Security

You're taking the p... Linux encryption app Cryptkeeper has universal password: 'p'

Give 'p's a chance... no?


Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: "p".

The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem's command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated 'p' keypress – instead, it sets passwords for folders to just that letter.

Cryptkeeper's developer appears to have abandoned the project. Luckily, it's not used by that many people – although it makes the bug no less tragically hilarious. It essentially executes this code to pass parameters to encfs:

write (fd[1], "p\n", 2);
write (fd[1], password, strlen (password));
write (fd[1], "\n", 1);

However, encfs is executed with the -S switch which means it's supposed to read the password from stdin without a prompt. Previously, encfs was bugged and didn't quite do this. A bugfix corrected its operation to match its documentation – which made it incompatible with Cryptkeeper's assumptions.

So that's why Cryptkeeper sets all its directory passwords to "p": encfs was updated and that broke Cryptkeeper's interface.

Debian developer Simon McVittie has recommended the app be punted out of the Linux distro entirely.

"It looks as though cryptkeeper makes assumptions about encfs' command-line interface that are no longer valid," McVittie says in a bug report thread.

Cryptkeeper ... Type "p" for pwned.

"I also notice that cryptkeeper does not check what write() and close() return during its interactions with encfs, which seems very likely to lead to undesired results.

"I have recommended that the release team remove this package from stretch: it currently gives a false sense of security that is worse than not encrypting at all." ®

Send us news
44 Comments

Telegram adds paid tier as it cracks 700 million users

Without so much as a mention of encryption, but with a pastel-hued emoji-heavy nod to ‘sustainable monetization’

Messaging app Telegram, which came to prominence for offering end-to-end encryption that irritated governments, has celebrated passing 700 million active monthly users with a pastel-hued announcement: a paid Premium tier of service.

A Sunday post celebrates the 700 million user milestone by announcing a $4.99/month tier. The Premium tier distinguishes itself from the freebie plebeian tier with the ability to upload 4GB files, unthrottled downloads that come as fast as users' carriers will allow, and the chance to follow up to 1000 channels, create up to 20 chat folders each containing up to 200 chats, and to run four accounts in the Telegram app.

Paying punters will also get exclusive stickers and reactions and won't see ads once they sign up to hand over coin each month.

Continue reading

Protecting data now as the quantum era approaches

Startup QuSecure is the latest vendor to jump into the field with its as-a-service offering

Analysis Startup QuSecure will this week introduce a service aimed at addressing how to safeguard cybersecurity once quantum computing renders current public key encryption technologies vulnerable.

It's unclear when quantum computers will easily crack classical crypto – estimates range from three to five years to never – but conventional wisdom is that now's the time to start preparing to ensure data remains encrypted.

A growing list of established vendors like IBM and Google and smaller startups – Quantum Xchange and Quantinuum, among others – have worked on this for several years. QuSecure, which is launching this week after three years in stealth mode, will offer a fully managed service approach with QuProtect, which is designed to not only secure data now against conventional threats but also against future attacks from nation-states and bad actors leveraging quantum systems.

Continue reading

Cheers ransomware hits VMware ESXi systems

Now we can say extortionware has jumped the shark

Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

"ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

Continue reading

Europe proposes tackling child abuse by killing privacy, strong encryption

If we're gonna go through this again, can we just literally go back in time?

Proposed European regulations that purport to curb child abuse by imposing mass surveillance would be a "disaster" for digital privacy and strong encryption, say cybersecurity experts.

A number of options have been put forward for lawmakers to mull that aim to encourage or ensure online service providers and messaging apps tackle the "detection, removal, and reporting of previously-known and new child sexual abuse material and grooming."

These options range from voluntary detection and reporting of child sexual abuse material (CSAM) and grooming, to legally mandating that service providers find and report such material using whatever detection technology they wish — essentially scanning all private communications and, if necessary, breaking end-to-end (E2E) encryption for everyone.

Continue reading

Biden orders new quantum push to ensure encryption isn't cracked by rivals

Domestic action and international collaboration to make sure you-know-who – OK, China – doesn't get ahead of the game

US president Joe Biden issued two directives on Wednesday aimed at ensuring the nation – and like-minded friends – remain ahead of other countries in the field of quantum computing. Especially as applied to cryptography.

