encryption | Breaking Cybersecurity News | The Hacker News

A 19-year-old vulnerability has been re-discovered in the RSA implementation from at least 8 different vendors—including F5, Citrix, and Cisco—that can give man-in-the-middle attackers access to encrypted messages. Dubbed ROBOT ( Return of Bleichenbacher's Oracle Attack ), the attack allows an attacker to perform RSA decryption and cryptographic operations using the private key configured on the vulnerable TLS servers. ROBOT attack is nothing but a couple of minor variations to the old Bleichenbacher attack on the RSA encryption protocol. First discovered in 1998 and named after Swiss cryptographer Daniel Bleichenbacher, the Bleichenbacher attack is a padding oracle attack on RSA-based PKCS#1 v1.5 encryption scheme used in SSLv2. Leveraging an adaptive chosen-ciphertext attack which occurred due to error messages by SSL servers for errors in the PKCS #1 1.5 padding, Bleichenbacher attack allows attackers to determine whether a decrypted message is correctly padded.

Researchers have uncovered several major weaknesses in the implementation of the Institute of Electrical and Electronics Engineers (IEEE) P1735 cryptography standard that can be exploited to unlock, modify or steal encrypted system-on-chip blueprints. The IEEE P1735 scheme was designed to encrypt electronic-design intellectual property (IP) in the hardware and software so that chip designers can protect their IPs from hackers and other prying eyes. Majority of mobile and embedded devices include a System-on-Chip (SoC), a single integrated circuit that can consist of multiple IPs—a collection of reusable design specifications—like a radio-frequency receiver, an analogue-to-digital converter, a digital signal processing unit, a graphics processing unit, a cryptographic engine, from different vendors. Therefore, these licensed IPs are quite valuable to their vendors, so to protect them from being reverse engineered after being sold, the IEEE developed the P1735 standard to encryp

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

No doubt your Internet Service Provides (ISPs), or network-level hackers cannot spy on https communications. But do you know — ISPs can still see all of your DNS requests, allowing them to know what websites you visit. Google is working on a new security feature for Android that could prevent your Internet traffic from network spoofing attacks. Almost every Internet activity starts with a DNS query, making it a fundamental building block of the Internet. DNS works as an Internet's phone book that resolves human-readable web addresses, like thehackernews.com, against their IP addresses. DNS queries and responses are sent in clear text (using UDP or TCP) without encryption, which makes it vulnerable to eavesdropping and compromises privacy. ISPs by default resolve DNS queries from their servers. So when you type a website name in your browser, the query first goes to their DNS servers to find the website's IP address, which eventually exposes this information (metada

Microsoft today announced built-in support for Cortana—an artificial intelligence-powered smart assistant—in Skype messenger on Android as well as iOS devices. What purpose does it serve? Microsoft wants its AI-based smart assistance to understand your conversations and help you with quick suggestions, ideas and information right inside your chat window. "Cortana can also help you organize your day—no need to leave your conversations. Cortana can detect when you're talking about scheduling events or things you have to do and will recommend setting up a reminder, which you will receive on all your devices that have Cortana enabled," Skype said in a blog post . In other words, it typically means — Microsoft's Cortana can now read your private Skype conversations. Should You Worry About Your Privacy? Yes, Cortana needs continuous monitoring of your private chats in order to come up with useful suggestions such as movie bookings, travel plans, nearby restaura

How much does your privacy cost? It will soon be sold for half a Million US dollars. A controversial company specialises in acquiring and reselling zero-day exploits is ready to pay up to US$500,000 for working zero-day vulnerabilities targeting popular secure messenger applications, such as Signal, Telegram and WhatsApp. Zerodium announced a new pricing structure on Wednesday, paying out $500,000 for fully functional remote code execution (RCE) and local privilege escalation (LPE) vulnerabilities in Signal, WhatsApp, iMessage, Viber, Facebook Messenger, WeChat, and Telegram. The payouts for all these secure messengers have been increased after tech companies introduced end-to-end encryption in their apps, making it more difficult for anyone to compromise their messaging platforms. The same payout is offered for remote code execution and local privilege escalation security flaws in default mobile email applications. Launched in 2015, Zerodium is a Washington, DC-based p

