The vulnerability of university's cryptosystem and its susceptibility to attack

A nice hoax, this is not true: AES, the United States government encryption standard, is officially announced as broken in the practical sense. Inthe NSA launched a plan to [

If you are from India and have ordered a burger at McDonald's, your personal details are at risk. There is no authentication or authorization check in the API used by the application. Sending request to "http: The customer id is a sequential number. All an attacker needs to do is create a script and increase the number to dump all customer data.

The researchers reported the issue to McDelivery on 4th February. From 7th March, Fallible tried to contact McDelivery to learn the status.

However, there has been no response from their side. The bug is still not fixed at the time of writing.

This feature allows a user to make online transactions after the identity of the customer is verified by entering the OTP sent by the bank to the registered mobile number.

But who knew this security feature could be easily bypassed and lead to a huge loss of money? A white-hat hacker, bug bounty hunter and web application security researcher, Neeraj Edwards, shared his research on how he could easily bypass the OTP of one of the most popular banks, State Bank of India (SBI), and make a transaction of any amount.

The transaction will then be completed without entering the OTP. The vulnerability was patched after Edwards' discovery, but it was highly disappointing that the person who could easily have benefited from this vulnerability, but chose not to, was neither rewarded nor acknowledged for his work.

The press, too, did not carry this important news, thus keeping the public in the dark and keeping the discoverer from any recognition.

DROWN attack risks millions of popular websites

An international team of researchers warned that more than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a new, low-cost attack that decrypts sensitive communications in a few hours.

The cybersecurity experts from universities in Israel, Germany and the US as well as a member of Google's security team found that more than 81, of top one million popular websites are vulnerable.

The researchers said many popular sites - including ones belonging to Samsung, Yahoo and a leading Indian bank - appeared to be vulnerable. The transport layer security protocol allows everyone on the internet to browse the web, use e-mail, shop online and send instant messages without third parties being able to read the communication.

DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.

Websites, mail servers, and other TLS-dependent services are at risk for this attack, and many popular sites are affected. In practice, older email servers would be more likely to have this problem than the newer computers typically used to power websites.

In addition, because many of the servers vulnerable to DROWN were also affected by a separate bug, a successful attack could be carried out using a home computer. Although a fix has been issued, it will take time for many website administrators to protect their systems.

Attacks

There are 3 attack methods:

1. In a ciphertext-only attack, the adversary has only the ciphertext.
   a. The goal is to find the corresponding plaintext.
   b. The adversary may also try to find the key.
2. In a known-plaintext attack, the adversary has the ciphertext and the plaintext that was enciphered.
   a. The goal is to find the key.
3.

The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange.

The reasons for the intrinsic vulnerability of the Internet can be found in the engineering of its switches, routers and network connections, which are owned by the Internet Service Providers (ISPs) and by the communication carriers.

A Secure Cryptosystem based on Affine Transformation proved that his cryptosystem is vulnerable to the known-plaintext attack [9], the same vulnerability of the original Hill cipher.

Ismail et al. [5] tried to improve the Hill cipher's and its cryptanalysis. The proposed cryptosystem and its attributes, including evaluation of its. Susceptibility to code execution, elevation of privileges, memory corruption, buffer overflow, etc.

A more in-depth description of the two main web application attacks, SQL injection and cross-site scripting, can be found in the “Building ‘attack-resistant’ application software” web page.

Aug 10, · A group of researchers from Rice University and AT&T Labs have used off-the-shelf methods to carry out an attack on a known wireless encryption flaw -- .
