Christopher Williams says
Cryptography faces the threat of quantum technology
This news article is about how cryptologist Benjamin Wesolowski warns that advances in quantum computing could soon weaken current cryptography, which relies on problems too difficult for today’s computers to solve. For example, methods like the Diffie-Hellman protocol protect data because traditional computers can’t easily break its underlying math.
Quantum computers work differently and could potentially solve complex problems quickly, making our current encryption vulnerable. While quantum computers aren’t yet powerful enough to pose this risk, Wesolowski emphasizes the need to prepare now. He and other experts are exploring “post-quantum” cryptography, which includes new techniques like cryptographic lattices and isogeny-based encryption, to protect data in a future with quantum technology.
https://news.cnrs.fr/articles/cryptography-faces-the-threat-of-quantum-technology
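To make the point in the summary above concrete, here is an added example (not code from the CNRS article or from Wesolowski's work) of a Diffie-Hellman exchange over a deliberately tiny group, together with the passive attacker's side. The prime, generator and key derivation are chosen for the demo and must never be used for real traffic; the group is sized so that the generic discrete-logarithm attack (baby-step giant-step) finishes in well under a second, which is exactly why real parameters are 2048 bits and up, and exactly the problem Shor's algorithm would solve in polynomial time on a large quantum computer.

```python
"""Toy Diffie-Hellman over a 31-bit prime, with the eavesdropper's attack.

Added example for this thread, not code from the CNRS article. The group is
far too small for real use: it is sized so the generic discrete-log attack
finishes instantly, to show that DH is secure exactly as long as solving
g^x = A (mod p) is infeasible."""
import hashlib
import math
import secrets

P = 2147483647   # 2^31 - 1, prime; 7 is a primitive root (the Park-Miller RNG group)
G = 7


def dh_keypair(p=P, g=G):
    """Private exponent in [1, p-2] and the public value g^priv mod p."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared_key(their_pub, my_priv, p=P):
    """Derive a symmetric key from the shared group element.

    Public values 0, 1 and p-1 are rejected: they force the shared element
    into a trivial set regardless of my_priv (small-subgroup confinement)."""
    if not 1 < their_pub < p - 1:
        raise ValueError("invalid public value")
    shared = pow(their_pub, my_priv, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def discrete_log_bsgs(h, g=G, p=P):
    """Baby-step giant-step: solve g^x = h (mod p) in O(sqrt(p)) time and memory.

    This generic attack works in any group, which is why key sizes are chosen
    so that sqrt(group order) is far out of reach (about 2^1024 steps for a
    2048-bit prime); index-calculus does better for mod-p groups but is still
    infeasible at that size."""
    m = math.isqrt(p - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):                       # baby steps: g^0 .. g^(m-1)
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant_factor = pow(pow(g, m, p), p - 2, p)   # g^(-m) via Fermat inverse
    cur = h
    for i in range(m):                       # giant steps: h * g^(-i*m)
        if cur in baby:
            return i * m + baby[cur]
        cur = cur * giant_factor % p
    return None


def eavesdrop(alice_pub, bob_pub, g=G, p=P):
    """What a passive attacker who saw only p, g, A and B can do here."""
    a = discrete_log_bsgs(alice_pub, g, p)
    return dh_shared_key(bob_pub, a, p)


if __name__ == "__main__":
    a, A = dh_keypair()
    b, B = dh_keypair()
    k_alice = dh_shared_key(B, a)
    k_bob = dh_shared_key(A, b)
    print("keys agree:", k_alice == k_bob)
    print("eavesdropper recovered the key:", eavesdrop(A, B) == k_alice)
```

Raising the prime to 2048 bits makes `discrete_log_bsgs` hopeless for any classical machine, but it does not change the shape of the problem; a quantum computer running Shor's algorithm attacks the same `g^x = A` relation directly, which is why the lattice- and isogeny-based replacements in the summary rest on different hard problems altogether.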
James Nyamokoh says
Title: NIST Releases First 3 Finalized Post-Quantum Encryption Standards
This article discusses how the National Institute of Standards and Technology (NIST) introduced three new encryption standards in August 2024. These standards are designed to protect data against potential threats posed by quantum computers, which could potentially break current encryption methods. The goal is to safeguard sensitive information, such as confidential communications and online transactions, from future quantum-enabled attacks. NIST is urging organizations to begin adopting these post-quantum cryptographic standards to ensure continued data security and trust as technology evolves.
Source: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
Nelson Ezeatuegwu says
New Password Hack Attack—LastPass, Chrome, Facebook, Netflix, PayPal Users At Risk
This article talked about how threat actors are using fake reviews submitted in bulk to the LastPass Chrome web store app page to leverage trust in a completely malicious so-called support center. Users who call the fake support line will be asked about the product they are having issues with and ultimately directed to a site where their credentials can be exposed and stolen.
https://www.forbes.com/sites/daveywinder/2024/11/02/new-password-hack-attack-chrome-facebook-netflix-paypal-users-at-risk/
Neel Patel says
Article: Zoom Introduces quantum-safe Encryption
Zoom has introduced post-quantum end-to-end encryption for its Meetings platform, with plans to extend this advanced security feature to Zoom Phone and Zoom Rooms. This enhancement is designed to protect users from “harvest now, decrypt later” attacks, where hackers capture encrypted data to decrypt it once quantum computers become powerful enough. While Zoom initially launched end-to-end encryption in 2020, the post-quantum version uses Kyber768, a quantum-resistant algorithm selected by NIST. This ensures only participants can access encryption keys, rendering intercepted data unreadable by Zoom’s servers. Other tech leaders like Signal and Google have also started implementing quantum-proof encryption to future-proof user data.
Link: https://cybernews.com/security/zoom-introduces-quantum-safe-encryption/
Ericberto Mariscal says
Title: Experts Play Down Significance of Chinese Quantum “Hack”
There have been recent reports about Chinese researchers allegedly cracking military-grade encryption using quantum computing. The reports are based on a paper published by Shanghai University researchers, who used a D-Wave Advantage quantum computer to target specific algorithms which are used in AES encryption. However, experts have noted that the attack was performed on a much shorter key (22-bit key) than those used in practice today (2048 or 4096-bit keys). The article noted that while we should be cautious, we are still far from practical attacks that can threaten real-world encryption.
Link: https://www.infosecurity-magazine.com/news/experts-play-down-chinese-quantum/
Vincenzo Macolino says
Cybersecurity oversight disclosures: what companies shared in 2024
This article focused on current regulatory requirements and best practices in cybersecurity risk disclosures, mainly for public companies. In the article it states that roughly 77% of Fortune 100 companies now report that their audit committees oversee cybersecurity. They emphasize this as board-level engagement is now important for risk management. The article also mentions how we are shifting to stronger cybersecurity frameworks as threats continue to grow; things like incident response and third-party management are continuously evolving as a result.
https://www.ey.com/en_us/board-matters/cyber-disclosure-trends
Benjamin Rooks says
Google to buy nuclear power for AI datacenters in “world first” deal.
This is less relevant to what we are reading this week, but I am just using the opportunity to talk about it. While AI will inevitably present issues to us as security professionals as it becomes more accessible, the main reason why I am fixated on this story is because of the precedent that it sets. While I am happy that we are finally looking toward nuclear power again, it is quite frustrating to the environmental activist side of myself that AI is going to be the driver behind it.
https://www.theguardian.com/technology/2024/oct/15/google-buy-nuclear-power-ai-datacentres-kairos-power#:~:text=Google-,Google%20to%20buy%20nuclear%20power,datacentres%20in%20'world%20first'%20deal&text=Google%20has%20signed%20a%20%E2%80%9Cworld,in%20use%20of%20artificial%20intelligence.
Brittany Pomish says
Belle Tire Cyberattack Exposes Tens of Thousands
Belle Tire recently fell victim to a cyberattack that exposed the personal information of tens of thousands of individuals. The breach notification letter indicates that the attackers downloaded a copy of the company’s data which included names, addresses, dates of birth, Social Security numbers or driver’s license numbers. The attack, which occurred earlier this year, has raised concerns about the security measures in place to protect customer data. The company is currently working to address the breach and enhance its cybersecurity protocols.
https://cybernews.com/news/belle-tire-data-breach-exposed-thousands/
Gbolahan Afolabi says
New Android Banking Malware ‘ToxicPanda’ Targets Users with Fraudulent Money Transfers
This article describes the new malware found on Android smartphones in Europe (Italy, Portugal, Spain) where apps disguised as legitimate apps have been able to gain elevated access to be able to access data on other apps and generate input mimicking a user. This type of malware has also been able to hijack One Time Passcodes (OTPs) sent as a form of Multi-Factor Authentication to gain access into more sensitive accounts such as banking accounts.
These apps were downloaded from online marketplaces and sideloaded onto these smartphones, a capability Android phones have where applications can be downloaded from unknown sources. Unsuspecting users would download seemingly ordinary applications without knowing of the Advanced Persistent Threat (APT) that would unfold. In some cases, these attacks would gain access into banking apps and accounts and generate fraudulent transactions.
https://thehackernews.com/2024/11/new-android-banking-malware-toxicpanda.html
Aisha Ings says
FBI Warns Gmail, Outlook, AOL And Yahoo Users—Hackers Gain Access to Accounts
The FBI recently issued a warning to Gmail, Outlook, Yahoo, and AOL users regarding a surge in cybercriminals accessing email accounts, even those protected by multifactor authentication (MFA). These attacks often exploit session or “Remember Me” cookies, allowing hackers to bypass usernames, passwords, and MFA by stealing these cookies, often through phishing links and malicious websites. The FBI recommends clearing cookies, being cautious with “Remember Me” options, avoiding suspicious links, and monitoring recent logins. Google is also working on solutions to secure cookies. Meanwhile, passkeys, which link credentials to a user’s device, are gaining traction as a simpler and more secure alternative to passwords.
https://www.forbes.com/sites/zakdoffman/2024/11/03/fbi-warns-gmail-outlook-aol-yahoo-users-hackers-gain-access-to-accounts/
Andrea Baum says
Bluefin and Datacap Partner to Deliver PCI-Validated Point-to-Point Encryption (P2PE) Processing to Hospitality Businesses
https://www.businesswire.com/news/home/20241031625090/en/Bluefin-and-Datacap-Partner-to-Deliver-PCI-Validated-Point-to-Point-Encryption-P2PE-Processing-to-Hospitality-Businesses
Bluefin and Datacap Systems have announced a partnership to deliver PCI Validated Point-to-Point Encryption (P2PE) to the hospitality industry across the U.S. and Canada, enhancing security and compliance for payments. This collaboration makes Datacap Bluefin’s preferred omnichannel payments provider for hospitality, aiming to reduce PCI DSS compliance requirements by over 70% and cut PCI control scope at the point-of-sale by more than 90%. By combining Bluefin’s encryption technology with Datacap’s payments solutions, the partnership will help protect hospitality businesses, which are highly vulnerable to data breaches, and allow them to streamline compliance.
Cyrena Haynes says
Post-Quantum Cryptology: How Secure Memory Can Protect Against Vulnerabilities
Quantum advancements also create cybersecurity risks, prompting the need for post-quantum cryptography (PQC). Connected vehicles, with long product life cycles, are particularly vulnerable, and secure memory embedded with PQC could protect supply chains and sensitive data. Companies are advised to audit current security, assess valuable data, and ensure regular software updates. With quantum computing advancing rapidly, companies must plan to protect critical infrastructure against future quantum threats.
Source: https://www.electronicdesign.com/technologies/embedded/quantum-computing/article/55236010/winbond-preparing-for-post-quantum-cryptography-and-future-cyber-threats
Dawn Foreman says
https://www.ftc.gov/news-events/news/press-releases/2024/10/ftc-takes-action-against-marriott-starwood-over-multiple-data-breaches
FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches
The Federal Trade Commission (FTC) has required Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a robust information security program in response to 3 data breaches from 2014-2020 that impacted more than 344 million customers. The root cause of the data breaches was the lack of security measures.
The first breach began in June 2014 and involved payment card information of more than 40,000 Starwood customers. The breach went undetected for 14 months until Starwood notified customers in November 2015 (after Marriott announced the acquisition, coincidence?).
The second breach began around July 2014 and went undetected until September 2018. During that time, over 339 million Starwood guest account records were accessed, including 5.25 million unencrypted passport numbers.
The third breach went undetected from September 2018 until February 2020, and over 5 million guest records were compromised. The compromised records contained significant amounts of personal information, including names, mailing addresses, email addresses, phone numbers, dates of birth, and loyalty account information.