BioTone ZKI

194 posts


@AutoPilotCyber

Post-PKI Zero Knowledge Infrastructure + LangChain AI to automate cyber security, eliminating 95% of cyber attacks due to human errors, burnout & skills gap.

Joined March 2024
108 Following, 21 Followers

BioTone ZKI retweeted
Tuta @TutaPrivacy
Let's not make life easy for them 😉 Use post-quantum encryption 🔒 👉 tuta.com/blog/post-quan…

BioTone ZKI retweeted
MG @_MG_
For anyone worrying about this, I’d like to hear how you were already handling a near identical attack that didn’t require this vuln:
- steal Yubikey
- login
- returns key WITHOUT cloning it, because 1 session is enough for most objectives

Same attack flow. If that wasn’t already part of your threat model, why is this? If it was part of your threat model, how do your existing defenses not already handle the vuln? (I can think of a few, but none that apply to most of the people who are concerned)

This should change very little for most people.

Ars Technica @arstechnica

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel arstechnica.com/?p=2046777


BioTone ZKI retweeted
mjos\dwez @m-jos.bsky.social @mjos_crypto
In October I will be trying to "sell" the Keccak instruction at RISC-V Summit😁 Those who know the PQC standards know why (it is relatively even more of a bottleneck when you have vector registers, which speed up NTT tremendously, but SHAKE hardly at all.)

BioTone ZKI retweeted
Google Cloud Security @GoogleCloudSec
The new Post Quantum Cryptography standards were just released by @NIST. Today marks a major milestone in keeping information on the Internet secure and confidential! See how @Google is using #PQC, and how organizations can adopt these new standards. security.googleblog.com/2024/08/post-q…

BioTone ZKI retweeted
Nick Sullivan @grittygrease
It’s here! After 9 years of work, the National Institute of Standards and Technology (NIST) has published its first three standards for post-quantum cryptography.

Meet the standards:
FIPS 203: ML-KEM, intended as the primary standard for general encryption
FIPS 204: ML-DSA, intended as the primary standard for protecting digital signatures
FIPS 205: SLH-DSA, intended as a backup method in case ML-DSA proves vulnerable

“In 2015, NIST initiated the selection and standardization of quantum-resistant algorithms to counter potential threats from quantum computers. After assessing 82 algorithms from 25 countries, the top 15 were identified with global cryptographers' assistance. These were categorized into finalists and alternative algorithms, with draft standards released in 2023. Cybersecurity experts are now encouraged to incorporate these new algorithms into their systems.”

nist.gov/news-events/ne…

BioTone ZKI @AutoPilotCyber
@UK_Daniel_Card @NCSC Thanks for emphasizing PROTECT. It seems as if the marketing budgets for this important part of the NIST CSF are no match for the DETECT parts.

BioTone ZKI retweeted
mRr3b00t @UK_Daniel_Card
Reminder if you are on a board of an organisation please ensure that you are discussing, planning and preparing on how to both PROTECT and RESPOND to cyber threats: There's loads of guidance from the @NCSC and cool toolset like Exercise in a Box ncsc.gov.uk/information/ex…

BioTone ZKI retweeted
Craig Rowland - Agentless Linux Security
Many people know SSH is encrypted, but this doesn’t mean using a password with it is safe. The encryption only protects a password in transit from an eavesdropper. It does not protect your password if the remote system is compromised. It can be saved off in cleartext.

BioTone ZKI retweeted
Eric Geller @ericgeller
"To this day," Thompson notes, "we still do not know how the threat actor accessed the signing key."

BioTone ZKI retweeted
Eric Geller @ericgeller
Re: the stolen signing key, Thompson says, "Microsoft's explanations about why the key was still active in 2023 and why it worked for both consumer and enterprise accounts have not been competent."

BioTone ZKI retweeted
🇷🇴 cristi @CristiVlad25
What happens when devs forget to modify the secret key... This is from a recent pentest for a client. This misconfiguration compromised the password reset feature. #pentesting #appsec #cybersecurity #infosec

BioTone ZKI retweeted
LetsDefend @LetsDefendIO
Basic Cryptography Cheat Sheet

BioTone ZKI retweeted
Joe Weisenthal @TheStalwart
"ASML reassured officials about its ability to remotely disable the machines when the Dutch government met with the company on the threat, two others said." bloomberg.com/news/articles/…

BioTone ZKI retweeted
Andy Greenberg (@agreenberg at the other places)
The hacker group Cyber Army of Russia has sabotaged multiple US water utilities, and has ties to the GRU’s notorious Sandworm unit. They also talk a lot. So I asked for an interview and spent two weeks chatting with their spokesperson “Julia.” wired.com/story/cyber-ar…

BioTone ZKI retweeted
Elizabeth Wharton @LawyerLiz
Thx Richard w/ @AirCanada & @caseyjohnellis w/ @Bugcrowd for joining me to share insights on keeping bugs (vulns) off planes. Cooperation + collaboration across teams w/in airlines = results. @SecureAerospace #RSAC

Aerospace Village @SecureAerospace

Amazing session happening at #RSAC “Bugs on a Plane: Implementing a Bug Bounty in an Airline IT/OT Environment” Great job by @LawyerLiz & @caseyjohnellis #aerospacevillage
