keys – Page 3 – SSL and internet security news

Another Intel Speculative Execution Vulnerability

June 11, 2020 infossl

exploits, hacking, hardware, intel, keys, Security technology, sidechannelattacks, vulnerabilities

Remember Spectre and Meltdown? Back in early 2018, I wrote: Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse … Read More “Another Intel Speculative Execution Vulnerability” »

Securing Internet Videoconferencing Apps: Zoom and Others

April 30, 2020 infossl

aes, encryption, internetandsociety, keys, nsa, Security technology, securityengineering, videoconferencing

The NSA just published a survey of video conferencing apps. So did Mozilla. Zoom is on the good list, with some caveats. The company has done a lot of work addressing previous security concerns. It still has a bit to go on end-to-end encryption. Matthew Green looked at this. Zoom does offer end-to-end encryption if … Read More “Securing Internet Videoconferencing Apps: Zoom and Others” »

New SHA-1 Attack

January 8, 2020 infossl

academicpapers, certifications, cryptography, encryption, forgery, impersonation, keys, pgp, Security technology, sha1

There’s a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with … Read More “New SHA-1 Attack” »

Mailbox Master Keys

January 6, 2020 infossl

keys, mail, operationalsecurity, Security technology, usps

Here’s a physical-world example of why master keys are a bad idea. It’s a video of two postal thieves using a master key to open apartment building mailboxes. Changing the master key for physical mailboxes is a logistical nightmare, which is why this problem won’t be fixed anytime soon. Powered by WPeMatico

Chrome Extension Stealing Cryptocurrency Keys and Passwords

January 3, 2020 infossl

blockchain, chrome, cryptocurrency, fraud, keys, passwords, Security technology, theft

A malicious Chrome extension surreptitiously steals Ethereum keys and passwords: According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk. Denley says that the extension sends the private keys of all wallets created or managed through its … Read More “Chrome Extension Stealing Cryptocurrency Keys and Passwords” »

TPM-Fail Attacks Against Cryptographic Coprocessors

November 15, 2019 infossl

academicpapers, cryptography, hardware, keys, Security technology, tpm

Really interesting research: TPM-FAIL: TPM meets Timing and Lattice Attacks, by Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. Abstract: Trusted Platform Module (TPM) serves as a hardware-based root of trust that protects cryptographic keys from privileged system and physical adversaries. In this work, we per-form a black-box timing analysis of TPM 2.0 devices … Read More “TPM-Fail Attacks Against Cryptographic Coprocessors” »

NordVPN Breached

October 23, 2019 infossl

breaches, certificates, cryptography, disclosure, encryption, keys, Security technology, vpn

There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN’s network or for a variety of other sensitive purposes. The name of the … Read More “NordVPN Breached” »

Yubico Security Keys with a Crypto Flaw

July 1, 2019 infossl

cryptography, encryption, firmware, keys, randomnumbers, Security technology, securityengineering, securitytokens

Wow, is this an embarrassing bug: Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today that warned of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduced the randomness of the cryptographic keys … Read More “Yubico Security Keys with a Crypto Flaw” »

MongoDB Offers Field Level Encryption

June 26, 2019 infossl

authentication, cryptography, encryption, hacking, keys, Security technology

MongoDB now has the ability to encrypt data by field: MongoDB calls the new feature Field Level Encryption. It works kind of like end-to-end encrypted messaging, which scrambles data as it moves across the internet, revealing it only to the sender and the recipient. In such a “client-side” encryption scheme, databases utilizing Field Level Encryption … Read More “MongoDB Offers Field Level Encryption” »

On Security Tokens

May 1, 2019 infossl

backups, keys, Security technology, securitytokens, twofactorauthentication

Mark Risher of Google extols the virtues of security keys: I’ll say it again for the people in the back: with Security Keys, instead of the *user* needing to verify the site, the *site* has to prove itself to the key. Good security these days is about human factors; we have to take the onus … Read More “On Security Tokens” »