Microsoft is introducing a new consumer tier to its Microsoft 365 subscription offerings. From a report: Priced at $1.99 per month, Microsoft 365 Basic is designed to replace the 100GB OneDrive storage option with some extra features that sit in between the free option and the $6.99 a month Personal subscription. Microsoft 365 Basic will be available worldwide on January 30th with 100GB of cloud storage, an ad-free Outlook web and mobile experience, and enhanced security features. The security features include data encryption for an Outlook mailbox, suspicious link checking, and virus / malware scanning for attachments. Existing OneDrive 100GB storage customers will be automatically upgraded to Microsoft 365 Basic at the same $1.99 monthly rate. [...] The main difference between the $6.99 Personal subscription and this new $1.99 Basic one (other than the amount of cloud storage) is that Microsoft 365 Basic doesn't include access to the desktop versions of Word, Excel, and PowerPoint apps. Basic subscribers will have to use the web or mobile versions instead.

Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy "no other chat service" can offer. From a report: Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE. Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta's WhatsApp messenger. It's among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.

Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing. "In totality, our attacks seriously undermine Threema's security claims," the researchers wrote. "All the attacks can be mitigated, but in some cases, a major redesign is needed."

Are today's rudimentary quantum computers already on the verge of significant feats beyond the reach of traditional computers? Or have their capabilities been exaggerated, as practical uses for the technology recede into the future? From a report: These questions have been thrown into sharp relief in recent days by a claim from a group of Chinese researchers to have come up with a way to break the RSA encryption that underpins much of today's online communications. The likelihood that quantum computers would be able to crack online encryption was widely believed a danger that could lie a decade or more in the future. But the 24 researchers, from a number of China's top universities and government-backed laboratories, said their research showed it could be possible using quantum technology that is already available.

The quantum bits, or qubits, used in today's machines are highly unstable and only hold their quantum states for extremely short periods, creating "noise." As a result, "errors accumulate in the computer and after around 100 operations there are so many errors the computation fails," said Steve Brierley, chief executive of quantum software company Riverlane. That has led to a search for more stable qubits as well as error-correction techniques to overcome the "noise," pushing back the date when quantum computers are likely to reach their full potential by many years.

The Chinese claim, by contrast, appeared to be an endorsement of today's "noisy" systems, while also prompting a flurry of concern in the cyber security world over a potentially imminent threat to online security. By late last week, a number of researchers at the intersection of advanced mathematics and quantum mechanics had thrown cold water on the claim. Brierley at Riverlane said it "can't possibly work" because the Chinese researchers had assumed that a quantum computer would be able to simply run a vast number of computations simultaneously, rather than trying to gain an advantage through applying the system's quantum properties.

The company behind Ciphr, an encrypted messaging platform that was especially popular among organized criminals and high tier drug traffickers, is beta testing a new app in an apparent rebrand from its long running reputation as a tech tool of the underground. From a report: The news shows the continuing ruptures across the underground encrypted phone industry after an escalating series of law enforcement hacks and investigations. The rebrand by OnyxCorp, the company that made Ciphr, is the latest episode in that fallout. Other companies in the space have died altogether, had their founders arrested and imprisoned, and had thousands of their criminal users arrested and charged. "There was talk of reinventing the app with a focus on enterprise customers," a former employee told Motherboard. Motherboard granted the source anonymity because they said they had signed an NDA. The new app is called Mode. "Privacy & Protection for Team Communication," the app's website reads. The website says Mode protects chats with end-to-end encryption and disappearing messages, and also includes video calling and file sharing.

Amazon Simple Storage Service (S3) will now automatically encrypt all new objects added on buckets on the server side, using AES-256 by default. BleepingComputer reports: While the server-side encryption system has been available on AWS for over a decade, the tech giant has enabled it by default to bolster security. Administrators will not have to take any actions for the new encryption system to affect their buckets, and Amazon promises it won't have any negative performance impact. Administrators may leave the system to encrypt at the default 256-bit AES or choose one of the alternative methods, namely SSE-C or SSE-KMS.

The first option (SSE-C) gives bucket owners control of the keys, while the second (SSE-KMS) lets Amazon do the key management. However, bucket owners can set different permissions for each KMS key to maintain more granular control over the asset access system. To confirm that the changes have been applied to your buckets, admins can configure CloudTrail to log data events at no extra cost. Then perform a test object upload, and look in the event logs for the "SSEApplied": "Default_SSE_S3." field in the log for the uploaded file. To retroactively encrypt objects already in S3 buckets, follow this official guide. "This change puts another security best practice into effect automatically -- with no impact on performance and no action required on your side," reads Amazon's announcement.

"S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting. Existing buckets currently using S3 default encryption will not change."

Computer security experts were struggling this week to assess a startling claim by Chinese researchers that they have found a way to break the most common form of online encryption [the link may be paywalled] using the current generation of quantum computers, years before the technology was expected to pose a threat. Financial Times: The method, outlined in a scientific paper [PDF] published in late December, could be used to break the RSA algorithm that underpins most online encryption using a quantum machine with only 372 qubits -- or quantum bits, a basic unit of quantum computing -- according to the claims from 24 researchers from a number of academic bodies and state laboratories. IBM has already said that its 433 qubit Osprey system, the most powerful quantum computer to have been publicly unveiled, will be made available to its customers early this year.

