Stories with Tag Computer Security

• Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours

  permalink

  Posted: 2025-03-17 11:06:24

  Verbose tl;dr

  Researchers have demonstrated a method for cracking the Akira ransomware's encryption using sixteen RTX 4090 GPUs. By exploiting a vulnerability in Akira's implementation of the ChaCha20 encryption algorithm, they were able to brute-force the 256-bit encryption key in approximately ten hours. This breakthrough signifies a potential weakness in the ransomware and offers a possible recovery route for victims, though the required hardware is expensive and not readily accessible to most. The attack relies on Akira's flawed use of a 16-byte (128-bit) nonce, effectively reducing the key space and making it susceptible to this brute-force approach.

  A recent report by Tom's Hardware details a significant breakthrough in combating the Akira ransomware, a malicious software that encrypts victims' files and demands payment for their release. Researchers at Sophos, a cybersecurity firm, have discovered a vulnerability in Akira's encryption implementation that allows for the recovery of encrypted data without paying the ransom. This vulnerability stems from Akira's usage of a relatively weak encryption key generation process. While Akira nominally uses a 256-bit encryption key, providing a theoretically immense number of possible combinations, the actual key generation method produces keys significantly weaker than a true 256-bit key would suggest.

  This weakness allows for a brute-force attack, a method of systematically trying all possible keys until the correct one is found, to become a feasible decryption strategy. Sophos researchers leveraged the immense computational power of sixteen Nvidia RTX 4090 GPUs, high-end graphics cards renowned for their parallel processing capabilities, to perform this brute-force attack. Utilizing these GPUs, they were able to successfully crack the Akira encryption and recover the encrypted data in approximately ten hours.

  This timeframe represents a substantial reduction in decryption time compared to traditional methods, and it highlights the potential of utilizing powerful hardware for breaking relatively weak encryption. While ten hours might still be considered a significant duration in some scenarios, it is substantially faster than the potentially weeks or even months required by other methods or the alternative of succumbing to the ransom demands. The discovery of this vulnerability and the successful demonstration of its exploitability offers a glimmer of hope for victims of Akira ransomware attacks, providing a potential pathway to data recovery without financially supporting criminal enterprises. This breakthrough also underscores the importance of robust encryption key generation in ransomware development, and serves as a reminder of the ongoing cat-and-mouse game between cybersecurity professionals and malicious actors. The research by Sophos has significantly weakened the Akira ransomware's effectiveness and could potentially lead to future developments in combating similar threats.

  • ransomware
  • akira
  • Cybersecurity
  • GPU
  • RTX 4090
  • Encryption
  • Decryption
  • brute-force
  • cracking
  • Exploit
  • information security
  • Computer Security
  • Hardware Acceleration
  • Nvidia
  • parallel processing

  Summary of Comments ( 11 )
  https://news.ycombinator.com/item?id=43387188

  Verbose tl;dr

  Hacker News commenters discuss the practicality and implications of using RTX 4090 GPUs to crack Akira ransomware. Some express skepticism about the real-world applicability, pointing out that the specific vulnerability exploited in the article is likely already patched and that criminals will adapt. Others highlight the increasing importance of strong, long passwords given the demonstrated power of brute-force attacks with readily available hardware. The cost-benefit analysis of such attacks is debated, with some suggesting the expense of the hardware may be prohibitive for many victims, while others counter that high-value targets could justify the cost. A few commenters also note the ethical considerations of making such cracking tools publicly available. Finally, some discuss the broader implications for password security and the need for stronger encryption methods in the future.

  The Hacker News post titled "Akira ransomware can be cracked with sixteen RTX 4090 GPUs in around ten hours" has generated several comments discussing the implications of using powerful GPUs like the RTX 4090 for cracking encryption.

  Some users express skepticism about the practicality of this approach. One commenter questions the feasibility for average users, pointing out the significant cost of acquiring sixteen RTX 4090 GPUs. They suggest that while technically possible, the financial barrier makes it unlikely for most victims of ransomware. Another user echoes this sentiment, highlighting that the cost would likely exceed the ransom demand in many cases. They also raise the point that this method might only work for a specific vulnerability in Akira and wouldn't be a universal solution for all ransomware.

