NIST may be on the brink of revealing which post-quantum computing encryption algorithms it is endorsing, solidifying commercial developments like QuProtect.

Cybersecurity experts are awaiting the imminent announcement from the National Institute for Standards (NIST) of its recommended post-quantum computing (PQC) encryption algorithms, an important milestone in a years-long process that started back in 2016 with 82 candidates. NIST has signaled it will reveal its decision imminently — possibly just before or during the RSA Conference in San Francisco in two weeks, amid a swirl of new activity in the field of quantum computing.

The PQC algorithms would join RSA and elliptic curve cryptography (ECC) as a new generation of NIST-recommended encryption standards. The PQC algorithms promise to enable encryption that is exponentially more powerful than current standards, which will become essential when quantum computers are available for commercial use.

Once NIST reveals which four algorithms it is endorsing, the next phase of drafting standards will begin. That process is expected to take roughly a year. But the pending decision will establish which algorithms to focus on. While the NIST selection will allow stakeholders to apply them to their offerings, many providers say that is just one part of the solution. Several startups focused on addressing PQC are now coming out of stealth. The latest came last Thursday, when QuSecure, a San Mateo, Calif.-based company formed three years ago, officially launched both itself and its first PQC product, called QuProtect. QuSecure describes QuProtect as an orchestration platform that can protect data in transit and at rest encrypted with the new PQC algorithms.

**A 'Perfect Storm' for Quantum Computing**

NIST's selection, until recently considered at least a year away, would come amid a perfect storm unfolding this month in quantum computing, all signaling that CISOs should accelerate their PQC strategies. Recent disclosures portend that quantum computing could become commercially available sooner than once thought likely. Notably, IBM two weeks ago revealed that it will release a 433-qubit processor called IBM Osprey by the end of this year, more than a threefold increase from IBM Eagle, a 127-qubit processor introduced in November 2021. IBM's updated roadmap calls for the introduction of a 1,000-qubit processor next year called IBM Candor. In three years, IBM plans to deliver a multi-cluster offering capable of exceeding 4,000 qubits.

"By 2025, we will have effectively removed the main boundaries in the way of scaling quantum processors up with modular quantum hardware and the accompanying control electronics and cryogenic infrastructure," Jay Gambetta, VP of quantum computing and an IBM Fellow, explained in a May 10 blog post. During that same week, D-Wave Systems announced the availability of its Advantage quantum computer via the Leap quantum cloud service, a part of the University of Southern California-Lockheed Martin Quantum Computing Center hosted at USC's Information Sciences Institute (ISI).

After the creation of Shor's algorithm in 1994, researchers realized that once quantum computers arrive with an abundant level of scale and precision, they will be able to break current forms of encryption. Besides RSA and ECC, quantum computers are expected to break the long-trusted Diffie-Hellman key exchange algorithm used for modern cryptographic communications including SSL, TLS, PKI, and IPsec.

Meanwhile, efforts to provide protections from quantum computing is accelerating. The recent White House directives emphasized that the government and industry should move forward with NIST's standards as well as calling for swift passage of the Bipartisan Innovation Act, legislation reintroduced last year as the Endless Frontier Act by US Senate Majority Leader Chuck Schumer, Senator Todd Young (R-IN), Representative Ro Khanna (D-CA), and Representative Mike Gallagher (R-WI). The bill seeks to boost funding in research and the advance of technology deemed critical to US national security, which includes artificial intelligence, PQC, and semiconductors.

Following the White House directive, the US House of Representatives Oversight and Government Reform Committee on May 11 unanimously passed the Quantum Computing Cybersecurity Preparedness Act, a bill proposed by US Representative Nancy Mace (R-SC) seeking to advance the migration of federal government IT systems with PQC capabilities. The legislation now sits before the House for consideration.

**Building QuProtect**

QuSecure was founded by chairman and COO Skip Sanzeri, CEO Dave Krauthamer, and chief product officer Rebecca Krauthamer, who is also a member of the World Economic Forum's Global Future Council on Quantum Computing.

Sanzeri tells Dark Reading that roughly 15 customers are now piloting QuProtect, including several branches of the US Department of Defense and large enterprise businesses. The only commercial customer QuSecure has permission to reference is Franklin Templeton, the New York-based diversified investment firm with roughly $1.5 trillion in assets under management as of April 30, which is best known for its large mutual funds. QuSecure is incubated within Franklin Templeton, which is also an investor in the company.

While Franklin Templeton declined to comment on its QuProtect pilot, Sanzeri says it is currently in beta there. "We are moving to the next step to a broader rollout," Sanzeri says. While Sanzeri said he was restricted in the amount of detail he could offer, it has established the quantum communications link between its servers and select institutional customers. The technology doesn't require the customers to add anything on their end, he says.

