HackDig : Dig high-quality web security articles for hackers

Serving up zero-knowledge proofs

By Jim Miller, Senior Cryptography Analyst. Zero-knowledge (ZK) proofs are gaining popularity, and exciting new applications for this technology are emerging, particularly in the blockchain space. So we’d like to shine a spotlight on an interesting source of implementation bugs that we’ve seen—the Fiat-Shamir transformation. A ZK proof can be either int
Publish At:2021-02-19 12:08 | Read:98 | Comments:0 | Tags:Cryptography Zero Knowledge

Free coffee! Dutch researcher hacks prepaid vending machines

by Paul Ducklin. Dutch cybersecurity researcher Polle Vanhoof just published a fascinating and well-written paper about an exploitable hole he found in the payment system used in some Nespresso prepaid coffee machines. That’s actually much better news than it sounds. Vanhoof disclosed the flaw back in September 2020; he has publicly praised Nespresso in his wr
Publish At:2021-02-04 12:13 | Read:160 | Comments:0 | Tags:Cryptography Vulnerability Crypto1 Mifare Nespresso NFC Vanh

GnuPG crypto library can be pwned during decryption – patch now!

by Paul Ducklin. Bug hunter Tavis Ormandy of Google’s Project Zero just discovered a dangerous bug in the GNU Privacy Guard team’s libgcrypt encryption software. The libgcrypt library is an open-source toolkit that anyone can use, but it’s probably best known as the encryption library used by the GNU Privacy Guard team’s own widely deploy
Publish At:2021-01-30 23:01 | Read:203 | Comments:0 | Tags:Cryptography Vulnerability Exploit GNU Privacy Guard GnuPG G

S3 Ep15: Titan keys, Mimecast certs and Solarwinds [Podcast]

by Paul Ducklin. We explain how two French researchers hacked the Google Titan security key product (but why you don’t need to panic), and dig into the Mimecast certificate compromise story to see what we can all learn from it. With Kimberly Truong, Doug Aamoth and Paul Ducklin. Intro and outro music: Edith Mudge. LISTEN NOW. Click-and-drag on the soundwaves b
Publish At:2021-01-14 13:07 | Read:228 | Comments:0 | Tags:Podcast Cryptography hacking Naked Security Podcast side-cha

Naked Security Live – HTTPS: do we REALLY need it?

by Paul Ducklin. Here’s our latest Naked Security Live talk, explaining why HTTPS is vital, even if you’re publishing public data that isn’t confidential. That’s because HTTPS isn’t just about the confidentiality of the data you browse to – it’s also about improving your privacy in respect of what you choose to look at, when you
Publish At:2021-01-11 14:55 | Read:308 | Comments:0 | Tags:Audio and Video Cryptography Privacy Video crypto https Nake

Google Titan security keys hacked by French researchers

by Paul Ducklin. In July 2018, after many years of using Yubico security key products for two-factor authentication (2FA), Google announced that it was entering the market as a competitor with a product of its own, called Google Titan. Security keys of this sort are often known as FIDO keys after the Fast IDentity Online Alliance, which curates the technical spe
Publish At:2021-01-11 11:01 | Read:189 | Comments:0 | Tags:Cryptography Google ecdsa FIDO hacking side-channel Titan se

Get back into the cybersecurity groove for 2021

by Paul Ducklin. A lot of technical articles, especially in the fields of computer science and information security, put you on the horns of a dilemma. To become an expert, you first need to read the article; yet to understand the article, you first need to be an expert. Well, here on Naked Security, we go out of our way to avoid this sort of “cybersecurity
Publish At:2020-12-31 09:49 | Read:353 | Comments:0 | Tags:Cryptography Privacy Security leadership Security threats se

Reverie: An optimized zero-knowledge proof system

Zero-knowledge proofs, once a theoretical curiosity, have recently seen widespread deployment in blockchain systems such as Zcash and Monero. However, most blockchain applications of ZK proofs make proof size and performance tradeoffs that are a poor fit for other use-cases. In particular, these protocols often require an elaborate trusted setup phase and op
Publish At:2020-12-14 09:26 | Read:249 | Comments:0 | Tags:Cryptography Internship Projects

S3 Ep10: Hacking iPhones, sunken Enigmas and double scams

by Paul Ducklin. In this episode, we dig into research that figured out a way to steal data from iPhones wirelessly; we tell the fascinating story of how environmentalist divers in Germany came across an old Enigma cipher machine at the bottom of the Baltic Sea; and we give you advice on how to talk to phone scammers. With Kimberly Truong, Doug Aamoth and Paul D
Publish At:2020-12-10 10:43 | Read:423 | Comments:0 | Tags:Apple iOS Podcast Privacy Spam Cryptography enigma Exploit h

S3 Ep3: Cryptography, hacking and pwning Chrome [Podcast]

by Paul Ducklin. This week: the DOJ’s attempt to reignite the Battle to Break Encryption; the story of the Russian hackers behind the Sandworm Team; a zero-day bug just patched in Chrome; and (oh no!) why your vocabulary needs the word “restore” even more than it needs “backup”. Presenters: Kimberly Truong, Doug Aamoth and Paul Duck
Publish At:2020-10-23 08:18 | Read:627 | Comments:0 | Tags:Cryptography Google Google Chrome Podcast crypto Cybercrime

The ultimate guide to encryption key management

Introduction. In cryptography, a key is a very important piece of information used to combine with an algorithm (a cipher) to transform plaintext into ciphertext (encryption). The first step of preventive security is not encryption; however, the proper management of a cryptographic key is essential. Key management includes the generating, using, storing,
Publish At:2020-10-13 09:47 | Read:447 | Comments:0 | Tags:Cryptography

Digicert revokes a raft of web security certificates

by Paul Ducklin. Here’s a bureaucratic nightmare that unfolded over the weekend. Digicert is one of the Big Five commercial CAs, short for certificate authorities – companies that sign and vouch for the digital certificates that put the S in HTTPS and the padlock in your browser’s address bar. As we’ve mentioned before, web certificates
Publish At:2020-07-13 11:32 | Read:659 | Comments:0 | Tags:Cryptography CA Digicert https TLS web certificate

Kinda sorta weakened version of EARN IT Act creeps closer

by Lisa Vaas. There are gut-churning tales of online child sexual abuse material (CSAM). Last week, when a bill designed to strip legal protection from online abusers sailed through the Senate Judiciary Committee, UC/Berkeley Professor Hany Farid passed on this example from investigators at the Department of Justice’s Child Exploitation and Obscenity Section:
Publish At:2020-07-08 08:00 | Read:883 | Comments:0 | Tags:Cryptography Government security Law & order #nobackdoors Ba

Security risks of outdated encryption: Is your data really secure?

Introduction. They say that those who fail to learn history are doomed to repeat it. A salient factor in the defeat of Austria by Prussia in the 1866 Austro-Prussian war was the Prussian army’s standardization of the (then) modern, rapid-firing, bolt-action Dreyse needle-gun. In contrast, the Austrian army persisted with the use of outdated (slow-loading
Publish At:2020-07-07 11:43 | Read:772 | Comments:0 | Tags:Cryptography

ECDSA: Handle with Care

The elliptic curve digital signature algorithm (ECDSA) is a common digital signature scheme that we see in many of our code reviews. It has some desirable properties, but can also be very fragile. For example, LadderLeak was published just a couple of weeks ago, which demonstrated the feasibility of key recovery with a side channel attack that reveals less t
Publish At:2020-06-11 08:31 | Read:677 | Comments:0 | Tags:Cryptography
