The staffer, who attended a briefing of State Department IT officials, said the officials told lawmakers that 60,000 emails were stolen from 10 different State Department accounts. Although the victims weren't named, all but one of them was working on East Asia and the Pacific, he said.

The staffer, who works for Senator Eric Schmitt, shared the details of the briefing on condition that he not be identified by name.

Allegations that China hacked the State Department - along with two dozen other, mostly still unidentified organizations - have strained an already tense U.S.-China relationship; Beijing has denied being behind the spying.

The hack has also refocused attention on Microsoft's outsize role in providing IT services to the American government.

"We need to harden our defenses against these types of cyberattacks and intrusions in the future," Schmitt said in a statement shared by the staffer in an email to Reuters following the briefing.

"We need to take a hard look at the federal government's reliance on a single vendor as a potential weak point," he said.

The U.S. State Department did not immediately return a message seeking comment. Schmitt’s office did not immediately respond to a request for an interview with him.

Source

U.S. cybersecurity authorities joined Japanese law enforcement agencies to warn about  China-backed threat group BlackTech’s exploitation of security loopholes in everyday networking equipment. 

The Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI, along with Japan's National Police Agency and its National Center of Incident Readiness and Strategy for Cybersecurity, have observed BlackTech operators modifying router firmware to obtain access to entire networks.

The hacks targeted government agencies, defense companies, telecommunications firms and more. 

"BlackTech activity targets a wide range of public organizations and private industries across the U.S. and East Asia," Eric Goldstein, CISA's executive assistant director for cybersecurity, said in a statement. 

U.S. authorities have previously warned of China-backed threat actors leveraging known flaws in routers and other networking gear to obtain access to target networks and then maintain access through stolen credentials and hijacked tools — a technique known as "living off the land." 

According to the current joint advisory, BlackTech often hacks subsidiary networks to leverage access to more sensitive targets. Many of the techniques used by BlackTech can be mitigated with existing updates to common networking firmware.

In January 2023, the U.S. and Japan signed an agreement updating their operational collaboration on cybersecurity issues and to enhance cybersecurity of industrial control systems.

Source

The security expert duo, Mysk, say that iOS 17 enables two specific settings related to sensitive locations. The first of these is called Significant Locations.

Here's what Apple's documentation states about the feature "Your iPhone and iCloud-connected devices will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you. This data is end-to-end encrypted and cannot be read by Apple. It is used to provide you with personalized services, such as predictive traffic routing, and to build better Memories in Photos."

In layman's terms, Significant Locations keeps a record of places that you have been to, which it learns based on GPS, and uses the data on your device to improve your experience with Maps, Calendar, Photos, etc. For example, it could be used for plotting a route to a place that you visit, with predictive traffic routing. That doesn't seem too bad, but it's not something everyone might find useful.

The other setting in question, is iPhone Analytics. Here's the Cupertino company's privacy policy related to the setting. It's basically telemetry data that your device sends to Apple's servers to help the company understand how you use your phone, and how it can improve the experience. Again, not everyone is going to be thrilled by sharing their usage data, even if no personal information is being sent to the servers.

I checked if these sensitive locations had been enabled on my iPhone. Significant Locations were indeed enabled for me, but the iPhone analytics were disabled. I remember that I had declined consent for analytics when my iPhone rebooted to install the update.

For the sake of my own privacy, I cannot share the image of the map publicly, but the phone knew which supermarket I visit frequently. As I mentioned earlier, the data from Significant Locations is stored on your device, and not shared with Apple. But it's still kind of creepy to have a list of the places I had been to, and the timestamps were not helping either.

The iPhone Analytics on the other hand, is indeed shared with Apple. As Mysk points out, sharing analytics reports with location information included in them could pose a privacy risk, regardless of whether the data is anonymous or not. Fortunately, you can disable both of these options quite easily.

How to disable sensitive locations in iOS 17

1. Open the Settings app.

2. Go to Privacy & Security.

3. Tap on Location Services.

4. Scroll down all the way to System Services.

5. Tap on Significant Locations. Disable the option, and tap on the Clear History button.

6. Go to the previous screen, and toggle iPhone Analytics off.

Privacy-sensitive options such as these should always be opt-in from the user's end, and not opt-out. Don't worry, you will still be able to use Maps, Food Delivery apps, check the weather, etc., even after disabling these sensitive locations settings.

Source

The researchers have demonstrated the effectiveness of this 'GPU.zip' attack by performing cross-origin SVG filter pixel-stealing attacks through the Chrome browser.

The researchers disclosed the vulnerability to impacted video card manufacturers in March 2023. However, as of September 2023, no affected GPU vendors (AMD, Apple, Arm, NVIDIA, Qualcomm) or Google (Chrome) have rolled out patches to address the problem.

The new flaw is outlined in a paper from researchers at the University of Texas at Austin, Carnegie Mellon University, University of Washington, and University of Illinois Urbana-Champaign and will appear in the 45th IEEE Symposium on Security and Privacy.

Leaking through compression

Generally, data compression creates distinct data-dependent DRAM traffic and cache utilization, which can be abused for leaking secrets, so software turns off compression when handling sensitive data.

The GPU.zip researchers explain that all modern graphic processor units, especially integrated Intel and AMD chips, perform software-visible data compression even when not explicitly asked.

Modern GPUs follow this risky practice as an optimization strategy, as it helps save on memory bandwidth and improve performance without software.

This compression is often undocumented and vendor-specific, and the researchers have found a way to exploit it to leak visual data from GPUs.

Specifically, they demonstrated an attack that extracts individual pixel data through a web browser on various devices and GPU architectures, as shown below.

The proof-of-concept attack demonstrates stealing the username from a Wikipedia iframe, which is possible within 30 minutes on Ryzen and 215 minutes on Intel GPUs, at accuracies of 97% and 98.3%, respectively.

The iframe hosts a cross-origin webpage whose pixels are isolated and turned into binary, meaning they're converted into two possible colours.

Next, these pixels are enlarged, and a specialized SVG filter stack is applied to create textures that are either compressible or not. By measuring the time taken for the texture to render, the researchers can deduce the original colour/state of the target pixel.

We have recently seen the application of SVG filters to induce data-dependent execution and the use of JavaScript to measure computation time and frequency to discern the pixel's colour on the "Hot Pixels" attack.

While Hot Pixels exploits data-dependent computation times on modern processors, GPU.zip hinges on undocumented GPU data compression to achieve similar results.

