News & Updates


Security researcher Jean-Baptiste Bédrune of Quarkslab and cryptographer Marion Videau have discovered a number of security vulnerabilities in the popular encryption platform VeraCrypt. A new audit of the disk-encryption software revealed eight critical, three medium and 15 low-severity vulnerabilities.

VeraCrypt is a project based on TrueCrypt 7.1a and maintained by IDRIX; it was launched after the shocking shutdown of the TrueCrypt project in 2014.

The experts analyzed VeraCrypt version 1.18 and the DCS EFI Bootloader 1.18 (UEFI); their analysis focused on the new features introduced since the security audit of TrueCrypt conducted in April 2015.


One of the most important features implemented in VeraCrypt 1.18 is UEFI support; its code lives in a separate repository named VeraCrypt-DCS (Disk Cryptography Services). This new module is considered much less mature than the rest of the project, and some parts are still incomplete or not implemented at all.

“As explained in The Length of the Password Can Be Computed When Encryption Is Activated, on startup, keystrokes are stored in a specific buffer of the BIOS Data Area. A parallel can be drawn to UEFI: each driver has its own buffer containing the keystrokes. The address of this buffer is not known, and fully depends on the implementation. The password supplied by the user is read character per character with the GetKey function of the VeraCrypt bootloader.” “It is difficult to make sure the driver implementation will erase the buffer containing the keystrokes.”

They discovered that boot passwords in UEFI mode could be retrieved by an attacker because the application fails to erase passwords from memory when users change them.

“The data handled by the boot loader are rarely erased. The user password is properly cleared at startup. However, when a user changes his password, the Password structures containing the new password will not be erased (see the SecRegionChangePwd function in DcsInt / DcsInt.c). TrueCrypt’s developers and VeraCrypt’s have carefully checked if sensitive data was correctly cleared in memory. This level of care has not been taken into DCS yet,” reads the audit report published by the experts.
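The defect the auditors describe, a password-change routine that consumes the new password and then leaves both Password structures in memory, is illustrated below beside a variant that wipes them. This is an added example, not code from VeraCrypt or DCS: the Password structure, password_set, rekey_stub and the two change_password functions are hypothetical stand-ins, and secure_zero uses a volatile pointer so the compiler cannot discard the wipe as a dead store.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical password structure, loosely modelled on what a boot loader
 * keeps in memory; it is not the VeraCrypt/DCS definition. */
#define MAX_PASSWORD 64
typedef struct { uint32_t length; uint8_t text[MAX_PASSWORD + 1]; } Password;

/* Zero a buffer so the optimizer cannot drop the store as dead: writes through
 * a volatile pointer must be emitted (memset_s/explicit_bzero do the same). */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}
/* Fill a Password structure from a C string (constructed test input). */
void password_set(Password *pw, const char *s) {
    size_t n = strlen(s);
    if (n > MAX_PASSWORD) n = MAX_PASSWORD;
    memset(pw, 0, sizeof *pw);
    memcpy(pw->text, s, n);
    pw->length = (uint32_t)n;
}
/* 1 if every byte of the structure is zero, else 0. */
int password_is_wiped(const Password *pw) {
    const uint8_t *b = (const uint8_t *)pw;
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof *pw; i++) acc |= b[i];
    return acc == 0;
}
/* Stand-in for "re-encrypt the volume header under the new password":
 * a 32-bit FNV-1a tag over the password bytes, so the password is used. */
uint32_t rekey_stub(const Password *pw) {
    uint32_t tag = 2166136261u;
    for (uint32_t i = 0; i < pw->length; i++) tag = (tag ^ pw->text[i]) * 16777619u;
    return tag;
}
/* The pattern the audit describes: the new password is consumed and then
 * simply left in memory for the rest of the boot. */
uint32_t change_password_unwiped(Password *old_pw, Password *new_pw) {
    (void)old_pw;                 /* not needed by the stub */
    return rekey_stub(new_pw);    /* *old_pw and *new_pw still hold plaintext */
}
/* Hardened variant: both structures are wiped before returning. */
uint32_t change_password_wiped(Password *old_pw, Password *new_pw) {
    uint32_t tag = rekey_stub(new_pw);
    secure_zero(old_pw, sizeof *old_pw);
    secure_zero(new_pw, sizeof *new_pw);
    return tag;
}
```

Checking password_is_wiped on every copy of a secret after the routine that used it returns is the kind of review the auditors say TrueCrypt and VeraCrypt received but DCS had not yet.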

Other critical issues concern the implementation of the GOST 28147-89 symmetric block cipher, which is known to be affected by implementation errors.

“Remove GOST 28147-89 and more generally any 64-bit block cipher from the list of available block ciphers,” states the report.

Critical, medium and many low-severity vulnerabilities have been fixed in VeraCrypt release 1.9. However, a number of flaws remain unfixed because patching them is highly complex.

“All the vulnerabilities that have been taken into account have been correctly fixed (except a minor missing fix for one of them). In particular, the problem leading to a privilege escalation discovered by James Forshaw in the TrueCrypt driver just after the OCAP audit has been solved. Vulnerabilities which require substantial modifications of the code or the architecture of the project have not been fixed,” states the report.

Audits of this kind are very important for users’ security: they speed up the process of finding and fixing bugs.

“VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software,” the Open Source Technology Improvement Fund says of the audit.


Pierluigi Paganini

(Security Affairs – VeraCrypt, encryption)

The post Security audit reveals critical flaws in VeraCrypt, promptly fixed with a new release appeared first on Security Affairs.

Source: Security affairs

The group calling itself The Shadow Brokers who hacked the NSA-linked Equation Group announced the launch of a crowdfunding campaign for the stolen arsenal.

This summer the hacker group Shadow Brokers hacked the NSA-linked group known as the Equation Group and leaked 300 Mb of hacking tools, exploits, and implants.

The Shadow Brokers launched an all-pay auction for the full archive containing the entire arsenal of the Equation Group. In early October, the Shadow Brokers complained that no one had offered money for their precious archive.

Shadow Brokers hacked Equation Group

The auction received offers totalling less than two bitcoins, so the hacker group decided to launch a crowdfunding campaign.

The Shadow Brokers team collected bids for a total of 1.76 bitcoins (roughly $1,100), but the dreaded team was expecting to earn as much as $1 million.

But perhaps we misunderstood the hackers’ intent, because their crowdfunding campaign aims to raise 10,000 bitcoins (roughly $6.4 million).

“TheShadowBrokers is being bored with auction so no more auction. Auction off. Auction finish. Auction done. No winners. So who is wanting password? TheShadowBrokers is publicly posting the password when receive 10,000 btc (ten thousand bitcoins). Same bitcoin address, same file, password is crowdfunding. Sharing risk. Sharing reward. Everyone winning,” reads the announcement published by the group.

Unfortunately for the group, the crowdfunding campaign is not achieving the expected results.

Who is behind the Shadow Brokers crew?

Some experts speculate that it is a group of Russian state-sponsored hackers; others believe it is a group of hackers who simply found the arsenal after an employee or a contractor mistakenly left it unattended on a remote server.

The Shadow Brokers hackers then discovered the server and raided it.

“NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said,” Reuters reported.

“That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.”


Pierluigi Paganini

(Security Affairs – The Equation Group, Shadow Brokers)

The post Shadow Brokers launched a crowdfunding campaign to raise 10,000 bitcoins appeared first on Security Affairs.

Source: Security affairs

Amy Goodman stands with her lawyer, Tom Dickson, outside the Morton County Courthouse. (credit: Democracy Now)

A North Dakota prosecutor’s controversial case against journalist Amy Goodman is over.

On Friday, North Dakota prosecutor Ladd Erickson drew national criticism from press freedom groups when he filed charges claiming that Goodman had participated in a riot when she filmed Native American protesters clashing with police and guards in September. The Native Americans were protesting the beginning of construction work on the Dakota Access Pipeline.

District Judge John Grinsteiner dismissed Erickson’s charges against Goodman. The charges Erickson brought Friday were a substitute for his earlier criminal trespassing charge against Goodman, which he withdrew.



Last week, the British Health and Safety Executive (HSE) fined one of the production companies behind Star Wars: The Force Awakens $1.95 million (£1.6 million) for failing to protect its employees. The accusation was launched by the British regulatory agency after Harrison Ford’s leg was broken by a hydraulic door on the movie’s set.

Foodles Production, a British subsidiary of Disney, was sued by the HSE in February, and the production company admitted guilt in July. The incident took place in 2014, when Ford was 71, and he had to be airlifted to a nearby hospital for treatment. In a July notice, the HSE stated that the weight of the hydraulic door that crushed Ford’s leg “was comparable to the weight of a small car.” The attorney prosecuting the case against Foodles claimed that a production crew operator, believing the cast was in full rehearsal when it was not, accidentally engaged the hydraulic door while Ford was in its path. According to the attorney, the only reason the actor didn’t sustain more injuries was because the operator hit an emergency stop button.

In a notice last week, the British regulator explained: “HSE’s investigation found that there was no automatic emergency cut off, to protect those on set, instead relying on the reactions of the prop operator(s) to bring the door to a stop.”



It’s all fun and games until Ringo goes Neanderthal on you. (credit: Caveman)

Genital warts, or human papillomavirus (HPV), isn’t just a disease of the modern world and its newfangled sexual mores. In fact, various strains of HPV plagued our ancestors long before Homo sapiens evolved. A new study in Molecular Biology and Evolution reveals that when the ancestors of Neanderthals and Denisovans left Africa over 500,000 years ago, they were already carrying a variant of HPV. The early humans who remained in Africa had their own variants of HPV, too. As the two populations evolved, their cancer-causing wart viruses evolved with them–until that fateful moment when Homo sapiens and Neanderthal came together, as it were.

A group of researchers in France and Spain used a common statistical modeling method to trace the evolutionary origins of today’s HPV. By looking at mutated regions in the virus, which occur regularly over time, the researchers discerned that HPV’s origins go back almost half a million years. The question was, how did various strains of HPV (including the extremely carcinogenic HPV16) make their way around the world? Currently, we see almost no HPV16 in Sub-Saharan Africa, while it’s incredibly common elsewhere.

The researchers had two working assumptions: either early humans brought HPV with them out of Africa, and new strains evolved in populations that split off from each other outside Africa; or early humans acquired the ancestral strain of HPV16 from Neanderthals and Denisovans they encountered. After modeling the likelihood of different scenarios, the researchers concluded that the latter fit the facts. They write:



Excerpt of an FBI interview report detailing a Judicial Watch deal with a defense contractor to search for hacked Clinton files.

More records from the Federal Bureau of Investigation’s review of Hillary Clinton’s e-mail practices have been released through the FBI’s Freedom of Information Act site, including interviews with a number of individuals related to the security of the server. One of them was an employee of a defense contractor who claimed he was funded by Judicial Watch to investigate whether Clinton was hacked.

In the interview, the individual, whose name was redacted, claimed that he used the services of Dark Horse Data, a company owned by former Deputy Undersecretary of Defense for Intelligence Reginald Hyde, to search for e-mails associated with Clinton’s personal account. The company focuses on “specialized data acquisition for both US and International customers” and has provided database intelligence analysis to the US government.

The credibility of that information, however, is certainly in doubt. Hyde denied that his company was involved in any such task, telling Ars Technica in a phone interview that he “was quite astounded to learn” of the assertion in the FBI documents and saying that it was like “being asked how your day on Mars was. My company was categorically not involved in this.”



Photographer: Luke Sharrett / Bloomberg (credit: Getty | Bloomberg)

As leading health experts gathered in Washington Monday to discuss the dramatic rise in obesity and type 2 diabetes over the last three decades, PepsiCo Inc. announced goals to slightly reduce added sugars in beverages—a significant driver of the health crises.

According to its new “sustainability agenda,” PepsiCo is giving itself until 2025 to cut back production of beverages that pack more than 100 calories from added sugars in a 12 ounce serving. (Added sugars are those added during food production and processing that are not naturally included in foods, such as the natural sugars found in milk and fruits.) Currently, about 60 percent of PepsiCo’s beverages contain more than 100 calories from added sugars; the company’s goal is to get that down to 33 percent in the next nine years. The efforts, the company said, will help “meet changing consumer needs.”

High-calorie culprits include the company’s flagship beverage, Pepsi, which contains 150 calories and 41 grams of sugar (or about 10.25 teaspoons) in a 12 ounce can. PepsiCo’s Mountain Dew contains 170 calories and 46 grams of sugar in a 12 ounce serving. And Starbucks Frappuccino coffee drink, also made by the company, contains 290 calories and 46 grams of sugar in a 13.7 fluid ounce serving.




A website used to fund the campaigns of Republican senators was infected with malware that for more than six months collected donors’ personal information, including full names, addresses, and credit card data, a researcher said.

The storefront for the National Republican Senatorial Committee was one of about 5,900 e-commerce platforms recently found to be compromised by malicious skimming software, according to researcher and developer Willem de Groot. He said the NRSC site was infected from March 16 to October 5 by malware that sent donors’ credit card data to attacker-controlled domains. One of the addresses—jquery-code[dot]su—is hosted by dataflow[dot]su, a service that provides so-called bulletproof hosting to money launderers, sellers of synthetic drugs and stolen credit card data, and other providers of illicit wares or services.

De Groot said it’s not clear how many credit cards were compromised over the six months the site was infected. Based on data from TrafficEstimates, the NRSC site received about 350,000 visits per month. Assuming 1 percent of those visits involved the visitor using a credit card, that would translate to 3,500 transactions per month, or about 21,000 transactions over the time the site was compromised. Assuming a black market value of $4 to $21 per compromised card, the crooks behind the hack may have generated revenue of $600,000.



Don’t worry — Julian Assange is alive and kicking! But his Internet connection is dead.

Earlier today, Wikileaks tweeted that its co-founder, Julian Assange, had his internet connection intentionally cut by an unidentified “state party.”

The non-profit organization said it had “activated appropriate contingency plans,” giving no further explanation.

The tweet came after Wikileaks posted a