
Submission + - New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish

msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction.

The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected tomorrow to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version this week as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks.

The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic--from a connection that is kept alive for a long period of time--to recover the session cookie.

Submission + - Snowden's Long Shadow Darkens NSA Reputation

Trailrunner7 writes: The massive data dump by the Shadow Brokers has become a kind of fun house mirror for the security industry. People come at it with all of their suppositions, biases, and baggage, and walk away with a distorted view of what’s actually there and what it means.

There are nearly as many opinions on what the apparent theft and release of a big pile of NSA tools, binaries, and exploits says about the agency and its methods as there are files in the dump itself. Most of them have their merits, and nearly all of them have focused on the NSA’s practice of finding, hoarding, and using vulnerabilities for offensive intelligence gathering purposes. Whether that’s a moral practice can and has been debated ad nauseam in the security community, and not just for the last couple of weeks. For decades.

But that’s the wrong line of thinking, at least in this case. One thing it has illuminated, though, is that perhaps the NSA isn’t as good at keeping its secrets as the agency’s officials would like us to believe. A big part of being an organization that is tasked with keeping secrets is not only being able to defend them, but convincing people–both allies and adversaries–that you can defend them. For decades, most Americans didn’t even know the NSA existed, let alone what it did or how. That changed gradually as journalists put the pieces together, and the agency became known as the repository and defender of the country’s most valuable secrets.

That image was shattered the day that Edward Snowden walked out the door with a still-unknown amount of the NSA’s most closely guarded information on methods and capabilities. Apart from the damage that Snowden’s actions did to ongoing intelligence operations, it also let Americans and, more importantly, the world at large, know that the NSA could be gotten. That’s where the true long-term effects from his decision may be felt, and we’re beginning to see them even now.

Whoever stole the information in the Shadow Brokers cache–be it an insider or an outside attacker–did so with the knowledge that someone had done the same thing before. And now the NSA, once seen as inscrutable and possibly invincible, has gotten got not once, but twice.

Submission + - SPAM: Critical Flaw in GPG, Present since 1998, Fixed

Trailrunner7 writes: Researchers have uncovered a critical vulnerability in GnuPG and Libgcrypt that has been around since 1998 and allows an attacker to predict output from the software’s random number generator under some conditions.

The vulnerability was discovered by a team from Karlsruhe Institute of Technology in Germany, and the people behind the GnuPG Project, who maintain both applications, say that users should install the fixed version of the software as soon as possible. The bug affects every version of both GnuPG and Libgcrypt.

“An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions,” the advisory from the GnuPG Project says.

Submission + - DataSploit, the Social Engineering Automation Framework

Trailrunner7 writes: Social engineering is a broad term applied to an ill-defined list of activities, and many of the techniques that criminals and white hats both use are developed ad hoc. But a new tool called DataSploit aims to pull together many of the reconnaissance activities into one framework that will gather large amounts of data on a target in a single place.

The tool is meant to help researchers and penetration testers gather intelligence on a given person or company, using things such as email addresses, domains, phone numbers, and other identifiers as the starting point. DataSploit automates the process of pulling together this information, which typically is a laborious manual task.

Submission + - Researchers: Strong Connection Between Shadow Brokers Dump and Equation Group

Trailrunner7 writes: The researchers who originally uncovered the Equation Group, a hacking team strongly believed to be tied to the NSA, say that the trove of offensive tools, exploits, and files apparently stolen from that group and dumped online this week has a “strong connection” to the Equation Group’s known toolsets.

Kaspersky’s researchers had a look at the tools dumped by Shadow Brokers, too, and found some very strong evidence that they came from the Equation Group’s arsenal. The Equation Group team uses a specific, unique implementation of the RC5 and RC6 ciphers, which is found in the Shadow Brokers dump.

“Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation,” Kaspersky researchers said.

Submission + - New Wave Of Targeted Attacks Focus On Industrial Organizations

An anonymous reader writes: Kaspersky Lab researchers discovered a new wave of targeted attacks against the industrial and engineering sectors in 30 countries around the world. Dubbed Operation Ghoul, these cybercriminals use spear-phishing emails and malware based on a commercial spyware kit to hunt for valuable business-related data stored in their victims’ networks. Operation Ghoul is only one among several other campaigns that are supposedly controlled by the same group. The group is still active, and in total more than 130 organizations from 30 countries, including Spain, Pakistan, United Arab Emirates, India, Egypt, United Kingdom, Germany, Saudi Arabia and other countries, were successfully attacked by this group.

Submission + - Serious Flaws in iMessage Crypto Allow for Message Decryption

Trailrunner7 writes: New research from a team at Johns Hopkins University shows that there are serious problems with the way Apple implemented encryption on its iMessage system, leaving it open to retrospective decryption attacks that can reveal the contents of all of a victim’s past iMessage texts.

The iMessage system, like much of what Apple does, is opaque and its inner workings have not been made available to outsiders. One of the key things that is known about the system is that messages are encrypted from end to end and Apple has said that it does not have the ability to decrypt users’ messages. The researchers at JHU, led by Matthew Green, a professor of computer science at the school, reverse engineered the iMessage protocol and discovered that Apple made some mistakes in its encryption implementation that could allow an attacker who has access to encrypted messages to decrypt them.

Submission + - Cache Attacks on Android Devices Can Steal Crypto Keys, Virtually Any Data

Trailrunner7 writes: Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor’s TrustZone secure execution environment.

The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.

“Based on our techniques, we demonstrate covert channels that outperform state-of-the-art covert channels on Android by several orders of magnitude. Moreover, we present attacks to monitor tap and swipe events as well as keystrokes, and even derive the lengths of words entered on the touchscreen,” the researchers wrote.