If correct, the research would mark a significant moment in the history of computer security, said Roger Grimes, a computer security expert and author. "It's a huge claim," he said. "It would mean that governments could crack other governments secrets. If it's true -- a big if -- it would be a secret like out of the movies, and one of the biggest things ever in computer science." Other experts said that while the theory outlined in the research paper appeared sound, trying to apply it in practice could well be beyond the reach of today's quantum technology. "As far as I can tell, the paper isn't wrong," said Peter Shor, the Massachusetts Institute of Technology scientist whose 1994 algorithm proving that a quantum machine could defeat online encryption helped to trigger a research boom in quantum computing. Shor's method requires machines with many hundreds of thousands, or even millions, of qubits, something that many experts believe is a decade or more away.

WhatsApp is launching proxy support for its users all over the world, the company announced on Thursday. The support will allow users to maintain access to WhatsApp if their connection is blocked or disrupted. From a report: Choosing a proxy enables users to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely. WhatsApp says connecting via proxy maintains the same level of privacy and security the app provides, and that personal messages will still be protected by end-to-end encryption. The company says messages will not be visible to anyone in between, not the proxy servers, WhatsApp or Meta.

"Our wish for 2023 is that these internet shutdowns never occur," WhatsApp wrote in a blog post. "Disruptions like we've seen in Iran for months on end deny people's human rights and cut people off from receiving urgent help. Though in case these shutdowns continue, we hope this solution helps people wherever there is a need for secure and reliable communication."

Last week, LastPass announced that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. "While the company insists that your login information is still secure, some cybersecurity experts are heavily criticizing its post, saying that it could make people feel more secure than they actually are and pointing out that this is just the latest in a series of incidents that make it hard to trust the password manager," reports The Verge. Here's an excerpt from the report: LastPass' December 22nd statement was "full of omissions, half-truths and outright lies," reads a blog post from Wladimir Palant, a security researcher known for helping originally develop AdBlock Pro, among other things. Some of his criticisms deal with how the company has framed the incident and how transparent it's being; he accuses the company of trying to portray the August incident where LastPass says "some source code and technical information were stolen" as a separate breach when he says that in reality the company "failed to contain" the breach. He also highlights LastPass' admission that the leaked data included "the IP addresses from which customers were accessing the LastPass service," saying that could let the threat actor "create a complete movement profile" of customers if LastPass was logging every IP address you used with its service.

Another security researcher, Jeremi Gosney, wrote a long post on Mastodon explaining his recommendation to move to another password manager. "LastPass's claim of 'zero knowledge' is a bald-faced lie," he says, alleging that the company has "about as much knowledge as a password manager can possibly get away with." LastPass claims its "zero knowledge" architecture keeps users safe because the company never has access to your master password, which is the thing that hackers would need to unlock the stolen vaults. While Gosney doesn't dispute that particular point, he does say that the phrase is misleading. "I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted."

Palant also notes that the encryption only does you any good if the hackers can't crack your master password, which is LastPass' main defense in its post: if you use its defaults for password length and strengthening and haven't reused it on another site, "it would take millions of years to guess your master password using generally-available password-cracking technology" wrote Karim Toubba, the company's CEO. "This prepares the ground for blaming the customers," writes Palant, saying that "LastPass should be aware that passwords will be decrypted for at least some of their customers. And they have a convenient explanation already: these customers clearly didn't follow their best practices." However, he also points out that LastPass hasn't necessarily enforced those standards. Despite the fact that it made 12-character passwords the default in 2018, Palant says, "I can log in with my eight-character password without any warnings or prompts to change it."

Computer scientists from Stanford University have found that programmers who accept help from AI tools like Github Copilot produce less secure code than those who fly solo. From a report: In a paper titled, "Do Users Write More Insecure Code with AI Assistants?", Stanford boffins Neil Perry, Megha Srivastava, Deepak Kumar, and Dan Boneh answer that question in the affirmative. Worse still, they found that AI help tends to delude developers about the quality of their output. "We found that participants with access to an AI assistant often produced more security vulnerabilities than those without access, with particularly significant results for string encryption and SQL injection," the authors state in their paper.

"Surprisingly, we also found that participants provided access to an AI assistant were more likely to believe that they wrote secure code than those without access to the AI assistant." Previously, NYU researchers have shown that AI-based programming suggestions are often insecure in experiments under different conditions. The Stanford authors point to an August 2021 research paper titled "Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions," which found that given 89 scenarios, about 40 per cent of the computer programs made with the help of Copilot had potentially exploitable vulnerabilities.