GPU.zip severity

GPU.zip impacts almost all major GPU manufacturers, including AMD, Apple, Arm, Intel, Qualcomm, and NVIDIA, but not all cards are equally affected.

The fact that none of the impacted vendors have decided to fix the issue by optimizing their data compression approach and limiting its operation to non-sensitive cases further raises the risk.

Although GPU.zip potentially impacts the vast majority of laptops, smartphones, tablets, and desktop PCs worldwide, the immediate impact on users is moderated by the complexity and time required to perform the attack.

Also, websites that deny cross-origin iframe embedding cannot be used for leaking user data through this or similar side-channel attacks.

"Most sensitive websites already deny being embedded by cross-origin websites. As a result, they are not vulnerable to the pixel stealing attack we mounted using GPU.zip," explains the researchers in a FAQ on the team's website.

Finally, the researchers note that Firefox and Safari do not meet all the criteria needed for GPU.zip to work, such as allowing cross-origin iframes to be loaded with cookies, rendering SVG filters on iframes, and delegating rendering tasks to the GPU.

Source

Canadian authorities and cybersecurity experts are on high alert, closely monitoring and strengthening defenses to protect other potential targets from similar attacks. Meanwhile, the Indian government has not yet issued an official statement regarding the threats or their alleged involvement in the death of the Canadian citizen.

Royal Ransomware Gang Goes Unnoticed in Dallas for a Month

In related cyber security news, the Royal ransomware gang, which attacked Dallas, Texas, earlier this year, went unnoticed in the city’s IT infrastructure for nearly a month, stealing personal information of more than 30,000 people. The city has designated US$8.5 million to recover and restore systems affected by the attack. The gang initially accessed the IT system through a service account.

This incident highlights the importance of regularly monitoring and updating security measures within an organization’s IT infrastructure to prevent significant data breaches. Additionally, city officials are urging other municipalities to invest in updating their cyber security protocols to mitigate the risks of future ransomware attacks and protect sensitive data.

Hinds County Grapples with Ongoing Ransomware Attack

Mississippi’s Hinds County is still dealing with a ransomware attack this month, preventing residents from paying property taxes, finalizing real estate transactions, or buying car tags since September 7th. The county’s officials are working diligently with cybersecurity experts to address the issue and restore normal operations as soon as possible. In the meantime, residents are urged to remain patient and vigilant as the authorities explore alternative solutions to facilitate these essential services.

AlphV Ransomware Gang Hacks Vehicle Equipment Manufacturer Clairon

The AlphV ransomware gang has taken responsibility for hacking Clairon, a producer of audio, video, and navigation equipment for vehicles from major manufacturers. It has posted screenshots of stolen documents as evidence. The cybercriminal group claims to have accessed confidential data, including financial records, employee information, and sensitive business documents. Clairon is working in collaboration with cybersecurity experts and law enforcement agencies to mitigate the breach’s impact and prevent further unauthorized data access.

Progress Software’s MOVEit Vulnerability Impacts More Organizations

The number of organizations impacted by the vulnerability in Progress Software’s MOVEit file transfer software continues to increase, now involving the U.S. National Student Clearing House and Financial Institution Service Corporation, four months after the initial exposure. These organizations are joining the growing list of affected parties, highlighting the far-reaching effects of the vulnerability on various sectors in the economy. As more companies discover the impact of this exposure on their systems and data, it emphasizes the criticality of addressing software vulnerabilities in a timely manner to prevent potential large-scale breaches.

Kannact Inc. Addresses Data Breach Impacting Thousands

Kannact Inc., a healthcare support company based in Oregon, is notifying close to 118,000 individuals about a data breach resulting from hacking its file transfer software. The company announced the breach in June but is still working to determine an accurate number of victims. In addition to potentially compromised personal information, the breach may have exposed sensitive medical data of the affected individuals. As a response, Kannact has been proactively implementing further security measures and working closely with law enforcement agencies to investigate the incident and minimize any potential damage.

Nigerian Individual Faces Sentencing for Business Email Scam

Lastly, a Nigerian individual faces sentencing by a U.S. judge in November on conspiracy charges associated with participation in a business email scam. The deceptive email messages tricked victims into transferring money. Furthermore, these fraudulent emails often impersonate high-level executives, leading unsuspecting employees to believe they are transferring funds for legitimate company purposes. To combat this growing issue, companies are implementing stricter security measures and raising awareness among staff members about the risks of business email scams.

Frequently Asked Questions

What is the Indian Cyber Force?

The Indian Cyber Force is a group of hackers from India who have recently issued threats to target Canadian websites in response to claims that the Indian government played a role in killing a Canadian citizen promoting an independent Sikh state.

What are Canadian authorities doing to prevent cyber-attacks from the Indian Cyber Force?

Canadian authorities and cybersecurity experts are on high alert, closely monitoring and strengthening defenses to protect potential targets from similar attacks.

How did the Royal Ransomware Gang infiltrate Dallas’ IT infrastructure?

The gang initially accessed the IT system through a service account and went unnoticed for nearly a month while stealing personal information of more than 30,000 people.

What are Hinds County officials doing to address the ongoing ransomware attack?

The county’s officials are working diligently with cybersecurity experts to address the issue and restore normal operations as soon as possible. They are also exploring alternative solutions to facilitate essential services for residents.

What data did the AlphV ransomware gang allegedly steal from Clairon?

The cybercriminal group claims to have accessed confidential data, including financial records, employee information, and sensitive business documents from Clairon, a producer of audio, video, and navigation equipment for vehicles.

How has Kannact Inc. responded to the data breach impacting thousands?

Kannact has been proactively implementing further security measures and working closely with law enforcement agencies to investigate the incident and minimize any potential damage caused by hacking its file transfer software.

What measures are companies taking to combat business email scams?

To combat business email scams, companies are implementing stricter security measures and raising awareness among staff members about the risks of fraudulent emails that trick victims into transferring money for illegitimate purposes.

Source

Nearly 1,500 US police departments operate drones but only about a dozen routinely dispatch them in response to 911 calls, according to ACLU research. Drone maker Skydio aims to see that change, with a new model launched last week called the X10. The goal, cofounder and CEO Adam Bry said during a launch event last week in San Francisco, is to “get drones everywhere they can be useful in public safety.”