Security researchers have discovered a new method to decrypt satellite phone communications encrypted with the GMR-2 cipher in "real time" -- that too in mere fractions of a second in some cases. The new attack method has been discovered by two Chinese security researchers and is based on previous research by German academicians in 2012, showing that the phone's encryption can be cracked so quickly that attackers can listen in on calls in real time. The research, disclosed in a paper published last week by the security researchers in the International Association for Cryptologic Research, focused on the GMR-2 encryption algorithm that is commonly being used in most modern satellite phones, including British satellite telecom Inmarsat, to encrypt voice calls in order to prevent eavesdropping. Unlike previous 2012 research by German researchers who tried to recover the encryption key with the help of 'plaintext' attacks, the Chinese researchers attempted

Security boffins have discovered a critical vulnerability in a GnuPG cryptographic library that allowed the researchers to completely break RSA-1024 and successfully extract the secret RSA key to decrypt data. Gnu Privacy Guard (GnuPG or GPG) is popular open source encryption software used by many operating systems from Linux and FreeBSD to Windows and macOS X. It's the same software used by the former NSA contractor and whistleblower Edward Snowden to keep his communication secure from law enforcement. The vulnerability, labeled CVE-2017-7526 , resides in the Libgcrypt cryptographic library used by GnuPG, which is prone to local FLUSH+RELOAD side-channel attack. A team of researchers — from Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide — found that the "left-to-right sliding window" method used by the libgcrypt library for carrying out the mathematics o

After being threatened with a ban in Russia , end-to-end encrypted Telegram messaging app has finally agreed to register with new Russian Data Protection Laws, but its founder has assured that the company will not comply to share users' confidential data at any cost. Russia's communications watchdog Roskomnadzor had recently threatened to block Telegram if the service did not hand over information required to put the app on an official government list of information distributors. The Russian government requirement came following terrorists' suicide bombings that killed 15 people in Saint Petersburg in April in which terrorists allegedly used the Telegram 's app to communicate and plot attacks. "There is one demand, and it is simple: to fill in a form with information on the company that controls Telegram," said Alexander Zharov, head of Roskomnadzor.  "And to officially send it to Roskomnadzor to include this data in the registry of organizers

Russia has threatened to ban Telegram end-to-end encrypted messaging app, after Pavel Durov, its founder, refused to sign up to the country's new data protection laws. Russian intelligence service, the FSB, said on Monday that the terrorists that killed 15 people in Saint Petersburg in April had used the Telegram encrypted messaging service to plot their attacks. According to the new Russian Data Protection Laws, as of January 1, all foreign tech companies have been required to store the past six months' of the personal data of its citizens and encryption keys within the country; which the company has to share with the authorities on demand. "There is one demand, and it is simple: to fill in a form with information on the company that controls Telegram," Alexander Zharov said, head of communications regulator Roskomnadzor (state communications watchdog). "And to officially send it to Roskomnadzor to include this data in the registry of organizers of d

Prime Minister Theresa May wants tech companies, like Facebook, Apple, and Google, to create controversial 'backdoors' for police, but even somewhere she knows that it's not that easy as it sounds. The Civil Liberties, Justice and Home Affairs Committee of the European Parliament has released a draft proposal [ PDF ] for new laws on privacy and electronic communications, recommending end-to-end (E2E) encryption on all communications and forbidding backdoors that offer access to law enforcement. "The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information," the draft reads. Draft Says, Your Security is Our Top Priority According to the draft, EU citizens need more protection, not less and they need to know that the "confidentiality and safety" of their

The Dutch police arrested four suspects on Tuesday on suspicion of money laundering and involvement in selling custom encrypted BlackBerry and Android smartphones to criminals. The Dutch National High Tech Crime Unit (NHTCU), dedicated team within the Dutch National Police Agency aims to investigate advanced forms of cyber crimes, carried out investigation and found that the phone brand "PGPsafe" was selling customized BlackBerry and Android smartphones with the secure PGP-encrypted network to the "possible criminal end users." PGP (Pretty Good Privacy) is an open source end-to-end encryption standard that can be used to cryptographically sign emails, documents, files, or entire disk partitions in order to protect them from being spied on. Selling custom security-focused encrypted phones does not involve any crime itself, but Dutch police have discovered evidence, which indicates over the years such phones had been sold to organized criminals involved in

Joining the line with rival chat apps WhatsApp, Viber, Facebook Messenger, and Signal, the Telegram instant messaging service has finally rolled out a much-awaited feature for the new beta versions of its Android app: Voice Calling . And what's interesting? Your calls will be secured by Emojis, and quality will be better using Artificial Intelligence. No doubt the company brought the audio calling feature quite late, but it's likely because of its focus on security — the voice calls on Telegram are by default based on the same end-to-end encryption methods as its Secret Chat mode to help users make secure calls. Unlike Signal or WhatsApp, Telegram does not support end-to-end encryption by default; instead, it offers a 'Secret Chat' mode, which users have to enable manually, to completely secure their chats from prying eyes. However, the voice calling feature in Telegram supports end-to-end encryption by default, enabling users to secure their chats in a way

