rsa
Latest
34 major tech companies are uniting to fight cyberattacks
Cyberattacks are a global issue that can cause havoc regardless of who's involved, and key members of the tech industry are uniting in a bid to fight these attacks. A group of 34 companies has signed the Cybersecurity Tech Accord, an agreement promising to defend customers around the world from hacks regardless of where they take place or who the perpetrator might be. They're promising to boost defenses for customers (including users' capacity to defend themselves), establish more partnerships to share threats and vulnerabilities, and -- importantly -- refuse to assist governments in launching cyberattacks.
The encryption many major companies rely on has a serious flaw
Researchers at Masaryk University in the Czech Republic uncovered a major security vulnerability in RSA keys generated by Infineon Technologies-produced chips. These chips are used in products manufactured by Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba and Chromebook vendors, reports Bleeping Computer and the RSA keys generated by Infineon's chips are used in government-issued identity documents, during software signing, in authentication tokens, with message protection like PGP, in programmable smartcards and during secure browsing.
What to expect from the Engadget Experience, our immersive art + tech event
New mediums like augmented reality, virtual reality and artificial intelligence are pushing the boundaries of art, entertainment, gaming and performance -- but immersive media isn't always accessible. For one day only, we invite you to experience what happens at the outer limits of creativity. The first Engadget Experience is set to bring together some of the brightest minds in technology, art and entertainment next month, and we want you to be there. The agenda is nearly complete, and we're proud to say it's going to be a killer show.
How to adult at security
You're a grown-ass adult -- so stop using the same password for everything. Seriously, your cat's name followed by your birthday isn't fooling anybody. Don't be that guy (of any gender) who gets totally owned by ransomware. Pull up your big-person pants, walk with us through the baddies of threats and help yourself to our tips on how to totally adult your way through the nightmare that is modern computer security. Don't worry, you got this.
RSA security conference: 25 years of discontent and pranks
The first time I went anywhere near the RSA information security conference in San Francisco, it was by way of a prank. Two things I love to cover are computer crime and and enterprise security, so when I met friends for drinks at a downtown hotel bar during the conference one year they were genuinely surprised I'd never attended RSA. One of my drinking pals that night was Twitter's head of security, and he jokingly asked if I wanted to go to RSA -- right now.
The RSA keynotes: a cautionary tale
On Feb. 29th, thousands of cybersecurity professionals will flood San Francisco's Moscone Center for RSA Conference, one of the security industry's largest and most authoritative events. This week, RSA announced its 20 keynote speakers, and if you heard a weird noise coming from Twitter, that was the InfoSec community releasing an exasperated collective WTF. In a plot twist predicted by no one, three of RSA's coveted keynote spots have gone to two actors and a producer from the TV show CSI: Cyber.
Dell's buying EMC for $67 billion in the biggest tech deal ever
Dell has agreed to buy EMC Corporation for a deal worth $67 billion. While EMC isn't a household name, some of its products and subsidiaries are. In addition to selling cloud services, storage and analytic solutions to enterprise companies, EMC owns the security firm RSA and the virtualization solution VMware. The deal is huge -- it's being billed as the largest tech acquisition in history. EMC is probably worth twice as much as Dell itself right now, and has some 70,000 employees worldwide.
The $300 'PITA' steals encryption keys with radio waves
Your computer is leaking information. It's not from the usual suspects: WiFi, Bluetooth or ethernet, but from radio waves originating from your processor. Researchers at Tel Aviv University and Israel's Technion research institute have built a $300 device that captures those electromagnetic waves and uses them to decrypt RSA and ElGamal data from up to 19 inches away. The PITA (Portable Instrument for Trace Acquisition) device is the size of (you guessed it) a pita and was built using off-the-shelf parts and runs on four AA batteries. The stolen data can be saved to the onboard microSD card or sent via WiFi to the attacker's computer. The team demonstrated the hack by extracting the keys from GnuPG. Fortunately, GnuPG was updated when the research paper was published to thwart the delicious-sounding PITA.
