Carbon Chemist

Tag: security

  • A Celebrated Cryptography-Breaking Algorithm Just Got an Upgrade

    A Celebrated Cryptography-Breaking Algorithm Just Got an Upgrade

    [ad_1]

    This is a job for LLL: Give it (or its brethren) a basis of a multidimensional lattice, and it’ll spit out a better one. This process is known as lattice basis reduction.

    What does this all have to do with cryptography? It turns out that the task of breaking a cryptographic system can, in some cases, be recast as another problem: finding a relatively short vector in a lattice. And sometimes, that vector can be plucked from the reduced basis generated by an LLL-style algorithm. This strategy has helped researchers topple systems that, on the surface, appear to have little to do with lattices.

    In a theoretical sense, the original LLL algorithm runs quickly: The time it takes to run doesn’t scale exponentially with the size of the input—that is, the dimension of the lattice and the size (in bits) of the numbers in the basis vectors. But it does increase as a polynomial function, and “if you actually want to do it, polynomial time is not always so feasible,” said Léo Ducas, a cryptographer at the national research institute CWI in the Netherlands.

    tile

    In practice, this means that the original LLL algorithm can’t handle inputs that are too large. “Mathematicians and cryptographers wanted the ability to do more,” said Keegan Ryan, a doctoral student at the University of California, San Diego. Researchers worked to optimize LLL-style algorithms to accommodate bigger inputs, often achieving good performance. Still, some tasks have remained stubbornly out of reach.

    The new paper, authored by Ryan and his adviser, Nadia Heninger, combines multiple strategies to improve the efficiency of its LLL-style algorithm. For one thing, the technique uses a recursive structure that breaks the task down into smaller chunks. For another, the algorithm carefully manages the precision of the numbers involved, finding a balance between speed and a correct result. The new work makes it feasible for researchers to reduce the bases of lattices with thousands of dimensions.

    Past work has followed a similar approach: A 2021 paper also combines recursion and precision management to make quick work of large lattices, but it worked only for specific kinds of lattices, and not all the ones that are important in cryptography. The new algorithm behaves well on a much broader range. “I’m really happy someone did it,” said Thomas Espitau, a cryptography researcher at the company PQShield and an author of the 2021 version. His team’s work offered a “proof of concept,” he said; the new result shows that “you can do very fast lattice reduction in a sound way.”

    The new technique has already started to prove useful. Aurel Page, a mathematician with the French national research institute Inria, said that he and his team have put an adaptation of the algorithm to work on some computational number theory tasks.

    LLL-style algorithms can also play a role in research related to lattice-based cryptography systems designed to remain secure even in a future with powerful quantum computers. They don’t pose a threat to such systems, since taking them down requires finding shorter vectors than these algorithms can achieve. But the best attacks researchers know of use an LLL-style algorithm as a “basic building block,” said Wessel van Woerden, a cryptographer at the University of Bordeaux. In practical experiments to study these attacks, that building block can slow everything down. Using the new tool, researchers may be able to expand the range of experiments they can run on the attack algorithms, offering a clearer picture of how they perform.

    Original story reprinted with permission from Quanta Magazine, an editorially independent publication of the Simons Foundation whose mission is to enhance public understanding of science by covering research developments and trends in mathematics and the physical and life sciences.

    [ad_2]

    Source link

  • I Stopped Using Passwords. It’s Great—and a Total Mess

    I Stopped Using Passwords. It’s Great—and a Total Mess

    [ad_1]

    Using passkeys likely means having a different mindset from how you think about passwords. There’s nothing to remember when you log in, and you have to use something else to store your passkeys. Passkeys can be stored in Apple’s, Google’s or Microsoft’s password manager systems; your browser; a dedicated password manager; or on a physical security key. I created a Google passkey on one USB key, and all I need to do to sign in is, essentially, plug it in. (All of the devices I use professionally and personally are Apple, meaning I haven’t tested passkeys between my iPhone and a Windows laptop, for instance.)

    “The technology is mature, the front ends are still nascent,” Shikiar from the FIDO Alliance says. Over the past year, the FIDO alliance has also been working on user experience guidelines, he says, making it more straightforward for people to sign up and use passkeys across systems. Gary Orenstein, the chief customer officer of password manager Bitwarden, says there are multiple groups involved in the creation and rollout of passkeys, so transitioning to a world where everything is seamless takes coordination. “The standards are at one level, user expectations are at a different level,” he says. “The vendor implementations are at a third level, and they’re merging, but it takes time.”

    Being able to save a passkey on essentially any device makes them more useful and means you aren’t locked in to Google’s, Microsoft’s, or Apple’s ecosystems. However, where you save a passkey is going to take some remembering. When setting up one passkey, I was asked by my password manager, browser, and the device operating system whether I wanted to save my passkey with each of them. Picking one spot and sticking to it is probably the best option.

    Most of my work is done on my laptop—and it’s rare that I download new apps or log out of apps on my phone—so I have been saving the majority of my passkeys in Bitwarden, which costs me $10 a year for a premium account alongside my hundreds of passwords. It works like this: When logging in to my Amazon account, I enter my username, and then Bitwarden’s browser extension pops up asking whether I want to log in with my passkey for Amazon. I press confirm, and I am logged in. It also offers the option to use my device or a hardware key to log in, and if I select one of these options, it looks for passkeys stored on my laptop.

