#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

cryptography | Breaking Cybersecurity News | The Hacker News

Category — cryptography
How to Crack RC4 Encryption in WPA-TKIP and TLS

How to Crack RC4 Encryption in WPA-TKIP and TLS

Jul 17, 2015
Security researchers have developed a more practical and feasible attack technique against the RC4 cryptographic algorithm that is still widely used to encrypt communications on the Internet. Despite being very old, RC4 (Rivest Cipher 4) is still the most widely used cryptographic cipher implemented in many popular protocols, including: SSL (Secure Socket Layer) TLS (Transport Layer Security) WEP (Wired Equivalent Privacy) WPA (Wi-Fi Protected Access) Microsoft's RDP (Remote Desktop Protocol) BitTorrent and many more However, weaknesses in the algorithm have been found over the years, indicating that the RC4 needs to be wiped from the Internet. But, yet about 50% of all TLS traffic is currently protected using the RC4 encryption algorithm. Now, the situation got even worse, when two Belgian security researchers demonstrated a more practical attack against RC4, allowing an attacker to subsequently expose encrypted information in a much shorter amount of time t...
This Unbreakable Encryption Could Save the Internet

This Unbreakable Encryption Could Save the Internet

Jun 26, 2015
The Awareness to encrypt your private data, chat conversations as well as communication is booming like never before that soon the world will mark some day as the International Encryption Day . This may or may not be possible in future, but Toshiba is all set to create a next level of encryption technology that the firm claims is absolutely unbreakable and " completely secure from tapping ". The best way to ensure the complete security of the communication is to make use of a one-time key to decode encrypted data. However, the problem remains to transfer this key from one place to another safely when even mail carriers may be spying on you. Uncrackable Encryption Technology: The Quantum Cryptography System To get rid of this issue, Toshiba is creating a 'foolproof' Q uantum Cryptography System that uses photons sent over a custom-made fiber optic cable that is not connected to the Internet. Thus, anyone trying to intercept the user's d...
Cyber Story Time: The Boy Who Cried "Secure!"

Cyber Story Time: The Boy Who Cried "Secure!"

Nov 21, 2024Threat Detection / Pentesting
As a relatively new security category, many security operators and executives I've met have asked us "What are these Automated Security Validation (ASV) tools?" We've covered that pretty extensively in the past, so today, instead of covering the " What is ASV?" I wanted to address the " Why ASV?" question. In this article, we'll cover some common use cases and misconceptions of how people misuse and misunderstand ASV tools daily (because that's a lot more fun). To kick things off, there's no place to start like the beginning. Automated security validation tools are designed to provide continuous, real-time assessment of an organization's cybersecurity defenses. These tools are continuous and use exploitation to validate defenses like EDR, NDR, and WAFs. They're more in-depth than vulnerability scanners because they use tactics and techniques that you'll see in manual penetration tests. Vulnerability scanners won't relay hashes or combine vulnerabilities to further attacks, whic
Microsoft: All Windows versions Vulnerable to FREAK Vulnerability

Microsoft: All Windows versions Vulnerable to FREAK Vulnerability

Mar 06, 2015
Recently discovered FREAK  vulnerability that apparently went undetected for more than a decade is reportedly affecting all supported versions of Microsoft Windows, making the flaw more creepy than what we thought. FREAK vulnerability is a disastrous SSL/TLS flaw disclosed Monday that allows an attacker to force SSL clients, including OpenSSL, to downgrade to weaken ciphers that can be easily broken and then supposedly conduct Man-in-the-Middle attacks on encrypted HTTPS-protected traffic passing between vulnerable end-users and Millions of websites. Read our previous post to know more about FREAK vulnerability . FREAK IN MICROSOFT RESIDES IN SECURE CHANNEL Microsoft issued an advisory published Thursday warning Windows users that Secure Channel ( Schannel ) stack — the Windows implementation of SSL/TLS — is vulnerable to the FREAK encryption-downgrade attack , though it said it has not received any reports of public attacks. When the security glitch first dis...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Quantum Encryption Makes Credit Cards Fraud-Proof