The QuProtect communications channels can run on servers on premises and in the cloud, Sanzeri adds. Eventually, it will run on network switches as well, according to Sanzeri, who says QuSecure has been in talks with players including Cisco, Fortinet, Juniper Networks, and Palo Alto Networks. "The switch providers are very standards based," Sanzeri says. "And one of the reasons why they haven't necessarily adopted this yet, across the board is because NIST hasn't finalized their standards. But once they do, then I think the switch providers will all come along nicely."

QuProtect provides a secure communications channel designed to protect any node on a network and is designed to use any of the NIST-approved PQC algorithms. Sanzeri claims QuSecure is the first company that is offering a complete PQC platform. "There are some point solutions out there that might be focusing on, say, quantum random number generation, or possibly just on cryptography," Sanzeri says. "And we think that is fine. However, it's not enough. If you're going to protect the enterprise, you need to be able to protect holistically."

Vincent Berk, chief strategy officer of QuantumXchange, which provides software that uses PQC keys shared on two specific endpoints, disputes QuSecure's claim of being the only company developing a complete offering. "To claim you're the first one that brings post quantum cryptographic solutions to the entire world, I can make that exact same claim for QuantumXchange, and we can start bickering over what we consider post quantum hard," Berk says.

Nevertheless, Berk, who joined QuantumXchange earlier this year after serving as CTO and chief security architect at Riverbed Technology, believes the QuSecure has a viable offering. "What I think they're doing a great job of is they're trying to make it as easy as possible to get you to know that you can trust your new cryptographic algorithms are working for you," Berk adds.

QuSecure Carves Out Space in Quantum Cryptography With Its Vision of a Post-RSA World

The PyPI "pymafka" package is the latest example of growing attacker interest in abusing widely used open source software repositories.

Public repositories of open source code are a critical part of the software supply chain that many organizations use to build applications. They are therefore an attractive target for adversaries seeking to distribute malware to a mass audience.

The latest case in point is a malicious package for distributing Cobalt Strike on Windows, macOS, and Linux systems, which was uploaded to the widely used Python Package Index (PyPI) registry for Python application developers. The "pymafka" package has a name that's very similar to "PyKafka," a popular Apache Kafka client for Python that has been downloaded more than 4.2 million times so far.

More than 300 users were tricked into downloading the malicious package, thinking it was the legitimate code, before researchers at Sonatype discovered the issue and reported it to the PyPI registry. It has since been removed, but applications that incorporated the malicious script remain a threat.

**Second Typosquatting Incident in a Month**

The incident marks the second typo-squatting incident involving the Apache Kafka project that Sonatype researchers uncovered this month. Earlier, they discovered a package on PyPI that had the same name as a Kafka-related Python project on GitHub called "karaspace." Though the malicious package on PyPI had the same name as the legitimate project, it was designed to steal IP addresses, user names, and other information for fingerprinting devices on which the package was installed.

In a blog Friday, Sonatype described pymafka as designed to detect the platform on which it is installed and then embed an OS-appropriate version of a Cobalt Strike beacon on the device. Cobalt Strike is often used maliciously for lateral movement within a target network environment.  

Sonatype said it observed the executables being downloaded from an IP address associated with cloud-hosting provider Vultr. Once installed on a system, the beacon attempts to communicate with a China-based IP address assigned to Alibaba. 

"Less than a third of antivirus engines detected the samples as malicious at the time of our submission to VirusTotal, although that's still a better detection rate than the zero-detections seen in some of our earlier discoveries," according to Sonatype.

**Blind Trust**

The pymafka incident is the latest in a growing number of security incidents involving PyPI and other public repositories. For instance, last November researchers from JFrog discovered 11 malicious Python packages on PyPI. In July, they discovered malicious PyPI packages attempting to steal credit-card data and other information from some 30,000 systems on which the packages had been installed. The same month, a Japanese researcher reported a security issue that gave attackers a way to remotely execute malicious code on the registry.  

"Developers are blindly trusting repositories and installing packages from these sources, assuming they are secure," JFrog warned last year. "Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and \[continuous integration/continuous delivery\] CI/CD machines in the pipeline."

Concerns over the growing attacker interest in public repositories have prompted several security initiatives at PyPI in recent years. These include the addition of two-factor authentication as a log-in option and API tokens for uploading software to the registry, a dependency resolver to ensure the pip package installer installs the right versions of package dependencies, and creating databases of known Python vulnerabilities in PyPI projects.