    However, as mentioned, Bitwarden doesn’t currently offer passkeys on mobile, meaning that to get the mobile-first Coinbase integration to work, I ended up saving that passkey to iCloud’s Keychain instead. Orenstein, from Bitwarden, says that making passkeys work on mobile is a priority for Bitwarden and more support should be rolling out in the coming months. The company has seen a “fantastic” adoption of passkeys so far, he says, but acknowledges people will have to get used to the change. “You still need an awareness about where it is,” Orenstein says. “I think, over time, as an industry, we can reduce the need for that awareness, hopefully to zero.”

    The Password’s Long Goodbye

    You may not have set up any passkeys yet, but it’s only a matter of time. Tech companies are starting to make passkeys the default, and more businesses are adopting them. In the past couple of weeks, X has started allowing some people to use passkeys, and WhatsApp is bringing them to iPhones and iPads after previously rolling out passkey support for Android devices.

    Leona Lassak, Blase Ur, and Maximilian Golla, three academics from Germany and the US who have researched the adoption of passkeys, say that businesses they’ve interviewed are generally positive about the adoption of passkeys and the extra security it will bring. However, it will likely take some time until the majority of websites, apps, and companies are using passkeys for everything. “I don’t think we will have a big bang in the next few months,” Lassak says. “It’s going to be a slow process, which on the way will then also catch other and smaller entities.”

    As a result, passwords will still be around for a while. It’ll be a long time until I have converted my remaining 320-ish accounts to be using passkeys. And for the time being at least, those accounts where I do have passkeys will still have existing passwords that I can fall back on. “Passkeys is having fewer passwords, but not necessarily no passwords,” says Golla.

    Experts recommend setting up a few passkeys whenever you come across them on your online accounts, rather than necessarily trying to change them all at once. There are guides to what websites are using passkeys already, and Google, Microsoft, and Apple all have straightforward explanations on how to create passkeys. And there are plenty of benefits to getting started now.

    “They are a true password replacement that eliminate the threat of phishing, eliminate the hassle of password resets, and eliminate the liability that service providers have when they’re managing thousands, tens of thousands, or tens of millions, or billions of passwords,” Shikiar says. “It really is an entirely new way of doing user authentication.”

    [ad_2]

    Source link

  • Ransomware Payments Hit a Record $1.1 Billion in 2023

    Ransomware Payments Hit a Record $1.1 Billion in 2023

    [ad_1]

    A year ago, there seemed to be a glimmer of hope in the cybersecurity industry’s long-running war of attrition against ransomware gangs. Fewer corporate victims of those hackers, it seemed, had paid ransoms in 2022, and cybercriminals were earning less from their ruthless attacks. Perhaps the cocktail of improved security measures, increased focus from law enforcement, international sanctions on the ransomware operators, and scrutiny of the cryptocurrency industry could actually beat the ransomware scourge.

    Well, no. That respite appears to have been a mere hiccup on ransomware’s trajectory to become one of the world’s most profitable, and perhaps the most disruptive, form of cybercrime. In fact, 2023 was its worst year ever.

    On Wednesday, cryptocurrency-tracing firm Chainalysis published new numbers from its annual crime report showing that ransomware payments exceeded $1.1 billion in 2023, based on its tracking of those payments across blockchains. That’s the highest number Chainalysis has measured for a single year, and nearly twice as much as the year before. Indeed, the company now describes 2022’s relatively low $567 million in ransom payments as an “anomaly,” as total extortion transactions have steadily grown since 2020 towards their current 10-figure record.

    “It’s like we’ve picked up right where we left off, the real onslaught during Covid in 2020 and 2021,” says Jackie Burns Koven, head of threat intelligence at Chainalysis. “It feels very gloves-off.”

    That record-breaking $1 billion-plus in extortion payments was a result, in part, of the sheer number of ransomware attacks in 2023. Cybersecurity firm Record Future counted 4,399 ransomware attacks last year, based on news reports and ransomware gangs’ public listings of victims on their dark-web sites, a tactic the groups often use to pressure victims while threatening to release their stolen data. That’s compared to just 2,581 total attacks in 2022 and 2,866 in 2021.

    The spike in the number of attacks appears to have offset a more positive trend: By some counts, fewer victims of ransomware are paying the ransoms that hackers demand. According to data from the incident response firm Coveware, which frequently negotiates with ransomware gangs on behalf of victims, only 29 percent of ransomware victims paid a ransom in the fourth quarter of 2023, a dramatic drop from payment rates between 70 percent and 80 percent for most of 2019 and 2020.

    Even as fewer victims are paying, however, the total sum collected by ransomware gangs is nonetheless growing as more cybercriminals are drawn to a lucrative industry and carry out more attacks. Allan Liska, a threat intelligence analyst at Recorded Future, argues that the highly public nature of ransomware serves as a kind of advertising, constantly pulling in more opportunistic hackers, like sharks who smell blood in the water. “Everybody sees all these ransomware attacks,” Liska says. “Criminals tend to flock to where they see the money being made.”

    Chainalysis notes that the record $1.1 billion in ransoms paid in 2023 was also driven by ransomware hackers demanding larger sums from victims, many of whom were carefully chosen for both their inability to tolerate a crippling attack and their ability to pay—what Chainalysis’ Burns Koven calls “big game hunting.” That resulted in close to 75 percent of ransomware payments’ total value coming from transactions topping the $1 million mark in 2023, compared to just 60 percent in 2021.

    [ad_2]

    Source link

  • The spy balloon saga of 2023 inflated US-China political tensions

    The spy balloon saga of 2023 inflated US-China political tensions

    [ad_1]

    One of the year’s most unexpected controversies exploded after a US fighter jet shot down a Chinese balloon that drifted across North America – it also sparked fears over other unidentified flying objects

    [ad_2]

    Source link