Today Microsoft has released Security Bulletin Advanced Notification for February 2014 Patch Tuesday. The notification dictates five bulletins out of which two have critical Remote Code Execution and rest are important in aspect to severity of security flaw.

A Remote Code Execution vulnerability has been found in Security software of Microsoft i.e. Forefront Protection 2010 for Exchange Server, but this time there will be no new bulletins for Internet Explorer.

Not only this, users of Windows 7, Windows Server 2008 R2, Windows 8 and Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1 are also advised to patch their systems in order to protect themselves from being a victim of malicious code which is exploiting Remote code execution vulnerability.

Except the remote code execution, Microsoft is going to release patches for privilege escalation, information disclosure, and denial of service security flaws in Windows operating system. Privilege escalation is also marked important for .NET framework of Microsoft.

In August 2013 advisory, Microsoft announced: “The availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to, certificates issued under roots in the Microsoft root certificate program. Usage of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”

On the coming patch Tuesday, Microsoft will deprecate MD5 hash for signing certificates for server authentication, code signing, and time stamping and will use SHA-2 for signing such certificates. But updates have already been released to test the impact of it for about six months.

For more details, you can read a report on the risks of using weak hash functions for signing the Digital Certificates.

Many Smartphone applications support, installation or app data storage to an external SD Card, that can be helpful in saving space on the internal memory, but also vulnerable to hackers.

Typically, an app that has permission to read and write data from an SD card has the permission to read all data on that card, including information written by other apps. This means that if you install a malicious application by mistake, it can easily steal any sensitive data from your Phone's SD Card.

To prevent the data from being misused by any other app, the best implementation is to encrypt the data, but that will drop the performance of the device.

On its 10th birthday, as a treat for mobile developers, Facebook has unveiled the source code of its Android security tool called 'Conceal' cryptographic API Java library, that will allow app developers to encrypt data on disk in the most resource efficient way, with an easy-to-use programming interface.

Smaller than other cryptography standards and built for speed, the Conceal might end up the best solution. "We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps" Facebook Software Engineer said in a blog post.

The tool is based on algorithms from OpenSSL, a common open source encryption system for the web:

Conceal is smaller and faster than existing Java crypto libraries, uses AES-GCM, an authenticated encryption algorithm that helps to detect any potential tampering with data. "We instead use AES-GCM which is an authenticated encryption algorithm that not only encrypts the data, but also computes a MAC of the data at the same time." he said.

The library also provides resources for storing and managing keys to protect against known weaknesses in the Android's random number generator. Conceal officially supports Android 2.3 and higher (Gingerbread). It will run on 2.2 (Froyo) phones as well.

The company is already using the tool with the primary Facebook app that runs on Android. Developers can access the Conceal API from GITHUB.

Science Fiction Movies always show the possible direction of the development of technology and gives us the opportunity to think about it. The U.S. Government is also trying to develop such technology that was introduced in movies like Star Trek and TERMINATOR i.e. Self destructing Network of computers, Sensors and other devices.

The agency of the United States Department of Defense which is responsible for funding the development of many technologies, Defense Advanced Research Projects Agency (DARPA) has handed over a contract to IBM for creating a microchip that will self-destruct remotely.

The project announced a year back, known as Vanishing Programmable Resources (VAPR), which is dedicated to developing a CMOS microchip that self-destructs when it receives a certain frequency of radio signal from military command, in order to fully destroy it and preventing it from being used by the enemy.

The U.S. Military uses all kinds of embedded systems and there are obviously concerns about American technology falling into the wrong hands. If Iran shoots a drone out of the sky, there could be all sorts of sensitive data and bleeding-edge technology that could then be collected, analyzed, and reverse-engineered.

"It is nearly impossible to track and recover every device, resulting in an unintended accumulation in the environment and potential unauthorized use and compromise of all intellectual property and technological advantage,” DARPA states.

This target will be achieved by using a fuse or a reactive metal layer initiate shattering when ‘glass substrate’ receives an external Radio Frequency (RF) signal. Once broken, the material would render the device's silicon chip into dust.

“IBM plans is to utilize the property of strained glass substrates to shatter as the driving force to reduce attached CMOS chips into Si and SiO2 powder. A trigger, such as a fuse or a reactive metal layer will be used to initiate shattering, in at least one location, on the glass substrate. An external RF signal will be required for this process to be initiated. IBM will explore various schemes to enhance glass shattering and techniques to transfer this into the attached Si CMOS devices.”

IBM has awarded £3.4 million to design a CMOS microchip that can be turned into silicon dust remotely. I Hope the new destruction technology would stay within the military infrastructure, and not extend their reach to devices like Smartphones and Personal Computers.

The National Institute of Standards and Technology (NIST) had published a document on Jan 2011 that the SHA-1 algorithm will be risky and should be disallowed after year 2013, but it was recently noticed by Netcraft experts that NIST.gov website itself were using 2014 dated SSL certificate with SHA-1 hashes.

"From January 1, 2011 through December 31, 2013, the use of SHA-1 is deprecated for digital signature generation. The user must accept risk when SHA-1 is used, particularly when approaching the December 31, 2013 upper limit. SHA-1 shall not be used for digital signature generation after December 31, 2013." NIST in the document.

Digital signatures facilitate the safe exchange of electronic documents by providing a way to test both the authenticity and the integrity of information exchanged digitally. Authenticity means when you sign data with a digital signature, someone else can verify the signature, and can confirm that the data originated from you and was not altered after you signed it.

A digital certificate is essentially a bit of information that tells the Web server is trusted. Digital signatures are usually applied to hash values that represent larger data.

