By Deeba Ahmed
Fake Voicemail Phishing on the Rise: Check Point Reveals How Hackers are Exploiting Corporate Phone Systems.
This is a post from HackRead.com Read the original post: QR Code Scam: Fake Voicemails Target Users, 1000 Attacks in 14 Days

Discover how scammers employ QR codes and fake voicemails for credential harvesting, with over 1,000 attacks detected in the last 14 days.

Researchers at Check Point Harmony Email have discovered a surge in cyberattacks involving fake voicemails. According to the company’s report shared with Hackread.com, cybercriminals are exploiting corporate phone systems’ links to email servers, embedding malicious links in voicemail playbacks for credential harvesting.

Scammers are increasingly using voicemail as a lure to trick users into clicking on malicious links one of which is creating legitimate-looking voicemails. Since corporate phone systems are tied to email, scammers are using this to include a voicemail recording hyperlinked to a malicious page. In this case, 1,000 attacks have been reported during the last two weeks.

What happens in this attack is that through social engineering, scammers send QR codes with conditional routing based on the device, targeting any end-user. The email analyzed by Check Point researchers appeared to be sent by payment processor service Square. However, in reality, the name was only used to mislead users. 

Moreover, the email’s subject line contained a phone number, which was illegitimate when searched on Google. The email also includes an embedded MP3 player, containing the voicemail. It redirects users to a credential harvesting page when clicked.

One of the malicious emails used in the attack (Screenshot: Check Point)

This attack relies on user participation. Any successful phishing attack requires user input, except for zero-click attacks. Users must replay, click on links, or enter information for the attack to progress. This allows scammers to experiment with creative options, such as impersonating a reputable brand and using voicemails. They observe user behaviour and adjust their attacks accordingly, ensuring a successful phishing attack.

Hackread has been reporting a rise in the trend of combining voice and phishing, aka Vishing to trap unsuspecting users into giving away sensitive data. We earlier reported Check Point researchers identifying a vishing campaign targeting users in South Korea with a new Android malware, dubbed “FakeCalls.” Cybercriminals tricked users into sharing sensitive financial information through fake calls supposedly made by legitimate financial organizations. This is part of a growing global threat to mobile banking customers, using sophisticated social engineering techniques to make calls seem legitimate.

During the COVID-19 pandemic, email security firm IronScales discovered around 100,000 new phishing campaigns targeting companies using PBX telephone systems for communication and information sharing. These scams, targeting working-from-home employees from various sectors like engineering, real estate, IT, oil & gas, healthcare, financial services, and IT, involved voicemail email phishing.

Vishing, or voice phishing, involves using telephones to trick users into disclosing financial and personal information, such as account numbers and passwords. Fraudsters may claim compromised accounts, represent banks or law enforcement, or offer software installation assistance. Protecting yourself involves knowledge, hanging up if asked for personal information, and calling a reliable source. Security professionals can implement AI-based security, check and emulate all URLs, and use multiple layers of protection.

****RELATED ARTICLES****

1.  **Scammers Rake in $600K with Deepfakes and QR Codes**
2.  **New Vishing Attack Spreading FakeCalls Android Malware**
3.  **The Types of Phishing Attacks and How to Dodge All of Them**
4.  **Ringless Voicemail As A Personalized Customer Engagement Tool**
5.  **Hackers Exploit QR Codes with QRLJacking for Malware Distribution**

QR Code Scam: Fake Voicemails Target Users, 1000 Attacks in 14 Days

New research finds that Israel’s attacks on Gaza damaged hospitals and other medical facilities at the same rate as other buildings, potentially in violation of international law.

The world has witnessed a near-unprecedented and ongoing humanitarian crisis in Gaza during the first 129 days of the Israel-Hamas war. Despite their critical role in saving lives, hospitals and other health care facilities—which are protected under international law—have not been spared the widespread destruction in the Palestinian territory, according to new research.

