Crypto-Gram
September 15, 2024
by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit Crypto-Gram's web page.
Read this issue on the web
These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.
NIST Releases First Post-Quantum Encryption Algorithms
New Windows IPv6 Zero-Click Vulnerability
The State of Ransomware
Hacking Wireless Bicycle Shifters
Story of an Undercover CIA Officer who Penetrated Al Qaeda
Surveillance Watch
Take a Selfie Using a NY Surveillance Camera
US Federal Court Rules Against Geofence Warrants
The Present and Future of TV Surveillance
Matthew Green on Telegram’s Encryption
Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published
SQL Injection Attack on Airport Security
List of Old NSA Training Videos
Security Researcher Sued for Disproving Government Statements
Long Analysis of the M-209
YubiKey Side-Channel Attack
Australia Threatens to Force Companies to Break Encryption
New Chrome Zero-Day
Evaluating the Effectiveness of Reward Modeling of Generative AI Systems
Microsoft Is Adding New Cryptography Algorithms
My TedXBillings Talk
Upcoming Speaking Engagements
** *** ***** ******* *********** *************
NIST Releases First Post-Quantum Encryption Algorithms
[2024.08.15] From the Federal Register:
After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+.
These algorithms are part of three NIST standards that have been finalized:
FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard
FIPS 204: Module-Lattice-Based Digital Signature Standard
FIPS 205: Stateless Hash-Based Digital Signature Standard
NIST press release. My recent writings on post-quantum cryptographic standards.
EDITED TO ADD: Good article:
One -- ML-KEM [PDF] (based on CRYSTALS-Kyber) -- is intended for general encryption, which protects data as it moves across public networks. The other two -- ML-DSA [PDF] (originally known as CRYSTALS-Dilithium) and SLH-DSA [PDF] (initially submitted as Sphincs+) -- secure digital signatures, which are used to authenticate online identity.
A fourth algorithm -- FN-DSA [PDF] (originally called FALCON) -- is slated for finalization later this year and is also designed for digital signatures.
NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future.
One of the sets includes three algorithms designed for general encryption -- but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today’s finalized standards.
NIST plans to select one or two of these algorithms by the end of 2024.
IEEE Spectrum article.
Slashdot thread.
** *** ***** ******* *********** *************
New Windows IPv6 Zero-Click Vulnerability
[2024.08.16] The press is reporting a critical Windows vulnerability affecting IPv6.
As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets.
Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with an “exploitation more likely” label, which means that threat actors could create exploit code to “consistently exploit the flaw in attacks.”
Details are being withheld at the moment. Microsoft strongly recommends patching now.
** *** ***** ******* *********** *************
The State of Ransomware
[2024.08.19] Palo Alto Networks published its semi-annual report on ransomware. From the Executive Summary: