Tag: encryption

In a first, cryptographic keys protecting SSH connections stolen in new attack

For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.

Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years. The researchers suspect keys used in IPsec connections could suffer the same fate. SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments. IPsec is a protocol used by virtual private networks that route traffic through an encrypted tunnel.

The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.

While the percentage is infinitesimally small, the finding is nonetheless surprising for several reasons—most notably because most SSH software in use—including OpenSSH—has deployed a countermeasure for decades that checks for signature faults before sending a signature over the Internet. Another reason for the surprise is that until now, researchers believed that signature faults exposed only RSA keys used in the TLS—or Transport Layer Security—protocol encrypting Web and email connections. They believed SSH traffic was immune from such attacks because passive attackers—meaning adversaries simply observing traffic as it goes by—couldn’t see some of the necessary information when the errors happened.

The researchers noted that since the 2018 release of TLS version 1.3, the protocol has encrypted handshake messages occurring while a web or email session is being negotiated. That has acted as an additional countermeasure protecting key compromise in the event of a computational error. Keegan Ryan, a researcher at the University of California San Diego and one of the authors of the research, suggested it may be time for other protocols to include the same additional protection.

Keep reading

5 WAYS TO PREPARE FOR THE ONLINE PRIVACY CRACKDOWN

The internet is about to change. In many countries, there’s currently a coordinated legislative push to effectively outlaw encryption of user uploaded content under the guise of protecting children. This means websites or internet services (messaging apps, email, etc.) could be held criminally or civilly liable if someone used it to upload abusive material. If these bills become law, people like myself who help supply private communication services could be penalized or put into prison for simply protecting the privacy of our users. In fact, anyone who runs a website with user-uploaded content could be punished the same way. In today’s article, I’ll show you why these bills not only fail at protecting children, but also put the internet as we know it in jeopardy, as well as why we should question the organizations behind the push.

Let’s quickly recap some of the legislation.

Keep reading

The EU Could Push its Private Message Ban as Early as Next Week

The EU is getting ever closer to pushing through the legislation known among critics as “chat control” – officially, Child Sexual Abuse Regulation, CSAR – and is hoping to reach a deal on this within the bloc as early as next week.

One of those who have been consistently opposed to the controversial upcoming rules, a German member of European Parliament (MEP) and lawyer Patrick Breyer, has reacted by warning once again that regardless of some minor changes if passed, the bill would effectively spell the end of proper encryption and private messaging in the EU.

Instead, the implication is, that CSAR would usher in the era of indiscriminate mass surveillance in this part of the digital space.

Warning that a recent “minor concession” the EU member-states have managed to agree on was a bid to finally come up with a majority and push the plans over the top, Breyer, referring to the proposal as “chat control 2.0,” calls it an “unprecedented” (at least for the EU) example of mass surveillance.

The summary of the regulation is that online services that provide messaging and chat would, going forward, have to implement automatic scanning of all private text and images – looking for potential abusive content, and then let the EU know about it.

There is no shortage of controversy and misgivings here, with two clearly standing out: once in place, what can this infrastructure be used for next (if politicians decide) – and the other, how are online platforms even supposed to make it work accurately and fairly, technically speaking?

Now, we are hearing that the EU Council is looking to “soften the blow,” at least rhetorically, but saying that the scanning would at first only apply to “previously classified CSAM (child sexual abuse material)” – but then later still expand it to everything.

Keep reading

9 Mysterious Undeciphered Codes and Inscriptions in History

From Neolithic tablets containing the oldest known system of writing, to a series of letters scrawled on the back of a dead man’s book, some of the most legendary undeciphered codes and texts remain a challenge for even the world’s best cryptographers, code breakers and linguists. Yet unravelling these mysterious puzzles remains as important as ever, since many of these enigmatic inscriptions could hold the keys to understanding civilizations that have long since faded into historic oblivion. Here we feature nine of the most fascinating undeciphered codes and inscriptions throughout history.

Keep reading

Police Seek a Radio Silence That Would Mute Critics in the Press

As a freelance journalist many years ago, I was walking the streets of Brooklyn, looking for a juicy story, anything that I could get into print. I was coming up empty. So I did what anyone would do in that situation. I had lunch.

Halfway through my Jamaican jerk chicken, I heard several gunshots, and in a flash, a man ran by the restaurant. I threw my money on the table and headed to the scene. When I got there a bystander pointed me toward the spent shells. I looked around and talked to witnesses. As one young man pontificated to me about poverty and unemployment leading to crime, I noticed that the cops weren’t there yet. But a photographer from the Daily News was.

That was because, like any good crime reporter, he was listening to police radio and responding to 911 calls, hoping to catch fresh crime footage, fires and other colorful photos that editors love. He’s not alone. Journalists around the country do this, as does anyone who is simply interested in cops, firefighters and other emergency services. Police scanners aren’t cheap, but they are readily available at many electronics retailers.

Keep reading

The UK passes massive online safety bill

The UK’s Online Safety Bill is ready to become law. The bill, which aims to make the UK “the safest place in the world to be online,” passed through the Houses of Parliament on Tuesday and imposes strict requirements on large social platforms to remove illegal content. It will be enforced by UK telecom regulatory agency Ofcom.

Additionally, the Online Safety Bill mandates new age-checking measures to prevent underage children from seeing harmful content. It also pushes large social media platforms to become more transparent about the dangers they pose to children, while also giving parents and kids the ability to report issues online. Potential penalties are also harsh: up to 10 percent of a company’s global annual revenue. The bill has been reworked several times in a multiyear journey through Parliament.

But not only does online age verification raise serious privacy concerns — the bill could also put encrypted messaging services, like WhatsApp, at risk. Under the terms of the bill, encrypted messaging apps would be obligated to check users’ messages for child sexual abuse material.

