AES mais fraco do que se pensava

Has the advanced encryption standard been broken or weakened?

Research emerged last week that claimed that the Advanced Encryption Standard (AES) was ‘broken'.
The cryptanalysis project, carried out by Andrey Bogdanov (from the Katholieke Universiteit Leuven in Belgium, visiting Microsoft Research at the time of obtaining the results), Dmitry Khovratovich (Microsoft Research) and Christian Rechberger (ENS Paris, visiting Microsoft Research) found a ‘clever' new attack that can recover a secret key four times more easily than originally anticipated by experts.

According to the research, weaknesses were identified in 2009 when AES was used to encrypt data under four keys that are related in a way controlled by an attacker. It found that while this attack was more intriguing from a mathematical point of view, what was interesting was that the attack applies to all versions of AES even if it used with a single key.

The research also claimed that finding an AES key is four times easier than previously believed, yet the effort to recover a key is still huge: the number of steps to find the key for AES-128 is an eight followed by 37 zeroes.

It said: “To put this into perspective: on a trillion machines that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key.”

artigo completo

Relatório da Kaspersky sobre ataques DDoS

DDoS attacks in Q2 2011

All statistical data presented in this report were obtained using Kaspersky Lab’s botnet monitoring system and Kaspersky DDoS Prevention.

The quarter in figures

  • The most powerful attack repelled by Kaspersky DDoS Prevention in Q2: 500 Mbps
  • The average power of the attacks repelled by Kaspersky DDoS Prevention: 70 Mbps
  • The longest DDoS attack in Q2: 60 days, 1 hour, 21 minutes and 9 seconds
  • The highest number of DDoS attacks against a single site in Q2: 218. 
relatório completo

Quem nos protege das CAs?

Another fraudulent certificate raises the same old questions about certificate authorities

"Earlier this year, an Iranian hacker broke into servers belonging to a reseller for certificate authority Comodo and issued himself a range of certificates for sites including Gmail, Hotmail, and Yahoo! Mail. With these certificates, he could eavesdrop on users of those mail providers, even if they use SSL to protect their mail sessions.

It's happened again. This time, Dutch certificate authority DigiNotar has issued a fraudulent certificate for google.com and all subdomains. As before, Gmail appears to be the target. The perpetrator also appears to be Iranian, with reports that the certificate has been used in the wild for man-in-the-middle attacks in that country. The certificate was issued on July 10th, and so could have been in use for several weeks prior to its discovery.

..."

artigo completo na ArsTechnica

Mais sobre a operação Shady Rat


Muito interessante no site da McAfee:
http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat

Relatório da McAfee:
http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf

"Concurso" de segurança da Microsoft

Computerworld - Microsoft today launched a $250,000 contest for researchers who develop defensive security technologies that deal with entire classes of exploits.

(...)

"Overall, it seemed to us that to take an approach to block entire classes was the best way to engage with the research community and protect customers," said Moussouris when asked by Computerworld why the company did not institute a bug bounty program instead.

(...)

The BlueHat Prize will award $200,000 to the first-place winner, $50,000 for second place, and a subscription to Microsoft's developer network as the third-place award. The three winners will be flown to next year's Black Hat by Microsoft, which will announce the contest results then.

Notícia da Computerworld: http://www.computerworld.com/s/article/9218845/Microsoft_kicks_off_250_000_security_contest?taxonomyId=85

Mais informações no site da Microsoft:
http://www.microsoft.com/security/bluehatprize/

Operação "Shady Rat"

Um artigo muito interessante na última Vanity Fair. Segundo ele, está a decorrer uma operação de grandes dimensões de roubo de informação de empresas de todo o mundo. Alegadamente a origem do ataque é a China.

Exclusive: Operation Shady rat—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza

For at least five years, a high-level hacking campaign—dubbed Operation Shady rat—has infiltrated the computer systems of national governments, global corporations, nonprofits, and other organizations, with more than 70 victims in 14 countries. Lifted from these highly secure servers, among other sensitive property: countless government secrets, e-mail archives, legal contracts, and design schematics. Here, Vanity Fair’s Michael Joseph Gross breaks the news of Operation Shady rat’s existence—and speaks to the McAfee cyber-security expert who discovered it.