IEEE Cipher --- Items from security-related news (E187)





Prior news summaries from Cipher



  • Do AI Chips Phone Home?
    Nvidia says its chips have no 'backdoors' after China flags H20 security concerns
    Publisher: Reuters
    Date: July 31, 2025

    Summary:
    Nvidia's sales of its H2O AI chips to China were halted by US government policy earlier this year, but were permitted in July, in conjunction with a new policy that recommended that the chips have backdoors for location tracking. That caused the Cyberspace Administration of China to summon Nvidia to a meeting to explain its plans for compliance with the policy. Nvidia issued a statement saying "Cybersecurity is critically important to us. Nvidia does not have 'backdoors' in our chips that would give anyone a remote way to access or control them."

    China needs Nvidia chips for its AI businesses, and the article predicts that China will not introduce regulatory restrictions that will prevent companies from using Nvidia products. In fact, recent news says that Alibaba and Nvidia has announced a partnership: Alibaba shares leap on Nvidia partnership, data center plans


  • Cybersecurity Company Eats So That It Can Grow
    Palo Alto's $25 billion deal for CyberArk targets rising AI-driven threats
    Publisher: Reuters
    Date: July 30, 2025
    By: Kritika Lamba and Aditya Soni

    Summary:
    Cybersecurity is becoming more important due to the potent combination of AI and cyberattacks that has been developing over the past few years. Palo Alto Network's acquisition of CyberArk demonstrates how security companies are widening their toolset to provide more comprehensive protection for their clients. This deal, valued at $25B, brings expertise in "privileged access management" to Palo Alto Network's customers. Some analysts have expressed concern about how the new technology will be merged into the acquirer's infrastructure. Imtiaz Koujalgi, Roth Capital Partners' managing director of software research. opines: "Also, Palo Alto talks about integrating its acquisitions into its platform, but given the scale of CyberArk and installed base that could be a challenge."


  • Hens Hiring Foxes
    Microsoft Used China-Based Engineers to Support Product Recently Hacked by China
    Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software but didn't mention that it has long used China-based engineers to maintain the product.
    Publisher: Pro Publica
    Date: August 1, 2025
    By: Renee Dudley

    Summary:
    This article shows how difficult it can be for a global business to provide a product to the US without relying on foreign workers. Microsoft's cloud-based SharePoint systems are widely used, and the US Department of Defense is a customer. Microsoft's team for maintaining the software includes workers in China (under the supervision of US managers). This became a cause for concern after Microsoft attributed a serious zero-day hack to Chinese hackers. The Department of Defense wants to more about the risks of maintaining critical software within the borders of a foreign country. Did the hackers benefit from information obtained by Microsoft employees in China? How much risk does this raise? For its part, Microsoft said they were in the process of moving the software maintenance tasks to the US.


  • Long Key Made Short --- Shades of DES
    Encryption Made for Police and Military Radios May Be Easily Cracked
    Researchers found that an encryption algorithm likely used by law enforcement and special forces can have weaknesses that could allow an attacker to listen in.
    Publisher: Wired
    Date: Aug 7, 2025
    By: Kim Zetter

    Summary:
    The European Telecommunications Standards Institute (ETSI) developed an encryption algorithm a few years ago that is used around the world for protecting sensitive information for critical infrastructure and law and enforcement and military organizations. Dutch researchers found a serious flaw in that algorithm in 2023, and ETSI responded by endorsing an end-to-encryption scheme to be run 'on top of' the original scheme. Because the algorithms are proprietary, there has been no public examination of them. The researchers reversed engineered the schemes that were baked into a radio made by Sepura.

    The problems with the encryption security arise from how the keys are altered before being used in the algorithm. In one case the initial 80-bit key was reduced to 32 bits before use, and in another, an 80-bit key was reduced to 56 bits. ETSI said that they do not dictate the way keys are handled --- "The choice of encryption algorithm and key is made between supplier and customer organisation, and ETSI has no input to this selection". In some cases, the key length is reduced to meet export control requirements. However, it seems that many purchasers, including US critical infrastructure companies, are unaware of key length reduction and its affect on security.


  • The EoE (Everyone on Earth) Database?
    'Unrestrained' Chinese Cyberattackers May Have Stolen Data From Almost Every American
    Information collected during the yearslong Salt Typhoon attack could allow Beijing's intelligence services to track targets from the United States and dozens of other countries.
    Publisher: New York Times
    Date: Sept. 4, 2025
    By: Adam Goldman

    Summary:
    The exploit known as Salt Typhoon was uncovered last year. Chinese hackers were able to access telecommunications infrastructure equipment worldwide and collect call information without detection for at least months. An investigation into the scope of the problem showed that the penetration was shockingly widespread, leading to a joint report by several governments: Joint Cybersecurity Advisory Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. The investigation found that attackers were able to take full advantage of several vulnerabilities in telecommunications software to collect customer information and to obscure the artifacts of the intrusion by altering logs and authentication lists.

    It seems reasonable to assume that anyone in the US who used phone service in 2024 would have had that information swept up by the intruders. The calling patterns could reveal business and personal relationships for most of the US population, and that would be a treasure trove for social network analysts. That information could feed into espionage strategies, phishing scams, and much more.


  • NICE Money
    NIST Awards More Than $3 Million to Support Cybersecurity Workforce Development Across 13 States
    Publisher: NIST
    Date: September 17, 2025

    Summary:
    The National Institute of Science and Technology announced grants under their NICE program which is intended to "Prepare, grow, and sustain a cybersecurity workforce that safeguards and promotes America's national security and economic prosperity." The grants went to 13 organizations to let them create "Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS)" that will build cybersecurity workforce and education initiatives. NIST estimates that the US currently has job openings for a half million cybersecurity workers, but only 75% of those jobs can be filled by the existing workforce.