HackDig: Dig high-quality web security articles for hackers

S3 Ep3: Cryptography, hacking and pwning Chrome [Podcast]

by Paul Ducklin. This week: the DOJ’s attempt to reignite the Battle to Break Encryption; the story of the Russian hackers behind the Sandworm Team; a zero-day bug just patched in Chrome; and (oh no!) why your vocabulary needs the word “restore” even more than it needs “backup”. Presenters: Kimberly Truong, Doug Aamoth and Paul Duck
Published: 2020-10-23 08:18 | Read: 229 | Comments: 0 | Tags: Cryptography Google Google Chrome Podcast crypto Cybercrime

The ultimate guide to encryption key management

Introduction. In cryptography, a key is a very important piece of information used in combination with an algorithm (a cipher) to transform plaintext into ciphertext (encryption). The first step of preventive security is not encryption; however, the proper management of a cryptographic key is essential. Key management includes the generating, using, storing,
Published: 2020-10-13 09:47 | Read: 279 | Comments: 0 | Tags: Cryptography

Digicert revokes a raft of web security certificates

by Paul Ducklin. Here’s a bureaucratic nightmare that unfolded over the weekend. Digicert is one of the Big Five commercial CAs, short for certificate authorities – companies that sign and vouch for the digital certificates that put the S in HTTPS and the padlock in your browser’s address bar. As we’ve mentioned before, web certificates
Published: 2020-07-13 11:32 | Read: 414 | Comments: 0 | Tags: Cryptography CA Digicert https TLS web certificate

Kinda sorta weakened version of EARN IT Act creeps closer

by Lisa Vaas. There are gut-churning tales of online child sexual abuse material (CSAM). Last week, when a bill designed to strip legal protection from online abusers sailed through the Senate Judiciary Committee, UC/Berkeley Professor Hany Farid passed on this example from investigators at the Department of Justice’s Child Exploitation and Obscenity Section:
Published: 2020-07-08 08:00 | Read: 515 | Comments: 0 | Tags: Cryptography Government security Law & order #nobackdoors Ba

Security risks of outdated encryption: Is your data really secure?

Introduction. They say that those who fail to learn history are doomed to repeat it. A salient factor in the defeat of Austria by Prussia in the 1866 Austro-Prussian war was the Prussian army’s standardization of the (then) modern, rapid-firing, bolt-action Dreyse needle-gun. In contrast, the Austrian army persisted with the use of outdated (slow-loading
Published: 2020-07-07 11:43 | Read: 516 | Comments: 0 | Tags: Cryptography

ECDSA: Handle with Care

The elliptic curve digital signature algorithm (ECDSA) is a common digital signature scheme that we see in many of our code reviews. It has some desirable properties, but can also be very fragile. For example, LadderLeak was published just a couple of weeks ago, which demonstrated the feasibility of key recovery with a side channel attack that reveals less t
Published: 2020-06-11 08:31 | Read: 459 | Comments: 0 | Tags: Cryptography

The mystery of the expiring Sectigo web certificate

by Paul Ducklin. There’s a bit of a kerfuffle in the web hosting community just at the moment over an expired web security certificate from a certificate authority called Sectigo, formerly Comodo Certificate Authority. Expired certificates are a problem because they cause the web server that relies on them to show up as “invalid” to any program
Published: 2020-06-02 14:55 | Read: 603 | Comments: 0 | Tags: Cryptography chain of trust openssl Sectigo SSL TLS

Detecting Bad OpenSSL Usage

by William Wang, UCLA. OpenSSL is one of the most popular cryptographic libraries out there; even if you aren’t using C/C++, chances are your programming language’s biggest libraries use OpenSSL bindings as well. It’s also notoriously easy to mess up due to the design of its low-level API. Yet many of these mistakes fall into easily identifi
Published: 2020-05-29 15:31 | Read: 626 | Comments: 0 | Tags: Cryptography Internship Projects Program Analysis

Verifying Windows binaries, without Windows

TL;DR: We’ve open-sourced a new library, μthenticode, for verifying Authenticode signatures on Windows PE binaries without a Windows machine. We’ve also integrated it into recent builds of Winchecksec, so that you can use it today to verify signatures on your Windows executables! As a library, μthenticode aims to be a breeze to integrate: It’s written in cr
Published: 2020-05-27 09:28 | Read: 626 | Comments: 0 | Tags: Cryptography Reversing

Reinventing Vulnerability Disclosure using Zero-knowledge Proofs

We, along with our partner Matthew Green at Johns Hopkins University, are using zero-knowledge (ZK) proofs to establish a trusted landscape in which tech companies and vulnerability researchers can communicate reasonably with one another without fear of being sabotaged or scorned. Over the next four years, we will push the state of the art in ZK proofs beyon
Published: 2020-05-24 08:07 | Read: 494 | Comments: 0 | Tags: Cryptography DARPA Press Release Vulnerability

Breaking the Ice: A Deep Dive Into the IcedID Banking Trojan’s New Major Version Release

The IcedID banking Trojan was discovered by IBM X-Force researchers in 2017. At that time, it targeted banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites, mainly in the U.S. IcedID has since continued to evolve, and while one of its more recent versions became active in late-2019, X-Force researchers have identifi
Published: 2020-04-01 07:12 | Read: 936 | Comments: 0 | Tags: Fraud Protection Malware Threat Research Banking Malware Ban

Crypto-Risk: Your Data Security Blind Spot

For many years — almost since the beginning of secure internet communications — data security professionals have had to face the challenge of using certificates, the mechanism that forms the basis of Transport Layer Security (TLS) communications. Certificates facilitate secure connections to websites (represented by the “s” in “https”
Published: 2020-03-23 10:45 | Read: 900 | Comments: 0 | Tags: Data Protection Risk Management Apple Business Continuity Ce

Report calls for web pre-screening to end UK’s child abuse ‘explosion’

by Lisa Vaas. A UK inquiry into child sexual abuse facilitated by the internet has recommended that the government require apps to pre-screen images before publishing them, in order to tackle “an explosion” in images of child sex abuse. The No. 1 recommendation from the independent inquiry into child sexual abuse (IICSA) report, which was published o
Published: 2020-03-16 08:53 | Read: 1062 | Comments: 0 | Tags: Cryptography Facebook Instagram Law & order Privacy Snapchat

PXJ Ransomware Campaign Identified by X-Force IRIS

Ransomware has become one of the most profitable types of malware in the hands of cybercriminals, with reported cybercrime losses tripling in the last five years, according to the FBI. A constant flow of new and reused code in this realm continues to flood both consumers and organizations who fight to prevent infections, respond to attacks and often resort t
Published: 2020-03-12 09:13 | Read: 1068 | Comments: 0 | Tags: Malware Threat Intelligence Cryptography Cybercrime Encrypti

Let’s Encrypt issues one billionth free certificate

by Danny Bradbury. Last week was a big one for non-profit digital certificate project Let’s Encrypt – it issued its billionth certificate. It’s a symbolic milestone that shows how important this free certificate service has become to web users. Publicly announced in November 2014, Let’s Encrypt offers TLS certificates for free. These cert
Published: 2020-03-02 09:21 | Read: 1010 | Comments: 0 | Tags: Cryptography ACME Automated Certificate Management Environme