A study published Monday in the _British Medical Journal Global Health_ from researchers at the Yale School of Public Health found that from October 7—the day Hamas launched an unexpected attack on Israel that left some 1,200 Israelis dead—to November 7, 2023, hospitals and health care facilities were damaged at the same rate as other buildings. The paper’s authors suggest that the Israel Defense Forces (IDF) did not take measures to ensure it did not strike these facilities, despite their protected status.

“This pattern of war, at least in this first month, looks like it was not really aligned with international humanitarian law,” says Danielle Poole, an associate research scientist at the Yale School of Public Health and lead author on the paper.

The United Nations Relief and Works Agency for Palestine Refugees in the Near East estimates that at the start of 2024, 85 percent of Gaza’s population, or some 1.9 million people, had been displaced by the conflict, and the Gaza Ministry of Health reports that at least 28,064 Palestinians were killed between October 7, 2023, and February 10, 2024. Human Rights Watch, a nonprofit watchdog organization, has characterized Israel’s attacks on health care facilities in Gaza as “apparently unlawful.”

Using high-resolution satellite imagery from the United Nations, data from the open source mapping platform OpenStreetMap, and known locations of medical facilities listed by the World Health Organization (WHO) and the United Nations Office for Coordination of Humanitarian Assistance, the researchers were able to identify damage to over 167,000 buildings during the first month of the conflict. Poole and her team found that 15,768 nonmedical structures and nine health care–related facilities suffered damage—about 9 percent in each case. The analysis also found that health care facilities were more likely than other buildings to have sustained severe damage or to have been destroyed completely.

“Already in this first month, their health system was severely compromised due to the conflict,” says Poole. As the researchers note in their report, the attacks on medical facilities “will undoubtedly have long-term effects on the health system through the severely decreased ability to provide necessary medical care to the population.”

Researchers ranked the damage done to buildings in four ascending categories: “possible damage,” “moderate damage,” “severe damage,” and “destroyed.” Poole says the numbers noted in her team’s report are conservative because they don’t count smaller medical facilities, like pharmacies or small clinics. “You wouldn't expect an artillery officer to know about the little pharmacy in the strip mall, even though those things are still protected” under international humanitarian law, she says.

IDF flares light up the sky above the Al-Shifa hospital on November, 6, 2023.Photograph: Ahmad Salem/Bloomberg/Getty Images

International humanitarian law prohibits attacks on hospitals and health care facilities, or against patients, doctors, and their means of transport, during a conflict. A health care facility can lose its protected status if it is used to “commit acts that are harmful to the enemy,” according to the International Committee of the Red Cross (ICRC).

“Hospitals have special protection status underneath the Geneva Conventions and the Law of Armed Conflict,” says Nathaniel Raymond, a human rights investigator and a coauthor of the study. “To intentionally strike a hospital, the protocol required is the most restrictive for any type of civilian infrastructure. An armed party to a conflict must ensure that the hospital is notified that it has lost protected status, and efforts are made to ensure the evacuation of those facilities prior to any kinetic strike. That is what the law requires.”

In a lengthy response to WIRED’s questions about what measures it has taken to prevent damage to health care facilities, the IDF defended its military operations. “A central feature of Hamas’ strategy is the exploitation of civilian structures for terror purposes,” says an IDF spokesperson. “It is against this context of widespread exploitation of medical facilities and intelligence indicating their knowledge and even participation in terror activities that Israel has apprehended and questioned individuals in Gaza, including medical staff. We reiterate that individuals found not to have been involved in terrorist activity are released after questioning.”

The IDF has alleged that Hamas was operating out of tunnels underneath Al-Shifa, the largest hospital in Gaza, thereby making it a legitimate target. IDF forces raided the hospital on November 15. The tunnels have not been proven to have had a military function, and the legality of that IDF military operation remains in dispute.

Even in cases where the military has leveraged civilian structures, combatants are expected to exercise what IHL dubs “proportionality” and “precaution,” meaning that any attack should be done such that civilian harms do not outweigh the military benefit. “This does not mean there’s free license to attack,” ICRC chief legal officer Cordula Droege said in an ICRC video posted November 2 on X. “The party to the conflict has to do everything feasible in order to avoid or at least minimize harm to patients and medical staff.”