Concerns over software supply-chain security has prompted other, more strategic initiatives as well. Earlier this month, the National Institute of Standards and Technology (NIST) updated its cybersecurity guidance with new recommendations for addressing risks in the software supply chain. MITRE, too, has released a prototype framework called System of Trust that organizations can use to evaluate the security practices of service providers and suppliers in the software supply chain.

Malicious Python Repository Package Drops Cobalt Strike on Windows, macOS & Linux Systems

Analysts have seen a massive spike in malicious activity by the XorDdos trojan in the last six months, against Linux cloud and IoT infrastructures .

Cybercriminal use of the Linux Trojan known as XorDdos is on the rise, according to a new report, which found a 254% increase in malicious activity against Linux endpoints using the malware over the last six months. 

It was first discovered in 2014, and the Microsoft 365 Defender Research Team explained in a recent blog post that the XorDdos Trojan targets Linux cloud and Internet of Things (IoT) endpoints, and deploys botnets to carry out distributed denial-of-service (DDoS) attacks. 

The team added that the attacks fit a wider trend of attacks targeting Linux-based systems. 

"By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out DDoS attacks," the team wrote in describing the rise of the XorDdos Trojan. "DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux Trojan XorDdos Attacks Surge, Targeting Cloud, IoT

A culture of trust, combined with tools designed around employee experience, can work in tandem to help organizations become more resilient and secure.

The modern workplace is changing at a pace never seen before in history. A lot of this stemmed from COVID and remote work necessities, with 74% of CFOs noting they've adopted some kind of telecommuting policies due to coronavirus challenges. Now, more than ever, the employee experience (EX) is critical for keeping us connected and productive. That applies not just from a company growth perspective, but from a cybersecurity one.  

EX is a combination of three things: Policies, environment/culture, and tools. The key to addressing all three lies in empathy, as discussed in the book _Empathy In Action: How to Deliver Great Customer Experiences at Scale_, by Tony Bates and Dr. Natalie Petouhoff. In their book, the two position empathy as a business strategy. It’s also something that we can use to address cybersecurity.

The cybersecurity field isn’t always rewarding. It can be a relatively thankless and stressful position. COVID hasn't helped, with 70% of cybersecurity professionals reporting consistently high stress levels of cybersecurity professionals reporting consistently high stress levels. Mental health issues and even suicides are increasing among those who work in these environments. We must address the issue empathetically not just to protect systems but to save lives.

**Creating a Frictionless Office Environment Through Zero Trust  
**Zero trust is a bit misleading, because it's a technology methodology and a policy that's all about enabling EX. With zero trust in place, access is denied as the baseline. So how does that build EX? To understand, we have to compare zero trust to the traditional office network.

This is made up of company devices, software, and workers on a separate network from the Internet. Everything touching that network has been rigorously vetted to gain a "trusted" status that allows it to connect without question. Workers are expected to adhere to strict controls, confining them to certain devices, software, and practices.

This is where shadow IT rears its head. Inevitably workers end up routing around trusted devices and software to get their jobs done, creating untrustworthy networks of tools.

To respond, the industry — led by Google — came out with zero trust. Enterprises just assume everyone — software, devices, and people — are bad actors until proven otherwise. This creates a much simpler world to defend. And simpler, easier, and more streamlined experience is what EX is all about.

Zero trust is also a means of simplifying policy, which can bleed into the next point: building a blameless culture.

**Stopping Threats With a Blameless Culture**

Some 43% of employees admit to making an error at work that compromised cybersecurity. It's highly unlikely that cybersecurity professionals at those companies have corresponding reports for all those incidents. People do not like to admit when they do something wrong. They especially don't like to admit it when there are potential repercussions like job loss, demotions, or other disciplinary measures.

Meanwhile, when responding to a threat, cybersecurity professionals need clear information. They will not get this in a culture of fear. That culture of fear expands to IT and cybersecurity professionals responding to incidents, as well.

With a blameless culture, there is clear transparency of the events going on at the time of a security incident. Individuals, unafraid of repercussions, come forward with key information and increase the likelihood of resolution.

Blameless culture leads right back to EX. It does not mean a complete lack of accountability, nor does it excuse any malicious action. Zero trust is about how you create open cultures that enhance the resilience of your business. Much of that centers on the tools provided to workers.

**Empowerment Through Software Enablement**  
Software tools, especially in today’s tech-connected world, set the foundation for the employee experience. There are dozens of examples of technology improving employee productivity and happiness. The most effective, based on a Forrester study, tend to target two things:  

*   **Everyday productivity gains:** Tasks that employees have to tackle every single day are the ones where they see the most benefit when technology is deployed.

*   **Daily stress:** Barriers to their ability to do their jobs stem from technology that is outdated or difficult to understand. Technology that is easy to use eliminates this stress.

