python3-docs-3.11.1-1.fc37 python3.11-3.11.1-1.fc37

FEDORA-2022-dbb811d203

Packages in this update:

python3.11-3.11.1-1.fc37
python3-docs-3.11.1-1.fc37

Update description:

Update to 3.11.1

USN-5767-1: Python vulnerabilities

Nicky Mouha discovered that Python incorrectly handled certain SHA-3 internals.
An attacker could possibly use this issue to cause a crash or execute arbitrary code.
(CVE-2022-37454)

It was discovered that Python incorrectly handled certain IDNA inputs.
An attacker could possibly use this issue to expose sensitive information,
cause a denial of service, or cause a crash.
(CVE-2022-45061)
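
The IDNA issue above is reached by feeding crafted, oversized names to the codec. Beyond installing the fixed packages, a service can put a length gate in front of the codec so that input beyond what DNS can carry is rejected before any decoding happens. The block below is an added example written for this page; it is not Python's own fix and not code from the advisory. The names check_lengths, safe_idna_encode, safe_idna_decode and rejects are hypothetical helpers, and the 253-character name and 63-character label limits are the RFC 1035 values adopted here as policy.

```python
"""Added example: enforce DNS length limits before calling Python's idna codec.

Defensive wrapper written for this page, not Python's patched code. It assumes
the RFC 1035 limits (253 characters per name, 63 per label) are acceptable to
the caller. Oversized names are rejected before the codec runs, so an
unpatched interpreter never reaches the slow path on such input. Updating to a
fixed Python release remains the real fix; this only narrows exposure.
"""

MAX_HOSTNAME = 253  # longest name DNS will carry, excluding one trailing dot
MAX_LABEL = 63      # longest single label


class HostnameTooLong(ValueError):
    """Raised when a name exceeds the DNS length limits."""


def check_lengths(name: str) -> str:
    """Reject names that break the DNS length limits; return the name unchanged.

    The check counts code points of the raw input. Punycode output is never
    shorter than its input, so this is a safe pre-filter; it may reject a few
    exotic names that nameprep would shrink below the limit, which is the
    conservative trade-off chosen here.
    """
    bare = name[:-1] if name.endswith(".") else name  # one trailing dot is legal
    if len(bare) > MAX_HOSTNAME:
        raise HostnameTooLong(f"name is {len(bare)} characters, limit {MAX_HOSTNAME}")
    for label in bare.split("."):
        if len(label) > MAX_LABEL:
            raise HostnameTooLong(f"label is {len(label)} characters, limit {MAX_LABEL}")
    return name


def safe_idna_encode(name: str) -> bytes:
    """Unicode hostname -> ASCII (A-label) form, with the length gate in front."""
    return check_lengths(name).encode("idna")


def safe_idna_decode(wire: bytes) -> str:
    """ASCII hostname -> Unicode form; the wire form must itself be ASCII."""
    check_lengths(wire.decode("ascii"))
    return wire.decode("idna")


def rejects(fn, value) -> bool:
    """True if fn(value) is stopped by the gate (raises HostnameTooLong)."""
    try:
        fn(value)
    except HostnameTooLong:
        return True
    return False


if __name__ == "__main__":
    print(safe_idna_encode("bücher.example"))           # b'xn--bcher-kva.example'
    print(safe_idna_decode(b"xn--bcher-kva.example"))   # bücher.example
    # Constructed oversized input: one 300-character label with no dots.
    print(rejects(safe_idna_decode, b"a" * 300))        # True
```

The gate runs in linear time and raises a distinct exception type, so callers can log rejected names as a signal of probing without ever handing them to the codec.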

USN-5768-1: GNU C Library vulnerabilities

Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library
iconv feature incorrectly handled certain input sequences. An attacker
could possibly use this issue to cause the GNU C Library to hang or crash,
resulting in a denial of service. (CVE-2016-10228, CVE-2019-25013,
CVE-2020-27618)

It was discovered that the GNU C Library did not properly handle DNS
responses when EDNS0 is enabled. An attacker could possibly use this issue
to cause fragmentation-based attacks. (CVE-2017-12132)

Leaked Signing Keys Are Being Used to Sign Malware

A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware.

Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

This is a huge problem. The whole system of authentication rests on the assumption that signing keys are kept secret by the legitimate signers. Once that assumption is broken, all bets are off:

Samsung’s compromised key is used for everything: Samsung Pay, Bixby, Samsung Account, the phone app, and a million other things you can find on the 101 pages of results for that key. It would be possible to craft a malicious update for any one of these apps, and Android would be happy to install it overtop of the real app. Some of the updates are from today, indicating Samsung has still not changed the key.

What is YTQ?

What is CRQC?

Widespread interest in quantum computing continues to expand as computer innovators, scientists, and technology industry leaders vie to position themselves at the top of the pack for quantum computing prowess. As the buzz continues, I'd like to discuss Cryptographically Relevant Quantum Computers (CRQC) in simple terms.

A CRQC uses quantum mechanical phenomena to quickly solve difficult mathematical problems that a classical computer cannot solve or would take years to complete. If or when a CRQC is achieved, it will have the computational power to break today's public-key cryptography, leaving web-based digital communications compromised.

One of the first lessons I learned from a cybersecurity architect is to never do the same thing when it comes to cybersecurity. Cybersecurity practices should continually change according to evolving threat applications and vulnerabilities. Nonetheless, for the last 30-plus years the US has relied on public-key cryptography to secure digital data globally. With the date looming for CRQC to hit the market, the US is now in a race to replace a decades-old standard of encryption to protect vital data.

What is Y2Q?

Years to Quantum (Y2Q) refers to the unknown number of years before there is a CRQC. Quantum systems are now in use, and select organizations provide cloud-based access to these systems for testing and research purposes; however, the quantum computers currently in use are not CRQC. From this point forward we will refer to quantum systems that emerge post-Y2Q as CRQC.

As quantum computing evolves and the technology for CRQC comes to reality, no single entity can pinpoint a precise date when CRQC will make an impact on the world's IT infrastructure. Speculation ranges from five to 25 years, and various organizations have developed Y2Q countdown clocks, arbitrarily specifying date ranges up to 2034 as the deadline by which the world must upgrade its IT infrastructure to meet the Y2Q threat.

Conclusion

As the world awaits Y2Q, government entities and cybersecurity managers, along with the medical, telecom and banking industries, are generating playbooks, plans and contingencies to defend against CRQC. While CRQC will pose a considerable threat to enterprises in the future, a wide variety of contingencies are emerging to develop advanced CRQC solutions to alleviate the threat.

While the full range of quantum computer applications steadily grows, it is nevertheless clear that America's continued technological and scientific leadership will depend on its ability to sustain a competitive advantage in quantum computing information and systems. Critical infrastructure, security protocols and internet banking, in addition to military and civilian communications, could be threatened.

Is the United States postured to solidify its role as a world leader in its approach to Y2Q?
