Enterprise data is only safe if encryption is working, yet cryptography in the enterprise is routinely taken for granted and rarely evaluated or checked.
The Securities and Exchange Commission’s (SEC) recent regulations, requiring organizations to disclose any major cybersecurity incidents, could catalyze a much-needed shift in perspective and prompt enterprises to take more proactive action to manage cryptographic risk by adopting more forward-thinking practices and policies.
The government has started taking an active role in preparing and protecting federal networks for these uncertain, quantum times. Beyond the SEC, mandates like the National Security Memorandum 8 and 10 and the passing of the Quantum Computing Cybersecurity Preparedness Act, require the adoption of quantum-resistant algorithms by all federal agencies. This will soon see government suppliers and partners under pressure to match these requirements.
A quantum computer will have the power to break today’s encryption standards, creating an unprecedented threat to the security of our nation, global economy, and digital infrastructure.
NIST has sponsored the PQC project to determine the standards and migration guidelines needed to augment and ultimately replace asymmetric key encryption methods.
The PQC migration will be a major undertaking and require the largest global cryptographic transition in the history of computing. NIST warns another 5 years to 15 years will be needed after final standards are published (expected in 2024) for a full transition to be complete. This means organizations that don’t begin to act now could be putting their critical systems and long-duration data at risk of compromise.
Corporate governance should include cryptographic risk management and quantum preparedness as a component of data security and risk mitigation. Officers and directors need to take proactive measures to mitigate the risk of both present-day cryptographic vulnerabilities and a quantum-crypto assault. Here’s why:
The quantum threat is very real. But what remains concerning is the weakening of existing cryptography due to a lack of awareness, planning, board oversight, and accountability. But this will change as organizations feel the pressure from an evolving regulatory environment to start investing in protecting their most valuable assets from the risks brought by the continued advancement of mathematics and computing.
Title: SEC charges SolarWinds CISO with fraud for misleading investors before major cyberattack
The Securities and Exchange Commission (SEC) plans to charge SolarWinds’ Chief Information
Security Officer, Timothy Brown, with fraud for allegedly lying and misleading investors about the company’s cybersecurity practices and known risks. The charges are related to SolarWinds’ role in a cyberattack attributed to the Russian Foreign Intelligence Service, where malware was inserted into a version of the company’s Orion IT monitoring application, enabling Russian operatives to compromise high-value targets. The SEC alleges that SolarWinds and Brown ignored cybersecurity risks and misrepresented their security controls to investors. Brown faces charges related to fraud and internal control failures. SolarWinds and Brown contest the charges and plan to defend their positions in court. The SEC previously issued Wells notices to SolarWinds executives, indicating potential enforcement action.
The CEO of the Canadian cryptocurrency exchange QuadrigaCX, Gerry Cotten, passed away, leaving the company in a dire situation. Cotten was the sole holder of cryptographic keys to access $137 million in cold storage cryptocurrencies, with an additional $53 million frozen due to disputes with a bank and payment processors. The exchange’s customers are owed $190 million but cannot be paid due to the inaccessible funds. The company is seeking protection from creditors while attempting to recover the lost assets. Cotten’s widow, Jennifer Robertson, has his encrypted laptop and USB but lacks the credentials to access the keys. A 30-day stay has been granted to QuadrigaCX to search for the lost cryptocurrencies, shielding the company from customer lawsuits. This incident highlights the risks associated with centralized control of cryptocurrency funds and the lack of industry standards for safeguarding digital assets. Some customers speculate about the legitimacy of Cotten’s death, while the cryptocurrency community expresses concern about the state of the industry.