  Others discuss the broader implications of readily available GPU power. One comment points out the increasing accessibility of powerful hardware and its potential to empower both security researchers and malicious actors. They argue that this development underscores the ongoing "arms race" in cybersecurity, where advancements in technology benefit both sides. Another user suggests that this highlights the importance of robust encryption practices, as the increasing power of GPUs could eventually render weaker encryption methods vulnerable.

  A few comments delve into the technical aspects. One user questions the specific algorithm used by Akira and speculates on its susceptibility to brute-force attacks. Another user mentions the importance of key length and how it affects the time required for cracking, emphasizing that longer keys would significantly increase the difficulty even with powerful GPUs.

  One commenter points out the article's potentially misleading title. They clarify that the GPUs weren't cracking the encryption itself, but rather brute-forcing a password which was then used to decrypt the files. This distinction is important, as it implies a weakness in the implementation rather than the underlying encryption algorithm.

  Finally, a few users offer practical advice. One suggests using strong, unique passwords to protect against this type of attack, emphasizing the importance of basic security hygiene. Another user proposes that the best defense against ransomware remains regular backups, allowing victims to restore their data without paying the ransom.

  Overall, the comments reflect a mix of concerns about the practical implications of using GPUs for cracking ransomware, discussions about the broader cybersecurity landscape, and technical insights into the vulnerabilities highlighted by this specific case.

• Learn How to Break AES

  permalink

  Posted: 2025-03-04 17:25:51

  Verbose tl;dr

  The post "Learn How to Break AES" details a hands-on educational tool for exploring vulnerabilities in simplified versions of the AES block cipher. It provides a series of interactive challenges where users can experiment with various attack techniques, like differential and linear cryptanalysis, against weakened AES implementations. By manipulating parameters like the number of rounds and key size, users can observe how these changes affect the cipher's security and practice applying cryptanalytic methods to recover the encryption key. The tool aims to demystify advanced cryptanalysis concepts by providing a visual and interactive learning experience, allowing users to understand the underlying principles of these attacks and the importance of a full-strength AES implementation.

  The blog post, "Learn How to Break AES," by David Wong, presents a comprehensive, interactive tutorial demonstrating various cryptanalytic attacks against simplified versions of the Advanced Encryption Standard (AES). The tutorial is aimed at beginners and intermediate learners interested in practical cryptography, offering a hands-on approach to understanding the vulnerabilities of weakened cipher implementations.

  Wong begins by introducing the core concepts of AES, including its structure as a block cipher, the use of substitution-permutation networks (SPNs), and the different operations within each round: SubBytes (substitution using an S-box), ShiftRows (permutation of bytes within the state), MixColumns (mixing of columns within the state), and AddRoundKey (XORing the state with the round key).

  However, instead of tackling the full AES algorithm immediately, the tutorial uses progressively more complex, reduced-round variants of AES. This pedagogical approach allows learners to grasp the fundamentals of cryptanalysis before confronting the complexity of the full cipher. Each simplified version retains essential AES characteristics, making the learned techniques relevant to understanding the security of the full AES.

  The initial exercises focus on differential cryptanalysis, a powerful technique that exploits the propagation of differences between pairs of plaintexts and their corresponding ciphertexts. Through interactive challenges, users are guided to discover differential characteristics – specific input differences that lead to predictable output differences with a high probability. These characteristics are then leveraged to recover the secret key. The tutorial begins with a 1-round AES variant and progressively increases the number of rounds, illustrating how the complexity of differential cryptanalysis increases with the number of rounds.

  Following differential cryptanalysis, the tutorial delves into linear cryptanalysis. This attack exploits linear approximations of the cipher's operations to deduce information about the key. Similar to the differential cryptanalysis section, interactive exercises guide users through building linear approximations, evaluating their biases, and using these biases to retrieve key bits. Again, simplified AES versions are used to incrementally introduce the concepts and challenges associated with linear cryptanalysis.

  Throughout the tutorial, Wong emphasizes the importance of understanding the mathematical principles underlying each attack. Visualizations and interactive elements help users grasp the complex interactions between the different AES operations and how they contribute to the cipher's security. By breaking down the attacks into manageable steps and providing clear explanations, the tutorial enables learners to develop a practical understanding of cryptanalytic techniques and the strengths and weaknesses of simplified AES versions. While not directly addressing the full AES cipher, the tutorial builds a strong foundation for understanding the principles that contribute to the security of the full algorithm and the challenges involved in attempting to break it.

