Cryptography


IBM Shows Off Way to Hide Confidential Data Online

From Network World (Michael Cooney)
Researchers at IBM have developed software that uses optical character recognition and screen scraping to identify and cover up confidential data.
According to IBM, the driving idea behind the MAGEN (Masking Gateway for Enterprises) system is to prevent data leakage and allow data to be shared while safeguarding sensitive business data. Read the full story [Network World].

New AES Attack, 200-Year-Old Cipher Key Big Week in Crypto

It’s been quite a week in the world of cryptography. For a field in which advancements are measured in the smallest of terms and major breakthroughs can take decades, the three big news stories involving cryptography in the last few days comprise an epochal event.


Threatpost editors Ryan Naraine and Dennis Fisher talk about the problems with developers implementing their own crypto libraries in Web applications, the short list of names for the cybersecurity czar job and the possibility of a full-scale hacker bracket competition.

One of the few things that most people in the security community seem to agree on is that there is a dire need for better security around Web applications. That need begins with the lack of security training for most Web developers and extends through the inconsistent use of Web-application testing, both pre-deployment and post-deployment. But one issue that has been overlooked for years probably belongs at the top of the list of Web application security woes: the haphazard use of cryptography.

By Nate Lawson, Root Labs
I recently found a security flaw in the Google Keyczar crypto library. The impact was that an attacker could forge signatures for data that was “signed” with the SHA-1 HMAC algorithm (the default algorithm).
Firstly, I’m really glad to see more high-level libraries being developed so that programmers don’t have to work directly with algorithms. Keyczar is definitely a step in the right direction. Thanks to all the people who developed it. Also, thanks to Stephen Weis for responding quickly to address this issue after I notified him (Python fix and Java fix).

By Matt Keil, Palo Alto Networks
In the previous article, I talked a bit about how employees are using external proxies to hide web activity from the prying eyes of the IT department. This article discusses the use of encrypted tunnel applications to hide from detection. To someone like myself (an admitted web 1.2 kinda guy), using one of these applications seems a bit extreme. They all require the installation of client software – but once installed, they virtually guarantee that corporate security won’t see (or stop) you from using your favorite application.

From The New York Times (John Markoff)

The small cadre of experts who spend their time doing the meticulous, painstaking work of tracing cyber attacks is increasingly relying on a combination of advanced technical tools and old-fashioned intelligence-gathering techniques to track down the people and organizations responsible for the attacks. These investigators for years have been relying almost exclusively on custom software programs to do their work, but the changing nature and increased sophistication of the attacks have forced a change in these tactics.
