(credit: martinak15 ) The cost and time required to break 512-bit RSA encryption keys has plummeted to an all-time low of just $75 and four hours using a recently published recipe that even computing novices can follow. But despite the ease and low cost, reliance on the weak keys to secure e-mails, secure-shell transactions, and other sensitive communications remains alarmingly high. The technique, which uses Amazon’s EC2 cloud computing service , is described in a paper published last week titled Factoring as a Service . It’s the latest in a 16-year progression of attacks that have grown ever faster and cheaper. When 512-bit RSA keys were first factored in 1999, it took a supercomputer and hundreds of other computers seven months to carry out. Thanks to the edicts of Moore’s Law – which holds that computing power doubles every 18 months or so – the factorization attack required just seven hours and $100 in March, when “FREAK,” a then newly disclosed attack on HTTPS-protected websites with 512-bit keys , came to light. In the seven months since FREAK’s debut, websites have largely jettisoned the 1990s era cipher suite that made them susceptible to the factorization attack. And that was a good thing, since the factorization attack made it easy to obtain the secret key needed to cryptographically impersonate the webserver or to decipher encrypted traffic passing between the server and end users. But e-mail servers, by contrast, remain woefully less protected. According to the authors of last week’s paper, the RSA_EXPORT cipher suite is used by an estimated 30.8 percent of e-mail services using the SMTP protocol , 13 percent of POP3S servers . and 12.6 percent of IMAP-based e-mail services . Read 6 remaining paragraphs | Comments
See more here:
Breaking 512-bit RSA with Amazon EC2 is a cinch. So why all the weak keys?
The study’s estimate of the proportion of known “insecure,” “maybe secure” and “secure” devices over time. (credit: androidvulnerabilities.org ) It’s easy to see that the Android ecosystem currently has a rather lax policy toward security, but a recent study from the University of Cambridge put some hard numbers to Android’s security failings. The conclusion finds that “on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities.” Data for the study was collected through the group’s ” Device Analyzer ” app, which has been available for free on the Play Store since May 2011. After the participants opted into the survey, the University says it collected daily Android version and build number information from over 20,400 devices. The study then compared this version information against 13 critical vulnerabilities (including the Stagefright vulnerabilities ) dating back to 2010. Each individual device was then labeled “secure” or “insecure” based on whether or not its OS version was patched against these vulnerabilities, or placed in a special “maybe secure” category if it could have gotten a specialized, backported fix. As for why so many Android devices are insecure, the study found that most of the blame sits with OEMs. The group states that “the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.” Along with the study, the University of Cambridge is launching ” AndroidVulnerabilities.org ,” a site that houses this data and grades OEMs based on their security record. The group came up with a 1-10 security rating for OEMs that it calls the “FUM” score. This algorithm takes into account the number of days a proportion of running devices has no known vulnerabilities ( F ree), the proportion of devices that run the latest version of Android ( U pdate), and the mean number of vulnerabilities not fixed on any device the company sells ( M ean). The study found that Google’s Nexus devices were the most secure out there, with a FUM score of 5.2 out of 10. Surprisingly, LG was next with 4.0, followed by Motorola, Samsung, Sony, and HTC, respectively. Read 3 remaining paragraphs | Comments 
