Enlarge / 750,000 Estonian cards that look like this use a 2048-bit RSA key that can be factored in a matter of days. (credit: Steve Jurvetson ) A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers. The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia’s government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack . Estonian officials said they were closing the ID card public key database to prevent abuse. Last week, Microsoft , Google , and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-target individuals and organizations. Read 18 remaining paragraphs | Comments
Read the original post:
Millions of high-security crypto keys crippled by newly discovered flaw
schwit1 shares a report from ScienceAlert: The brain-dwelling parasite Toxoplasma gondii is estimated to be hosted by at least 2 billion people around the world, and new evidence suggests the lodger could be more dangerous than we think. While the protozoan invader poses the greatest risk to developing fetuses infected in the womb, new research suggests the parasite could alter and amplify a range of neurological disorders, including epilepsy, Alzheimer’s, and Parkinson’s, and also cancer. “This study is a paradigm shifter, ” says one of the team, neuroscientist Dennis Steindler from Tufts University. “We now have to insert infectious disease into the equation of neurodegenerative diseases, epilepsy, and neural cancers.” The findings are part of an emerging field of research looking into how T. gondii, which is usually transmitted to humans via contact with cat faeces (or by eating uncooked meat), produces proteins that alter and manipulate the brain chemistry of their infected hosts. Read more of this story at Slashdot. 
From a Reuters report, shared by a few readers on Twitter: Germany’s BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week. Analyses by computer experts showed that waves of attacks had been launched via software updates of the M.E.Doc accounting software since April, the BSI said in a statement. Read more of this story at Slashdot. 
An anonymous reader quotes a report from The Guardian: The world’s first floating windfarm has taken to the seas in a sign that a technology once confined to research and development drawing boards is finally ready to unlock expanses of ocean for generating renewable power. After two turbines were floated this week, five now bob gently in the deep waters of a fjord on the western coast of Norway ready to be tugged across the North Sea to their final destination off north-east Scotland. The ~$256 million Hywind project is unusual not just because of the pioneering technology involved, which uses a 78-meter-tall underwater ballast and three mooring lines that will be attached to the seabed to keep the turbines upright. It is also notable because the developer is not a renewable energy firm but Norway’s Statoil, which is looking to diversify away from carbon-based fuels. Read more of this story at Slashdot. 
Millions of people risk having their devices and systems compromised by malicious subtitles, according to a new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and in some cases, working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle ‘attack vector’ as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. “By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device, ” they write. Read more of this story at Slashdot.