Happy Holidays from SSL.com! We hope that you’ve all had a happy and prosperous 2019 and are looking forward to big things in 2020 (as are we)! In our final roundup of the year, we’ll be talking about:
- A “secure” messaging app that turned out to be a tool for government spying
- Cisco’s self-signed certificate expiration issue
- New records for RSA key factoring and discrete logarithm computation
And when you’re finished here, please also check out our new article on what certificate authorities (CAs) do and how hard it is to be one!
Messaging App ToTok is U.A.E. Spy Tool
On December 22, the New York Times reported that a popular messaging app ToTok is also a spying tool used by the United Arab Emirates (U.A.E.) government to “try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.” Emirati citizens were attracted to the app because the U.A.E. blocks the functionality of encrypted messaging applications such as WhatsApp and Skype.
ToTok was revealed to the Times to be a spying tool by both U.S. officials who had seen a classified intelligence assessment, and an anonymous digital security expert who said he had gotten the information from “senior Emirati officials.” The app, which bills itself as “secure” despite making no claims of end-to-end encryption, was also widely promoted by Chinese telecom company Huawei.
Both Apple and Google have already removed ToTok from their app stores, but by then the app had already been downloaded millions of times.
Self-signed certificates on many Cisco devices about to expire
Cisco’s field notice FN-70498 (December 20, 2019) warns users that self-signed X.509 certificates on devices running affected releases of Cisco IOS or IOS XE software will expire at midnight on January 1, 2020. Additionally, new self-signed certificates cannot be created on these devices after this date unless a software upgrade is applied.
After updating the device’s software, any self-signed certificates must be regenerated and exported to any devices requiring it in their trust store.
Cisco notes that:
This issue affects only self-signed certificates that were generated by the Cisco IOS or Cisco IOS XE device and applied to a service on the device. Certificates that were generated by a Certificate Authority (CA), which includes those certificates generated by the Cisco IOS CA feature, are not impacted by this issue.
Following Cisco’s announcement, Rapid7 Labs used Sonar scan data to identify “over 80,000 Cisco devices that will likely be impacted by this impending expiration issue.” Could yours be among them?
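One way to answer that question for your own inventory is to parse the output of each device’s `show crypto pki certificates` command and flag on-box self-signed certificates whose validity ends on or before midnight, January 1, 2020. The following script is an added example (not Cisco’s or SSL.com’s code); the sample output embedded in it is constructed and modelled on the IOS CLI layout, which is an assumption you should check against your own devices. CA-issued certificates, including those from the Cisco IOS CA feature, are left alone because their issuer and subject differ.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the layout of Cisco IOS "show crypto pki certificates"
# output (the exact layout is an assumption; compare with your own devices).
SAMPLE_OUTPUT = """\
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-1234567890
  Subject:
    Name: IOS-Self-Signed-Certificate-1234567890
    cn=IOS-Self-Signed-Certificate-1234567890
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2015
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-1234567890

Certificate
  Status: Available
  Certificate Serial Number (hex): 1A2B3C
  Certificate Usage: General Purpose
  Issuer:
    cn=corp-issuing-ca
  Subject:
    Name: router1.example.com
    cn=router1.example.com
  Validity Date:
    start date: 12:00:00 UTC Mar 3 2019
    end   date: 12:00:00 UTC Mar 2 2022
  Associated Trustpoints: corp-ca
"""

# Expiry named in Cisco field notice FN-70498: midnight at the start of 2020-01-01.
CUTOFF = datetime(2020, 1, 1)
DATE_FORMAT = "%H:%M:%S %Z %b %d %Y"


def parse_certificates(text):
    """Split CLI output into one dict per certificate block (blocks start unindented)."""
    certs = []
    current = None
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = {"title": raw.strip(), "issuer": None, "subject": None,
                       "start": None, "end": None, "trustpoints": ""}
            certs.append(current)
            section = None
            continue
        line = raw.strip()
        if line.startswith("Issuer:"):
            section = "issuer"
        elif line.startswith("Subject:"):
            section = "subject"
        elif line.startswith("Validity Date:"):
            section = "validity"
        elif line.startswith("Associated Trustpoints:"):
            current["trustpoints"] = line.split(":", 1)[1].strip()
            section = None
        elif section in ("issuer", "subject") and line.startswith("cn="):
            current[section] = line[3:]
        elif section == "validity":
            m = re.match(r"(start|end)\s+date:\s*(.+)", line)
            if m:
                current[m.group(1)] = datetime.strptime(m.group(2).strip(), DATE_FORMAT)
    return certs


def is_self_signed(cert):
    """On-box self-signed certificates have issuer == subject; CA-issued ones do not."""
    return cert["issuer"] is not None and cert["issuer"] == cert["subject"]


def affected_certificates(text, cutoff=CUTOFF):
    """Trustpoints of self-signed certificates that expire on or before the cutoff."""
    return [c["trustpoints"] for c in parse_certificates(text)
            if is_self_signed(c) and c["end"] is not None and c["end"] <= cutoff]


if __name__ == "__main__":
    for trustpoint in affected_certificates(SAMPLE_OUTPUT):
        print(f"regenerate after upgrade: {trustpoint}")
```

Run it against saved CLI captures from each device; every trustpoint it prints needs the software upgrade, a regenerated certificate, and a re-export to any peer that pins the old certificate in its trust store.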
New RSA Key-Cracking Record
Dan Goodin at Ars Technica reports that a team of researchers led by Emmanuel Thomé of France’s National Institute for Computer Science and Applied Mathematics has set new records by factoring the “largest RSA key size ever computed and a matching computation of the largest-ever integer discrete logarithm.” The records consist of the factoring of RSA-240 (795 bits) and the computation of a discrete logarithm of the same size.
These records are not due solely to Moore’s Law (the tendency for the number of transistors in ICs to double every two years), as the computational speed gains are greater than would be predicted by incremental hardware improvements alone. Instead, the researchers credit improvements in the software implementation of the Number Field Sieve algorithm used to perform the calculations:
To demonstrate the boost in efficiency, the researchers ran their software on hardware that was identical to that used to compute the 768-bit discrete logarithm in 2016. They found that using the old hardware to sieve the record 795-bit size would take 25% less time than it took the same equipment to perform the 768-bit DLP computation.
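To put that 25% figure in perspective, the following added example (not the researchers’ code) uses the standard heuristic asymptotic cost of the Number Field Sieve, L_n[1/3, (64/9)^(1/3)], to estimate how much harder a 795-bit computation is than a 768-bit one, and from that how large a software speedup the identical-hardware comparison implies. The estimate ignores lower-order terms in the complexity, so treat the result as a rough ratio rather than a measurement; the 25% and the 2016 and 2019 dates come from the text above.

```python
import math

# Standard heuristic asymptotic cost of the Number Field Sieve:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
# Lower-order terms are ignored, so ratios derived here are rough estimates.
NFS_C = (64 / 9) ** (1 / 3)


def nfs_log_cost(bits):
    """Natural log of the heuristic NFS cost for an n of the given bit length."""
    ln_n = bits * math.log(2)
    return NFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def relative_cost(bits_new, bits_old):
    """How many times harder a bits_new problem is than a bits_old one, per the heuristic."""
    return math.exp(nfs_log_cost(bits_new) - nfs_log_cost(bits_old))


def implied_software_speedup(bits_new, bits_old, time_ratio):
    """Given that the larger problem ran in time_ratio of the smaller problem's time on
    identical hardware, estimate the speedup attributable to the software alone."""
    return relative_cost(bits_new, bits_old) / time_ratio


def moore_hardware_speedup(years, doubling_years=2.0):
    """Speedup that transistor doubling every two years (Moore's Law) would predict."""
    return 2 ** (years / doubling_years)


if __name__ == "__main__":
    harder = relative_cost(795, 768)
    # 25% less time than the 768-bit run on the same equipment, per the text above
    software = implied_software_speedup(795, 768, time_ratio=0.75)
    print(f"795-bit vs 768-bit heuristic cost ratio: {harder:.2f}x")
    print(f"implied software speedup on identical hardware: {software:.2f}x")
    print(f"Moore's Law alone, 2016 -> 2019: {moore_hardware_speedup(3):.2f}x")
```

The heuristic puts the 795-bit problem at roughly 2.25 times the cost of the 768-bit one, so finishing it in three quarters of the time on the same machines points to a software speedup of about 3x, which is why the researchers credit the implementation rather than hardware trends.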