Steve Zurier@scmagazine.com
//
The National Institute of Standards and Technology (NIST) has announced that it will mark all Common Vulnerabilities and Exposures (CVEs) prior to January 1, 2018, as ‘deferred.’ This decision stems from the agency being overwhelmed by the surging volume of newly disclosed vulnerabilities and the agency will no longer prioritize updating National Vulnerability Database (NVD) enrichment for these older CVEs because of their age. This impacts a substantial number of CVEs, with estimates suggesting that over 94,000, or 34% of all CVEs, could be affected by this change. Despite this shift, NIST has stated it will continue to accept and review requests to update the metadata for these CVE records and prioritize updates if new information indicates it's appropriate, as time and resources allow.
This move has sparked concerns within the cybersecurity community. Many prolific cyber incidents have exploited older CVEs, like WannaCry, NotPetya, and the Colonial Pipeline attack. With limited resources, prioritizing newer vulnerabilities might protect a larger number of organizations. However, older vulnerabilities that are on the known exploited vulnerabilities KEV list will continue to be updated and worked on. Experts are also worried about the potential for older CVEs to be revived using new AI-driven exploit techniques. Marc Gaffan, CEO of IONIX, noted the rapid advancement of AI capabilities and the concern that these techniques could catch organizations off guard, leaving them unprepared for re-emerging threats. Jon France, CISO at ISC2, emphasized the importance of keeping software patched and up-to-date. Despite the concerns, NIST's decision reflects the challenges of managing an ever-growing database of vulnerabilities with finite resources. References :
Classification:
@The Cryptography Caffe? ?
//
The UK's National Cyber Security Centre (NCSC) has released a roadmap for transitioning to post-quantum cryptography (PQC), establishing key dates for organizations to assess risks, define strategies, and fully transition by 2035. This initiative aims to mitigate the future threat of quantum computers, which could potentially break today's widely used encryption methods. The NCSC’s guidance recognizes that PQC migration is a complex and lengthy process requiring significant planning and investment.
By 2028, organizations are expected to complete a discovery phase, identifying systems and services reliant on cryptography that need upgrades, and draft a migration plan. High-priority migration activities should be completed by 2031, with infrastructure prepared for a full transition. The NCSC emphasizes that these steps are essential for addressing quantum threats and improving overall cyber resilience. Ali El Kaafarani, CEO of PQShield, noted that these timelines give clear instructions to protect the UK’s digital future. Researchers have also introduced ZKPyTorch, a compiler that integrates ML frameworks with ZKP engines to simplify the development of zero-knowledge machine learning (ZKML). ZKPyTorch automates the translation of ML operations into optimized ZKP circuits and improves proof generation efficiency. Through case studies, ZKPyTorch successfully converted VGG-16 and Llama-3 models into ZKP-compatible circuits. References :
Classification:
|