NIST Selects ‘Lightweight Cryptography’ Algorithms to Protect Small Devices

 Lightweight electronics, meet the heavyweight champion for
protecting your information: Security experts at the National Institute of
Standards and Technology (NIST) have announced a victor in their program to
find a worthy defender of data generated by small devices. The winner, a group
of cryptographic algorithms called Ascon, will be published as NIST’s lightweight
cryptography standard later in 2023.

The chosen algorithms are designed to protect information created
and transmitted by the Internet of Things (IoT), including its myriad tiny
sensors and actuators. They are also designed for other miniature technologies
such as implanted medical devices, stress detectors inside roads and bridges,
and keyless entry fobs for vehicles. Devices like these need “lightweight
cryptography” — protection that uses the limited amount of electronic resources
they possess. According to NIST computer scientist Kerry McKay, the newly
selected algorithms should be appropriate for most forms of tiny tech.

Read More

VMware ESXi have come under attack

 Patch your VMware ESXi 

Servers running the popular
virtualization hypervisor VMware ESXi have come under attack from at least one
ransomware group over the past week, likely following scanning activity to
identify hosts with Open Service Location Protocol (OpenSLP) vulnerabilities.

Specifically, threat actors have
been taking advantage of unpatched systems vulnerable to CVE-2020-3992 and CVE-2021-21974 that, when
exploited, can allow remote code execution.

Of the incidents observed thus
far, a ransomware-as-a-service (RaaS) group known as Nevada, appears to
be responsible ― although their ransom note shares many similarities with
Cheerscrypt, a ransomware threat that targeted ESXi in early- to mid-2022.

Attend Microsoft Secure

 

Join
us for a new security digital event – Microsoft Secure on March 28, 2023 8:30
AM Pacific Time (UTC-08:00). Registration is now open.

Why join Microsoft Secure?

By
joining our very first Microsoft Secure, you’ll:

·       
Be
among the first to see what an AI-driven future means for cybersecurity.

·       
Gain
insights from experts, including
Vasu Jakkal, Bret Arsenault, Charlie Bell, Joy Chik,
and many
more.

·       
Get
actionable steps from breakout
sessions
on extended detection and response (XDR), multicloud
security, cloud-managed endpoints, Zero Trust, built-in security
configurations and more.

·       
Connect
with your peers and have your product and strategy questions answered by
Microsoft experts in a live
chat Q&A
.

Register now
to catch our upcoming announcements. Be sure to follow Microsoft Security on LinkedIn, Twitter, and Blog for the latest news and event
information.

Thank
you,

NIST Cloud Computing Forensic Reference Architecture: NIST Requests Public Comments on SP 800-201

 The initial public draft of NIST Special Publication (SP) 800-201,
NIST Cloud
Computing Forensic Reference Architecture
,
is now
available for public comment. This document addresses the need to support a
cloud system’s forensic readiness, which is the ability to quickly and
effectively collect digital evidence with minimal investigation costs.

The document presents a reference architecture to help users
understand the forensic challenges that might exist for an organization’s cloud
system based on its architectural capabilities, as well as the mitigation
strategies that might be required. The reference architecture is both a
methodology and an initial implementation that can be used by cloud system
architects, cloud engineers, forensic practitioners, and cloud consumers to
analyze and review their cloud computing architectures for forensic readiness.

The public comment period for this
initial public draft is open through March 31, 2023
. See
the publication
details
for a copy of the draft and instructions for submitting
comments.


NOTE:
A call for patent claims is included on page ii of this document. For
additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications
.

Read
More

Proposal to Update NIST SP 800-38E, Using the XTS-AES Mode for Confidentiality on Storage Devices

 In August 2021, NIST’s Crypto Publication Review
Board announced the review of NIST Special Publication (SP) 800-38E,
 Recommendation
for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on
Storage Devices
. In response, NIST received public comments.

NIST proposes to update SP 800-38E to
address the editorial suggestions in the public comments. In particular, the
updated publication will mention the security vulnerability that results when
the two AES (sub)keys are improperly generated to be identical, as discussed in
Annex C.I of Implementation
Guidance for FIPS 140-3 and the Cryptographic Module Validation Program
.

The updated SP 800-38E would be published without a period of
public comment.

Submit your comments on
this decision proposal by March 10, 2023
. See the
full announcement,
which includes NIST’s rationale for this proposal and instructions for
submitting comments.

