(get it in RSS or Atom)

Anatomy of a LOGJAM - another TLS vulnerability, and what to do about it

We've had BEAST, Lucky Thirteen, BREACH, BEAST, POODLE, Heartbleed and, it's LOGJAM.

Paul Ducklin explains, and tells you what you can do about it.

FreeBSD and the YARNBUG - more trouble at the Random Number Mill

How do you test your random number generator?

How do you determine, in an ordered way, that a sequence of numbers is entirely disordered?

With difficulty!

SSCC 154: Fraud, viruses, patches and encryption (in that order!) [PODCAST]

Where does your country sit on the fraud list? Just how much can you trust SMSes on Android? Is Apple serious enough about iOS security? And will Google's End-To-End email encryption plugin save the world?

Find out with Chet and Duck in this week's Chet Chat podcast...

WhatsApp mobile messaging app in the firing line again over cryptographic blunder


Popular mobile messaging software WhatsApp is in the firing line again for another security SNAFU.

A Dutch researcher has pointed out that its session encryption breaks a cardinal rule: a one-time pad is supposed to be a *one* time pad!

Android random number flaw implicated in Bitcoin thefts


Bitcoin is in the news again.

Seems that a random number problem on the Android platform is letting crooks get away with cryptographic fraud to make off with other people's BTCs...

Rooting SIM cards - BlackHat speaker says he may be able to "own your phone" with a text message


Mobile security researcher Karsten Nohl says he'll explain at the BlackHat conference how he can remotely "own" mobile phones with a single text message.

Paul Ducklin looks at what Nohl has said so far, and ponders how hard this might be to sort out...

Monday review - the hot 18 stories of the week


Missed any stories in the past seven days?

Here's our weekly roundup, just in case...

AusSHIRT 2013 - the #sophospuzzle instructions in full

The AusCERT 2013 conference has started, so the AusSHIRT 2013 #sophospuzzle is officially live.

See if you can transform the code on the T-shirt and win a prize!

(You don't have to be at the conference to enter.)

IBM takes a big new step in cryptography: practical homomorphic encryption

IBM just released an open source software package called HELib.

HE stands for *homomorphic encryption*, and HELib is an important cryptographic milestone.

Paul Ducklin explains why...

Beware of encryption companies bearing gifts!


An iPhone messaging app that claims to be "totally secure" is offering a £10,000 prize to anyone who can intercept a message from it.

Paul Ducklin wonders how you are supposed to win the prize if the app really is "totally secure"...

Can freezing an Android device crack its encryption keys?

Will chilling an Android phone to -15°C freeze the encryption keys into memory? And if so, can you use a modified version of Android to dig them out?

German researchers had a crack at it - Paul Ducklin takes a look at how things turned out.

SSCC 102 - Probably the best 15 minute security podcast you'll hear today

Sophos security Chet Chat podcast 102

Have your joined thousands of others, and become a loyal listener to the "Chet Chat" yet?

Here's the latest Naked Security podcast, Sophos Security Chet Chat 102, discussing a range of recent and newsworthy topics from the world of computer security.

Monday review - the hot 27 stories of the week

Monday review - the hot 24 stories of the week

Just in case you missed any of our stories last week, here's a little recap.

Boffins 'crack' HTTPS encryption in Lucky Thirteen attack

The security of web transactions is again in the spotlight as a pair of UK cryptographers take aim at TLS.

Like 2011's much-talked-about BEAST attack, it has a groovy name: Lucky Thirteen.

Do programmers understand the meaning of PRIVATE?

Public-key encryption relies on a pair of cryptographic keys, one public and the other private.

You'd think that programmers would be able to tell which one to keep private and which one to make public, wouldn't you?

Kim Dotcom's coders hacking on Mega's cryptography even as we speak - true "perpetual beta" style

Kim Dotcom's new venture, Mega, wants to shield itself from accusations of failing to take action against piracy.

It does so by using cryptography to make sure it doesn't see, and indeed cannot tell, what you've uploaded. But you have to get the crypto right...

Kim Dotcom takes issue with critics taking issue with his new MEGA service

The party-time news of the past weekend was the launch of Kim Dotcom's comeback file sharing service, Mega.

Crypto critics have already taken issue with some aspects of Mega's implementation, and Dotcom has taken issue right back at them...

Windows passwords: "Dead in Six Hours" - paper from Oslo password hacking conference

Windows passwords: "Dead in Six Hours" - paper from Oslo password hacking conference

The total number of Windows passwords you can construct using eight keyboard characters is vast: one followed by 16 zeros, or near enough.

Gone in six hours.

Plus you get to heat your house at the same time.

Monday review - the hot 23 stories of the week

Monday revies - the hot 23 stories of the week

It's weekly summary time.

Here's everything we've written in the last seven days.

VIDEO: How to solve the Skyfall #sophospuzzle

VIDEO: How to solve the Skyfall #sophospuzzle

By popular demand, here is a video showing you how to solve the Skyfall #sophospuzzle.

In James Bond style: recover a stolen file, decrypt it, use it to identify a famous person, find out where he was incarcerated, and geolocate the prison...