Quantum cryptography might not be the security secret weapon that the industry has been hoping for. In theory, quantum cryptography might allow you to encrypt a message in such a way that it would never be read by anyone. But recently, methods that were once thought to be fundamentally unbreakable have been shown to be anything but.
Physicist Renato Renner from the Institute of Theoretical Physics in Zurich said the problem was that systems were not being built correctly. In 2010, for instance, it was shown that a hacker could blind a detector with a strong pulse, rendering it unable to see the secret-keeping photons.
Renner also said that there are many other problems. Photons are generated using a laser tuned to such a low intensity that it’s producing one single photon at a time. There is a certain probability that the laser will make a photon encoded with your secret information and then a second photon with that same information. All an enemy has to do is steal that second photon and they could gain access to your data.
He told Wired that if there were better control over quantum systems than we have with today’s technology then perhaps quantum cryptography could be less susceptible to problems, but such advances are at least 10 years away.
Thanks to a faulty encryption component that failed to encrypt data, the PHP Group advised, as did security organisation the SANS Institute, that users resist their immediate temptation to update to PHP version 5.3.7, which was released on 18 August, and wait instead for the PHP 5.3.8 update.
Today, and earlier than expected, the group alerted users that it was releasing the PHP 5.3.8 update and had fixed the critical encryption bug as well as one other that could have caused SSL connections to hang.
The earlier release, PHP version 5.3.7, fixed many more issues and included 90 bug fixes and performance enhancements as well as at least six security updates, except of course the obvious one that caused the replacement update.
The group added that the PHP 5.2 series is no longer supported and urged all users to upgrade to PHP 5.3.8.
Kaspersky weighed in on Shady RAT, claiming that McAfee didn’t do the right thing by going public about the long-running intrusion into networks of governments, companies and non-profit organizations and that the move was alarmist. Now McAfee’s Phyllis Schneck, VP and CTO of McAfee’s Global Public Sector division has said that Kaspersky is “missing the point”.
Schneck defended McAfee’s decision to publicize Shady RAT by asking, “Would it be alarmist to let a bank know that someone has just walked out with a wad of cash while they weren’t paying attention?” Kaspersky also claimed the attack wasn’t particularly sophisticated, but Schneck said that the level of sophistication is not the point here. “It’s not the sophistication of the attack that’s important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture.”
Kaspersky also claimed that Shady RAT is a botnet, something that Schneck categorically says is incorrect. Instead she labeled Shady RAT as a successful persistent threat and said it “was only as advanced as it needed to be”.
McAfee claims that it knows of 72 organizations that were affected by Shady RAT, which was a prolonged attack on many operations that the firm claims stole a large amount of data.
Whether Schneck or Kaspersky is correct about whether Shady RAT is a botnet is really beside the point. For Kaspersky to claim McAfee’s move was alarmist is a bit rich, as all security companies promote fears of doom and gloom to sell their products and services.
The fundamental question remains, why did it take a security vendor five years to find out about Shady RAT? Kaspersky’s firm and McAfee might better focus on protecting their customers rather than taking pot shots at each other.
The crack is the work of a trio of researchers at universities and Microsoft, and involved a lot of cryptanalysis – which is somewhat reassuring – and still does not present much of a real security threat.
Andrey Bogdanov, from K.U.Leuven (Katholieke Universiteit Leuven), Dmitry Khovratovich, who is full time at Microsoft Research, and Christian Rechberger at ENS Paris were the researchers.
Although there have been other attacks on the key-based AES security system, none have really come close, according to the researchers. But this new attack does, and it can be used against all versions of AES.
This is not to say that anyone is in immediate danger and, according to Bogdanov, although it is four times easier to carry out, it is still something of an involved procedure.
Recovering a key is no five-minute job and, despite being four times easier than other methods, the number of steps required to crack AES-128 is an 8 followed by 37 zeroes.
“To put this into perspective: on a trillion machines, that each could test a billion keys per second, it would take more than two billion years to recover an AES-128 key,” the Leuven University researcher added. “Because of these huge complexities, the attack has no practical implications on the security of user data.” Andrey Bogdanov told The INQUIRER that a “practical” AES crack is still far off but added that the work uncovered more about the standard than was known before.
“Indeed, we are even not close to a practical break of AES at the moment. However, our results do shed some light into the internal structure of AES and indicate where some limits of the AES design are,” he said.
He added that the advance is still significant, and is a notable progression over other work in the area.
“The result is the first theoretical break of the Advanced Encryption Standard – the de facto worldwide encryption standard,” he explained. “Cryptologists have been working hard on this challenge but with only limited progress so far: 7 out of 10 for AES-128 as well as 8 out of 12 for AES-192 and 8 out of 14 rounds for AES-256 were previously attacked. So our attack is the first result on the full AES algorithm.”
Bogdanov added that the crack works on all versions of AES and dispelled some myths about the technology as well.
“Unlike previous results on AES, we do not need any related keys which was a very strong and unrealistic assumption about the power of the attacker,” he explained.
“Our attacks work in the classical single-key setting and, thus, apply in every context, however, with huge complexities so far. The practical consequence is that the effective key length of AES is about 2 bits shorter than expected – it is more like AES-126, AES-190, and AES-254 instead of AES-128, AES-192, and AES-256. We think it is a significant step toward the understanding of the real security of AES.”
The attack has been confirmed by the creators of AES, Dr Joan Daemen and Professor Dr Vincent Rijmen, who also applauded it.
“TDL-4,” the name for both the bot Trojan that infects PCs and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.
“[TDL-4] is practically indestructible,” Golovanov said, and others agree.
“I wouldn’t say it’s perfectly indestructible, but it is pretty much indestructible,” said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. “It does a very good job of maintaining itself.”
Golovanov and Stewart based their assessments on a variety of TDL-4’s traits, all of which make it an extremely tough character to detect, delete, suppress or eradicate.
Because TDL-4 installs its rootkit on the Master Boot Record (MBR), it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code.
Further, what makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
“The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,” said Roel Schouwenberg, senior malware researcher at Kaspersky. “The TDL guys are doing their utmost not to become the next gang to lose their botnet.”
Schouwenberg cited several high-profile botnet take-downs — which have ranged from a coordinated effort that crippled Conficker last year to 2011’s FBI-led take-down of Coreflood — as the motivation for hackers to develop new ways to keep their armies of hijacked PCs in the field.
“Each time a botnet gets taken down it raises the bar for the next time,” noted Schouwenberg. “The truly professional cyber criminals are watching and working on their botnets to make them more resilient against takedowns or takeovers.”