via Crypto shocker: four of every 1,000 public keys provide no security (updated):
An astonishing four out of every 1,000 public keys protecting webmail, online banking, and other sensitive online services provide no cryptographic security, a team of mathematicians has found. The research is the latest to reveal limitations in the tech used by more than a million Internet sites to prevent eavesdropping.
Which is bad – collisions are supposed to be rare, or else it’s much easier to guess the key.
“Our only conclusion is that there is not just one cause for all of these problems,” Hughes said. “This leads to our conclusion that unless you can totally trust your random number generator, RSA is not a good algorithm to choose.”
I thought computer RNGs couldn’t be trusted to be random.
via Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers: Scientific American:
One of the primary methods of creating zombies is by getting computer users to unwittingly infect their computers by opening e-mails and Web pages containing malware. “If you look at the way RSA was penetrated, it was not terribly sophisticated, nothing on the order of Stuxnet, which was probably the most sophisticated attack we’ve seen in recent memory,” says Anup Ghosh, a research professor and chief scientist at George Mason University’s Center for Secure Information Systems. “Most of these attacks are executed using conventional exploits. What’s different is they’re using these exploits in new ways.”
And, unfortunately, they are also quite successful when using the same old attacks in the same old way.
Start with a good security policy, and educate your users so that they follow it. People can work around any technological hurdle to compromise a system and get their jobs done.
This is colossally bad for RSA and users of their SecurID tokens:
RSA Security is to replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.
SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.
The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.
via RSA finally comes clean: SecurID is compromised.
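The seed-plus-algorithm scheme described in the excerpt above, as an added example that is not from the quoted article or from RSA: the public RFC 6238 TOTP construction stands in for RSA's undisclosed algorithm, and `AuthServer`, the seeds and the timestamp are constructed for illustration. It shows why the server accepts any code computed from a copy of the seed, and why issuing a token with a new seed is the remedy.

```python
import hashlib
import hmac
import struct

def token_code(seed: bytes, unix_time: int, step: int = 60, digits: int = 8) -> str:
    """Code displayed at unix_time. RFC 6238 TOTP stands in for RSA's algorithm."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class AuthServer:
    """Hypothetical server: stores one seed per account and recomputes the code."""

    def __init__(self, step: int = 60, drift_steps: int = 1):
        self.seeds = {}
        self.step = step
        self.drift_steps = drift_steps  # tolerated clock drift, in time steps

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed  # enrolling again replaces the old seed

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        for d in range(-self.drift_steps, self.drift_steps + 1):
            t = unix_time + d * self.step
            if t >= 0 and hmac.compare_digest(token_code(seed, t, self.step), code):
                return True
        return False

def demo():
    now = 1_300_000_000                   # constructed timestamp
    old_seed = b"constructed-seed-0001"   # constructed sample seeds
    new_seed = b"constructed-seed-0002"
    server = AuthServer()
    server.enroll("alice", old_seed)
    from_copy = token_code(old_seed, now)  # computed without the token itself
    accepted_before = server.verify("alice", from_copy, now)
    server.enroll("alice", new_seed)       # replacement token, new seed
    new_token_ok = server.verify("alice", token_code(new_seed, now), now)
    old_copy_ok = server.verify("alice", from_copy, now)
    return accepted_before, new_token_ok, old_copy_ok
```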