The first directive, an Executive Order, creates a National Quantum Initiative Advisory Committee comprising up to 26 experts from industry, academia, and federal laboratories – all appointed by the president and under the authority of the White House. The committee is an enhancement to the National Quantum Initiative Act – a 2018 law that provides $1.2 billion and a plan for advancing quantum tech.

The other directive is a memorandum designed to promote US leadership in quantum computing while mitigating risks to cryptographic systems.

Continue reading

Kaspersky cracks Yanluowang ransomware, offers free decryptor

Step one, get some scrambled files back. Steps two through 37...

Kaspersky has found a vulnerability in the Yanluowang ransomware encryption algorithm and, as a result, released a free decryptor tool to help victims of this software nasty recover their files.

Yanluowang, named after a Chinese deity and underworld judge, is a type of ransomware that has been used against financial institutions and other firms in America, Brazil, and Turkey as well as a smaller number of organizations in Sweden and China, Kaspersky said yesterday. The Russian security shop said it found a fatal flaw in the ransomware's encryption system and those afflicted can get a free fix to restore their scrambled data.

Symantec's threat hunters uncovered this Windows ransomware strain in the fall and said unknown fiends have been using it to infect US corporations since at least August 2021.

Continue reading

Cooler heads needed in heated E2EE debate, says think tank

RUSI argues for collaboration, while others note all 'scans' compromise secure encryption

End-to-end encryption (E2EE) has become a global flashpoint in the ongoing debate between the security of private communications versus the need of law enforcement agencies to protect the public from criminals.

The Register has written at length about this increasingly strident back-and-forth that is seeing proponents of both sides more entrenched in their beliefs.

London-based think tank the Royal United Services Institute (RUSI) released a report [PDF] this week laying out the contours of the privacy-vs-safety debate, weighing the needs and exploring possible solutions.

Continue reading

OpenSSH takes aim at 'capture now, decrypt later' quantum attacks

Guarding against the forever almost-here crypto-cracking tech

OpenSSH 9 is here, with updates aimed at dealing with cryptographically challenging quantum computers.

The popular open-source SSH implementation aims to provide secure communication in a potentially unsecure network environments. While version 9 is ostensibly focused on bug-fixing, there are some substantial changes lurking within that could catch the unwary, most notably, the switch from the legacy SCP/RCP protocol to SFTP by default.

The OpenSSH group warned the change was coming earlier this year, with a deprecation notice in February's version 8.9 release. Experimental support for transfers using the SFTP protocol as a replacement for the SCP/RCP protocol turned up in version 8.7 in August 2021 with the warning: "It is intended for SFTP to become the default transfer mode in the near future."

Continue reading

IBM powers up cloud service for managing crypto keys

As in encryption, not coins, thankfully

IBM has unveiled a cloud-based key management service that should make it easier for organizations to manage encryption keys across complex multi-cloud hybrid environments, as well as on-premises.

The new support comes in the form of the Unified Key Orchestrator, a multi-cloud key management product sold as a managed service as part of IBM's Cloud Hyper Protect Crypto Services.

Many organizations have by now adopted a multi-cloud strategy, hosting workloads in the most advantageous location, whether that is in a public cloud or in the organization's own datacenter.

Continue reading

Dems propose privacy-respecting digital dollar

ECASH Act calls for Treasury to develop electronic currency, no blockchain required

House Democrats on Monday plan to introduce a law bill that calls for the development of an electronic version of the US dollar that has the same legal status and privacy expectations as physical currency.

The bill, titled Electronic Currency and Secure Hardware (ECASH) Act, would direct the US Treasury Department to establish a program to coordinate the development and implementation of e-cash and the technology necessary to support it, such as cryptographic hardware.

Sponsored by Rep Stephen Lynch (D-MA), Chairman of the Task Force on Financial Technology, and by Rep Jesús "Chuy" García (D-IL), who serves on the Committee on Financial Services, the ECASH Act represents a response to recent calls by the US Federal Reserve and the Biden administration to promote the development of digital assets.

Continue reading