AES Encryption Cracked
CRYPTOGRAPHY RESEARCHERS have identified a weakness in the Advanced Encryption Standard (AES) security algorithm that can crack secret keys faster than before.
The crack is the work of a trio of researchers at universities and Microsoft, and involved a lot of cryptanalysis – which is somewhat reassuring – and still does not present much of a real security threat.
Andrey Bogdanov, from K.U.Leuven (Katholieke Universiteit Leuven), Dmitry Khovratovich, who is full time at Microsoft Research, and Christian Rechberger at ENS Paris were the researchers.
Although there have been other attacks on the key-based AES security system, none have really come close, according to the researchers. But this new attack does, and it can be used against all versions of AES.
This is not to say that anyone is in immediate danger and, according to Bogdanov, although it is four times easier to carry out it is still something of an involved procedure.
Recovering a key is no five minute job and despite being four times easier than other methods the number of steps required to crack AES-128 is an 8 followed by 37 zeroes.
“To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key,” the Leuven University researcher added. “Because of these huge complexities, the attack has no practical implications on the security of user data.” Andrey Bogdanov told The INQUIRER that a “practical” AES crack is still far off but added that the work uncovered more about the standard than was known before.
“Indeed, we are even not close to a practical break of AES at the moment. However, our results do shed some light into the internal structure of AES and indicate where some limits of the AES design are,” he said.
He added that the advance is still significant, and is a notable progression over other work in the area.
“The result is the first theoretical break of the Advanced Encryption Standard – the de facto worldwide encryption standard,” he explained. “Cryptologists have been working hard on this challenge but with only limited progress so far: 7 out of 10 for AES-128 as well as 8 out of 12 for AES-192 and 8 out of 14 rounds for AES-256 were previously attacked. So our attack is the first result on the full AES algorithm.”
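The article's perspective figures (an attack needing "8 followed by 37 zeroes" steps, "four times easier" than brute force, "more than two billion years" on a trillion machines testing a billion keys per second) can be checked directly. The block below is an added example written for this page, not code from the researchers; the machine and throughput numbers are the article's hypothetical ones, and the attack cost is taken as exactly 8e37 steps as the text states it.

```python
"""Work-factor arithmetic for the AES-128 result described in the article.

Added example: exhaustive search over a 128-bit key tries up to 2**128 keys;
the reported attack is said to need about 8 followed by 37 zeroes steps.
The helper functions express what such a reduction means in wall-clock time
and in equivalent key length, which is the figure practitioners actually
compare against when judging whether a cryptanalytic result matters.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Attack cost as stated on the page: an 8 followed by 37 zeroes.
ATTACK_STEPS_AES128 = 8 * 10**37


def brute_force_steps(key_bits: int) -> int:
    """Worst-case number of key tests for exhaustive search of a key_bits key."""
    return 2**key_bits


def speedup(baseline_steps: int, attack_steps: int) -> float:
    """How many times cheaper the attack is than the baseline (about 4 here)."""
    return baseline_steps / attack_steps


def years_to_recover(steps: int, machines: int, keys_per_second: int) -> float:
    """Wall-clock years to perform `steps` key tests on `machines` parallel
    testers, each doing `keys_per_second` tests (perfect parallelism assumed)."""
    aggregate_rate = machines * keys_per_second
    return steps / aggregate_rate / SECONDS_PER_YEAR


def effective_key_bits(steps: int) -> float:
    """Express a step count as the key length a brute-force search of that
    cost would correspond to, i.e. log2(steps)."""
    return math.log2(steps)


if __name__ == "__main__":
    baseline = brute_force_steps(128)
    print(f"speedup over brute force: {speedup(baseline, ATTACK_STEPS_AES128):.2f}x")
    # The article's scenario: a trillion machines, a billion keys per second each.
    years = years_to_recover(ATTACK_STEPS_AES128, 10**12, 10**9)
    print(f"years on 10^12 machines at 10^9 keys/s: {years:.2e}")
    print(f"effective security: ~{effective_key_bits(ATTACK_STEPS_AES128):.1f} bits")
```

The point the arithmetic makes is that shaving a factor of four off 2^128 leaves roughly 2^126 work: the attack changes the effective key length by about two bits, which is why the researchers describe it as theoretical rather than a reason to migrate away from AES.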
Get Ready For Email-Malware Spree
A sizeable uptick in malicious email attachments is just subsiding, but if history is any indicator, several smaller spikes are about to follow that use even more deceptive tactics than their predecessors.
The recent surge, fueled in large part by a flood of fake messages from UPS, is similar to one observed at the end of March in that the messages urge recipients to open an attachment that releases the malware on victims’ machines, according to Internet security firm Commtouch.
The earlier wave used a wide range of package-delivery services as senders, including FedEx and DHL, but the latest outbreak employs a wider variety of messages such as, “Dear client, recipient’s address is wrong”, “Dear User, Delivery Confirmation: FAILED”, and “Dear Client, We are not able to delivery [sic] the postal package”, according to the Commtouch blog.
All the messages then instruct the recipient to open the attachment that contains the malware, claiming it is an invoice or a form that needs to be filled out. “This time we see differences in the style of the emails – there is far more variation in the automatically-generated subjects, body and attachment names. Last time all the attachments were “UPS.exe” – this time there are many variations,” says Avi Turiel, director of product marketing at Commtouch in an email.
The attackers will evaluate the success of the attack by finding out how many recipients activated the malware. “Based on the infections vs. malware sent out they will probably try and figure out what they could improve in the next attack,” he says.
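The campaign described above relies on two things a mail gateway can score without any signature: an executable attachment dressed up as an invoice or form, and courier-themed lure wording in the subject or body. The block below is an added example, not Commtouch's code or any product's rule set; the sample messages are constructed to resemble the lures quoted in the article, the sender domains are made up, and the weights and the hold threshold are illustrative choices.

```python
"""Triage rules for delivery-themed malware mail, as an added example.

Scores each message on (a) whether it carries an executable attachment,
(b) whether that attachment uses a double extension or a document-like name,
and (c) whether the subject/body uses courier-delivery lure wording.
Lure wording alone scores low; an executable attachment is what drives a hold.
"""
import re
from dataclasses import dataclass
from typing import List

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DOCUMENT_WORDS = ("invoice", "form", "label", "receipt", "confirmation")
LURE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\b(ups|fedex|dhl)\b",
        r"\b(package|parcel|shipment|postal)\b",
        r"delivery (confirmation|failed|notification)",
        r"recipient'?s address",
        r"not able to deliver",
    )
]
HOLD_THRESHOLD = 3


@dataclass
class Message:
    msg_id: str
    sender: str
    subject: str
    body: str
    attachments: List[str]  # attachment file names


@dataclass
class Verdict:
    msg_id: str
    score: int
    reasons: List[str]

    @property
    def flagged(self) -> bool:
        return self.score >= HOLD_THRESHOLD


def attachment_extensions(name: str) -> List[str]:
    """All extensions of a file name, so 'form.pdf.exe' -> ['pdf', 'exe']."""
    return name.lower().split(".")[1:]


def score_message(msg: Message) -> Verdict:
    score, reasons = 0, []
    for name in msg.attachments:
        exts = attachment_extensions(name)
        if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
            score += 3
            reasons.append(f"executable attachment: {name}")
            if len(exts) > 1:
                score += 1
                reasons.append(f"double extension: {name}")
            if any(word in name.lower() for word in DOCUMENT_WORDS):
                score += 1
                reasons.append(f"executable posing as a document: {name}")
    text = f"{msg.subject}\n{msg.body}"
    lure_hits = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    if lure_hits:
        score += min(len(lure_hits), 2)  # lure wording is weak evidence on its own
        reasons.append("delivery lure wording: " + ", ".join(lure_hits))
    return Verdict(msg.msg_id, score, reasons)


def triage(messages: List[Message]) -> List[Verdict]:
    return [score_message(m) for m in messages]


# Constructed sample messages modelled on the lures quoted in the article.
SAMPLE_MESSAGES = [
    Message("m1", "noreply@ups-delivery.example", "Dear client, recipient's address is wrong",
            "Please print the attached invoice and contact our office.", ["UPS_invoice_4417.exe"]),
    Message("m2", "service@dhl-notify.example", "Dear User, Delivery Confirmation: FAILED",
            "Fill out the attached form to reschedule the postal package.", ["Delivery_form.pdf.exe"]),
    Message("m3", "alice@corp.example", "Q3 roadmap", "Slides attached for Thursday.", ["roadmap.pdf"]),
    Message("m4", "tracking@fedex-status.example", "Your FedEx shipment is on its way",
            "Track your parcel online.", []),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_MESSAGES):
        print(v.msg_id, v.score, "HOLD" if v.flagged else "deliver", v.reasons)
```

Because the article notes the attackers now vary subjects, bodies and attachment names between waves, the rules key on structural features (an executable where a document is claimed) rather than on the exact strings seen last time; a real gateway would add sender-domain checks and sandbox detonation on top.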
Does Linkedin Share User Data?
August 19, 2011 by admin
Filed under Around The Net
Linkedin has upset many of its 100 million users by opting them into a programme that reveals their personal details to advertisers without telling anyone about it.
Linkedin changed its privacy policy to allow it to display the names and pictures of users with ads. The system works by showing friends and colleagues who’ve followed a brand name, effectively making them an unwitting salesperson for that brand, since people are more likely to click such advertisements on the basis that it looks like someone they know is recommending them. In reality, the other person has no idea that their photo and name are being used to sell things.
It’s a clever approach to advertising, but an absolutely abysmal approach to privacy, as Linkedin has decided to automatically opt in all of its users without informing them of the change.
Users can opt out if they want, but the option is buried in the Settings page, a ploy similar to that used by Facebook to hide its privacy settings. The big problem here is that if users don’t know that their name and photo are being used in this way, then how can they opt out of it?
Linkedin could face legal trouble for this decision. Digital Trends reports it is likely that Linkedin broke Dutch privacy law, which requires user consent for employing user images with advertisements. It could also be brought up before the European Commission and the UK Information Commissioner’s Office (ICO).
Sprint To Debut Cloud Services
August 18, 2011 by admin
Filed under Smartphones
Sprint will introduce cloud services to all sizes of businesses in the fourth quarter, a Sprint executive said on Wednesday.
A Sprint spokeswoman said more details would be announced at a later date, but confirmed the executive’s comments in an interview published Wednesday.
Paget Alves, head of Sprint business markets, said in the interview that Sprint’s offerings to businesses will include selling its network infrastructure as a service available on-demand.
Sprint will also offer software, security apps and Internet hosting.
Verizon and AT&T offer similar services, and Alves said that carriers are “in a unique position because our business is centered around the cloud.”
Sprint plans to offer services that rely on the company’s own data center, unlike Verizon, which is using capacity from Terremark, which Verizon purchased for $1.4 billion in January.
Accused Hacker Out On Bail In England
The accused ‘Topiary’, whose name is Jake Davis, was charged on Sunday and bailed by the courts yesterday. He was charged with five offences: Unauthorised access to a computer system, Encouraging or assisting offences, Conspiracy with others to carry out a Distributed Denial of Service Attack on the website of the Serious and Organised Crime Agency, Conspiracy to commit offences of Section 3 Computer Misuse Act 1990, and Conspiracy with others to commit offences of Section 3 Computer Misuse Act 1990 contrary to Section 1 of the Criminal Law Act 1977.
According to a report at the Guardian, his bail conditions are that Davis must wear an electronic tag, not access the internet, and not leave his house between 10pm and 7am.
Davis, who appeared outside court wearing sunglasses and holding a copy of “Free Radicals: The Secret Anarchy of Science” by Michael Brooks, and who allegedly authored the “Rupert Murdoch is dead” story that appeared on the hacked web site of the Sun newspaper, has already gained support on the internet in general and especially on Twitter.
HP Exec Claims Evidence Was Falsified
HP has been accused of producing “false and fabricated” evidence against a former sales executive who the firm claims stole confidential information.
Adrian Jones, who was a sales executive at HP, left the firm to join Oracle in February 2011. HP claims that Jones nabbed a load of confidential information between 10 and 11 February using a removable hard drive. Jones told the court that the hard drive was used by HP for backup and was never in his possession, saying that HP and its outside counsel have confirmed these facts.
Jones’ current employer Oracle said that the accusations leveled at its employee are simply not true, with Deborah Hellinger, a spokeswoman for Oracle telling Bloomberg, “The central allegation in HP’s employment lawsuit against Adrian Jones has turned out to be complete fiction…. If they did it knowingly then HP and their lawyers should be sanctioned. If they did it mistakenly then they simply owe Mr Jones an apology.”
HP is said to have probed Jones’ relationship with a female subordinate, for whom Jones allegedly arranged a 94 per cent pay rise and expensed travel that had no business purpose.
Jones’ case mirrors that of former HP CEO Mark Hurd, who left the company after similar expense discrepancies were brought to light. Hurd, a close friend of Oracle CEO Larry Ellison, then joined Oracle as co-president within weeks of leaving his post at HP.
HP and Oracle have been going at it hammer and tongs in a largely public row over Oracle’s decision to dump support for Intel’s Itanium architecture. The two companies are in various other legal battles as well, with HP claiming that Oracle had gone from being a partner to a “bitter antagonist”. We assume the next lawsuit will claim that Oracle stole HP’s lunch money and beat it up behind the bike shed, or perhaps the other way around.
EMC’s Data Breach Cost $66 Million
Between April and June 2011, EMC spent $66 million handling the fallout from a March cyber attack against its systems, which resulted in the compromise of information relating to the SecurID two-factor authentication sold by EMC’s security division, RSA.
That clean-up figure was disclosed last week during an EMC earnings call, by David Goulden, the company’s chief financial officer. It doesn’t include post-breach expenses from the first quarter, when EMC began investigating the attack, hardening its systems, and working with customers to prevent their being exploited as a result of the attacks.
In spite of the breach, EMC reported strong second-quarter financial results, earning consolidated revenue of $4.85 billion, which is an increase of 20% compared with the same period one year ago. Meanwhile, second-quarter GAAP net income increased by 28% from the same period last year, to reach $546 million. The company saw large growth in its information infrastructure and virtual infrastructure products and services, including quarterly revenue increases of 19% for its information storage group.
Those results led executives to increase their financial outlook for 2011 and predict consolidated revenue in excess of $19.8 billion, which would be a 16% increase from EMC’s 2010 revenues of $17 billion.
SpyEye Poses Risk To Banking Defenses
Financial institutions are facing more trouble from SpyEye, a piece of malicious software that steals money from customers’ online bank accounts, according to new research from security vendor Trusteer.
SpyEye is a dastardly piece of malicious software: it can harvest credentials for online accounts and also initiate transactions as a person is logged into their account, literally making it possible to watch their bank balance drop by the second.
In its latest versions, SpyEye has been modified with new code designed to evade advanced systems banks have put in place to try and block fraudulent transactions, said Mickey Boodai, Trusteer’s CEO.
Banks are now analyzing how a person uses their site, looking at parameters such as how many pages a person looks at on the site, the amount of time a person spends on a page and the time it takes a person to execute a transaction. Other indicators include IP address, such as if a person who normally logs in from the Miami area suddenly logs in from St. Petersburg, Russia.
SpyEye works fast, and can automatically and quickly initiate a transaction much faster than an average person manually on the website. That’s a key trigger for banks to block a transaction. So SpyEye’s authors are now trying to mimic — albeit in an automated way — how a real person would navigate a website.
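The behavioural checks the article attributes to banks (time from login to transaction, pages viewed, and IP geolocation against the customer's usual location) can be expressed as a small scoring function, which also makes the evasion the article describes concrete: a session that is paced like a human passes the timing and page-count checks and is caught only by the location mismatch. The block below is an added example for this page, not Trusteer's or any bank's code; the per-user baseline values and the three sample sessions are constructed.

```python
"""Behavioural transaction-risk scoring, as an added example.

A session records when the customer logged in, how many pages they viewed,
when (if ever) they submitted a payment, and the country their client IP
geolocates to. Each check compares the session with a per-user baseline that
a bank would learn from that customer's past sessions (constructed here).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    country: str                     # geolocated from the client IP address
    login_at: datetime
    pages_viewed: int                # distinct pages requested before the payment
    transfer_at: Optional[datetime]  # when a payment was submitted, None if none


# Constructed baselines: what "normal" looks like for each customer.
BASELINES: Dict[str, Dict[str, object]] = {
    "alice": {"typical_seconds_to_transfer": 240.0, "typical_pages": 6, "usual_country": "US"},
}


def risk_factors(session: Session, baseline: Dict[str, object]) -> List[str]:
    """Return a human-readable reason for every behavioural check that fires."""
    reasons: List[str] = []
    if session.transfer_at is None:
        return reasons  # nothing to protect if no payment was submitted
    elapsed = (session.transfer_at - session.login_at).total_seconds()
    typical = float(baseline["typical_seconds_to_transfer"])
    # Scripted sessions submit a payment far faster than the customer ever has.
    if elapsed < typical / 10:
        reasons.append(f"transfer submitted {elapsed:.0f}s after login (typical ~{typical:.0f}s)")
    # A real customer browses a few pages first; a script goes straight to the form.
    min_pages = max(2, int(baseline["typical_pages"]) // 3)
    if session.pages_viewed < min_pages:
        reasons.append(f"only {session.pages_viewed} page(s) viewed before transfer "
                       f"(typical {baseline['typical_pages']})")
    # Location check is independent of pacing, so mimicking navigation does not defeat it.
    if session.country != baseline["usual_country"]:
        reasons.append(f"login from {session.country}, usually {baseline['usual_country']}")
    return reasons


def should_hold(session: Session) -> bool:
    """Hold the payment for out-of-band confirmation when any factor fires.
    A user with no baseline yet is held conservatively."""
    baseline = BASELINES.get(session.user)
    if baseline is None:
        return session.transfer_at is not None
    return bool(risk_factors(session, baseline))


# Constructed sessions: a normal one, a scripted one, and one paced to look human.
SAMPLE_SESSIONS = [
    Session("alice", "US", datetime(2011, 8, 19, 9, 0, 0), 7, datetime(2011, 8, 19, 9, 4, 10)),
    Session("alice", "US", datetime(2011, 8, 19, 10, 0, 0), 1, datetime(2011, 8, 19, 10, 0, 3)),
    Session("alice", "RU", datetime(2011, 8, 19, 11, 0, 0), 6, datetime(2011, 8, 19, 11, 3, 50)),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.country, s.pages_viewed, "HOLD" if should_hold(s) else "allow",
              risk_factors(s, BASELINES[s.user]))
```

The third session is the one the article is warning about: once the malware paces its requests like a person, the timing and page-count signals go quiet, and the defence has to lean on signals the script cannot cheaply imitate from the victim's machine, such as where the traffic originates and, in practice, device and endpoint integrity checks.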
AMD Ships One Million Llano Processors
It appears that AMD has successfully managed to ship one million Llano chips in the second quarter, which is weeks ahead of the official launch.
AMD released the news during its earnings conference call, where interim CEO Thomas Seifert said demand for Llano was strong. “We expect Llano ramp to outpace the Brazos ramp,” he noted.
If you look back at AMD’s Brazos launch, the company managed to ship around one million units ahead of its scheduled launch, in the fourth quarter of 2010. Conversely, introducing Llano will be a bit more challenging, because AMD is planning to offer many varieties of mobile and desktop SKUs, including affordable dual- and triple-core processors. Therefore, Llano is expected to outpace Brazos very soon. AMD also made mention in its earnings call that total APU shipments for the quarter hit seven million, which means roughly 6 million of them were Brazos processors.
It is believed that AMD’s Llano chip will take 50 percent of the company’s total CPU shipments by the end of the year. In the first quarter of 2012, Llano is expected to garner over 60 percent of shipments.
Defense Dept. IT Is ‘Stone Age’
U.S. Marine Corps Gen. James “Hoss” Cartwright, vice chairman of the Joint Chiefs of Staff, issued a stinging critique of the Defense Department’s IT systems and said he sees much room for improvement.
Cartwright, who was speaking at the FOSE information technology conference in Washington, DC, said the DOD is sending increasing amounts of data, such as video, to soldiers on the battlefield, and it’s beginning to build an architecture “that starts to take us where we need to be.” But Cartwright quickly tempered that.
“Quite frankly, my feeling is — at least being a never-satisfied person — the department is pretty much in the Stone Age as far as IT is concerned,” Cartwright said.
Cartwright cited problems with proprietary systems that aren’t connected to anything else and are unable to quickly adapt to changing needs. “We have huge numbers of data links that move data between proprietary platforms — one point to another point,” he said.
The most striking example of an IT failure came during the second Gulf War, where the Marines and the Army were dispatched in southern Iraq.