Syber Group

Microsoft To Block SHA-1 Hashing

November 19, 2015
Filed under Computing


Software giant Microsoft has joined Mozilla and will consider blocking the SHA-1 hashing algorithm on Windows to keep the US spooks from using it to spy on users' computers.

Redmond had earlier said that Windows would block SHA-1 signed TLS (Transport Layer Security) certificates from January 1, 2017, but is now mulling moving up the date to June.

There have been concerns about the algorithm’s security as researchers have proven that a forged digital certificate that has the same SHA-1 hash as a legitimate one can be created. Users can then be tricked into interacting with a spoofed site in what is called a hash collision.

In October, a team of cryptanalysts warned that the SHA-1 standard should be withdrawn as the cost of breaking the algorithm had dropped faster than expected to US$75,000 to $120,000 in 2015 using freely available cloud computing.

Programme manager for Microsoft Edge Kyle Pflug wrote in his blog that Redmond will coordinate with other browser vendors to evaluate the impact of this timeline based on telemetry and current projections for feasibility of SHA-1 collisions.

Mozilla said in October that in view of recent attacks it was considering a cut-off of July 1, 2016 to start rejecting all SHA-1 SSL certificates, regardless of when they were issued, ahead of an earlier scheduled date of January 1, 2017.

Courtesy- http://www.thegurureview.net/computing-category/microsoft-to-block-sha-1-hashing.html

Facebook To Require Stronger Digital Signature

June 16, 2015
Filed under Security


Facebook will require application developers to adopt a more secure type of digital signature for their apps, which is used to verify a program’s legitimacy.

As of Oct. 1, apps will have to use SHA-2 certificate signatures rather than ones signed with SHA-1. Both are cryptographic algorithms that are used to create a hash of a digital certificate that can be mathematically verified.

Apps that use SHA-1 after October won’t work on Facebook anymore, wrote Adam Gross, a production engineer at the company, in a blog post.

“We recommend that developers check their applications, SDKs, or devices that connect to Facebook to ensure they support the SHA-2 standard,” Gross wrote.

SHA-1 has been considered weak for about a decade. Researchers have shown it is possible to create a forged digital certificate that carries the same SHA-1 hash as a legitimate one.

The type of attack, called a hash collision, could trick a computer into thinking it is interacting with a legitimate digital certificate when it actually is a spoofed one with the same SHA-1 hash. Using such a certificate could allow an attacker to spy on the connection between a user and an application or website.

Microsoft, Google, Mozilla and other organizations have also moved away from SHA-1 and said they will warn users of websites that are using a connection that should not be trusted.

The Certificate and Browser Forum, which develops best practices for web security, has recommended in its Baseline Requirements that digital certificate issuers stop using SHA-1 as of Jan. 1.


Twitter To Allow Money Tweets

October 22, 2014
Filed under Around The Net


One of France’s largest banks is partnering with social network Twitter Inc. to allow its customers to transfer money via tweets.

The move by Groupe BPCE, France’s second largest bank by customers, coincides with Twitter’s own foray into the world of online payments as the social network seeks new sources of revenue beyond advertising.

Twitter is racing other tech giants Apple and Facebook to get a foothold in new payment services for mobile phones or apps. They are collaborating and, in some cases, competing with banks and credit card issuers that have run the business for decades.

The bank said last month it was prepared to offer simple person-to-person money transfers via Twitter to French consumers, regardless of what bank they use, and without requiring the sender to know the recipient’s banking details.

“(S-Money) offers Twitter users in France a new way to send each other money, irrespective of their bank and without having to enter the beneficiary’s bank details, with a simple tweet,” Nicolas Chatillon, chief executive of S-Money, BPCE’s mobile payments unit, said in the statement.

Payment by tweets will be managed via the bank’s S-Money service, which allows money transfers via text message and relies on the credit-card industry’s data security standards.

BPCE and Twitter declined to provide further details ahead of a news conference in Paris later today to unveil the service.

Last month, Twitter started trials of its own new service, dubbed “Twitter Buy”, to allow consumers to find and buy products on its social network.

The service embeds a “Twitter Buy” button inside tweets posted by more than two dozen stores, music artists and non-profits. Burberry, Home Depot, and musicians such as Pharrell and Megadeth are among the early vendors.

Twitter’s role to date has been to connect customers rather than processing payments or checking their identities.


PoS Cyber Attacks Up In 2013

June 4, 2014
Filed under Around The Net


A third of the data intrusions investigated by security firm Trustwave last year involved compromises of point-of-sale (POS) systems, and over half of all intrusions targeted payment card data.

Even though POS systems remained a significant target for attackers, as suggested by several high-profile data breaches disclosed by large retailers over the past six months, the largest number of data theft incidents last year actually involved e-commerce sites, Trustwave said Wednesday in a report that compiled data from 691 data breach investigations conducted by the company around the world.

E-commerce intrusions accounted for 54 percent of investigated data breaches and POS system intrusions accounted for 33 percent, Trustwave said. A separate report published by Verizon in April also pointed to Web application and PoS attacks as leading causes of security incidents with confirmed data disclosure last year.

According to Trustwave, over half of intrusions targeted payment-card data, with such data being stolen from e-commerce transactions in 36 percent of incidents and from POS transactions in 19 percent of attacks.

In Western Europe in particular, where countries have rolled out EMV — chip-and-PIN payment card transactions — cybercriminals shifted their focus from POS devices to e-commerce platforms, said John Yeo, EMEA Director at Trustwave. “EMV has changed the pattern of compromises when it comes to payment-card-specific data.”

However, a significant increase in the theft of sensitive, non-payment-card data was also observed last year. This data includes financial credentials, personally identifiable information, merchant ID numbers and internal company communications, and was stolen in 45 percent of incidents, Trustwave said in the report.

Customer records containing personally identifiable information can possibly be used to perpetrate identity fraud and are sought after on the black market, so that’s why there’s been an uptick in attacks focusing on such data, Yeo said.

Only about a third of victim companies were able to self-detect data breaches, Trustwave found. In 58 percent of cases, breaches were identified by regulatory bodies, the credit card companies or merchant banks.