  • AES
  • Cryptography
  • Cryptanalysis
  • Block Cipher
  • Security
  • Breaking AES
  • Advanced Encryption Standard
  • Cipher
  • Decryption
  • Encryption
  • Computer Security
  • Cybersecurity

  Summary of Comments ( 24 )
  https://news.ycombinator.com/item?id=43257583

  Verbose tl;dr

  HN commenters discuss the practicality and limitations of the "block breaker" attack described in the article. Some express skepticism, pointing out that the attack requires specific circumstances and doesn't represent a practical break of AES. Others highlight the importance of proper key derivation and randomness, reinforcing that the attack exploits weaknesses in implementation rather than the AES algorithm itself. Several comments delve into the technical details, discussing the difference between a chosen-plaintext attack and a known-plaintext attack, as well as the specific conditions under which the attack could be successful. The overall consensus seems to be that while interesting, the "block breaker" is not a significant threat to AES security when implemented correctly. Some appreciate the visualization and explanation provided by the article, finding it helpful for understanding block cipher vulnerabilities in general.

  The Hacker News post "Learn How to Break AES" (linking to an article about breaking weak AES implementations) generated several comments discussing various aspects of AES security and the article's content.

  Several commenters focused on clarifying the nuances of the article's title, emphasizing that the article wasn't about breaking AES itself, but rather exploiting weaknesses in implementations of AES. They pointed out that AES as a cryptographic standard remains strong, and the attacks described targeted specific vulnerabilities in how the algorithm was used, like poor key generation, weak modes of operation, or side-channel attacks. One commenter specifically called out the importance of distinguishing between theoretical and practical attacks, noting that the article's focus was on practically exploitable weaknesses.

  There's discussion about the different types of vulnerabilities exploited, including the use of ECB mode and its inherent insecurity due to leaking information about block patterns. Commenters highlighted how ECB mode should be avoided and recommended safer alternatives like CBC or CTR mode. Related to this, a commenter pointed out the susceptibility of some encryption implementations to padding oracle attacks, where the attacker can deduce information about the plaintext by observing how the system handles padding in encrypted blocks.

  Some comments delve into specific techniques mentioned in the article, such as using known plaintext to break the encryption. One commenter details the process of cribbing, where an attacker with access to both ciphertext and plaintext can potentially recover the key or decrypt other messages.

  Another line of discussion explored the real-world implications of these attacks, with examples like exploiting vulnerabilities in embedded systems or insecure web applications. A commenter highlighted the importance of proper key management and secure random number generation to prevent these types of exploits.

  Finally, a few comments offered additional resources for learning more about cryptography and AES security, including links to books, articles, and tools for analyzing cryptographic implementations.

• Hacker infects 18,000 "script kiddies" with fake malware builder

  permalink

  Posted: 2025-01-25 13:47:52

  Verbose tl;dr

  A hacker tricked approximately 18,000 aspiring cybercriminals ("script kiddies") by distributing a fake malware builder. Instead of creating malware, the tool actually infected their own machines with a clipper, which silently replaces cryptocurrency wallet addresses copied to the clipboard with the attacker's own, diverting any cryptocurrency transactions to the hacker. This effectively turned the tables on the would-be hackers, highlighting the risks of using untrusted tools from underground forums.

  In a fascinating display of digital vigilantism, an unidentified individual, potentially operating under the alias "SkilledStunna," has reportedly compromised the systems of approximately 18,000 aspiring malware creators, often derisively referred to as "script kiddies." These individuals, typically lacking advanced coding skills, rely heavily on pre-built malicious software tools and readily available scripts to carry out cyberattacks. The hacker achieved this infiltration by distributing a counterfeit malware construction kit disguised as legitimate software. This deceptive tool, masquerading as a genuine malware builder, was promoted and disseminated through various online platforms frequented by these novice hackers.

  Unbeknownst to the recipients, the downloaded software package contained a hidden payload. Instead of empowering them to create malware, the program surreptitiously infected their own systems. This cleverly crafted attack delivered a potent dose of ironic justice, turning the tables on those seeking to exploit vulnerabilities for malicious purposes. The malicious payload embedded within the fake builder acted as a self-propagating worm, further spreading the infection within the targeted community.