Although the destruction of health care facilities in Gaza is far more extensive, the WHO also recorded “33 attacks on health care in Israel during the violent events of October 7.” The WHO cautioned Hamas and Israel to remember “their obligation under international humanitarian law to respect the sanctity of, and actively protect, health facilities.” An independent UN Human Rights Council commission also says it is “collecting and preserving evidence of war crimes committed by all sides since 7 October 2023.”

The implications for Gaza’s health system have been disastrous. Even in the earliest weeks of the conflict, doctors warned that hospitals were running out of space to treat the wounded and were operating without access to anesthetics or even clean water. Hospitals and the health care system have also seen continued destruction. On January 3, the WHO estimated that only 13 of the 36 hospitals in Gaza remained operational. The WHO also says that instances of disease in Gaza have skyrocketed as access to health care, food, and clean water has plummeted.

Poole says she hopes the research leads to further investigations to “ascertain whether or not the medical complexes were getting distinction, proportionality, and precaution principles that protects them through IHL” throughout the course of the conflict.

“If the principle of distinction was being respected in this conflict, there would be a stark difference in our findings between special protected infrastructure—in this case, health facilities—and non-health facility infrastructure,” Raymond says. “What we find instead is that there is no difference.”

_Update: 2/12/2024, 8:40 am ET to clarify the description of the satellite material on which the researchers based their analysis._

Satellite Images Point to Indiscriminate Israeli Attacks on Gaza’s Health Care Facilities

Cyberattacks and criminal scams can impact anyone. But communities of color and other marginalized groups are often disproportionately impacted and lack the support to better protect themselves.

Talk about the promise and the peril of artificial intelligence is everywhere these days. But for many low-income families, communities of color, military veterans, people with disabilities, and immigrant communities, AI is a back-burner issue. Their day-to-day worries revolve around taking care of their health, navigating the economy, seeking educational opportunities, and upholding democracy. But their worries are also being amplified through advanced, persistent, and targeted cyberattacks.

Cyber operations are relentless, growing in scale, and exacerbate existing inequalities in health care, economic opportunities, education access, and democratic participation. And when these pillars of society become unstable, the consequences ripple through national and global communities. Collectively, cyberattacks have severe and long-term impacts on communities already on the margins of society. These attacks are not just a technological concern—they represent a growing civil rights crisis, disproportionately dismantling the safety and security for vulnerable groups and reinforcing systemic barriers of racism and classism. The United States currently lacks an assertive response to deter the continued weaponization of cyber operations and to secure digital access, equity, participation, and safety for marginalized communities.

Health Care

Cyberattacks on hospitals and health care organizations more than doubled in 2023, impacting over 39 million people in the first half of 2023. A late-November cyberattack at the Hillcrest Medical Center in Tulsa, Oklahoma, led to a system-wide shutdown, causing ambulances to reroute and life-saving surgeries to be canceled. These attacks impact patients' reliance and trust in health care systems, which may make them more hesitant to seek care, further endangering the health and safety of already vulnerable populations.

The scale and prevalence of these attacks weaken public trust—especially among communities of color who already have deep-rooted fears about our health care systems. The now-condemned Untreated Syphilis Study at Tuskegee, where researchers denied treatment to Black men without their knowledge or consent in order to observe the disease’s long-term effects, only ended 52 years ago. However, the study created a legacy of suspicion and mistrust of the medical community that continues today, leading to a decrease in the life expectancy of Black men and lower participation in medical research among Black Americans. The compounding fact that Black women are three to four times more likely, and American Indian and Alaska Native women are two times more likely, to die from pregnancy-related causes than White women only adds to mistrust.

Erosion of trust also extends to low-income people. Over a million young patients at Lurie Children's Surgical Foundation in Chicago had their names, Social Security numbers, and dates of birth exposed in an August 2023 breach. The hospital treats more children insured by Medicaid—an economic hardship indicator—than any other hospital in Illinois. Once breached, a child’s personal data could be used to commit identity fraud, which severely damages credit, jeopardizes education financial aid, and denies employment opportunities. While difficult for anyone, children from financially insecure households are least equipped to absorb or overcome these economic setbacks.