Google announced its plans to punish Symantec by gradually distrusting its SSL certificates after the company was caught improperly issuing 30,000 Extended Validation (EV) certificates over the past few years. The Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again. Extended validation certificates are supposed to provide the highest level of trust and authentication, where before issuing a certificate, Certificate Authority must verify the requesting entity's legal existence and identity. The move came into effect immediately after Ryan Sleevi, a software engineer on the Google Chrome team, made this announcement on Thursday in an online forum . "This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, c

The Dutch police have managed to decrypt a number of PGP-encrypted messages sent by criminals using their custom security-focused PGP BlackBerry phones and identified several criminals in an ongoing investigation. PGP, or Pretty Good Privacy, an open source end-to-end encryption standard that can be used to cryptographically sign emails, files, documents, or entire disk partitions in order to protect them from being spied on. You'll be surprised to know how the police actually decrypted those PGP messages. In April last year, the Dutch Police arrested a 36-year-old man on suspicion of money laundering and involvement in selling customized BlackBerry Phones with the secure PGP-encrypted network to criminals that were involved in organized crimes. At the time, the police also seized a server belonging to Ennetcom, the company owned by Danny Manupassa, which contains data of end-to-end encrypted communications belong to a large number of criminal groups. Later, in Januar

SHA-1, Secure Hash Algorithm 1, a very popular cryptographic hashing function designed in 1995 by the NSA, is officially dead after a team of researchers from Google and the CWI Institute in Amsterdam announced today submitted the first ever successful SHA-1 collision attack. SHA-1 was designed in 1995 by the National Security Agency (NSA) as a part of the Digital Signature Algorithm. Like other hashes, SHA-1 also converts any input message to a long string of numbers and letters that serve as a cryptographic fingerprint for that particular message. Collision attacks appear when the same hash value (fingerprint) is produced for two different messages, which then can be exploited to forge digital signatures, allowing attackers to break communications encoded with SHA-1. The explanation is technologically tricky, but you can think of it as attackers who surgically alters their fingerprints in order to match yours, and then uses that to unlock your smartphone. The researchers h

Texas-based Encrypted Email Service ' Lavabit ,' that was forced to shut down in 2013 after not complying with a court order demanding access to SSL keys to snoop on Edward Snowden's emails , is relaunching on Friday. Lavabit CEO Ladar Levison had custody of the service's SSL encryption key that could have helped the government obtain Snowden's password. Although the FBI insisted it was only after Snowden's account, that was the key to the kingdom that would have helped the FBI agents obtain other users' credentials as well. But rather than complying with the federal request that could compromise the communications of all of its customers, Levison preferred to shut down his encrypted email service, leaving its 410,000 users unable to access their email accounts. Now, Levison has announced that he is reviving Lavabit with a new architecture that fixes the SSL problem — which according to him, was the biggest threat — and includes other privacy-enhancin

What is a backdoor? By definition: "Backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data, " either the backdoor is in encryption algorithm, a server or in an implementation, and doesn't matter whether it has previously been used or not. Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that "could allow" an attacker, and of course the company itself, to intercept your encrypted communication. The story involving the world's largest secure messaging platform that has over a billion users worldwide went viral in few hours, attracting reactions from security experts, WhatsApp team, and Open Whisper Systems, who partnered with Facebook to implement end-to-end encryption in WhatsApp. Note: I would request readers to read complete article before reaching out for a conclusion. And also, suggestions and opinions are

Important Update — Most Security Experts argued, " It's not a backdoor, rather it's a feature ," but none of them denied the fact that, if required, WhatsApp or a hacker can intercept your end-to-end encrypted chats. Read detailed explanation on arguments in my latest article. Most people believe that end-to-end encryption is the ultimate way to protect your secret communication from snooping, and it does, but it can be intercepted if not implemented correctly. After introducing " end-to-end encryption by default " last year, WhatsApp has become the world's largest secure messaging platform with over a billion users worldwide. But if you think your conversations are completely secure in a way that no one, not even Facebook, the company that owned WhatsApp, can intercept your messages then you are highly mistaken, just like most of us and it's not a new concept. Here's the kick: End-to-end encrypted messaging service, such as WhatsApp and Te