Schneier on Security

DECEMBER 31, 2020

In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA: The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. x and inter-operates among all major e-mail software packages.

Encryption 362

Encryption Software 362

The Last Watchdog

OCTOBER 18, 2023

Enter attribute-based encryption ( ABE ) an advanced type of cryptography that’s now ready for prime time. ABE makes it much more difficult to fraudulently decrypt an asset in its entirety; it does this by pulling user and data attributes into the encryption picture — in a way that allows decryption to be flexible.

Encryption 264

Encryption Surveillance Internet Internet 264

Schneier on Security

NOVEMBER 12, 2024

I’ve been writing about the problem with lawful-access backdoors in encryption for decades now: that as soon as you create a mechanism for law enforcement to bypass encryption, the bad guys will use it too.

Encryption 307

Encryption Accountability Cybersecurity 307

Schneier on Security

OCTOBER 20, 2022

Long and interesting interview with Signal’s new president, Meredith Whittaker: WhatsApp uses the Signal encryption protocol to provide encryption for its messages. It doesn’t have your profile information and it has introduced group encryption protections. Signal knows nothing about who you are.

Encryption 63

Encryption 63

Daniel Miessler

DECEMBER 24, 2022

If you follow Information Security at all you are surely aware of the LastPass breach situation. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

Password Management 364

Password Management Passwords Encryption Architecture 364

Security Affairs

NOVEMBER 15, 2024

The Glove Stealer malware exploits a new technique to bypass Chrome’s App-Bound encryption and steal browser cookies. Glove Stealer is a.NET-based information stealer that targets browser extensions and locally installed software to steal sensitive data. Gen Digital observed phishing campaigns distributing the Glove Stealer.

Encryption 123

Encryption Password Management Social Engineering Cryptocurrency 123

Schneier on Security

JANUARY 21, 2022

Key Findings: MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.

Surveillance 345

Surveillance Encryption Wireless Government 345

Schneier on Security

NOVEMBER 22, 2023

Instead of relying on Apple to verify the other person’s identity using information stored securely on Apple’s servers, you and the other party read a short verification code to each other, either in person or on a phone call.

Authentication 315

Authentication Encryption Accountability 315

Joseph Steinberg

JULY 20, 2022

There is little doubt that quantum computing will ultimately undermine the security of most of today’s encryption systems , and, thereby, render vulnerable to exposure nearly every piece of data that is presently protected through the use of encryption. Such an attitude is not alarmist – it is reality, whether we like it or not.

Risk 338

Risk Encryption Government Artificial Intelligence 338

Schneier on Security

JUNE 22, 2021

Once it’s enabled and you open Safari to browse, Private Relay splits up two pieces of information that — when delivered to websites together as normal — could quickly identify you. Those are your IP address (who and exactly where you are) and your DNS request (the address of the website you want, in numeric form).

DNS 297

DNS Encryption 297

Schneier on Security

DECEMBER 26, 2022

Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture.

Passwords 293

Passwords Encryption Backups Password Management 293

Schneier on Security

AUGUST 9, 2021

They received no test credentials, configuration details, or other information about the machine. They were not only able to get into the BitLocker-encrypted computer, but then use the computer to get into the corporate network. It’s the “evil maid attack.”

Encryption 363

Encryption Hacking 363

Krebs on Security

APRIL 11, 2024

On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)”

CISO 289

CISO Encryption Telecommunications Financial Services 289

SecureList

OCTOBER 4, 2024

To prevent anyone trying to disclose information about these channels and the fraudulent activity of their creators, the administrators disabled message forwarding, screenshots, and previews of these channels in the Telegram web-version. After that, the system reboots. Trojan.BAT.Agent.cix Trojan.BAT.Miner.id io gta-5rp.github[.]io/Windows/GTArp.zip

Scams 141

Scams Cryptocurrency Malware Software 141

Joseph Steinberg

APRIL 6, 2021

While ransomware may seem like a straightforward concept, people who are otherwise highly-knowledgeable seem to cite erroneous information about ransomware on a regular basis. Paying a demanded ransom may not get you your files back, and may not prevent a leak of your information.

Ransomware 352

Ransomware Computers and Electronics Backups Artificial Intelligence 352

Schneier on Security

AUGUST 10, 2021

And it breaks end-to-end encryption, despite Apple’s denials : Does this break end-to-end encryption in Messages? Notice Apple changing the definition of “end-to-end encryption.” Beware the Four Horsemen of the Information Apocalypse. A third party is alerted if the message meets a certain criteria.

Surveillance 363

Surveillance Encryption Accountability 363

Schneier on Security

DECEMBER 8, 2020

Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Traditional DNS is also unencrypted, and leaks user information to network operators.

DNS 342

DNS Encryption Internet Internet 342

Joseph Steinberg

JULY 21, 2022

And, of course, all versions of CyberSecurity For Dummies will also help guide you in the event that your information has already been compromised. Step-by-step instructions on how to create data backups and implement strong encryption. ? Basic information that every aspiring cybersecurity professional needs to know.

Cybersecurity 363

Cybersecurity Artificial Intelligence Backups Encryption 363

Krebs on Security

JUNE 7, 2021

In the process of doing so, I encountered a small snag: The FSB’s website said in order to communicate with them securely, I needed to download and install an encryption and virtual private networking (VPN) appliance that is flagged by at least 20 antivirus products as malware. Federal Bureau of Investigation (FBI). Image: Wikipedia.

