Everything posted by James
-
Researchers at Ecole Polytechnique Fédérale de Lausanne have combined silver nanostructures with polarised light to yield a range of brilliant colours, which can be used to encode messages. The polarisations are used as keys and the message is encrypted in a quaternary colour subset. https://onlinelibrary.wiley.com/doi/10.1002/adom.202202165 https://www.sciencedaily.com/releases/2023/02/230213120701.htm
-
Lightweight Authenticated Encryption & Hashing
Ascon is a family of authenticated encryption and hashing algorithms designed to be lightweight and easy to implement, even with added countermeasures against side-channel attacks. Ascon has been selected as new standard for lightweight cryptography in the NIST Lightweight Cryptography competition (2019–2023). Ascon has also been selected as the primary choice for lightweight authenticated encryption in the final portfolio of the CAESAR competition (2014–2019). ascon.iaik.tugraz.at www.bleepingcomputer.com/news/security/us-nist-unveils-winning-encryption-algorithm-for-iot-data-protection/
-
Security researcher Paul Moore discovered the Eufy Doorbell Dual camera’s feed could be accessed via a web browser by simply knowing the right URL, and no password was required. Moore said camera videos encrypted with AES-128 are using a simple key that can be broken with relative ease, and the app was uploading thumbnails to the cloud, before sending them to people’s mobile apps as notifications, and the camera was uploading facial recognition data to its AWS cloud without encryption. In a blog post Eufy (owned by Anker) addressed these claims, confirming some of them, but denying others. www.techradar.com/news/anker-admits-eufy-camera-security-issues community.security.eufy.com/t/to-our-eufy-security-customers-and-partners/3568215
-
Peter Eckersley, one of the original founders of Let’s Encrypt, passed away at CPMC Davies Hospital in San Francisco on 2nd September 2022. He had been diagnosed with cancer on 31 August, but died of complications during pre-operative preparations to treat the disease. https://community.letsencrypt.org/t/peter-eckersley-may-his-memory-be-a-blessing/183854 https://nakedsecurity.sophos.com/2022/09/04/peter-eckersley-co-creator-of-lets-encrypt-dies-at-just-43/ https://en.wikipedia.org/wiki/Peter_Eckersley_(computer_scientist)
-
A cipher key was written in the form of a defined monomer sequence, dissolved in isopropanol and mixed with glycerol and soot. This created an ink that was used to write a letter. The 256-bit cipher key was successfully recovered by the recipient of the letter by extracting with dichloromethane and following instructions for sequencing. https://pubs.acs.org/doi/pdf/10.1021/acscentsci.2c00460
-
Microsoft SEAL prior to v3.6 using the Brakerski/Fan-Vercauteren (BFV) protocol is vulnerable to a power-based side-channel attack. Aydin Aysu at North Carolina State University demonstrated that by monitoring power consumption in a device that is encoding data for homomorphic encryption, you can read the data as it is being encrypted. https://securityboulevard.com/2022/06/researchers-demonstrate-they-can-steal-data-during-homomorphic-encryption/
-
Microsoft SEAL is an open-source homomorphic encryption library that enables running computations directly on encrypted data. A cloud provider does not have unencrypted access to the data they are storing and computing on. SEAL comes with two homomorphic encryption schemes. BFV allows modular arithmetic on encrypted integers. CKKS allows additions and multiplications on encrypted real or complex numbers, but yields only approximate results. https://www.microsoft.com/en-us/research/project/microsoft-seal/
-
The Treasury has announced that it will regulate some cryptocurrencies as part of a wider plan to make the UK a hub for digital payment companies. Separately, the Treasury said it will ask The Royal Mint to create a Non-Fungible Token (NFT). The Treasury has not yet confirmed which stablecoins will be regulated, however well-known ones include Tether and Binance USD. https://www.bbc.co.uk/news/business-60983561
-
CentOS 8 is EOL and no longer supported, so an encryption vulnerability poses a challenge. The LUKS (Linux Unified Key Setup) issue stems from the re-encryption process during key change and weakens security for an encrypted block device. CVE-2021-4122 https://thehackernews.com/2022/01/patching-centos-8-encryption-bug-is.html
-
POODLE means Padding Oracle on Downgraded Legacy Encryption. It allows an attacker to eavesdrop on encrypted HTTPS communications using the SSL 3.0 protocol. To protect a server against POODLE attacks you can disable SSL 3.0, or TLS 1.1 and TLS 1.2. The POODLE vulnerability was discovered by Google in 2014, reference CVE-2014-3566. Additional information is available from https://www.makeuseof.com/what-is-the-poodle-attack/
