New Banking Trojan Hijacks Out-Of-Band Mobile SMS

By Robert Vamosi | 7/1/13 2:57 AM

One of the ways to defeat fraud in banking is to use out-of-band communications with the account holder. That usually means sending an SMS text. But a new family of malware aims to defeat that.


Red Balloon Security Gets Off The Ground At RSA

By Robert Vamosi | 2/22/13 1:57 AM

Printers and VoIP phones are about to get a shot in the arm--literally, defensive code injected into their system to secure them from potential hacks.


Chip Malfunctions Reveal Private Keys

By Robert Vamosi | 7/30/12 5:27 AM

Key leakage via side-channel attacks, where the attacker "listens" to fluctuations in voltage as the encryption takes place, is well known. Recently, German researchers found that a faulty processor might also leak secrets during encryption. Known as transient faults, these were considered hard to produce … until now.

At last week's Black Hat Briefing in Las Vegas, Valeria Bertacco, associate professor of electrical engineering and computer science at University of Michigan, and her team found a way to produce transient faults on Linux servers they built running an OpenSSL library and RSA encryption. The team found several ways for the server to fail: by altering the voltage; by changing the temperature of the chips; by over-clocking (it shortens the time to traverse the logic cloud); and by natural particles that change internal signals. She demonstrated these adverse conditions on a Leon3 SPARC system using OpenSSL 0.9.8i's fixed-window exponentiation algorithm.


BYOGG - Beware Your Own Google Glasses

By Robert Vamosi | 7/3/12 4:08 AM

One of the underlying themes of my book When Gadgets Betray Us is that cool gadgets beget new security concerns. Apparently someone at RSA agrees.


RSA SecurID Software Token Vulnerability Found

By Robert Vamosi | 5/24/12 5:53 AM

Recently a researcher from SensePost posted a technique that can be used to defeat RSA’s software-based SecurID tokens. The research shows that one of the key components to the number generation can be easily accessed from the local system and copied. To access this file the attacker must be the administrator or the actual user. It is important to note that this only applies to the software-based tokens, not the hardware-based ones that are commonly seen on people’s key chains.

What is important here is that encryption is not a magic security tool. Even the most robust encryption algorithm can have security vulnerabilities in key generation or key storage, rendering it insecure. It is also important to note that securing the endpoint still remains a major concern at every level.


Nortel's Assets May Contain Seeds of Chinese Hacking

By Robert Vamosi | 2/23/12 7:28 AM

For over a decade, Nortel Networks Ltd. was compromised by individuals using a Chinese IP address. With just seven passwords, copies of business plans, reports and emails wound their way overseas. Now the concern is that the malware used to access the company's secrets may have spread to other players in the telecommunications industry.


Generation Flaw Found in RSA Keys

By Robert Vamosi | 2/15/12 2:21 AM

With a witty title, the academic paper "Ron Was Wrong, Whit Was Right" is sure to stir controversy in the days going into the annual RSA conference in San Francisco later this month. "Ron" is Ron Rivest, the "R" in the RSA algorithm, while "Whit" is Whit Diffie, author of the Diffie-Hellman algorithm. Both gentlemen are the authors of popular public key encryption systems; however, researchers now say that "RSA is significantly riskier than for 'single-secret' ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman."


RSA To Replace SecurID Tokens

By Robert Vamosi | 6/7/11 6:44 AM

Almost two months after a data breach at RSA compromised the SecurID token-based authentication product from RSA, the company has admitted the compromise was more extensive and is offering customers replacement tokens.


Cybercrimes Go Mainstream

By Robert Vamosi | 5/31/11 7:18 AM

A data breach at Lockheed Martin recently claimed a rare feat: A May 31st front page story in the Wall Street Journal. Over the Memorial Day weekend, Lockheed Martin issued a press release reassuring employees and customers that none of its sensitive data was stolen. But what made it newsworthy was that the breach, which appears to be related to a March data breach at EMC/RSA specifically affecting the SecurID tokens used by Lockheed Martin, points to a growing trend that criminal hackers in 2011 are not necessarily in business for the money: information for information's sake is also valuable, enabling criminals to leverage one big attack to commit another.


RSA co-founder to keynote RFIDsec

By Robert Vamosi | 5/9/11 9:12 AM

RSA co-founder Adi Shamir will provide the opening keynote at the 7th Workshop on RFID Security and Privacy 2011. The event will be held in Amherst, Massachusetts, June 26-28, 2011. Mocana is one of the sponsors.
