cryptographic Archives

AppWizard

July 21, 2025

How Free Android VPNs Improve HTTP Security in App Development (2025)

The integration of a free Android VPN is essential for mobile application developers to protect sensitive communications by creating an encrypted tunnel between a user's device and a secure server. VPNs enhance HTTP security by encrypting data, making it unreadable to unauthorized entities. They use various encryption protocols such as OpenVPN, WireGuard, and IKEv2/IPSec to secure HTTP connections. Free Android VPNs are cost-effective for developers, allowing secure testing across regions, maintaining security during remote work, and protecting data integrity in app testing. While some free VPNs may compromise user privacy, reputable providers offer secure options with no-log policies. Five recommended free Android VPNs for developers in 2025 include X-VPN, Proton VPN Free, Windscribe, TunnelBear, and Hideme, each with specific features suited for secure app development. Best practices for using free VPNs include verifying VPN protocols, enabling a kill switch, regularly auditing security settings, and using dedicated VPN profiles for app testing.

Winsage

July 17, 2025

Semperis Research Uncovers Critical Flaw in Windows Server 2025 Exposing Managed Service Accounts to Golden DMSA Attack

Semperis has identified a vulnerability in Windows Server 2025, termed Golden dMSA, which allows for high-impact attacks that enable cross-domain lateral movement and persistent access to managed service accounts in Active Directory. The vulnerability exploits a cryptographic flaw in the ManagedPasswordId structure, which has predictable components and limited combinations, making brute-force attacks feasible. Semperis researcher Adi Malyanker developed a tool named GoldenDMSA to help cybersecurity professionals understand and simulate this attack. Additionally, Semperis has uncovered other vulnerabilities, such as nOauth in Microsoft's Entra ID and BadSuccessor, a privilege escalation technique in Windows Server 2025. The company focuses on protecting enterprise identity services and offers various resources for the cybersecurity community.

Winsage

July 17, 2025

Semperis discovers critical flaw in Windows Server 2025

Researchers from Semperis have identified a significant design flaw in Windows Server 2025 that affects managed service accounts, allowing potential high-impact attacks and cross-domain lateral movement. The vulnerability is linked to a cryptographic weakness in the ManagedPasswordId structure, which has predictable components leading to only 1024 possible password combinations. Adi Malyanker developed a tool called GoldenDMSA to exploit this flaw, enabling exploration and simulation of the attack. Detecting related activities requires careful manual log configuration, and while attackers need a KDS root key to exploit the vulnerability, it is accessible only to highly privileged accounts. Semperis has classified this vulnerability as a moderate risk, urging organizations to conduct proactive security assessments.

Winsage

July 17, 2025

Windows Server 2025 Golden dMSA Attack Enables Authentication Bypass and Password Generation

A design flaw in Microsoft’s Windows Server 2025, known as “Golden dMSA,” allows attackers to bypass authentication and generate passwords for all managed service accounts across enterprise networks. This vulnerability exploits a weakness in delegated Managed Service Accounts (dMSAs), reducing cryptographic protections to a brute-force attack requiring only 1,024 attempts. Discovered by Semperis Security Researcher Adi Malyanker, the attack involves extracting cryptographic material from the Key Distribution Services (KDS) root key, enumerating dMSA accounts, guessing ManagedPasswordId attributes, and generating passwords. The KDS root keys do not expire, potentially granting indefinite access. The vulnerability is classified as moderate risk, requiring possession of a KDS root key, accessible only to privileged accounts. Detection of the attack is challenging, as no security events are logged by default when KDS root keys are compromised. Microsoft acknowledged the vulnerability on May 27, 2025, and stated that the features were not intended to protect against domain controller compromises.

Winsage

July 17, 2025

Windows Server 2025 flaw lets attackers persist in Active Directory

Semperis researchers have identified a significant design flaw in Windows Server 2025, known as 'Golden dMSA', which affects delegated Managed Service Accounts (dMSAs) and poses a risk of undetected attacks. This vulnerability allows attackers to gain persistent access to these accounts, facilitating cross-domain lateral movement and compromising resources within Active Directory. The flaw is rooted in a cryptographic issue related to the predictability of the ManagedPasswordId structure, which can be brute-forced due to its limited combinations. To help address this threat, a tool called GoldenDMSA has been developed to simulate the attack's logic for security professionals. Semperis recommends organizations using Windows Server 2025 to proactively assess their managed service accounts and identity infrastructure to mitigate the risks associated with this vulnerability.

