Articles about crypto

GCHQ bod tells privacy advocates: Most of our work is making sure we operate within the law

Privacy advocates, journalists and a representative from GCHQ squared off in a debate on surveillance in Cambridge today. The heavyweight exchange of ideas between Cambridge security engineering professor Ross Anderson and Ian Levy, technical director of the National Cyber Security Centre, the assurance arm of GCHQ, took place …
John Leyden, 29 May 2018

Never mind the WPA2 drama... Details emerge of TPM key cockup that hits tonnes of devices

RSA keys produced by smartcards, security tokens, laptops, and other devices using cryptography chips made by Infineon Technologies are weak and crackable – and should be regenerated with stronger algorithms. In short, Infineon TPMs – aka trusted platform modules – are used in countless computers and gadgets to generate RSA …
John Leyden, 16 Oct 2017

HSBC biz banking crypto: The case of the vanishing green padlock and... what domain are we on again?

HSBC has been faulted for redirecting business customers to a website that is not obviously secure. Rob Jonson, director of Hobbyist Software, who alerted us to the issue, was concerned that he'd fallen victim to a phishing scam. I logged into my HSBC business account, and the site failed to give me any info. Then I looked …
John Leyden, 8 Sep 2017

GTFO of there! Security researchers turn against HTTP public key pinning

Security researchers have endorsed industry guru Scott Helme's vote of no confidence in a next-generation web crypto technology. Helme said he was "giving up on HPKP" after experimenting with the tech and ultimately finding it too cumbersome for mainstream use even among security-conscious organisations. HTTP Public Key …
John Leyden, 25 Aug 2017

Good Lord: Former UK spy boss backs crypto

A former boss at UK domestic spy arm MI5 has cautioned against a crackdown on encrypted messaging apps. Lord Evans, who retired in 2013, told BBC Radio 4’s Today programme (link here) that he did not support encryption restrictions despite acknowledging cryptography had been an obstacle in investigating terrorist cases, saying …
John Leyden, 11 Aug 2017

Five-eyes nations want comms providers to bust crypto for them

This week's five-eyes meeting has issued its communique, promising to get the tech sector to solve the problems of online terrorism and encrypted communications. As is the way of political communiques, there's a carefully-crafted lack of detail (sufficient, for example, for plausible deniability) about what exactly is planned …

Ex-military and security firms oppose Home Sec in WhatsApp crypto row

UK government ministers calling for increased surveillance abilities in the wake of last Wednesday's terrorist attack have encountered opposition from a somewhat unexpected quarter. Home Secretary Amber Rudd went on TV at the weekend to say it was "completely unacceptable" that authorities were unable to look at the encrypted …
John Leyden, 27 Mar 2017

You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p". The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: …
Darren Pauli, 31 Jan 2017

Alleged ISIS member 'wore USB cufflink and trained terrorists in encryption'

A Cardiff man said to be a member of ISIS and who is alleged to have trained terrorists in the use of encryption will be put on trial in March. Samata Ullah, 33, was charged earlier this month with six terrorism offences. Today at the Old Bailey Mr Justice Holroyde remanded Ullah in custody until 17 November, according to the …
Gareth Corfield, 28 Oct 2016

Ageing GSM crypto cracked on commodity graphics rig

The crypto scheme applied to second generation (2G) mobile phone data can be hacked within seconds, security researchers have demonstrated. The work by researchers from the Agency for Science, Technology and Research (A*STAR), Singapore shows that breaking the A5/1 stream cipher used by 2G is possible using commodity hardware …
John Leyden, 24 Oct 2016

Zombie crypto stalks smart grids

The Open Smart Grid Protocol's custom RC4 encryption has been cracked – again. OSGP was called out last year for rolling its own crypto, based on the deprecated RC4. At the time, the OSGP Alliance said it would implement better security, but the RC4 zombie is still shambling around, according to German researchers Linus …

Boffins boost IETF crypto efforts

A pair of German engineers want to give a push to the adoption of new crypto in the IETF by pushing the curves in RFC 7748 into hardware. RFC 7748, here, is a research-level document that describes proposed new elliptic curves for use in applications like Transport Layer Security (TLS). Moving from research to the real world …

Critical flaw in Pidgin, Adium's Off The Record chat lib. Patch ASAP

Security researchers have discovered a critical vulnerability in libotr, a software library used in chat apps to send and receive encrypted messages. Several instant messengers – including ChatSecure, Pidgin, Adium and Kopete – are affected by the remote-code execution bug in libotr, which was discovered by Markus Vervier at …
John Leyden, 10 Mar 2016

Cloud sellers who acted on Heartbleed sink when it comes to DROWN

Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago. DROWN (which stands for Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects …
John Leyden, 8 Mar 2016

Awoogah – brown alert: OpenSSL preps 'high severity' security fixes

Developers behind the widely used OpenSSL encryption library have warned that they will issue fixes for a mix of bugs next Tuesday (1 March). The patches will land right in the middle of the RSA Conference, infosec marketing's version of the Superbowl. It's understood the bugs are significant (as in, patch as soon as you can …
John Leyden, 25 Feb 2016

Go full SHA-256 by June or get locked out, say payments bods Bacs

Online businesses in the UK will have to update their systems and adopt SHA-2 before June in order to avoid losing access to vital payment and money transfer services. Failure to change before a 13 June deadline will leave merchants unable to use Bacs Payment Schemes Limited (Bacs) to make salary or supplier payments or to …
John Leyden, 17 Feb 2016

Stray electronic-magnetic leaks used to harvest PC crypto keys

Israeli security researchers have been able to extract encryption keys from a nearby computer by analysing stray electromagnetic radiation. The attack by computer scientists from Tel Aviv University shows that TEMPEST-style side channel attacks are no longer just the preserve of Mission Impossible and three-letter spy agencies …
John Leyden, 16 Feb 2016

Crimestoppers finally revamps weak crypto. Take your time guys

UK crime tip-off service Crimestoppers has revamped its weak website crypto after months of running a system that relied upon obsolete protocols. Crimestoppers' "secure" form was previously insecure – rating an "F" in tests using the industry standard SSL Labs service last month – chiefly because of the site's use of the SSLv2 …
John Leyden, 20 Nov 2015

Biting the hand that feeds IT © 1998–2018