• CRYPTO-GRAM, September 15, 202 Part 1

    From Sean Rima@21:1/229.1 to All on Tue Oct 1 21:52:06 2024

    Crypto-Gram
    September 15, 2024

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School
    schneier@schneier.com
    https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is
    available.

    ** *** ***** ******* *********** *************
    In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    NIST Releases First Post-Quantum Encryption Algorithms
    New Windows IPv6 Zero-Click Vulnerability
    The State of Ransomware
    Hacking Wireless Bicycle Shifters
    Story of an Undercover CIA Officer who Penetrated Al Qaeda
    Surveillance Watch
    Take a Selfie Using a NY Surveillance Camera
    US Federal Court Rules Against Geofence Warrants
    The Present and Future of TV Surveillance
    Matthew Green on Telegram’s Encryption
    Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published
    SQL Injection Attack on Airport Security
    List of Old NSA Training Videos
    Security Researcher Sued for Disproving Government Statements
    Long Analysis of the M-209
    YubiKey Side-Channel Attack
    Australia Threatens to Force Companies to Break Encryption
    New Chrome Zero-Day
    Evaluating the Effectiveness of Reward Modeling of Generative AI
    Systems
    Microsoft Is Adding New Cryptography Algorithms
    My TedXBillings Talk
    Upcoming Speaking Engagements

    ** *** ***** ******* *********** *************
    NIST Releases First Post-Quantum Encryption Algorithms

    [2024.08.15] From the Federal Register:

    After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization
    Process. The public-key encapsulation mechanism selected was
    CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+.

    These algorithms are part of three NIST standards that have been finalized:

    FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard
    FIPS 204: Module-Lattice-Based Digital Signature Standard
    FIPS 205: Stateless Hash-Based Digital Signature Standard

    NIST press release. My recent writings on post-quantum cryptographic standards.

    EDITED TO ADD: Good article:

    One -- ML-KEM [PDF] (based on CRYSTALS-Kyber) -- is intended for
    general encryption, which protects data as it moves across public
    networks. The other two -- - ML-DSA [PDF] (originally known as CRYSTALS-Dilithium) and SLH-DSA [PDF] (initially submitted as Sphincs+) -- secure digital signatures, which are used to authenticate online identity.

    A fourth algorithm -- FN-DSA [PDF] (originally called FALCON) -- is
    slated for finalization later this year and is also designed for digital signatures.

    NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future.

    One of the sets includes three algorithms designed for general
    encryption -- but the technology is based on a different type of math
    problem than the ML-KEM general-purpose algorithm in today’s finalized standards.

    NIST plans to select one or two of these algorithms by the end of 2024.

    IEEE Spectrum article.

    Slashdot thread.

    ** *** ***** ******* *********** *************
    New Windows IPv6 Zero-Click Vulnerability

    [2024.08.16] The press is reporting a critical Windows vulnerability
    affecting IPv6.

    As Microsoft explained in its Tuesday advisory, unauthenticated
    attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets.

    Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with an “exploitation more likely” label, which means that threat actors could create exploit code to “consistently
    exploit the flaw in attacks.”

    Details are being withheld at the moment. Microsoft strongly recommends patching now.

    ** *** ***** ******* *********** *************
    The State of Ransomware

    [2024.08.19] Palo Alto Networks published its semi-annual report on ransomware. From the Executive Summary:

    ---
    * Origin: High Portable Tosser at my node (21:1/229.1)