The new drone is capable of flying at speeds of 45 miles per hour and is small enough to fit into the trunk of a police car. It has infrared sensors that can be used to track people and fly autonomously in the dark. Four payload bays on the X10 can carry accessories like a speaker, spotlight, or a parachute for emergency landings. A 65X zoom camera can read a license plate from 800 feet away and follow a vehicle from a distance of 3 miles.

“I think mitigating or eliminating high-speed chases will be one of the major applications that we'll see with customers, largely based on that zoom camera,” Bry says.

New capabilities like those could encourage wider use of drones in law enforcement at a time when policy concerning their use is still developing. Tests by emergency responders and the US Federal Aviation Administration to extend drone flights beyond the operator’s line of sight and respond to 911 calls started in 2017. Civil liberties advocates say there is a lack of rules to limit drone use in sensitive contexts like protests or in concert with other forms of surveillance technology.

Skydio's X10 drone uses infrared sensors to track people and fly autonomously in the dark.

Courtesy of Skydio

When Skydio launched nearly a decade ago, it focused on selling drones to outdoor athletes interested in a machine something like an autonomous aerial GoPro, following them down a mountain or trail while capturing video. That began to change in 2020 when Skydio got picked as one of a handful of companies approved for off-the-shelf use by branches of the US military. Today Skydio’s customers include BNSF Railway, utility companies in California and Illinois, and law enforcement agencies like the NYPD.

At a press conference in July, New York mayor Eric Adams announced that his police department would begin controlling drone flight licenses for the city. While holding a Skydio remote control as a prop, he voiced support for using drones to stop high-speed car chases.

This month, at another news conference, Adams said New York is behind other police departments in drone deployment but will “become the leader in how to properly use drones.” He pledged to use more surveillance and technology following an increase in some measures of crime last year.

At the Skydio event last week, New York Police Department chief of patrols John Chell said he thinks drones can cut down on the need for helicopter deployments. In the near future he envisions the city police academy training recruits in how to pilot drones, placing at least one drone at each of the more than 70 precincts across New York, and drones launching autonomously to investigate alerts of potential gunshots heard by AI-powered tool ShotSpotter. Skydio introduced docks last year that house and charge drones and can enable autonomous take off.

The NYPD’s new interest in drones has drawn criticism from civil liberties groups like the ACLU and the Surveillance Technology Oversight Project, but also from less expected voices.

Curtis Sliwa founded New York neighborhood watch group Guardian Angels in 1979 to patrol city streets at a time of widespread concern about violent crime. Last month, he used his radio show to accuse the NYPD and Adams of using drones to intimidate the crowd while Sliwa spoke at a recent anti-immigration protest. An unsigned email from the NYPD sent in response to questions from WIRED says that a drone was deployed in Staten Island that month to assess pedestrian congestion, vehicular traffic, and other public safety concerns.

Ahead of the recent Labor Day holiday, one NYPD commissioner pledged to monitor large backyard gatherings using drones. At the Skydio event last week, Chell praised the NYPD for making 10 drone deployments over that holiday weekend, including at the J’Ouvert and West Indian Day celebrations, and the Electric Zoo music festival. He said they helped prevent retaliation following a shooting and contributed to officers apprehending three carjacking suspects. An NYPD spokesperson did not respond to requests for additional details about recent drone deployments.

The busy Labor Day for NYPD drones shows the department moving toward treating drones as first responders, says Daniel Schwarz, senior privacy and technology strategist at the New York Civil Liberties Union. The nonprofit says problematic use of police drones, including at protests in 15 cities after the 2020 death of George Floyd, shows legislation is needed to limit police use of the technology. The ACLU wants bans on drone use at protests and adding weapons to the craft, and guardrails to prevent drones being combined with other forms of surveillance technology like face recognition or ShotSpotter.

The X10 drone is can fly at speeds of 45 miles per hour and is compact enough to fit in the trunk of a police car.

Courtesy of Skydio

Drone deployments by police, like other forms of surveillance, risk falling into historical patterns of targeting certain groups. A 2021 analysis by Amnesty International of surveillance cameras throughout New York City found that they disproportionately threaten the civil liberties of people of colour.

A joint December 2021 report by the ACLU, the Electronic Frontier Foundation, and the Surveillance Technology Oversight Project, argues that drones allow covert surveillance. When flying hundreds of feet aloft the craft are virtually impossible to see or hear, and citizens have little hope of knowing what they are carrying.

As part of the rollout of the X10, Skydio announced a partnership with Axon, which makes Tasers and other police technology. Video from Skydio drones will be more closely integrated into the software Axon sells police departments for incident response and managing evidence.

Bry says Skydio is not working with Axon on weaponizing drones and that Skydio doesn’t support weaponizing drones or robots, but he added that it’s difficult to stop people from making hacks or custom modifications. Last year, Axon suggested using autonomous Taser-mounted drones to stop mass shootings, and the majority of the company’s AI Ethics board resigned in protest.

Source

Eighty-three percent of IT security professionals admit they or someone in their department has made errors due to burnout that have led to a security breach.

Eighty-five percent say they anticipate they will leave their role due to burnout; 24% say they'll leave cybersecurity entirely and 77% say stress levels at work directly affect their ability to keep customer data safe.

Additional findings include:

• 76% agree their IT leadership would not last one full day dealing with the number of alerts they manage.

• 45% of IT professionals felt their leadership hasn't responded proactively to employee burnout and wished their leaders would offer additional training, mentorship and development.

• 82% say they've been told stress and burnout is just a normal part of their job.

Read the full report here.

Source

"We've seen an increase in the number of crypto scams targeting UK consumers, so we have taken the decision to prevent the purchase of crypto assets on a Chase debit card or by transferring money to a crypto site from a Chase account," a spokesperson for the bank said.

Chase has become the latest lender in the UK to restrict customers' access to crypto amid long-running concerns over its use in online scams run by criminals.

JPMorgan has attracted more than 1.6 million customers to its Chase retail bank since launching the mobile app-based service in Britain two years ago, and plans to roll out the consumer bank in other international markets over time.

Chase informed customers of its planned policy change by email on Tuesday morning, the bank confirmed. Crypto media outlet Coindesk reported the move earlier on Tuesday.

In March, NatWest (NWG.L)imposed new limits on the daily and monthly amount customers can send to crypto exchanges, seeking to protect consumers from "crypto-criminals."

Spain's Santander said last year it would block UK customers from sending real-time payments to crypto exchanges as part of measures to protect customers from scams.

Source

We’re on track for 2023 to be a record breaking year for ransomware attacks targeting the U.S. public sector.