Economic Opportunity

Identity theft is not the only way cyberattacks exploit hard times. Cyberattacks also go after financially vulnerable individuals—and they are getting more sophisticated. In Maryland, hackers targeted Electronic Benefits Transfer cards—used to provide public assistance funds for food—to steal more than $2 million in 2022 and the first months of 2023. That’s an increase of more than 2,100 percent compared to the $90,000 of EBT funds stolen in 2021. Maryland’s income limit to qualify for the government’s food assistance program is $39,000 for a family of four in 2024, and only if they have less than $2,001 in their bank account. Unlike a credit card, which legally protects against fraudulent charges, EBT cards don’t have fraud protections. Efforts to help the victims are riddled with red tape: reimbursements are capped at two months of stolen benefits, and only within a specific time period.

Cybercriminals also target vulnerable populations, especially within older age groups. Since the last reporting in 2019, 40 percent of Asian Pacific Islander Desi Americans (APIDAs) aged 50 and older have reported experiencing financial fraud, with one-third of those victims losing an average of $15,000. From 2018 through 2023, Chinese Embassy Scam robocalls delivered automated messages and combined caller ID spoofing, a method where scammers disguise their phone display information, targeting Chinese immigrant communities. This resulted in more than 350 victims across 27 US states and financial losses averaging $164,000 per victim for a total of $40 million. And for five years, this scam just kept going. As these scams evolve, groups now face increasingly sophisticated AI-assisted calls, where scammers use technology to convincingly mimic loved ones' voices, further exploiting vulnerabilities, particularly among older adults—many of whom live on fixed incomes or live with economic insecurity.

While social movements have fought to promote economic equity, cybercriminals undermine these efforts by exacerbating financial vulnerabilities. From the 1960s La Causa movement advocating for migrant worker rights to the Poor People’s Campaign mobilizing across racial lines, activists have worked to dismantle systemic barriers, end poverty, and push for fair wages. Current attacks on financial systems, however, often target the very groups these movements aim to empower—perpetuating the disparities that advocates have fought against. Digital scams and fraud incidents disproportionately impact those least equipped to recover—including natural disaster victims, people with disabilities, older adults, young adults, military veterans, immigrant communities, and lower-income families. By stealing essential resources, cybercriminals compound hardships for those already struggling to make ends meet or those experiencing some of the worst hardships of their lives—pushing groups deeper into the margins.

Education Access

Education is another area where cybercrime has soared. One of the worst hacks of 2023 exploited a flaw in a file transfer software called MOVEit that multiple government entities, nonprofits, and other organizations use to manage data across systems. This includes the National Student Clearinghouse, which serves 3,600 colleges, representing 97 percent of college students in the US, to provide verification information to academic institutions, student loan providers, and employers.

Attacks on educational systems are devastating at all levels. A top target for ransomware attacks last year was K-12 schools. While the complete data is not available yet, by August 2023 ransomware attacks (where hackers lock an organization’s data and demand payment for its release) hit at least 48 US school districts—three more than in all of 2022. Schools already have limited resources, and cybersecurity can be expensive, so many have few defenses against sophisticated cyberattacks.

The Hidden Injustice of Cyberattacks

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

**Moodle Improper Access Control vulnerability**

Moderate severity GitHub Reviewed Published Feb 12, 2024 to the GitHub Advisory Database • Updated Feb 12, 2024

GHSA-5p2x-8427-9fgp: Moodle Improper Access Control vulnerability

When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). With passwords alone being simple work for hackers, MFA provides an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is. 
If a password is compromised, there are several options

When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). With passwords alone being simple work for hackers, MFA provides an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is.

If a password is compromised, there are several options available to hackers looking to circumvent the added protection of MFA. We'll explore four social engineering tactics hackers successfully use to breach MFA and emphasize the importance of having a strong password as part of a layered defense.