On October 31st, Mr. Cooper Group encountered a cyber-attack. Mr. Cooper Group is one of the largest mortgage servicers in the nation with a servicing portfolio of roughly $500 billion alongside more than 3 million customers. They were able to detect that a third party gained access to certain Mr. Cooper systems then initiate response protocols such as containment and shutting down the systems exposed during the incident. Apparently, systems connected to clients and partners were not affected, however, since the issue is currently causing homebuyer’s issues with making payments, we still have yet to know if this is completely accurate. Customers are not seeing penalties for late payments and if customer data is, in fact, impacted then Mr. Cooper will provide identity protection services to customers. In addition to this, Mr. Cooper must continue business as normally as possible and is accepting payments in various other ways such as phone, mail, one-time web payment, Western Union® Quick Collect®, and MoneyGram® ExpressPayment®. This definitely puts more of a burden on their call center, administrative, IT and Accounting teams.
I know some folks who have been impacted by this breach and the connection to Mr. Cooper’s site is insecure because the link to the frequently asked questions (FAQs) about the cyberattack is blocked by some internet browsers. This is definitely causing a system error and availability error for clients. Availability of their account information and availability of data breach updates.
This article goes over how cryptography and enterprise data is taken for granted and rarely evaluated until something happens. It also shows how the public key encryption (PKE) may be coming to an end as the mathematics and computing power that are becoming mainstream. It also goes over what we have seen about cybersecurity awareness in this class, top executives Turing a blind eye towards it until something happens. The Securities and Exchange Commissions (SEC) are racing organizations to disclose any cybersecurity incidents which makes me think that even the SEC isn’t prepared for the quantum era on cryptography. I personally feel that the business world is not prepared for the quantum era as the government is just starting to take an active role e in preparing and protecting federal networks for the quantum times.
It also shows the NIST has sponsored the Post-Quantum Cryptography (PQC) to come up with standards and guidelines need to replace current systems and asymmetric key encryption methods which reiterates what the professor and this in the news articles states that you need to stay up to date with the cyber standards and news.
Article: Quantum Computing and the Future of Cryptography & Blockchain Security
The article that I chose this week covers how advances in computing, especially quantum computing, can impact data encryption and security. The article focuses on crypto blockchains and their current encryption protocols, specifically ECDSA and SHA. These methods are effective in the current age but the advent of quantum computing can pose a severe threat. The sharp increase in the computing speed of devices can cause a risk to encryption protocols by allowing devices to attempt to crack encryption keys much faster. These advances could undermine things like Moore’s Law and others and drastically alter the way that we handle security and encryption down the line.
The ransomware gang LockBit is claiming responsibility of breaching Boeing’s network and stole what is described as a “significant amount” of sensitive information. LockBit had threated to leak the data online if Boeing did not reach out.
Since the writing of this post, the message has been removed but the article does not say whether Boeing complied with LockBit’s request. But this happens this typically means that the victim has paid the ransom or complied with the hacker’s request. LockBit has managed to extort almost $91 million since 2020 and has no plans of slowing down.
Title: Atlassian Bug Escalated to 10, All Unpatched Instances Vulnerable
Link: https://www.darkreading.com/vulnerabilities-threats/atlassian-bug-escalated-10-unpatched-instances-vulnerable
Summary: There’s a serious security problem with Atlassian Confluence which is used for collaboration and software development. Hackers are exploiting this flaw to launch ransomware attacks, the issue is severe rated as the maximum 10 CVSS, affecting all versions of the software, except the cloud-based ones. If not fixed it can allows hackers to access sensitive information and disrupt services.
Mr. Cooper Mortgage Company was breached on October 31st. The mortgage company had to take their systems offline to try to contain the breach. Thus blocking millions of customers from paying their mortgages online. Customer’s loan accounts/loan statuses have not been updated since the breach. The investigation is still ongoing and the attackers have yet to take responsibility.
According to a new report, BlueNoroff, a North Korea-linked group has been linked to a new macOS malware (ObjCShellz). The new malware is based on financial crimes and targets banks and cryptocurrency sectors to evade sanctions. The malware is a remote shell written in Objective-C, is being distributed through social engineering.
In this technological renaissance, we are witnessing unparalleled evolutions. Microsoft astutely notes that ‘the progress of ubiquitous computing and ambient intelligence revolutionises virtually every facet of work and life.’ As fresh innovations and distributed technologies accelerate globally, comprehending the prospective security infringements becomes absolutely critical.
