CyberSecurity news
FlagThis - #cryptography
|
@securelist.com
//
Developers using the AI-powered coding assistant Cursor have fallen victim to a sophisticated crypto heist, losing an estimated $500,000. The incident involved a malicious extension, disguised as a legitimate tool for Solidity developers, which was distributed through the Open VSX marketplace. This marketplace, which serves as a source for extensions for AI development tools like Cursor, does not undergo the same stringent security checks as other marketplaces, creating a vulnerability that attackers exploited. The fake extension, titled "Solidity Language," managed to gain tens of thousands of downloads, likely boosted by bot activity, and successfully deceived even experienced users.
The malicious extension operated by silently executing PowerShell scripts and installing remote access tools on the victim's computer. Upon installation, the extension contacted a command-and-control server to download and run these harmful scripts. The attackers then leveraged the installed remote access application, ScreenConnect, to gain full control of the compromised system. This allowed them to upload additional malicious payloads, specifically targeting the developer's crypto wallet passphrases and ultimately siphoning off approximately $500,000 in cryptocurrency assets. The attackers also employed algorithm tricks to ensure the malicious extension ranked highly in search results, further increasing its visibility and the likelihood of it being downloaded by unsuspecting developers. This incident highlights a growing trend of attacks that leverage vulnerabilities within the open-source software ecosystem. While the Solidity Language extension itself offered no actual functionality, its deceptive appearance and elevated search ranking allowed it to trick users into installing malware. Security experts are urging developers to exercise extreme caution when installing extensions, emphasizing the importance of verifying extension authors and using robust security tools. The weaponization of AI-enhanced development tools serves as a stark reminder that the very tools designed to enhance productivity can be turned into vectors for significant financial loss if not handled with the utmost security awareness. Recommended read:
References :
@medium.com
//
The Post-Quantum Cryptography Coalition (PQCC) has recently published a comprehensive roadmap designed to assist organizations in transitioning from traditional cryptographic systems to quantum-resistant alternatives. This strategic initiative comes as quantum computing capabilities rapidly advance, posing a significant threat to existing data security measures. The roadmap emphasizes the importance of proactive planning to mitigate long-term risks associated with cryptographically relevant quantum computers. It is structured into four key implementation categories: Preparation, Baseline Understanding, Planning and Execution, and Monitoring and Evaluation.
The roadmap offers detailed steps for organizations to customize their adoption strategies, regardless of size or sector. Activities include inventorying cryptographic assets, assigning migration leads, prioritizing systems for upgrades, and aligning stakeholders across technical and operational domains. Furthermore, it underscores the urgency of Post-Quantum Cryptography (PQC) adoption, particularly for entities managing long-lived or sensitive data vulnerable to "harvest now, decrypt later" attacks. Guidance is also provided on vendor engagement, creating a cryptographic bill of materials (CBOM), and integrating cryptographic agility into procurement and system updates. In related advancements, research is focusing on enhancing the efficiency of post-quantum cryptographic algorithms through hardware implementations. A new study proposes a Modular Tiled Toeplitz Matrix-Vector Polynomial Multiplication (MT-TMVP) method for lattice-based PQC algorithms, specifically designed for Field Programmable Gate Arrays (FPGAs). This innovative approach significantly reduces resource utilization and improves the Area-Delay Product (ADP) compared to existing polynomial multipliers. By leveraging Block RAM (BRAM), the architecture also offers enhanced robustness against timing-based Side-Channel Attacks (SCAs), making it a modular and scalable solution for varying polynomial degrees. This combined with hybrid cryptographic models is a practical guide to implementing post quantum cryptography using hybrid models for TLS, PKI, and identity infrastructure. Recommended read:
References :
@quantumcomputingreport.com
//
The rapid advancement of quantum computing poses a significant threat to current encryption methods, particularly RSA, which secures much of today's internet communication. Google's recent breakthroughs have redefined the landscape of cryptographic security, with researchers like Craig Gidney significantly lowering the estimated quantum resources needed to break RSA-2048. A new study indicates that RSA-2048 could be cracked in under a week using fewer than 1 million noisy qubits, a dramatic reduction from previous estimates of around 20 million qubits and eight hours of computation. This shift accelerates the timeline for "Q-Day," the hypothetical moment when quantum computers can break modern encryption, impacting everything from email to financial transactions.
