A group of Swiss researchers have published an impressive security analysis of Threema.

We provide an extensive cryptographic analysis of Threema, a Swiss-based encrypted messaging application with more than 10 million users and 7000 corporate customers. We present seven different attacks against the protocol in three different threat models. As one example, we present a cross-protocol attack which breaks authentication in Threema and which exploits the lack of proper key separation between different sub-protocols. As another, we demonstrate a compression-based side-channel attack that recovers users’ long-term private keys through observation of the size of Threema encrypted back-ups. We discuss remediations for our attacks and draw three wider lessons for developers of secure protocols.

From a news article:

Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta’s WhatsApp messenger. It’s among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

The company is performing the usual denials and deflections:

In a web post, Threema officials said the vulnerabilities applied to an old protocol that’s no longer in use. It also said the researchers were overselling their findings.

“While some of the findings presented in the paper may be interesting from a theoretical standpoint, none of them ever had any considerable real-world impact,” the post stated. “Most assume extensive and unrealistic prerequisites that would have far greater consequences than the respective finding itself.”

Left out of the statement is that the protocol the researchers analyzed is old because they disclosed the vulnerabilities to Threema, and Threema updated it.

I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.

…within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.

“It’s still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the Dark Web,” company researchers wrote. “However, the cybercriminal community has already shown significant interest and are jumping into this latest trend to generate malicious code.”

Last month, one forum participant posted what they claimed was the first script they had written and credited the AI chatbot with providing a “nice [helping] hand to finish the script with a nice scope.”

The Python code combined various cryptographic functions, including code signing, encryption, and decryption. One part of the script generated a key using elliptic curve cryptography and the curve ed25519 for signing files. Another part used a hard-coded password to encrypt system files using the Blowfish and Twofish algorithms. A third used RSA keys and digital signatures, message signing, and the blake2 hash function to compare various files.

Check Point Research report.

ChatGPT-generated code isn’t that good, but it’s a start. And the technology will only get better. Where it matters here is that it gives less skilled hackers—script kiddies—new capabilities.

Joe Biden and his administration seem to be in a forward-thinking gear on quantum-technology-linked cyber attacks leading to data breaches. On December 21st, 2022, the Senate passed a bipartisan bill to prevent data breaches emerging from quantum computing.

The Quantum Computing Cybersecurity Preparedness Act was made into legislation that prevents the usage of quantum computing technology in decrypting stolen information, as it can break any kind of cryptographic algorithm.

The latest bill also urges companies to maintain an inventory of all their IT assets that are vulnerable to quantum-enabled data breaches and to maintain a progress sheet on migrating the digital infrastructure to post-quantum cryptography.

Except for the National Security Systems, all other federal agencies are required to follow the inventory and the post-quantum cryptography standards prescribed by NIST. And from May 2023, they need to follow the guidelines prescribed for migration by the Office of Management and Budget (OMB).

NOTE 1: According to a discussion on Reddit, a 128-bit encryption standard can take at least 3 months to break and a 256-bit key might take even longer. However, AES 256 is believed to be quantum-resistant, as it can yield many brute-force iterations.

NOTE 2: All these days, we were worried about protecting computer networks from cyber warfare. Now, security researchers are encouraging IT engineers to develop an infrastructure that is quantum-proof.

Perhaps it’s high time to think about the deployment of quantum-proof encryption on servers storing and processing financial, healthcare, retail and manufacturing info, isn’t it?

The post Biden administration passes bill against Quantum Computing Data Breaches appeared first on Cybersecurity Insiders.

Drug dealers come unstuck while using the Encrochat encrypted-messaging app, and we put the Lensa AI’s avatar-generation tool under the microscope. All this and more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault. Plus – don’t miss our featured interview with Rico Acosta, IT manager at Bitwarden.

After way too many years, Apple is finally encrypting iCloud backups:

Based on a screenshot from Apple, these categories are covered when you flip on Advanced Data Protection: device backups, messages backups, iCloud Drive, Notes, Photos, Reminders, Safari bookmarks, Siri Shortcuts, Voice Memos, and Wallet Passes. Apple says the only “major” categories not covered by Advanced Data Protection are iCloud Mail, Contacts, and Calendar because “of the need to interoperate with the global email, contacts, and calendar systems,” according to its press release.

You can see the full list of data categories and what is protected under standard data protection, which is the default for your account, and Advanced Data Protection on Apple’s website.

With standard data protection, Apple holds the encryption keys for things that aren’t end-to-end encrypted, which means the company can help you recover that data if needed. Data that’s end-to-end encrypted can only be encrypted on “your trusted devices where you’re signed in with your Apple ID,” according to Apple, meaning that the company—or law enforcement or hackers—cannot access your data from Apple’s databases.

Note that this system doesn’t have the backdoor that was in Apple’s previous proposal, the one put there under the guise of detecting CSAM.

Apple says that it will roll out worldwide by the end of next year. I wonder how China will react to this.

To all those who are using various communication platforms with the thought that they are encrypted and so are free from prying eyes, here’s a news piece that needs your attention. It is not true that all communication platforms with such encryption claims are really operating as claimed.

One such platform is ‘Encrochat’, which was used in the UK until 2020. The platform, claiming to offer chats enriched with encryption, was not operating as said, and this led to the arrest of its users.

‘Encrochat’ was being used by two drug traffickers who made the mistake of sending a photo to one another along with a dog (maybe the dog was supposed to be a passcode). And to their misfortune, the National Crime Agency (NCA) intercepted the chat and nabbed the criminals, leading to their arrests.

Going deep into the case, two criminals, Danny Brown, 55, and Stefan Baldauf, 62, were caught by law enforcement and were sentenced to 26 and 28 years’ imprisonment, respectively. They were arrested when the NCA launched a crackdown on the EncroChat network, widely used by criminals since 2016.

In its early days, the company claimed that it was highly anonymous and so won the trust of over 60,000 users worldwide, of whom 10k were from the UK.

The NCA somehow took control of the network and nabbed over 746 criminals, though it is unclear how law enforcement infiltrated the network.

Coming back to the topic, the two criminals had a communication in which one party sent a picture to the other, and this is where they made a mistake. Though they managed to conceal their identity by using pseudonyms in chats, they paid little attention to masking the identity of their dog. As a result, a phone number engraved on the locket on its neck led to the owner and then to the criminals, sending them to prison.

Now, the lesson to be learnt from this entire story is never to believe in firms that boast about offering encrypted chats or a secured communication line, as we never know how good they are at keeping their word or who is screening the servers in their data centers to read and analyze the info flowing through.

The post Fake encryption claims in chats leads to Criminals Arrest appeared first on Cybersecurity Insiders.

Diplomatic code cracked after 500 years:

In painstaking work backed by computers, Pierrot found “distinct families” of about 120 symbols used by Charles V. “Whole words are encrypted with a single symbol” and the emperor replaced vowels coming after consonants with marks, she said, an inspiration probably coming from Arabic.

In another obstacle, he used meaningless symbols to mislead any adversary trying to decipher the message.

The breakthrough came in June when Pierrot managed to make out a phrase in the letter, and the team then cracked the code with the help of Camille Desenclos, a historian. “It was painstaking and long work but there was really a breakthrough that happened in one day, where all of a sudden we had the right hypothesis,” she said.

Brian Krebs writes about how the Zeppelin ransomware encryption scheme was broken:

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects.

“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”

Unit 221B ultimately built a “Live CD” version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.

A company offered recovery services based on this break, but was reluctant to advertise because it didn’t want Zeppelin’s creators to fix their encryption flaw.

Technical details.
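An added illustration, not taken from Krebs's article or Unit 221B's write-up, of why recovering and factoring the one RSA public key undoes the whole scheme. It assumes a simplified design in which the file key is wrapped directly under the RSA key with no padding, and it uses a constructed toy modulus of about 92 bits so that it runs in well under a second; all function names are hypothetical.

```python
import math

# Constructed toy parameters: two Mersenne primes stand in for the
# 256-bit primes of an RSA-512 key.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537

def pollard_rho(n, c=1):
    """Return a non-trivial factor of an odd composite n (Pollard's rho)."""
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n            # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1                             # no factor on this cycle, new constant

def recover_private_exponent(n, e):
    """Factor the public modulus and rebuild the private exponent d."""
    p = pollard_rho(n)
    q = n // p
    if p * q != n:
        raise ValueError("factorisation failed")
    return pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+

def unwrap_file_key(wrapped, n, e):
    """Recover the wrapped symmetric key from public values only."""
    return pow(wrapped, recover_private_exponent(n, e), n)

def modulus_meets_minimum(n, minimum_bits=2048):
    """Defender-side check: flag RSA moduli below a minimum size."""
    return n.bit_length() >= minimum_bits

if __name__ == "__main__":
    n = P * Q
    file_key = 0x0123456789ABCDEF          # constructed stand-in for the AES key
    wrapped = pow(file_key, E, n)          # what would be stored beside the files
    print(hex(unwrap_file_key(wrapped, n, E)))
    print("modulus acceptable:", modulus_meets_minimum(n))
```

Everything the file encryption depends on is derivable from the public modulus once that modulus is small enough to factor, which is why the key size, not the AES-256 layer, determined the strength of the scheme.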