Security News

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too
2020-06-30 03:57

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats. "Connections to TLS servers violating these new requirements will fail," Apple warned in its official note.

Got $50k spare? Then you can crack SHA-1 – so OpenSSH is deprecating flawed hashing algo in a 'near-future release'
2020-05-28 21:03

"It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the 'ssh-rsa' public key signature algorithm by default in a near-future release," said OpenSSH maintainer Damien Miller in the release notes for OpenSSH 8.3, echoing similar comments from the 8.2 release notes back in February. The OpenSSH team suggest users and administrators use alternative, more secure hashing algorithms including SHA-2 or the even older ssh-ed25519 or ECDSA as proposed in 2009.

Attorney General: We didn't need Apple to crack terrorist's iPhones – tho we still want iGiant to do it in future
2020-05-18 22:09

The US Department of Justice is once again taking Apple to task for not cooperating with device decryption requests, even after it announced that it had retrieved information from a pair of iPhones without Cupertino's help. "Thanks to the great work of the FBI - and no thanks to Apple - we were able to unlock Alshamrani's phones," said Attorney General Barr.

ICANN asks registrars to crack down on scam coronavirus websites
2020-04-14 09:04

When is ICANN going to do something about the explosion of scammy domains spawned by the COVID-19 pandemic? We can't, the overseers of the internet said last Tuesday, throwing their hands in the air and telling domain registrars that they can - and should.

Microsoft Cracks Infrastructure of Infamous Necurs Botnet
2020-03-10 20:08

Microsoft says it managed to disrupt the Necurs botnet by taking control of the U.S.-based infrastructure that it has been using to conduct its malicious activities. Necurs is a peer-to-peer hybrid botnet that uses a Domain Generation Algorithm to ensure bots could always connect to a command and control server.

LoRaWAN Encryption Keys Easy to Crack, Jeopardizing Security of IoT Networks
2020-01-28 12:02

Researchers are warning that while LoRaWAN itself is perfectly secure, poor device security and user mistakes in configuration and implementation can still lead to hacks and widespread operational disruption. The application-layer security is responsible for confidentiality, with end-to-end encryption between the device and the application server, preventing third parties from accessing the application data being transmitted.

Facebook Cracks Down on Deepfake Videos
2020-01-07 14:27

Despite the difficulties of identifying deepfakes, social media sites are recognizing the need to crack down on the manipulated, misleading videos. Facebook is banning deepfake videos, which stem from a technique of human-image synthesis based on artificial intelligence to create fake content.

Internet of crap (encryption): IoT gear is generating easy-to-crack keys
2019-12-16 14:00

Poor entropy in embedded devices leading to weaker certificates: study. A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won't be an easy one to solve.…