Software that meets these standards is well designed and enhances tasks. It does not create new ones. When building these tools and enterprise capabilities, it's important to take that EX into account. That should occur regardless of whether that tool is aimed at a business analyst seeking revenue guidance or cybersecurity experts on the hunt for vulnerabilities.

A culture of trust, combined with tools designed around EX, work together to help organizations become resilient. When viewed through an empathetic lens, it's easier to establish the right policies and technology to help workers be happier, healthier, and more productive.

Why the Employee Experience Is Cyber Resilience

Next I.T. is the sixth and largest acquisition to date for Valeo Networks.

ROCKLEDGE, Fla. and MUSKEGON, Mich., May 23, 2022 /PRNewswire/ -- Valeo Networks, a leading Managed Security Service Provider (MSSP), today announced the acquisition of Next I.T., a Michigan-based Managed Service Provider (MSP). Financial terms are not being released.

A recognized and highly respected MSP, Next I.T. is the sixth and largest acquisition to date for Valeo Networks and further supports its goal of building a national network of IT and cybersecurity experts to comprehensively support and protect its client base.

The company will continue to operate as DBA Next I.T. (A Valeo Networks Company), and maintain its current Michigan office locations in Muskegon, Kalamazoo, and Traverse City. The Next I.T. team consists of Microsoft Certified Engineers, Cisco Certified Engineers, and certified technicians in both HP and Dell. They specialize in providing IT solutions for clients across a wide range of industries, including manufacturing, non-profits, and healthcare.

"We are thrilled to welcome Next I.T. to the Valeo Networks family," said Travis Mack, CEO, Valeo Networks. "Their deep skill set and broad expertise will be an excellent fit within our organization, as we continue to advance our nationwide growth strategy. As with each of our divisions, we will partner with Next I.T. to strengthen resources and capabilities in cybersecurity, managed services, cloud solutions, and compliance."

"I am excited for Next I.T. to join Valeo Networks and be part of a larger organization," said Eric Ringelberg, CEO, Next I.T. "With as much as we have grown over the past twenty-one years and having robust IT services in place, this was the natural next step for our continued growth. The Valeo leadership team really stood out to me in offering a true partnership, holding the same values, and having a track record of keeping its acquired companies intact. I look forward to accelerating Next I.T.'s growth throughout the Midwest region with the resources, capital backing, and collaboration that Valeo Networks provides."

**About Next I.T.  
**Next I.T., an award-winning Managed Service Provider (MSP), specializes in industry-specific solutions that leverage technology, increase productivity, and reduce risk for small and medium-sized businesses. It offers a full line of computer hardware, telecommunication equipment, and the professional expertise with remote capabilities to install and service systems. Next I.T. is headquartered in Muskegon, MI, with additional branches in Kalamazoo and Traverse City. For more information, visit www.next-it.net.

**About Valeo Networks  
**Valeo Networks is a full-service, award-winning Managed Security Service Provider (MSSP) that serves State, County, Municipal markets; small-to-medium businesses (SMBs); and non-profit organizations. Firmly seated in the top 5% of revenue generating MSSPs nationwide—making it one of the largest MSSPs nationally—Valeo Networks provides solutions in the areas of cybersecurity, compliance, cloud, network infrastructure, and managed IT services. With over 20 years of industry experience, Valeo Networks is headquartered in Rockledge, FL, with additional locations nationwide. Learn more at www.valeonetworks.com.

Valeo Networks Acquires Next I.T.

IronKey Vault Privacy 80 External SSD safeguards against brute-force attacks and BadUSB with digitally-signed firmware.

_**Fountain Valley, CA – May 23, 2022 –**_ Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., a world leader in memory products and technology solutions, today announced the release of the newest addition to its encrypted lineup, **IronKey Vault Privacy 80 External SSD** (VP80ES). This marks Kingston’s first innovative OS-independent external SSD with **touch-screen** and **hardware-encryption** for data protection.

Using IronKey VP80ES is as innate as unlocking a smartphone and simple drag & drop file transfers. Featuring an intuitive color touch-screen and FIPS 197 certified with XTS-AES 256-bit encryption, VP80ES is designed to protect data while also being user-friendly. The drive is ideal to safeguard against Brute Force attacks and BadUSB with digitally-signed firmware for users from small-to-medium businesses (SMB) to content creators. Its military-grade security measures make it greatly superior over using the internet and Cloud services for securing important company information, documents, or high-res images and videos.

