Cryptography

Dennis Fisher talks with Ryan Naraine, the founding editor of Threatpost, about the Security Analyst Summit in San Juan, the reason why so many talks at security conferences sound the same and why surprise talks are so valuable.

Dennis Fisher talks with cryptographer and PGP inventor Phil Zimmermann about the specter of mobile eavesdropping, his new venture Silent Circle and how the threat landscape has changed in recent years.

Of all the problems that entrepreneur Kim Dotcom has faced in the last decade, including several arrests, insider trading charges and even a raid on his New Zealand home involving black helicopters and dozens of agents in body armor, the criticism of the cryptography employed by his new Mega cloud-storage service would seem to be fairly low on the list. However, Dotcom is taking that criticism rather personally, if the €10,000 reward he’s offering to anyone who can break the service’s crypto is any indication.

An unusual new strain of ransomware makes good on its threat, doing what the majority of other varieties only claim to do. The Trojan actually encrypts data on infected machines, effectively rendering certain files inaccessible to users on compromised computers in order to block removal.

Following a trail cut several years ago by Google and Microsoft, Yahoo has now given users of its webmail service the option of using an SSL connection for their sessions. The HTTPS option is not enabled by default, but users can turn it on with a couple of clicks.

The series of missteps and failures that led to a Turkish government-related agency eventually ending up with a valid wild card certificate for Google domains began in June 2011 when the TURKTRUST certificate authority began preparing for an audit of its systems and started moving some certificate profiles from production systems to test systems. Two months later, a pair of subordinate certificates–which carried the full power and inherited trust of TURKTRUST’s root certificate as far as most browsers were concerned–were issued, and one of them later was used by a Turkish government transportation and utility agency to create an attacker’s holy grail: a valid certificate enabling him to intercept encrypted Google traffic.

Highway traffic systems deployed across the United States could be open exploit via what a group of researchers has deemed an “insufficient entropy vulnerability” in the systems’ software.