I can’t say WHY I’m looking at bash script vulnerabilities, but they’ve been around since…well, this Kaspersky article is based upon CVE-2014-6271.
“The “bash bug,” also known as the Shellshock vulnerability, poses a serious threat to all users. The threat exploits the Bash system software common in Linux and Mac OS X systems in order to allow attackers to take potentially take control of electronic devices. An attacker can simply execute system level commands, with the same privileges as the affected services….
“But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.”
An authorization nightmare as a hostile non-person entity runs amok.
And it’s still a threat, as two recent CVEs attest…and that’s all I’ll say.
I was working with these sectors back when I was at MorphoTrak.
“There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7.”
Cybersecurity professionals need to align their efforts with those of the U.S. National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE). Download the NCCoE project portfolio, and plan to attend the February 19 webinar. Details below.
“The NIST National Cybersecurity Center of Excellence (NCCoE) is excited to announce the release of our inaugural Project Portfolio, providing an overview of the NCCoE’s research priorities and active projects.”
“The NCCoE serves as a U.S. cybersecurity innovation hub for the technologies, standards, and architectures for today’s cybersecurity landscape.
“Through our collaborative testbeds and hands-on work with industry, we build and demonstrate practical architectures to address real-world implementation challenges, strengthen emerging standards, and support more secure, interoperable commercial products.
“Our trusted, evidence-based guidelines show how organizations can reduce cybersecurity risks and confidently deploy innovative technologies aligned with secure standards.”
Formal and informal collaborations with other entities.
The NCCoE’s four pillars: Data Protection, Trusted Enterprise, Artificial Intelligence, and Resilient Embedded Systems.
The “forming,” “active,” and “concluding” projects within the pillars, with links to each project.
For example, one of the listed AI projects is the Cyber AI Profile:
“Recent advancements in Artificial Intelligence (AI) technology bring great opportunities to organizations, but also new risks and impacts that need to be managed in the domain of cybersecurity. NIST is evaluating how to use existing frameworks, such as the Cybersecurity Framework (CSF), to assist organizations as they face new or expanded risks.”
This group has published its roadmap, including workshops, working sessions, and document drafts.
And if you are a cybersecurity or identity company needing to communicate how your product protects your users, Bredemarket can help you bring your message to your prospects.
Book a free meeting with me and let’s discuss how we can work together.
Here are details on how Bredemarket works: its services, its process, and its pricing.
The French and Germans like each other more than they did in past centuries, but they still compete.
A month ago I wrote about the French company Thales and its efforts to develop a quantum-resistant smartcard called the MultiApp 5.2 Premium PQC. (PQC stands for post-quantum cryptography.)
“In recent months, Bundesdruckerei GmbH and G+D [Giesecke+Devrient] have established a unique technical foundation for this transformation [of the German identity card]. The federal technology company and the international SecurityTech leader jointly initiated the development of a demonstrator together with the German Federal Office for Information Security (BSI), implemented on specialized chips produced by semiconductor manufacturer Infineon.
“Germany’s transition to quantum-secure ID cards will occur in two stages. First, personal data will be protected from forgery using a quantum-resistant digital signature scheme. The second phase will involve a full transition to quantum-secure technology.”
Let’s take a step back from Module-Lattice-Based Digital Signature Standards (NIST FIPS 204) and see what quantum-infused fraudsters can do to bypass your security protections. Your “practically unbreakable” security system today may be wide open in 10 years…or 5 years.
Shor’s Algorithm
To understand how fraud can occur, you need to understand (Peter) Shor’s Factoring Algorithm.
According to Classiq, Shor’s Factoring Algorithm can find the prime factors of any number, including very large numbers.
“Factoring numbers with Shor’s algorithm begins with selecting a random integer smaller than the number to be factored. The classically-calculated greatest common divisor (GCD) of these two numbers, the random number and the target number, is then used to determine whether the target number has already been factored accidentally. For smaller numbers, that’s a possibility. For larger numbers, a supercomputer could be needed. And for numbers that are believed to be cryptographically secure, a quantum computer will be needed.”
