Changelog: Signal makes a quantum leap

FLY:D / Unsplash

Welcome to Changelog for 9/21/23, published by Synack! README senior editor Nathaniel Mott here following the launch of Commit—more on that later—with the week’s top infosec news.

The payload

Signal is going post-quantum.

“Today we are happy to announce the first step in advancing quantum resistance for the Signal Protocol: an upgrade to the X3DH specification which we are calling PQXDH,” Signal Foundation CTO Ehren Kret said in a blog post. “With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards.”

Saying this update has broad implications for secure messaging apps would be an understatement. The Signal Protocol is used in the Signal apps themselves, sure, but it also provides the foundation for end-to-end encryption in WhatsApp, Facebook Messenger and Google Messages, among others. (With the important caveat that not all communications via these apps are encrypted by default.)

Ars Technica’s report on this change offers an excellent breakdown of why current encryption protocols won’t be enough to defend against quantum computers, why it’s proven so difficult to design protocols that will be able to stand up to these increasingly powerful devices and how various organizations are tackling this problem. For our purposes, suffice it to say that this Signal Protocol update is vital to the continued security and privacy of the many activists, whistleblowers and journalists who rely on this technology.

It’s also worth noting that the Signal Protocol won’t replace its current encryption protocol with this new one. Instead, the plan is to use both. 

“We believe that the key encapsulation mechanism we have selected, CRYSTALS-Kyber, is built on solid foundations, but to be safe we do not want to simply replace our existing elliptic curve cryptography foundations with a post-quantum public key cryptosystem,” Kret said. “Instead, we are augmenting our existing cryptosystems such that an attacker must break both systems in order to compute the keys protecting people’s communications.” Additional information is available via the accompanying white paper.
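An added illustration of the "break both systems" design Kret describes (not Signal's code and not taken from the PQXDH specification): two shared secrets go into a single HKDF-SHA256 call, so the session key cannot be recomputed from either one alone. The random 32-byte secrets, the info label and the function names are assumptions made for the example; no real key exchange is performed.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(ec_secret: bytes, pq_secret: bytes) -> bytes:
    """Derive one session key from both shared secrets.

    Both inputs are fixed-length (32 bytes), so plain concatenation is
    unambiguous. The info label is a constructed placeholder.
    """
    if len(ec_secret) != 32 or len(pq_secret) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    return hkdf(ec_secret + pq_secret, salt=bytes(HASH_LEN),
                info=b"example-hybrid-kdf-v1")


def attacker_recovers_key(real_key, known_ec=None, known_pq=None) -> bool:
    """Model an attacker who has broken zero, one or both systems.
    A secret the attacker has not broken is replaced by a random guess."""
    guess_ec = known_ec if known_ec is not None else os.urandom(32)
    guess_pq = known_pq if known_pq is not None else os.urandom(32)
    return hmac.compare_digest(hybrid_session_key(guess_ec, guess_pq), real_key)


# Constructed stand-ins for the two shared secrets (assumption, not real output).
EC_SECRET = os.urandom(32)   # what an elliptic-curve exchange would yield
PQ_SECRET = os.urandom(32)   # what a KEM decapsulation would yield
SESSION_KEY = hybrid_session_key(EC_SECRET, PQ_SECRET)
```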

The week, compiled

Organizations are going to have to rethink their multi-factor authentication (MFA) implementations.

Reuters reported on Sept. 19 that Okta chief security officer David Bradbury connected the high-profile attacks on MGM Resorts and Caesars Entertainment to “three other companies in the manufacturing, retail and technology space.” These hacks reportedly prompted an Aug. 31 alert explaining how threat actors have “used social engineering to attain a highly privileged role in an Okta customer Organization (tenant)” before demonstrating “novel methods of lateral movement and defense evasion.”

Okta didn’t attribute this activity to a particular group, but ALPHV has claimed responsibility for the MGM hack, and Reuters said a group known as Scattered Spider has also been linked to these attacks. Mandiant published a blog post on Sept. 14 outlining the latter group’s tactics, techniques and procedures, and the incident response firm highlighted Scattered Spider’s (which it tracks as UNC3944) use of social engineering, infostealer malware and various phishing toolkits to gain access to MFA-protected accounts.


I reported in November 2021 that threat actors were starting to devote more energy to bypassing MFA, and when Uber was hacked in September 2022, I said it would “compound pressure for other companies and even U.S. regulators to address known problems with certain types of MFA.” The attacks on MGM and Caesars—along with Okta’s repeated warnings to its customers—only reinforce that argument. Attackers have clearly started to take MFA seriously; how long will it take for their victims to do the same?

Now on to this week’s recap of all things README, including the debut editions of Commit, a complement to Changelog devoted to covering the stories that break in between installments of this newsletter. 

README: It’s past time for law firms to take their security more seriously. Cynthia Brumfield reported this week on a recent spree of attacks targeting “the biggest, richest and most prestigious legal advisors operating across multiple offices nationwide and many countries globally.” This is no accident—it’s a result of the legal industry simultaneously being trusted with sensitive data and neglecting its cybersecurity.

Commit 09_18_2023: This debut Commit covered new details about how the MGM Resorts hack has affected the company’s operations, a report that demonstrated the ease with which North Korean hackers are able to steal tens of millions of dollars every few weeks and Microsoft accidentally exposing 38TB of sensitive information via a misconfigured Azure Storage URL, among other things.

Commit 09_19_2023: This second Commit was devoted to numerous reports on advanced persistent threat groups deploying new implants, backdoors and other malware against targets around the world; the International Criminal Court’s announcement that it had “detected anomalous activity affecting its information systems” last week; and the continued fallout of a ransomware attack on Clorox.

And here are some other headlines that caught my eye this week:

AP: MGM Resorts announced on Sept. 20 that “all of [its] hotels and casinos are operating normally,” though it added that its “amazing employees are ready to help guests with any intermittent issues,” which suggests the company still hasn’t fully recovered from the ransomware attack. The Associated Press also noted that MGM still hasn’t disclosed the full extent of the breach—which makes it hard to gauge the veracity of the claim that everything is back to normal—or how much it has cost the company.

TechCrunch: Apple released iOS 17 this week, and in addition to all the features most iPhone owners will notice, the latest version of the mobile operating system includes a variety of privacy and security improvements. TechCrunch has the full breakdown, but the most important changes were made to Lockdown Mode’s handling of insecure Wi-Fi networks and easily exploited 2G cellular networks.

BleepingComputer: The P2PInfect botnet revealed in July has reportedly seen a spike of activity in the last few weeks. BleepingComputer described the botnet as “peer-to-peer malware that breaches Redis instances using a remote code execution flaw on internet-exposed Windows and Linux systems” that has compromised systems around the world, including within China, Germany, the U.K. and the U.S.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

You can’t throw a rock these days without hitting someone working on a new programming language. Looking for a better C? Meet Zig. Want memory safety without having to deal with Rust’s borrow checker? Check out Vale and Hylo. Looking for a closed-source Python that makes bombastic performance claims while currently supporting a subset of its predecessor’s features? Step into Mojo’s dojo.

Then there’s Fortran. It’s not new—the first program written in the language was run on Sept. 20, 1954. And even though most people are probably unaware of its existence, to hear IBM tell it, Fortran is at least somewhat responsible for the preponderance of software available today.

“From its creation in 1954, and its commercial release in 1957 as the progenitor of software, Fortran (FORMula TRANslator) became the first computer language standard, ‘helped open the door to modern computing,’ and may well be the most influential software product in history,” IBM said on a website dedicated to this ancient tongue. “Fortran liberated computers from the exclusive realm of programmers and opened them to nearly everybody else. It is still in use more than 50 years after its creation.”

So the next time you’re frustrated by software, remember that it’s Fortran’s—and therefore IBM’s—fault.

Local storage

The Record: A cyberattack on Pittsburg, Kansas, reportedly “disrupted the government’s email, phone and online payment systems” over the weekend. The Record noted that Pittsburg is in good company, with similar attacks targeting county governments in Missouri and Mississippi revealed in the last week.

CyberScoop: The Department of Homeland Security is pushing the U.S. government to simplify the incident reporting process for critical infrastructure operators, according to CyberScoop, which said that organizations have to contend with “dizzying 45 active reporting requirements from 22 different federal agencies and an additional five under consideration.”

Dark Reading: The FBI and the Cybersecurity and Infrastructure Security Agency published an advisory related to the Snatch ransomware-as-a-service, which has been around since at least 2018, this week. These advisories are fairly common, but Dark Reading noted that neither agency explained why they felt the need to highlight a five-year-old threat actor whose last publicly attributed attack was in June. Hmm.

Off-script

Who’d have thunk Nintendo would be the first gaming company to support passkeys?

The 134-year-old company isn’t particularly well known for keeping up with the latest online technologies. It lagged behind Sony and Microsoft in offering an online service for over a decade, for example, and the resulting offering is often criticized for being a poor value. (Especially since it provides access to decades-old games that people have already purchased several times over rather than newer titles.)

Yet people now have the option of securing their Nintendo Account with a passkey—the passwordless authentication mechanism that has the support of Apple, Google and Microsoft as well as the broader industry. Passkeys are clearly going to be A Thing… but I didn’t expect Nintendo to realize that until long after every other company in the gaming industry made the shift.


Cláudio Luiz Castro / Unsplash

And that’s a good thing! Now anyone who’s arguing in favor of passkeys at their company can point to Nintendo, the century-old company that people of a certain age still associate with gray cartridges and 8-bit graphics, and say that even it understands that it’s time to support passkeys. What’s the company going to do next, implement time-based one-time passwords instead of relying on less-secure MFA?

Oh! Wait! That’s exactly what Nintendo’s done. I feel like I just got red-shelled so hard I ended up in a parallel universe where Nintendo is better at this “internet” thing than most other companies. Mamma-mia.