Quantum Encryption Makes Credit Cards Fraud-Proof

Dec 17, 2014
Credit card frauds are very common these days – today a data breach occurs in retailer's shop, online shopping site or banking site and at the next moment millions of cards appears in the underground black market – how simple is that for cyber criminals nowadays. But imagine if there is no possible way to hack credit cards and ID cards. Seems like next to impossible, but quantum cryptography ensures that stealing people's personal data will soon be very difficult for hackers and cyber thieves due to an extra layer of verification. SECURE FRAUD-PROOF CREDIT CARDS The research at the University of Twente in Enschede, Netherlands has suggested that " fraud-proof " credit cards are possible to develop using Quantum Physics that will protect users' financial and personal information from hackers. Security researchers describe this extra layer of verification as Quantum-Secure Authentication (QSA) of a " classical multiple-scattering key ." With the...
GCHQ Releases 'Cryptoy' App for Kids to Teach Encryption

GCHQ Releases 'Cryptoy' App for Kids to Teach Encryption

Dec 14, 2014
British government surveillance agency GCHQ – counterpart of NSA – has fired-up another debate over the Internet by launching Android application to encourage teenagers to tackle emerging cybersecurity threats. The newly launched Android app , dubbed " Cryptoy ", was developed by STEM (science, technology, engineering and maths) students on an industrial year placement at GCHQ. The Cryptoy app was highly appreciated and liked by GCHQ at the Cheltenham Science Festival that they made it available to download today. The app is designed mainly to tempt youngsters between the ages of 14 and 16 into trying their hand in cryptography and code-breaking, but can be used by anyone interested in cryptography. According to GCHQ , Cryptoy app will help users to understand basic encryption methods, teach the codes of the past, and create their own encrypted messages. The app allows users to share these encoded messages by using four code-breaking techniques – Shift, Subs...
Researcher Found TextSecure Messenger App Vulnerable to Unknown Key-Share Attack

Researcher Found TextSecure Messenger App Vulnerable to Unknown Key-Share Attack

Nov 03, 2014
Do you use  TextSecure Private Messenger  for your private conversations? If yes, then Are you sure you are actually using a Secure messaging app? TextSecure , an Android app developed by Open WhisperSystems , is completely open-source and claims to support end-to-end encryption of text messages. The app is free and designed by keeping privacy in mind. However, while conducting the first audit of the software, security researchers from Ruhr University Bochum found that the most popular mobile messaging app is open to an Unknown Key-Share attack . After Edward Snowden revealed state surveillance programs conducted by the National Security Agency, and meanwhile when Facebook acquired WhatsApp , TextSecure came into limelight and became one of the best alternatives for users who want a secure communication. " Since Facebook bought WhatsApp , instant messaging apps with security guarantees became more and more popular ," the team wrote in the paper titled,...
Unmasking Google Users With a New Timing Attack

Unmasking Google Users With a New Timing Attack

Sep 10, 2014
Researcher has discovered a new Timing attack that could unmask Google users under some special conditions. Andrew Cantino, the vice president of engineering at Mavenlink, detailed his attack in a blogpost st week. According to him, the attack could be used by an attacker to target a particular person or organization. A cyber criminal could share a Google document with an email address, un-checking the option by which Google sends the recipient a notification. TIMING ATTACK USED TO DE-MASK TOR USER'S IDENTITY Now, using timing attack exploit technique, a cyber criminal could figure out when someone logged into any one of the shared addresses visits the their site, Cantino said. An attacker could even use this attack in spear phishing campaigns or even could unmask the identity of Tor users if they're logged in to Google while using the Tor browser . Timing attack can allow to unmask targeted Google users as they browse the web. Cantino said the attack is straightforwa...
Cryptography Expert Says, 'PGP Encryption is Fundamentally Broken, Time for PGP to Die'

Cryptography Expert Says, 'PGP Encryption is Fundamentally Broken, Time for PGP to Die'

Aug 19, 2014
A Senior cryptography expert has claimed multiple issues with PGP email encryption - an open source end-to-end encryption  to secure email. Before continuing, I would like to clarify that covering this topic doesn't mean you should stop using PGP encryption , instead we are bringing to you what Security researcher has argued about its fundamental implications.  PGP or Pretty Good Privacy , a program written in 1991, uses symmetric public key cryptography and hashing that allow both Privacy and Security , as well as Authenticity . Privacy and Security ensure users to exchange messages securely and Authenticity proves the origin of those messages. But PGP is a complicated multi-step process, which requires users to keep track of the public keys of other users in order to communicate. Despite clumsiness of the PGP implementation, the popular Internet giants such as Google and Yahoo! have looked forward to integrate it into their popular email services. A respected research p...
Microsoft issues Emergency Windows Update to Block Fake SSL Certificates