'Logjam' browser vulnerability fix will block thousands of websites
Researchers have discovered a new browser and website encryption vulnerability called Logjam, and there's good news and bad news. On the plus side, the vulnerability has largely been patched thanks to consultation with tech companies like Google, and updates are available now or coming soon for Chrome, Firefox and other browsers. The bad news is that the fix rendered many sites unreachable, including the main website at the University of Michigan, which is home to many of the researchers that found the security hole. Ironically, that site (which has since been patched) and other government and educational sites are supposed to be secure -- so what went wrong?
Racing to June 1: The fight to control the Patriot Act
If Defcon is the cultural Comic-Con of security conferences, then RSA is more like the business-focused Game Developers Conference (GDC), though largely packed with government-corporate attendees. At the midpoint of a long day during last month's RSA San Francisco 2015, the largest security conference in the United States (with a record-breaking 33,000 in attendance), Congressman Mike Rogers took the stage to debate in favor of renewing the Patriot Act's Section 215, sometimes called the "library records" provision. "Renewing the Patriot Act" at RSA was about one of our nation's most pivotal public pain points in recent history -- Section 215′s facilitation of bulk telephone record collection. Despite the high-profile nature of this debate and its critical timing, it was a bizarrely toothless, kind of clueless, softball argument that somehow managed to completely avoid discussing why the renewal of this section of the Patriot Act, right now, is such a big deal.
Researchers find another terrifying iOS flaw
It can't have escaped your attention that security experts have declared open season on Apple products over the last few weeks. At San Francisco's RSA conference, an even more terrifying exploit has been revealed that has the power to send your iPhone or iPad into a perpetual restart loop. Mobile security firm Skycure has discovered that iOS 8 has an innate vulnerability to SSL certificates that, when combined with another WiFi exploit, gives malicious types the ability to create "no iOS zones" that can render your smartphones and tablets unusable. Before you read on, grab a roll of tinfoil and start making a new case for your iPhone.
Security conference effectively bans booth babes from its show floor
The issue of booth babes -- scantily clad people attempting to lure unsuspecting buyers towards second-rate products -- has once again reared its head within the industry. This time out, cryptography and information security gathering RSA has effectively banned them, mandating that all attendees will wear clothing that's appropriate for a professional environment. According to a statement released to TechTarget, people will be unable to display "excessive cleavage," and won't be able to wear tank tops, tube tops, miniskirts or minidresses. RSA go on to say that any scantily dressed people found on the show floor would be asked to put on a sweater or leave.
Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible
Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant Illkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge. Confused by all the programming and security terms and just need to know how this affects you? It means that while you definitely need to change your passwords, but wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones. Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog. Image credit: snoopsmaus/Flickr
The NSA had an easier time breaking web encryption than previously thought
Internet security was turned on its ear in December when leaks revealed that the NSA had inserted a back door into a common encryption method from the RSA, a big security provider for remote work access and other major parts of the corporate web. However, it turns out that the vulnerability was worse than some thought. University researchers have shown evidence to Reuters that a second NSA-supplied tool, which sold as part of a security kit, let the intelligence agency crack the RSA's already susceptible encryption "tens of thousands of times faster" than usual. In other words, it was sometimes trivially easy for the NSA to compromise sites. It's not clear how much damage this tool did, though. The software was strictly optional, and not many people used it -- the RSA says it pulled the tool within the past six months, so it won't be a major concern in the future. Even so, the discovery suggests that the NSA effectively had free rein when snooping around some places online. [Image credit: Sam Dal Monte, Flickr]
Stephen Colbert explains Cloud Fog: 'part cloud, part fog, all security'
Stephen Colbert has a lot to say about online privacy, Edward Snowden and the NSA, and he shared his thoughts Friday evening at an Internet security conference in San Francisco. Privacy advocates had implored Colbert to skip the event, which was hosted by security giant RSA -- a company that reportedly took $10 million from the NSA to give the agency a back door into its software. Said Colbert: "I looked at the signatures on the online petition, then I looked at the signature -- my signature -- on the bottom of the contract saying I'd be here today, and my conscience was clear, as long as the check clears. Well, it's not actually a check. They gave me a Bitcoin voucher for Mt. Gox. And I'm sure it's going to be fine."