Along with its ease of use and hardware encryption, VP80ES offers additional features for data protection, like **Multi-Password (Admin/User) Option** with **PIN/Passphrase modes** and **Configurable Password Rules**. With Admin option, choose between numeric PIN or Passphrase modes, set Configurable Password Rules, or enable extended security options like maximum number of shared password attempts, minimum password length of 6-64 characters, alphanumeric password rules, auto-timeout to lock drive, randomize touch-screen layout and Secure-Erase to ensure maximum protection of your important files. The Admin password can be used to restore data and access should the User password be forgotten. For additional peace of mind, VP80ES’ Brute Force attack protection crypto-erases the drive if the Admin and User passwords are entered incorrectly 15 times1 in a row by default.

Don’t fear forgetting your password, though: with the use of the ‘space’ character it can be easier to remember a passphrase as a list of words, a memorable quote, or lyrics from a favorite song. Otherwise, the PIN pad can be used to unlock VP80ES, just as you would on a mobile device. To reduce failed login attempts and frustration, tap the “eye” button to view the password as entered. VP80ES is bundled with a neoprene travel case and two USB 3.2 Gen 1 adapter cables to easily connect to USB Type-C®2 or Type-A supporting computers and other devices, making it the perfect companion that enables portable productivity and convenience when you need secured data and content on-the-go.

“As more and more people continue to work from home and outside of company firewalls, we want to provide higher capacity options of user-friendly military-grade security for small and medium businesses to complement our existing encrypted USB drives,” said Richard Kanadjian, encrypted business manager, Kingston. “IronKey Vault Privacy 80ES does just that. Between the color touch-screen, the myriad security features, and its small form factor, users can truly control their data in their own hands.”

Kingston IronKey Vault Privacy 80 External SSD is available in 480GB, 960GB, and 1920GB capacities and is backed by a limited three-year warranty, free technical support and legendary Kingston reliability.

For more information visit kingston.com.

**IronKey Vault Privacy 80 External SSD**

**Part Number**

**Capacity**

IKVP80ES/480G

480GB IronKey VP80ES

IKVP80ES/960G

960GB IronKey VP80ES

IKVP80ES/1920G

1920GB IronKey VP80ES

**Kingston IronKey Vault Privacy 80 External SSD Features and Specifications****:**

*   **Safeguard Important Data with FIPS 197 Certified XTS-AES 256-bit Encryption:** Built-in protections against BadUSB, Brute Force attacks and Common Criteria EAL5+ certified secure microprocessor.3
*   **Unique Intuitive Touch-screen:** Protecting your data is easy with the intuitive, user-friendly color touch-screen.
*   **Enable Multi-Password (Admin/User) Option with PIN/Passphrase modes:** Multi-Password Option for Data Recovery with Admin access.
*   **Configurable Password Rules:** Manage the number of password attempts, minimum password length of 6-64 characters, and numeric or alphabet password rules.
*   **Extended Security Options:** Adjustable auto-timeout to lock drive, randomize touch-screen layout and Secure-Erase the drive to wipe out all passwords and encryption key.
*   Dual Read-Only (Write-Protect) Mode Settings: Defend against cybersecurity threats from compromised systems using two levels of Read-only protection
*   **Interface:** USB 3.2 Gen 1
*   **Connector:** Type-C
*   **Package Includes:** Neoprene travel case, USB 3.2 Gen 1 C-to-C cable,

USB 3.2 Gen 1 C-to-A cable

*   **Capacities4:** 480GB, 960GB, 1920GB
*   **Speed:** Up to 250MB/s read, 250MB/s write
*   **Dimensions:** 122.5 mm x 84.2 mm x 18.5 mm
*   **Operating Temperature:** 0°C to 45°C
*   **Storage Temperature:** \-20°C to 60°C
*   **Compatibility:** USB 3.0/USB 3.1/USB 3.2 Gen 1
*   **Warrant/Support5:** Limited 3-year warranty
*   **Compatible with:** OS-independent:

Microsoft Windows®, macOS®, Linux®, Chrome OS™ or any system that supports a USB mass storage device.

1 Brute Force attack protection crypto-erase adjustable from 10-30 password attempts

2 USB Type-C® and USB-C® are registered trademarks of USB Implementers Forum.

3 Hardware Certified with built-in protection mechanisms designed to defend against external tampering and physical attacks.

4 Some of the listed capacity on a flash storage device is used for formatting and other functions and thus is not available for data storage. As such, the actual available capacity for data storage is less than what is listed on the products. For more information, go to Kingston's Flash Memory Guide.

5 Limited 3-year warranty. See kingston.com/wa for details.

**Kingston can be found on**:

YouTube Instagram

Facebook LinkedIn

Twitter Kingston Is With You

**About Kingston Technology Company, Inc.**

From big data, to laptops and PCs, to IoT-based devices like smart and wearable technology, to design-in and contract manufacturing, Kingston helps deliver the solutions used to live, work and play. The world’s largest PC makers and cloud-hosting companies depend on Kingston for their manufacturing needs, and our passion fuels the technology the world uses every day. We strive beyond our products to see the bigger picture, to meet the needs of our customers and offer solutions that make a difference. To learn more about how Kingston Is With You, visit Kingston.com.

