Logjam: the latest TLS vulnerability explained

log-jam

Yesterday, a group from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania published a deep analysis of the Diffie-Hellman algorithm as used in TLS and other protocols. This analysis included a novel downgrade attack against the TLS protocol itself called Logjam, which exploits EXPORT cryptography (just like FREAK).

First, let me start by saying that CloudFlare customers are not and were never affected. We don’t support non-EC Diffie-Hellman ciphersuites on either the client or origin side. We also won't touch EXPORT-grade cryptography with a 20ft stick.

But why are CloudFlare customers safe, and how does Logjam work anyway?

The image is "Logjam" as interpreted by @0xabad1dea.

Diffie-Hellman and TLS

This is a detailed technical introduction to how DH works and how it’s used in TLS—if you already know this and want to read about the attack, skip to “Enter export crypto, enter Logjam” below. If, instead, you are not interested in the nuts and bolts and want to know who’s at risk, skip to “So, what’s affected?”

To start a TLS connection, the two sides—client (the browser) and server (CloudFlare)—need to agree securely on a secret key. This process is called Continue reading

Health insurer CareFirst reveals cyberattack affecting 1.1 million

A large U.S. health insurer, CareFirst BlueCross BlueShield, has disclosed it fell victim to a cyberattack that affected about 1.1 million people.The attack, which occurred in June last year, targeted a single database that contained information about CareFirst members and others who accessed its websites and services, the company said Monday.The nonprofit has 3.4 million members, mostly around Maryland, Washington, D.C., and Northern Virginia.“We were the subject of a cyberattack,” a somber looking Chet Burrell, the company’s CEO, says in a video posted to its website.CareFirst said customer names, birth dates, user names, email addresses and subscriber ID numbers may have been stolen. The database did not contain Social Security numbers, medical claims or financial information, it said. And member passwords were encrypted and stored in a different system, CareFirst said.To read this article in full or to leave a comment, please click here

Fierce smartphone rivalry driving faster chip development, ARM CEO says

Heated competition in the smartphone and tablet markets has required chip makers to speed up the pace at which they release new processors, the CEO of ARM said in an interview this week.Following in the footsteps of Apple, rivals like Samsung and HTC are upgrading their flagship devices on a near yearly basis, adding better displays, faster chips and more memory to entice customers into buying their products.ARM designs the microprocessors used in most of those devices, and the increased competition means it’s having to push out faster, more power-efficient chips at a quicker pace, CEO Simon Segars said Tuesday.“We’re always going to be looking to deliver more performance, make the best use of manufacturing technology ... and deliver better system-wide efficiency,” he added.To read this article in full or to leave a comment, please click here

Senators stall vote to extend NSA phone records dragnet

Four U.S. senators ground the chamber’s business to a halt Wednesday in an effort to prevent lawmakers from voting on a bill to extend portions of the Patriot Act used to collect telephone and business records from the country’s residents.Time is running out for the Senate to extend the telephone records collection section of the Patriot Act before it expires at the end of the month. In an effort to block a vote, Senator Rand Paul, a Kentucky Republican, took control of the Senate floor in a filibuster mid-Wednesday, with Senators Ron Wyden, an Oregon Democrat, Mike Lee, a Utah Republican, and Martin Heinrich, a New Mexico Democrat, joining him later in the day.To read this article in full or to leave a comment, please click here

Senators stall vote to extend NSA phone records dragnet

Four U.S. senators ground the chamber’s business to a halt Wednesday in an effort to prevent lawmakers from voting on a bill to extend portions of the Patriot Act used to collect telephone and business records from the country’s residents.Time is running out for the Senate to extend the telephone records collection section of the Patriot Act before it expires at the end of the month. In an effort to block a vote, Senator Rand Paul, a Kentucky Republican, took control of the Senate floor in a filibuster mid-Wednesday, with Senators Ron Wyden, an Oregon Democrat, Mike Lee, a Utah Republican, and Martin Heinrich, a New Mexico Democrat, joining him later in the day.To read this article in full or to leave a comment, please click here

Senators stall vote to extend NSA phone records dragnet

U.S. Senator Rand Paul spoke on the chamber's floor for more than nine hours Wednesday during a filibuster to prevent lawmakers from voting on a bill to extend portions of the law used by the National Security Agency to collect telephone and business records from the country's residents.Paul, a Kentucky Republican, continued to talk on the Senate floor at 10:25 p.m. EST, after taking control of the chamber earlier in the day. Nine other senators joined him for short stretches throughout the day, including Ron Wyden, an Oregon Democrat, Mike Lee, a Utah Republican, and Martin Heinrich, a New Mexico Democrat.Time is running out for the Senate to extend the section of the Patriot Act that the NSA uses as authorization to collect telephone and other business records. Section 215 of the Patriot Act expires at the end of the month, and lawmakers are scheduled to take an extended Memorial Day break next week.To read this article in full or to leave a comment, please click here

Senators stall vote to extend NSA phone records dragnet

U.S. Senator Rand Paul spoke on the chamber's floor for more than nine hours Wednesday during a filibuster to prevent lawmakers from voting on a bill to extend portions of the law used by the National Security Agency to collect telephone and business records from the country's residents.Paul, a Kentucky Republican, continued to talk on the Senate floor at 10:25 p.m. EST, after taking control of the chamber earlier in the day. Nine other senators joined him for short stretches throughout the day, including Ron Wyden, an Oregon Democrat, Mike Lee, a Utah Republican, and Martin Heinrich, a New Mexico Democrat.Time is running out for the Senate to extend the section of the Patriot Act that the NSA uses as authorization to collect telephone and other business records. Section 215 of the Patriot Act expires at the end of the month, and lawmakers are scheduled to take an extended Memorial Day break next week.To read this article in full or to leave a comment, please click here

Racist query terms in Google Maps trigger the White House in results

Google Maps lists the White House among top search results for certain queries containing racist terms against African-Americans.The Washington Post first reported the issue after a reader alerted the newspaper that entering a well-known racial slur while Google Maps is focused on the nation’s capital yielded the White House as the first result. The result comes up when using Google’s mobile Maps app, as well as its Maps website.Regardless of the user’s location within Maps, a search for another racially insulting term against blacks listed the Underground Railroad TV station in Chicago as the top result, with the White House coming in second. Other similarly racist query terms also gave the White House as the top result, along with the Jim Crow Museum of Racist Memorabilia in Big Rapids, Michigan.To read this article in full or to leave a comment, please click here

Bigger, better, faster: What does Wave 2 of 802.11ac have in store?