Microsoft issues Emergency Windows Update to Block Fake SSL Certificates

Jul 11, 2014
Today, Microsoft has issued an emergency update for almost all versions of Windows and also for Microsoft devices running Windows Phone 8 and 8.1 to secure users from attacks that abuse the latest issued rogue SSL certificates, which could be used to impersonate Google and Yahoo! websites. A week after the search engine giant Google spotted and blocked unauthorized digital certificates for a number of its domains that could result in a potentially serious security and privacy threat, Microsoft has responded back to block the bogus certificates from being used on its software as well. " Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates, " said Dustin Childs, group manager of response communications. The fake digital certificates , issued by the National Informatics Centre (NIC) of India - a unit of India's Ministry of Communications and Infor...
miniLock - Open Source File Encryption Tool from CryptoCat Developer

miniLock - Open Source File Encryption Tool from CryptoCat Developer

Jul 06, 2014
It's the age of surveillance what made the Use of Encryption so widely that it has become a need of law enforcement agencies, cyber criminals as well as every individual. But, encryption is not so easy. To solve this problem, a 23-year old Cryptocat developer Nadim Kobeissi is ready to release a simple solution to deliver strong encryption at the HOPE hacker conference in New York later this month, which may soon come as an extension for Google Chrome web browser, Wired reported . The encryption program is dubbed as miniLock , which is a free and open-source browser plugin designed to let anyone encrypt and decrypt files in seconds using a drag-and-drop interface with practically unbreakable cryptographic protection. " The tagline is that this is file encryption that does more with less, " says Kobeissi, activist and security consultant. " It's super simple, approachable, and it's almost impossible to be confused using it. " Drag-and-drop interface here means, miniL...
Microsoft Boosts Encryption for Outlook Webmail and OneDrive

Microsoft Boosts Encryption for Outlook Webmail and OneDrive

Jul 02, 2014
After the wide chain of scandals over US global snooping that seriously damaged the trust on the top U.S. Tech companies, Google and Yahoo! came forward and took initiative to provide more secure, encrypted and NSA-proofed service in an effort to gain their reputation again among its users. Now, Microsoft has also announced several improvements to the encryption used in its online cloud services in order to protect them from cyber criminals, bad actors and prying eyes. The company effort detailed in a blog entry by Matt Thomlinson, Microsoft's Vice President of Trustworthy Computing Security. MICROSOFT'S COMMITMENT Last December, Microsoft promised to protect its users data from government snooping by expanding encryption across its services, reinforcing legal protections for its customers' data and enhancing the transparency of its software code, making it easier for the customers to reassure themselves that its products contain no backdoors. Yesterday's announc...
Cisco Open Sources Experimental Small Domain Block Cipher

Cisco Open Sources Experimental Small Domain Block Cipher

Jun 23, 2014
In cryptography, Block ciphers such as AES or DES are a symmetric key cipher operating on fixed-length groups of bits, called blocks, and typically operate on large input data blocks i.e. 64 or more than 128, 256 bits. Block cipher encrypts Plain-text to Cipher-text by applying cryptographic key and algorithm to a block of data at once as a group rather than to one bit at a time, so that identical blocks of text do not get encrypted the same way. However, some applications need smaller blocks, and possibly non-binary blocks. So, to fulfil this need Cisco is providing a  small block cipher , what it calls "FNR" (Flexible Naor and Reingold), but currently it is an experimental block cipher rather a production software. Sashank Dara , software engineer at the security technology group Cisco , says in a detailed explanation that FNR is a flexible length small domain block cipher for encrypting objects that works without the need for padding, as happens in the traditi...
ProtonMail: 'NSA-Proof' End-to-End Encrypted Email Service

ProtonMail: 'NSA-Proof' End-to-End Encrypted Email Service

May 26, 2014
The Edward Snowden revelations triggered a large-scale movement worldwide towards deploying encryption across the Internet for secure services, which is something the government agencies like NSA and GCHQ have targeted repeatedly, as exemplified by abruptly shutting down Lavabit , a Texas-based Encrypted Email Service. In response, a group of young developers at the European Organization for Nuclear Research (CERN) has launched a new email service which offers end-to-end encryption and securing communications that could put an end to government snooping and will keep away our personal data from prying eyes. PROTONMAIL - AN END-to-END ENCRYPTED EMAIL This new encrypted email service, called ProtonMail is a super-secure email service created in collaboration with the scientists from Harvard, the Massachusetts Institute of Technology and the European research lab CERN. ProtonMail offers a user-friendly experience with full "end-to-end" encryption . It encrypts the data on the browser...
NIST Removes Dual_EC_DRBG Random Number Generator from Recommendations

