Thursday, September 19, 2013

Reuters: Technology News: Snowden disclosures prompt warning on widely used computer security formula

Reuters: Technology News
Reuters.com is your source for breaking news, business, financial and investing news, including personal finance and stocks. Reuters is the leading global provider of news, financial information and technology solutions to the world's media, financial institutions, businesses and individuals. // via fulltextrssfeed.com 
Pay Off Debt Faster

Tackle your debt and protect your credit with our free online tools.
From our sponsors
Snowden disclosures prompt warning on widely used computer security formula
Sep 20th 2013, 03:56

RSA SecureID electronic keys are pictured in a photo illustration taken in Singapore June 8, 2011. REUTERS/Michael Caronna

RSA SecureID electronic keys are pictured in a photo illustration taken in Singapore June 8, 2011.

Credit: Reuters/Michael Caronna

By Joseph Menn

SAN FRANCISCO | Thu Sep 19, 2013 11:56pm EDT

SAN FRANCISCO (Reuters) - In the latest fallout from Edward Snowden's intelligence disclosures, a major U.S. computer security company warned thousands of customers on Thursday to stop using software that relies on a weak mathematical formula developed by the National Security Agency.

RSA, the security arm of storage company EMC Corp, told current customers in an email that a toolkit for developers had a default random-number generator using the weak formula, and that customers should switch to one of several other formulas in the product.

Last week, the New York Times reported that Snowden's cache of documents from his time working for an NSA contractor showed that the agency used its public participation in the process for setting voluntary cryptography standards, run by the government's National Institute of Standards and Technology, to push for a formula that it knew it could break.

NIST, which accepted the NSA proposal in 2006 as one of four systems acceptable for government use, this week said it would reconsider that inclusion in the wake of questions about its security.

But RSA's warning underscores how the slow-moving standards process and industry practices could leave many users exposed to hacking by the NSA or others who could exploit the same flaw for years to come.

RSA had no immediate comment. It was unclear how the company could reach all the former customers of its development tools, let alone how those programmers could in turn reach all of their customers.

Developers who used RSA's "BSAFE" kit wrote code for Web browsers, other software, and hardware components to increase their security. Random numbers are a core part of much modern cryptography, and the ability to guess what they are renders those formulas vulnerable.

The NSA-promoted formula was odd enough that some experts speculated for years that it was flawed by design. A person familiar with the process told Reuters that NIST accepted it in part because many government agencies were already using it.

But after the Times report, NIST said it was inviting public comments as it re-evaluated the formula.

"If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible," NIST said on September 10.

Snowden, who is wanted on U.S. espionage charges and is living in temporary asylum in Russia, disclosed secret NSA programs involving the collection of telephone and email data.

(Reporting by Joseph Menn; Editing by Eric Beech)

  • Link this
  • Share this
  • Digg this
  • Email
  • Reprints

You are receiving this email because you subscribed to this feed at blogtrottr.com.

If you no longer wish to receive these emails, you can unsubscribe from this feed, or manage all your subscriptions

0 comments:

Post a Comment

 
Great HTML Templates from easytemplates.com.