Kingston Digital Releases Touch-Screen Hardware-Encrypted External SSD for Data Protection

What subsequent protections do you have in place when your first line of defense goes down?

News that Okta was hacked by the Lapsus$ group in January has caused serious waves in the identity security space.

With the company considered a pillar of security, the confirmed hack of Okta has led many to question the wisdom of being so dependent on their identity manager. Interestingly, many are asking how to move past having a single source of truth for our access control that can also be a single source of failure.

For an industry focused on zero trust, there's a lot of faith put into a couple of security pillars. So what happens when they get knocked? Does the rest of our security infrastructure come crashing down?

**Identity at the Center of Security  
**For many organizations, Okta is the go-to for everything access security when it comes to identity.

These identity providers (IdPs) help organizations manage their identity directories, offer authentication services like single sign-on and multifactor authentication (MFA), and generally make it easier for dealing with the on- and offboarding of employees in the organization.

All great things.

The problem comes when we place way too much trust in any one solution because it can become a single point of failure.

The question becomes: What do you have in place to pick up the baton of security when the first line of defense goes down?

**Guarding the Guardians  
**Even under normal circumstances, we only see the access that we have provisioned ourselves through our IdPs or identity governance and administration (IGA) tools.

If our IdP is compromised, and therefore untrusted, then how are we validating the information that it is providing?

What we need is additional layers of security and visibility. There should be a segregation of duties between the infrastructure that manages our access and the tools that validate that access.

Our tools have to tell us not only what we think we have, but what are really facts in the field that can impact our security.

The way to achieve this is through extensive connectivity with all your organization's apps and services. It is not enough to have visibility in your AWS if your users are also utilizing GitHub, Google Docs, and many other cloud services that businesses depend on for day-to-day work.

We need to see all of the activity happening not only with our identities, but also from the asset side to see which nonfederated (local IAM/external users/service principals) are accessing our assets.

If we can understand how access privileges are being used, then we can pick up on suspicious activity and reduce our exposure with least privilege.

Credentials will be compromised and accounts taken over. Here are three ways we can limit the damage and make it harder for hackers to reach their objectives.

**1. Reduce Your Exposure  
**Avoid those self-inflicted wounds by plugging basic holes in your security. Make sure that every admin user has MFA enabled. It's not perfect, but it is a helpful barrier to make them work harder and can prevent 99.9% of the attacks.

Revoke unused privileges. If an identity has not used a privilege in 30 or 60 days, then they probably do not need it for their day-to-day work.

Perform periodic access reviews where managers and app owners have to approve or revoke access privileges for employees and others. Provide them with the sufficient data to make accurate decisions and avoid rubber stamping. Do these periodically to ensure that everyone has the right baseline level of access.

**2\. Continuously Monitor For Issues  
**Once you have a secure baseline of access privileges, you have to continuously monitor that it stays that way.

The way to do it is with policies that can be monitored and alerted on if violations occur. For example if a new admin is created or an access privilege has not been used in 30 days.

Setting enforceable guardrails will enable you to respond quickly and avoid privilege sprawl or risky exposures.

**3. Secure Your Supply Chain  
**Make sure that everyone in your supply chain or other partners are keeping to your standards.

If a mistake or failure to follow best practices on the part of your third party-vendor impacts your customers, it becomes your responsibility to inform them of your expectations and enforce them.

You can pick your metaphor, but a defense-in-depth approach requires that we not put all of our eggs in one product basket or another. Every solution has its limitations and can only play a part in the overall security array.

While authentication and IdP tools are essential first steps, they provide identity and access infrastructure. We need to ask what's happening in the infrastructure and monitor it to become more resilient and ensure that a mistake with a single vendor will not leave us exposed.

After the Okta Breach, Diversify Your Sources of Truth

In a new phishing tactic, faux chatbots establish a conversation with victims to guide them to malicious links, researchers say.

Phishing emails intended to look like a DHL communications are now coming loaded with a new twist — a version of a chatbot that helps drive targets to malicious links, according to a new report.

That is to say, it behaves like a chatbot, but behind the scenes, the scripts are pre-programed to respond with stock phrases based on a victim's answer, according to researchers at Trustwave who reported the phishing campaign tactic. But the effect is the same — targets think they're talking to a live DHL representative.

