IEEE Cipher --- Items from security-related news (E187)
Prior news summaries from Cipher
Summary:
Nvidia's sales of its H20 AI chips to China were halted by US
government policy earlier this year, but were permitted in July, in
conjunction with a new policy that recommended that the chips have
backdoors for location tracking. That caused the Cyberspace
Administration of China to summon Nvidia to a meeting to explain its
plans for compliance with the policy. Nvidia issued a statement
saying "Cybersecurity is critically important to us. Nvidia does not
have 'backdoors' in our chips that would give anyone a remote way to
access or control them."
China needs Nvidia chips for its AI businesses, and the article predicts that China will not introduce regulatory restrictions that would prevent companies from using Nvidia products. In fact, recent news says that Alibaba and Nvidia have announced a partnership: Alibaba shares leap on Nvidia partnership, data center plans
Summary:
Cybersecurity is becoming more important due to the potent combination
of AI and cyberattacks that has been developing over the past few years.
Palo Alto Networks' acquisition of CyberArk demonstrates how
security companies are widening their toolset to provide more
comprehensive protection for their clients. This deal, valued at
$25B, brings expertise in "privileged access management" to Palo Alto Networks' customers. Some analysts have expressed concern about how the
new technology will be merged into the acquirer's infrastructure.
Imtiaz Koujalgi, Roth Capital Partners' managing director of software research,
opines: "Also, Palo Alto talks about integrating its acquisitions into its platform, but given the scale of CyberArk and installed base that could be a challenge."
Summary:
This article shows how difficult it can be for a global business to
provide a product to the US without relying on foreign workers.
Microsoft's cloud-based SharePoint systems are widely used, and the US
Department of Defense is a customer. Microsoft's team for maintaining
the software includes workers in China (under the supervision of US
managers). This became a cause for concern after Microsoft attributed
a serious zero-day hack to Chinese hackers. The Department of Defense
wants to know more about the risks of maintaining critical software within
the borders of a foreign country. Did the hackers benefit from
information obtained by Microsoft employees in China? How much risk
does this raise? For its part, Microsoft said they were in the
process of moving the software maintenance tasks to the US.
Summary:
The European Telecommunications Standards Institute (ETSI) developed
an encryption algorithm a few years ago that is used around the world
for protecting sensitive information for critical infrastructure and
law enforcement and military organizations. Dutch researchers
found a serious flaw in that algorithm in 2023, and ETSI responded
by endorsing an end-to-end encryption scheme to be run 'on top of' the
original scheme. Because the algorithms are proprietary, there has been
no public examination of them. The researchers reverse engineered the
schemes that were baked into a radio made by Sepura.
The problems with the encryption security arise from how the keys are altered before being used in the algorithm. In one case the initial 80-bit key was reduced to 32 bits before use, and in another, an 80-bit key was reduced to 56 bits. ETSI said that they do not dictate the way keys are handled --- "The choice of encryption algorithm and key is made between supplier and customer organisation, and ETSI has no input to this selection". In some cases, the key length is reduced to meet export control requirements. However, it seems that many purchasers, including US critical infrastructure companies, are unaware of key length reduction and its effect on security.
Summary:
The intrusion campaign known as Salt Typhoon was uncovered last year. Chinese
hackers were able to access telecommunications infrastructure equipment
worldwide and collect call information, going undetected for months
at the least. An investigation into the scope of the problem
showed that the penetration was shockingly widespread, leading
to a joint report by several governments:
Joint Cybersecurity Advisory Countering Chinese State-Sponsored Actors
Compromise of Networks Worldwide to Feed Global Espionage System.
The investigation found that attackers were able to take full
advantage of several vulnerabilities in telecommunications software
to collect customer information and to obscure the artifacts of
the intrusion by altering logs and authentication lists.
It seems reasonable to assume that anyone in the US who used phone service in 2024 would have had that information swept up by the intruders. The calling patterns could reveal business and personal relationships for most of the US population, and that would be a treasure trove for social network analysts. That information could feed into espionage strategies, phishing scams, and much more.
Summary:
The National Institute of Standards and Technology announced grants
under their NICE program which is intended to "Prepare, grow, and
sustain a cybersecurity workforce that safeguards and promotes
America's national security and economic prosperity." The grants went
to 13 organizations to let them create "Regional Alliances and
Multistakeholder Partnerships to Stimulate (RAMPS)" that will build
cybersecurity workforce and education initiatives. NIST estimates
that the US currently has job openings for a half million
cybersecurity workers, but only 75% of those jobs can be filled
by the existing workforce.