Submission + - Second Crypto Bug of the Day: Infineon TPM Chipsets Generate Insecure RSA Keys (bleepingcomputer.com)

An anonymous reader writes: Infineon TPM chipsets that come with many modern-day motherboards generate insecure RSA encryption keys that put devices at risk of attack. TPM stands for Trusted Platform Module, an international standard for secure cryptoprocessors that are used to store critical data such as passwords, certificates, and encryption keys.

According to a security alert issued by Infineon last week and research published today, a vulnerability in the Infineon TPM firmware results in the generation of weak RSA keys. The vulnerability allows for an attack on RSA1024 and RSA2048, and affects chips manufactured as early as 2012. RSA encryption works by encrypting data with a dual private and public key. The attack allows an attacker to determine the private key.

  Infineon issued a firmware update last week and has forwarded the update to motherboard vendors which are now working on integrating the Infineon TPM firmware update into all their products. Known affected vendors include Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba, and other smaller Chromebook vendors. Both Microsoft and Google have issued "workarounds" as part of security updates, but fixing this attack surface will require manually patching the motherboard firmware of all affected vendors.

Submission + - With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com)

szczys writes: As the number and frequency of password breaches rises, users are encouraged to use Two-Factor Authentication as an additional safeguard. This protects from an attacker listening in right now, but in many cases a database breach will negate the protections of two-factor:

To fake an app-based 2FA query, someone has to know your TOTP password. That’s all, and that’s relatively easy. And in the event that the TOTP-key database gets compromised, the bad hackers will know everyone’s TOTP keys. How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle’s flash memory, and the device was shipped with it installed. This was pretty plausibly “something you had” even though it was based on a secret number embedded in silicon. (More like “something you don’t know?”) The app authenticators are doing something very similar, even though it’s all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into “something I know”, at least for me.

In the case of a database breach it may be years before the attack is disclosed to the user. During all of that time, if the TOTP keys were included in the breach it is the complexity of the passwords (and the regular changing of passwords) that will protect against a compromised account. In other words, 2FA is an enhancement to password security, but good password practices are far and away still the most important of security protocols. Despite constant warnings on this topic, there's no reason to believe users will start using and regularly changing strong passwords.

Submission + - WPA2 security flaw puts almost every Wi-Fi device at risk of eavesdropping (zdnet.com) 1

An anonymous reader writes: A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.

The bug, known as "KRACK" for Key Reinstallation Attack, exposes a fundamental flaw in WPA2, a common protocol used in securing most modern wireless networks. Mathy Vanhoef, the computer security academic who found the flaw, said the weakness lies in the protocol's four-way handshake, which securely allows new devices with a pre-shared password to join the network.

That weakness can, at its worst, allow an attacker to decrypt network traffic from a WPA2-enabled device, hijack connections, and inject content into the traffic stream.

In other words: hackers can eavesdrop on your network traffic.

The bug represents a complete breakdown of the WPA2 protocol, for both personal and enterprise devices — putting every supported device at risk.

"If your device supports Wi-Fi, it is most likely affected," said Vanhoef, on his website.

Submission + - WPA2 has been cracked (theverge.com)

An anonymous reader writes: There is a new vulnerability and corresponding attack affecting the well-known WPA2 protocol used for securing network access to wireless networks. The issue affects the protocol itself and is not related to a single product, as described by The Verge:

At about 7AM ET this morning, researchers revealed details of a new exploit called KRACK that takes advantage of vulnerabilities in Wi-Fi security to let attackers eavesdrop on traffic between computers and wireless access points. The exploit, as first reported by Ars Technica, takes advantage of several key management vulnerabilities in the WPA2 security protocol, the popular authentication scheme used to protect personal and enterprise Wi-Fi networks. “If your device supports Wi-Fi, it is most likely affected,” say researchers.

Submission + - WPA2: Broken with KRACK. What now? (alexhudson.com) 1

tallackn writes: On social media right now, strong rumours are spreading that the WPA2 encryption scheme has been broken in a fundamental way. What this means: the security built into WiFi is likely ineffective, and we should not assume it provides any security.

The current name being seen for this is “KRACK”: Key Reinstallation AttaCK. If this is true, it means third parties will be able to eavesdrop on your network traffic: what should be a private conversation could be listened in to.