NIST Removes Dual_EC_DRBG Random Number Generator from Recommendations

Apr 23, 2014
The National Institute of Standards and Technology (NIST) has announced to abandon the controversial  Dual Elliptic Curve Deterministic  Random Bit Generator,  better known as  Dual_EC_DRBG in the wake of allegations that the National Security Agency. Back in December, Edward Snowden leaks revealed that RSA received $10 million bribe from NSA under a secret contract to implement their flawed cryptographic algorithm Dual_EC_DRBG in its bSafe Security tool as the default protocol in its products for keeping Encryption Weak . In response to the accusations on NSA and RSA, and despite RSA denied all the accusations. without wasting time NIST issued an announcement recommending against using Dual_EC_DRBG and abandon the cryptographic algorithm from its revised guidance provided in the Recommendation for Random Number Generation Using Deterministic Random Bit Generators ( NIST Special Publication 800-90A, Rev.1 ). But it didn't remove it from its rand...
TrueCrypt is Secure; Encryption Tool cleared the First Phase of Security Audit

TrueCrypt is Secure; Encryption Tool cleared the First Phase of Security Audit

Apr 15, 2014
Is TrueCrypt Audited Yet? Yes, In Part!  One of the world's most-used open source file encryption software trusted by tens of millions of users - TrueCrypt is being audited by a team of experts to assess if it could be easily exploited and cracked. Hopefully it has cleared the first phase of the audit and given a relatively clean bill of health. TrueCrypt is a free, open-source and cross-platform encryption program available for Windows, OSX and Linux that can be used to encrypt individual folders or encrypt entire hard drive partitions including the system partition.  The program is also capable to do some amazing things, such as can create a hidden operating system on a computer, essentially an OS within an OS where users can keep their most secret files. EVERYONE HAS SOMETHING TO HIDE TrueCrypt developers are anonymous and used the aliases " ennead " and " syncon ", perhaps to avoid unwelcome attention from their own governments. But when we talk about ...
Billions of Smartphone Users affected by Heartbleed Vulnerability

Billions of Smartphone Users affected by Heartbleed Vulnerability

Apr 13, 2014
Heartbleed has left a worst impression worldwide affecting millions of websites and is also supposed to put millions of Smartphones and tablets users at a great risk. Heartbleed is a critical bug ( CVE-2014-0160 ) in the popular OpenSSL cryptographic software library, that actually resides in the OpenSSL's implementation of the TLS/DTLS heartbeat extension, which allows attackers to read portions of the affected server's memory, potentially revealing users data such as usernames, passwords, and credit card numbers, that the server did not intend to reveal. OpenSSL is a widely-used cryptographic library which implements the SSL and TLS protocol and protects communications on the Internet, and mostly every websites use either SSL or TLS, even the Apache web server that powers almost half of the websites over internet utilizes OpenSSL. But to assume that the users using desktop browsers to visit websites are vulnerable to the Heartbleed bug, will be wrong. Despite 40...
NSA denies Report that Agency knew and exploited Heartbleed Vulnerability

NSA denies Report that Agency knew and exploited Heartbleed Vulnerability

Apr 12, 2014
The Bloomberg claimed that the U.S. National Security Agency (NSA) knew about the most critical Heartbleed flaw and has been using it on a regular basis to gather " critical intelligence " and sensitive information for at least past two years and decided to keep the bug secret, citing two sources ' familiar with the matter '. In response to the above report, NSA has issued a ' 94 character' statement today denying the claims that it has known about the Heartbleed bug since two years and that it has been using it silently for the purpose of surveillance. " NSA was not aware of the recently identified Heartbleed vulnerability until it was made public ," the U.S. intelligence agency said on its Twitter feed . Heartbleed is one of the biggest Internet vulnerabilities in recent history that left large number of cryptographic keys and private data such as usernames, passwords, and credit card numbers, from the most important sites and services on the Int...
Expert Insights / Articles Videos
Cybersecurity Resources