The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: cryptography

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
July 06, 2022Ravie Lakshmanan
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has  chosen  the first set of quantum-resistant encryption algorithms that are designed to "withstand the assault of a future quantum computer." The post-quantum cryptography ( PQC ) technologies include the  CRYSTALS-Kyber  algorithm for general encryption, and  CRYSTALS-Dilithium ,  FALCON , and  SPHINCS+  for digital signatures. "Three of the selected algorithms are based on a family of math problems called structured lattices, while SPHINCS+ uses hash functions," NIST, which kicked off the standardization process in January 2017,  said  in a statement. Cryptography, which underpins the security of information in modern computer networks, derives its strength from the difficulty of solving mathematical problems — e.g., factoring large composite integers — using traditional computers. Quantum computers, should they mature enough, pose a  huge impact  on the current pu

Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service

Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service
June 22, 2022Ravie Lakshmanan
A new piece of research from academics at ETH Zurich has identified a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data. In a paper titled " MEGA: Malleable Encryption Goes Awry ," the researchers point out how MEGA's system does not protect its users against a malicious server, thereby enabling a rogue actor to fully compromise the privacy of the uploaded files. "Additionally, the integrity of user data is damaged to the extent that an attacker can insert malicious files of their choice which pass all authenticity checks of the client," ETH Zurich's Matilda Backendal, Miro Haller, and Kenneth G. Paterson said in an analysis of the service's cryptographic architecture. MEGA, which  advertises  itself as the "privacy company" and claims to provide user-controlled end-to-end encrypted cloud storage, has more than 10 million daily active users, w

Microsoft Warns of "Cryware" Info-Stealing Malware Targeting Crypto Wallets

Microsoft Warns of "Cryware" Info-Stealing Malware Targeting Crypto Wallets
May 18, 2022Ravie Lakshmanan
Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks. The tech giant dubbed the new threat "cryware," with the attacks resulting in the irreversible theft of virtual currencies by means of fraudulent transfers to an adversary-controlled wallet. "Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as  hot wallets ," Berman Enconado and Laurie Kirk of the Microsoft 365 Defender Research Team  said  in a new report.  "Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them." Attacks of this kind are not theoretical. Earlier this year, Kaspersky  disclosed  a financially-motivated campaign staged by the North Korea-based Lazarus Gr

QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices
March 31, 2022Ravie Lakshmanan
Taiwanese company QNAP this week revealed that a selected number of its network-attached storage (NAS) appliances are affected by a recently-disclosed bug in the open-source OpenSSL cryptographic library. "An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS," the company  said  in an advisory published on March 29, 2022. "If exploited, the vulnerability allows attackers to conduct denial-of-service attacks." Tracked as  CVE-2022-0778  (CVSS score: 7.5), the issue relates to a bug that arises when parsing security certificates to trigger a denial-of-service condition and remotely crash unpatched devices. QNAP, which is currently investigating its line-up, said it affects the following operating system versions – QTS 5.0.x and later QTS 4.5.4 and later QTS 4.3.6 and later QTS 4.3.4 and later QTS 4.3.3 and later QTS 4.2.6 and later QuTS hero h5.0.x and later QuTS hero h4.5.4 and later, and QuTScloud c5.0.x To date, t

Researchers Demonstrate New Side-Channel Attack on Homomorphic Encryption

Researchers Demonstrate New Side-Channel Attack on Homomorphic Encryption
March 03, 2022Ravie Lakshmanan
A group of academics from the North Carolina State University and Dokuz Eylul University have demonstrated what they say is the "first side-channel attack" on homomorphic encryption that could be exploited to leak data as the encryption process is underway. "Basically, by monitoring power consumption in a device that is encoding data for homomorphic encryption, we are able to read the data as it is being encrypted," Aydin Aysu, one of the authors of the study,  said . "This demonstrates that even next generation encryption technologies need protection against side-channel attacks." Homomorphic Encryption is a  form of encryption  that allows certain types of computation to be performed directly on encrypted data without having to decrypt it in the first place. It's also meant to be privacy-preserving in that it allows sharing of sensitive data with other third-party services, such as data analytics firms, for further processing while the underlyin

