Archive for the ‘encryption’ Category

New Attack exploiting serious Bluetooth weakness can intercept sensitive data

August 17th, 2019
New Attack exploiting serious Bluetooth weakness can intercept sensitive data

Enlarge

Researchers have demonstrated a serious weakness in the Bluetooth wireless standard that could allow hackers to intercept keystrokes, address books, and other sensitive data sent from billions of devices.

Dubbed Key Negotiation of Bluetooth—or KNOB for short—the attack forces two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection. Attackers within radio range can then use commodity hardware to quickly crack the key. From there, attackers can use the cracked key to decrypt data passing between the devices. The types of data susceptible could include keystrokes passing between a wireless keyboard and computer, address books uploaded from a phone to a car dashboard, or photographs exchanged between phones.

KNOB doesn’t require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself, making it likely the vulnerability affects just about every device that’s compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips—including those from Broadcom, Apple, and Qualcomm—and found all of them to be vulnerable.

Read 19 remaining paragraphs | Comments

Posted in Biz & IT, bluetooth, encryption, firmware, Man in the middle | Comments (0)

238 Google Play apps with >440 million installs made phones nearly unusable

June 4th, 2019
238 Google Play apps with >440 million installs made phones nearly unusable

Enlarge (credit: NurPhoto | Getty Images)

If the prevalence of abusive Google Play apps has left you numb, this latest report is for you. Carefully concealed adware installed in Google-approved apps with more than 440 million installations was so aggressive that it rendered mobile devices nearly unusable, researchers from mobile security provider Lookout said Tuesday.

BeiTaAd, as the adware is known, is a plugin that Lookout says it found hidden in emojis keyboard TouchPal and 237 other applications, all of which were published by Shanghai, China-based CooTek. Together, the 238 unique apps had a combined 440 million installs. Once installed, the apps initially behaved normally. Then, after a delay of anywhere between 24 hours and 14 days, the obfuscated BeiTaAd plugin would begin delivering what are known as out-of-app ads. These ads appeared on users' lock screens and triggered audio and video at seemingly random times or even when a phone was asleep.

"My wife is having the exact same issue," one person reported in November in this thread discussing BeiTaAd. "This will bring up random ads in the middle of phone calls, when her alarm clock goes off or anytime she uses any other function on her phone. We are unable to find any other information on this. It is extremely annoying and almost [makes] her phone unusable."

Read 7 remaining paragraphs | Comments

Posted in adware, Android, Biz & IT, encryption, google play, obfuscation | Comments (0)

Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords

April 11th, 2019
Artist's impression of wireless hackers in your computer.

Enlarge / Artist's impression of wireless hackers in your computer. (credit: TimeStopper/Getty Images)

The next-generation Wi-Fi Protected Access protocol released 15 months ago was once hailed by key architects as resistant to most types of password-theft attacks that threatened its predecessors. On Wednesday, researchers disclosed several serious design flaws in WPA3 that shattered that myth and raised troubling new questions about the future of wireless security, particularly among low-cost Internet-of-things devices.

While a big improvement over the earlier and notoriously weak Wired Equivalent Privacy and the WPA protocols, the current WPA2 version (in use since the mid 2000s) has suffered a crippling design flaw that has been known for more than a decade: the four-way handshake—a cryptographic process WPA2 uses to validate computers, phones, and tablets to an access point and vice versa—contains a hash of the network password. Anyone within range of a device connecting to the network can record this handshake. Short passwords or those that aren’t random are then trivial to crack in a matter of seconds.

One of WPA3’s most promoted changes was its use of “Dragonfly,” a completely overhauled handshake that its architects once said was resistant to the types of password guessing attacks that threatened WPA2 users. Known in Wi-Fi parlance as the Simultaneous Authentication of Equals handshake, or just SAE for short, Dragonfly augments the four-way handshake with a Pairwise Master Key that has much more entropy than network passwords. SAE also provides a feature known as forward secrecy that protects past sessions against future password compromises.

Read 18 remaining paragraphs | Comments

Posted in Biz & IT, encryption, exploits, vulnerabilities, wi-fi, wi-fi protected access, WPA, WPA2, WPA3 | Comments (0)

Firefox Send lets you send files up to 2.5GB with time and download limits

March 13th, 2019

Mozilla has publicly launched its Firefox Send file-sharing service after a lengthy testing period. It allows you to send files via a link to anyone and set conditions for access like a time period or number of downloads before the file expires.

Firefox Send can handle files as large as 2.5GB. When the Test Pilot period for the service began in August of 2017, the limit was 1GB; that limit still applies until you sign in with your Firefox account (opening an account is free).

You can set a limit to how many times the file can be downloaded before it is deleted from the servers: one, two, three, four, five, 20, 50, or 100 times. You can also set a time limit before deletion—seven days, one day, one hour, or five minutes. Finally, you can set a password of your choice for access to the file. After you go through this brief process, you'll get a link to send to the recipient to download the file.

Read 6 remaining paragraphs | Comments

Posted in encryption, file sharing, Firefox, Firefox Send, Mozilla, Tech, Web Browsers | Comments (0)

Google Created Faster Storage Encryption for All Low-End Devices

February 8th, 2019
Google has launched a new encryption algorithm that has been built specifically to run on mobile phones and smart IoT devices that don't have the specialized hardware to use current encryption methods to encrypt locally stored data efficiently. Encryption has already become an integral part of our everyday digital activities. However, it has long been known that encryption is expensive, as

Posted in #opGreece, Android encryption, data encryption, Disk encryption, encryption, encryption algorithm, encryption software, file encryption, IoT security | Comments (0)

Digital exchange loses $137 million as founder takes passwords to the grave

February 2nd, 2019
Black-and-white photo of a human skull in a graveyard.

