While quantum computers have huge promise, they also risk introducing an unprecedented cybersecurity problem. Quantum computers will have the power to crack the encryption used to protect almost all of the world’s sensitive information, enabling them to smash through the encryption standards used today to protect workers’ most sensitive conversations, personal data, secure networks, and business transactions.

Research from the likes of Goldman Sachs, IonQ, and QC Ware shows the successfully improved performance of a specialized quantum algorithm on real hardware.

The Scale of Quantum Security Threat

Quantum computers will have the power to solve computational problems that were previously thought impossible, and while this presents many opportunities, it also poses a significant security risk as it renders traditional encryption methods – particularly RSA and ECC that are used to protect virtually all of the world’s sensitive information – obsolete. Modern computers would take years to crack the mathematical problems that underpin all modern encryption, but fully scalable quantum computers will be able to do it efficiently. This means that virtually every organization and the device is at risk.

The quantum threat is not just a worry for future data – it is also possible to store information now and decrypt it later. Companies are currently at risk of having data stolen now and stored for decryption once quantum computers have been fully developed. A recent report by Booz Allen Hamilton reveals the likelihood of major players in the quantum field, fostering information now that they plan to decrypt later. This outlines the importance of companies preparing for the threat as soon as possible, as security is already at risk.

Roadmaps laid out by experts have predicted that quantum computers will surface sometime this decade, but companies need to begin preparations now for implementing new cryptography to ensure their future data is protected. The threat of such an attack is credible and urgent enough that the NSA and other government agencies across the world have warned that ‘we must act now’ to prepare for it.

Designing New, Quantum-ready Encryption Standards

After the NSA’s warning on the quantum threat in 2015, the US Government’s National Institute of Standards and Technology (NIST) initiated a process to define new, quantum-ready cryptographic standards – known as post-quantum cryptography. Implementing these standards will be the biggest cryptography transition that has taken place in decades.

For the last 6 years, NIST has been in the process of identifying and standardizing post-quantum algorithms to establish a clear starting point to guide us toward a quantum-secure future, with the new algorithms replacing the current classical-security standards. With over 80 submissions from over six different continents, it has truly been a global effort followed closely by academia, industry, and government.

The NIST standardization process is coming to a conclusion in the coming weeks as NIST plans to pick a handful of diverse algorithms out of the remaining candidates.

How Can Companies Prepare for the Threat?

NIST is unequivocal that businesses should be preparing now, stating that “it is critical to begin planning for the replacement of hardware, software, and services that use public‐key algorithms now so that the information is protected from future attacks”.

Understanding the timeline for necessary post-quantum security is essential for ensuring the safety of the company. Businesses should consider the timeline in which they need to employ quantum-safe solutions and choose a strategy to gradually implement new cryptography – in some cases, a complete transition could take up to 5-10 years. CISOs should be aware of a realistic path to implementation which, for many companies, will likely involve integrating hybrid cryptography solutions. A number of offerings now exist that provide widely used public-key encryption and incorporate one of NIST’s finalist algorithms that will soon be established as a benchmark for protection against quantum attacks.

In terms of preparation, businesses should begin with a “quantum risk assessment” that consists of the following; a software/hardware cryptography audit, establishing what information needs to be kept confidential and for how long, identifying data that requires long term integrity, identifying what data privacy regulations need to be followed, review their infrastructure and flexibility, assess their crypto agility and the potential limitations on their infrastructure. Based on the outcome, a transition to the Post-Quantum Cryptography roadmap should be put in place. Organizations should keep the NIST guidelines in mind and follow their updates during the design and implementation phases of their PQC roadmap.

Changing the standards of a technology that is deeply embedded in our daily lives is a tremendous task that will take a lot of preparation and a long time to execute securely. We are changing the standards because we have to. Because the potential damage of the quantum threat to our society is wide-scale, it threatens all industries from finance and utilities to national intelligence. Speaking of which, intelligence agencies are taking the threat seriously, and have made it crystal clear that Post-Quantum Cryptography provides the best mitigation against the quantum threat. However, with the NIST standardization process coming to a conclusion by the end of this year, it’s time for companies and the whole supply chain of cybersecurity products, software, and hardware, to take action.

About the Author

Dr. Ali El Kaafarani is the CEO, Founder, and Researcher at the Mathematical Institute, University of Oxford, where he co-founded the cryptography group when he joined in 2015. Prior to that, Dr. El Kaafarani was a Research Engineer at the Cloud and Cybersecurity team at HP Labs. He holds a Ph.D. in cryptography from the University of Bath, U.K.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

The post Preparing for the Quantum Threat: The Road Ahead to Quantum-secure Cryptography appeared first on CISO MAG | Cyber Security Magazine.