Global giant Microsoft is advising organisations to begin preparing for potential cyberattacks based on quantum technology
In light of the rapidly advancing quantum technology, Microsoft has recently recommended organisations to start gearing up to counter potential cyberattacks. This strategy is aimed at amplifying the comprehension of organisations’ readiness to mitigate such impending threats.
To facilitate this, Microsoft urges businesses to participate in a specially designed questionnaire. This insightful instrument will enable Microsoft and organisations to evaluate their current cybersecurity resilience, identify potential vulnerabilities and devise robust solutions. More importantly, it can elucidate pathways to gain expert assistance when needed. Thus, through collaborative efforts, we can navigate through this technological epoch securely.
Marc Greenberg says
Cryptography is dying—long live cryptography
Enterprise data is only safe if encryption is working, yet cryptography in the enterprise is routinely taken for granted and rarely evaluated or checked.
The Securities and Exchange Commission’s (SEC) recent regulations, requiring organizations to disclose any major cybersecurity incidents, could catalyze a much-needed shift in perspective and prompt enterprises to take more proactive action to manage cryptographic risk by adopting more forward-thinking practices and policies.
The government has started taking an active role in preparing and protecting federal networks for these uncertain, quantum times. Beyond the SEC, mandates like the National Security Memorandum 8 and 10 and the passing of the Quantum Computing Cybersecurity Preparedness Act, require the adoption of quantum-resistant algorithms by all federal agencies. This will soon see government suppliers and partners under pressure to match these requirements.
A quantum computer will have the power to break today’s encryption standards, creating an unprecedented threat to the security of our nation, global economy, and digital infrastructure.
NIST has sponsored the PQC project to determine the standards and migration guidelines needed to augment and ultimately replace asymmetric key encryption methods.
The PQC migration will be a major undertaking and require the largest global cryptographic transition in the history of computing. NIST warns another 5 years to 15 years will be needed after final standards are published (expected in 2024) for a full transition to be complete. This means organizations that don’t begin to act now could be putting their critical systems and long-duration data at risk of compromise.
Corporate governance should include cryptographic risk management and quantum preparedness as a component of data security and risk mitigation. Officers and directors need to take proactive measures to mitigate the risk of both present-day cryptographic vulnerabilities and a quantum-crypto assault. Here’s why:
The quantum threat is very real. But what remains concerning is the weakening of existing cryptography due to a lack of awareness, planning, board oversight, and accountability. But this will change as organizations feel the pressure from an evolving regulatory environment to start investing in protecting their most valuable assets from the risks brought by the continued advancement of mathematics and computing.
https://www.fastcompany.com/90965687/cryptography-is-dying-long-live-cryptography
Chidi Okafor says
Title: SEC charges SolarWinds CISO with fraud for misleading investors before major cyberattack
The Securities and Exchange Commission (SEC) plans to charge SolarWinds’ Chief Information
Security Officer, Timothy Brown, with fraud for allegedly lying and misleading investors about the company’s cybersecurity practices and known risks. The charges are related to SolarWinds’ role in a cyberattack attributed to the Russian Foreign Intelligence Service, where malware was inserted into a version of the company’s Orion IT monitoring application, enabling Russian operatives to compromise high-value targets. The SEC alleges that SolarWinds and Brown ignored cybersecurity risks and misrepresented their security controls to investors. Brown faces charges related to fraud and internal control failures. SolarWinds and Brown contest the charges and plan to defend their positions in court. The SEC previously issued Wells notices to SolarWinds executives, indicating potential enforcement action.
Link – https://therecord.media/solarwinds-ciso-sec-charged
Ikenna Alajemba says
A data breach at the genetic testing and ancestry company 23andMe resulted in the black market sale of at least one million data profiles of people with Ashkenazi Jewish heritage and hundreds of thousands of individuals with Chinese ancestry, authorities said Tuesday as they announced an inquiry.
https://abcnews.go.com/US/connecticut-attorney-general-presses-23andme-data-breach-answers/story?id=104510476#:~:text=A%20data%20breach%20at%20the%20genetic%20testing%20and,authorities%20said%20Tuesday%20as%20they%20announced%20an%20inquiry.