-
Arqit has announced the release of the first version of its QuantumCloud service. The software enables customers to secure the communications channels and data of any cloud, edge or end-point device. The launch of Arqit satellites in 2023 will replace terrestrial systems as the root source of randomness in QuantumCloud. https://finance.yahoo.com/news/arqit-releases-quantumcloud-deliver-stronger-042000026.html
-
And now you can’t. However Musk has suggested he may change his mind again if Bitcoin has better eco-considerations. https://www.cnbc.com/2021/06/14/bitcoin-btc-soars-after-musk-says-tesla-could-accept-the-crypto-again.html
-
A crypto flaw has been found in the GPRS (2G) mobile data standard. The researchers (Christof Beierle, et al) said the vulnerability in the GEA/1 algorithm is unlikely to have been an accident, and was probably created as a backdoor for law enforcement. Instead of 64-bit protection it only provides 40-bit and is vulnerable to downgrade attacks. GEA/1, GEA/2 and GEA/3 are known to have weaknesses. https://eprint.iacr.org/2021/819 https://abcnews.go.com/Business/wireStory/security-flaw-found-2g-mobile-data-encryption-standard-78309008 https://www.theregister.com/2021/06/17/gprs_encryption_backdoor/
-
Arqit has announced it will develop a satellite-based quantum technology encryption network for the United States, Japan, Canada, Italy, Belgium and Austria. Known as the Federated Quantum System (FQS) the satellites will distribute quantum keys to data centres using a protocol called ARQ19. The FQS satellites will be assembled at the National Satellite Test Facility in Harwell near Oxford and launched by Virgin Orbit in 2023. Commercial partners include BT, Sumitomo Corporation, Northrop Grumman, Leonardo, QinetiQ Space N.V., qtlabs and Honeywell. Italy, Belgium and Austria are also partners in a European quantum communications network called EuroQCI. https://www.prnewswire.com/news-releases/international-partners-and-government-agencies-join-arqits-federated-quantum-system-301310846.html https://spacenews.com/governments-ally-for-federated-quantum-encryption-satellite-network/
-
DiskCryptor has been modified by the Mamba ransomware. The FBI have advised that if any of the DiskCryptor files are detected prior to the second reboot, attempts should be made to determine if the myConf.txt is still accessible. If so, then the password can be recovered without paying the ransom. https://www.aha.org/system/files/media/file/2021/03/fbi-tlp-white-report-mamba-ransomware-weaponizing-diskcryptor-3-23-21.pdf
-
DiskCryptor is a free and open-source full disk encryption system for Microsoft Windows. It allows a PC’s entire hard drive or individual partitions to be encrypted, including where the OS is installed. DiskCryptor uses either AES-256, Twofish, Serpent or a combination of cascaded algorithms in XTS mode to carry out encryption. DiskCryptor has not been updated since 2014. VeraCrypt is now used as an alternative.
-
Elon Musk has tweeted that US orders for new Tesla cars can now be secured with the equivalent of a $100 deposit in Bitcoin, with other countries following soon. Bitcoin paid to Tesla will be retained as Bitcoin, not converted to fiat currencies.
-
Microsoft has announced that Microsoft Teams will offer End-to-End Encryption. The initial preview will be limited to 1:1 unscheduled calls, but Microsoft plans to expand this to scheduled calls and online meetings over time. https://www.techradar.com/uk/news/microsoft-teams-is-finally-getting-end-to-end-encryption-and-bunch-of-other-security-upgrades https://www.theverge.com/2021/3/2/22308915/microsoft-teams-end-to-end-encryption-support-e2ee
-
Libgcrypt is a general-purpose crypto module developed for GNU Privacy Guard (GnuPG or GPG), a free software implementation of the OpenPGP standard. The Libgcrypt update to v1.9.0 was released on 19th January 2021. It included faster implementations for Poly1305 and ChaCha, and improved use of AES-NI to speed up AES-XTS (6 times faster). https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000453.html Unfortunately Google Project Zero researcher Tavis Ormandy reported a severe flaw in this update. The identified bug is a heap buffer overflow and it's considered rather serious because it's easily exploitable. Previous versions are not affected. Upgrading to v1.9.1 is recommended.
-
Cryptocurrencies to be accepted by Federally Chartered Banks
James posted a topic in Encryption.chat
Federally Chartered Banks and Thrifts May Participate in Independent Node Verification Networks and Use Stablecoins for Payment Activities
https://www2.occ.gov/news-issuances/news-releases/2021/nr-occ-2021-2.html

