Security Alerts & News
by Tymoteusz A. Góral

History
#687 Breaking Steam client cryptography
Older versions of Steam allow an attacker who observes a client connecting to Steam to read sensitive information sent over the network. This allows the attacker to take over the account, bypass SteamGuard, and sometimes view plain-text passwords.

But how? Steam encrypts its entire network connection (at least the Steam-specific parts; there are some suspicious plaintext HTTP requests going around) with AES-256-CBC. And the AES key used (hereafter “session key”) is generated securely on the client, encrypted with RSA-1024 and a hardcoded public key, and sent to Steam; an eavesdropper can’t get at the session key.

RSA and AES aren't broken, but Steam's use of them was.
#691 Samsung Smart Home flaws let hackers make keys to front door
#690 Chrome overtakes Internet Explorer for most popular desktop browser
#689 Secret US spy court approved every surveillance request in 2015
#688 Google patches more trouble in Mediaserver
#687 Breaking Steam client cryptography
#686 Verizon's 2016 Data Breach Investigations Report
#685 Eurocops get new cyber powers to hunt down terrorists, criminals