Welcome to the second edition! We’re up to 60 subscribers after just a week, which is very exciting. Thanks for supporting this, and let’s dive right in…
Quantum Readiness
NIST, CISA and the NSA have published a memo on post-quantum migration. In case you haven't read it, let me save you the time.
In short, the document says nothing new compared with the standard advice on the topic. Organisations are strongly encouraged to plan their migration to quantum-safe algorithms, and to speak to their vendors to understand what plans they have in place.
My favourite sentence:
"Technology manufacturers and vendors whose products support the use of quantum-vulnerable cryptography should begin planning and testing for integration".
I talk to a lot of cyber vendors, and very few are actively exploring post-quantum. Hopefully strong statements like this, from the NSA and friends, will help change this.
Link to the NSA announcement, which contains a link to the PDF document.
Meta Encryption
Fascinating blog from the Facebook Messenger team about the challenges of implementing end-to-end encryption.
Over 100 features had to be rewritten because they relied on a central server that could read messages.
It's a useful reminder of how product architecture influences security. And that many security decisions are trade-offs.
Read their blog post: https://messengernews.fb.com/2023/08/22/expanding-testing-for-end-to-end-encryption-on-messenger/.
EncroCrap
What happens when you break the encryption used by a major criminal phone network?
Answer: 6,500 arrests, €900m seized, 100 tonnes of cocaine, 3 tonnes of heroin, 83 boats, 43 planes... the list goes on.
This is the result of a pan-European infiltration of the EncroChat system, a pay-as-you-go criminal phone network that promised end-to-end encryption and a number of clever features, like remote wiping.
It remains unclear how the system was broken, but it seems likely it was due to some home-rolled cryptography being used in the system.
The system was broken back in 2020, and Europol is now releasing information about the impact of the operation. See links below for more.
The takeaway? Just another reminder that when the foundations of your cryptography get pwned, the impact is very painful. On this occasion, thankfully it's the bad guys who are feeling that pain.
Europol press release: https://www.europol.europa.eu/media-press/newsroom/news/dismantling-encrypted-criminal-encrochat-communications-leads-to-over-6-500-arrests-and-close-to-eur-900-million-seized.
End-to-End-Ish
Are your phone messages end-to-end encrypted?
This useful blog compares WhatsApp, Apple, Android, Facebook Messenger, and Signal.
Spoiler: it's complicated. End-to-end encryption (a running theme this week) introduces complexity and trade-offs. One example is data backups.
I'm not a Washington Post reader, but I was able to view this without subscribing to anything. If you struggle, try opening the URL in a new "private window" on your browser.
PKI Grows Up
At last! A PKI maturity model was released by the PKI Consortium last week.
This is a great initiative, given PKIs are so critical to organisational security.
Organisations can use this model to benchmark themselves against the industry and to identify the gaps they need to address to move up a level.
The model defines 5 levels of increasing maturity. At the bottom end is the "Initial" tier, where no processes exist and everything is reactive and ad-hoc. The top tier is "Optimized", where international standards are used, processes are reactive and always followed, and there is a culture of continuous improvement.
Information on the maturity model: https://pkic.org/pkimm/model/.