Category: Encryption

A hacker bursts the bubble of inflatable fetish fans, Hollywood celebrities unwittingly record videos in a Kremlin plot, and there's a particularly devious WordPress-related malware campaign. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Totally expected, but still good to hear:

Onstage at TechCrunch Disrupt 2023, Meredith Whittaker, the president of the Signal Foundation, which maintains the nonprofit Signal messaging app, reaffirmed that Signal would leave the U.K. if the country’s recently passed Online Safety Bill forced Signal to build “backdoors” into its end-to-end encryption.

“We would leave the U.K. or any jurisdiction if it came down to the choice between backdooring our encryption and betraying the people who count on us for privacy, or leaving,” Whittaker said. “And that’s never not true.”

By Istvan Lam, CEO of Tresorit

According to a new report from the UK’s cyber security agency, the National Cyber Security Centre (NCSC), the number of ‘hackers for hire’ is set to grow over the next five years, leading to more cyber attacks and increasingly unpredictable threats. A rise in spyware and other hacking tools is also anticipated, which will have a profound impact on the UK’s digital landscape.

Cyber threats are already a huge concern for UK businesses, with cyber-attacks on SMEs up 39 per cent last year from 2020, so it’s not surprising this news is adding even more anxiety. What’s more, the new assessment highlights that the threat will not only become greater but also less predictable as more hackers for hire are tasked with going after a broader range of targets, meaning any business, of any size and across any industry could be at risk.

With this in mind, businesses would do well to take proactive measures to protect their sensitive information and communications. End-to-end encryption software is vital in this regard, providing businesses with a secure and reliable way to protect their data and prevent cyber-attacks.

How can this software protect businesses against the threat of cyber-attacks? How is it designed to keep data safe at all times and why exactly should businesses take this extra step to ensure financial data, personal information and intellectual property are kept safe? Is it really essential, does it provide optimum protection and what other measures can businesses take to minimize cyber threats?

How exactly does end-to-end encryption work?

Although many businesses believe all encryption types offer end-to-end protection for data at all times, end-to-end encryption isn’t in fact the standard for all encryption types; often data will only be encrypted while it is being stored, or while it is in transit. End-to-end encryption means that every file and relevant file metadata on the device in question is encrypted using a unique randomly generated encryption key, and files can only be accessed with a user’s unique decryption key so that data is stored as safely as possible. End-to-end encryption also provides an added layer of security for businesses that use cloud-based storage and collaboration tools. Tresorit’s content collaboration platform, for example, offers businesses ultimate protection, as files stored in the cloud are encrypted before they are uploaded, making it extremely difficult for hackers to access them.

In other words, end-to-end software is designed to protect communication channels by encrypting messages at the sender’s device and decrypting them at the receiver’s device, making it almost impossible for hackers to intercept and decipher the messages. And with the ever-growing threat of cyber-attacks and hackers for hire, this ‘gold standard’ of encryption, which ensures utmost security and privacy for data at all times, is crucial.

How risky is it to go without?

Cyber-attacks are designed to cause maximum disruption, exploiting vulnerabilities within a business IT framework. Such attacks can result in the theft of commercially sensitive information or intellectual property, software or data destruction or deletion, thefts of funds, liability to third parties such as customers and supply chain partners and reputational damage.

Cyber security attacks such as data breach can be devastating and ultimately wipe out a company. End-to-end encryption can help prevent such breaches by making it virtually impossible for hackers to access sensitive information and with 43 per cent of UK businesses identifying a cyber security breach in the last year, organizations would do well to put this extra layer of protection in place.

What else can be done?

There are a number of other cybersecurity measures businesses can take other than end-to-end encryption, to minimize the risk of cyber threats. Organizations should ensure they implement regular security audits, run up-to-date antivirus software, use strong passwords, and put in place intrusion detection and prevention systems. Cyber security awareness training for employees is also vital for helping to reduce risks. Businesses should ensure employees are trained on a wide range of security topics such as how to respond to threat situations, Phishing and secure data handling.

The role of business leaders

Senior leaders of organizations have a huge responsibility when it comes to ensuring their business is cyber aware and ultimately cyber secure. They should be having essential discussions about cyber security with their organization’s technical experts and key stakeholders and should ensure that their company’s cyber security policy is communicated throughout the business with all staff given the necessary training. The NCSC has recently launched new resources as part of its Cyber Security Board Toolkit, to encourage senior leaders to treat cyber risks with the same importance as legal or financial risks and to make sure the potentially devastating consequences of an attack are filtered through the organization. It also includes a range of activities for organizations to participate in as well as key success indicators and materials to help organizations engage their staff on the topic.

