Ooreofeoluwa Koyejo says
Cryptographers Are Getting Closer to Enabling Fully Private Internet Searches
This is really about how one can pull information from a public database without revealing anything about what you’ve accessed, i.e., private information retrieval.
Three researchers (Wei-Kai Lin, Ethan Mook, and Daniel Wichs) have crafted a long-sought version of private information retrieval and extended it to build a more general privacy strategy. They discovered a secure way to preprocess a single-server database so anyone could pull information in secret.
They considered two approaches:
1. Multiple servers hosting the database: they tested with the case where the information in the database can be transformed into a mathematical expression, which the servers can evaluate to extract the information. They figured it might be possible to make that evaluation process more efficient. They toyed with an idea from 2011, when other researchers had found a way to quickly evaluate such an expression by preprocessing it, creating special, compact tables of values that allow you to skip the normal evaluation steps. This method, however, didn’t produce any improvements on the security of programs developed by 2 researchers in 2017, who had successfully built the first programs that could do this kind of private information retrieval but weren’t able to show that the programs were secure.
– Security is important to cryptographers, so they would not proceed if they could not show that breaking the solution is as difficult as solving the hard problem.
2. Single server hosting the database: they tried a tool from 2011 that one of the researchers had worked on in the single-server case. With a carefully chosen polynomial, they saw that a single server could preprocess the polynomial based on the 2011 result — yielding the secure, efficient lookup scheme Wichs (one of the researchers) had pondered for years. After testing for security (where it breaks) without success, they discovered a secure way to preprocess a single-server database so anyone could pull information in secret.
In the real world, this is a labour-intensive task in which homomorphic encryption, as a useful extension of the private lookup scheme, could bring improvement.
Private information retrieval is the more fundamental problem; the authors’ solution is the “magical building block,” and their homomorphic encryption strategy is a natural follow-up.
For now, neither scheme is practically useful: preprocessing currently helps at the extremes, when the database size balloons toward infinity, but deploying it means those savings can’t materialize, and the process would eat up too much time and storage space.
With future work to streamline the approach, an MIT cryptographer believes private lookups from giant databases may be within reach.
https://www.wired.com/story/cryptographers-fully-private-internet-searches-cybersecurity-databases-privacy/
https://www.quantamagazine.org/cryptographers-devise-an-approach-for-total-search-privacy-20231106/
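The multi-server idea summarized in the comment above (the database becomes a polynomial that servers evaluate) can be seen in the classic textbook polynomial PIR, shown here as an added example that is not from the original post and is not the Lin, Mook and Wichs scheme (it has no preprocessing). It assumes m+1 non-colluding servers holding the same database; the field modulus `P`, the function names and `SAMPLE_DB` are constructed for illustration.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumption; any prime > m + 1 works)
SAMPLE_DB = [7, 0, 42, 13, 5, 99, 1, 8]  # constructed sample database

def bits(i, m):
    """Little-endian bit vector of index i, length m."""
    return [(i >> j) & 1 for j in range(m)]

def evaluate(db, point):
    """Server side: evaluate the multilinear polynomial F with F(bits(i)) = db[i]."""
    m, total = len(point), 0
    for idx, val in enumerate(db):
        term = val
        for j, b in enumerate(bits(idx, m)):
            term = term * (point[j] if b else 1 - point[j]) % P
        total = (total + term) % P
    return total

def make_queries(index, m):
    """Client side: points z + k*r for k = 1..m+1, one per server.
    Each point alone is uniformly random, so one server learns nothing about z."""
    z = bits(index, m)
    r = [secrets.randbelow(P) for _ in range(m)]
    return [[(z[j] + k * r[j]) % P for j in range(m)] for k in range(1, m + 2)]

def reconstruct(answers):
    """Client side: g(t) = F(z + t*r) has degree <= m; interpolate g(0) = F(z)."""
    n, result = len(answers), 0
    for k in range(1, n + 1):
        num = den = 1
        for l in range(1, n + 1):
            if l != k:
                num = num * (-l) % P
                den = den * (k - l) % P
        result = (result + answers[k - 1] * num * pow(den, -1, P)) % P
    return result

def retrieve(db, index):
    """Run the whole exchange locally; each query would go to a different server."""
    m = max(1, (len(db) - 1).bit_length())
    answers = [evaluate(db, q) for q in make_queries(index, m)]
    return reconstruct(answers)

if __name__ == "__main__":
    print([retrieve(SAMPLE_DB, i) for i in range(len(SAMPLE_DB))])
```

Every server here still touches the whole database on each query, which is the evaluation cost the preprocessing idea in the comment is meant to reduce.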
Celinemary Turner says
Insurance consulting and brokerage firm Keenan & Associates is informing more than 1.5 million individuals that their personal information was stolen in an August 2023 cyberattack.
https://www.securityweek.com/1-5-million-affected-by-data-breach-at-insurance-broker-keenan-associates/
The article reports that Keenan & Associates, an insurance consulting and brokerage firm, experienced a cyberattack in August 2023, during which the personal information of over 1.5 million individuals was compromised. This incident is significant because it highlights the growing threat of cyberattacks targeting sensitive personal data held by organizations.
The cyberattack occurred in August 2023. The exact nature of the attack (e.g., malware, phishing, ransomware) is not specified in the summary but presumably involved unauthorized access to Keenan & Associates’ systems or databases containing personal information. As a result of the cyberattack, the personal data of more than 1.5 million individuals was stolen. The breach has significant implications for the affected individuals, as their personal information is now in the hands of unauthorized parties.
Keenan & Associates is taking steps to inform the affected individuals about the data breach. This notification process is crucial for transparency and allows individuals to take necessary precautions to protect themselves from potential harm, such as monitoring their financial accounts and credit reports for suspicious activity. In addition to notifying affected individuals, Keenan & Associates likely implemented measures to address the security vulnerabilities that led to the breach.
In summary, the article highlights the severe consequences of cyberattacks on organizations and the importance of robust cybersecurity measures to protect sensitive personal data from unauthorized access and misuse. I
Yannick Rugamba says
Nearly 35,000 PayPal accounts were compromised in a December 2022 credential stuffing attack, exposing users’ personally identifiable information like names, addresses, SSNs, and dates of birth. The attack highlights risks of password reuse, as the breached info can enable further fraud. PayPal has reset passwords and added other protections, but experts emphasize using unique passwords and multi-factor authentication to prevent these types of attacks that rely on validated credentials harvested in prior breaches.
https://www.darkreading.com/cyberattacks-data-breaches/paypal-breach-exposed-pii-of-nearly-35k-accounts
Bo Wang says
Alpha Ransomware Group Launches Data Leak Site on the Dark Web
https://www.infosecurity-magazine.com/news/alpha-ransomware-launches-data/
A new ransomware group named Alpha has emerged, launching its Dedicated/Data Leak Site (DLS) on the Dark Web with data from six victims. Despite being new, Alpha ransomware has been observed since May 2023, with a lower infection rate and no active samples for analysis. It appends a random 8-character alphanumeric extension to encrypted files and evolves its ransom notes over time. The DLS, titled “MYDATA,” is unstable, indicating the group is still setting up operations. Victims span various industries and countries. Netenrich senior threat analyst Rakesh Krishnan explains that DLSs are becoming common tactics for ransomware groups, banking on victims’ fear of reputational damage. Krishnan notes inconsistencies in Alpha’s ransom demands, suggesting a mix of talent and amateurism. Continued monitoring is essential to understand and mitigate this emerging threat.
Jon Stillwagon says
https://www.securityweek.com/data-of-750-million-indian-mobile-subscribers-sold-on-hacker-forums/
750 million people from India had their information put up for sale on the dark web, and it contained 1.8 TB worth of names, phone numbers, addresses, and Aadhaar details, which is a unique number for identification. The company that reported this sale was CloudSEK, which is a mobile network subscriber. The cyber leak is estimated to affect 85 percent of the population, and the threat actor is known as CyboDevil. Not only does it affect the population in a large way, it also affects the subscribers of all major telecom providers in India.