Google Is Pushing New Cipher Suites - All About ChaCha20 and Poly1305

After the Snowden revelations, tech companies have been scrambling to adopt newer and stronger encryption schemes to restore confidence in encryption as a way to safeguard data from advanced adversaries such as governments. Many companies have moved to 2048-bit asymmetric keys and 256-bit symmetric ciphers in an effort to strengthen current protocols against brute-force attacks mounted with enormous distributed networks like botnets or world-class supercomputers.

There has also been a large outcry for stronger protocols with fewer theoretical attacks against them. The most commonly used ciphers (RC4 and AES-CBC) have had practical attacks executed in the wild that demonstrated their vulnerability.

New algorithms are in the works, such as AES in Galois/Counter Mode (GCM), the Skein hash function, and Keccak, but they are computationally heavy and require a lot of processing power to handle large amounts of data. That cost is felt most on devices with traditionally weaker or low-power processors like smartphones and tablets.


The Tor Project Releases An Android Hardening Guide

The Tor Project has released an extensive guide for hardening your Android smartphone against intrusion. This is the first comprehensive guide we have seen for trying to stay anonymous on Android.

You can view all of the details here:


Apple Silently Removes Encryption For Email Attachments

The latest versions of iOS 7 have broken a feature that protects e-mail attachments from intrusion and surveillance. The feature, called 'data protection', uses a unique hardware encryption key in combination with a password to protect attachments. In the latest iOS 7 releases the feature simply no longer works.

When reached for comment, Apple said it was aware of the issue but gave no ETA for a fix.

A silently broken protection feature that Apple is in no hurry to fix smells of clandestine agency tampering, especially alongside leaked documents claiming a 100% success rate at breaking into iOS devices.

More information:


Internet Explorer Is Vulnerable To A New 0-Day Vulnerability

A new zero-day vulnerability is being exploited in Internet Explorer to attack Syrian dissidents. The vulnerability affects all versions from IE6 through IE11 and remains unpatched at this time. The bug is a use-after-free; its CVE entry is linked here. Now that the vulnerability has been disclosed, more attackers are expected to develop exploits for the browser.

To mitigate the vulnerability you can install EMET or disable Flash. You can also install a browser that isn't terrible.

Credit goes to FireEye for disclosing the exploit and the mitigation techniques here.


Samsung Galaxy S5 Fingerprint Reader Compromised

A German security lab, the one responsible for the iPhone fingerprint hack, has gone public with the finding that the same hack works on the Samsung Galaxy S5 fingerprint reader. The process transfers a lifted print onto a fake rubber finger to fool the sensor into granting access to the phone.

The hack is more serious on Android because the OS does not require a password at all once fingerprint security is configured. Apple iOS devices with fingerprint security still require a password each time the device is rebooted.

Even worse, the fingerprint reader on the S5 can be configured to work seamlessly with PayPal, so an attacker using the lifted-print spoof would be able to directly access and move funds from a PayPal account configured to use the fingerprint reader.

Original Source (German):


The First Round of TrueCrypt Audits Finds No Vulnerabilities

TrueCrypt, the open-source disk and file-system encryption tool popular among privacy advocates, has undergone its first round of security auditing. The audit, conducted by iSEC, evaluated the bootloader and the Windows kernel driver and found no significant vulnerabilities in that code.

The second stage of the audit, which will comb through the code that actually handles the encryption, is next. If the iSEC team cannot find any vulnerabilities in the cryptographic code either, TrueCrypt's standing as the most trusted full-disk encryption solution will be reinforced.

The advantages will be:

- Open source: anyone can view all of the code behind TrueCrypt and evaluate it for vulnerabilities and backdoors.

- Peer reviewed: TrueCrypt will have had a full security audit, a lengthy and expensive process in which the code is reviewed line by line for vulnerabilities.


The OpenSSL Heartbleed Vulnerability

On April 7th, the OpenSSL bug dubbed "Heartbleed" was publicly disclosed. Researchers found that a crafted "heartbeat extension" packet could recover data from adjacent areas of memory on a client or server. With luck, that data could include material pertaining to keys, certificates, logins, passwords or other highly sensitive information.

The vulnerability is serious on its own, and the fact that it sits in the OpenSSL library makes it more concerning still, because a huge number of applications, including the vast majority of web servers on the internet, rely on OpenSSL.

How the exploit works:

The faulty heartbeat extension implementation lets a client claim a payload length larger than the payload it actually sent. The peer echoes back the claimed number of bytes without checking that claim against the record it received, so the reply carries data from unintended areas of memory.
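The length-field mismatch described above, reproduced as an added C example written for this page (it is not OpenSSL's code). It uses a constructed toy record format (one type byte, a two-byte big-endian payload length, then the payload), a single `mem` array standing in for process memory with a planted constructed `secret` string after the record, an unchecked handler that echoes whatever follows the real payload, and a hardened handler that rejects the record when the claimed length exceeds the bytes actually received. Keeping everything inside one array means the demo's over-read never leaves our own allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for the demo: 1 type byte, 2-byte big-endian
 * payload length, then payload. Not the real TLS heartbeat encoding. */
enum { HB_HDR = 3 };

/* Simulated process memory: the received record sits at the start and
 * unrelated data (a constructed "secret") follows it. */
static uint8_t mem[64];
static const char secret[] = "SESSION-KEY-0000";

/* Builds a 5-byte record whose length field claims `claimed` bytes while
 * only 2 payload bytes ("hi") are actually present. Returns the number
 * of bytes that really arrived on the wire. */
size_t build_record(uint16_t claimed)
{
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                               /* type: request */
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    mem[3] = 'h';
    mem[4] = 'i';
    memcpy(mem + 5, secret, sizeof secret);   /* adjacent memory */
    return 5;
}

/* Vulnerable handler: trusts the length field. `received` is the real
 * record size but is never consulted. The copy is capped at `cap` and at
 * the end of `mem` only so the demo itself has no undefined behaviour. */
size_t echo_unchecked(size_t received, uint8_t *out, size_t cap)
{
    (void)received;                           /* the bug: never checked */
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    size_t avail = sizeof mem - HB_HDR;
    size_t n = claimed < avail ? claimed : avail;
    if (n > cap) n = cap;
    memcpy(out, mem + HB_HDR, n);             /* reads past the real payload */
    return n;
}

/* Hardened handler: the claimed length must fit inside the bytes that
 * actually arrived, otherwise the record is dropped. Returns 0 on reject. */
size_t echo_checked(size_t received, uint8_t *out, size_t cap)
{
    if (received < HB_HDR) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > received - HB_HDR) return 0; /* the missing bounds check */
    if (claimed > cap) return 0;
    memcpy(out, mem + HB_HDR, claimed);
    return claimed;
}

/* Returns 1 if the echoed buffer carries the planted secret after "hi". */
int leaked(const uint8_t *out, size_t n)
{
    return n >= sizeof secret + 1 &&
           memcmp(out + 2, secret, sizeof secret - 1) == 0;
}

int main(void)
{
    uint8_t out[64];
    size_t received = build_record(40);       /* claims 40, sends 2 */
    size_t n = echo_unchecked(received, out, sizeof out);
    printf("unchecked: echoed %zu bytes, secret leaked: %s\n",
           n, leaked(out, n) ? "yes" : "no");
    n = echo_checked(received, out, sizeof out);
    printf("checked: echoed %zu bytes (0 = record rejected)\n", n);
    return 0;
}
```

The defender's takeaway is the single comparison in `echo_checked`: a length carried inside a message is attacker-controlled data and must be validated against the size of the buffer the message actually occupies before it drives a copy.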


Twitter Abandons Secure Private Messaging Project

Twitter, after making headlines for enabling encryption with perfect forward secrecy, has apparently abandoned the next stage of the project, which is to encrypt private messages within the service.

Without a reasonable explanation for this move, there is a lot of speculation as to why Twitter would abandon a project it had already invested significant resources in. It could be a legal issue handled behind closed doors, it could be that they are overhauling the messaging system (again) and do not want to devote resources to message encryption until the overhaul is complete, or it could be technical hurdles.

The fact that they remain silent on the topic is troubling. One thing we have learned is that when a gag order is issued, companies stay silent about their actions and aren't allowed even to acknowledge that such an order exists. Until Twitter gives a real explanation, dropping a project they were obviously passionate about and already had under way looks suspicious.


GnuTLS Flaw Exposes Hundreds of Apps to Intrusion on Windows/Linux/BSD

A critical vulnerability in GnuTLS has been discovered by the Red Hat Linux team that could cause bad certificates to be accepted as valid. The bug is eerily similar in nature to the "goto fail" SSL bug discovered in Apple's iOS in January of this year. Conspiracy theories aside, it shows how hard it is to create and maintain a strong security infrastructure.

Unfortunately GnuTLS is popular among free operating systems because of licensing concerns with the stronger OpenSSL library. It is often integrated into core operating-system functions like updates and remote access, and it is sometimes used by web servers like Apache and Nginx.

The vulnerability is critical because it would allow an attacker with privileged network access to man-in-the-middle a vulnerable computer without the user knowing. For example, a server that performs automated updates could be fed a bogus update that compromises the machine.


Major iOS and OS X Flaw Discovered Spanning All Current Apple Devices

Update your iPhones and iPads! A new severe security vulnerability in iOS 6, iOS 7, and OS X Mavericks allows an attacker to intercept secure traffic and decrypt it using a man-in-the-middle attack. This impacts all Apple products, including servers, workstations, notebooks, phones, tablets, and Apple TV.

The flaw, introduced with the iOS 6 launch and only discovered on January 8th, means that any application using Apple's built-in SSL stack does not properly authenticate the source of a secure connection. The flaw also exists in OS X Mavericks, and Apple is said to be working on an emergency patch.

As of this writing, the only way to ensure your secure connections are actually secure on OS X is to use a browser that does not rely on Apple's SSL stack, such as Mozilla Firefox or Google Chrome. Safari is vulnerable until the patch is released.
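The failure pattern shared by the GnuTLS and Apple items above, a certificate verifier that reports a bad certificate as good because an error path skips a check, reproduced as an added C example written for this page. It is a constructed toy verifier, not code from GnuTLS, Apple, or any real TLS library: the `cert_t` record, the three check functions and the error codes are all assumptions made for the demo. `verify_buggy` follows the "goto fail" shape, where the result variable starts at success and a duplicated unconditional `goto` skips the signature check; `verify_fixed` only returns success after every check has run and passed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed certificate record for the demo: a hostname, days until
 * expiry, and a flag standing in for "the signature verifies". */
typedef struct {
    const char *hostname;
    int days_until_expiry;
    int signature_ok;
} cert_t;

enum { ERR_NONE = 0, ERR_NAME = 1, ERR_EXPIRED = 2, ERR_SIG = 3 };

static int check_name(const cert_t *c, const char *expected)
{
    return strcmp(c->hostname, expected) == 0 ? ERR_NONE : ERR_NAME;
}

static int check_expiry(const cert_t *c)
{
    return c->days_until_expiry > 0 ? ERR_NONE : ERR_EXPIRED;
}

static int check_signature(const cert_t *c)
{
    return c->signature_ok ? ERR_NONE : ERR_SIG;
}

/* Buggy verifier: err starts at "success" and the fail label returns it.
 * The duplicated goto after the expiry check jumps there unconditionally,
 * so check_signature() is never reached and a certificate with a bad
 * signature is reported as trusted (return value 0). */
int verify_buggy(const cert_t *c, const char *expected)
{
    int err = ERR_NONE;
    if ((err = check_name(c, expected)) != ERR_NONE)
        goto fail;
    if ((err = check_expiry(c)) != ERR_NONE)
        goto fail;
        goto fail;                     /* the duplicated line */
    if ((err = check_signature(c)) != ERR_NONE)
        goto fail;
fail:
    return err;
}

/* Hardened verifier: each check returns its own error immediately and
 * ERR_NONE is reached only after the last check has passed, so no skipped
 * step can turn into a success result. */
int verify_fixed(const cert_t *c, const char *expected)
{
    int err;
    if ((err = check_name(c, expected)) != ERR_NONE) return err;
    if ((err = check_expiry(c)) != ERR_NONE) return err;
    if ((err = check_signature(c)) != ERR_NONE) return err;
    return ERR_NONE;
}

int main(void)
{
    /* Constructed sample: right name, not expired, forged signature. */
    cert_t forged = { "example.test", 30, 0 };
    printf("buggy verifier:  %d (0 = trusted)\n",
           verify_buggy(&forged, "example.test"));
    printf("fixed verifier:  %d (3 = bad signature)\n",
           verify_fixed(&forged, "example.test"));
    return 0;
}
```

Compilers and static analysers flag the unreachable code in `verify_buggy`; treating such warnings as errors in TLS and certificate-handling code is the cheap detection for this whole class of bug.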