These attacks, which includes both traditional encrypt-and-extort and newer data theft-only attacks, know the public sector is an easy target: It’s no secret that local governments have small IT budgets and limited cybersecurity resources. At the same time, these entities often hold data that is extremely valuable, be it housing information or student and patient records.

“When add to that the lack of funding that they have for security, they make an easy target,” said Allan Liska, threat intelligence analyst at Recorded Future, said during a panel at TechCrunch Disrupt on Thursday. This panel looked at what the public sector can do to fight back against ransomware attacks — and how the U.S. government can help.

Fighting back is no easy task. MK Palmore, former FBI agent and director in Google Cloud’s Office of the CISO, said that while public sector organizations are rapidly expanding their digital footprints, many are adding a huge amount of complexity to their environments that often only a small number of security practitioners are responsible for protecting.

“That challenge can be relatively insurmountable,” said Palmore, speaking on stage.

This challenge is made even more difficult by the supply-chain risk posed to public sector organizations, many of which rely heavily on third-party tools and outside contractors.

“Organizations have to do due diligence, which gets to be pretty challenging due to issues like limited workforce and the unwillingness of organizations to adopt tools that would allow this to be automated,” said Liska. “You also have to think about your data supply chain, which we saw in particular with the MOVEit breach. Understanding where and how your data is being stored, who has your data, and so on is an additional challenge.”

What first steps should public sectors implement to overcome these challenges to successfully fend off ransomware attacks? According to both Liska and Palmore, moving away from a Windows environment.

“I’ve never seen a mass ransomware attack and an all Mac network,” said Liska. Palmore added that “there have been zero documented instances of ransomware being able to proliferate against a Chromebook.”

Organizations also need to make sure they are not adding unnecessary tools to their environment, according to Liska. “I think that’s something that we as security vendors have failed our customers; our answer to every problem has been to create a tool, so you wind up with a hundred different tools in your organization.”

Ultimately, however, it’s key that public sector organizations don’t take on these challenges alone. The U.S. federal government has made strides in its fight back against ransomware in recent months, with the launch of the K12 cyber resiliency effort and the announcement of more security funding for state governments.

The feds also helped to tackle the wider ransomware problem with a number of successful takedowns, such as Qakbot, and sanctions against ransomware operators from some of the most notorious gangs.

Liska said that while largely symbolic due to the fact that most of these operators are based in Russia and cannot be extradited to the U.S., these sanctions do act as a deterrent. “It doesn’t necessarily stop the attack and it doesn’t stop the data from being sold or used for malicious purposes, but it does make it less profitable to be a ransomware actor,” he said.

Palmore said that while the U.S. has made strides, more can be done to help cash and talent-strapped public sector entities. “Public private partnerships have proven to historically help solve really intractable problems like the one that we’re facing with ransomware, so there needs to be a lot more cooperation from private sector entities participating with government.”

“When I was in government, 32 years worth of time, we always felt like we could just hire to solve problems, but we’re in an environment where we can’t count on just bringing additional personnel resources to the table. Technology is going to play a key role, government is going to play a key role — it’s an all hands on deck effort,” said Palmore.

Source

Months after the initial MOVEit cybersecurity incident, new victims are still being confirmed, with BORN Ontario, a Canadian government-funded birth registry, the latest big agency to confirm falling victim to the Cl0p ransomware group.

As per a press statement, the hackers stole data on 3.4 million people who sought pregnancy care, addressed fertility issues, as well as data on healthcare services provided to newborns and small children (roughly two million children).

The data stolen was collected from January 2010 until the incident in May 2023.

Clop strikes again

Furthermore, hackers took names, birth dates, postal addresses, and postal codes, as well as health card numbers. They also stole dates of care and service, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy and birth outcomes and associated care.

The attack seems extensive and the data extremely valuable, especially for those interested in identity theft and phishing. 

While BORN Ontario laid the blame for the hack on Clop, the Russian threat actor that compromised the secure file transfer service MOVEit last spring, Clop is yet to list this organization on its leak site. So far, hundreds of victims have been added to the site. 

At the same time, the organization’s spokespersons seem to be quiet on the matter. When reached out to by TechCrunch, BORN Ontario spokesperson Tammy Kuepfer did not return any requests for comment. The organization did say it notified the police as well as Ontario’s privacy watchdog, the Information and Privacy Commissioner (IPC). This organization also did not comment on the news, other than saying that it was notified of the incident on June 14. 

Whether or not BORN received a ransom demand, and if it paid it or not - remains to be seen.

Via TechCrunch

Source

If you’re a LastPass user, be on guard for phishing emails in your inbox. Hackers are launching waves of malicious messages impersonating the password manager. 

LastPass this week warned users about the threat, saying the first wave of phishing emails began on Sept. 13. “Our customers began reporting a pervasive and convincing phishing campaign. The campaign had global reach and targeted a variety of sectors, including 87 of our own employees,” the company wrote in a blog post.

(Credit: LastPass)

The phishing emails look like they're coming from LastPass, and ask the recipient to update their personal information immediately or risk having certain features deactivated. But in reality, the emails are fake and come from the domain “marketing@sbito.co[.]th,” if you look closely. 

Still, the phishing email looks convincing enough to potentially to trick some users into clicking a link embedded in the message. Doing so leads to a hacker-controlled login site at “customer-lastpass[.]su” that looks like it can steal any password and multi-factor authentication codes submitted to the portal.

(Credit: Malwarebytes)

The phishing emails also try to exploit the recent security struggles facing LastPass, which suffered a massive breach last year. The company has since been requiring users to reset their multi-factor authentication codes to bolster security across the platform.  

Antivirus provider Malwarebytes initially warned the public about the phishing threat on Sept. 14. LastPass says it also partnered with PhishLabs to disrupt the attacks by requesting that website providers shut down the internet domains powering the phishing campaign. 

“Unfortunately, the threat actors materialized again on September 19th when a similar subdomain for the credential phishing site was registered, and several new domains for the phishing emails were leveraged,” LastPass says. 

Hence, users should be careful when opening any emails that seem to come from LastPass. Double-check the sender address to verify the email’s legitimacy. You can also mouse over the links in the email before clicking them, which will reveal the web address for each one. Emails asking you to submit sensitive information are an immediate red flag that something is off.

Those who want to report a suspicious email can forward it to abuse@lastpass.com.

Source

There’s a new gang on the dark web that claims it’s breached all of Sony’s systems in a ransomware attack.