Submission + - Pentagon Turns to High-Speed Traders to Fortify Markets Against Cyberattack (wsj.com)

Templer421 writes: Dozens of high-speed traders and others from Wall Street are helping the Pentagon study how hackers could unleash chaos in the U.S. financial system.

The Department of Defense’s research arm over the past year and a half has consulted executives at high-frequency trading firms and quantitative hedge funds, and people from exchanges and other financial companies, participants in the discussions said. Officials described the effort as an early-stage pilot project aimed at identifying market vulnerabilities.

The Defense Advanced Research Projects Agency, or Darpa, began the initiative before the revelations of attacks on Equifax Inc. and the Securities and Exchange Commission brought public scrutiny of risks to U.S. market infrastructure.

Submission + - Ask Slashdot: Should I really be concerned about internal browser security?

Shadoefax writes: I use Firefox and have recently turned off automatic updates (don't want Fx v57 — I want all of my old extensions). People have said this is a bad idea because I won't be getting any security updates. I have McAfee antivirus installed and it is supposed to protect me from malicious web content.

My question is this: Is Firefox (or Chrome, Edge, IE, Opera, etc.) any better with security than using McAfee (or Symantec, Kaspersky, Avast!, etc.)? I know that Firefox only updates every six weeks or so, but my McAfee updates much more frequently.

Submission + - SPAM: Airbus Corruption Scandal May Lead Straight to the Top 2

schwit1 writes: Airbus CEO Tom Enders, 58, speaks of a past that Airbus has long sought to deny, years in which the company partly relied on bribes as it rose to become the world's second-largest airplane manufacturer, after Boeing. And Enders speaks of a present in which all of that is beginning to come out — a situation that poses grave dangers to the company he runs.

At issue are potential multibillion-euro fines and multibillion-euro losses. Indeed, the very survival of Airbus, with its 134,000 employees and its annual turnover of 67 billion euros ($78.6 billion), could be at stake. Hence, the message from Enders to all those who haven't yet got the message, to those who think they can just carry on as before, including the bribery: "Leave this company rather than make us take you out of the company. Because we're in a dead serious situation, dear colleagues."


Submission + - US Dept. of Education Makes Ivanka Trump's K-12 CS Agenda a Top Priority

theodp writes: One underappreciated power political leaders within federal agencies have, explains Politico, is federal grant-making, funneling money to organizations that favor a certain policy agenda. On Thursday, Dept. of Education Secretary Betsy DeVos began to wield this power, releasing proposed priorities for competitive grant programs, including Promoting Science, Technology, Engineering, and Math (STEM) Education, With a Particular Focus on Computer Science. The move comes after President Trump issued a presidential memorandum directing the Education Department to invest a minimum of $200 million in grant funding each year to expand STEM and computer science education in schools, part of a $1.3 billion public-private effort that is being spearheaded by Trump's daughter Ivanka, who tech-bankrolled Code.org revealed they have met with "many times" since the election. Interestingly, the just-published Federal Register backgrounder justifies the need for K-12 CS by citing and linking to the same Google-provided factoid ("9 out of 10 parents surveyed by Gallup say they want computer science taught at their child's school") that President Obama used to pitch his ultimately-unfunded $4B K-12 CS for All initiative. Hey, if the Google-Gallup education 'research' ("Among parents, 91% wanted their children to learn CS") is good enough for ACM publication, it's good enough for government work, right?

Submission + - 8.5 Ton Chinese Space Station 'Tiangong 1' Is Going To Crash To Earth (cnbc.com) 1

dryriver writes: China launched a space laboratory named Tiangong 1 into orbit in 2011. The space laboratory was supposed to become a symbol of China's ambitious bid to become a space superpower. After 2 years in space, Tiangong 1 started experiencing technical failures. Last year Chinese officials confirmed that the space laboratory had to be scrapped. The 8.5-ton space laboratory has begun its descent towards Earth and is expected to crash back to Earth within the next few months. Most of the laboratory is expected to burn up in Earth's atmosphere, but experts believe that pieces as heavy as 100 kilograms (220 pounds) may survive re-entry and impact Earth's surface. Nobody will be able to predict with any precision where those chunks of space laboratory will land on Earth until a few hours before re-entry occurs. The chance that anyone would be harmed by Tiangong-1's debris is considered unlikely.