  The compromised systems were subjected to several intrusive actions. The malicious software reportedly exfiltrated sensitive data, including saved login credentials stored in web browsers and Discord tokens, providing the attacker with access to potentially numerous online accounts. Furthermore, the malware established persistence on the infected machines, ensuring continued access and control for the perpetrator. The attacker claims to have collected a vast amount of sensitive information, potentially including personally identifiable information and evidence of other illicit activities.

  This incident highlights the inherent risks associated with downloading and utilizing untrusted software, especially from unregulated sources. It serves as a stark reminder that even those seeking to engage in malicious activities are themselves vulnerable to exploitation. The attacker's actions, while ethically ambiguous, underscore the prevalence of deceptive practices within the cybercriminal underground and the ease with which even inexperienced individuals can fall victim to sophisticated attacks. The incident also exposes the potential for such vigilante actions to disrupt, albeit temporarily, the activities of low-skilled malicious actors. While the long-term impact of this particular incident remains to be seen, it undeniably sheds light on the dynamic and often ironic landscape of the cybersecurity world.

  • Cybersecurity
  • Malware
  • hacking
  • Script Kiddies
  • Fake Malware Builder
  • information security
  • cybercrime
  • social engineering
  • Security Research
  • internet security
  • Threat Actors
  • digital security
  • Computer Security

  Summary of Comments ( 18 )
  https://news.ycombinator.com/item?id=42821611

  Verbose tl;dr

  HN commenters largely applaud the vigilante hacker's actions, viewing it as a form of community service by removing malicious actors and their potential harm. Some express skepticism about the 18,000 figure, suggesting it's inflated or that many downloads may not represent active users. A few raise ethical concerns, questioning the legality and potential collateral damage of such actions, even against malicious individuals. The discussion also delves into the technical aspects of the fake builder, including its payload and distribution method, with some speculating on the hacker's motivations beyond simple disruption.

  The Hacker News post titled "Hacker infects 18,000 'script kiddies' with fake malware builder," linking to a BleepingComputer article, generated a substantial discussion with a variety of perspectives.

  Several commenters focused on the irony and poetic justice of the situation. They found humor in aspiring malware creators becoming victims themselves, highlighting the lack of technical skills among this group. Some saw it as a form of natural selection within the hacking community. The term "script kiddie" itself was discussed, with some arguing that it accurately described the targeted individuals, while others felt it was derogatory.

  The technical aspects of the fake malware builder were also dissected. Commenters speculated on the methods used to distribute the fake tool, likely through forums and shady online communities frequented by those seeking such software. The payload of the fake builder, which collected system information, was analyzed, with some questioning its effectiveness and the potential risks to the victims.

  Some commenters raised ethical concerns. While acknowledging the irony, they questioned the vigilante justice aspect of the hacker's actions. They debated the legality and morality of infecting others' computers, even if those individuals had malicious intent. The potential for collateral damage, such as infecting innocent users who may have downloaded the fake builder out of curiosity or by mistake, was also mentioned.

  A few commenters expressed skepticism about the reported number of infected users, suggesting it might be inflated. Others discussed the broader implications of this incident for cybersecurity and the prevalence of malware creation tools online. Some pointed out the need for better education and awareness to prevent individuals from falling prey to such scams and from pursuing illegal activities.

  Finally, some commenters offered practical advice, such as emphasizing the importance of verifying the source of any software downloaded online and using reputable antivirus solutions. They also recommended learning legitimate programming and cybersecurity skills instead of engaging in malicious activities.

• DoubleClickjacking: A New type of web hacking technique

  permalink

  Posted: 2025-01-14 04:44:06

  Verbose tl;dr

  DoubleClickjacking is a clickjacking technique that tricks users into performing unintended actions by overlaying an invisible iframe containing an ad over a legitimate clickable element. When the user clicks what they believe to be the legitimate element, they actually click the hidden ad, generating revenue for the attacker or redirecting the user to a malicious site. This exploit leverages the fact that some ad networks register clicks even if the ad itself isn't visible. DoubleClickjacking is particularly concerning because it bypasses traditional clickjacking defenses that rely on detecting visible overlays. By remaining invisible, the malicious iframe effectively hides from security measures, making this attack difficult to detect and prevent.

