US Government Agencies Call for Closing the Software Understanding Gap

CISA and other agencies issue a call to action for the US government to take steps to close the software understanding gap.


Source: SecurityWeek

In Other News: Lawsuits and Settlements, CrowdStrike Phish, MITRE’s D3FEND 1.0 

Noteworthy stories that might have slipped under the radar: several multi-million dollar settlements, CrowdStrike-themed phishing emails, and MITRE’s launch of D3FEND 1.0.


Source: SecurityWeek

Malware stole internal PowerSchool passwords from engineer’s hacked computer

The theft of a PowerSchool engineer’s passwords prior to the breach raises further doubts about the company’s security practices.


Source: Security News | TechCrunch

Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation

Cybersecurity researchers have disclosed three security flaws in Planet Technology’s WGS-804HPT industrial switches that could be chained to achieve pre-authentication remote code execution on susceptible devices.
“These switches are widely used in building and home automation systems for a variety of networking applications,” Claroty’s Tomer Goldschmidt said in a Thursday report. “An attacker

Source: The Hacker News

Leveraging Behavioral Insights to Counter LLM-Enabled Hacking

As LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses.

Source: darkreading

Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation

Cybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia.
“Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps,” Imperva researcher Daniel Johnston said in an analysis. “These attacks

Source: The Hacker News

Hype and confusion surrounding quantum computers in cryptography

Quantum computers remain a highly exotic technology, used by a very small number of companies for very specific computational tasks. But if you search for “quantum computer news”, you might get the impression that all the major IT players have already armed themselves with quantum technology, and that any day now hackers will start using it to crack encrypted communications and manipulate digital signatures. The reality is both less tense and more complex — but such nuances don’t make the headlines. So, who’s been making all the noise about quantum hacking?…

Mathematicians

Although the respected American mathematician Peter Shor meant to create neither hype nor panic, it was he who, back in 1994, proposed a family of quantum algorithms for problems that are computationally hard on classical machines. Chief among these was factoring large integers into primes. For sufficiently large numbers, a classical computer would need centuries to find the factors, and that difficulty is exactly what public-key algorithms like RSA rely on (the same work also solves the discrete logarithm problem behind Diffie-Hellman and elliptic-curve signatures). A sufficiently powerful quantum computer running Shor’s algorithm could solve both in polynomial time. Although such a computer was still a dream in 1994, Shor’s idea captured the imagination of hackers, physicists, and of course, journalists. Shor recalls that when he first presented his idea at a conference in 1994, he hadn’t yet completely solved the factorization problem; the final version of his research was only published in 1995. Nevertheless, just five days after his presentation, people were confidently proclaiming that the factorization problem had been solved.
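To make concrete why an efficient factoring algorithm is fatal to RSA, here is an added example (not from the Kaspersky post). It builds a deliberately tiny RSA key from two constructed primes, then plays the attacker: given only the public key (n, e), it factors n and recomputes the private exponent d. Classical trial division stands in for the factoring step that Shor’s algorithm would perform in polynomial time on a cryptanalytically relevant quantum computer; on a real 2048-bit modulus the classical version would never finish, which is the whole point.

```python
"""Why a factoring oracle breaks RSA: recover d from (n, e) alone.

Added example, not the Kaspersky post's code. The private exponent d is
e^-1 mod phi(n) with phi(n) = (p-1)(q-1), so anyone who can factor n can
rebuild d. Shor's algorithm is that factoring step run in polynomial time
on a CRQC; here trial division plays the same role on a toy key.
"""
from math import gcd, isqrt

P, Q = 10007, 10009   # constructed toy primes; real keys use ~1024-bit primes
E = 65537             # the customary public exponent


def make_public_key(p: int, q: int, e: int = E) -> tuple[int, int]:
    """Return the public key (n, e); refuses e that is not invertible mod phi(n)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return p * q, e


def factor(n: int) -> tuple[int, int]:
    """Classical stand-in for Shor: trial division, about sqrt(n) steps.
    Infeasible for a 2048-bit n; that infeasibility *is* RSA's security."""
    if n % 2 == 0:
        return 2, n // 2
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError(f"{n} is prime")


def recover_private_exponent(n: int, e: int) -> int:
    """Attacker's step: factor n, then d = e^-1 mod phi(n) (pow(e, -1, m) needs Python 3.8+)."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def rsa_encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)          # textbook RSA, no padding: a toy, not a protocol


def rsa_decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


def attack_demo(message: int = 424242) -> tuple[int, int, int]:
    """Returns (plaintext sent, ciphertext, plaintext the attacker recovered)."""
    n, e = make_public_key(P, Q)
    c = rsa_encrypt(message, n, e)
    d = recover_private_exponent(n, e)   # attacker never saw p, q or d
    return message, c, rsa_decrypt(c, n, d)


if __name__ == "__main__":
    m, c, recovered = attack_demo()
    print(f"n={P * Q} c={c} recovered={recovered} ok={recovered == m}")
```

Everything after `factor()` is ordinary RSA arithmetic; no quantum hardware changes how d follows from p and q. That is also why the remedy is not a longer RSA key but a different hardness assumption, which is what the post-quantum standards discussed later in the article provide.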

Startups

For many years, the quantum threat was considered just a distant possibility. The number of quantum bits (qubits) required to break cryptography was estimated to be in the thousands or millions, while experimental quantum computers still had single-digit qubit counts. The situation changed in 2007, when the Canadian company D-Wave Systems demonstrated the “first commercial quantum computer”, boasting 28 qubits, with plans to scale up to 1024 qubits by the end of 2008. The company predicted that by 2009 it would be possible to rent quantum computers for cloud computations, using them for risk analysis in insurance, modeling in chemistry and materials science, as well as for “government and military needs”. By 2009, D-Wave expected to achieve quantum supremacy: the point at which a quantum computer solves some problem that no classical computer could solve in a feasible time.

The quantum community had to spend years dealing with the company’s claims. It was disputed whether quantum annealing, the principle behind D-Wave systems, involved any genuinely quantum effects at all; evidence that it did was only published in 2013, and even then with serious reservations. Meanwhile, the magnitude (and even the existence) of quantum supremacy continued to be a subject of debate for even longer. In any case, D-Wave systems can run neither Shor’s nor Grover’s algorithm, making them unsuitable for cryptanalysis. The company continues to build machines (or, rather, “quantum annealers”) with ever-increasing numbers of qubits, but their practical application remains very limited.

Cyber agencies

When the U.S. National Security Agency (NSA) issues warnings and advice on a problem, it’s a good reason to take that problem seriously. That’s why the NSA’s 2015 recommendation urging companies and governments to begin transitioning to quantum-resistant encryption was taken as a signal that the arrival of practical quantum computers might just be round the corner. This warning came as a surprise: at the time, the largest number that had been factored using Shor’s algorithm on a quantum computer was… 21. This fueled speculation that the NSA knew something about quantum computers that the rest of the world didn’t.

Now, nearly a decade later, we can be fairly confident that the NSA was sincere in its subsequent explanations, released six months later: it was simply warning of a potential danger ahead of time. After all, equipment purchased for government agencies tends to remain in service for decades, so systems should be upgraded well in advance to avoid future vulnerabilities. Around the same time, NIST announced a competition to develop a standardized set of quantum-resistant algorithms. In August 2024 the first three standards were published: FIPS 203 (ML-KEM) for key establishment, and FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures.

Internet giants

Many major IT companies, such as Google and IBM, have shown interest in quantum computing and invested in it. At the end of the 20th century, IBM labs created the first working quantum computer with two qubits. But it was Google that, in 2019, announced the long-awaited achievement of quantum supremacy. Its experimental 53-qubit processor, Sycamore, reportedly solved in about 200 seconds a problem that Google estimated would take a classical supercomputer 10,000 years. However, IBM disputed this claim, arguing that the problem was purely synthetic, designed specifically for quantum computers, and had no real-world application. For a supercomputer to solve the same problem, it would simply have to simulate a quantum one, which would be quite useless, not to mention slow. IBM further stated that with sufficient disk storage, a classical supercomputer could solve the same problem with greater accuracy and in a relatively short time: no more than 2.5 days.

Even the original creator of the term “quantum supremacy”, Professor John Preskill, criticized Google’s excessive use of the phrase, noting its popularity with journalists and marketers. As a result, its intended technical use has been obscured.

Governments

Security experts, including the NSA, have repeatedly emphasized that the quantum threat is a reality even in the absence of a practical quantum computer. One possible scenario is well-resourced malefactors storing an encrypted copy of valuable data today in order to decrypt it in the future when quantum computers become viable. Such an attack, known as store now, decrypt later (SNDL) or harvest now, decrypt later, is often mentioned in the context of the “quantum race”, and in 2022 the U.S. government created quite a stir by claiming to already be facing SNDL attacks. Experts from the post-quantum security firm QuSecure also referred to SNDL attacks as a “common practice” in an article ominously titled Quantum apocalypse.

Meanwhile, the White House coined the term CRQC (Cryptanalytically Relevant Quantum Computer) and ordered U.S. agencies to switch to post-quantum encryption algorithms no later than 2035.

Enthusiasts

Quantum computers are complex, unique physical devices that often require extreme cooling. As a result, small firms and individual researchers have a hard time keeping up in the quantum race; however, that doesn’t stop some from trying. In 2023, statements from a researcher named Ed Gerck, founder of a company called Planalto Research, created a small buzz. According to Gerck, his company managed to perform quantum computations on a commercial Linux desktop with capital costs of less than a thousand dollars and without using cryogenics. The author claimed to have broken a 2048-bit RSA key despite these limitations. Interestingly, Gerck allegedly developed his own algorithm to do this, rather than using Shor’s. Cryptographers and developers of quantum computers have repeatedly demanded proof of Gerck’s claims but received only excuses in response. Gerck’s paper has in fact been published; however, experts note serious methodological flaws and speculative elements.

And, of course, the press

A study by researchers at Shanghai University directly linking quantum computing to encryption cracking was published in China in September 2024. However, it only caused a splash worldwide after a November article in the South China Morning Post. This article claimed that the Chinese scientists had successfully broken “military-grade encryption”, and this headline was carelessly replicated by other media outlets.

In fact, the authors of the study did target encryption, but solved a much more modest problem: they cracked 50-bit instances of three lightweight block ciphers with an AES-like substitution-permutation structure (Present, Gift-64, and Rectangle). Interestingly, they used one of the latest models from the very same D-Wave, with classical algorithms compensating for its limitations compared to a full-fledged quantum computer. The study is scientifically novel, but its practicality for breaking real-world encryption is highly questionable. Besides the shortage of qubits, the enormous classical pre-computation required to attack real 128- or 256-bit keys remains an obstacle. Even Grover’s algorithm, the best known generic quantum attack on symmetric ciphers, only halves the effective key length, which is why AES-256 is expected to remain out of reach of a quantum adversary.

This wasn’t the first time researchers have claimed success in breaking encryption, but an earlier, similar announcement in 2022 received little attention.

Internet giants (yes, again)

A new round of speculation began with Google’s recent announcement of its Willow chip. The developers claim to have made progress on one of the key problems in scaling quantum computing: error correction. The problem arises because it’s extremely difficult to manipulate and read out a qubit without introducing errors or disturbing its entanglement with other qubits. Therefore, calculations are often run multiple times, and many “noisy” physical qubits are combined into a single, more reliable logical qubit. In earlier hardware, each physical qubit added to a logical one brought in more noise than the correction scheme removed, so larger codes did not help and the system only became more fragile. Willow operates below the error-correction threshold: as the surface-code distance grew from 3 to 5 to 7 (more physical qubits per logical qubit), the logical error rate roughly halved at each step.
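The “below threshold” behaviour is easier to see with a toy model. The following is an added example, not code from the Kaspersky post or from Google; it replaces the surface code with the simplest error-correcting code there is, a majority vote over d copies of a bit, and computes the logical error rate as the code distance grows. The threshold of this toy code is 50% per copy, far above the roughly 1% of a surface code, and it ignores phase and measurement errors, but the qualitative picture is the one Willow demonstrated: below threshold, more qubits mean fewer errors; above it, more qubits mean more.

```python
"""Toy model of an error-correction threshold (added example, not Google's code).

One logical bit is stored as d copies and decoded by majority vote. The
logical error rate is the probability that more than half the copies flip.
Below the threshold (p < 0.5 for this code), raising d drives the logical
error down; above it, extra copies only add noise. Real surface codes have
a threshold near 1% and must also handle phase and measurement errors.
"""
from math import comb


def logical_error_rate(d: int, p: float) -> float:
    """P(majority of d copies is wrong) when each copy flips independently with prob p."""
    if d % 2 == 0:
        raise ValueError("use an odd distance so the majority vote is unambiguous")
    return sum(comb(d, k) * p**k * (1 - p) ** (d - k) for k in range(d // 2 + 1, d + 1))


def scaling(p: float, distances=(3, 5, 7)) -> list[float]:
    """Logical error rate at each distance; the same three distances Willow reported."""
    return [logical_error_rate(d, p) for d in distances]


def is_below_threshold(p: float, distances=(3, 5, 7)) -> bool:
    """True when every increase in distance lowers the logical error rate."""
    rates = scaling(p, distances)
    return all(a > b for a, b in zip(rates, rates[1:]))


if __name__ == "__main__":
    for p in (0.01, 0.3, 0.6):
        rates = ", ".join(f"{r:.2e}" for r in scaling(p))
        print(f"p={p}: d=3,5,7 -> {rates}  below threshold: {is_below_threshold(p)}")
```

At p = 0.01 the logical error drops by more than an order of magnitude per distance step; at p = 0.6 it rises, which is the regime earlier hardware was stuck in.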

Willow has 105 physical qubits. Of course, this is far from enough to break modern encryption. According to the Google researchers themselves, their computer would need millions of qubits to become a CRQC.

But such trifles didn’t stop other researchers from declaring the imminent death of modern cryptography. For example, researchers at the University of Kent have estimated that advances in quantum computing could require the Bitcoin network to shut down for 300 days in order to update to quantum-resistant algorithms.

Welcome to reality

Leaving the mathematical and technical aspects aside, it’s worth emphasizing that, as of right now, cracking modern encryption using quantum computers is still impossible, and this is unlikely to change in the near future. However, because of the store-now-decrypt-later risk described above, sensitive data that will remain valuable for years to come should be protected with quantum-resistant (post-quantum) algorithms today. Several major IT regulators have already issued recommendations on transitioning to post-quantum cryptography, which should be studied and gradually implemented; a sensible first step is an inventory of where RSA, Diffie-Hellman and elliptic-curve cryptography are in use, since those are the algorithms Shor’s method breaks and a migration cannot be planned without knowing where they live.

Source: Kaspersky official blog

Why Many New AI Tools Aren’t Available In Europe – And How To Access Them

Explore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing…

Source: Hackread

Google Releases Open Source Library for Software Composition Analysis

Google releases OSV-SCALIBR, an open source library for software composition analysis and file system scanning.


Source: SecurityWeek

Weekly IT Vulnerability Report: Critical Updates for SAP, Microsoft, Fortinet, and Others


Key vulnerabilities in SAP, Microsoft, Fortinet, and others demand immediate attention as threat actors exploit critical flaws.

Overview

Cyble Research and Intelligence Labs (CRIL) analyzed significant IT vulnerabilities disclosed between January 8 and 14, 2025.

The Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

Microsoft released its January 2025 Patch Tuesday updates, addressing 159 vulnerabilities, including eight zero-days, three of which are under active exploitation.

Other notable vulnerabilities this week are flaws in SAP NetWeaver Application Server and other high-profile products. CRIL’s monitoring of underground forums also revealed discussions on critical zero-day vulnerabilities and their potential weaponization.

Key Vulnerabilities

SAP NetWeaver and BusinessObjects

  • CVE-2025-0070: Improper authentication in SAP NetWeaver AS for ABAP, enabling privilege escalation.
  • CVE-2025-0066: Weak access controls leading to unauthorized information disclosure.
  • CVE-2025-0063: SQL injection vulnerability allowing unauthorized database manipulation.
  • CVE-2025-0061: Session hijacking in SAP BusinessObjects, risking sensitive data exposure.

Impact: SAP NetWeaver’s foundational role in critical industries like finance, healthcare, and manufacturing makes these vulnerabilities particularly concerning.

Mitigation: Patches are available for all vulnerabilities, and immediate application is recommended.

Fortinet FortiOS

  • CVE-2024-55591: A critical authentication bypass in FortiOS (CVSS 9.8) that allows an unauthenticated remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module of the administrative interface.

Impact: Exploited in the wild, this vulnerability has been observed in attempts to gain super-admin privileges on affected systems.

Mitigation: Upgrade FortiOS 7.0 to 7.0.17 or above. Fortinet’s advisory (FG-IR-24-535) lists the 7.2.13 fix for FortiProxy 7.2 (and 7.0.20 for FortiProxy 7.0); FortiOS 7.2 and later are not listed as affected. Where upgrading is delayed, disable the HTTP/HTTPS administrative interface on exposed interfaces or restrict it to trusted source addresses.


Microsoft Hyper-V

  • CVE-2025-21333, CVE-2025-21334, CVE-2025-21335: Use-after-free and buffer overflow vulnerabilities in Microsoft Hyper-V NT Kernel Integration VSP.

Impact: These vulnerabilities pose risks of denial-of-service or privilege escalation within virtualized environments.

Mitigation: Apply Microsoft’s January Patch Tuesday updates.

Vulnerabilities on Underground Forums

CRIL observed active discussions and Proof-of-Concept (PoC) code for vulnerabilities on underground forums:

  • CVE-2024-55956: Critical unauthenticated file upload vulnerability in Cleo Harmony, VLTrader, and LexiCom products, allowing arbitrary code execution.

Observed Activity: PoC shared on Telegram by a threat actor.

  • CVE-2024-45387: SQL injection in the Traffic Ops component of Apache Traffic Control, allowing a privileged authenticated user to execute arbitrary SQL against the backend database via a crafted PUT request.

Observed Activity: Threat actor “dragonov_66” posted PoC on cybercrime forums.

Additionally, a threat actor advertised for sale zero-day pre-authentication Remote Code Execution (RCE) vulnerabilities affecting GoCloud Routers and Entrolink PPX VPN services.

CISA’s Known Exploited Vulnerabilities (KEV) Catalog

Vulnerabilities added to CISA’s KEV catalog this week include:

CVE ID           Vendor      Product          CVSSv3   Exploitation
CVE-2025-21335   Microsoft   Windows          7.8      Not observed
CVE-2024-55591   Fortinet    FortiOS          9.8      Observed
CVE-2023-48365   Qlik        Sense            9.8      Observed
CVE-2025-0282    Ivanti      Connect Secure   9.0      Observed


Recommendations

To mitigate risks associated with the identified vulnerabilities:

  • Apply Patches Promptly:
    • Install vendor-released patches for all affected products immediately.
    • Use tools like Fortinet’s upgrade path utility for smooth version transitions.

  • Implement Network Segmentation:
    • Isolate critical assets using VLANs and firewalls.
    • Restrict access to administrative interfaces through IP whitelisting.

  • Monitor for Indicators of Compromise (IoCs):
    • Analyze logs for suspicious activities, such as unauthorized account creation or modifications to security policies.
    • Investigate IPs associated with malicious activity:
      • 45.55.158.47
      • 87.249.138.47
      • 149.22.94.37

  • Strengthen Incident Response Plans:
    • Regularly test and update incident response protocols to address emerging threats.

  • Enhance Visibility:
    • Maintain an up-to-date inventory of assets and perform regular vulnerability assessments.

  • Adopt Multi-Factor Authentication (MFA):
    • Ensure strong authentication measures for all accounts, especially admin accounts.

  • Engage in Threat Intelligence Monitoring:
    • Stay informed about security advisories from vendors and public authorities, including CISA and CERTs.
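The monitoring advice above can be turned into a concrete check. The following added example (not Cyble’s or Fortinet’s code) parses FortiOS-style key=value event logs and flags the three things the recommendations call out: administrator accounts being added, firewall-policy changes, and any activity from the three listed IP addresses. The log lines are constructed for this example; the field names (cfgpath, cfgobj, cfgattr, action, srcip, user) follow FortiOS log conventions, but every value in them is invented.

```python
"""Flag admin-account creation, policy changes and listed-IP activity in
FortiOS-style event logs.

Added example, not Cyble's or Fortinet's code. SAMPLE_LOGS are constructed
to mimic FortiOS syslog key=value events; the field names are the real
FortiOS ones, the values are invented.
"""
import re
from collections import Counter
from dataclasses import dataclass

# IPs from the report's "Monitor for Indicators of Compromise" list
IOC_IPS = {"45.55.158.47", "87.249.138.47", "149.22.94.37"}

# Constructed sample: an intrusion from a listed IP, followed by routine admin work
SAMPLE_LOGS = [
    'date=2025-01-14 time=03:12:09 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=87.249.138.47 action="login" status="success"',
    'date=2025-01-14 time=03:12:41 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=87.249.138.47 action="Add" cfgpath="system.admin" cfgobj="svc_backup2"',
    'date=2025-01-14 time=03:13:05 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=87.249.138.47 action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="action[deny->accept]"',
    'date=2025-01-14 time=08:45:17 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.20.30.5 action="login" status="success"',
    'date=2025-01-14 time=08:46:02 type="event" subtype="system" logdesc="Object attribute configured" user="netops" srcip=10.20.30.5 action="Edit" cfgpath="system.interface" cfgobj="port3"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line: str) -> dict[str, str]:
    """Split one log line into a field dict (unmatched groups come back as '')."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    srcip: str
    detail: str


def scan(lines) -> list[Finding]:
    """Apply the three rules to every line; one line can trigger several rules."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse(line)
        user, src = ev.get("user", "?"), ev.get("srcip", "?")
        if src in IOC_IPS:
            findings.append(Finding("ioc_ip", user, src, ev.get("logdesc", "")))
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(Finding("admin_account_created", user, src, ev.get("cfgobj", "")))
        if ev.get("cfgpath", "").startswith("firewall.") and ev.get("action") in {"Add", "Edit", "Delete"}:
            detail = f'{ev.get("cfgobj", "")} {ev.get("cfgattr", "")}'.strip()
            findings.append(Finding("policy_modified", user, src, detail))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings per rule, handy for a quick triage view."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.rule:<22} user={f.user:<8} src={f.srcip:<15} {f.detail}")
    print(summarize(scan(SAMPLE_LOGS)))
```

IP-based indicators age quickly as attackers move infrastructure, so the durable rules here are the account-creation and policy-change checks, which should be correlated against change tickets regardless of source address. Real FortiOS exports carry additional fields (for example ui and devid) that this parser simply passes through in the dict.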


Source: Cyble blog