100 Million Samsung Galaxy Phones Affected with Flawed Hardware Encryption Feature

100 Million Samsung Galaxy Phones Affected with Flawed Hardware Encryption Feature
February 28, 2022Ravie Lakshmanan
A group of academics from Tel Aviv University have disclosed details of now-patched "severe" design flaws affecting about 100 million Android-based Samsung smartphones that could have resulted in the extraction of secret cryptographic keys. The shortcomings are the result of an analysis of the cryptographic design and implementation of Android's hardware-backed Keystore in Samsung's Galaxy S8, S9, S10, S20, and S21 flagship devices, researchers Alon Shakevsky, Eyal Ronen, and Avishai Wool  said . Trusted Execution Environments ( TEEs ) are a secure zone that provide an isolated environment for the execution of Trusted Applications (TAs) to carry out security critical tasks to ensure confidentiality and integrity. On Android, the hardware-backed  Keystore  is a system that facilitates the creation and storage of cryptographic keys within the TEE, making them more difficult to be extracted from the device in a manner that prevents the underlying operating system fr

Critical Bug in Mozilla's NSS Crypto Library Potentially Affects Several Other Software

Critical Bug in Mozilla’s NSS Crypto Library Potentially Affects Several Other Software
December 02, 2021Ravie Lakshmanan
Mozilla has rolled out fixes to address a critical security weakness in its cross-platform Network Security Services ( NSS ) cryptographic library that could be potentially exploited by an adversary to crash a vulnerable application and even execute arbitrary code. Tracked as CVE-2021-43527, the flaw affects NSS versions prior to 3.73 or 3.68.1 ESR, and concerns a  heap overflow  vulnerability when verifying digital signatures such as  DSA  and  RSA-PSS  algorithms that are encoded using the  DER  binary format. Credited with reporting the issue is Tavis Ormandy of Google Project Zero, who codenamed it " BigSig ." "NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures," Mozilla  said  in an advisory published Wednesday. "Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted." NSS is a

Google Discloses Severe Bug in Libgcrypt Encryption Library—Impacting Many Projects

Google Discloses Severe Bug in Libgcrypt Encryption Library—Impacting Many Projects
February 01, 2021Ravie Lakshmanan
A "severe" vulnerability in GNU Privacy Guard (GnuPG)'s Libgcrypt encryption software could have allowed an attacker to write arbitrary data to the target machine, potentially leading to remote code execution. The flaw, which affects version 1.9.0 of libgcrypt, was discovered on January 28 by Tavis Ormandy of Project Zero, a security research unit within Google dedicated to finding zero-day bugs in hardware and software systems. No other versions of Libgcrypt are affected by the vulnerability. "There is a  heap buffer overflow  in libgcrypt due to an incorrect assumption in the block buffer management code," Ormandy  said . "Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs." GnuPG addressed the weakness almost immediately within a day after disclosure, while urging users to  stop using  the vulnerable version. The latest version can be dow

Researchers Discover TPM-Fail Vulnerabilities Affecting Billions of Devices

Researchers Discover TPM-Fail Vulnerabilities Affecting Billions of Devices
November 13, 2019Mohit Kumar
A team of cybersecurity researchers today disclosed details of two new potentially serious CPU vulnerabilities that could allow attackers to retrieve cryptographic keys protected inside TPM chips manufactured by STMicroelectronics or firmware-based Intel TPMs. Trusted Platform Module (TPM) is a specialized hardware or firmware-based security solution that has been designed to store and protect sensitive information from attackers even when your operating system gets compromised. TMP technology is being used widely by billion of desktops, laptops, servers, smartphones, and even by Internet-of-Things (IoT) devices to protect encryption keys, passwords, and digital certificates. Collectively dubbed as TPM-Fail , both newly found vulnerabilities, as listed below, leverage a timing-based side-channel attack to recover cryptographic keys that are otherwise supposed to remain safely inside the chips. CVE-2019-11090 : Intel fTPM vulnerabilities CVE-2019-16863 : STMicroelectronics

IEEE P1735 Encryption Is Broken—Flaws Allow Intellectual Property Theft

IEEE P1735 Encryption Is Broken—Flaws Allow Intellectual Property Theft
November 07, 2017Mohit Kumar
Researchers have uncovered several major weaknesses in the implementation of the Institute of Electrical and Electronics Engineers (IEEE) P1735 cryptography standard that can be exploited to unlock, modify or steal encrypted system-on-chip blueprints. The IEEE P1735 scheme was designed to encrypt electronic-design intellectual property (IP) in the hardware and software so that chip designers can protect their IPs from hackers and other prying eyes. Majority of mobile and embedded devices include a System-on-Chip (SoC), a single integrated circuit that can consist of multiple IPs—a collection of reusable design specifications—like a radio-frequency receiver, an analogue-to-digital converter, a digital signal processing unit, a graphics processing unit, a cryptographic engine, from different vendors. Therefore, these licensed IPs are quite valuable to their vendors, so to protect them from being reverse engineered after being sold, the IEEE developed the P1735 standard to encryp