Depending on how the rule is enforced, this could essentially break apps’ end-to-end encryption promise, which prevents third parties — including the app itself — from viewing users’ messages. In March, WhatsApp refused to comply with the bill and threatened to leave the UK rather than change its encryption policies. It joined Signal and other encrypted messaging services in protesting the bill, leading UK regulators to attempt to assuage their concerns by promising to only require “technically feasible” measures.

Keep reading

U.K. Government Finally Admits It Can’t Scan for Child Porn Without Violating Everybody’s Privacy

The U.K. government finally acknowledges that a component of the Online Safety Bill that would force tech companies to scan data and messages for child porn images can’t be implemented without violating the privacy rights of all internet users and undermining the data encryption tools that keep our information safe.

And so the government is backing down—for now—on what’s been called the “spy clause.” Using the justification of fighting the spread of child sexual abuse material (CSAM), part of the Online Safety Bill would have required online platforms to create “backdoors” that the British government could use to scan messages between social media users. The law also would’ve allowed the government to punish platforms or sites that implement end-to-end encryption and prevent the government from accessing messages and data.

While British officials have insisted that this intrusive surveillance power would be used only to track down CSAM, tech and privacy experts have warned repeatedly that there’s no way to implement a surveillance system that could be used only for this particular purpose. Encryption backdoors allow criminals and oppressive governments to snoop on people for dangerous and predatory purposes. Firms like Signal and WhatsApp threatened to pull their services from the U.K. entirely if this bill component moved forward.

Keep reading

Researchers find deliberate backdoor in police radio encryption algorithm

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or reroute trains.

Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services, and Ministry of Defense for mission-critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

The technology is not widely used in the US, where other radio standards are more commonly deployed. But Caleb Mathis, a consultant with Ampere Industrial Security, conducted open source research for WIRED and uncovered contracts, press releases, and other documentation showing TETRA-based radios are used in at least two dozen critical infrastructures in the US. Because TETRA is embedded in radios supplied through resellers and system integrators like PowerTrunk, it’s difficult to identify who might be using them and for what. But Mathis helped WIRED identify several electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system on the East Coast, three international airports that use them for communications among security and ground crew personnel, and a US Army training base.

Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Midnight Blue in the Netherlands discovered the TETRA vulnerabilities—which they’re calling TETRA:Burst—in 2021 but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations. Not all of the issues can be fixed with a patch, however, and it’s not clear which manufacturers have prepared them for customers. Motorola—one of the largest radio vendors—didn’t respond to repeated inquiries from WIRED.

Keep reading

UK Home Secretary Uses Idea of Keeping Children Safe as a Justification To Demand Ban on Private Messaging

It would be extremely refreshing to hear a government official in the UK, or in a number of other countries, make a, “think of the encryption” plea – which would show they understand the very fundamentals of a safe and privacy-preserving internet.

But instead, we are getting more and more “think of the children” platitudes – as always, designed not to actually do that, but mask other, controversial and unpopular policies.

This time, it is UK’s Home Secretary Suella Braverman who claims that her opposition to Facebook’s slow-moving, alleged attempt to make a number of its products safe via implementing end-to-end encryption has to do with fears that children might get abused online.

Any tech-literate person would present the big picture, and argue quite the opposite, but Braverman is either not one of those, or elects to pretend not to be, in order to serve a policy that is staunchly anti-encryption, for a whole different reason – summed up, that technology stands severely annoyingly, no doubt, in the way of governments’ wholesale mass surveillance of everybody on the internet.

And what better place to twist the narrative about fears of awful things like child grooming and sexual abuse – perversely juxtaposed with actually improving internet security, i.e., encryption – than a get-together of the (in)famous “Five Eyes,” held in one eager member – New Zealand.

Braverman made an effort to write to Facebook CEO Mark Zuckerberg and, ignoring the reality of what an internet without encryption would turn into, tried, no doubt, above all to pull at her constituents’ heartstrings:

“As a mother to young children,” the politician stomped her feet, “I won’t stand by idly and watch this happen,” The Daily Mail reported.

“This” would be – platforms like Facebook Messenger and Instagram Direct introducing secure communications, so that third parties – be they criminals, malign (foreign) actors, or (sometimes (effectively malign) domestic law enforcement – cannot just swoop in and use personal information in any way they please, including to directly harm those participating, children included, by gaining unfettered access to all their data.

Keep reading

These ‘Psychedelic Cryptography’ Videos Have Hidden Messages Designed to Be Seen While Tripping

A new competition focused on “Psychedelic Cryptography” has awarded cash prizes to artists who made videos encoded with hidden messages that can be most easily deciphered by a person who is tripping on psychedelic substances, such as LSD, ayahuasca, or psilocybin mushrooms.

Qualia Research Institute (QRI), a California-based nonprofit group that researches consciousness with backing from tech investors and experts, announced the winners of its Psychedelic Cryptography (PsyCrypto) contest last week. The goal of the exercise was “to create encodings of sensory information that are only meaningful when experienced on psychedelics in order to show the specific information-processing advantages of those states,” according to the original contest page, which was posted in March.

Artist Raimonds Jermaks clinched the first and second place prizes in the contest for videos entitled “Can You See Us?” and “ We Are Here. Let’s Talk.” The third prize went to Rūdolfs Balcers for the video “The Key.” The contest entries were judged by members of QRI’s international phenomenologist network, and evaluated based on their effectiveness, specificity, and aesthetic value.

The winning videos play on the common psychedelic experience of seeing radiant “tracers,” which are trails of colors and afterimages that linger in the visual field. The winning artists used this effect to write out tracer-based messages that are incomprehensible to a sober person, but that can be understood while tripping.  

Keep reading