VPN Security

In order to thwart the rising security incidents and help organizations improve their VPN security defenses against cyberattacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) jointly released a Cybersecurity Information Sheet detailing on selecting and hardening remote access VPN solutions. NSA stated that it released the cybersecurity information sheet to help secure the Department of Defense, National Security Systems, and the Defense Industrial Base.

The agencies stated that VPN servers become entry points for threat actors to penetrate critical networks. Multiple nation-states advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices.

Exploitation of vulnerabilities in VPN networks enable bad actors to

• Steal credentials.
• Remotely execute code.
• Weaken encrypted traffic’s cryptography.
• Hijack encrypted traffic sessions.
• Monitor sensitive data from the device.
• Perform large-scale compromise to the corporate network.

 How to Select Remote Access VPN Solutions

• Avoid selecting non-standard VPN solutions, including a class of products referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs
• Refer to the National Information Assurance Partnership (NIAP) Product Compliant List for validated VPNs
• Carefully read vendor documentation to ensure potential products support IKE/IPsec VPNs
• Identify whether the product uses SSL/TLS in a proprietary or non-standards-based VPN protocol when unable to establish an IKE/IPsec VPN
• Check whether the product supports strong authentication credentials and protocols and disables weak certificates and protocols by default
• Ensure the product includes protection against intrusions, such as the use of signed binaries or firmware images, a secure boot process that verifies boot code before it runs, and integrity validation of runtime processes and files

How to Harden Remote Access VPN Solutions

• Use tested and validated VPN products from the NIAP product list
• Employ robust authentication methods like multi-factor authentication (MFA)
• Apply patches and updates regularly
• Reduce the VPN’s attack surface by disabling non-VPN-related features
• Configure strong cryptography and authentication
• Run on strictly necessary features
• Protect and monitor access to and from the VPN
• Secure the network entrance

“Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Keep malicious actors out by selecting a secure, standards-based VPN and hardening its attack surface. This is essential for ensuring a network’s cybersecurity,” the agencies said in an advisory.

The post CISA and NSA Jointly Release VPN Cybersecurity Information Sheet appeared first on CISO MAG | Cyber Security Magazine.

In his blog post dated June 16, Brian Krebs, Editor of KrebsOnSecurity, reported that the Ukraine Cyber Police arrested six people from the CLOP ransomware group. The gang reportedly extorted more than half a billion dollars from victims.

Ransomware attacks are now an everyday occurrence. A report from Cybersecurity Ventures estimated a ransomware attack on businesses every 11 seconds in 2021.

While there are numerous debates about whether impacted companies should be paying the ransom, we could soon have legislation for this. Last year, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an advisory informing the public that the payment of ransom demanded by cybercriminals may be a violation of U.S. law.

For sure, there will be more ransomware attacks in the coming months. The adversaries see this as a lucrative opportunity, more so now, when the pandemic has office workers at home, with weak security on their home networks. Ransomware gangs are getting more organized with affiliate programs. They now offer Ransomware-as-a-Service — case in point, the DarkSide ransomware group that brought Colonial Pipeline to its knees. Read more about this in an article in the Insight section: “The Vulnerabilities that Open the Door to Ransomware.” 

We’re happy to announce that the July 2021 issue is CISO MAG’s fourth-anniversary issue, which includes interviews with a diverse and rich mix of topics and conversations that include 5G security, encryption and cryptography, incident response, vulnerability disclosure, API security, IoT device security, backup strategies, insider threats, and the latest cyberthreats.

We hope you enjoy reading all the interviews and stories in this issue.

To get a copy Subscribe Now!

The post Fighting Back Against Ransomware (We’ve Had Enough) appeared first on CISO MAG | Cyber Security Magazine.

Researchers at Intel Labs have found a way to process encrypted data sets without the need to first decrypt them. However, there are a few challenges to overcome before the technology becomes mainstream. Homomorphic Encryption is a new cryptosystem that allows applications to perform computation directly on encrypted data, without exposing the data itself. The technology is emerging as a leading method to protect the privacy of data when delegating computation.

Federated Learning can solve the challenges of sharing large data sets between entities. It uses machine learning tools to offer valuable insights from the data.

In this episode, we have Rosario Cammarota (“Ro”) – Principal Engineer at Intel Labs, and Jason Martin – Principal Engineer in the Security Solutions Lab and manager of the Secure Intelligence Team at Intel Labs.  They explain how Federated Learning and Homomorphic Encryption are solving data challenges in health care research – and the possible applications in other industries.

