One of the ways to defeat fraud in banking is to use out-of-band communication with the account holder, which usually means sending an SMS text message. But a new family of malware aims to defeat that.
Key leakage via side-channel attacks, where the attacker "listens" to fluctuations in power draw as the encryption takes place, is well known. Recently, researchers found that a faulty processor can also leak secrets during encryption. Known as transient faults, these were considered hard to produce … until now.
At last week's Black Hat Briefings in Las Vegas, Valeria Bertacco, associate professor of electrical engineering and computer science at the University of Michigan, and her team showed a way to produce transient faults on Linux servers they built running the OpenSSL library and RSA. The team found several ways to make the hardware fail: by altering the supply voltage; by changing the temperature of the chips; by over-clocking (which shortens the time a signal has to traverse the logic cloud between registers); and by natural particle strikes that flip internal signals. She demonstrated these adverse conditions on a Leon3 SPARC system running OpenSSL 0.9.8i's fixed-window exponentiation algorithm.
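Why a single transient fault during a private-key operation is catastrophic is easiest to see with RSA-CRT signing. The Python below is an added example, not the Michigan team's code or their attack on fixed-window exponentiation: it uses the classic Boneh-DeMillo-Lipton fault attack on CRT recombination, with a toy key size and a single flipped bit as the assumed fault, and shows the standard countermeasure of verifying a signature before it leaves the device. The key, the message and the fault position are all constructed for the demo.

```python
from math import gcd


def next_prime(n):
    """Smallest prime greater than n, by trial division (adequate for these toy sizes)."""
    n += 1
    while not all(n % d for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


# Toy RSA-CRT key, constructed here. Real keys are 2048+ bits; the algebra is identical.
P = next_prime(10 ** 6)
Q = next_prime(P)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)          # CRT exponents
QINV = pow(Q, -1, P)


def sign_crt(m, fault_bit=None):
    """RSA-CRT signature of m. If fault_bit is set, one bit of the mod-p half is flipped,
    modelling a transient glitch in that exponentiation (the mod-q half stays correct)."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sp ^= 1 << fault_bit                # the assumed hardware fault
    h = (QINV * (sp - sq)) % P              # Garner recombination
    return sq + Q * h


def verify(m, s):
    return pow(s, E, N) == m


def recover_factor(m, faulty_sig):
    """Boneh-DeMillo-Lipton: the faulty signature is still correct mod q but wrong mod p,
    so s'^e - m is divisible by q and not by p; the gcd with N hands over q directly.
    One faulty signature plus the signed message is all the attacker needs."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def sign_checked(m, fault_bit=None):
    """Countermeasure: verify before release, so a faulted signature never leaves the device."""
    s = sign_crt(m, fault_bit)
    if not verify(m, s):
        raise RuntimeError("signature failed self-check; possible fault injection")
    return s


if __name__ == "__main__":
    msg = 123456789
    bad = sign_crt(msg, fault_bit=5)
    q = recover_factor(msg, bad)
    print("faulty signature verifies:", verify(msg, bad))
    print("recovered factors:", q, N // q, "match:", {q, N // q} == {P, Q})
```

The self-check costs one public-key operation per signature, which is why it is the usual mitigation in smart cards and HSMs; a fault that hits the verification step itself is a separate problem, and the fixed-window attack on the page targets the exponentiation rather than the recombination, so the check is necessary but not sufficient on its own.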
Recently a researcher from SensePost published a technique that can be used to defeat RSA's software-based SecurID tokens. The research shows that one of the secret inputs to the code generator can be easily read from the local system and copied. To access this file the attacker must be the administrator or the actual user. It is important to note that this only applies to the software-based tokens, not the hardware-based ones commonly seen on people's key chains.
What is important here is that encryption is not a magic security tool. Even the most robust encryption algorithm can have security vulnerabilities in key generation or key storage, rendering it insecure. It is also important to note that securing the endpoint remains a major concern at every level.
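To see why a copyable seed file is fatal for a software token, here is an added example (not SensePost's research code and not RSA's SecurID algorithm, which is proprietary): it uses RFC 4226 HOTP as a stand-in for the token's code generator, stores the seed in a file the way a software token on the local system must, and shows that anyone who can read that file computes exactly the same codes. The file names are constructed for the demo, and the seed is the RFC 4226 test-vector secret so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct
import tempfile


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class SoftwareToken:
    """Toy software token. Its only secret is the seed, kept in a file readable by the
    user, and therefore by any process, or any administrator, with the user's file access."""

    def __init__(self, seed_path: str):
        self.seed_path = seed_path

    @classmethod
    def provision(cls, seed_path: str, seed: bytes) -> "SoftwareToken":
        with open(seed_path, "wb") as f:
            f.write(seed)
        return cls(seed_path)

    def code(self, counter: int) -> str:
        with open(self.seed_path, "rb") as f:
            return hotp(f.read(), counter)


def clone_token(victim_seed_path: str, attacker_path: str) -> SoftwareToken:
    """What the attacker does: copy the seed file. No cryptanalysis is involved."""
    with open(victim_seed_path, "rb") as src, open(attacker_path, "wb") as dst:
        dst.write(src.read())
    return SoftwareToken(attacker_path)


def demo():
    """Provision a victim token, clone it by copying the file, and return
    (victim code, clone code) pairs for the first three counters."""
    seed = b"12345678901234567890"   # RFC 4226 test-vector secret, used as a constructed seed
    with tempfile.TemporaryDirectory() as tmp:
        victim = SoftwareToken.provision(os.path.join(tmp, "victim.seed"), seed)
        clone = clone_token(victim.seed_path, os.path.join(tmp, "stolen.seed"))
        return [(victim.code(c), clone.code(c)) for c in range(3)]


if __name__ == "__main__":
    for victim_code, clone_code in demo():
        print(victim_code, clone_code, "match" if victim_code == clone_code else "differ")
```

A hardware token keeps the seed inside the device and exposes only the codes, which is why the copy-the-file attack does not apply to it; for a software token the defence is to bind the seed to the device, for example in a hardware-backed keystore, rather than leave it in a file the user's own processes can read.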
For over a decade, Nortel Networks Ltd. was compromised by intruders operating from a Chinese IP address. With just seven stolen passwords, copies of business plans, reports and emails found their way overseas. The concern now is that the malware used to access the company's secrets may have spread to other players in the telecommunications industry.
With a witty title, the academic paper "Ron Was Wrong, Whit Was Right" is sure to stir controversy in the days leading up to the annual RSA Conference in San Francisco later this month. "Ron" is Ron Rivest, the "R" in the RSA algorithm, while "Whit" is Whitfield Diffie, co-author of the Diffie-Hellman algorithm. Both gentlemen are authors of popular public-key systems; however, the researchers now say that generating keys for RSA "is significantly riskier than for 'single-secret' ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman." The risk is concrete: when two RSA keys are generated from poor randomness they can share a prime factor, and a single gcd of the two public moduli then factors both, whereas a Diffie-Hellman style key has no second secret to share.
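The risk the paper describes is easy to demonstrate. The Python below is an added example, not the paper's own code: it takes a set of RSA public moduli, some of which (by construction) were generated with a shared prime, and recovers their factors with the product-tree batch GCD the authors used to scan millions of keys at once. The moduli are built from small primes chosen for the example; nothing else changes at real key sizes except the cost of the multiplications.

```python
from math import gcd


def batch_gcd(moduli):
    """Bernstein's product/remainder tree: for each n_i return gcd(n_i, product of all other n_j)
    in quasi-linear time, instead of the quadratic number of pairwise gcds."""
    levels = [list(moduli)]
    while len(levels[-1]) > 1:                      # product tree, leaves at levels[0]
        lvl = levels[-1]
        levels.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                       for i in range(0, len(lvl), 2)])
    rems = [levels[-1][0]]                          # remainder tree, root = product of everything
    for lvl in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(lvl)]
    # (P mod n^2) / n == (product of the others) mod n, so this gcd is the shared part of n.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def factor_shared(moduli):
    """Map every modulus that shares a prime with another key in the set to its (p, q)."""
    found = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            continue                                # nothing in common with any other key
        if g == n:
            # n shares both primes across the set (p with one key, q with another) or is an
            # exact duplicate: fall back to pairwise gcd to isolate a single prime.
            for m in moduli:
                if m != n and 1 < gcd(n, m) < n:
                    g = gcd(n, m)
                    break
            else:
                continue                            # only exact duplicates: no factorisation
        found[n] = tuple(sorted((g, n // g)))
    return found


# Constructed "public keys": 101*103, 103*107, 109*113, 127*131, 101*109.
# The first, second, third and fifth moduli share primes, the fourth is sound.
SAMPLE_MODULI = [10403, 11021, 12317, 16637, 11009]

if __name__ == "__main__":
    for n, (p, q) in factor_shared(SAMPLE_MODULI).items():
        print(f"{n} = {p} * {q}")
```

The batch step only reports that a modulus shares a factor with the product of all the others; the pairwise fallback is needed when a key is compromised on both sides, and a set that contains an exact duplicate of a modulus, with no other overlap, reveals a reused key but not its factors.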
A data breach at Lockheed Martin recently achieved a rare feat: a May 31st front-page story in the Wall Street Journal. Over the Memorial Day weekend, Lockheed Martin issued a press release reassuring employees and customers that none of its sensitive data had been stolen. What made it newsworthy was that the breach, which appears to be related to the March data breach at EMC/RSA affecting the SecurID tokens used by Lockheed Martin, points to a growing trend: criminal hackers in 2011 are not necessarily in it for the money. Information is valuable for its own sake, because it lets an attacker leverage one big attack to commit another.