According to a September 25 article from Australian cybersecurity publication Cyber Security Connect, the PlayStation maker was cracked open by Ransomed.vc, a new outfit of hackers that’s only been operating since September—though the publication suggests the gang has connections to previous dark web forums and groups. Cyber Security Connect reports that the hack allegedly unearthed screenshots of Sony’s internal log-in page, an internal PowerPoint presentation outlining test bench details, several Java files, and a document tree of the entire leak housing 6,000 files.

“We have successfully [compromised] all of [Sony’s] systems,” Ransomed.vc proclaimed. “We won’t ransom them! We will sell the data. Due to Sony not wanting to pay. DATA IS FOR SALE. WE ARE SELLING IT.”

Within those 6,000 files are supposedly a bevy of documentation, including unknown “build log files,” a swath of Java resources, and HTML data.

Many of the files are reportedly in Japanese. While Ransomed.vc hasn’t listed a price for the data, the group left contact details for Sony to get in touch and listed a “post date” of September 28, which might be when Ransomed.vc will just post it all.

Interestingly, Ransomed.vc seems to be a ransomware operator and a ransomware-as-a-service organization. That means that alongside these large-scale hacks of major corporations, Ransomed.vc (which VGC claims operates out of Russia and Ukraine) also reportedly works with the EU’s general data protection and regulation (GDPR) and other data privacy laws to report vulnerabilities in company systems and violations in the laws. According to Cyber Security Connect, the group is leveraging laws to reportedly bully victims into submission.

Sony has not publicly commented on the breach or the nature of Ransomed.vc’s impact on the company just yet. Kotaku reached out to Sony for a statement.

This isn’t the first time Sony has been hacked. Back in 2011, the company’s PlayStation Network suffered a massive breach that saw some 77 million registered accounts compromised and online features totally inoperable. It was so bad that Sony not only had to explain to Congress what happened but also began giving away games and money a few years later as compensation. Less than 6,000 files may not seem as egregious as that PSN hack, but a hack is a hack all the same, so here’s hoping Sony can batten down the hatches ASAP.

Source

Cybersecurity researchers from ESET have discovered a new, sophisticated piece of malware targeting government organizations in the Middle East. 

The malware is dubbed Deadglyph, and apparently is the work of Stealth Falcon APT, a state-sponsored threat actor allegedly from the United Arab Emirates (UAE). This group is also known among some researchers as Project Raven, or FruityArmor, BleepingComputer reports, and targets political activists, journalists, dissidents, and similar individuals. 

In its technical writeup, ESET’s researchers explained that Deadglyph is a modular piece of malware, capable of receiving additional modules from its command & control (C2) server, depending on what the operators look to grab from the target endpoint. The modules can use both Windows and custom Executor APIs, meaning the threat actors can use at least a dozen functions. Some of them include loading executable files, accessing Token Impersonation, running encryption, hashing, and more.

Multiple modules

ESET analyzed three modules - a process creator, an information collector, and a file reader. The collector, for example, can tell the threat actors which operating system the victim is using, which network adapters the endpoint has, which software and drivers it has installed, and more. The researchers believe up to 14 modules are available. 

There is no word on potential targets, other than the malware was found on a device belonging to a government firm. Earlier reports, however, describe Stealth Falcon as a decade-old threat actor (in operation since at least 2012) that targets political activists and journalists - not government employees. 

In 2019, ESET analyzed one of StealthFalcon’s campaigns, concluding that the targets, although small in number, were scattered around the world - in UAE, Saudi Arabia, Thailand, and the Netherlands. In the latter, though, the group targeted a diplomatic mission of a Middle Eastern country. 

At the moment there is no information on how the hackers managed to infiltrate the target devices. For now, IT teams can only use indicators of compromise published here. 

Via BleepingComputer

Source

LockBit is malicious software requiring financial payment in exchange for decryption. This cyber threat frequently exploits organizations with larger networks rather than mass consumers.

According to the company’s latest data, one in six ransomware attacks on US federal segments were traced back to LockBit.

These attacks were carried out against 47 percent of new victims in the second half of 2022.

“Better-Informed’ Solutions Needed

The data revealed that ransomware infiltration of smaller organizations has surged compared to usual attacks on “big game” targets, as they are presumed to have lesser cybersecurity capabilities.

Trend Micro wrote that US organizations remain prime targets of ransomware operators. The most victims were recorded in the first half of 2023, accounting for almost half of all ransomware attacks.

The figure represents a 69.94 percent increase compared to the second half of last year, with the UK and Canada having the most number of attacks.

The most targeted elements during 2023’s first half were the retail, transportation, and banking sectors, while the IT, manufacturing, and healthcare sectors were second.

“Threat actors continue to innovate, target more victims, and cause significant financial and reputational damage,” Trend Micro Threat Intelligence VP Jon Clay stated.

“Organizations of all sizes must prioritize and enhance their cybersecurity posture.”

“Our report should help network defenders, policymakers, and other stakeholders make better-informed decisions in the ongoing fight against ransomware.”

Source

YOU’VE PROBABLY HEARD the story: A young buck comes into a new job full of confidence, and the weathered older worker has to show them the ropes—only to find out they’ll be unemployed once the new employee is up to speed. This has been happening among humans for a long time—but it may soon start happening between humans and artificial intelligence.

Countless headlines over the years have warned that automation isn’t just coming for blue-collar jobs, but that AI would threaten scores of white-collar jobs as well. AI tools are becoming capable of automating tasks and sometimes entire jobs in the corporate world, especially when those jobs are repetitive and rely on processing data. This could affect everyone from workers at banks and insurance companies to paralegals and beyond.

Carl Frey, an economist at Oxford University, coauthored a landmark study in 2013 that claimed AI could threaten nearly 50 percent of US jobs in the coming decades. Frey says that he doesn’t think new AI tools like ChatGPT are going to automate jobs in this way because they still require human involvement and are often unreliable. Still, many of the underlying factors that were outlined in that paper remain pertinent today.

Considering the rapid pace at which AI is advancing, it’s hard to predict how it could soon be utilized and what it will be capable of.

Then there’s the issue of how it’s being incorporated into daily work and how it’s being trained. Enter corporate spyware, invasive monitoring apps that allow bosses to keep close tabs on everything their employees are doing—collecting reams of data that could come into play here in interesting ways. Corporations, which are monitoring their employees on a large scale, are now having workers utilize AI tools more frequently, and many questions remain regarding how the many AI tools that are currently being developed are being trained.