This vulnerability stems from the ability of quantum computers to utilize Shor's algorithm for factoring large numbers, a task prohibitively difficult for classical computers. Google's innovation involves several technical advancements, including approximate residue arithmetic, magic state cultivation, optimized period finding with Ekerå-Håstad algorithms, and yoked surface codes with sparse lookups. These improvements streamline modular arithmetic, reduce the depth of quantum circuits, and minimize overhead in fault-tolerant quantum circuits, collectively reducing the physical qubit requirement to under 1 million while maintaining a relatively short computation time. In response to this threat, post-quantum cryptography (PQC) is gaining momentum. PQC refers to cryptographic algorithms designed to be secure against both classical and quantum attacks. NIST has already announced the first set of quantum-safe algorithms for standardization, including FrodoKEM, a key encapsulation protocol offering a simple design and strong security guarantees. The urgency of transitioning to quantum-resistant cryptographic systems is underscored by ongoing advances in quantum computing. While the digital world relies on encryption, the evolution to AI and quantum computing is challenging the security. Professionals who understand both cybersecurity and artificial intelligence will be the leaders in adapting to these challenges. Recommended read:
References :
@www.microsoft.com
//
IACR News has highlighted recent advancements in post-quantum cryptography, essential for safeguarding data against future quantum computer attacks. A key area of focus is the development of algorithms and protocols that remain secure even when classical cryptographic methods become vulnerable. Among these efforts, FrodoKEM stands out as a conservative quantum-safe cryptographic algorithm, designed to provide strong security guarantees in the face of quantum computing threats.
The adaptive security of key-unique threshold signatures is also under scrutiny. Research presented by Elizabeth Crites, Chelsea Komlo, and Mary Mallere, investigates the security assumptions required to prove the adaptive security of threshold signatures. Their work reveals impossibility results that highlight the difficulty of achieving adaptive security for key-unique threshold signatures, particularly for schemes compatible with standard, single-party signatures like BLS, ECDSA, and Schnorr. This research aims to guide the development of new assumptions and properties for constructing adaptively secure threshold schemes. In related news, Muhammed F. Esgin is offering PhD and Post-Doc positions in post-quantum cryptography, emphasizing the need for candidates with a strong mathematical and cryptography background. Students at Monash University can expect to work on their research from the beginning, supported by competitive stipends and opportunities for teaching assistant roles. These academic opportunities are crucial for training the next generation of cryptographers who will develop and implement post-quantum solutions. Recommended read:
References :
@www.microsoft.com
//
Microsoft is taking a significant step towards future-proofing cybersecurity by integrating post-quantum cryptography (PQC) into Windows Insider builds. This move aims to protect data against the potential threat of quantum computers, which could render current encryption methods vulnerable. The integration of PQC is a critical step toward quantum-resilient cybersecurity, ensuring that Windows systems can withstand attacks from more advanced computing power in the future.
Microsoft announced the availability of PQC support in Windows Insider Canary builds (27852 and above). This release allows developers and organizations to begin experimenting with PQC in real-world environments, assessing integration challenges, performance trade-offs, and compatibility. This is being done in an attempt to jump-start what’s likely to be the most formidable and important technology transition in modern history. The urgency behind this transition stems from the "harvest now, decrypt later" threat, where malicious actors store encrypted communications today, with the intent to decrypt them once quantum computers become capable. These captured secrets, such as passwords, encryption keys, or medical data, could remain valuable to attackers for years to come. By adopting PQC algorithms, Microsoft aims to safeguard sensitive information against this future risk, emphasizing the importance of starting the transition now. Recommended read:
References :
@thecyberexpress.com
//
A critical security vulnerability has been discovered in OpenPGP.js, a widely used JavaScript library that implements the OpenPGP standard for email and data encryption. Tracked as CVE-2025-47934, the flaw allows attackers to spoof both signed and encrypted messages, effectively undermining the trust inherent in public key cryptography. Security researchers from Codean Labs, Edoardo Geraci and Thomas Rinsma, discovered that the vulnerability stems from the `openpgp.verify` and `openpgp.decrypt` functions, and it essentially undermines the core purpose of using public key cryptography to secure communications.
The vulnerability impacts versions 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0 of the OpenPGP.js library. According to an advisory posted on the library's GitHub repository, a maliciously modified message can be passed to one of these functions, and the function may return a result indicating a valid signature, even if the message has not been legitimately signed. This flaw affects both inline signed messages and signed-and-encrypted messages. The advisory also states that to spoof a message, an attacker needs a single valid message signature along with the plaintext data that was legitimately signed. They can then construct a fake message that appears legitimately signed. Users are strongly advised to upgrade to versions 5.11.3 or 6.1.1 as soon as possible to mitigate the risk. Versions 4.x are not affected by the vulnerability. While a full write-up and proof-of-concept exploit are expected to be released soon, the current advisory offers enough details to highlight the severity of the issue. The underlying problem is that OpenPGP.js trusts the signing process without properly verifying it, leaving users open to having signed and encrypted messages spoofed. This vulnerability allows message signature verification to be spoofed. Recommended read:
References :
|