Read
More

NIST Revises the Digital Signature Standard (DSS) and Publishes a Guideline for Elliptic Curve Domain Parameters

 Today, NIST is publishing Federal Information Processing Standard
(FIPS) 186-5,
Digital Signature
Standard (DSS)
, along with NIST Special Publication (SP)
800-186,
Recommendations
for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters

FIPS 186-5 specifies three techniques for the generation and
verification of digital signatures that can be used for the protection of data:

  1. Rivest-Shamir-Adleman (RSA)
    Algorithm
  2. Elliptic Curve Digital
    Signature Algorithm (ECDSA)
  3. Edwards Curve Digital Signature
    Algorithm (EdDSA)

The Digital Signature Algorithm (DSA), which was specified in
prior versions of FIPS 186, is retained only for the purposes of verifying
existing signatures. 

The companion document, NIST SP 800-186, specifies the set of
recommended elliptic curves. In addition to the previously recommended
Weierstrass curves, there are two newly specified Edwards curves included for
use with the EdDSA algorithm. Edwards curves provide increased
performance, side-channel resistance, and simpler implementation when compared
to traditional curves. While NIST SP 800-186 includes the specifications
for elliptic curves over binary fields, these curves are now deprecated, and the
use of other (prime) curves is strongly recommended.

The algorithms in these standards are not expected to provide
resistance to attacks from a large-scale quantum computer. Digital
signature algorithms that will provide security from quantum computers will be specified
in future NIST publications. For more information, see the Post-Quantum
Cryptography Standardization project
.

Read
More

Phishing Resistance – Protecting the Keys to Your Kingdom

 

Image depicting cybersecurity phishing

If you own a computer, watch the news, or spend virtually any time
online these days you have probably heard the term “phishing.” Never in a
positive context…and possibly because you have been a victim yourself.

Phishing refers to a variety of attacks that are intended to convince
you to forfeit sensitive data to an imposter. These attacks can take a number of
different forms; from spear-phishing (which targets a specific individual within
an organization), to whaling (which goes one step further and targets senior
executives or leaders). Furthermore, phishing attacks take place over multiple
channels or even across channels; from the more traditional email-based attacks
to those using voice – vishing – to those coming via text message – smishing.
Regardless of the type or channel, the intent of the attack is the same – to
exploit human nature to gain control of sensitive information (citation
1).
 These attacks typically make use of several techniques including
impersonated websites, attacker-in-the-middle, and relay or replay to achieve
their desired outcome.

Read More

Migrate from AD FS to Microsoft Azure Active Directory for identity management

The Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Using machine learning and human intelligence that looks across worldwide traffic can rapidly detect attacks and allow you to reconfigure almost in real time.   None of the following scenarios apply to my org, and I’m ready to move forward with my migration.

For all types of migrations, the following AD FS scenarios can’t be migrated to Azure AD.

  • Custom attribute store to retrieve additional claims from LDAP and SQL
  • Non-Microsoft MFA provider integrated with AD FS
    Non-Microsoft Mobile Device Management (MDM) integrated with AD FS
  • Non-persistent virtual desktop infrastructure (VDI) with Windows 11
    Windows Hello for Business in certificate authentication mode
  • Azure AD Cloud Sync with hybrid Azure AD join
    Dual-federation (for example, Azure commercial and Azure China 21Vianet)
  • Sign-in with SamAccountName or EmployeeID

For staged rollouts (migrating a small group), the following configurations are unsupported.

  • Legacy authentication, such as POP3 and SMTP
  • Nested groups, dynamic groups, and groups that contain contact objects
    If your application includes the “domain_hint” attribute
  • Windows 10 version 1903 or older for both hybrid Azure AD join or Azure AD join if user has a non-routable UPN


What to expect 


To get custom guidance for migrating to Azure AD, you’ll first answer a few questions about your Active Directory Federation Services (AD FS) infrastructure. Then implement either pass-through authentication (PTA) or password hash sync (PHS) to give users a streamlined experience while accessing your org’s apps

Use the full tool here

Register for the Identity workshop for Developers Free

he Identity workshop for Developers, you will create an opportunity to upskill & upgrade to secure and contemporary practices while developing, integrating, migrating, and managing apps on the Microsoft Identity Platform. The workshop is designed to be hands-on, which will not only enable you to learn and practice the latest but also earn Badges. We look forward to your participation in the Identity workshop for Developers for an engaged and immersive learning experience. You have 3 opportunities to register for the workshop.

When: Tuesday – Thursday, February 14 to 16, 2023
Time: 9 AM UTC to 12 PM UTC (EMEA/IST)
Where: Microsoft Teams Meeting

When: Tuesday – Thursday, March 14-16, 2023
Time: 9:00 AM – 12:00 PM (Pacific Time)
Where: Microsoft Teams Meeting

Modules for the workshop:

  • Microsoft Identity Platform Overview
  • Fundamentals of Modern Authentication
  • Permissions and Consent
  • Migrating your Apps
  • Protecting APIs
  • Token Customization


The workshop will be a combination of discourses and hands-on modules.
Microsoft Privacy Statement – https://privacy.microsoft.com/en-US/privacystatement 





click here to register.