  The blog post by Paulo Syibelo introduces "DoubleClickjacking," a novel web-based attack vector that exploits the trust users place in double-clicking actions. The core vulnerability lies in the way websites handle these double-clicks, often assigning them different functions than single clicks. Syibelo argues that attackers can manipulate this behavior to trick users into performing unintended actions with potentially severe consequences.

  The attack typically involves overlaying a seemingly innocuous element, such as a button or link, over a legitimate website element. This overlay is transparent or visually disguised to blend seamlessly with the underlying content. When the user believes they are interacting with the visible element through a double-click, they are actually triggering an action on the hidden, underlying element controlled by the attacker. This deception allows attackers to bypass security measures that rely on single-click confirmations, such as transaction authorizations or sensitive data modifications.

  Syibelo provides a hypothetical scenario involving a banking application. An attacker could overlay a fake "View Transaction Details" button over a legitimate "Transfer Funds" button. An unsuspecting user, accustomed to double-clicking to view details, would inadvertently initiate a fund transfer without their explicit consent. This highlights the potential for financial loss and data breaches through DoubleClickjacking.

  The blog post further emphasizes the insidious nature of this attack. Traditional clickjacking protection mechanisms, which focus on preventing single-click hijacking, are ineffective against DoubleClickjacking. Syibelo suggests that the inherent trust users have in double-clicking contributes to the vulnerability, as they are less likely to scrutinize the action compared to a single click, especially if the visual cues appear legitimate.

  While the blog post doesn't offer concrete solutions to mitigate DoubleClickjacking, it serves as a crucial awareness piece, highlighting a potential security gap in web applications and urging developers to consider the implications of double-click functionality. The post concludes by emphasizing the need for further research and the development of robust countermeasures to protect against this emerging threat. Syibelo stresses that as web interactions become more complex, understanding and addressing vulnerabilities like DoubleClickjacking are vital for maintaining online security.

  • DoubleClickjacking
  • Web Hacking
  • Cybersecurity
  • Clickjacking
  • UI Redressing
  • Online Security
  • Malware
  • Browser Security
  • internet security
  • User Interface Attacks
  • Web Attacks
  • Computer Security

  Summary of Comments ( 90 )
  https://news.ycombinator.com/item?id=42693748

  Verbose tl;dr

  Hacker News users discussed the plausibility and impact of the "DoubleClickjacking" technique described in the linked article. Several commenters expressed skepticism, arguing that the described attack is simply a variation of existing clickjacking techniques, not a fundamentally new vulnerability. They pointed out that modern browsers and frameworks already have mitigations in place to prevent such attacks, like the X-Frame-Options header. The discussion also touched upon the responsibility of ad networks in preventing malicious ads and the effectiveness of user education in mitigating these types of threats. Some users questioned the practicality of the attack, citing the difficulty in precisely aligning elements for the exploit to work. Overall, the consensus seemed to be that while the described scenario is technically possible, it's not a novel attack vector and is already addressed by existing security measures.

  The Hacker News post titled "DoubleClickjacking: A New type of web hacking technique" linking to an article on paulosyibelo.com has generated several comments discussing the validity and novelty of the described attack.

  Several commenters point out that this is not a new technique, and is in fact a variant of clickjacking which has been known for a long time. They argue that the article's framing of "DoubleClickjacking" is misleading, as it's simply clickjacking with a double-click trigger, rather than a single click. Some commenters provide links to older resources and discussions about clickjacking, demonstrating the established nature of this type of attack.

  One commenter questions the practical exploitability of this particular double-click variant. They argue that legitimate uses of double-click on the web are relatively rare, and therefore the opportunities for malicious exploitation are limited. They suggest that tricking a user into double-clicking something unintentionally is significantly more difficult than a single click.

  Another commenter discusses the mitigations against clickjacking, such as the X-Frame-Options header, and emphasizes the importance of developers using these protections. They highlight that the vulnerability lies in the vulnerable website's lack of proper defenses, rather than a novel attack vector.

  The discussion also touches upon the user's role in preventing such attacks. One comment suggests being cautious about interacting with embedded content, especially from untrusted sources, regardless of the specific clickjacking technique employed.

  Overall, the comments express skepticism about the "newness" of DoubleClickjacking, clarifying that it's a variation of a well-known attack. They highlight the importance of existing security measures and developer awareness in mitigating these kinds of threats. The practicality of exploiting a double-click scenario is also debated, with some suggesting its limited applicability compared to traditional clickjacking.