Submission + - Widespread Linux Flaw Allows TCP Session Hijacking, Data Injection

Trailrunner7 writes: The TCP implementation in all Linux systems built since 2012 has a serious flaw that can allow an attacker to terminate or inject data into a session between any two vulnerable machines on the Internet. The bug could also be used to end encrypted connections or downgrade the privacy of connections run through Tor or other anonymity networks.

The vulnerability was introduced in Linux 3.6 and an attacker does not need to be in a man-in-the-middle position in order to exploit it. The researchers at the University of California Riverside who discovered the flaw say that it results from an attacker’s ability to infer the TCP sequence numbers for the packets flowing between two hosts.

Submission + - How InMobi Abused iOS and Android APIs to Track Mobile Users

Trailrunner7 writes: As Apple and Google add better privacy protections to their mobile platforms, advertising firms have had to get more and more creative with how they display ads to users and track them as they move around the physical world as well as the Internet.

One of the companies that has been at the center of this is InMobi, a major mobile ad company, that offers products to clients that allow them to geo-target users and show them targeted ads. The FTC in June reached a settlement with InMobi over the company’s practices, charging that the company tracked consumers, specifically children, without their consent. InMobi said that it obtains consent from users before geotracking them, but the FTC found that wasn’t true, and the commission has now detailed exactly how the tracking worked.

According to the FTC’s investigation, InMobi was able to circumvent privacy protections on both iOS and Android that prevent apps from using APIs to track users without their permission. The company did this by constructing its own geocoded database.

Submission + - Apple Launches iOS Bug Bounty

Trailrunner7 writes: Vulnerabilities in iPhone hardware and software are among the more valuable bugs there are, especially those that give an attacker full access to the device. Apple knows this as well as anyone, and today the company announced that it is starting an invitation-only bug bounty program that will pay up to $200,000 for the most critical iPhone bugs.

The announcement was a long time coming, as many of the larger security, software, and hardware companies have had bounty programs for years. Microsoft, Google, Facebook, and many others have well-established reward programs for researchers, but Apple had been resistant to the idea. On Thursday at the Black Hat conference here, Ivan Krstic, the head of Apple’s security engineering and architecture team, said the program would begin in September and would initially be by invitation only.

Submission + - Researchers Bypass EMV Card Protections

Trailrunner7 writes: Chip-and-pin or EMV cards have been touted as a more secure alternative to traditional cards, but security researchers have found several methods for bypassing the security of these systems by abusing flaws in the point of interaction devices.

Nir Valtman and Patrick Watson demonstrated several techniques for getting around the security on pinpad devices, allowing them to capture the track data, CVV code and other key information needed to use a card number later for fraudulent transactions. By replacing key libraries and files on the pinpad device and using some other techniques to handle the communications protocol the devices use, Valtman and Watson were able to defeat the protection offered by EMV cards.

Valtman and Watson demonstrated several different attack methods during their talk, using both passive and active man-in-the-middle attacks to inject their modified files onto the target pinpad device. The key weakness that allowed them to do this is the lack of authentication to pinpad devices, the small terminals that consumers use to enter PINs during payment transactions. Once their files are on the device, the pair then is able to capture the card track data and eventually the CVV number.

Submission + - Mysterious, ice-buried Cold War military base may be unearthed by climate change

sciencehabit writes: It sounds like something out of a James Bond movie: a secret military operation hidden beneath the Greenland Ice Sheet. But that’s exactly what transpired at Camp Century during the Cold War. In 1959, the U.S. Army Corps of Engineers built the subterranean city under the guise of conducting polar research—and scientists there did drill the first ice core ever used to study climate. But deep inside the frozen tunnels, the corps also explored the feasibility of Project Iceworm, a plan to store and launch hundreds of ballistic missiles from inside the ice.

The military ultimately rejected the project, and the corps abandoned Camp Century in 1967. Engineers anticipated that the ice—already a dozen meters thick—would continue to accumulate in northwestern Greenland, permanently entombing what they left behind. Now, climate change has upended that assumption. New research suggests that as early as 2090, rates of ice loss at the site could exceed gains from new snowfall. And within a century after that, melting could begin to release waste stored at the camp, including sewage, diesel fuel, persistent organic pollutants like PCBs, and radiological waste from the camp’s nuclear generator, which was removed during decommissioning.

Submission + - Kaminsky: We Need an NIH for Cybersecurity

Trailrunner7 writes: The security field needs an NIH-like organization for the deep study of defensive and offensive techniques and technology to help fix the systemic problems facing the industry, a prominent security researcher says.

Dan Kaminsky, a longtime researcher, said the Internet is plagued by a number of serious issues right now, problems that threaten the future of the network. The approaches that the security industry and the technology community as a whole have taken to solving these problems have largely failed, he said. He proposed a new method that involves the establishment of an independent organization that would use scientific methods to study and help solve the big technical and security issues.

“We need something like NIH for cyber and it needs to have good and stable funding,” Kaminsky said in his keynote at the Black Hat conference Wednesday. “I want an organization dedicated to the extended study of our field.”

Submission + - Stealing Money From Venmo Users Over SMS

Trailrunner7 writes: Mobile payments services have become a popular choice for consumers, but security researchers have been finding plenty of vulnerabilities in them, and Venmo is the latest one to take a hit.

A researcher was able to uncover a number of weaknesses in the Venmo mobile payment system recently, some of which enabled him to steal money from users, regardless of whether their devices were locked or open. The vulnerabilities have to do with the way that the system handles SMS notifications, and, combined with Siri commands and other methods, the flaws allow an attacker to force a victim to make a payment through the Venmo app.

Researcher Martin Vigo found that an attacker could steal nearly $3,000 a day through this method, and could even do so remotely by brute forcing the short code that Venmo sends users when a charge notification comes through SMS.