"Bigger, better, faster" is a mantra with which many of us are now familiar. Even if it isn't something we have printed on a t-shirt, it can be how we strive to live without often realizing it. Improvement is a part of life. You don't have to look hard to see examples of certain things that have already realized their great potential for improvement. But what about things we take for granted, like wireless?  Wireless is all around us, but it's something we take for granted. Sometimes it’s harder to find a business or public location without Wi-Fi than it is to find one with it. So can wireless actually advance? Whether it's in the boardroom or the living room, we have expectations of buttery-smooth audio and video. As the number of wireless devices grows at a profound rate, how can we shore up the wireless network to provide service to all that’s connected? Wireless AC may be the light at the end of the tunnel. With Wave 1 speeds of 1.3Gbps (your mileage may vary) we're offered a chance to handle the larger amount of requests constantly bombarding our access points (APs). Still, the struggle in dense environments Continue reading

Building a Fully Automated Ubuntu Installation Process

Recently on Twitter, I mentioned that I had managed to successfully create a fully automated process for installing Ubuntu Server 14.04.2, along with a method for bootstrapping Ansible. In this post, I’m going to describe the installation process I built and the components that went into making it work. I’ll discuss the Ansible bootstrap process in a separate post. I significantly doubt that there is anything new or unique here, but hopefully this information will prove helpful to others facing similar challenges.

Before I continue, allow me to briefly discuss why I didn’t use a system like Cobbler instead of putting together my own system. Cobbler is a great tool. For me, though, this was also about deepening my own knowledge. I wanted to better understand the various components involved and how they interacted, and I didn’t feel I would really be able to do that with a “prebuilt” system like Cobbler. If you are more interested in getting something up and running as opposed to learning more about how it works (and that’s OK), then I’d recommend you skip this post and go download Cobbler. If, on the other hand, you want to make this into more Continue reading

Alcatel-Lucent uses SDN to meld IP, optical services

Alcatel-Lucent this week extended its carrier SDN product line with an automation and network control system designed to accelerate service provisioning from multivendor IP and optical infrastructure.The company’s Network Services Platform combines Alcatel-Lucent’s SDN-based software with its 5260 service-aware management system, Service Router operating system and the 1830 Photonic Service Switch GMPLS routing engine algorithms from Bell Labs. It also has a REST API interface to the Nuage Networks Virtual Services Platform SDN controller for data center networks so the IP/MPLS/optical network can be quickly provisioned based on the needs of data center interconnection and virtual machine mobility.To read this article in full or to leave a comment, please click here

Alcatel-Lucent uses SDN to meld IP, optical services

Alcatel-Lucent this week extended its carrier SDN product line with an automation and network control system designed to accelerate service provisioning from multivendor IP and optical infrastructure.The company’s Network Services Platform combines Alcatel-Lucent’s SDN-based software with its 5260 service-aware management system, Service Router operating system and the 1830 Photonic Service Switch GMPLS routing engine algorithms from Bell Labs. It also has a REST API interface to the Nuage Networks Virtual Services Platform SDN controller for data center networks so the IP/MPLS/optical network can be quickly provisioned based on the needs of data center interconnection and virtual machine mobility.To read this article in full or to leave a comment, please click here

Hot stuff: The coolest drones

DronesImage by Northrop Grumman/Chad Slattery/Handout via ReutersThe world of drones – military and public – is changing so fast it’s hard to keep up with the changes. Here we take a look at some of the most recent advancements, such as getting drones to fly as a group, deliver orders in restaurants and take advanced technology into space. Read on:To read this article in full or to leave a comment, please click here

Hot stuff: The coolest drones

DronesImage by Northrop Grumman/Chad Slattery/Handout via ReutersThe world of drones – military and public – is changing so fast it’s hard to keep up with the changes. Here we take a look at some of the most recent advancements, such as getting drones to fly as a group, deliver orders in restaurants and take advanced technology into space. Read on:To read this article in full or to leave a comment, please click here

Mailing List

I’m switching the updates mailing list to mailchimp so I can post emails with more “stuff” from time to time that’s not posted on the blog. The signup is under the “hamburger menu” on the top left corner.

The post Mailing List appeared first on 'net work.

E-paper display gives payment cards a changing security code

By embedding an e-paper display in the back of credit and debit cards, payment specialist Oberthur Technologies hopes to make online fraud a lot more difficult. An upcoming test in France will show if the underlying technology can cut it.Using payment cards with an embedded chip makes payments more secure in physical stores, but it’s still relatively easy for criminals to copy card details and use them online. Oberthur’s Motion Code technology replaces the printed 3-digit CVV (Card Verification Value) code, usually found on the back of the card, with a small screen, where the code changes periodically.Today, any criminal who has seen a card or overheard the owner dictating the CVV code can make an unauthorized purchases online or by phone. With Motion Code, because the CVV changes from time to time, the time a fraudster has to act is reduced.To read this article in full or to leave a comment, please click here

1 3,490 3,491 3,492 3,493 3,494 3,853