Browsing Category: Cryptography

Categories: Cryptography, Web Security

One of the few things that most people in the security community seem to agree on is that there is a dire need for better security around Web applications. That need begins with the lack of security training for most Web developers and extends through the inconsistent use of Web-application testing, both pre-deployment and post-deployment. But one issue that has been overlooked for years probably belongs at the top of the list of Web application security woes: the haphazard use of cryptography.


Categories: Cryptography

By Nate Lawson, Root Labs
I recently found a security flaw in the Google Keyczar crypto library. The impact was that an attacker could forge signatures for data that was “signed” with the SHA-1 HMAC algorithm (the default algorithm).
Firstly, I’m really glad to see more high-level libraries being developed so that programmers don’t have to work directly with algorithms. Keyczar is definitely a step in the right direction. Thanks to all the people who developed it. Also, thanks to Stephen Weis for responding quickly to address this issue after I notified him (Python fix and Java fix).


Categories: Cryptography

By Matt Keil, Palo Alto Networks
In the previous article, I talked a bit about how employees are using external proxies to hide web activity from the prying eyes of the IT department. This article discusses the use of encrypted tunnel applications to hide from detection. To someone like myself (an admitted web 1.2 kinda guy), using one of these applications seems a bit extreme. They all require the installation of client software – but once installed, they virtually guarantee that corporate security won’t see you using (or stop you from using) your favorite application.


Categories: Cryptography

From The New York Times (John Markoff)

The small cadre of experts who spend their time doing the meticulous, painstaking work of tracing cyber attacks is increasingly relying on a combination of advanced technical tools and old-fashioned intelligence-gathering techniques to track down the people and organizations responsible for the attacks. For years these investigators relied almost exclusively on custom software programs to do their work, but the changing nature and increased sophistication of the attacks have forced a change in these tactics.


Categories: Cryptography

From Information Week (George Hulme)
The Cloud Security Alliance (CSA) made its inaugural splash at last week’s RSA Security Conference 2009 in San Francisco. The group kicked off an ambitious white paper [cloudsecurityalliance.org] that attempts to define everything from the architecture of cloud services to the impact of cloud services on litigation and encryption. It was a herculean effort to try to get this off the ground. And there is still much more work to do — especially in the one area the group left out.

Read the full story [informationweek.com]


Categories: Cryptography

Last week, after I dropped clues that the cover of this year’s Verizon Data Breach Investigations Report contained a cryptographic challenge, several readers immediately jumped on the challenge.
In this blog post, Veracode’s Chris Eng provides a fun walk-through of how he decoded the pattern of 1s and 0s on the report’s cover and used a combination of Google searches and hidden clues to solve the puzzle.
