Security News
A senior research scientist at Google has devised new CPU attacks to exploit a vulnerability dubbed Downfall that affects multiple Intel microprocessor families and allows stealing passwords, encryption keys, and private data like emails, messages, or banking info from users that share the same computer. Moghimi developed two Downfall attack techniques, Gather Data Sampling - which is also the name Intel uses to refer to the issue and Gather Value Injection - which combines GDS with the Load Value Injection technique disclosed in 2020.
Encryption is vital for securing data, whether in transit or stored on devices. ALGORITHM REQUIREMENTS. Ciphers that are proven, standard, highly tested and free of patent encumbrances must be used as the basis for encrypting devices and communications.
The Data Encryption Policy's purpose is to define for employees, computer users and IT department staff the encryption requirements to be used on all computer, device, desktop, laptop, server, network storage and storage area network disks, and drives that access or store organization information to prevent unauthorized access to organization communications, email, records, files, databases, application data and other material. This policy from TechRepublic Premium can be customized as needed to fit the needs of your organization.
A new security vulnerability has been discovered in AMD's Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords. Discovered by Google Project Zero researcher Tavis Ormandy, the flaw - codenamed Zenbleed and tracked as CVE-2023-20593 - allows data exfiltration at the rate of 30 kb per core, per second.
Google has announced that it intends to add support for Message Layer Security to its Messages service for Android and open source implementation of the specification. "Like the widely used Double Ratchet protocol, MLS allows for asynchronous operation and provides advanced security features such as post-compromise security. And, like TLS 1.3, MLS provides robust authentication."
Cisco warned customers today of a high-severity vulnerability impacting some data center switch models and allowing attackers to tamper with encrypted traffic.Tracked as CVE-2023-20185, the flaw was found during internal security testing in the ACI Multi-Site CloudSec encryption feature of data center Cisco Nexus 9000 Series Fabric Switches.
The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. Launched in 2022 and a successor of the Bobik botnet, the attack tool is designed for staging distributed denial-of-service attacks against targets primarily located in Europe as well as Australia, Canada, and Japan.
Apple has joined the rapidly growing chorus of tech organizations calling on British lawmakers to revise the nation's Online Safety Bill - which for now is in the hands of the House of Lords - so that it safeguards strong end-to-end encryption. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk."
It won't be until Slack offers E2EE as well as blocking, muting and reporting features to help protect users from harassment, they claim. "Millions of people use Slack every day to do their work, volunteer, and connect with communities online - including abortion funds and reproductive rights groups that are being targeted by anti-abortion efforts," Caitlin Seeley George, Fight for the Future's campaigns and managing director, told The Register.
A new-ish messaging service that claims to put users' privacy first has changed its tune - and the end-to-end encryption claims on its website - as well as pulling its app from both the Apple and Google app stores after being called out online. Converso - a comms app launched in September 2022 - billed itself as a "Next-generation messaging app that keeps your conversations completely private." This, according to the developer's website, included "Proprietary state-of-the-art end-to-end encryption technology," no storage of messages on servers, and "Absolutely no use of user data." It claimed it could stand up to the likes of Signal and WhatsApp in the security stakes.