After clicking, the victim's browser opens a PDF file with another link asking the person to "Fix delivery," the Trustwave team reported. The chatbot will ask the victim to confirm a delivery address and tracking number, and it will even present a fake CAPTCHA to make everything seem legitimate. Eventually, the target will be asked to enter in login credentials and credit card information, which is promptly harvested.

Because chatbots are widely used by brands to interact with customers online, end users aren't suspicious of interacting with them, the Trustwave team added — making this a perfect social-engineering ploy.

"This is what the perpetrators of this phishing campaign are trying to capitalize on," the chatbot phishing report added. "Aside from spoofing the target brand on the phishing email and website, the chatbot-like component \[is what\] slowly lures the victim to the actual phishing pages."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Chatbot Army Deployed in Latest DHL Shipping Phish

Organizations that deploy updates only after a vulnerability is disclosed apply far fewer updates and do so at a lower cost than those that stay up to date on all of their software, university researchers say.

Analysis has surfaced what many would consider a surprising insight: Organizations that always update to the newest versions of all of their software have roughly the same risk of being compromised in cyber-espionage campaigns as those that apply only specific updates after a vulnerability is disclosed.

A quantitative look at data from 350 advanced persistent threat (APT) campaigns between 2008 and 2020 by researchers from University of Trento, Italy, shows that organizations with a purely reactive software update strategy had roughly the same risk exposure to advanced cyberattacks as those that keep up to date on everything. This is despite the fact that the subjects deployed only 12% of the updates that organizations that always updated immediately did.

The data shows that the same holds true for organizations that might apply updates to patch vulnerabilities based on information they have received in advance — for example, by paying for information about zero-days. Even these entities do not have a significant advantage over those that patch only on a reactive basis when it comes to breach risk, the study shows.  

**Why Reactive Patching Might Be OK for APTs  
**Though this flies in the fact of conventional wisdom, the study results reflect two realities: 1) APTs tend to be reactionary themselves, and 2) time-to-patch metrics matter.

In analyzing some 350 campaigns dating back to 2008 (including information on vulnerabilities exploited, attack vectors, and affected software products), researchers found that APTs targeted publicly disclosed vulnerabilities more often than they did zero-days, overall. They also tended to frequently share or target the same known vulnerabilities in their campaigns.

In all, the researchers identified 86 different APT groups exploiting a total of 118 unique vulnerabilities in their campaigns between 2008 and 2020. Just eight of these threat groups used exclusive vulnerabilities in their campaigns: Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor.

That means there's an opportunity for IT teams to prioritize those bugs that are known to be APT favorites, in order to eliminate most of the risk of compromise.  

**Risk Remains Roughly the Same  
**Organizations that can apply software updates as soon as they're released naturally still face the lowest odds of being compromised, the study showed. However, the need to do regression testing before applying an update means that entities often take far longer to update their software. It's here that the researchers found little difference in risk exposure between those that apply all software updates, those that apply on a reactive basis, and those that update based on information they might have received in advance of others.

After all, the advantage of receiving vulnerability information in advance goes away completely the longer an organization takes to act upon the information.

For example, organizations that applied all software updates within one month of the updates being released were roughly at between five and six times higher risk of being compromised than organizations that updated immediately. That number was lower than (but not significantly so) for those that patched on a reactive basis (roughly between five-and-a-half to seven times higher risk); and those acting upon advance information (approximately between five and seven times higher).

The researchers found that organizations which acted on a reactive basis deployed far fewer updates than those that applied all updates. "Waiting to update when a CVE is published presents eight times fewer updates," the researchers said. "Thus, if an enterprise cannot keep up with the updates and needs to wait before deploying them, it can consider being simply reactive \[as an alternative\]."

**A Critical Issue  
**The issue of patch prioritization has become increasingly critical for resource- and time-strapped IT departments and security organizations. The growing use of open source components — many with vulnerabilities in them — has only exacerbated the problem. A study that Skybox Research Lab conducted last year showed a total of 20,175 vulnerabilities were disclosed in 2021. Another study by Kenna Security showed that nearly 95% of all enterprise assets contain at least one exploitable vulnerability. The trend has heightened interest in risk-based patch prioritization and pushed the US Cybersecurity and Infrastructure Agency to publish a catalog of exploited vulnerabilities so organizations know on which ones to focus first.

For its part, the University of Trento study specifically focused on the effectiveness and cost of different software update strategies for five widely used enterprise software products: Office, Acrobat Reader, Air, JRE, and Flash Player for the Windows OS environment.

"In summary, for the broadly used products we analyzed, if you cannot keep updating always and immediately (e.g., because you must do regression testing before deploying an update), then being purely reactive on the publicly known vulnerable releases has the same risk profile than updating with a delay, but costs significantly less," the researchers said.

