Report: NSA paid RSA to make flawed crypto algorithm the default

Security company RSA was paid $10 million to use the flawed Dual_EC_DRBG pseudorandom number generating algorithm as the default algorithm in its BSafe crypto library, according to sources speaking to Reuters.

The Dual_EC_DRBG algorithm is included in the NIST-approved crypto standard SP 800-90 and has been viewed with suspicion since shortly after its inclusion in the 2006 specification. In 2007, researchers from Microsoft showed that the algorithm could be backdoored: if certain relationships between numbers included within the algorithm were known to an attacker, then that attacker could predict all the numbers generated by the algorithm. These suspicions of backdooring seemed to be confirmed this September with the news that the National Security Agency had worked to undermine crypto standards.

The impact of this backdooring seemed low. The 2007 research, combined with Dual_EC_DRBG's poor performance, meant that the algorithm was largely ignored. Most software didn't implement it, and the software that did generally didn't use it.

Read 4 remaining paragraphs | Comments

Android Tapsnake Mobile Scareware: Ads Push Antivirus

Recently, we have observed a series of mobile ads intended to scare users into believing that their device is infected with a threat called “Trojan: MobileOS/Tapsnake”.


Figure 1. Fake Tapsnake infection warnings

The malware alert is fake. Tapsnake is an older Android threat (we blogged about it in 2010 and detect it as Android.Tapsnake) that just happens to be mentioned in these ads to make them appear more authentic. We visited a site serving these ads using a brand new Android device with a fresh install and nothing on it and still received this alert. Users of Apple's iPhone have also reported seeing Tapsnake alerts, despite the fact that the threat doesn’t target iOS devices.


Figure 2. Scareware tactics target Android users

This type of warning is commonly associated with scareware, which originated on PCs. When users visit scareware websites, they are shown a warning that claims their computer or device is infected with malware. These scareware sites may then offer free downloads of fake antivirus software.

This is all a trick designed to convince the user to download an application.


Figure 3. Android Antivirus app offer

Symantec Security Response advises users not to install applications outside of trusted app stores. Instead, users should only trust well-known and reputable security software, such as Norton Mobile Security available on the Google Play app store. For general safety tips for smartphones and tablets, visit the Symantec Mobile Security website.

Critics: NSA agent co-chairing key crypto standards body should be removed (updated)

Security experts are calling for the removal of a National Security Agency employee who co-chairs an influential cryptography panel, which advises a host of groups that forge widely used standards for the Internet Engineering Task Force (IETF).

Kevin Igoe, who in a 2011 e-mail announcing his appointment was listed as a senior cryptographer with the NSA's Commercial Solutions Center, is one of two co-chairs of the IETF's Crypto Forum Research Group (CFRG). The CFRG provides cryptographic guidance to IETF working groups that develop standards for a variety of crucial technologies that run and help secure the Internet. The transport layer security (TLS) protocol that underpins Web encryption and standards for secure shell connections used to securely access servers are two examples. Igoe has been CFRG co-chair for about two years, along with David A. McGrew of Cisco Systems.

Igoe's leadership had largely gone unnoticed until reports surfaced in September that exposed the role NSA agents have played in "deliberately weakening the international encryption standards adopted by developers." Until now, most of the resulting attention has focused on cryptographic protocols endorsed by the separate National Institute for Standards and Technology. More specifically, scrutiny has centered on a random number generator that The New York Times, citing a document leaked by former NSA contractor Edward Snowden, reported may contain a backdoor engineered by the spy agency.

Read 13 remaining paragraphs | Comments

Cards stolen in massive Target breach flood underground “card shops”

Credit and debit card accounts stolen in the massive data breach that recently hit retail giant Target are flooding the underground markets frequented by criminals, who are paying as much as $100 per card, according to KrebsonSecurity reporter Brian Krebs.

In a post published Friday, Krebs said he first learned of the breach after a fraud analyst at a major bank said his team bought a large number of the bank's cards on a well-known "card shop." The analyst's team was then able to work its way backward and independently confirm Target had been breached. Krebs went on to break the story, and Target eventually confirmed that about 40 million cards may have been compromised during a breach that extended from November 27 to December 15. In Friday's post, Krebs continued:

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.

When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.

Krebs's account is consistent with the findings of fraud prevention service Easy Solutions. On Thursday, the company reported that its Detect Monitoring Service (DMS) had recently sensed some unusual activity.

Read 3 remaining paragraphs | Comments