Put all of this together and there’s the potential that companies could use data they’ve harvested from workers—by monitoring them and having them interact with AI that can learn from them—to develop new AI programs that could actually replace them. If your boss can figure out exactly how you do your job, and an AI program is learning from the data you’re producing, then eventually your boss might be able to just have the program do the job instead.

“When it comes to monitoring workflows, I do think that’s going to be a way we automate a lot of this stuff,” Frey says. “What you might be able to do is take some of those foundational models and train them on some of the data you have internally and fine-tune them, or you could train a model from scratch just with your internal data.”

David Autor, a professor of economics at MIT, says he also thinks AI could be trained in this way. While there is a lot of employee surveillance happening in the corporate world, and some of the data that’s collected from it could be used to help train AI programs, simply learning from how people are interacting with AI tools throughout the workday could help train those programs to replace workers.

“They will learn from the workflow in which they’re engaged,” Autor says. “Often people will be in the process of working with a tool, and the tool will be learning from that interaction.”

Whether you’re training an AI tool directly by interacting with it throughout the day, or the data you’re producing while you work is simply being used to create an AI program that can do the work you’re doing, there are multiple ways in which a worker could inadvertently end up training an AI program to replace them. Even if the program doesn’t end up being incredibly effective, a lot of companies might be happy with an AI program that’s good enough because it doesn’t require a salary and benefits.

“I think there are a lot of discretionary white-collar jobs where you’re kind of using a mixture of hard information and soft information and trying to make advanced decisions,” Autor says. “People aren’t that good at that, machines aren’t that good at that, but probably machines can be pretty much as good as people.”

Autor says he doesn’t see a “labor market apocalypse” coming. Many workers won’t be entirely replaced but will simply have their jobs changed by AI, Autor says, while some workers will certainly be made redundant by advancements in AI. The problem there, he says, is what happens to those workers after they’re no longer able to find a well-paying job with the education and skill sets they have.

“It’s not that we’re going to run out of work. It’s much more that people are doing something they’re good at, and that thing goes away. And then they end up doing a kind of generic activity that everybody’s good at, which means it pays very little—food service, cleaning, security, vehicle driving,” Autor says. “These are low-paying activities.”

Once someone’s automated out of a well-paying job, they can end up slipping through the cracks. Autor says we’ve seen this happen in the past.

“The hollowing out of manufacturing and office work over the past 40 years has definitely put downward pressure on the wages of people who would do that type of work, and it’s not because they’re doing it now at a lower rate of pay. It’s because they’re not doing it,” Autor says.

Frey says politicians will need to offer solutions to those who fall through the cracks to prevent the destabilization of the economy and society. That would likely include offering social safety net programs to those affected. Frey has written extensively on the effects of the first Industrial Revolution, and he says there are lessons to be learned there. In Britain, for example, there was a program called the Poor Laws, where people who were harmed by automation were given financial relief.

“What you see back then is a lot of social unrest. Wages are stagnant or falling for a large part of the population. You have riots,” Frey says. “If you look at the places where the Poor Laws were more generous, there was less social unrest and less upheaval. Using welfare systems to compensate people who lose out is something we’ve done for a long time and should continue to do.”

Many people would also benefit from being retrained for other work, but Autor says the US has never been very good at retraining people, so there’d have to be some work done to create effective retraining programs. He says technology might actually be able to help there because people could be retrained using helpful new digital tools.

There was a lot of hype surrounding ChatGPT and similar AI tools when they came out. That hype has since died down a bit, suggesting to some that maybe these tools won’t be as useful as they were promised to be. Perhaps they won’t be taking everybody’s jobs. However, at the rate at which AI is advancing, there’s no saying where things could be in five to 10 years—or even next year.

Vincent Conitzer, a professor of computer science at Carnegie Mellon University, says people shouldn’t underestimate what these AI tools may soon be capable of. They may be somewhat limited in their use now, but that could change relatively rapidly and end up being as disruptive as some have warned it could be.

“I worry about this being a ‘boiling frog’ kind of scenario, where we see amazing advances in AI but then don’t immediately see them take over people’s jobs, and [people] conclude there wasn’t all that much to worry about, and we accept the new technology as the new normal but not all that impressive after all,” Conitzer says. “Meanwhile, gradually but quickly, the world and the job market do adjust to the new technologies in complex ways, and at some point we realize large societal problems have emerged.”

Source

Source

There may have been different messages, depending on the web browser used. Firefox users, for instance, may have seen a “you need to update your browser to view the content” notification and an “update Firefox” button on the page.

We reacted quickly to the security issue and have resolved it. The investigation is still ongoing and we are still in the process of validating the site’s databases and content.

We would like to ask anyone who interacted with the malicious content to scan their systems with up to date antivirus software. Some options include Bitdefender Antivirus Free, Avast Free Antivirus or the built-in Microsoft Defender on Windows.

We will share additional information on the issue once we have completed the investigation.

Source

In an email, LastPass states that "all master passwords must meet a 12-character minimum".  Customers who use master passwords with less than 12 characters will be required to update them, according to the company.

To better understand the change, it is necessary to look back to 2018. Back then, LastPass changed the minimum length of the master password to 12 characters. All new accounts, created after the change landed in the year, needed to set master passwords with 12 or more characters.

What LastPass did not do at the time was require older accounts to change their master passwords. LastPass was founded in 2008. Users who created accounts between 2008 and 2018 may have created them using master passwords with less than 12 characters.

Since LastPass did not make the new master password limit mandatory in 2018, users could continue to use shorter master passwords to sign-in to the service.

Shorter passwords are considered weak, as brute forcing attacks take less time to reveal the password. Passwords that use 6 characters, for instance, are brute forced near instantly, even if they user numbers, upper and lower case letters and symbols.

A 12 character password that uses the very same mix of characters may take years to brute force.

Failing to enforce the minimum password length was not the only blunder. LastPass did change the number of PBKDF2 iterations to 100100 from the previous limit of 5000, but it did not enforce the change either.

The LastPass hack(s) of the past years put older accounts at a much greater risk of being cracked than newer accounts.

Now comes the change that LastPass should have enforced in 2018: all LastPass customers who use a master password with less than 12 characters will be required to change it.

LastPass recommends that users set up "account recovery" before making changes. This is the only way of regaining access to an account if the master password can't be remembered.

