China

The Daring Ruse That Exposed China's Campaign To Steal American Secrets (nytimes.com) 56

The New York Times magazine tells the story of an innocuous-seeming message on LinkedIn in 2017 from Qu Hui, the deputy director of the China-based Provincial Association for International Science and Technology Development.

Federal agents eventually obtained search warrants for two Gmail addresses the official was using, and "In what would prove to be a lucky break, the investigators found that each email address was the Apple ID used for an iPhone, linked to an iCloud account where data from the phones was periodically backed up. The agents were later able to obtain search warrants for the two iCloud accounts [that] opened a treasure trove." This included confirmation of what they had suspected all along: that Qu worked for Chinese intelligence. His real name was Xu Yanjun. He had worked at the Ministry of State Security since 2003, earning six promotions to become a deputy division director of the Sixth Bureau in the Jiangsu Province M.S.S. Like so many of us, he had taken pictures of important documents using his iPhone — his national ID card, pay stubs, his health insurance card, an application for vacation — which is how they ended up in his iCloud account. There, investigators also found an audio recording of a 2016 conversation with a professor at N.U.A.A. in which Xu had talked about his job in intelligence and the risks associated with traveling. "The leadership asks you to get the materials of the U.S. F-22 fighter aircraft," he told the professor. "You can't get it by sitting at home." The discovery of evidence of Xu's identity in an iCloud account makes for a kind of delicious reversal. The ubiquitous use of iPhones around the world — a result of America's technological prowess — was helping to fight back against a rival nation's efforts to steal technology.
Qu scheduled a meeting in Brussels with one American target — where he was arrested and extradited to America, becoming the first-ever Chinese intelligence official convicted on U.S. soil on charges of economic espionage. The prosecution contended that Xu had been systematically going after intellectual property at aerospace companies in the United States and Europe through cyberespionage and the use of human sources. It's not often that prosecutors find a one-stop shop for much of their evidence, but that's what Xu's iCloud account was — a repository of the spy's personal and professional life. That's because Xu often used his iPhone calendar as a diary, documenting not just the day's events but also his thoughts and feelings.... The messages in Xu's iCloud account enabled investigators to make another damning discovery. Xu had helped coordinate a cyberespionage campaign that targeted several aviation technology companies....

At the end of the trial, Xu was convicted of conspiring and attempting to commit economic espionage and theft of trade secrets.... According to Timothy Mangan, who led the prosecution, the evidence laid out during Xu's trial goes far beyond merely proving his guilt — it uncovers the systematic nature of China's vast economic espionage. The revelation of Xu's activities lifts the veil on how pervasive China's economic espionage is, according to the F.B.I. agent. If just one provincial officer can do what he did, the agent suggests, you can imagine how big the country's overall operations must be.

The article notes that the Chinese government "also offers financial incentives to help Chinese expats start their own businesses in China using trade secrets stolen from their American employers." It also cites a 2019 report from a congressional committee's security review that found "myriad ways in which Chinese companies, often backed by their government, help transfer strategic know-how from the United States to China." The maneuvers range from seemingly benign (acquiring American firms with access to key intellectual property) to notoriously coercive (compelling American companies to form joint ventures with Chinese firms and share trade secrets with them in return for access to the Chinese market) to outright theft. Cyberattacks have become an increasingly common tactic because they can't always be linked directly to the Chinese government. Over the past few years, however, federal agents and cybersecurity experts in the U.S. have identified the digital footprints left along the trails of these attacks — malware and I.P. addresses among them — and traced this evidence back to specific groups of hackers with proven ties to the Chinese government.
One 2020 indictment blamed five "computer hackers" in China for breaching more than 100 organizations.

Thanks to Slashdot reader schwit1 for sharing the article.

Cloud

US Plans More Regulations to Improve Cloud Security (politico.com) 12

Politico reports: Governments and businesses have spent two decades rushing to the cloud — trusting some of their most sensitive data to tech giants that promised near-limitless storage, powerful software and the knowhow to keep it safe.

Now the White House worries that the cloud is becoming a huge security vulnerability.

So it's embarking on the nation's first comprehensive plan to regulate the security practices of cloud providers like Amazon, Microsoft, Google and Oracle, whose servers provide data storage and computing power for customers ranging from mom-and-pop businesses to the Pentagon and CIA.... Among other steps, the Biden administration recently said it will require cloud providers to verify the identity of their users to prevent foreign hackers from renting space on U.S. cloud servers (implementing an idea first introduced in a Trump administration executive order). And last week the administration warned in its national cybersecurity strategy that more cloud regulations are coming — saying it plans to identify and close regulatory gaps over the industry....

So far, cloud providers haven't done enough to prevent criminal and nation-state hackers from abusing their services to stage attacks within the U.S., officials argued, pointing in particular to the 2020 SolarWinds espionage campaign, in which Russian spooks avoided detection in part by renting servers from Amazon and GoDaddy. For months, they used those to slip unnoticed into at least nine federal agencies and 100 companies. That risk is only growing, said Rob Knake, the deputy national cyber director for strategy and budget. Foreign hackers have become more adept at "spinning up and rapidly spinning down" new servers, he said — in effect, moving so quickly from one rented service to the next that new leads dry up for U.S. law enforcement faster than it can track them down.

On top of that, U.S. officials express significant frustration that cloud providers often up-charge customers to add security protections — both taking advantage of the need for such measures and leaving a security hole when companies decide not to spend the extra money. That practice complicated the federal investigations into the SolarWinds attack, because the agencies that fell victim to the Russian hacking campaign had not paid extra for Microsoft's enhanced data-logging features.... Part of what makes that difficult is that neither the government nor companies using cloud providers fully know what security protections cloud providers have in place. In a study last month on the U.S. financial sector's use of cloud services, the Treasury Department found that cloud companies provided "insufficient transparency to support due diligence and monitoring" and U.S. banks could not "fully understand the risks associated with cloud services."

Canada

Canada's Tax Revenue Agency Tries To ToS Itself Out of Hacking Liability (substack.com) 55

schwit1 shares an excerpt from a Substack article, written by former cybersecurity reporter Catalin Cimpanu: The Canada Revenue Agency (CRA), the tax department of Canada, recently updated its terms and conditions to force taxpayers to agree that CRA is not liable if their personal information is stolen while using the My Account online service portal -- which, ironically, all Canadians must use when doing their taxes and/or running their business. The CRA's terms of use assert the agency is not liable because they have "taken all reasonable steps to ensure the security of this Web site."

Excerpt from the CRA terms statement: "10. The Canada Revenue Agency has taken all reasonable steps to ensure the security of this Web site. We have used sophisticated encryption technology and incorporated other procedures to protect your personal information at all times. However, the Internet is a public network and there is the remote possibility of data security violations. In the event of such occurrences, the Canada Revenue Agency is not responsible for any damages you may experience as a result."

Unfortunately, that is not true. After reviewing the HTTP responses from the CRA My Account login page, it's clear the agency has not configured even some of the most basic security features. For example, security protections for their cookies are not configured, nor are all the recommended security headers used. Not only is that not "all reasonable steps," but the CRA is missing the very basics for securing online web applications.

The terms of use also state that users are not allowed to use "any script, robot, spider, Web crawler, screen scraper, automated query program or other automated device or any manual process to monitor or copy the content contained in any online services." Looking at the HTTP response headers using web browser developer tools doesn't breach the terms of services, but the CRA must be well aware that internet users perform scans like this all the time. And it's not the legitimate My Account users who are likely to be the culprits. Unfortunately for Canadians, threat actors don't read terms of use pages. A statement like this doesn't protect anyone, except CRA, from being held responsible for failing to properly secure Canadian citizens' personal data.
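The kind of check the article describes, reading a login page's response headers for cookie attributes and recommended security headers, is easy to automate against your own application. The script below is an added example, not code from the Substack post or anything the CRA publishes; the two responses it inspects are constructed samples, not captures of the My Account site, and the header list is the common baseline (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) rather than any list the article enumerates.

```python
"""Audit raw HTTP response headers for basic cookie and header hygiene.

Added example. The responses are constructed samples, not real captures.
Run it against a saved response from your own site (e.g. the output of
`curl -si https://your-app.example/login`), never a third party's.
"""
from __future__ import annotations

# Header -> why a defender wants it. Names are compared case-insensitively.
RECOMMENDED_HEADERS = {
    "strict-transport-security": "HSTS keeps browsers on HTTPS for the site",
    "content-security-policy": "CSP limits where scripts and resources may load from",
    "x-content-type-options": "stops MIME sniffing (expected value: nosniff)",
    "x-frame-options": "blocks clickjacking via framing (or CSP frame-ancestors)",
    "referrer-policy": "limits leakage of the page URL to third parties",
}
# Attributes every session cookie should carry.
COOKIE_FLAGS = ("secure", "httponly", "samesite")
MIN_HSTS_AGE = 31536000  # one year, the usual minimum for preload lists


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Turn a raw response (status line + headers) into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(set_cookie: str) -> dict:
    """Report which protective attributes a Set-Cookie value lacks."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "missing": [f for f in COOKIE_FLAGS if f not in attrs]}


def audit(raw: str) -> dict:
    """Summarise missing headers, weak header values and under-protected cookies."""
    headers = parse_headers(raw)
    present = {n: v for n, v in headers if n != "set-cookie"}
    missing = sorted(h for h in RECOMMENDED_HEADERS if h not in present)
    weak = []
    if present.get("x-content-type-options", "nosniff").lower() != "nosniff":
        weak.append("x-content-type-options is not 'nosniff'")
    hsts = present.get("strict-transport-security", "")
    for directive in hsts.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit() and int(val) < MIN_HSTS_AGE:
            weak.append(f"HSTS max-age {val} is below {MIN_HSTS_AGE}")
    cookies = [audit_cookie(v) for n, v in headers if n == "set-cookie"]
    return {"missing_headers": missing, "weak": weak, "cookies": cookies}


# Constructed sample: a login page with a bare session cookie and few headers.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; Path=/
Set-Cookie: lang=en; Path=/; Secure; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
"""

# Constructed sample: the same page after the fixes a defender would apply.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    for label, resp in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        report = audit(resp)
        print(f"== {label} ==")
        for h in report["missing_headers"]:
            print(f"  missing {h}: {RECOMMENDED_HEADERS[h]}")
        for w in report["weak"]:
            print(f"  weak: {w}")
        for c in report["cookies"]:
            flags = ", ".join(c["missing"]) or "none"
            print(f"  cookie {c['name']}: missing {flags}")
```

The audit deliberately treats `Set-Cookie` separately from the other headers because a response can carry several of them, and it is the session cookie, not the language cookie, whose missing `Secure`/`HttpOnly`/`SameSite` attributes matter. A header being present is not the same as it being useful, which is why the script also flags a short HSTS `max-age` and a non-`nosniff` value.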

China

Germany Planning To Ban Huawei, ZTE From Parts of 5G Networks (reuters.com) 44

Germany's government is planning on forbidding telecoms operators from using certain components from Chinese companies Huawei and ZTE in their 5G networks, German paper Zeit Online reported on Monday. Reuters reports: The ban could include components already built into the networks, requiring operators to remove and replace them, Zeit Online wrote, citing government sources. The government, which is now in the midst of a broader re-evaluation of its relationship with top trade partner China, did not immediately reply to a request for comment. A source, however, confirmed the report to Reuters.

Critics of Huawei and ZTE say that their close links to China's security services mean that embedding them in the ubiquitous mobile networks of the future could give Chinese spies and even saboteurs access to swathes of essential infrastructure. Huawei, ZTE and the Chinese government reject these claims, saying that they are motivated by a protectionist desire to support non-Chinese rivals.

Zeit Online said the government's cybersecurity agency and interior ministry had for months been checking if there were components in the growing 5G networks that could put German security at risk. The survey had not officially been ended, but the result was already clear, the paper said, citing government sources. The government would ban operators from using certain controlling elements from Huawei and ZTE in 5G networks.

Security

Unkillable UEFI Malware Bypassing Secure Boot Enabled By Unpatchable Windows Flaw (arstechnica.com) 115

Researchers have announced a major cybersecurity find -- the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows. From a report: Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI -- short for Unified Extensible Firmware Interface -- the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch. Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to run malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs in kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.

As appealing as it is to threat actors to install nearly invisible and unremovable malware that has kernel-level access, there are a few formidable hurdles standing in their way. One is the requirement that they first hack the device and gain administrator system rights, either by exploiting one or more vulnerabilities in the OS or apps or by tricking a user into installing trojanized software. Only after this high bar is cleared can the threat actor attempt an installation of the bootkit. The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.
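The chain-of-trust rule the paragraph describes, each boot stage is checked before it runs and the first unrecognized link halts the machine, can be modelled in a few lines. The following is an added example, not code from the Ars Technica report or from any firmware vendor: real UEFI Secure Boot verifies Authenticode signatures and hashes against the `db` (allowed) and `dbx` (forbidden) variables; this model stands in for that with SHA-256 hashes only, and the stage names and image bytes are constructed. It also goes one step beyond the paragraph by showing the revocation side: an image that was once allowed stays allowed until its hash lands in `dbx`, which is why "signed" and "still trusted" are not the same thing.

```python
"""Toy model of the Secure Boot chain of trust (added example, hashes only).

Real firmware checks signatures against the db/dbx UEFI variables; here
both lists hold SHA-256 hashes, which db/dbx can also contain in practice.
All boot images below are constructed byte strings, not real binaries.
"""
from __future__ import annotations
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SecureBootPolicy:
    """Allow list (db) plus revocation list (dbx); dbx always wins."""

    def __init__(self, db: list[str], dbx: list[str] = ()):
        self.db = set(db)
        self.dbx = set(dbx)

    def verify(self, image: bytes) -> str:
        digest = sha256_hex(image)
        if digest in self.dbx:
            return "revoked"      # explicitly forbidden, even if also in db
        if digest in self.db:
            return "allowed"
        return "unknown"          # unsigned or tampered: not in db at all


def boot(policy: SecureBootPolicy, stages: list[tuple[str, bytes]]):
    """Walk the chain; stop at the first stage that is not allowed.

    Returns (reached_os, log) where log lists (stage, verdict) in order.
    """
    log = []
    for name, image in stages:
        verdict = policy.verify(image)
        log.append((name, verdict))
        if verdict != "allowed":
            return False, log     # firmware refuses to hand off control
    return True, log


# Constructed chain: firmware -> boot manager -> OS loader -> kernel.
GOOD_CHAIN = [
    ("boot manager", b"stage1 boot manager image (constructed)"),
    ("OS loader", b"stage2 OS loader image (constructed)"),
    ("kernel", b"stage3 kernel image (constructed)"),
]


def build_policy(chain=GOOD_CHAIN, revoked: list[bytes] = ()) -> SecureBootPolicy:
    """Enrol every image in the chain into db; put `revoked` images into dbx."""
    return SecureBootPolicy(
        db=[sha256_hex(img) for _, img in chain],
        dbx=[sha256_hex(img) for img in revoked],
    )


def tamper(chain, stage_name: str, new_image: bytes):
    """Return a copy of the chain with one stage's image swapped out."""
    return [(n, new_image if n == stage_name else img) for n, img in chain]


if __name__ == "__main__":
    policy = build_policy()
    print("trusted chain:", boot(policy, GOOD_CHAIN))
    swapped = tamper(GOOD_CHAIN, "OS loader", b"modified loader (constructed)")
    print("tampered loader:", boot(policy, swapped))
    revoked = build_policy(revoked=[GOOD_CHAIN[1][1]])
    print("revoked loader:", boot(revoked, GOOD_CHAIN))
```

Three runs show the three outcomes the text implies: every link recognized, so the OS is reached; a modified loader whose hash is in neither list, so boot halts at that link and the kernel is never examined; and a loader still in `db` but now in `dbx`, so it is refused even though it was once trusted. The third case is the one defenders should watch, since keeping `dbx` current on the fleet is what turns a vendor's revocation into an actual block.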

Security

Biden Administration Announces Plan To Stop Water Plant Hacks (reuters.com) 35

The Biden administration announced on Friday a new plan to improve the digital defenses of public water systems. From a report: The move comes one day after the announcement of a national cybersecurity strategy by the White House, which seeks to broadly improve industry accountability over the cybersecurity of American critical infrastructure, such as hospitals and dams. The water system plan, which recommends a series of novel rules placing more responsibility for securing water facilities at the state-level, follows several high-profile hacking incidents in recent years.

In February 2021, a cyberattack on a water treatment plant in Florida briefly increased lye levels in the water, an incident that could have been deadly if an alert worker had not detected the hack quickly. And in March 2019, a terminated employee at a Kansas-based water facility used his old computer credentials to remotely take systems offline, according to an administration official. The government is acting now because of the urgency of the threat, according to a senior U.S. Environmental Protection Agency (EPA) official. Radhika Fox, the assistant administrator in the EPA's Office of Water, said hackers had "shut down critical treatment processes" and "locked control system networks behind ransomware," underscoring the current danger. However, some experts say the new plan will not do enough to help make systems more secure.

United States

Biden Administration Releases National Cybersecurity Strategy (axios.com) 29

The Biden administration is promising to hold software developers and critical infrastructure to tougher security standards and apply more pressure on ransomware gangs as part of its first national cybersecurity strategy, released Thursday. From a report: The nearly 40-page document provides a roadmap for new laws and regulations over the next few years aimed at helping the United States prepare for and fight emerging cyber threats. The strategy -- which was crafted by the two-year-old Office of the National Cyber Director (ONCD) -- has five "pillars": defend critical infrastructure; disrupt and dismantle threat actors; shape market forces to drive security and resilience; invest in a resilient future; and forge international partnerships.

The strategy includes a wide range of tasks, from modernizing federal systems' cybersecurity defenses to increasing offensive hacking capabilities in the intelligence community. The administration will start working with Congress and the private sector on legislation that would hold software makers liable for security flaws if they fail to follow security best practices, like those developed by the National Institute of Standards and Technology.

Security

Dish Network Confirms Network Outage Was a Cybersecurity Breach (cnbc.com) 8

Dish Network, one of the largest television providers in the United States, confirmed on Tuesday that a previously disclosed "network outage" was the result of a cybersecurity breach that affected the company's internal communications systems and customer-facing support sites. CNBC reports: "Certain data was extracted," the company said in a statement Tuesday. The acknowledgment is an evolution from last week's earnings call, where it was described as an "internal outage." Dish Networks' website was down for multiple days beginning last week, but the company has now disclosed that "internal communications [and] customer call centers" remain affected by the breach. Dish said it had retained outside experts to assist in evaluating the problem.

The intrusion took place on the morning of Feb. 23, the same day the company reported its fourth-quarter earnings. "This morning, we experienced an internal outage that's continuing to affect our internal servers and IT telephony," Dish CEO W. Erik Carlson said at that time. "We're analyzing the root causes and any consequences of the outage, while we work to restore the affected systems as quickly as possible."
According to Bleeping Computer, the Black Basta ransomware gang is behind the attack, first breaching Boost Mobile and then the Dish corporate network.

Canada

TikTok Banned on All Canadian Government Mobile Devices (apnews.com) 42

Canada has announced it is banning TikTok from all government-issued mobile devices, reflecting widening worries from Western officials over the Chinese-owned video sharing app. From a report: Prime Minister Justin Trudeau said it might be a first step to further action or that it might be it. "I suspect that as government takes the significant step of telling all federal employees that they can no longer use TikTok on their work phones many Canadians from business to private individuals will reflect on the security of their own data and perhaps make choices," Trudeau said.

"I'm always a fan of giving Canadians the information for them to make the right decisions for them," he added. The European Union's executive branch said last week it has temporarily banned TikTok from phones used by employees as a cybersecurity measure. The EU's action follows similar moves in the U.S., where more than half of the states and Congress have banned TikTok from official government devices.

Bug

Security Researchers Warn of a 'New Class' of Apple Bugs (techcrunch.com) 30

Since the earliest versions of the iPhone, "The ability to dynamically execute code was nearly completely removed," write security researchers at Trellix, "creating a powerful barrier for exploits which would need to find a way around these mitigations to run a malicious program. As macOS has continually adopted more features of iOS it has also come to enforce code signing more strictly.

"The Trellix Advanced Research Center vulnerability team has discovered a large new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS.... The vulnerabilities range from medium to high severity with CVSS scores between 5.1 and 7.1. These issues could be used by malicious applications and exploits to gain access to sensitive information such as a user's messages, location data, call history, and photos."

Computer Weekly explains that the vulnerability bypasses strengthened code-signing mitigations put in place by Apple on its developer tool NSPredicate after the infamous ForcedEntry exploit used by Israeli spyware manufacturer NSO Group: So far, the team has found multiple vulnerabilities within the new class of bugs, the first and most significant of which exists in a process designed to catalogue data about behaviour on Apple devices. If an attacker has achieved code execution capability in a process with the right entitlements, they could then use NSPredicate to execute code with the process's full privilege, gaining access to the victim's data.

Emmitt and his team also found other issues that could enable attackers with appropriate privileges to install arbitrary applications on a victim's device, access and read sensitive information, and even wipe a victim's device. Ultimately, all of the new bugs carry a similar level of impact to ForcedEntry.

Senior vulnerability researcher Austin Emmitt said the vulnerabilities constituted a "significant breach" of the macOS and iOS security models, which rely on individual applications having fine-grained access to the subset of resources needed, and querying services with more privileges to get anything else.

"The key thing here is the vulnerabilities break Apple's security model at a fundamental level," Trellix's director of vulnerability research told Wired — though there's some additional context: Apple has fixed the bugs the company found, and there is no evidence they were exploited.... Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone's device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn't mean that it has been exploited.)

Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people's devices.

TechCrunch explores its severity: While Trellix has seen no evidence to suggest that these vulnerabilities have been actively exploited, the cybersecurity company tells TechCrunch that its research shows that iOS and macOS are "not inherently more secure" than other operating systems....

Will Strafach, a security researcher and founder of the Guardian firewall app, described the vulnerabilities as "pretty clever," but warned that there is little the average user can do about these threats, "besides staying vigilant about installing security updates." And iOS and macOS security researcher Wojciech Reguła told TechCrunch that while the vulnerabilities could be significant, in the absence of exploits, more details are needed to determine how big this attack surface is.

Jamf's Michael Covington said that Apple's code-signing measures were "never intended to be a silver bullet or a lone solution" for protecting device data. "The vulnerabilities, though noteworthy, show how layered defenses are so critical to maintaining good security posture," Covington said.

Crime

Ransomware Attacks, Payments Declined In 2022: Report (crn.com) 12

CRN reports: Prominent incident response firm Mandiant disclosed Tuesday that it responded to 15 percent fewer ransomware incidents last year. The statistic was first reported by the Wall Street Journal. Mandiant, which is owned by Google Cloud, confirmed the stat in an email to CRN.

The WSJ report also included several other indicators that 2022 was a less successful year for ransomware. Cybersecurity giant CrowdStrike told the outlet that the average ransom demand dropped 28 percent last year, to $4.1 million, from $5.7 million the year before. The firm reportedly pinned the decline on factors including the arrests of ransomware gang members and other disruptions to the groups last year, as well as the drop in the value of cryptocurrencies such as Bitcoin. CrowdStrike confirmed the stat to CRN.

CRN's article also cites a blog post from Chainalysis, the blockchain data platform, which estimated that 2022's total ransomware revenue "fell to at least $456.8 million in 2022 from $765.6 million in 2021 — a huge drop of 40.3%." And that blog post cites the Chief Claims Officer of cyber insurance firm Resilience, who also specifically notes "signs that meaningful disruptions against ransomware actor groups are driving lower than expected successful extortion attempts," including arrests and recovery of extorted cryptocurrency by western law enforcement agencies.

From the Wall Street Journal: After ballooning for years, the amount of money being paid to ransomware criminals dropped in 2022, as did the odds that a victim would pay the criminals who installed the ransomware.... "It reflects, I think, the pivot that we have made to a posture where we're on our front foot," Deputy Attorney General Lisa Monaco said in an interview. "We're focusing on making sure we're doing everything to prevent the attacks in the first place."

The hacking groups behind ransomware attacks have been slowed by better company security practices. Federal authorities have also used new tactics to help victims avoid paying ransom demands.... And the FBI said last month that it disrupted $130 million in potential ransomware profits last year by gaining access to servers run by the Hive ransomware group and giving away the group's decryption keys — used to undo the effects of ransomware — for free.

In the fall, about 45 call-center operators were laid off by former members of a ransomware group known as Conti, according to Yelisey Bohuslavskiy, chief research officer with the threat intelligence firm Red Sense LLC. They had been hired as part of a scam to talk potential victims into installing remote-access software onto networks that would then be infected by ransomware, but the call centers ended up losing money, he said.

Companies have also stepped up their cybersecurity practices, driven by demands from insurance underwriters and a better understanding of the risks of ransomware following high-profile attacks. Companies are spending more money on business continuity and backup software that allow computer systems to restart after they have been infected. With improved backups, U.S. companies are better at bouncing back from ransomware attacks than they were four years ago, according to Coveware Inc., which helps victims respond to ransomware intrusions and has handled thousands of cases. Four years ago, 85% of ransomware victims wound up paying their attackers. Today that number is 37%, according to Coveware Inc. Chief Executive Bill Siegel.

Open Source

At Least One Open Source Vulnerability Found In 84% of Code Bases, Report Finds (csoonline.com) 33

L.Kynes shares a report from CSO Online: At a time when almost all software contains open source code, at least one known open source vulnerability was detected in 84% of all commercial and proprietary code bases examined by researchers at application security company Synopsys. In addition, 48% of all code bases analyzed by Synopsys researchers contained high-risk vulnerabilities, which are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities. The vulnerability data -- along with information on open source license compliance -- was included in Synopsys' 2023 Open Source Security and Risk Analysis (OSSRA) report (PDF), put together by the company's Cybersecurity Research Center (CyRC). "Of the 1,703 codebases that Synopsys audited in 2022, 96% of them contained open source," adds L.Kynes, citing the report. "Aerospace, aviation, automotive, transportation, logistics; EdTech; and Internet of Things are three of the 17 industry sectors included in the report that had open source in 100% of their audited codebases. In the remaining verticals, over 92% of the codebases contained open source."

Businesses

Cyber Insurance Is Back From the Brink After Onslaught of Ransomware Attacks (bloomberg.com) 9

The cyber-insurance market, battered by a rash of pandemic-era ransomware attacks, is making a comeback. Price hikes are moderating, new carriers and fresh sources of capital are emerging, and companies can better afford coverage. From a report: Cyber-insurance pricing increased 10% from a year earlier in January, a fraction of the 110% annual increase reported in the first quarter of 2022, preliminary data from insurance broker Marsh McLennan show. If those trends continue, prices could be set to decline, said Tom Reagan, Marsh's cyber practice leader. The reversal would follow a wave of digital intrusions that dominated the work-from-home era and forced insurers to recalibrate both how they write policies and their risk appetites. Those attacks also pushed their clients to adopt stronger cybersecurity measures. The brutal conditions in the market have let up since then, with claim frequency declining in the fourth quarter of 2022 even as severity remained elevated, according to Marsh.

"What we're left with is a very, very, very different market than what we went into two or three years ago," said Paul Bantick, the global head of cyber risks at London-based insurer Beazley. "We have a mature market that has stood up against a huge test." The risks posed by cyber criminals are still enormous. Ransomware attacks against industrial organizations increased by 87% in 2022 from the year before, while the US Treasury Department said financial institutions flagged nearly $1.2 billion in likely ransomware-related payments in 2021. Recent high-profile breaches at financial services firm ION Trading UK and a major Asian data center emphasized the grim risk posed by hackers. Even so, the total amount extorted from ransomware victims in 2022 dropped to $456.8 million from $765.6 million the year before, according to data from Chainalysis.

EU

EU Officials Ban TikTok From Employees' Phones (bbc.com) 18

Staff working at the European Commission have been ordered to remove the TikTok app from their phones and corporate devices. The BBC reports: The commission said it was implementing the measure to "protect data and increase cybersecurity." EU spokeswoman Sonya Gospodinova said the corporate management board of the European Commission, the EU's executive arm, had made the decision for security reasons. "The measure aims to protect the Commission against cybersecurity threats and actions which may be exploited for cyberattacks against the corporate environment of the commission," she said. The ban also means that European Commission staff cannot use TikTok on personal devices that have official apps installed.

The commission says it has around 32,000 permanent and contract employees. They must remove the app as soon as possible and no later than March 15. For those who do not comply by the set deadline, the corporate apps -- such as the commission email and Skype for Business -- will no longer be available. [...] TikTok, owned by Chinese company ByteDance, has faced allegations that it harvests users' data and hands it to the Chinese government.

United States

The Raucous Battle Over Americans' Online Privacy is Landing on States (politico.com) 19

Tech privacy advocates frustrated by failures on Capitol Hill are looking to mine state capitals for legislative victories. From a report: A broad bipartisan federal privacy bill that died in Congress last year has quickly become the template for a statehouse-by-statehouse campaign to enact tough new restrictions on how Americans' personal data can be mined and shared. Lawmakers in Massachusetts and Illinois are already proposing privacy measures modeled on the federal bill, and Democrats in Indiana are using it as inspiration to strengthen legislation that's already been proposed. Four other states have already passed their own data-privacy laws in the past two years -- raising anxiety levels among tech companies about a national "patchwork" of hard-to-navigate data rules -- but encouraging advocates who see an appetite for broader consumer protections.

"We were wondering if there would be something passed federally. It would definitely guide what we would be doing for the state," Democratic Indiana state Sen. Shelli Yoder said in an interview. "Because that failed, it put us in a position of needing to do something." The new statehouse focus by privacy advocates isn't necessarily designed to sweep across all 50 states but rather tighten regulations just enough in just enough places to force the industry into a de facto national standard. They're hoping to enact state-level privacy proposals that align closely with what Congress attempted to pass with the American Data and Privacy Protection Act: regulations that would limit what data companies can collect and share, create a data broker registry and establish new rights for Americans to delete data about themselves. But they're playing catch-up to an industry-led campaign that's made significant headway in several states, including Virginia and Utah, where weaker laws were enacted over the past two years.

Security

Hackers Scored Corporate Giants' Logins for Asian Data Centers (bloomberg.com) 6

In an episode that underscores the vulnerability of global computer networks, hackers got ahold of login credentials for data centers in Asia used by some of the world's biggest businesses, a potential bonanza for spying or sabotage, according to a cybersecurity research firm. From a report: The previously unreported data caches involve emails and passwords for customer-support websites for two of the largest data center operators in Asia: Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres, according to Resecurity, which provides cybersecurity services and investigates hackers. About 2,000 customers of GDS and STT GDC were affected. Hackers have logged into the accounts of at least five of them, including China's main foreign exchange and debt trading platform and four others from India, according to Resecurity, which said it infiltrated the hacking group. It's not clear what -- if anything -- the hackers did with the other logins. The information included credentials in varying numbers for some of the world's biggest companies, including Alibaba Group Holding, Amazon, Apple, BMW, Goldman Sachs, Huawei, Microsoft, and Walmart, according to the security firm and hundreds of pages of documents that Bloomberg reviewed.

Security

City of Oakland Declares State of Emergency After Ransomware Attack (bleepingcomputer.com) 20

An anonymous reader quotes a report from BleepingComputer: Oakland has declared a local state of emergency because of the impact of a ransomware attack that forced the City to take all its IT systems offline on February 8th. Interim City Administrator G. Harold Duffey declared (PDF) a state of emergency to allow the City of Oakland to expedite orders, materials and equipment procurement, and activate emergency workers when needed. "Today, Interim City Administrator, G. Harold Duffey issued a local state of emergency due to the ongoing impacts of the network outages resulting from the ransomware attack that began on Wednesday, February 8," a statement issued today reads. The incident did not affect core services, with the 911 dispatch and fire and emergency resources all working as expected.

While last week's ransomware attack only impacted non-emergency services, many systems taken down immediately after the incident to contain the threat are still offline. The ransomware group behind the attack is currently unknown, and the City is yet to share any details regarding ransom demands or data theft from compromised systems. "The City's IT Department is working with a leading forensics firm to perform an extensive incident response and analysis, as well as with additional cybersecurity and technology firms on recovery and remediation efforts," the statement said. "This continues to be an ongoing investigation with multiple local, state, and federal agencies involved."

Encryption

Will Quantum Computing Bring a Cryptopocalypse? (securityweek.com) 71

"The waiting time for general purpose quantum computers is getting shorter, but they are still probably decades away," notes Security Week.

But "The arrival of cryptanalytically-relevant quantum computers that will herald the cryptopocalypse will be much sooner — possibly less than a decade." It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.... [T]his is not a threat for the future — the threat exists today. Adversaries are known to be stealing and storing encrypted data with the knowledge that within a few years they will be able to access the raw data. This is known as the 'harvest now, decrypt later' threat. Intellectual property and commercial plans — not to mention military secrets — will still be valuable to adversaries when the cryptopocalypse happens.

The one thing we can say with certainty is that it definitely won't happen in 2023 — probably. That probably comes from not knowing for certain what stage in the journey to quantum computing has been achieved by foreign nations or their intelligence agencies — and they're not likely to tell us. Nevertheless, it is assumed that nobody yet has a quantum computer powerful enough to run Shor's algorithm and crack PKI encryption in a meaningful timeframe. It is likely that such computers may become available as soon as three to five years from now. Most predictions suggest ten years.

Note that a specialized quantum computer designed specifically for Shor does not need to be as powerful as a general-purpose quantum computer — which is more likely to be 20 to 30 years away.... "Quantum computing is not, yet, to the point of rendering conventional encryption useless, at least that we know of, but it is heading that way," comments Mike Parkin, senior technical engineer at Vulcan Cyber. Skip Sanzeri, co-founder and COO at QuSecure, warns that the threat to current encryption is not limited to quantum decryption. "New approaches are being developed promising the same post-quantum cybersecurity threats as a cryptographically relevant quantum computer, only much sooner," he said. "It is also believed that quantum advancements don't have to directly decrypt today's encryption. If they weaken it by suggesting or probabilistically finding some better seeds for a classical algorithm (like the sieve) and make that more efficient, that can result in a successful attack. And it's no stretch to predict, speaking of predictions, that people are going to find ways to hack our encryption that we don't even know about yet."

Steve Weston, co-founder and CTO at Incrypteon, offers a possible illustration. "Where is the threat in 2023 and beyond?" he asks. "Is it the threat from quantum computers, or is the bigger threat from AI? An analysis of cryptanalysis and code breaking over the last 40 years shows how AI is used now, and will be more so in the future."

The article warns that "the coming cryptopocalypse requires organizations to transition from known quantum-vulnerable encryption (such as current PKI standards) to something that is at least quantum safe if not quantum secure." (The chief revenue officer at Quintessence Labs tells the site that symmetric encryption like AES-256 "is theorized to be quantum safe, but one can speculate that key sizes will soon double.")
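The arithmetic behind the two quantum claims above (Shor against PKI, doubled symmetric key sizes), worked through here as an added note rather than text from the Security Week article: Grover's algorithm searches an unstructured space of size $N$ in about $\sqrt{N}$ oracle queries, so exhaustive search of a $k$-bit symmetric key drops from $2^{k}$ classical trials to roughly

$$T_{\text{Grover}} \approx \sqrt{2^{k}} = 2^{k/2},$$

which gives AES-128 about $2^{64}$ and AES-256 about $2^{128}$ quantum work. Doubling the key length restores the original security level, since $2^{(2k)/2} = 2^{k}$; that is the reasoning behind the "key sizes will double" speculation, and a caveat is that Grover's speedup parallelizes poorly, so its practical effect is smaller than the formula suggests. Shor's algorithm is a different kind of threat: it factors an $n$-bit RSA modulus (and solves the discrete-logarithm problem behind ECC) in polynomial time, roughly $O(n^{3})$ quantum operations with simple arithmetic, so no feasible increase in key size keeps RSA or ECC ahead of it and the algorithm itself has to be replaced.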

"The only quantum secure cryptography known is the one-time pad."

Thanks to Slashdot reader wiredmikey for sharing the article.

Security

US Federal Agencies Hacked Using Legitimate Remote Desktop Tools (techcrunch.com) 19

The U.S. government's cybersecurity agency has warned that financially motivated criminal hackers compromised federal agencies using legitimate remote desktop software. From a report: CISA said in a joint advisory with the National Security Agency on Wednesday that it had identified a "widespread cyber campaign involving the malicious use of legitimate remote monitoring and management (RMM) software" that had targeted multiple federal civilian executive branch agencies -- known as FCEBs -- a list that includes Homeland Security, the Treasury, and the Justice Department.

CISA said it first identified suspected malicious activity on two FCEB systems in October while conducting a retrospective analysis using Einstein, a government-operated intrusion detection system used for protecting federal civilian agency networks. Further analysis led to the conclusion that many other government networks were also affected.

Open Source

EU's Proposed CE Mark for Software Could Have Dire Impact on Open Source (devclass.com) 104

The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community. From a report: The proposed Act can be described as CE marking for software products and has four specific objectives. One is to require manufacturers to improve the security of products with digital elements "throughout the whole life cycle." Second is to offer a "coherent cybersecurity framework" by which to measure compliance. Third is to improve the transparency of digital security in products, and fourth is to enable customers to "use products with digital elements securely."

The draft legislation includes an impact assessment that says "for software developers and hardware manufacturers, it will increase the direct compliance costs for new cybersecurity requirements, conformity assessment, documentation and reporting obligations." This extra cost is part of a total cost of compliance, including the burden on businesses and public authorities, estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually. The question, though, is how free software developers can afford the cost of compliance when lack of funding is already a critical issue for many projects. Mike Milinkovich, director of the Eclipse Foundation, said it is "deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe."