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices
October 17, 2017Swati Khandelwal
If you think KRACK attack for WiFi is the worst vulnerability of this year, then hold on… ...we have got another one for you which is even worse. Microsoft, Google, Lenovo, HP and Fujitsu are warning their customers of a potentially serious vulnerability in widely used RSA cryptographic library produced by German semiconductor manufacturer Infineon Technologies. It's noteworthy that this crypto-related vulnerability (CVE-2017-15361) doesn't affect elliptic-curve cryptography and the encryption standard itself, rather it resides in the implementation of RSA key pair generation by Infineon's Trusted Platform Module (TPM). Infineon's Trusted Platform Module (TPM) is a widely-used, dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and is used for secured crypto processes. This 5-year-old algorithmic vulnerability was discovered by security researchers at Masaryk University in the Czech Republic, who have relea

Researchers Crack 1024-bit RSA Encryption in GnuPG Crypto Library

Researchers Crack 1024-bit RSA Encryption in GnuPG Crypto Library
July 04, 2017Mohit Kumar
Security boffins have discovered a critical vulnerability in a GnuPG cryptographic library that allowed the researchers to completely break RSA-1024 and successfully extract the secret RSA key to decrypt data. Gnu Privacy Guard (GnuPG or GPG) is popular open source encryption software used by many operating systems from Linux and FreeBSD to Windows and macOS X. It's the same software used by the former NSA contractor and whistleblower Edward Snowden to keep his communication secure from law enforcement. The vulnerability, labeled CVE-2017-7526 , resides in the Libgcrypt cryptographic library used by GnuPG, which is prone to local FLUSH+RELOAD side-channel attack. A team of researchers — from Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide — found that the "left-to-right sliding window" method used by the libgcrypt library for carrying out the mathematics o

Tim Berners-Lee, Inventor of the Web, Wins $1 Million Turing Award 2016

Tim Berners-Lee, Inventor of the Web, Wins $1 Million Turing Award 2016
April 05, 2017Swati Khandelwal
Sir Tim Berners-Lee — the inventor of the World Wide Web — has won this year's A.M. Turing Award, which is frequently described as the "Nobel Prize of Computing," by the Association for Computing Machinery (ACM). Turing Award is named after Alan Mathison Turing , the British mathematician and computer scientist who was a key contributor to the Allied cryptanalysis of German Enigma cipher and German "Tunny" encoding machine in World War II. The ACM announced the 2016 Turing Award on Tuesday, which also includes the top prize of $1 Million that has been awarded to Sir Berners-Lee, who is long known for inventing World Wide Web, which becomes a way for scientists to share information on the Internet. "I'm humbled to receive the namesake award of a computing pioneer who showed that what a programmer could do with a computer is limited only by the programmer themselves," Sir Berners-Lee said on receiving the award.  "It's an hon

NIST Calls Development of Quantum-Proof Encryption Algorithms

NIST Calls Development of Quantum-Proof Encryption Algorithms
December 22, 2016Mohit Kumar
Quantum Computers – Boon or Bane? Quantum computers can perform operations much more quickly and efficiently even with the use of less energy than conventional computers, but that's bad news for encryption — a process which scrambles data according to a massively complex mathematical code. In theory, quantum computers can break almost all the existing encryption algorithms used on the Internet today due to their immense computing power. Quantum computers are not just in theories; they're becoming a reality. With countries like China that holds the top two position in the world's most powerful supercomputers (Sunway TaihuLight and Tianhe-2), followed by the United States' Titan, the day is not far when Quantum computers will work on an industrial scale. Although it's hard to move quantum computing to an industrial scale, it has become a matter of concern for the United States' National Institute of Standards and Technology (NIST) over the fact that

