cryptography | Breaking Cybersecurity News | The Hacker News

Google has revealed that its AI-powered fuzzing tool, OSS-Fuzz, has been used to help identify 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library. "These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets," Google's open-source security team said in a blog post shared with The Hacker News. The OpenSSL vulnerability in question is CVE-2024-9143 (CVSS score: 4.3), an out-of-bounds memory write bug that can result in an application crash or remote code execution. The issue has been addressed in OpenSSL versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl. Google, which added the ability to leverage large language models (LLMs) to improve fuzzing coverage in OSS-Fuzz in August 2023, said the vulnerability has likely been present in the codebase for two decades and that it "wo...

In the fast-paced digital world, trust is everything—but what happens when that trust is disrupted? Certificate revocations, though rare, can send shockwaves through your operations, impacting security, customer confidence, and business continuity. Are you prepared to act swiftly when the unexpected happens? Join DigiCert's exclusive webinar, " When Shift Happens: Are You Ready for Rapid Certificate Replacement? " , and discover how automation, crypto agility, and best practices can transform revocation challenges into opportunities for growth and resilience. Here's what you'll uncover: Revocations Uncovered: Understand why they happen, their ripple effects, and the role of post-quantum cryptography in mitigating risks. Automation to the Rescue: Learn how to minimize downtime and streamline certificate replacements with cutting-edge tools. Crypto Agility in Action: Stay ahead of evolving cryptographic standards with strategies that keep your organization secure and ...

Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...

Cybersecurity researchers have discovered a number of suspicious packages published to the npm registry that are designed to harvest Ethereum private keys and gain remote access to the machine via the secure shell (SSH) protocol. The packages attempt to "gain SSH access to the victim's machine by writing the attacker's SSH public key in the root user's authorized_keys file," software supply chain security company Phylum said in an analysis published last week. The list of packages identified as part of the campaign, which aim to impersonate the legitimate ethers package , are as follows - ethers-mew (62 downloads) ethers-web3 (110 downloads) ethers-6 (56 downloads) ethers-eth (58 downloads) ethers-aaa (781 downloads) ethers-audit (69 downloads) ethers-test (336 downloads) Some of these packages, most of which have been published by accounts named "crstianokavic" and "timyorks," are believed to have been released for testing purpose...

Cybersecurity researchers have discovered severe cryptographic issues in various end-to-end encrypted (E2EE) cloud storage platforms that could be exploited to leak sensitive data. "The vulnerabilities range in severity: in many cases a malicious server can inject files, tamper with file data, and even gain direct access to plaintext," ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong said . "Remarkably, many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs." The identified weaknesses are the result of an analysis of five major providers such as Sync, pCloud, Icedrive, Seafile, and Tresorit. The devised attack techniques hinge on a malicious server that's under an adversary's control, which could then be used to target the service providers' users. A brief description of the flaws uncovered in the cloud storage systems is as follows - Sync, in which a maliciou...

Google has announced that it will be switching from KYBER to ML-KEM in its Chrome web browser as part of its ongoing efforts to defend against the risk posed by cryptographically relevant quantum computers ( CRQCs ). "Chrome will offer a key share prediction for hybrid ML-KEM (codepoint 0x11EC)," David Adrian, David Benjamin, Bob Beck, and Devon O'Brien of the Chrome Team said . "The PostQuantumKeyAgreementEnabled flag and enterprise policy will apply to both Kyber and ML-KEM." The changes are expected to take effect in Chrome version 131, which is on track for release in early November 2024. Google noted that the two hybrid post-quantum key exchange approaches are essentially incompatible with each other, prompting it to abandon KYBER. "The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber," the company said. "As a result, the codepoint in TLS for hybrid post-quantum key exchange is ch...

Even as cyber threats become increasingly sophisticated, the number one attack vector for unauthorized access remains phished credentials ( Verizon DBIR, 2024 ). Solving this problem resolves over 80% of your corporate risk, and a solution is possible.  However, most tools available on the market today cannot offer a complete defense against this attack vector because they were architected to deliver probabilistic defenses. Learn more about the characteristics of Beyond Identity that allow us to deliver deterministic defenses.  The Challenge: Phishing and Credential Theft Phishing attacks trick users into revealing their credentials via deceptive sites or messages sent via SMS, email, and/or voice calls. Traditional defenses, such as end-user training or basic multi-factor authentication (MFA), lower the risk at best but cannot eliminate it. Users may still fall prey to scams, and stolen credentials can be exploited. Legacy MFA is a particularly urgent problem, given that ...

Popular enterprise services provider Zoom has announced the rollout of post-quantum end-to-end encryption (E2EE) for Zoom Meetings, with support for Zoom Phone and Zoom Rooms coming in the future. "As adversarial threats become more sophisticated, so does the need to safeguard user data," the company  said  in a statement. "With the launch of post-quantum E2EE, we are doubling down on security and providing leading-edge features for users to help protect their data." Zoom's post-quantum E2EE uses  Kyber-768 , which aims at security roughly equivalent to AES-192. Kyber was  chosen  by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) in July 2022 as the quantum-resistant cryptographic algorithm for general encryption. However, for post-quantum E2EE to be enabled by default, it  requires  all meeting participants to be on Zoom desktop or mobile app version 6.0.10 or higher. In the e...

Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm. The techniques have been collectively dubbed  Pathfinder  by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google. "Pathfinder allows attackers to read and manipulate key components of the branch predictor, enabling two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks," Hosein Yavarzadeh, the lead author of the  paper , said in a statement shared with The Hacker News. "This includes extracting secret images from libraries like libjpeg and recovering encryption keys from AES through intermediate value extraction." Spectre is the name given to a  class of side-channel attacks ...

