Cryptography


New attack produces quicker SHA-1 collisions

From The H Security

Australian researchers have described a new and faster way of provoking collisions of the SHA-1 hash algorithm. With their method, a collision can be found using only 2^52 attempts. This makes practical attacks feasible and could have an impact on the medium-term use of the algorithm in digital signatures.

Crypto flaws becoming a killer for Web applications

One of the few things that most people in the security community seem to agree on is that there is a dire need for better security around Web applications. That need begins with the lack of security training for most Web developers and extends through the inconsistent use of Web-application testing, both pre-deployment and post-deployment. But one issue that has been overlooked for years probably belongs at the top of the list of Web application security woes: the haphazard use of cryptography.

Timing attack in Google Keyczar library

By Nate Lawson, Root Labs
I recently found a security flaw in the Google Keyczar crypto library. The impact was that an attacker could forge signatures for data that was “signed” with the SHA-1 HMAC algorithm (the default algorithm).
Firstly, I’m really glad to see more high-level libraries being developed so that programmers don’t have to work directly with algorithms. Keyczar is definitely a step in the right direction. Thanks to all the people who developed it. Also, thanks to Stephen Weis for responding quickly to address this issue after I notified him (Python fix and Java fix).


By Matt Keil, Palo Alto Networks
In the previous article, I talked a bit about how employees are using external proxies to hide web activity from the prying eyes of the IT department. This article discusses the use of encrypted tunnel applications to hide from detection. To someone like myself (an admitted web 1.2 kinda guy), using one of these applications seems a bit extreme. They all require the installation of client software – but once installed, they virtually guarantee that corporate security won’t see (or stop) you from using your favorite application.

From The New York Times (John Markoff)

The small cadre of experts who spend their time doing the meticulous, painstaking work of tracing cyber attacks is increasingly relying on a combination of advanced technical tools and old-fashioned intelligence-gathering techniques to track down the people and organizations responsible for the attacks. These investigators for years have been relying almost exclusively on custom software programs to do their work, but the changing nature and increased sophistication of the attacks has forced a change in these tactics.

Benjamin Jun of Cryptography Research talks about anti-counterfeiting measures in embedded technology at RSA 2009. In this segment Jun talks about the dangers of criminal hackers abusing diabetes monitors.

From Information Week (George Hulme)
The Cloud Security Alliance (CSA) made its inaugural splash at last week’s RSA Security Conference 2009 in San Francisco. The group kicked off an ambitious white paper [cloudsecurityalliance.org] that attempts to define everything from the architecture of cloud services to the impact of cloud services on litigation and encryption. It was a herculean effort to try to get this off the ground. And there is still much more work to do — especially in the one area the group left out.  Read the full story [informationweek.com]

Last week, after I dropped clues that the cover of this year’s Verizon Data Breach Investigations Report contained a cryptographic challenge, several readers immediately jumped on the challenge.
In this blog post, Veracode’s Chris Eng provides a fun walk-through of how he decoded the pattern of 1s and 0s on the report’s cover and used a combination of Google searches and hidden clues to solve the puzzle.