**1\. Adversary-in-the-middle (AITM) attacks**

AITM attacks involve deceiving users into believing they're logging into a genuine network, application, or website. But really, they're giving up their information to a fraudulent lookalike. This lets hackers intercept passwords and manipulate security measures, including MFA prompts. For instance, a spear-phishing email may arrive in an employee's inbox, posing as a trusted source. Clicking on the embedded link directs them to a counterfeit website where hackers collect their login credentials.

While MFA should ideally prevent these attacks by requiring an additional authentication factor, hackers can employ a technique known as '2FA pass-on.' Once the victim enters their credentials on the fake site, the attacker promptly enters the same details on the legitimate site. This triggers a legitimate MFA request, which the victim anticipates and readily approves, unwittingly granting the attacker complete access.

This is a common tactic for threat groups such as _Storm-1167_, who are known for crafting fake Microsoft authentication pages to harvest credentials. They also create a second phishing page that mimics the MFA step of the Microsoft login process, prompting the victim to put in their MFA code and grant the attackers access. From there, they gain access to a legitimate email account and can use it as a platform for a multi-stage phishing attack.

**2\. MFA prompt bombing**

This tactic takes advantage of the push notification feature in modern authentication apps. After compromising a password, attackers attempt to login which sends an MFA prompt to the legitimate user's device. They rely on the user either mistaking it for a genuine prompt and accepting it or becoming frustrated with continuous prompts and accepting one to stop the notifications. This technique, known as MFA prompt bombing, poses a significant threat.

In a notable incident, hackers from the _0ktapus_ group compromised an Uber contractor's login credentials through SMS phishing, then continued with the authentication process from a machine they controlled and immediately requested a multi-factor authentication (MFA) code. They then impersonated an Uber security team member on Slack, convincing the contractor to accept the MFA push notification on their phone.

**3\. Service desk attacks**

Attackers deceive helpdesks into bypassing MFA by feigning password forgetfulness and gaining access through phone calls. If service desk agents fail to enforce proper verification procedures, they may unknowingly grant hackers an initial entry point into their organization's environment. A recent example was the MGM Resorts attack, where the _Scattered Spider_ hacker group fraudulently contacted the service desk for a password reset, giving them a foothold to log in and launch a ransomware attack.

Hackers also try to exploit recovery settings and back-up procedures by manipulating service desks to circumvent MFA. _0ktapus_ have been known to resort to targeting an organization's service desk if their MFA prompt bombing proves unsuccessful. They'll contact service desks claiming their phone is inoperable or lost, then request to enroll in a new, attacker-controlled MFA authentication device. They can then exploit the organization's recovery or backup process by getting a password reset link sent to the compromised device. Concerned about service desk security gaps? Learn how to secure yours.

**4\. SIM swapping**

Cybercriminals understand MFA often relies on cell phones as a means of authentication. They can exploit this with a technique called a 'SIM swap', where hackers deceive service providers into transferring a target's services to a SIM card under their control. They can then effectively take over the target's cell service and phone number, letting them intercept MFA prompts and gain unauthorized access to accounts.

After an incident in 2022, Microsoft published a report detailing the tactics employed by the threat group _LAPSUS$_. The report explained how _LAPSUS$_ dedicates extensive social engineering campaigns to gaining initial footholds in target organizations. One of their favored techniques is targeting users with SIM-swapping attacks, along with MFA prompt bombing, and resetting a target's credentials through help desk social engineering.

**You can't fully rely on MFA – password security still matters**

This wasn't an exclusive list of ways to bypass MFA. There are several others ways too, including compromising endpoints, exporting generated tokens, exploiting SSO, and finding unpatched technical deficiencies. It's clear that setting up MFA doesn't mean organizations can forget about securing passwords altogether.

Account compromise still often starts with weak or compromised passwords. Once an attacker obtains a valid password, they can then shift their focus towards bypassing the MFA mechanism. Even a strong password can't protect users if it's been compromised through a breach or password reuse. And for most organizations, going fully passwordless won't be a practical option.