Antivirus 336

Antivirus VPN Encryption Malware 336

Schneier on Security

NOVEMBER 1, 2022

The tools can slow their data connections to a crawl, break the encryption of phone calls, track the movements of individuals or large groups, and produce detailed metadata summaries of who spoke to whom, when, and where. Neither the CRA nor Iran’s mission to the United Nations responded to a requests for comment.).

Surveillance 353

Surveillance Telecommunications Mobile Encryption 353

Schneier on Security

NOVEMBER 15, 2022

Even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO’s technical review of the application, and two of the outside experts. But it risks giving the Egyptian government permission to read users’ emails and messages.

Spyware 327

Spyware Technology Encryption Government 327

Schneier on Security

AUGUST 8, 2022

The idea is to standardize on both a public-key encryption and digital signature algorithm that is resistant to quantum computing, well before anyone builds a useful quantum computer. Fun fact: Those three algorithms were broken by the Center of Encryption and Information Security, part of the Israeli Defense Force.

Encryption 358

Encryption Architecture Engineering Information Security 358

Krebs on Security

JANUARY 11, 2021

The company says an incident at a third-party cloud provider may have exposed customer account information and credentials used to remotely manage Ubiquiti gear. This data may include your name, email address, and the one-way encrypted password to your account (in technical terms, the passwords are hashed and salted).

Passwords 355

Passwords Authentication Firmware Accountability 355

Schneier on Security

SEPTEMBER 30, 2020

a hospital patient in desperate need of an immediate operation whose records are locked up); Payment can avoid being fined for losing important data; Payment means not losing highly confidential information; and Payment may mean not going public with the data breach. When confronted with a ransomware attack, the options all seem bleak.

Ransomware 336

Ransomware Data breaches Banking Encryption 336

Schneier on Security

MARCH 30, 2021

It includes: instant messenger messages and database files; call logs and phone contacts; Whatsapp messages and databases; pictures and videos; all of your text messages; and information on pretty much everything else that is on your phone (it will inventory the rest of the apps on your phone, for instance).

Malware 306

Malware Manufacturing Encryption Government 306

Schneier on Security

FEBRUARY 11, 2022

Under-resourced Information Security Managers were not performing their business as usual role (including a NIST-based cybersecurity review of systems) but were working on evaluating security controls for the COVID-19 vaccination system. The antivirus server was later encrypted in the attack).

Antivirus 318

Antivirus Hacking Ransomware CISO 318

Krebs on Security

SEPTEMBER 5, 2023

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.

Cryptocurrency 362

Cryptocurrency Passwords Encryption Accountability 362

Troy Hunt

MARCH 18, 2024

Per the linked story, social security numbers and dates of birth exist on most rows of the data in encrypted format, but two supplemental files expose these in plain text. The above example simply didn't have plain text entries for the encrypted data.

Data breaches 343

Data breaches Encryption Identity Theft InfoSec 343

Troy Hunt

SEPTEMBER 17, 2020

I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. Now let's try the mobile app: What's the encryption story there?

VPN 357

VPN Phishing DNS Encryption 357

Joseph Steinberg

JANUARY 4, 2023

The term Zero Trust refers to a concept, an approach to information security that dramatically deviates from the common approach of yesteryear; Zero Trust states that no request for service is trusted, even if it is issued by a device owned by the resource’s owner, and is made from an internal, private network belonging to the same party.

Architecture 361

Architecture Artificial Intelligence Encryption Cybersecurity 361

Krebs on Security

APRIL 12, 2021

Someone is selling account information for 21 million customers of ParkMobile , a mobile parking app that’s popular in North America. Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data.

Mobile 363

Mobile Passwords Accountability Cybercrime 363

Schneier on Security

MARCH 31, 2024

It was well before 2001, when we created the Workshop on Economics and Information Security. I know I was at the Fast Software Encryption workshop in December 1993, another conference he created. There I presented the Blowfish encryption algorithm. I can’t remember when I first met Ross.

Surveillance 331

Surveillance Engineering Encryption Government 331

Schneier on Security

NOVEMBER 8, 2023

The first is organizational decoupling: dividing private information among organizations such that none knows the totality of what is going on. The second is functional decoupling: splitting information among layers of software.

Encryption 297

Encryption Authentication Government Software 297

Fox IT

DECEMBER 10, 2024

One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft’s BitLocker or its Linux equivalent LUKS. Please check the updated documentation on the Dissect Docs page for more information. With the release of Dissect version 3.17

Encryption 98

Encryption Architecture 98

Krebs on Security

JUNE 15, 2024

“He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds,” Murcia Today wrote. LastPass said criminal hackers had stolen encrypted copies of some password vaults, as well as other personal information.

Hacking 311

Hacking Phishing Cybercrime Passwords 311

Schneier on Security

FEBRUARY 22, 2022

Government, in turn, must provide more timely and comprehensive threat information while simultaneously treating industry as a vital partner. Still, its contours are already clear: the private sector must prioritize long-term investments in a digital ecosystem that equitably distributes the burden of cyberdefense.

Cybersecurity 336

Cybersecurity Surveillance Marketing Encryption 336

The Last Watchdog

SEPTEMBER 10, 2024

Instead of traditional methods that rely on storing and matching biometrics, SenseCrypt eID utilizes acts of encryption and decryption for registration and authentication, with no public/private keys stored anywhere. Unlike other solutions available in the market, the QR codes generated do not contain any biometric data.

Computers and Electronics 278

Computers and Electronics Encryption Government Authentication 278