A Cryptographic hash function like MD5 and SHA-1 can transform input of an arbitrary length to an output of a certain number of bits, typically 128 or 160 bits. The output is called the hash value.

SHA-1 is a hashing algorithm that is currently enjoying widespread adoption. SHA-1 is a 160-bit hash functions, whose job is to ensure the integrity of a given piece of data. Different data yield unique hash values, and any change to a given piece of data will result in a different hash value. This was designed by the National Security Agency (NSA) to be a part of the Digital Signature Algorithm.

But in 2005, Cryptographic weaknesses were discovered in SHA-1. Hashes are designed to minimize the probability that two different pieces of data yield the same hash values, but yes, it is possible that two different data can have the same hash value, according to Cryptographic hash collision theory. 

In February 2005, three female Chinese researchers - Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu have reduced the amount of time needed to find two documents with the same signature. Brute-force is the best way to find such collision points, where two messages can have the same hash value.

The Strength of digital signature is determined by the cryptographic key i.e. 160-bit for SHA-1. There are 2¹⁶⁰ possible SHA-1 hash values and mathematical theory of Chinese researchers tell us that the chances that any two different pieces of data computing to the same value should be about 1 in 2⁶⁹, and the process is about 2,000 times faster than brute force.

At that time, it was predicted that practically doing so would take thousands of years, but today with modern cloud computing technology, such crypto attacks would cost only $700,000, which is an affordable project for well funded hacking group or Intelligence agencies like the NSA, GCHQ.

So it is potentially possible to exploit the SHA-1 crypto hash to spoof any digital signatures, and this is the reason that SHA-1 is being phased out of most governmental applications, and that NIST has recommended that SHA-1 not be used after 2013.

"An attacker able to find SHA-1 collisions could carefully construct a pair of certificates with colliding SHA-1 hashes: one a conventional certificate to be signed by a trusted CA, the other a sub-CA certificate able to be used to sign arbitrary SSL certificates. By substituting the signature of the CA-signed certificate into the sub-CA certificate, certificate chains containing the attacker-controlled sub-CA certificate will pass browser verification checks. This attack is, however, made more difficult by path constraints and the inclusion of unpredictable data in the certificate before signing it."  Netcraft expert said.

For the use of digital signatures, we need the collision resistance property of the hash function. So, the latest Digital certificates of NIST are now verified by VeriSign, and using SHA-2 (SHA-256) with RSA in their certificates.

"In total, more than 98% of all SSL certificates in use on the Web are still using SHA-1 signatures. Netcraft's February 2014 SSL Survey found more than 256,000 of these certificates would otherwise be valid beyond the start of 2017 and, due to the planned deprecation of SHA-1, will need to be replaced before their natural expiry dates."

But not only NIST, other US government organizations are also using an outdated hashing algorithm, including Obamacare website healthcare.gov, donogc.navy.mil and several others.
However, in the same document, NIST also published a deadline of December 31, 2013 for switching over 1024 to 2048-bit certificate.

In February 2013, Symantec announced a multi-algorithm SSL certificates for Web servers that go beyond traditional crypto to include what’s known as the Elliptic Curve Cryptography (ECC) Digital Signature Algorithm (DSA).

ECC offers greater security as compared to other prevalent algorithms and 10,000 times harder to break than an RSA-bit key, i.e. Symantec ECC-256 certificates will offer equivalent security of a 3072-bit RSA certificate.

Since 2011, the collective hacking group, Anonymous and LulzSec were targeting both Government and law-enforcement websites of U.S and UK, by their own DDoS attack tactics which they used to communicate and plan on Chat rooms known as IRCs, but British intelligence agency GCHQ used their own weapon against them.

According to the recent Edward Snowden document, a division of Government Communications Headquarters (GCHQ), which is also very well known as the British counterpart of the NSA, had shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attacks, making the British government the first western government known to have conducted such an attack, NBC news reports.

The same DDoS technique the hackers use to take down government, political and industry websites, including the Central Intelligence Agency (CIA), Federal bureau of Investigation (FBI), the Serious Organized Crime Agency (SOCA), Sony News International and Westboro Baptist Church.

According to the PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, shows that there was a special GCHQ unit known as the Joint Threat Research Intelligence Group (JTRIG) launched an operation called ‘Rolling Thunder’ that perform massive DDOS attacks and uses other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

JTRIG also infiltrated anonymous IRC chatrooms to trace hacktivists real identities and to help send them to the prison for stealing data and attacking several government websites.

The operation allowed JTRIG to identify GZero, whose real name was Edward Pearson, a British hacker of age 25 from New York, who was prosecuted and sentenced to 26 months in prison for stealing 8 million identities and information from 200,000 PayPal accounts.

Another hactivist Jake Davis, nick named Topiary, an 18-year-old member of Anonymous and LulzSec spokesman for Scotland, was arrested in July 2011 and was sentenced to 24 months in a youth detention center.

Today Jake tweeted that, "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing" and "who are the real criminals?"

A slide headlined “DDOS” refers to the operation known as “Rolling Thunder” The conversation between two hacktivists quotes, “Was there any problem with the IRC [chat room] network?” asks one. “I wasn’t able to connect the past 30 hours.” “Yeah,” responds another. “We’re being hit by a syn flood. I didn’t know whether to quit last night, because of the DDOS.”

In a statement to NBC news, a GCHQ spokesperson said that “All of GCHQ's work is carried out in accordance with a strict legal and policy framework,” and that its activities were "authorized, necessary and proportionate."