Friday, August 2, 2013

Hacking expert says mobile firms moved fast to fix security flaw

LAS VEGAS - A well-known security expert said mobile carriers have quickly protected customers from a security bug that he revealed 10 days ago and that he estimated had put more than 500 million phones at risk of cyber attacks.

Karsten Nohl, chief scientist with Berlin's Security Research Labs, led a research team at the German firm that figured out a way to remotely gain control of and also clone some mobile SIM cards.

"Pretty much every carrier we have spoken to has fixed it," Nohl said in advance of a talk late Wednesday afternoon at the Black Hat hacking conference in Las Vegas.

The team was the first to accomplish the hacking feat, which has long been a Holy Grail of mobile hackers. The tiny, highly secured devices are located in phones and allow operators to identify and authenticate subscribers as they use networks.

He discussed that three-year research effort late Wednesday afternoon in one of the most anticipated talks at Black Hat, a conference where some 7,000 security professionals gathered to hear about the latest risks posed by hacking.

Nohl said at a news conference prior to that talk that he would not be able to demonstrate part of his technique for attacking SIM cards because he had prepared to show it on SIMs from five carriers, but that all five carriers had made changes to prevent them from being hacked.

Nohl is a so-called "white hat," or a hacker who figures out how to attack things in a bid to find vulnerabilities so that companies can fix bugs before criminals can exploit them.

He told Reuters that he was pleased that they had implemented the fix before his demonstration because that means they are ahead of criminal hackers, who could use compromised SIMs to commit financial crimes or engage in electronic espionage.

Nohl said that carriers have used methods to fix the bug in SIM cards without having to physically replace them, which would have been quite costly.

He said he was not sure whether all carriers around the world have fixed the bug, but that he had checked with many major carriers and that they had gone ahead and taken care of the security problem.

Copyright 2013 Thomson Reuters.

Source: http://feeds.nbcnews.com/c/35002/f/663301/s/2f684d64/sc/21/l/0L0Snbcnews0N0Ctechnology0Chacking0Eexpert0Esays0Emobile0Efirms0Emoved0Efast0Efix0Esecurity0Eflaw0E6C10A814147/story01.htm

Thursday, August 1, 2013

Google beefs up its SSL keys to 2048-bits

Google has announced overnight that the company will be updating its SSL certificates to 2048-bit keys, up from the current 1024 bits, and changing the search giant's certificate chain.

The task is already underway and is expected to be completed over the coming months.

Modern systems should have no issue with the update, so long as their SSL root certificates are not hardcoded. Google cites a couple of instances where systems could run into trouble; these include phones, printers, set-top boxes, and cameras.

"The first is people who are using a very old home-compiled version of OpenSSL with an out-of-date CA [certificate authority] database. Then there are instances of embedded-client software with (against the best advice of all the experts) hard-coded certificate logic, perhaps for reasons of saving space," wrote Google developer advocate Tim Bray.

For devices that will not be able to connect to Google HTTPS services due to having hard-coded root certificates, a firmware update will be needed.

Rather than hand over the root certificate to be embedded, Google is instead recommending that any hardware that needs updating move to a mechanism that lets the device pick up new root certificates on the fly.

"Certificates can change on a moment's notice, and software that uses them must be prepared to deal with that," says the Google Internet Authority FAQ.

"The only way to do this correctly is to build software that understands that Roots can change, and can adapt to that."

The company says that such mechanisms are needed not only where individual certificates are compromised, but also where certificate authorities themselves are compromised and have to revoke all their signed root certificates.

In 2011, a Dutch CA named DigiNotar filed for bankruptcy after an attacker was able to create a false certificate for *.google.com and conduct a man-in-the-middle attack. DigiNotar's certificates, which were used by the Dutch government, were subsequently rejected and the company was liquidated.

Last week, CNet revealed that the FBI and NSA had attempted to obtain encryption master keys, which, if given up to the authorities, would allow them to decrypt the contents of SSL communications.

Source: http://www.zdnet.com/google-beefs-up-its-ssl-keys-to-2048-bits-7000018778/