Alyanna Inocentes says
A Crypto Exchange CEO Dies—With the Only Key to $137 Million
https://www.wired.com/story/crypto-exchange-ceo-dies-holding-only-key/
The CEO of the Canadian cryptocurrency exchange QuadrigaCX, Gerry Cotten, passed away, leaving the company in a dire situation. Cotten was the sole holder of cryptographic keys to access $137 million in cold storage cryptocurrencies, with an additional $53 million frozen due to disputes with a bank and payment processors. The exchange’s customers are owed $190 million but cannot be paid due to the inaccessible funds. The company is seeking protection from creditors while attempting to recover the lost assets. Cotten’s widow, Jennifer Robertson, has his encrypted laptop and USB but lacks the credentials to access the keys. A 30-day stay has been granted to QuadrigaCX to search for the lost cryptocurrencies, shielding the company from customer lawsuits. This incident highlights the risks associated with centralized control of cryptocurrency funds and the lack of industry standards for safeguarding digital assets. Some customers speculate about the legitimacy of Cotten’s death, while the cryptocurrency community expresses concern about the state of the industry.
Ashley A. Jones says
Mr. Cooper Detects a Breach
On October 31st, Mr. Cooper Group encountered a cyber-attack. Mr. Cooper Group is one of the largest mortgage servicers in the nation with a servicing portfolio of roughly $500 billion alongside more than 3 million customers. They were able to detect that a third party gained access to certain Mr. Cooper systems then initiate response protocols such as containment and shutting down the systems exposed during the incident. Apparently, systems connected to clients and partners were not affected, however, since the issue is currently causing homebuyer’s issues with making payments, we still have yet to know if this is completely accurate. Customers are not seeing penalties for late payments and if customer data is, in fact, impacted then Mr. Cooper will provide identity protection services to customers. In addition to this, Mr. Cooper must continue business as normally as possible and is accepting payments in various other ways such as phone, mail, one-time web payment, Western Union® Quick Collect®, and MoneyGram® ExpressPayment®. This definitely puts more of a burden on their call center, administrative, IT and Accounting teams.
I know some folks who have been impacted by this breach and the connection to Mr. Cooper’s site is insecure because the link to the frequently asked questions (FAQs) about the cyberattack is blocked by some internet browsers. This is definitely causing a system error and availability error for clients. Availability of their account information and availability of data breach updates.
URL: Mortgage firm blames cyberattack for outage | kare11.com – https://www.kare11.com/article/news/local/breaking-the-news/mortgage-giant-mr-cooper-blames-cyberattack-outage-impacting-millions-customers/89-76d5caee-9127-40e7-afef-7287f1c5008f
Jeffrey Sullivan says
Emerging synergies: Leveraging AI to bolster post-quantum cryptographic security | Federal News Network
https://federalnewsnetwork.com/commentary/2023/07/emerging-synergies-leveraging-ai-to-bolster-post-quantum-cryptographic-security/
This article goes over how cryptography and enterprise data is taken for granted and rarely evaluated until something happens. It also shows how the public key encryption (PKE) may be coming to an end as the mathematics and computing power that are becoming mainstream. It also goes over what we have seen about cybersecurity awareness in this class, top executives Turing a blind eye towards it until something happens. The Securities and Exchange Commissions (SEC) are racing organizations to disclose any cybersecurity incidents which makes me think that even the SEC isn’t prepared for the quantum era on cryptography. I personally feel that the business world is not prepared for the quantum era as the government is just starting to take an active role e in preparing and protecting federal networks for the quantum times.
It also shows the NIST has sponsored the Post-Quantum Cryptography (PQC) to come up with standards and guidelines need to replace current systems and asymmetric key encryption methods which reiterates what the professor and this in the news articles states that you need to stay up to date with the cyber standards and news.