With a tool like Specops Password Policy, you can enforce robust Active Directory password policies to eliminate weak passwords and continuously scan for compromised passwords resulting from breaches, password reuse, or being sold after a phishing attack. This ensures that MFA serves as an additional layer of security as intended, rather than being solely relied upon as a silver-bullet solution. If you're interested in exploring how Specops Password Policy can fit with your organization's specific needs, please contact us.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

4 Ways Hackers use Social Engineering to Bypass MFA

“This eruption of violence had been brewing for years, through successive economic collapses, pandemics, and the utter dysfunction that had become American life.” An exclusive excerpt from 2054: A Novel.

2054, Part VI: Standoff at Arlington

Microsoft said it's introducing Sudo for Windows 11 as part of an early preview version to help users execute commands with administrator privileges.
"Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session," Microsoft Product Manager Jordi Adoumie said.
"It is an ergonomic and familiar solution for users who want to elevate a command

Operating System / Technology

Microsoft said it's introducing Sudo for Windows 11 as part of an early preview version to help users execute commands with administrator privileges.

"Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session," Microsoft Product Manager Jordi Adoumie said.

"It is an ergonomic and familiar solution for users who want to elevate a command without having to first open a new elevated console."

Sudo, short for superuser do, is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, usually a user with elevated permissions (e.g., administrator).

The feature is available for Windows 11 builds 26045 and later. It can be enabled by heading to Settings > System > For Developers, and setting "Enable sudo" to On.

Sudo for Windows comes with three options: run applications in a new elevated console window, run the elevated process in the current window but with the input stream (stdin) closed, and in inline mode.

"The inline configuration option runs the elevated process in the current window and the process is able to receive input from the current console session," Redmond warns in its documentation.

"An unelevated process can send input to the elevated process within the same console windows or get information from the output in the current windows in this configuration."

Microsoft said it's also in the process of open-sourcing the project on GitHub, urging other users to contribute to the initiative as well as report issues and file feature requests.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Introduces Linux-Like 'sudo' Command to Windows 11

Two researchers have improved a well-known technique for lattice basis reduction, opening up new avenues for practical experiments in cryptography and mathematics.

_The original version of_ _this story_ _appeared in_ Quanta Magazine_._

In our increasingly digital lives, security depends on cryptography. Send a private message or pay a bill online, and you’re relying on algorithms designed to keep your data secret. Naturally, some people want to uncover those secrets—so researchers work to test the strength of these systems to make sure they won’t crumble at the hands of a clever attacker.

One important tool in this work is the LLL algorithm, named after the researchers who published it in 1982—Arjen Lenstra, Hendrik Lenstra Jr. and László Lovász. LLL, along with its many descendants, can break cryptographic schemes in some cases; studying how they behave helps researchers design systems that are less vulnerable to attack. And the algorithm’s talents stretch beyond cryptography: It’s also a useful tool in advanced mathematical arenas such as computational number theory.

Over the years, researchers have honed variants of LLL to make the approach more practical—but only up to a point. Now, a pair of cryptographers have built a new LLL-style algorithm with a significant boost in efficiency. The new technique, which won the Best Paper award at the 2023 International Cryptology Conference, widens the range of scenarios in which computer scientists and mathematicians can feasibly use LLL-like approaches.

“It was really exciting,” said Chris Peikert, a cryptographer at the University of Michigan who was not involved in the paper. The tool has been the focus of study for decades, he said. “It’s always nice when a target that has been worked on for so long … shows that there’s still surprises to be found.”

LLL-type algorithms operate in the world of lattices: infinite collections of regularly spaced points. As one way of visualizing this, imagine you’re tiling a floor. You could cover it in square tiles, and the corners of those tiles would make up one lattice. Alternatively, you could choose a different tile shape—say, a long parallelogram—to create a different lattice.

A lattice can be described using its “basis.” This is a set of vectors (essentially, lists of numbers) that you can combine in different ways to get every point in the lattice. Let’s imagine a lattice with a basis consisting of two vectors: \[3, 2\] and \[1, 4\]. The lattice is just all the points you can reach by adding and subtracting copies of those vectors.

