Pushed to the edges by efficient EDRs, threat actors are forced to use living-off-the-land techniques

Read More

I just read an article complaining that NIST is taking too long in finalizing its post-quantum-computing cryptography standards.

This process has been going on since 2016, and since that time there has been a huge increase in quantum technology and an equally large increase in quantum understanding and interest. Yet seven years later, we have only four algorithms, although last week NIST announced that a number of other candidates are under consideration, a process that is expected to take “several years.

The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market. It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time.

Yes, the process will take several years, and you really don’t want to rush it. I wrote this last year:

Ian Cassels, British mathematician and World War II cryptanalyst, once said that “cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.” This mixture is particularly difficult to achieve with public-key algorithms, which rely on the mathematics for their security in a way that symmetric algorithms do not. We got lucky with RSA and related algorithms: their mathematics hinge on the problem of factoring, which turned out to be robustly difficult. Post-quantum algorithms rely on other mathematical disciplines and problems­—code-based cryptography, hash-based cryptography, lattice-based cryptography, multivariate cryptography, and so on­—whose mathematics are both more complicated and less well-understood. We’re seeing these breaks because those core mathematical problems aren’t nearly as well-studied as factoring is.

[…]

As the new cryptanalytic results demonstrate, we’re still learning a lot about how to turn hard mathematical problems into public-key cryptosystems. We have too much math and an inability to add more muddle, and that results in algorithms that are vulnerable to advances in mathematics. More cryptanalytic results are coming, and more algorithms are going to be broken.

As to the long time it takes to get new encryption products to market, work on shortening it:

The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required.

Whatever NIST comes up with, expect that it will get broken sooner than we all want. It’s the nature of these trap-door functions we’re using for public-key cryptography.

Read More

Some scams make a telltale sound—rinnng, rinnng! Yup, the dreaded robocall. But you can beat them at their game.   

Maybe it’s a call about renewing an extended warranty on your car (one you don’t have). Or maybe the robocaller offers up a debt relief service with a shockingly low rate. Calls like these can get annoying real quick. And they can also be scams. 

In the U.S., unwanted calls rank as the top consumer complaint reported to the Federal Communications Commission (FCC). Partly because scammers have made good use of spoofing technologies that serve up phony caller ID numbers. As a result, that innocent-looking phone number might not be innocent at all.  

Whether the voice on the other end of the smartphone is recorded or an actual person, the intent behind the call is likely the same—to scam you out of your personal information, money, or both. Callers such as these might impersonate banks, government agencies, insurance companies, along with any number of other organizations. Anything that gives them an excuse to demand payment, financial information, or ID numbers.  

And some of those callers can sound rather convincing. Others, well, they’ll just get downright aggressive or threatening. One of the most effective tools these scam calls use is a sense of urgency and fear, telling you that there’s a problem right now and they need your information immediately to resolve whatever bogus issue they’ve come up with. That right there is a sign you should take pause and determine what’s really happening before responding or taking any action.  

Avoid and stop robocalls with these tips  

Whatever form these unwanted calls take, there are things you can do to protect yourself and even keep you from getting them in the first place. These tips will get you started:  

1) Don’t pick up—and if you do, don’t say “yes”  

This straightforward piece of advice can actually get a little tricky. We mentioned spoofing, and certain forms of it can get rather exact. Sophisticated spoofing can make a call appear to come from someone you know. Yet more run-of-the-mill spoofing will often use a form of “neighbor spoofing.” The scammers will use a local area code or the same prefix of your phone number to make it seem more familiar. In short, you might answer one of these calls by mistake. If you do answer, never say “yes.” Similarly sophisticated scammers will record a victim’s voice for use in other scams. That can include trying to hack into credit card accounts by using the company’s phone tree. Recordings of slightly longer lengths can also lead to voice cloning using AI-driven tools. In fact, three seconds of audio is all it takes in some cases to clone a voice with up to 70% accuracy. 

2) Use your phone’s and carrier’s call blocking features  

Apple and Android phones have features you can enable to silence calls from unknown numbers. Apple explains call silencing here, and Android users can silence spam calls as well. Note that these settings might silence calls you otherwise might want to take. Think about when your doctor’s office calls or the shop rings you with word that your car is ready. Cell phone carriers offer blocking and filtering services as well. Carriers often offer this as a basic service by default. Yet if you’re unsure if you’re covered, contact your carrier.  

3) Don’t return calls from unknown numbers  

So, let’s say you let an unknown call go through to voicemail. The call sounds like it’s from a bank or business with news of an urgent matter. If you feel the need to confirm, get a legitimate customer service number from a statement, bill, or website of the bank or business in question so you can verify the situation for yourself. Calling back the number captured by your phone or left in a voicemail can play right into the hands of a scammer.  

4) Don’t give in to pressure  

As you can see, scammers love to play the role of an imposter and will tell you there’s something wrong with your taxes, your account, or your bank statement. Some of them can be quite convincing, so if you find yourself in a conversation where you don’t feel comfortable with what’s being said or how it’s being said, hang up and follow up the bank or business as called out above. In all, look out for pressure or scare tactics and keep your info to yourself.    

5) Sign up for your national do not call registry  

Several nations provide such a service, effectively a list that legitimate businesses and telemarketers will reference before making their calls. While this might not prevent scammers from ringing you up, it can cut down on unsolicited calls in general. For example, the U.S., Canada, and the UK each offer do not call registries.  

6) Clean up your personal data online 

Scammers and spammers got your number somehow. Good chance they got it from a data broker site. Data brokers collect and sell personal information of thousands and even millions of individuals. They gather them from public sources, public records, and from third parties as well—like data gathered from smartphone apps and shopping habits from supermarket club cards. And for certain, phone numbers are often in that mix. Our Personal Data Cleanup can help. It scans some of the riskiest data broker sites and shows you which ones are selling your personal info. From there, it guides you through the removal process and can even manage the removal for you in select plans.  ​ 

What about call blocker apps? 

Hop onto the app stores out there and you’ll find several call blocking apps, for free or at low cost. While these apps can indeed block spam calls, they might have privacy issues. Which is ironic when you’re basically trying to protect your privacy with these apps in the first place. 

These apps might collect information, such as your contact list, usage data, and other information about your phone. As with any app, the key resides in the user agreement. It should tell you what information the app might collect and why. It should also tell you if this information is shared with or sold to third parties.  

What’s at risk? Should the app developers get hit with a data breach, that information could end up in the wild. In cases where information is sold to analytics companies, the information might end up with online data brokers. 

Pay particularly close attention to free apps. How are they making their money? There’s a fine chance that data collection and sale might generate their profits. At some expense to your privacy. 

Given that your privacy is at stake, proceed with caution if you consider this route. 

Blocking scammers and their calls 

A quieter phone is a happy phone, at least when it comes to annoying robocalls. 

While blocking 100% of them remains an elusive goal, you can reduce them greatly with the steps mentioned here. Thankfully, businesses, legislators, and regulatory agencies have taken steps to make it tougher for scammers to make their calls. A combination of technology and stiffer penalties has seen to that. Taken all together, these things work in your favor and can help you beat robocallers at their game.  

The post Beat Robocallers at Their Game appeared first on McAfee Blog.

Read More