So what? I appreciate that people like the late Richard Crandall were into finding prime numbers with 20th century technology, but how does that relate to whether a fraudster can drain my bank account?
Breaking RSA encryption
It definitely relates, according to the MIT Technology Review. This article was written back in 2019.
“[C]omputer scientists consider it practically impossible for a classical computer to factor numbers that are longer than 2048 bits, which is the basis of the most commonly used form of RSA encryption.
“Shor showed that a sufficiently powerful quantum computer could do this with ease, a result that sent shock waves through the security industry.
“And since then, quantum computers have been increasing in power. In 2012, physicists used a four-qubit quantum computer to factor 143. Then in 2014 they used a similar device to factor 56,153.”
The largest recent record number that I found was 261,980,999,226,229, as described in this paper. It should be noted that many of these numbers were factored by a variety of methods: using a pure Shor’s Factoring Algorithm, the maximum number factored so far is 21.
What does this mean?
So what does this mean for 2048-bit encryption? 2048 bits is equivalent to hundreds of decimal digits. I’ve found different numbers of decimal digits, but for all practical purposes I can’t calculate them anyway. Heck, I can’t calculate trillions in my head. And there’s RSA-4096 encryption, but…well, we’ll get to that.
But when quantum calculating abilities can crack algorithms, then it’s trivial to compute the number of combinations to crack an encryption…or guess a password…or generate a face.
“Brute force attacks function by calculating every possible combination of passwords. As the password’s strength increases, the amount of time to crack it increases exponentially. So, in theory, if hackers tried to brute force their way into a key with AES-128 encryption, it would take approximately 1 billion years to crack with the best hardware available today [2023].
“But what if we lived in a post-quantum computing world? How long would a brute-force attack on popular cypher technologies take?…[We’re] likely still a decade or two away from Quantum computers that can easily break many of the cypher technologies in use today….
“[I]n a recently published report from Global Risk Institute (GRI), the time to break RSA-4096, which is practically impossible to break with classical computing technology, is under three days with a theoretical 1 megaqubit computer. While we are still a long way from a 1 megaqubit computer, the resources and time required are reducing rapidly at the same time we see advancements in Quantum computing which are in development.”
I have no idea how much lattice-based access control mitigates these threats, but if you go around saying that strong encryption will never be broken, you are a fool.
In this edition of The Repurposeful Life, I’m revisiting a prior post (“Is the Quantum Security Threat Solved Before It Arrives? Probably Not.“) and extracting just the part that deals with the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 204.
Thales used the NIST “FIPS 204 standard to define a digital signature algorithm for a new quantum-resistant smartcard: MultiApp 5.2 Premium PQC.”
The NIST FIPS 204 standard, “Module-Lattice-Based Digital Signature Standard,” can be found here. This is the abstract:
“Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. ML-DSA is believed to be secure, even against adversaries in possession of a large-scale quantum computer.”
ML-DSA stands for “Module-Lattice-Based Digital Signature Algorithm.”
Now I’ll admit I don’t know a lattice from a vertical fence post, especially when it comes to quantum computing, so I’ll have to take NIST’s word for it that modules and lattice are super-good security.
“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”
You can see how this fits into an access control mechanism, whether you’re talking about a multi-tenant cloud (NordVPN’s example) or a smartcard (Thales’ example).
Because there are some things that Tom Sawyer can access, but Injun Joe must not access.
I’ll confess: there is a cybersecurity threat so…um…threatening that I didn’t even want to think about it.
You know the drill. The bad people use technology to come up with some security threat, and then the good people use technology to thwart it.
That’s what happens with antivirus. That’s what happens with deepfakes.
But I kept on hearing rumblings about a threat that would make all this obsolete.
The quantum threat and the possible 2029 “Q Day”
Today’s Q word is “quantum.”