That pair of vectors isn’t the lattice’s only basis. Every lattice with at least two dimensions has infinitely many possible bases. But not all bases are created equal. A basis whose vectors are shorter and closer to right angles with one another is usually easier to work with and more useful for solving some computational problems, so researchers call those bases “good.” An example of this is the pair of blue vectors in the figure below. Bases consisting of longer and less orthogonal vectors—like the red vectors—can be considered “bad.”

Illustration: Merrill Sherman/Quanta Magazine

  
This is a job for LLL: Give it (or its brethren) a basis of a multidimensional lattice, and it’ll spit out a better one. This process is known as lattice basis reduction.

What does this all have to do with cryptography? It turns out that the task of breaking a cryptographic system can, in some cases, be recast as another problem: finding a relatively short vector in a lattice. And sometimes, that vector can be plucked from the reduced basis generated by an LLL-style algorithm. This strategy has helped researchers topple systems that, on the surface, appear to have little to do with lattices.

In a theoretical sense, the original LLL algorithm runs quickly: The time it takes to run doesn’t scale exponentially with the size of the input—that is, the dimension of the lattice and the size (in bits) of the numbers in the basis vectors. But it does increase as a polynomial function, and “if you actually want to do it, polynomial time is not always so feasible,” said Léo Ducas, a cryptographer at the national research institute CWI in the Netherlands.

In practice, this means that the original LLL algorithm can’t handle inputs that are too large. “Mathematicians and cryptographers wanted the ability to do more,” said Keegan Ryan, a doctoral student at the University of California, San Diego. Researchers worked to optimize LLL-style algorithms to accommodate bigger inputs, often achieving good performance. Still, some tasks have remained stubbornly out of reach.

The new paper, authored by Ryan and his adviser, Nadia Heninger, combines multiple strategies to improve the efficiency of its LLL-style algorithm. For one thing, the technique uses a recursive structure that breaks the task down into smaller chunks. For another, the algorithm carefully manages the precision of the numbers involved, finding a balance between speed and a correct result. The new work makes it feasible for researchers to reduce the bases of lattices with thousands of dimensions.

Past work has followed a similar approach: A 2021 paper also combines recursion and precision management to make quick work of large lattices, but it worked only for specific kinds of lattices, and not all the ones that are important in cryptography. The new algorithm behaves well on a much broader range. “I’m really happy someone did it,” said Thomas Espitau, a cryptography researcher at the company PQShield and an author of the 2021 version. His team’s work offered a “proof of concept,” he said; the new result shows that “you can do very fast lattice reduction in a sound way.”

The new technique has already started to prove useful. Aurel Page, a mathematician with the French national research institute Inria, said that he and his team have put an adaptation of the algorithm to work on some computational number theory tasks.

LLL-style algorithms can also play a role in research related to lattice-based cryptography systems designed to remain secure even in a future with powerful quantum computers. They don’t pose a threat to such systems, since taking them down requires finding shorter vectors than these algorithms can achieve. But the best attacks researchers know of use an LLL-style algorithm as a “basic building block,” said Wessel van Woerden, a cryptographer at the University of Bordeaux. In practical experiments to study these attacks, that building block can slow everything down. Using the new tool, researchers may be able to expand the range of experiments they can run on the attack algorithms, offering a clearer picture of how they perform.

_Original story_ _reprinted with permission from_ Quanta Magazine, _an editorially independent publication of the_ _Simons Foundation_ _whose mission is to enhance public understanding of science by covering research developments and trends in mathematics and the physical and life sciences._

A Celebrated Cryptography-Breaking Algorithm Just Got an Upgrade

In the Samly package before 1.4.0 for Elixir, `Samly.State.Store.get_assertion/3` can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry.

**Samly access control vulnerability**

Moderate severity GitHub Reviewed Published Feb 11, 2024 to the GitHub Advisory Database • Updated Feb 12, 2024

GHSA-h3rw-77w7-92gf: Samly access control vulnerability

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."

**Ghost has possible Cross-site Scripting issue**

Moderate severity GitHub Reviewed Published Feb 11, 2024 to the GitHub Advisory Database • Updated Feb 12, 2024

Tag

#git