Subj : CRYPTO-GRAM, September 15, 202 Part 1 To : All From : Sean Rima Date : Tue Oct 01 2024 09:52 pm Crypto-Gram September 15, 2024 by Bruce Schneier Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. For back issues, or to subscribe, visit Crypto-Gram's web page. Read this issue on the web These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available. ** *** ***** ******* *********** ************* In this issue: If these links don't work in your email client, try reading this issue of Crypto-Gram on the web. NIST Releases First Post-Quantum Encryption Algorithms New Windows IPv6 Zero-Click Vulnerability The State of Ransomware Hacking Wireless Bicycle Shifters Story of an Undercover CIA Officer who Penetrated Al Qaeda Surveillance Watch Take a Selfie Using a NY Surveillance Camera US Federal Court Rules Against Geofence Warrants The Present and Future of TV Surveillance Matthew Green on Telegram’s Encryption Adm. Grace Hopper’s 1982 NSA Lecture Has Been Published SQL Injection Attack on Airport Security List of Old NSA Training Videos Security Researcher Sued for Disproving Government Statements Long Analysis of the M-209 YubiKey Side-Channel Attack Australia Threatens to Force Companies to Break Encryption New Chrome Zero-Day Evaluating the Effectiveness of Reward Modeling of Generative AI Systems Microsoft Is Adding New Cryptography Algorithms My TedXBillings Talk Upcoming Speaking Engagements ** *** ***** ******* *********** ************* NIST Releases First Post-Quantum Encryption Algorithms [2024.08.15] From the Federal Register: After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+. These algorithms are part of three NIST standards that have been finalized: FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard FIPS 204: Module-Lattice-Based Digital Signature Standard FIPS 205: Stateless Hash-Based Digital Signature Standard NIST press release. My recent writings on post-quantum cryptographic standards. EDITED TO ADD: Good article: One -- ML-KEM [PDF] (based on CRYSTALS-Kyber) -- is intended for general encryption, which protects data as it moves across public networks. The other two -- - ML-DSA [PDF] (originally known as CRYSTALS-Dilithium) and SLH-DSA [PDF] (initially submitted as Sphincs+) -- secure digital signatures, which are used to authenticate online identity. A fourth algorithm -- FN-DSA [PDF] (originally called FALCON) -- is slated for finalization later this year and is also designed for digital signatures. NIST continued to evaluate two other sets of algorithms that could potentially serve as backup standards in the future. One of the sets includes three algorithms designed for general encryption -- but the technology is based on a different type of math problem than the ML-KEM general-purpose algorithm in today’s finalized standards. NIST plans to select one or two of these algorithms by the end of 2024. IEEE Spectrum article. Slashdot thread. ** *** ***** ******* *********** ************* New Windows IPv6 Zero-Click Vulnerability [2024.08.16] The press is reporting a critical Windows vulnerability affecting IPv6. As Microsoft explained in its Tuesday advisory, unauthenticated attackers can exploit the flaw remotely in low-complexity attacks by repeatedly sending IPv6 packets that include specially crafted packets. Microsoft also shared its exploitability assessment for this critical vulnerability, tagging it with an “exploitation more likely” label, which means that threat actors could create exploit code to “consistently exploit the flaw in attacks.” Details are being withheld at the moment. Microsoft strongly recommends patching now. ** *** ***** ******* *********** ************* The State of Ransomware [2024.08.19] Palo Alto Networks published its semi-annual report on ransomware. From the Executive Summary: --- * Origin: High Portable Tosser at my node (21:1/229.1) .