Existing users will see a prompt with instructions to update the master password, if their password is less than 12 characters in length.

It states: "The in-product prompt will be your final notice before you will be forced to logout and set a new master password.

Act today to avoid potential account lockouts or delays in support requests that may occur when this change is enforced."Most users may want to set passwords with more than 12 characters. While this may make the passwords less easy to remember, it improves brute force protections significantly.

Now You: which password manager do you use, if any?

Source

Two bugs were found in the WebKit browser engine (CVE-2023-41993) and the Security framework (CVE-2023-41991), enabling attackers to bypass signature validation using malicious apps or gain arbitrary code execution via maliciously crafted webpages.

The third one was found in the Kernel Framework, which provides APIs and support for kernel extensions and kernel-resident device drivers. Local attackers can exploit this flaw (CVE-2023-41992) to escalate privileges.

Apple fixed the three zero-day bugs in macOS 12.7/13.6, iOS 16.7/17.0.1, iPadOS 16.7/17.0.1, and watchOS 9.6.3/10.0.1 by addressing a certificate validation issue and through improved checks.

"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7," the company revealed in security advisories describing the security flaws.

The list of impacted devices encompasses older and newer device models, and it includes:

• iPhone 8 and later
• iPad mini 5th generation and later
• Macs running macOS Monterey and newer
• Apple Watch Series 4 and later

All three zero-days were found and reported by Bill Marczak of the Citizen Lab at The University of Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group.

While Apple has yet to provide additional details regarding the flaws' exploitation in the wild, Citizen Lab and Google Threat Analysis Group security researchers have often disclosed zero-day bugs abused in targeted spyware attacks targeting high-risk individuals, including journalists, opposition politicians, and dissidents.

Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064), also fixed by Apple in emergency security updates earlier this month and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus commercial spyware.

Since the start of the year, Apple has also patched:

• two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
• three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
• three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
• two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
• and another WebKit zero-day (CVE-2023-23529) in February

Source

Passkeys are linked to specific devices, such as computers, tablets, or smartphones, and have a crucial role in reducing the risk of data breaches by providing protection against phishing attacks and blocking unauthorized access attempts.

They facilitate access to apps and online services through personal identification methods like PINs or biometric authentication, including fingerprints and facial recognition.

Moreover, passkeys also significantly enhance user experience and security by eliminating the need to memorize and manage distinct passwords for each website and app.

GitHub introduced passkey support in July as part of a public beta passwordless authentication push. 

"Since the launch of passkeys in beta in July, tens of thousands of developers have adopted them. Now, all users on GitHub.com can use passkeys to protect their account," said GitHub's Staff Product Manager Hirsch Singhal, on Thursday.

"This continues our commitment to securing all contributors with 2FA by the end of 2023 and strengthening security across the platform—without compromising user experience."

To register one or multiple passkeys, open your account's security settings and click the "Add a passkey" option. If you have previously configured security keys, you may also see an "Upgrade" option, provided they can be used as passkeys.

This comes on the heels of a concerted move by Apple, Google, and Microsoft to improve support for passkeys across their platforms.

Microsoft announced today that it will allow users to securely log into apps and websites using passkeys saved on their mobile devices, starting with the upcoming September 26 Windows 11 22H2 update.

Google also announced support for allowing Chrome 118 users to sign into websites using passkeys created on iOS devices and synced via the iCloud keychain to their Mac devices.

Today's announcement also comes after GitHub made two-factor authentication (2FA) mandatory for all active developers starting March 13.

Over the years, the company also strengthened account security by implementing sign-in alerts, two-factor authentication, and blocking compromised password usage.

Source

Generative AI and Fire TVs

Amazon announced the Fire TV Stick 4K Max (2nd Gen) with Wi-Fi 6E on Wednesday for $60.

Amazon

 

Amazon also demoed ways that Fire TV devices with generative AI could help users find digital content. It had been previously reported that Amazon was exploring some of these features, such as Alexa making movie and TV show recommendations based on prompts like "search for the movie with that guy who played the lawyer in Breaking Bad" or drilling down on options with filters like "show me action movies," followed by "show me ones I don't have to pay for," and "show me ones I haven't seen yet." To make these recommendations, the Fire TV devices pull from various sources of movie and TV content, including IMDB, and on users' Fire TV profile and viewing habits.

 

Amazon said new Fire TV AI features, including the ability to upload family photos and add filters to them, will arrive via an over-the-air update later this year.

 

On their own, these planned features make sense. Finding content amid today's streaming wars has become tedious, and I've previously pointed to Fire TV devices as being a potential lifeline for Alexa revenue. But I'm resistant to handing over even more of my viewing habits to Amazon. Amazon has always claimed not to sell customer data, but that data can still be used to make business decisions, to disclose non-user-specific trends with third parties, and for targeted marketing. 

Alexa the chatbot

Alexa is also evolving into a chatbot that uses voice input, a camera, and presence detection sensors to chat with users and provide information quickly. There's a lot of emphasis on Alexa having a personality, embodied through a more expressive voice and the chatbot having opinions like a favorite sports team. It should also be able to have back-and-forth conversations and create content, like poems, with specific or even changing cues.

 

"[Alexa has] always been a bit more transactional than we would like, but that was a limit of the technology, not the vision," Limp said on stage.

 

Limp's demo appeared to show Alexa draft a note inviting people over and including details (like that there will be barbecue chicken) from its previous conversation with Limp. It then seemingly sent the note to Limp's phone, likely to the Alexa app.

 

Alexa's chatbot features will be available as "an early preview" in the coming weeks. They're triggered when a user says, "Alexa, let's chat" and ends when they say, "Exit."

Source

The notification warns that the hacker gained unauthorized access to Pizza Hut Australia systems storing sensitive info for customers who made online orders, as well as partial financial data and encrypted account passwords.

"We became aware in early September of a cyber security incident where an unauthorized third party accessed some of the company's data," reads the notice sent to customers.

"We have confirmed that the data impacted relates to customer record details and online order transactions held on our Pizza Hut Australia customer database."

The information that has been exposed to the network intruders includes the following:

• Full name
• Delivery address
• Delivery instructions
• Email address
• Phone number
• Masked credit card data
• Encrypted passwords for online accounts

The restaurant chain, which operates in 260 locations in Australia, says recipients of its notices "may wish to consider" updating their password despite being "one-way encrypted" in the database.

Moreover, the notice urges customers to stay vigilant for phishing attacks and suspicious links sent to them via unsolicited communications.