Andrew Young says
Article: Quantum Computing and the Future of Cryptography & Blockchain Security
The article that I chose this week covers how advances in computing, especially quantum computing, can impact data encryption and security. The article focuses on crypto blockchains and their current encryption protocols, specifically ECDSA and SHA. These methods are effective in the current age but the advent of quantum computing can pose a severe threat. The sharp increase in the computing speed of devices can cause a risk to encryption protocols by allowing devices to attempt to crack encryption keys much faster. These advances could undermine things like Moore’s Law and others and drastically alter the way that we handle security and encryption down the line.
Article Link: https://www.itnewsafrica.com/2023/11/quantum-computing-and-the-future-of-cryptography-blockchain-security/
Erskine Payton says
Erskine Payton
In the News Article- Unit 11
MIS 5206
Temple University
Boeing confirms cyberattack amid LockBit ransomware claims
https://www.bleepingcomputer.com/news/security/boeing-confirms-cyberattack-amid-lockbit-ransomware-claims/
The ransomware gang LockBit is claiming responsibility of breaching Boeing’s network and stole what is described as a “significant amount” of sensitive information. LockBit had threated to leak the data online if Boeing did not reach out.
Since the writing of this post, the message has been removed but the article does not say whether Boeing complied with LockBit’s request. But this happens this typically means that the victim has paid the ransom or complied with the hacker’s request. LockBit has managed to extort almost $91 million since 2020 and has no plans of slowing down.
Alex Ruiz says
Title: Atlassian Bug Escalated to 10, All Unpatched Instances Vulnerable
Link: https://www.darkreading.com/vulnerabilities-threats/atlassian-bug-escalated-10-unpatched-instances-vulnerable
Summary: There’s a serious security problem with Atlassian Confluence which is used for collaboration and software development. Hackers are exploiting this flaw to launch ransomware attacks, the issue is severe rated as the maximum 10 CVSS, affecting all versions of the software, except the cloud-based ones. If not fixed it can allows hackers to access sensitive information and disrupt services.
Akiyah says
Mr. Cooper Mortgage Company was breached on October 31st. The mortgage company had to take their systems offline to try to contain the breach. Thus blocking millions of customers from paying their mortgages online. Customer’s loan accounts/loan statuses have not been updated since the breach. The investigation is still ongoing and the attackers have yet to take responsibility.
News Article: https://www.cybersecuritydive.com/news/mr-cooper-cyberattack/699090/
Article on the incident: https://incident.mrcooperinfo.com/
Akintunde Akinmusire says
https://thehackernews.com/2023/11/n-korean-bluenoroff-blamed-for-hacking.html
N. Korea’s BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware
According to a new report, BlueNoroff, a North Korea-linked group has been linked to a new macOS malware (ObjCShellz). The new malware is based on financial crimes and targets banks and cryptocurrency sectors to evade sanctions. The malware is a remote shell written in Objective-C, is being distributed through social engineering.
Michael Obiukwu says
In this technological renaissance, we are witnessing unparalleled evolutions. Microsoft astutely notes that ‘the progress of ubiquitous computing and ambient intelligence revolutionises virtually every facet of work and life.’ As fresh innovations and distributed technologies accelerate globally, comprehending the prospective security infringements becomes absolutely critical.
Global giant Microsoft is advising organisations to begin preparing for potential cyberattacks based on quantum technology
In light of the rapidly advancing quantum technology, Microsoft has recently recommended organisations to start gearing up to counter potential cyberattacks. This strategy is aimed at amplifying the comprehension of organisations’ readiness to mitigate such impending threats.
To facilitate this, Microsoft urges businesses to participate in a specially designed questionnaire. This insightful instrument will enable Microsoft and organisations to evaluate their current cybersecurity resilience, identify potential vulnerabilities and devise robust solutions. More importantly, it can elucidate pathways to gain expert assistance when needed. Thus, through collaborative efforts, we can navigate through this technological epoch securely.
https://cybermagazine.com/articles/microsoft-warns-about-quantum-computing-cyber-threats