Dennis Fisher talks with Joe Grand of Grand Idea Studio about the design for this year’s DEFCON badge, the secret feature he added that no one has uncovered yet and his research on hacking smart parking meters.
The cryptographic underpinnings of the Internet are beginning to show some serious wear, and the outlook for better days ahead is not particularly rosy. In just the last week there has been news of major new attacks on perhaps the two most widely used encryption technologies: SSL and AES. We’ve heard talk of cracks in both protocols before, but this time, even the most conservative observers are worried.
From Network World (Michael Cooney)
Researchers at IBM have developed software that uses optical character recognition and screen scraping to identify and cover up confidential data.
According to IBM, the driving idea behind the MAGEN (Masking Gateway for Enterprises) system is to prevent data leakage and allow the sharing of data while safeguarding sensitive business data. Read the full story [Network World].
It’s been quite a week in the world of cryptography. For a field in which advancements are measured in the smallest of terms and major breakthroughs can take decades, the three big news stories involving cryptography in the last few days comprise an epochal event.
Dennis Fisher talks with Jon Callas, CTO of PGP, about the history of cryptography, the evolution of PGP itself and the future of cloud security.
Dennis Fisher talks with Nate Lawson of Root Labs about the proliferation of crypto flaws in Web applications and the market for hardware security bugs.
Threatpost editors Ryan Naraine and Dennis Fisher talk about the problems with developers implementing their own crypto libraries in Web applications, the short list of names for the cybersecurity czar job and the possibility of a full-scale hacker bracket competition.
Australian researchers have described a new and faster way of provoking collisions of the SHA-1 hash algorithm. With their method, a collision can be found using only 2^52 attempts. This makes practical attacks feasible and could have an impact on the medium-term use of the algorithm in digital signatures.
One of the few things that most people in the security community seem to agree on is that there is a dire need for better security around Web applications. That need begins with the lack of security training for most Web developers and extends through the inconsistent use of Web-application testing, both pre-deployment and post-deployment. But one issue that has been overlooked for years probably belongs at the top of the list of Web application security woes: the haphazard use of cryptography.
By Nate Lawson, Root Labs
I recently found a security flaw in the Google Keyczar crypto library. The impact was that an attacker could forge signatures for data that was “signed” with the SHA-1 HMAC algorithm (the default algorithm).
Firstly, I’m really glad to see more high-level libraries being developed so that programmers don’t have to work directly with algorithms. Keyczar is definitely a step in the right direction. Thanks to all the people who developed it. Also, thanks to Stephen Weis for responding quickly to address this issue after I notified him (Python fix and Java fix).