Collaborate Disseminate
There’s a new, practical, collision attack against SHA-1: In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 261.2rather than264.7,… Continue reading New SHA-1 Attack
Here’s a physical-world example of why master keys are a bad idea. It’s a video of two postal thieves using a master key to open apartment building mailboxes. Changing the master key for physical mailboxes is a logistical nightmare, which is why this problem won’t be fixed anytime soon…. Continue reading Mailbox Master Keys
A malicious Chrome extension surreptitiously steals Ethereum keys and passwords: According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk. Denley says that the extension sends the private keys of all wallets created or managed through its interface to a third-party website… Continue reading Chrome Extension Stealing Cryptocurrency Keys and Passwords
IoT devices are using weak digital certificates that could expose them to attack, according to a study released over the weekend. Continue reading Researchers discover weakness in IoT digital certificates
A keen-eyed commenter pointed us to a homemade bottle organ that plays like a piano. The complexity gets turned up with foot-powered bellows and custom keys, but the magic of [Mike] and [Simon Haisell]’s garage-built instrument is not lost in the slightest. We also have the video below the break …read more
Really interesting research: TPM-FAIL: TPM meets Timing and Lattice Attacks, by Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger. Abstract: Trusted Platform Module (TPM) serves as a hardware-based root of trust that protects cryptographic keys from privileged system and physical adversaries. In this work, we per-form a black-box timing analysis of TPM 2.0 devices deployed on commodity computers. Our… Continue reading TPM-Fail Attacks Against Cryptographic Coprocessors
There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN’s network or for a variety of other sensitive purposes. The name of the third certificate suggested it could… Continue reading NordVPN Breached
There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other … Continue reading NordVPN Breached
Earlier this month, I made fun of a company called Crown Sterling, for…for…for being a company that deserves being made fun of. This morning, the company announced that they "decrypted two 256-bit asymmetric public keys in approximately 50 seconds from a standard laptop computer." Really. They did. This keylength is so small it has never been considered secure. It was… Continue reading Crown Sterling Claims to Factor RSA Keylengths First Factored Twenty Years Ago
Wow, is this an embarrassing bug: Yubico is recalling a line of security keys used by the U.S. government due to a firmware flaw. The company issued a security advisory today that warned of an issue in YubiKey FIPS Series devices with firmware versions 4.4.2 and 4.4.4 that reduced the randomness of the cryptographic keys it generates. The security keys… Continue reading Yubico Security Keys with a Crypto Flaw