But with great power comes great irresponsibility. Gartner said it:
“By 2029, ‘advances in quantum computing will make conventional asymmetric cryptography unsafe to use,’ Gartner said in a study.”
Frankly, this frightened me. Think of the possibilities that come from calculation superpowers. Brute force generation of passcodes, passwords, fingerprints, faces, ID cards, or whatever is necessary to hack into a security system. A billion different combinations? No problem.
“The good news is that technology companies, governments and standards agencies are well aware of the deadline. They are working on defensive strategies to meet the challenge — inventing cryptographic algorithms that run not just on quantum computers but on today’s conventional components.
“This technology has a name: post-quantum cryptography.
“There have already been notable breakthroughs. In the last few days, Thales launched a quantum-resistant smartcard: MultiApp 5.2 Premium PQC. It is the first smartcard to be certified by ANSSI, France’s national cybersecurity agency.
“The product uses new generation cryptographic signatures to protect electronic ID cards, health cards, driving licences and more from attacks by quantum computers.”
So what’s so special about the technology in the MultiApp 5.2 Premium PQC?
Thales used the NIST “FIPS 204 standard to define a digital signature algorithm for a new quantum-resistant smartcard: MultiApp 5.2 Premium PQC.”
Google Gemini.
The NIST FIPS 204 standard, “Module-Lattice-Based Digital Signature Standard,” can be found here. This is the abstract:
“Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation since the signatory cannot easily repudiate the signature at a later time. This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. ML-DSA is believed to be secure, even against adversaries in possession of a large-scale quantum computer.”
ML-DSA stands for “Module-Lattice-Based Digital Signature Algorithm.”
Google Gemini.
Now I’ll admit I don’t know a lattice from a vertical fence post, especially when it comes to quantum computing, so I’ll have to take NIST’s word for it that modules and lattice are super-good security.
Certification, schmertification
The Thales technology was then tested by researchers to determine its Evaluation Assurance Level (EAL). The result? “Thales’ product won EAL6+ certification (the highest is EAL7).” (TechTarget explains the 7 evaluation assurance levels here.)
France’s national cybersecurity agency (ANSSI) then certified it.
However…
…remember that certifications mean squat.
For all we know, the fraudsters have already broken the protections in the FIPS 204 standard.
Google Gemini.
And the merry-go-round between fraudsters and fraud fighters continues.
If you need help spreading the word about YOUR anti-fraud solution, quantum or otherwise, schedule a free meeting with Bredemarket.
This may mean nothing. On the one hand, Davidson had been with the company a long time, having joined Oracle in 1988 AFTER a career in the US Navy as a civil engineer. So perhaps she just retired.
Then again, Larry Ellison is 81 years old, so people don’t HAVE to retire.
And it appears that Davidson’s departure wasn’t announced in a press release, but was buried in a June filing.
The one word associated with Davidson is the word “unbreakable.”
“[D]uring a 2002 interview with Businessweek, she described the challenges of making sure the firm’s products lived up to a marketing campaign envisioned by Ellison that touted the company’s products as ‘unbreakable’….She explained at that time, saying, ‘‘Unbreakable’ gives us something to live up to,’ adding, ‘It really does concentrate the mind wonderfully. The general thought is don’t embarrass the company. Nobody wants to be the group that makes us violate it.'”
(And yes, the red glow in the unbreakable oracle in the picture is intentional. If you have ever attended a San Francisco Oracle OpenWorld with hundreds of red and white banners, you’ll understand…)
“The new Sophos logo nods to our history, but it’s reimagined with a shield that represents our defense against cyberattacks. Inside that shield lives the dual strength of Sophos: AI-native technology and world-class human expertise. Together, they create unmatched defense that adapts as fast as threats evolve.”
Oh, and the consultation:
“Our partners are core to our success, and their feedback on the rebrand has been energizing…”
My bet is that Sophos will not have to withdraw this logo, like another logo change that was recently reversed.
Bredemarket 