Partial Patching Still Provides Strong Protection Against APTs

New versions of QKD use separate wavelengths on the same fiber, improving cost and efficiency, but distance is still a challenge.

The emergence of quantum computing and its ability to solve computations with incredible speed by harnessing the fundamental properties of quantum mechanics could revolutionize our world. But what does this quantum future mean for data security?

As quantum computing evolves from the test lab to the real world, this unprecedented new form of computing power has massive implications for current forms of encryption and public-key cryptography (PKC), such as Rivest–Shamir–Aleman (RSA) and elliptic curve cryptography (ECC). Against the processing capabilities of quantum computing, which can analyze vast sets of data orders of magnitude faster than current digital computers, these forms of encryption will essentially become vulnerable to bad actors.

In the coming post-quantum future, cryptography solutions built on the rules of quantum physics are essential to ensure that sensitive digital information is distributed safely and securely across the forthcoming quantum Internet. One of the pillars of this more secure quantum computing future is called quantum key distribution (QKD), which uses basic properties of physics to derive encryption keys for secure encryption between two locations simultaneously.

**Tapping the Power of Photons**

At the physical level, the data bits sent during key exchanges for today's common encryption techniques, such as RSA and ECC, are encoded using large pulses of photons or changes in voltages. With QKD, everything is encoded on a single photon, relying on quantum mechanical properties that allow detection and prevent successful eavesdropping. Quantum objects exist in a state of superposition where the value for a property of the object can be described as a set of probabilities for different values.

The transmission of the encoded photons occurs over what's known as the quantum channel. A separate channel, referred to as the classical channel, established between the two endpoints handles clock synchronization, key sifting, or other data exchange; this channel could be any conventional data communication channel.

**Multiple Varieties of QKD**

A number of implementations and protocols for QKD are emerging as the technology evolves. For example, discrete variable QKD (DV-QKD) is used in many commercial QKD systems today. A DV-QKD system consists of two endpoints: a sender and a receiver. The quantum connection between these endpoints could be free space or dark fiber. In this case, the sender encodes a bit value, 0 or 1, on a single photon by controlling the phase or polarization of the photon. A separate data connection between the two endpoints is used to communicate information about the quantum measurements and timing.

While initial QKD implementations consisted of separate dedicated fibers for the quantum and data channels, new versions can use separate wavelengths for each channel on the same fiber, leading to more cost-effective deployments and efficiencies.

Other implementations include continuous variable QKD (CV-QKD) and entanglement. With CV-QKD, the sender applies a random source of data to modulate the position and momentum quantum states of the transmission. Entanglement QKD, meanwhile, leverages quantum phenomena where two quantum particles are generated in a way in which they share quantum properties; no matter how far apart they may later separate, a measurement of a property on each will result in the same values.

**Challenges Ahead for QKD**

Distance remains a constraint on implementing QKD over fiber because the individual photons being transmitted will be absorbed over distance. The laser strength is attenuated to create the individual photons, and standard telecom equipment cannot be used to repeat or strengthen the signal. In general, between 60 miles and 90 miles is the practical limit.

Methods to extend the distance include trusted exchange, twin field QKD, and quantum repeaters.

*   Trusted exchanges act as a repeater — receiving the optical signals, converting them to digital, and then converting them back to optical. Trusted exchanges must be secured to prevent an intruder from reading the transmission while it is in digital form.
*   Twin field QKD adds a midpoint node that receives signals from both endpoint nodes, increasing the distance between endpoints to potentially hundreds of miles.
*   Quantum repeaters could eventually break the distance barriers of QKD over fiber, providing a function similar to repeaters in telecommunications today: to amplify or regenerate data signals so they can be transferred from one terminal to another.

Advancements in single photon sources and low-noise detectors will further improve the viable distances for QKD.

**What's Next for QKD**

QKD has significant value in a quantum world due to its ability to enable symmetric key sharing between endpoints and identify when eavesdropping on the quantum channel is occurring. Before it can be broadly implemented by carriers, however, QKD must be supportable in a carrier environment, providing the availability and reliability their customers expect.

For example, disruption of the quantum channel can result in the loss of real-time key material; however, having a secure key storage associated with QKD allows key material to continue to be distributed while investigation of quantum channel outage is occurring. This also means that approaches and capabilities to troubleshoot and manage QKD equipment and services must be developed.

Since QKD relies on quantum mechanics, the observing state will impact the quantum system, and this in itself poses challenges to troubleshooting and management. As the technology continues to evolve and improve, QKD implementations on smaller mobile devices such as drones may eventually become possible. No matter how QKD evolves, it looks to be a promising solution for securing communications on the quantum Internet.

Source

DARKReading