The post Episode #8: Intel Labs’ Breakthrough Research on Data Privacy and Encryption Technologies appeared first on CISO MAG | Cyber Security Magazine.

By Brian Pereira, Principal Editor, CISO MAG

Speaking at Intel Labs Day on December 3, Jason Martin,  Principal Engineer, Secure Intelligence at Intel Labs, explained Intel’s Confidential Computing initiative.

“Today encryption is being used to protect data while it is being sent across the network and while it is stored. But data can still be vulnerable when it is being used. Confidential Computing allows data to be protected while in use,” said Martin.

There are three tenets to Intel Labs’  Confidential Computing:

1. Data confidentiality –  to protect secrets from exposure.
2. Execution integrity – to protect the computation from being changed.
3. Attestation –  to verify the hardware and software are genuine, and not fake.

Trusted execution environments provide a mechanism to perform confidential computing. They’re designed to minimize the set of hardware and software you need to trust to keep your data secure.

“To reduce the software that you must rely on, you need to ensure that other applications, or even the operating system, can’t compromise your data, even if malware is present. Think of it as a safe that protects your valuables even from an intruder in the building,” said Martin.

In the early 2000s Intel Labs began research in ways to isolate applications using a combination of hardware access control techniques and encryption in order to provide confidentiality and integrity. The latest example of putting the capabilities of confidentiality, integrity and attestation together, to protect data in use, is Intel Software Guard Extensions.

All this will protect data on a single computer.

But what if you have multiple systems and data sets and with different owners? How can we support multiple parties to collaborate in a secure way with their sensitive data?

This is where Federated Learning comes in.

RELATED STORY:

Google Cloud Levels-up Confidential Computing with Latest Updates

What is Federated Learning?

Martin explained: “In many industries such as retail, manufacturing, health care, and financial services, the largest data sets are locked up in what is called data silos. These data silos may exist to address privacy concerns or regulatory challenges, or in some cases, the data is just too large to move. However, these data silos create obstacles, when using machine learning tools to gain valuable insights from the data.”

Take medical imaging, for instance. Machine learning has made advances in identifying key patterns in MRIs such as the location of brain tumors. However, getting multiple entities to collaborate in the processing/computation of the data is an inhibiting factor, due to data privacy concerns. Patient data and medical records are protected by standards like HIPAA.

Intel Labs has been collaborating with the Center for Biomedical Image Computing and Analytics at the University of Pennsylvania Perelman School of Medicine (Penn Medicine) — on federated learning.

“In our federated tumor segmentation project, we are co-developing technology to train artificial intelligence models to identify brain tumors,” informed Martin.

With federated learning, Intel’s scientists can split the computations, such that each hospital trains the local version of the algorithm on their data at the hospital. And the hospitals can send what they learn to a central aggregator. This combines the models from each hospital into a single model without sharing the data.

However, this poses another challenge. When the computation is split in this manner, you increase the risk of tampering with the computation. To tackle this, each hospital uses confidential computing. This protects the confidentiality of the machine learning model. Intel Labs and the hospitals also use integrity and attestation, to ensure that the data and model are not manipulated at the hospital level.

Penn Medicine and Intel Labs published a paper on Federated Learning in the medical imaging domain. The study demonstrated that the federated learning method could train a deep learning model, with 99% accuracy of the same model trained with the traditional non-private method.

The combined research also showed that institutions did on average 17% better when trained in the federation, compared to training with their own validation data (2.6%).

Work on this continues and will eventually enable a federation of over 40 international health care and research institutions to collaborate on creating new state-of-the-art AI models, without sensitive patient data leaving the hospitals.

Keep track of Intel Labs’ progress on Federated Learning here: Intel Labs Day 2020 | Intel Newsroom

About the Author

Brian Pereira is the Principal Editor of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

The post Federated Learning Can Solve Security and Data Privacy Challenges: Intel Labs appeared first on CISO MAG | Cyber Security Magazine.

“Many organizations currently utilize IP Security and Virtual Private Networks to connect remote sites and enable telework capabilities. These connections use cryptography to protect sensitive information that traverses untrusted networks. To protect this traffic and ensure data confidentiality, it is critical that these VPNs use strong cryptography. This guidance identifies common VPN misconfigurations and vulnerabilities,” NSA said in the advisory.