The maintainers of the  PuTTY Secure Shell (SSH) and Telnet client  are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. The flaw has been assigned the CVE identifier  CVE-2024-31497 , with the discovery credited to researchers Fabian Bäumer and Marcus Brinkmann from the Ruhr University Bochum. "The effect of the vulnerability is to compromise the private key," the PuTTY project  said  in an advisory. "An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key, and then forge signatures as if they were from you, allowing them to (for instance) log in to any servers you use that key for." However, in order to obtain the signatures, an attacker will have to compromise the server for which the key is used to authenticate to. In a message posted on the Open Sou...

A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations. Dubbed  GoFetch , the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Apple was made aware of the findings in December 2023. Prefetchers are a hardware optimization technique that predicts what memory addresses a currently running program will access in the near future and retrieve the data into the cache accordingly from the main memory. The goal of this approach is to reduce the program's memory access latency. DMP is a type of prefetcher that takes into account the contents of memory based on previously observed access patterns when determining what to prefetch. This behavior makes it ripe for cache-based attacks that trick the prefetche...

Apple has announced a new post-quantum cryptographic protocol called  PQ3  that it said will be integrated into iMessage to secure the messaging platform against future attacks arising from the threat of a practical quantum computer. "With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps," Apple  said . The iPhone maker described the protocol as "groundbreaking," "state-of-the-art," and as having the "strongest security properties" of any cryptographic convention deployed at scale. PQ3 is the latest security guardrail erected by Apple in iMessage after it switched from  RSA  to Elliptic Curve cryptography ( ECC ), and by protecting encryption keys on devices with the Secure Enclave in 2019. While the current algorith...

The stealer malware known as  LummaC2  (aka Lumma Stealer) now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts. The method is designed to "delay detonation of the sample until human mouse activity is detected," Outpost24 security researcher Alberto Marín  said  in a technical report shared with The Hacker News. Written in the C programming language, LummaC2 has been sold in underground forums since December 2022. The malware has since  received   iterative updates  that make it harder to analyze via control flow flattening and even allow it to deliver additional payloads. The current version of LummaC2 (v4.0) also requires its customers to use a  crypter  as an added concealing mechanism, not to mention prevent it from being leaked in its raw form. Another noteworthy update is the reliance on trigonometry to detect ...

Most people are barely thinking about basic cybersecurity, let alone post-quantum cryptography. But the impact of a post-quantum world is coming for them regardless of whether or not it's keeping them up tonight.  Today, many rely on encryption in their daily lives to protect their fundamental digital privacy and security, whether for messaging friends and family, storing files and photos, or simply browsing the web. The question experts have been asking for a long time, with their eye on the advances in quantum computing, is, "How long before these defenses fail?"  The ticking clock of quantum computing One set of researchers is already sounding the alarms,  claiming  that they've found a way to break 2048-bit RSA encryption with a quantum computer. While the claims may be premature, they hint toward a scary future that is perhaps closer than we once thought. Breaking RSA encryption would represent a massive privacy and security vulnerability for virtually every...

Google has announced the general availability of client-side encryption (CSE) for Gmail and Calendar, months after  piloting the feature  in late 2022. The data privacy controls enable "even more organizations to become arbiters of their own data and the sole party deciding who has access to it," Google's Ganesh Chilakapati and Andy Wen  said . To that end, users can send and receive emails or create meeting events within their organizations or to other external parties in a manner that's encrypted "before it reaches Google servers." The company is also making available a decrypter utility in beta for Windows to decrypt client-side encrypted files and emails exported via its Data Export tool or Google Vault. macOS and Linux versions of the decrypter are expected to be released in the future. The development follows the  rollout of CSE  to other products such as Google Drive, Docs, Slides, Sheets, and Meet. The solution, the tech behemoth said, is ai...

The U.S. National Institute of Standards and Technology (NIST) has announced that a family of authenticated encryption and hashing algorithms known as Ascon will be standardized for  lightweight cryptography  applications. "The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators," NIST  said . "They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles." Put differently, the idea is to adopt security protections via lightweight cryptography in devices that have a "limited amount of electronic resources." That said, NIST still recommends the Advanced Encryption Standard ( AES ) and SHA-256 for general use. Ascon is  credited  to a team of cryptographers from the Graz University of Technology, Infineon Technologies, Lamarr Security Researc...

The U.S. National Institute of Standards and Technology (NIST), an agency within the Department of Commerce,  announced  Thursday that it's formally retiring the SHA-1 cryptographic algorithm. SHA-1 , short for Secure Hash Algorithm 1, is a 27-year-old  hash function  used in cryptography and has since been  deemed   broken  owing to the risk of  collision attacks . While hashes are designed to be irreversible – meaning it should be impossible to reconstruct the original message from the fixed-length enciphered text – the lack of collision resistance in SHA-1 made it possible to generate the same hash value for two different inputs. In February 2017, a group of researchers from CWI Amsterdam and Google  disclosed  the first practical technique for producing collisions on SHA-1, effectively undermining the security of the algorithm. "For example, by crafting the two colliding PDF files as two rental agreements with different rent, i...

The U.S. Department of Health and Human Services (HHS) has cautioned of ongoing Royal ransomware attacks targeting healthcare entities in the country. "While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal," the agency's Health Sector Cybersecurity Coordination Center (HC3)  said  [PDF]. "The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data." Royal ransomware, per  Fortinet FortiGuard Labs , is said to be active since at least the start of 2022. The malware is a 64-bit Windows executable written in C++ and is launched via the command line, indicating that it involves a human operator to trigger the infection after obtaining access to a targeted environment. Besides deleting volume shadow copies on the system, Royal utilizes the OpenSSL cryptographic library ...