Enlarge (credit: Jakub T. Jankiewicz / Flickr)

A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers’ assets following the sudden death of its founder, who was the only person known to have access the the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it’s tied up in disputes with third parties.

The dramatic misstep was reported in a sworn affidavit that was obtained by CoinDesk. The affidavit was filed Thursday by Jennifer Robertson, widow of QuadrigaCX’s sole director and officer Gerry Cotten. Robertson testified that Cotten died of Crohn’s disease in India in December at the age of 30.

Following standard security practices by many holders of cryptocurrency, QuadrigaCX stored the vast majority of its cryptocurrency holdings in a “cold wallet,” meaning a digital wallet that wasn’t connected to the Internet. The measure is designed to prevent hacks that regularly drain hot wallets of millions of dollars (Ars has reported on three such thefts here, here, and here.)

Read 6 remaining paragraphs | Comments

Posted in Biz & IT, cold wallet, cryptocurrency, encryption, passwords | Comments (0)

Signal app to Australia: Good luck with that crypto ban

December 15th, 2018
Grafitti urging people to use Signal, a highly-enctypted messaging app, is spray-painted on a wall during a protest on February 1, 2017 in Berkeley, California.

Enlarge / Grafitti urging people to use Signal, a highly-enctypted messaging app, is spray-painted on a wall during a protest on February 1, 2017 in Berkeley, California. (credit: Elijah Nouvelage/Getty Images)

Signal, one of the most secure messaging apps, essentially told Australia this week that its attempts to thwart strong crypto are rather cute.

"By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles, or group avatars," Joshua Lund, a Signal developer wrote. "The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us. In most cases now we don’t even have access to who is messaging whom."

Lund is referring to a recent law passed in Australia that will fine companies that do not comply with government demands for encrypted data up to AUS$10 million.

Read 3 remaining paragraphs | Comments

Posted in crypto, encryption, Policy, Signal | Comments (0)

Australia passes new law to thwart strong encryption

December 6th, 2018
Large room full of well-dressed men and women.

Enlarge / The Member for Sydney Tanya Plibersek speaks as the Labor party stay for the end of parliament in the House of Representatives at Parliament House on December 06, 2018, in Canberra, Australia. (credit: Tracey Nearmy/Getty Images)

On Thursday, the Australian parliament approved a measure that critics say will weaken encryption in favor of law enforcement and the demands of government.

The new law, which has been pushed for since at least 2017, requires that companies provide a way to get at encrypted communications and data via a warrant process. It also imposes fines of up to A$10 million for companies that do not comply and A$50,000 for individuals who do not comply. In short, the law thwarts (or at least tries to thwart) strong encryption.

Companies who receive one of these warrants have the option of either complying with the government or waiting for a court order. However, by default, the orders are secret, so companies would not be able to tell the public that they had received one.

Read 13 remaining paragraphs | Comments

Posted in apple, australia, encryption, Policy | Comments (0)

Sennheiser discloses monumental blunder that cripples HTTPs on PCs and Macs

November 28th, 2018
Sennheiser discloses monumental blunder that cripples HTTPs on PCs and Macs

Enlarge (credit: Sennheiser)

Audio device maker Sennheiser has issued a fix for a monumental software blunder that makes it easy for hackers to carry out man-in-the-middle attacks that cryptographically impersonate any big-name website on the Internet. Anyone who has ever used the company’s HeadSetup for Windows or macOS should take action immediately, even if users later uninstalled the app.

To allow Sennheiser headphones and speaker phones to work seamlessly with computers, HeadSetup establishes an encrypted Websocket with a browser. It does this by installing a self-signed TLS certificate in the central place an operating system reserves for storing browser-trusted certificate authority roots. In Windows, this location is called the Trusted Root CA certificate store. On Macs, it’s known as the macOS Trust Store.

A few minutes to find, years to exploit

The critical HeadSetup vulnerability stems from a self-signed root certificate installed by version 7.3 of the app that kept the private cryptographic key in a format that could be easily extracted. Because the key was identical for all installations of the software, hackers could use the root certificate to generate forged TLS certificates that impersonated any HTTPS website on the Internet. Although the self-signed certificates were blatant forgeries, they will be accepted as authentic on computers that store the poorly secured certificate root. Even worse, a forgery defense known as certificate pinning would do nothing to detect the hack.

Read 8 remaining paragraphs | Comments

Posted in audio, Biz & IT, encryption, HTTPS, Sennheiser, Superfish, TLS, transport layer security | Comments (0)

Police decrypt 258,000 messages after breaking pricey IronChat crypto app

November 7th, 2018
Police decrypt 258,000 messages after breaking pricey IronChat crypto app

Enlarge (credit: Brian Smithson / Flickr)

Police in the Netherlands said they decrypted more than 258,000 messages sent using IronChat, an app billed as providing end-to-end encryption that was endorsed by National Security Agency leaker Edward Snowden.

In a statement published Tuesday, Dutch police said officers achieved a “breakthrough in the interception and decryption of encrypted communication” in an investigation into money laundering. The encrypted messages, according to the statement, were sent by IronChat, an app that runs on a device that cost thousands of dollars and could send only text messages.

“Criminals thought they could safely communicate with so-called crypto phones which used the application Ironchat,” Tuesday’s statement said. “Police experts in the east of the Netherlands have succeeded in gaining access to this communication. As a result, the police have been able to watch live the communication between criminals for some time.”

Read 10 remaining paragraphs | Comments

Posted in Biz & IT, cryptography, encryption, messengers, Policy | Comments (0)