Alt-week 12.21.13: Rainbow sun, edible batteries and the world's toughest encryption cracked by a microphone
Alt-week takes a look at the best science and alternative tech stories from the last seven days. When constructing a feature whose very reason for being is to explore the most far out aspects of our universe, it's fair to say that we're leaning towards the red pill. But that doesn't mean there's nothing here for those of the blue persuasion. We think you'll love the rainbow sun, for example -- until you realize, technically that's very real too. This is alt-week.
Computers share their secrets if you listen
Be afraid, friends, for science has given us a new way in which to circumvent some of the strongest encryption algorithms used to protect our data -- and no, it's not some super secret government method, either. Researchers from Tel Aviv University and the Weizmann Institute of Science discovered that they could steal even the largest, most secure RSA 4,096-bit encryption keys simply by listening to a laptop as it decrypts data. To accomplish the trick, the researchers used a microphone to record the noises made by the computer, then ran that audio through filters to isolate the vibrations made by the electronic internals during the decryption process. With that accomplished, some cryptanalysis revealed the encryption key in around an hour. Because the vibrations in question are so small, however, you need to have a high-powered mic or be recording them from close proximity. The researchers found that by using a highly sensitive parabolic microphone, they could record what they needed from around 13 feet away, but could also get the required audio by placing a regular smartphone within a foot of the laptop. Additionally, it turns out they could get the same information from certain computers by recording their electrical ground potential as it fluctuates during the decryption process. Of course, the researchers only cracked one kind of RSA encryption, but they said that there's no reason why the same method wouldn't work on others -- they'd just have to start all over to identify the specific sounds produced by each new encryption software. Guess this just goes to prove that while digital security is great, but it can be rendered useless without its physical counterpart. So, should you be among the tin-foil hat crowd convinced that everyone around you is a potential spy, waiting to steal your data, you're welcome for this newest bit of food for your paranoid thoughts.
Deutsche Telekom and RSA team on hack-resistant internet connections
It's easy to find security experts who can safeguard corporate internet connections against cyber attacks. However, it's hard to get someone who can stop attacks before they do any damage -- and that's where Deutsche Telekom hopes to make a difference. It's partnering with the security gurus at RSA on services that will include both early detection of attacks as well as "clean pipe" internet connections, which route data through hack-resistant lines. While the German provider isn't divulging its pricing just yet, it's targeting small- and medium-sized businesses willing to pay a fixed monthly fee; the toughened internet access is likely to be (relatively) affordable when it launches early next year. It's certainly well-timed. When many Europeans are already nervous about digital intruders, we wouldn't be surprised if Deutsche Telekom lands quite a few early customers.
Ridley Scott to co-produce sci-fi short films for Machinima
While Machinima has spread its wings beyond its namesake game engine-based movies, the company has only occasionally broken out of its familiar video game template. Those horizons are about to get wider through a collaboration with Ridley Scott's production house, RSA. Scott and RSA president Jules Daly will serve as executive producers for a project generating 12 short sci-fi films for Machinima's channels, with the directors culled from among RSA's superstar ranks. In theory, it's a win-win scenario: Machinima gets professionally-made movies to diversify its library, while directors can explore ideas that wouldn't necessarily be approved for a full-length feature. There's a hope for District 9-style regular movies co-developed with Machinima if all goes well, but we'd advise patience when the partnership hasn't even chosen its directors. It will take some time before we're catching a sci-fi mini-drama from the comfort of our living rooms. [Image credit: Gage Skidmore, Flickr]
AMD, Intel and RSA team up, form the Cyber Security Research Alliance
Sure, it's not the first elite cybercrime-fighting team we've heard of, it's also not everyday you hear the likes of Intel, Lockheed Martin and AMD buddying up on research. The companies are looking to address the "complex problems" in cyber security, with the private, non-profit group (which also includes Honeywell and RSA/EMC) aiming to work somewhere between government-funded security research and commercial products already out there. The Cyber Security Research Alliance is already in talks with NIST, and plans to launch a security research symposium early next year. The CSRA will also start tracking cyber security R&D, "prioritize" those aforementioned challenges, and hopefully come together for the greater good.