AppWizard

July 8, 2025

Jack Dorsey builds offline messaging app Bitchat that works without Wi-Fi or mobile network

Jack Dorsey, co-founder of Twitter and CEO of Block, has launched Bitchat, a messaging application that operates independently of the internet or mobile networks, using Bluetooth mesh networking for secure and anonymous communication. The app, currently in beta testing, does not require phone numbers, email addresses, or user accounts, allowing encrypted messages to be transmitted directly between nearby devices. Messages are end-to-end encrypted and disappear by default, with no data stored on a central server. Bitchat also features group chat rooms, mentions using @handles, and password-protected conversations. A store-and-forward mechanism allows messages to be saved and delivered later. Dorsey plans to integrate Wi-Fi Direct support to enhance communication range and speed. The whitepaper discusses potential use cases for Bitchat, including disaster response and community coordination.

AppWizard

July 8, 2025

Bitchat Bluetooth Messaging App: Works Without Internet Or Phone Numbers; Check Privacy Features, Range, And How It Works

Jack Dorsey has introduced a messaging application named Bitchat, which operates without an internet connection or mobile network by utilizing Bluetooth technology. Users do not need to provide a phone number, email, or create an account. Bitchat employs end-to-end encryption, and messages disappear by default, with no data stored on central servers. The app is available in beta through TestFlight, and a technical whitepaper is accessible on GitHub. Bitchat uses a decentralized peer-to-peer system, allowing nearby devices to exchange messages directly, with the capacity to temporarily store messages for offline users. The app can extend Bluetooth's typical range of 100 meters up to 300 meters by relaying messages through multiple devices. Privacy features include opt-in-only bridging, channel-level permission controls, and cryptographic identity isolation.

Winsage

July 7, 2025

Should you replace your Windows 10 PC on Prime Day? Here’s how to know

Amazon's Prime Day event is from July 8th to July 11th, offering significant discounts on devices. Windows 10 support will end in October, prompting users to either continue with unsupported systems, purchase a year's support, or buy a new model. To check if a PC can be upgraded to Windows 11, users can use the free PC Health Check app, which identifies unmet hardware requirements. A key requirement for Windows 11 is a Trusted Platform Module (TPM), but many devices fail to qualify due to outdated processors rather than TPM absence. If a PC does not qualify for the upgrade, users should consider purchasing a new device, especially with Prime Day deals approaching.

Winsage

June 26, 2025

The Great Migration Starts Here

Organizations must transition to Windows 11 Pro by October 14, 2025, as Windows 10 will no longer receive security updates, increasing vulnerability to cyber threats. The upgrade is complimentary for eligible Windows 10 devices, but compatible hardware is necessary to utilize enhanced security and performance features. Windows 11 Pro PCs include built-in security tools like Windows Hello, BitLocker encryption, and TPM 2.0. Windows AI PCs feature intelligent tools like Windows Copilot for improved efficiency, while Copilot+ PCs, launching in mid-2024, will have dedicated AI processors for advanced capabilities. Security features such as Secure Boot, Virtualization-Based Security, and BitLocker encryption are integral to Windows 11 Pro devices, mitigating risks of malware and unauthorized access. Upgrading to Windows 11 Pro enhances device stability and aligns with sustainability goals through energy-efficient designs.

Winsage

June 11, 2025

Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws

On June 2025 Patch Tuesday, Microsoft released security updates for 66 vulnerabilities, including one actively exploited and one publicly disclosed zero-day vulnerability. The updates addressed ten "Critical" vulnerabilities, with eight being remote code execution vulnerabilities and two related to elevation of privileges. The breakdown of vulnerabilities includes 13 Elevation of Privilege, 3 Security Feature Bypass, 25 Remote Code Execution, 17 Information Disclosure, 6 Denial of Service, and 2 Spoofing vulnerabilities. The actively exploited zero-day vulnerability is CVE-2025-33053, a WebDAV Remote Code Execution vulnerability, while the publicly disclosed zero-day is CVE-2025-33073, a Windows SMB Client Elevation of Privilege vulnerability. Other companies also released updates in June 2025, including Adobe, Cisco, Fortinet, Google, HPE, Ivanti, Qualcomm, Roundcube, and SAP, addressing various vulnerabilities across their products.