WASHINGTON—The Office of the Comptroller of the Currency (OCC) today published a letter clarifying national banks’ and federal savings associations’ authority to participate in independent node verification networks (INVN) and use stablecoins to conduct payment activities and other bank-permissible functions.

“While governments in other countries have built real-time payments systems, the United States has relied on our innovation sector to deliver real-time payments technologies. Some of those technologies are built and managed by bank consortia and some are based on independent node verification networks such as blockchains,” said Acting Comptroller of the Currency Brian P. Brooks. “The President’s Working Group on Financial Markets recently articulated a strong framework for ushering in an era of stablecoin-based financial infrastructure, identifying important risks while allowing those risks to be managed in a technology-agnostic way. Our letter removes any legal uncertainty about the authority of banks to connect to blockchains as validator nodes and thereby transact stablecoin payments on behalf of customers who are increasingly demanding the speed, efficiency, interoperability, and low cost associated with these products.”

The agency letter concludes a national bank or federal savings association may validate, store, and record payments transactions by serving as a node on an INVN. Likewise, a bank may use INVNs and related stablecoins to carry out other permissible payment activities. In deploying these technologies, a bank must comply with applicable law and safe, sound, and fair banking practices.

Engaging in INVN within the federal banking system may enhance the efficiency, effectiveness, and stability of payments activities and achieve the benefits of real-time payments already enjoyed in other countries. For example, such activities may be more resilient than other payment networks because of the decentralized nature of INVNs, which allows a comparatively large number of nodes to verify transactions in a trusted manner. An INVN also limits tampering or adding inaccurate information to the database because information is only added to the network after consensus is reached among the nodes validating the information.

Banks must also be aware of potential risks when conducting INVN-related activities, including operational risks, compliance risk, and fraud. New technologies require enough technological expertise to ensure banks can manage these risks in a safe and sound manner. Banks have experience with managing such risks, which are similar to those of other electronic activities expressly permitted for banks, including providing electronic custody services, acting as a digital certification authority, and providing data processing services.

Among the compliance risks, banks should guard against potential money laundering activities and terrorist financing by adapting and expanding their compliance programs to ensure compliance with the reporting and recordkeeping requirements of the Bank Secrecy Act and to address the particular risks of cryptocurrency transactions.

Banks should develop and implement new activities consistently with sound risk management practices and should align with banks’ overall business plans and strategies.
-
The FBI has confirmed that the Zodiac Killer’s 340-character cipher sent to the San Francisco Chronicle 51 years ago has been cracked. David Oranchak, Sam Blake and Jarl Van Eycke used the AZdecrypt software to help them solve the puzzle. “I hope you are having lots of fun in trying to catch me. I am not afraid of the gas chamber because it will send me to paradice (sic) all the sooner because I now have enough slaves to work for me” A guide to the methods used is available on YouTube... https://www.youtube.com/watch?v=-1oQLPRE21o
-
Flaws with the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) were found in 2007. Dan Shumow and Niels Ferguson pointed out that using it with elliptic curve points generated by the NSA could allow encryption to be broken. Juniper Networks discovered unauthorized VPN-decryption code inside its NetScreen firewall firmware in 2015. It was attributed to Juniper’s decision to use the NSA-designed Dual EC Pseudorandom Number Generator. The backdoor had likely been added to Juniper products as far back as 2008 at the request of a ‘customer’. In 2018, US Senator Ron Wyden’s staffers were told by the NSA that it had backfired when a foreign government exploited the weak encryption scheme in Juniper’s ScreenOS. A ‘lessons learned’ report had been written but Wyden’s spokesperson Keith Chu told Reuters that the NSA now claims it can’t find the file. Sources: https://www.reuters.com/article/us-usa-security-congress-insight-idUSKBN27D1CS https://cacm.acm.org/magazines/2018/11/232227-where-did-i-leave-my-keys/fulltext https://www.theregister.com/2020/10/28/nsa_backdoor_wyden/ https://www.theregister.com/2020/06/10/congress_juniper_letter/ https://www.theregister.com/2015/01/14/nsa_sorry_we_borked_nist_encryption_well_sorry_we_got_caught/
-
Zoom announced today that it will offer End-to-End Encryption https://blog.zoom.us/zoom-rolling-out-end-to-end-encryption-offering/ Extract: Zoom meetings and webinars by default use AES 256-bit GCM encryption for audio, video, and application sharing (i.e., screen sharing, whiteboarding) in transit between Zoom applications, clients, and connectors. In a meeting without E2EE enabled, audio and video content flowing between users’ Zoom apps is not decrypted until it reaches the recipients’ devices. However, the encryption keys for each meeting are generated and managed by Zoom’s servers. In a meeting with E2EE enabled, nobody except each participant – not even Zoom’s servers – has access to the encryption keys being used to encrypt the meeting.