Securing Virtual Private Networks

For a secure VPN, NSA recommended certain guidelines, including:

• Reduce the VPN gateway attack surface
• Verify that the cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
• Avoid using default VPN settings
• Remove unused or non-compliant cryptography suites
• Apply vendor-provided updates for VPN gateways and clients

“VPNs are essential for enabling remote access and securely connecting remote sites, but without proper configuration, patch management, and hardening, VPNs are vulnerable to attack,” the advisory added.

Mitigating Attack Surface

The advisory stated that VPN gateways can be accessed directly from the internet and are exposed to network scanning, zero-day vulnerabilities, and brute force attacks. In order to defend against these vulnerabilities, NSA urged network administrators to execute traffic filtering rules, which include:

• Restrict all traffic to the VPN gateway, limiting access to only UDP port 500, UDP port 4500, and ESP
• When possible, limit accepted traffic to known VPN peer IP addresses. Remote access VPNs present the issue of the remote peer IP address being unknown and therefore it cannot be added to a static filtering rule
• If traffic cannot be filtered to a specific IP address, NSA recommends an Intrusion Prevention System (IPS) in front of the VPN gateway to monitor for undesired IPsec traffic and inspect IPsec session negotiations

“VPNs are essential for enabling remote access and connecting remote sites securely. However, without the proper configuration, patch management, and hardening, VPNs are vulnerable to many different types of attacks. To ensure that the confidentiality and integrity of a VPN is protected, reduce the VPN gateway attack surface, always use CNSSP 15- compliant cryptography suites, avoid using vendor defaults, disable all other cryptography suites, and apply patches in a timely manner,” the NSA concluded.

The post NSA Issues Guidelines on Securing Virtual Private Networks appeared first on CISO MAG | Cyber Security Magazine.

eTD is a proprietary Visa solution under its Payment Fraud Disruption (PFD) program. It scans the internet to identify malicious code on merchant payment pages and provides threat notification so that affected merchants can quickly take remedial measures. During one such routine scanning procedure carried out in September, researchers stumbled upon Pipka JavaScript skimmer on a North American merchant website. According to Visa, this merchant website was earlier infected with another JavaScript skimmer Inter – and hence was specifically under eTD’s scanner.

What’s New?

After its execution, Pipka JavaScript skimmer can remove itself from the HTML code of the compromised website, thereby decreasing the likelihood of detection. Visa says that it has not seen anything like this before and it’s a proof that cybercriminals are getting more sophisticated in the way they are carrying out attacks by the day.

What does it extract?

Pipka enables configuration of form fields that allows extraction of payment card details such as payment account number, expiration date, CVV, and cardholder name and address, from the checkout pages of the targeted eCommerce website.

How does it extract?

According to PFD, the skimmer checks the payment account number form field and injects Pipka in various locations of the targeted website. Once executed, it collects the data from the configured form fields and perform a base64 encoding on it. This encoded data is further encrypted using ROT13 cipher. The ROT13 cipher is a substitution cipher with a specific key where the letters of the alphabet are offset 13 places.

For example, all ‘A’s are replaced with ‘N’s, all ‘B’s are replaced with ‘O’s, and so on. For more clarification refer the below substitution key:

ABCDEFGHIJKLMNOPQRSTUVWXYZ

↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓

NOPQRSTUVWXYZABCDEFGHIJKLM

It can also be thought of as a Caesar cipher with a shift of 13.

Further, Pipka checks if the data string was previously sent to avoid data duplication. If the data string is unique, then data is fetched and sent to a command and control (C2) server. Pipka’s self-cleaning begins as soon as the initial script loads. This is exactly the reason why it is so difficult to detect its presence on a compromised web page.

What are its effects?

Sam Cleveland, senior analyst at Visa’s PFD team, says Visa presently is unable to provide any information on payment card fraud or theft related to Pipka. “Visa does not have this information to share due to this being an ongoing investigation,” Cleveland says. But as per the payment card information harvested, cybercriminals can carry out financial frauds and identity theft related crimes.

What mitigation measures can be taken?

Visa has listed the following measures and asked eCommerce websites to strictly adhere to it:

• Implement recurring checks in eCommerce environments for potential communications with the C2 servers
• Be vigilant about the code integrated into eCommerce environments via service providers.
• Keep a close eye on the Content Delivery Networks (CDN)
• Regularly scan and test eCommerce sites for vulnerabilities or malware
• Ensure third-party services and other integrations are all upgraded and patched
• Exercise access control to Admin users

Visa also informed its merchants to contact them immediately in case the Pipka JavaScript skimmer does infect their website even after taking preventive measures.

The post “Pipka” JavaScript Skimmer Targets Ecommerce Websites appeared first on CISO MAG | Cyber Security Magazine.