Security: NIST (Standardising Back Doors), Parching, Alerting, and Typical Microsoft FUD
-
NIST’s Post-Quantum Cryptography Standards [Ed: NIST works for NSA (i.e. back doors) agenda, and this is what NSA Bruce has to say on the topic]
Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit (a quantum bit) to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional computers.
Current quantum computers are still toy prototypes, and the engineering advances required to build a functionally useful quantum computer are somewhere between a few years away and impossible. Even so, we already know that that such a computer could potentially factor large numbers and compute discrete logs, and break the RSA and Diffie-Hellman public-key algorithms in all of the useful key sizes.
Cryptographers hate being rushed into things, which is why NIST began a competition to create a post-quantum cryptographic standard in 2016. The idea is to standardize on both a public-key encryption and digital signature algorithm that is resistant to quantum computing, well before anyone builds a useful quantum computer.
NIST is an old hand at this competitive process, having previously done this with symmetric algorithms (AES in 2001) and hash functions (SHA-3 in 2015). I participated in both of those competitions, and have likened them to demolition derbies. The idea is that participants put their algorithms into the ring, and then we all spend a few years beating on each other’s submissions. Then, with input from the cryptographic community, NIST crowns a winner. It’s a good process, mostly because NIST is both trusted and trustworthy.
In 2017, NIST received eighty-two post-quantum algorithm submissions from all over the world. Sixty-nine were considered complete enough to be Round 1 candidates. Twenty-six advanced to Round 2 in 2019, and seven (plus another eight alternates) were announced as Round 3 finalists in 2020. NIST was poised to make final algorithm selections in 2022, with a plan to have a draft standard available for public comment in 2023.
-
Security updates for Monday [LWN.net]
Security updates have been issued by Debian (chromium, libtirpc, and xorg-server), Fedora (giflib, mingw-giflib, and teeworlds), Mageia (chromium-browser-stable, kernel, kernel-linus, mingw-giflib, osmo, python-m2crypto, and sqlite3), Oracle (httpd, php, vim, virt:ol and virt-devel:ol, and xorg-x11-server), SUSE (caddy, crash, dpkg, fwupd, python-M2Crypto, and trivy), and Ubuntu (gdk-pixbuf, libjpeg-turbo, and phpliteadmin).
-
Red Hat Satellite: How to obtain Insights Advisor recommendations [Ed: Red Hat trying to sell security as a "service"]
Red Hat Insights is a hosted service that analyzes applications and platforms to predict risk and recommend detailed remediation steps. Insights also has the ability to remediate problems automatically with a push of a button.
Red Hat Satellite manages Red Hat Enterprise Linux (RHEL) environments on-premises and in the cloud, helping to ensure that security is up to date while allowing businesses to manage the lifecycle of their hosts with precision.
-
New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack [Ed: Once again the sloppy media tries to blame bad passwords on "Linux" even though that has nothing to do with Linux]
A new IoT botnet malware dubbed RapperBot has been observed rapidly evolving its capabilities since it was first discovered in mid-June 2022.
"This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai," Fortinet FortiGuard Labs said in a report.
-
GwisinLocker A New Ransomware Encrypts Windows and Linux ESXi Servers [Ed: With Windows, back doors exist. With Linux, it's not clear how such malware gets there in the first places, but they try to give an illusion of parity, as if back doors aren't the biggest problem.]
A new ransomware family has been discovered by ReversingLabs’ cybersecurity analysts, which targets specifically Linux-based systems using a range of encryption methods. GwisinLocker is the malware responsible for the attack.