Final thoughts

With a growing number of hackers for hire marketplace and an ever-increasing risk of cyber threats, businesses should take heed and ensure they’ve put the highest standard of security and protection in place for their company’s data and information. Cyber-attacks can have deadly consequences and can mean the end of the road for many businesses, so not only should companies embrace end-to-end encryption but they should take time to assess the range of cyber security protection measures they have in place, so that no stone is left unturned. Business leaders have a huge role to play when it comes to ensuring their organization can protect itself from, respond to and recover from a cyber-attack, data breach or service outage.

The post Rising Threat of ‘Hackers for Hire’ – How End-to-End Encryption Software Safeguards Businesses appeared first on Cybersecurity Insiders.

I just read an article complaining that NIST is taking too long in finalizing its post-quantum-computing cryptography standards.

This process has been going on since 2016, and since that time there has been a huge increase in quantum technology and an equally large increase in quantum understanding and interest. Yet seven years later, we have only four algorithms, although last week NIST announced that a number of other candidates are under consideration, a process that is expected to take “several years.

The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market. It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time.

Yes, the process will take several years, and you really don’t want to rush it. I wrote this last year:

Ian Cassels, British mathematician and World War II cryptanalyst, once said that “cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.” This mixture is particularly difficult to achieve with public-key algorithms, which rely on the mathematics for their security in a way that symmetric algorithms do not. We got lucky with RSA and related algorithms: their mathematics hinge on the problem of factoring, which turned out to be robustly difficult. Post-quantum algorithms rely on other mathematical disciplines and problems­—code-based cryptography, hash-based cryptography, lattice-based cryptography, multivariate cryptography, and so on­—whose mathematics are both more complicated and less well-understood. We’re seeing these breaks because those core mathematical problems aren’t nearly as well-studied as factoring is.

[…]

As the new cryptanalytic results demonstrate, we’re still learning a lot about how to turn hard mathematical problems into public-key cryptosystems. We have too much math and an inability to add more muddle, and that results in algorithms that are vulnerable to advances in mathematics. More cryptanalytic results are coming, and more algorithms are going to be broken.

As to the long time it takes to get new encryption products to market, work on shortening it:

The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required.

Whatever NIST comes up with, expect that it will get broken sooner than we all want. It’s the nature of these trap-door functions we’re using for public-key cryptography.

Seems that there is a deliberate backdoor in the twenty-year-old TErrestrial Trunked RAdio (TETRA) standard used by police forces around the world.

The European Telecommunications Standards Institute (ETSI), an organization that standardizes technologies across the industry, first created TETRA in 1995. Since then, TETRA has been used in products, including radios, sold by Motorola, Airbus, and more. Crucially, TETRA is not open-source. Instead, it relies on what the researchers describe in their presentation slides as “secret, proprietary cryptography,” meaning it is typically difficult for outside experts to verify how secure the standard really is.

The researchers said they worked around this limitation by purchasing a TETRA-powered radio from eBay. In order to then access the cryptographic component of the radio itself, Wetzels said the team found a vulnerability in an interface of the radio.

[…]

Most interestingly is the researchers’ findings of what they describe as the backdoor in TEA1. Ordinarily, radios using TEA1 used a key of 80-bits. But Wetzels said the team found a “secret reduction step” which dramatically lowers the amount of entropy the initial key offered. An attacker who followed this step would then be able to decrypt intercepted traffic with consumer-level hardware and a cheap software defined radio dongle.

Looks like the encryption algorithm was intentionally weakened by intelligence agencies to facilitate easy eavesdropping.

Specifically on the researchers’ claims of a backdoor in TEA1, Boyer added “At this time, we would like to point out that the research findings do not relate to any backdoors. The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption.”

And I would like to point out that that’s the very definition of a backdoor.

Why aren’t we done with secret, proprietary cryptography? It’s just not a good idea.

Details of the security analysis. Another news article.

Back in 2020, law enforcement agents across Europe had a major breakthrough in their fight against organised crime. They managed to crack into EncroChat - a secure encrypted messaging service which ran on modified Android phones, that promised "worry-free secure communications". But investigators managed to gain full control of EncroChat's infrastructure, and could read users' supposedly-encrypted messages in real-time.