Quick Intro to Fully Homomorphic Encryption
- The definition is exactly right - Homomorphic Encryption is simply the encryption scheme where one can combine encrypted ciphertexts and obtain interesting computations on the original plaintext in an encrypted form without knowing the actual encryption key.
- This basically means that the encrypted ciphertext looks random and doesn’t provide any hint to its original plaintext, therefore ensuring that this scheme is secure against eavesdropping.
- Namely, this is an instance of Additively Homomorphic Encryption, where one can freely add ciphertexts together and obtain any linear combination of the original plaintexts, in encrypted form.
- If the HE scheme we choose is only partially homomorphic (for example, additively homomorphic), it means that the only thing we can do to the ciphertexts is to obtain an encrypted linear combination of the plaintexts.
SSH Emergency Access
- In this post we'll design a break glass procedure for reaching SSH hosts in an emergency, using security keys that you can store offline.
- We will store an offline SSH Certificate Authority on a hardware security key, and have our hosts trust that CA.
- Why use certificates instead of public/private keys for emergency access?
- Then, append the contents of your CA public key (sk-user-ca.pub) to /etc/ssh/ca.pub on the host.
- It's tempting to think of an SSH certificate as a replacement for a public/private key pair.
- Certificates just eliminate the need for the server to store public keys.
- 🥳 You can now create SSH certificates for any user on a host that trusts your emergency Certificate Authority.
- in ~/.ssh/authorized_keys for the ubuntu user), if you have been using that for emergency access.
Beware the Google Password Manager
- Then I did the second dumb thing, by far the worst - I logged into a Google account from Safari.
- Shouldn't have installed NoMachine, should have replaced the password with a stronger one, should never have logged onto a Google account on this machine in the first place, and definitely, definitely shouldn't have saved that password and not logged out.
- What I didn't realize was that by default, your Google Account credentials are used to encrypt those passwords.
- After doing a significant amount of credential scrubbing, I eventually posted on Twitter: hey, uh, PSA, you don't need 2FA credentials to disable 2FA for your Google account anymore, and you don't get notified when it happens.
- I think this one may have helped - it probably would've asked for my passphrase when visiting the Google Password Manager page, and then the attacker would've been stopped right there.
Schools already struggled with cybersecurity. Then came COVID-19
- Those vulnerabilities have been fixed, but Henry, who now works full time on education technology, says that his experience illustrates the challenges facing school districts across the United States—and a problem that's grown more acute in the wake of Covid-19.
- Polk County is the seventh-largest school district in Florida, with more than 100,000 students, and in recent years it had been spending millions of dollars to develop an enrollment system called Delta and to contract for a new "Student Information System" from an outside vendor.
- Levin also points out that there may be a new digital infection spike in the fall when students, teachers, and administrators physically go back to school and plug their devices into hardwired networks for the first time in months.
Need a Cheap Phone? Look No Further Than Motorola's Latest
- The G fast has a 6.4-inch LCD and the Moto E sticks with a 6.2-inch panel, both of which have relatively slim bezels around the screen, giving the phones a modern look.
- The G Fast and Moto E are kitted out with 4,000-mAh and 3,550-mAh batteries, respectively, which are large enough to easily push these phones past a full day of use.
- Another sad note is that neither of these Moto phones has NFC (near-field communication) capability, which is what enables the use of contactless payment services like Google Pay. I've been using Google Pay more and more because it's a great way to minimize touching other surfaces at the grocery store checkout during this pandemic, and it's a shame I can't "tap to pay" with these devices.
Hong Kong protest leader flees as government warns calls for 'revolution' are now illegal
- Hong Kong (CNN) - The ramifications of a new security law imposed on Hong Kong by China are still unfolding, as authorities moved to outlaw a popular protest movement slogan and at least one prominent activist fled the city rather than face potential arrest.
- Nathan Law, a former lawmaker and leader of the 2014 Umbrella Movement, said late Thursday that he had left Hong Kong, soon after speaking to a US Congressional panel via video link.
- Of the 10 arrests under the law so far, made during protests on July 1, all were in relation to promoting Hong Kong independence, with people grabbed for showing flags, shouting slogans, or found with pro-separatist materials in their bags.
- Speaking to local media this week, Lento Yip Yuk-fai, chairman of the Hong Kong Internet Service Providers Association, said that companies will now have no choice but to help police if they make national security requests.
European police hacked encrypted phones used by thousands of criminals
- In one of the largest law enforcement busts ever, European police and crime agencies hacked an encrypted communications platform used by thousands of criminals and drug traffickers.
- The company installed its own encrypted messaging platform, removed the GPS, camera and microphone functions and offered features like the ability to wipe the device with a PIN.
- In 2018, the FBI arrested Vincent Ramos, the CEO of Phantom Secure, a company that was selling custom BlackBerrys to drug cartels.
- When Ramos pleaded guilty, he admitted that the encrypted handsets were used to facilitate sales of cocaine, heroin and methamphetamines and that Phantom Secure remotely wiped the devices if they were obtained by law enforcement.
- In theory, that may prevent platforms like Encrochat and Phantom Secure, but the bill would make changes to Section 230 of the Communications Decency Act, and doing that could have far-reaching consequences.
How Police Secretly Took over a Global Phone Network for Organized Crime
- Mark took the security of his operation seriously, with the gang using code names to discuss business on custom, encrypted phones made by a company called Encrochat.
- French, Dutch, and other European agencies monitored and investigated "more than a hundred million encrypted messages" sent between Encrochat users in real time, leading to arrests in the UK, Norway, Sweden, France, and the Netherlands, a team of international law enforcement agencies announced Thursday.
- Vincent Ramos, the founder of another secure phone company called Phantom Secure, which started as a legitimate firm, is currently in prison in part for telling undercover agents that he created the device to help with drug trafficking.
- Realizing this was an attack, over the next two days Encrochat pushed an update to its X2 models to restore the phone's features and gather information about the malware installed on its devices around the world, the associate said.
Peppering (Password Storage)
- As the majority of users will re-use passwords between different applications, it is important to store passwords in a way that prevents them from being obtained by an attacker, even if the application or database is compromised.
- Depending on the application, it may be appropriate to remove the older password hashes and require users to reset their passwords next time they need to login, in order to avoid storing older and less secure hashes.
- In some cases, it may be possible to increase the work factor of the hashes without the original password, although this is not supported by common hashing algorithms such as Bcrypt and PBKDF2.
- While this approach solves the problem of arbitrary length user inputs to slower hashing algorithms, it also introduces some vulnerabilities that could allow attackers to crack hashes more easily.
Defiance and fear as Hong Kong settles into new normal after China-backed law takes hold
- As the city marked 23 years of Chinese rule Wednesday, and less than 24 hours under the new reality of the national security law -- which criminalizes secession, subversion, terrorism, and collusion with foreign forces -- thousands of people defied a police ban to take to the streets.
- Police said around 370 people were arrested Wednesday, including 10 people under the new national security law.
- Zhang Xiaoming, deputy director of the Hong Kong and Macao Affairs Office of China's State Council, confirmed another controversial element of the law Wednesday, saying that suspects prosecuted by Chinese agents acting in the city will be tried on the mainland -- effectively permitting the extradition of Hong Kong residents across the border, the very issue which kick-started widespread protests in the city last summer.