous >>

MD5 Security Flaws

In case you were in any doubts about the security flaws of MD5, in recent days, 2 implementations of MD5 have been shown to have severe security issues.

1) The md5crypt password scrambler used in many Unix based distributions has been deemed as “unsafe” by its author (in fact this has been known for some time now).

2) MD5 collisions were used in the recent Flame malware to bypass Microsoft Update signature certificates.

The sole use of MD5 as a security vector must be avoided.


An interesting timeline representation of the CloudFlare’s hack

CloudFlare is an interesting young company, a few years old, as introduced in this Bloomberg article. Although it is tempting to just describe it as being similar to Akamaibecauseit provides web acceleration and DOS protection through the use of a Content Distributed Network (CDN), it is also different. As explained by its founder, Matthew Price, it can understand, analyse and protect all requests to a website, not just a subset. It also has a different price model starting with a free offering and generally being much less expensive than the competition even with its pro/business/enterprise options.

In a nutshell, CloudFlare appears to be a service that can help optim...

Flame and the DEB93D trail

In the last few weeks there has been a lot of noise about what looks like the latest State sponsored malware, Flame. You can find a lot of information about it from Kaspersky and also from the CrySyS lab who seems to have done some parallel investigation and call it differently (sKyWIper).

This malware is quite interesting for several reasons:
1) It seems to focus on stealing information rather than being directly disruptive.
2) It has been active for 5+ years and has remained undetected until now.
3) It has an option to delete itself, but in doing so leaves one file. a ~DEB93D.tmp file.
4) It is modular and can/has been used to intercept Microsoft update using fake certificates t...

Apple in Denial

Note: Many of the security articles I have written about Apple on this blog are negative and the reader could think I do not like Apple. This is actually very far from the truth, I am a big Apple fan; but I am also a security professional and I do not agree with their overall security strategy.

The title of this post is inspired directly from an Article I read on ZDnet, discussing the latest security threat that infected an estimated half a million Mac with malware: “BackDoor.Flashback.39″.

Mac Trojans are evolving and becoming more frequent, last August a Mac Trojan (Bash/Qhost.WB)was found in a fake Flash updater that once installed would redirect google search results to “bad sites”, then in September another Mac Trojan ( >>[READ MORE]

Satellite phones encryption attacked

About a month ago, Arts Technica ran an article about the encryption standards used by satellite phones that have been broken.

This is yet another exemple of a proprietary encryption system which appears to have been weakly designed and implemented.
Although they have only been able to break the communication from the Satellite to the phone and not the other way around, it should still be of concern for anyone using those phones to transmit sensitive information without additional security.
Even if the audio codec still needs to be reversed engineered, this should be the easy part of this attack!

Someone is likely to get a great PhD as the paper exposing this issuewas co-written by such student.


John Nash on Cryptography

John Nash is a famous mathematician whose life inspired the Hollywood movie “A beautiful Mind”. However, summerizing his life through that light hearted movie would be very inadequate!

So, this genius mathematician who worked in game theory, differential geometry, and partial differential equations as well as winning a Nobel Prize in 1994 appears to also have had some great insights into modern cryptography… back in the 1950s!

As seen in this article, NSA recently released a series of documents related to letters/conversationa between the NSA and Nash in 1955, where the mathematician made an unsuccessful but noted attempt to communicate his own take on a crypto machine.

If anything, reading at the hand written...

Bringing Your Own Device, a Security challenge.

There is an increasing level of noise in the enterprise about Bringing Your Own Device (BYOD). That you like it or not, it is most probably happening right now within your company unless your are “lucky enough” to be able to enforce strict controls as to what devices are allowed and able to access your data.

For a true BYOD concept, meaning with no restrictions on what that device might be, there are only 2 possible way to enable it:

1) To allow network access to your data/application directly from any devices
2) To make your data/application available from the Internet, and the easiest incarnation of that is through web applications.

With the first approach, focusing on the network access, the positives are that you can have more control over the environment from which the data/application is accessed from. Such as enforcing a minimum set of security controls and quarantine non compliant devices. The negatives, though, are the need for a ...

Koobface, The dangerous game of naming and shaming

There has been wide coverage of the naming and shaming of the supposedly perpetrators behind the Koobface botnet that has affected Facebook and other social sites for a few years.

The gang leader was first named on Dancho Danchev’s blog, then the Facebook’s security team threaten and did reveal the gang’s real identity, the New York times even ran an article on it and finally Sophos published another in-depth look at how they also discovered their identity. In between, many other sites jumped in to share that information.

I am slightly uncomfortable with this approach.

It appeared to have worked in this instance as the bonnet Command & Centre has been turned off, and it also appears they named the right perso...

Most websites are vulnerable to a hash collision DOS attack

By websites, I should really have said Web Applications, but the end result is the same: A server which is serving pages on the Internet could see its CPU usage increasing to a level making that server unusable for a few minutes or more. All that from a relatively small specially crafted malicious HTTP request.

This vulnerability exists in most languages used to develop web applications: PHP, ASP.Net, Java, Python, Ruby, etc. And it has been known to exist in theory since 2003!

Last week, Alexander Klink and Julian Wälde explained at the 28th Chaos Communication Congress in Germany how exactly the theory became reality and the impact on the different web application languages were affected.

The core of the issue is the way hash lists have been implemented in those languages. By “Hash” they both refer to a specific type of data structure and the cryptographic function. A >>[READ MORE]

Encrypting DNS queries with DNSCrypt from OpenDNS

OpenDNS has just release a beta software to enable encryption of DNS queries called: DNSCrypt.

Not encrypting DNS queries can lead to two main type of attacks, as described by OpenDNS:
First, it prevents man-in-the-middle attacks which can cause malicious DNS responses to be used to trick you into visiting a dangerous website or send traffic to an unintended third party. Second, it prevents snooping by your ISP or any other intermediary who might want to sniff your DNS traffic to see what domains you are resolving.

DNSCrypt can significantly increase a user web security as until now there was no way to encrypt DNS queries. As stated by OpenDNS, DNSCrypt should be seen as complementary to Domain Name System Security Extensions (DNSSEC) because the later is not use to encrypt DNS queries, but to provide authenticat...