Ultimately, Pizza Hut says the incident only impacts a small number of its customers, and the Office of the Australian Information Commissioner (OAIC) has been fully informed about the situation.

The exact number of impacted customers was disclosed via a statement from a Pizza Hut spokesperson to The Guardian, stating that the incident affected 193,000 people.

Past incidents

At the start of September 2023, DataBreaches reported that the notorious data broker 'ShinyHunters' made claims about stealing the data of 1 million customers of Pizza Hut Australia.

The threat actor alleged they gained access via an unprotected Amazon Web Services (AWS) endpoint between July and August 2023, accessing a database with 30 million orders.

Pizza Hut Australia never responded to these allegations, so it is unclear whether the two incidents are in any way related.

Earlier this year, in January 2023, the owner of Pizza Hut, Yum! Brands, was targeted by a ransomware attack that forced the closure of three hundred locations in the United Kingdom.

In April 2023, the firm confirmed that the threat actors had stolen employee information from its networks, albeit it found no evidence that customers were affected by the data breach.

Source

Like AV-Comparatives, AV-TEST, which is another anti-malware assessment company, has also published its latest findings recently. The new report, as usual, evaluates various anti-malware solutions in terms of Protection, Performance, and Usability.

Overall, despite being amongst fairly popular anti-virus products, Malwarebytes scored the lowest in the protection category, when compared to other popular anti-malware solutions like Avast/AVG, Microsoft Defender, and Kaspersky, among others, as it scored 5.5 out of 6 points.

You can view the scores obtained in terms of percentages as well as out of 6 points in each of the three categories, and also the certificates awarded to each product, in the two images below (click on them to zoom):

The reason for the lower score seems to be its failure to perform as well as the others against 0-day samples. AV-TEST notes that Malwarebytes scored lower than the industry average of 99.6% detection rate at 98.5% and 99.6% in May and June 2023 tests respectively.

Speaking of Malwarebytes, another area where it seems to suffer is in system resource utilization at least in one of the tested scenarios. In the Performance section of the test, which measures the "average influence of the product on computer speed in daily usage", the software was clocked in at 17% in the "Slower launch of standard software applications" sub-category in May 2023. To Malwarebytes' credit though, the June result is much better as it was down to nearly half at just 9% which is right around the industry average of 10%.

Others like Defender, Kaspersky, and Norton, among others. also exhibited some of these symptoms under specific circumstances. Kaspersky for example was really slow when "launching popular websites" as it was at 20% in both May and June as compared to the industry-average of 14%.

Microsoft Defender, interestingly, was really bad in the "installation of frequently-used applications" while at the same time, it was outstanding in the "launch of standard software applications" category. As you can see in the image below, Microsoft's product was at 17% in May 2023 and got worse at 21% in June, against the industry average of 14%. Norton exhibited similar behavior with 24% and 20% in May and June respectively.

In case you are wondering about the winners, the best performances were put up Avast/AVG, McAfee, and Bitdefender. You can find the full test results and details on this page on AV-TEST's website.

Source

Free Download Manager is a popular cross-platform download manager that offers torrenting, proxying, and online video downloads through a user-friendly interface.

Last week, Kaspersky revealed that the project's website was compromised at some point in 2020, redirecting a portion of Linux users who attempted to download the software to a malicious site.

This site dropped a trojanized FDM installer for Linux that installed a Bash information stealer and a backdoor that established a reverse shell from the attacker's server.

Even though many users reported peculiar behavior after installing the malicious installer, the infection remained undetected for three years until Kaspersky's report was published.

Free Download Manager's response

With the matter gaining attention, FDM investigated and discovered that Kaspersky's and other's reports about the compromise of their site had been ignored due to an error in their contact system.

"It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," explained the security announcement on FDM's site.

"Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed."

"Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022."

The developers say that the site was breached through website vulnerability, allowing the attackers to introduce a malicious code that changed the download page for a small percentage of visitors.

Today, FDM released a script that will scan Linux computers to check if they were infected with the info-stealer malware from this campaign.

The script is available from here, and running it is a two-step process from a terminal:

chmod +x linux_malware_check.sh
./linux_malware_check.sh

Users should note that the scanner script will only identify if the malware is installed by looking for the presence of some files on the system, but it does not remove them.

Hence, if the scanner finds anything, users must manually remove the malware or use additional security tools to locate and uproot the malware files. 

FDM's recommended action is to reinstall the system.

Source

Quantum computers that use qubits (superpositions of 0 and 1) have the potential to be much more powerful and faster than current systems, allowing them to perform computations that would typically take years in a short time.

While Quantum computers are not a threat yet, large tech firms and other stakeholders are already preparing for their game-changing advent.

One of the threats this emerging technology poses is to weaken current encryption schemes, allowing protected data to be decrypted quickly and gaining access to encrypted secrets.

Predictions on when powerful enough quantum computers might emerge vary from 5 years to never. Nonetheless, we already face the risk of "harvest now, decrypt later," making the adoption of quantum-resistant algorithms important.

Quantum-resistant E2EE

For communication apps, like Signal, that use end-to-end encryption to protect communication between two parties, the concern is that encrypted communications can be intercepted and deciphered to expose the contents of the communication.

Signal explains that its "X3DH" (Extended Triple Diffie-Hellman) key agreement protocol has been upgraded to "PQXDH" (Post-Quantum Extended Diffie-Hellman), which incorporates quantum-resistant secret key generation mechanisms for Signal's end-to-end encryption (E2EE) specification.

Specifically, PQXDH uses both X3DH's elliptic curve key agreement protocol and a post-quantum key encapsulation mechanism called CRYSTALS-Kyber.

CRYSTALS-Kyber is a NIST-approved quantum-resistant cryptographic algorithm suitable for general encryption and speedy operations that require a quick exchange of small encryption keys.

"We believe that the key encapsulation mechanism we have selected, CRYSTALS-Kyber, is built on solid foundations, but to be safe, we do not want to simply replace our existing elliptic curve cryptography foundations with a post-quantum public key cryptosystem," explains Signal.

"Instead, we are augmenting our existing cryptosystems such that an attacker must break both systems in order to compute the keys protecting people's communications."

Signal emphasizes that the transition to PQXDH is just the initial move toward achieving quantum-resistant E2EE.

Over the coming years, further upgrades and adaptations will be rolled out to fill data security gaps or address emerging challenges from ongoing research.

Source