Crack for Charity — GCHQ launches 'Puzzle Book' Challenge for Cryptographers

Crack for Charity — GCHQ launches 'Puzzle Book' Challenge for Cryptographers
October 15, 2016Mohit Kumar
The UK's Signals Intelligence and Cyber Security agency GCHQ has launched its first ever puzzle book, challenging researchers and cryptographers to crack codes for charity. Dubbed " The GCHQ Puzzle Book ," the book features more than 140 pages of codes, puzzles, and challenges created by expert code breakers at the British intelligence agency. Ranging from easy to complex, the GCHQ challenges include ciphers and tests of numeracy and literacy, substitution codes, along with picture and music challenges. Writing in the GCHQ Puzzle Book's introduction, here's what GCHQ Director, Robert Hannigan says: "For nearly one hundred years, the men and women of GCHQ, both civilian and military, have been solving problems. They have done so in pursuit of our mission to keep the United Kingdom safe. GCHQ has a proud history of valuing and supporting individuals who think differently; without them, we would be of little value to the country. Not all are geniuses

Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections

Researchers Demonstrated How NSA Broke Trillions of Encrypted Connections
October 12, 2016Swati Khandelwal
In the year 2014, we came to know about the NSA's ability to break Trillions of encrypted connections by exploiting common implementations of the Diffie-Hellman key exchange algorithm – thanks to classified documents leaked by ex-NSA employee Edward Snowden. At that time, computer scientists and senior cryptographers had presented the most plausible theory: Only a few prime numbers were commonly used by 92 percent of the top 1 Million Alexa HTTPS domains that might have fit well within the NSA's $11 Billion-per-year budget dedicated to "groundbreaking cryptanalytic capabilities." And now, researchers from University of Pennsylvania, INRIA, CNRS and Université de Lorraine have practically proved how the NSA broke the most widespread encryption used on the Internet. Diffie-Hellman key exchange (DHE) algorithm is a standard means of exchanging cryptographic keys over untrusted channels, which allows protocols such as HTTPS, SSH, VPN, SMTPS and IPsec to negotia

Oops! Microsoft Accidentally Leaks Backdoor Keys to Bypass UEFI Secure Boot

Oops! Microsoft Accidentally Leaks Backdoor Keys to Bypass UEFI Secure Boot
August 10, 2016Swati Khandelwal
It's True  —  There is no such backdoor that only its creator can access. Microsoft has accidentally leaked the Secret keys that allow hackers to unlock devices protected by UEFI ( Unified Extensible Firmware Interface ) Secure Boot feature. What's even worse? It will be impossible for Microsoft to undo its leak. Secure Boot is a security feature that protects your device from certain types of malware, such as a rootkit, which can hijack your system bootloader, as well as, Secure Boot restricts you from running any non-Microsoft operating system on your device. In other words, when Secure Boot is enabled, you will only be able to boot Microsoft approved ( cryptographically signature checking ) operating systems. However, the Golden Keys disclosed by two security researchers, using alias MY123 and Slipstream , can be used to install non-Windows operating systems, say GNU/Linux or Android, on the devices protected by Secure Boot. Moreover, according to the blog pos

How to Crack Android Full Disk Encryption on Qualcomm Devices

How to Crack Android Full Disk Encryption on Qualcomm Devices
July 01, 2016Mohit Kumar
The heated battle between Apple and the FBI provoked a lot of talk about Encryption – the technology that has been used to keep all your bits and bytes as safe as possible. We can not say a lot about Apple's users, but Android users are at severe risk when it comes to encryption of their personal and sensitive data. Android's full-disk encryption can be cracked much more easily than expected with brute force attack and some patience, affecting potentially hundreds of millions of mobile devices. And the worst part: There may not be a full fix available for current Android handsets in the market. Google started implementing Full Disk Encryption on Android by default with Android 5.0 Lollipop. Full disk encryption (FDE) can prevent both hackers and even powerful law enforcement agencies from gaining unauthorized access to device's data. Android's disk encryption, in short, is the process of encoding all user's data on an Android device before ever wri

How to Steal Secret Encryption Keys from Android and iOS SmartPhones

How to Steal Secret Encryption Keys from Android and iOS SmartPhones
March 04, 2016Mohit Kumar
Unlike desktops, your mobile devices carry all sorts of information from your personal emails to your sensitive financial details. And due to this, the hackers have shifted their interest to the mobile platform. Every week new exploits are discovered for iOS and Android platform, most of the times separately, but the recently discovered exploit targets both Android as well as iOS devices. A team of security researchers from Tel Aviv University , Technion and The University of Adelaide has devised an attack to steal cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other highly sensitive services from Android and iOS devices. The team is the same group of researchers who had experimented a number of different hacks to extract data from computers. Last month, the team demonstrated how to steal sensitive data from a target air-gapped computer located in another room. Past years, the team also demonstrated how to extract secret decryption key
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.