That study, the Stanford authors say, is limited in scope because it only considers a constrained set of prompts corresponding to 25 vulnerabilities and just three programming languages: Python, C, and Verilog. The Stanford scholars also cite a followup study from some of the same NYU eggheads, "Security Implications of Large Language Model Code Assistants: A User Study," as the only comparable user study they're aware of. They observe, however, that their work differs because it focuses on OpenAI's codex-davinci-002 model rather than OpenAI's less powerful codex-cushman-001 model, both of which play a role in GitHub Copilot, itself a fine-tuned descendant of a GPT-3 language model.

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident. BleepingComputer reports: This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information. Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data. The attacker gained access to Lastpass' cloud storage using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," Toubba said today. "The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password. According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass' systems, and LastPass does not maintain it. Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data. However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass. If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology," Toubba added. "Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."

Google has announced that two of its latest privacy-enhancing technologies (PETs), including one that blurs objects in a video, will be provided to anyone for free via open source. From a report: The new tools are part of Google's Protected Computing initiative designed to transform "how, when and where data is processed to technically ensure its privacy and safety," the company said. The first is an internal project called Magritte, now out on Github, which uses machine learning to detect objects and apply a blur as soon as they appear on screen. It can disguise arbitrary objects like license plates, tattoos and more.

The other with the unwieldy name "Fully Homomorphic Encryption (FHE) Transpiler, allows developers to perform computations on encrypted data without being able to access personally identifiable information. Google says it can help industries like financial services, healthcare and government, "where a robust security guarantee around the processing of sensitive data is of highest importance." Google notes that PETs are starting to enter the mainstream after being mostly an academic exercise. The White House recently touted the technology, saying "it will allow researchers, physicians, and others permitted access to gain insights from sensitive data without ever having access to the data itself."

Google Workspace is rolling out a new security update on Gmail, adding end-to-end encryption that aims to provide an added layer of security when sending emails and attachments on the web. From a report: The update is still in the beta stages, but eligible Workspace customers with Enterprise Plus, Education Standard, and Education Plus accounts can fill out an application to test the program through Google's support center. Once the encryption update has been completed, Gmail Workspace customers will find that any sensitive information or data delivered cannot be decrypted by Google's servers.

According to the support center, the application window will be open until January 20, 2023, and once users have accessed the feature, they will be able to choose to turn on the additional encryption by selecting the padlock button when drafting their email. But once activated, some features will be disabled, including emojis, signatures, and Smart Compose. The encryption feature will be monitored and managed by users' administrators and comes after Google started working to add more encryption features to Gmail. The report notes that client-side encryption, or CSE, "is already available for Google Drive, including in apps like Google Docs, Sheets, and Slides. It's also in Google Meet, and is in the beta stage for Google Calendar."

An anonymous reader quotes a report from MacRumors: Apple yesterday announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy. iCloud end-to-end encryption, or what Apple calls "Advanced Data Protection," encrypts users' data stored in iCloud, meaning only a trusted device can decrypt and read the data. iCloud data in accounts with Advanced Data Protection can only be read by a trusted device, not Apple, law enforcement, or government entities.

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it's "deeply concerned with the threat end-to-end and user-only-access encryption pose." Speaking generally about end-to-end encryption like Apple's Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests "lawful access by design": "This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime, and terrorism," the bureau said in an emailed statement. "In this age of cybersecurity and demands for 'security by design,' the FBI and law enforcement partners need 'lawful access by design.'"

Former FBI official Sasha O'Connell also weighed in, telling The New York Times "it's great to see companies prioritizing security, but we have to keep in mind that there are trade-offs, and one that is often not considered is the impact it has on decreasing law enforcement access to digital evidence."

WankerWeasel writes: Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data. With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple's highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

Elon Musk's SpaceX is expanding its Starlink satellite technology into military applications with a new business line called Starshield. CNBC reports: "While Starlink is designed for consumer and commercial use, Starshield is designed for government use," the company wrote on its website. Few details are available about the intended scope and capabilities of Starshield. The company hasn't previously announced tests or work on Starshield technology.

On its website, SpaceX said the system will have "an initial focus" on three areas: Imagery, communications and "hosted payloads" -- the third of which effectively offers government customers the company's satellite bus (the body of the spacecraft) as a flexible platform. The company also markets Starshield as the center of an "end-to-end" offering for national security: SpaceX would build everything from the ground antennas to the satellites, launch the latter with its rockets, and operate the network in space.

SpaceX notes that Starshield uses "additional high-assurance cryptographic capability to host classified payloads and process data securely," building upon the data encryption it uses with its Starlink system. Another key feature: the "inter-satellite laser communications" links, which the company currently has connecting its Starlink spacecraft. It notes that the terminals can be added to "partner satellites," so as to connect other companies' government systems "into the Starshield network."

Axios reports: "Although a quantum computer isn't expected until 2030, at the earliest, updating current encryption standards will take just as long," writes Axios, "creating a high-stakes race filled with unanswerable questions for national security and cybersecurity officials alike." As scientists, academics and international policymakers attended the first-ever Quantum World Congress conference in Washington this week, alarmism around the future of secure data was undercut by foundational questions of what quantum computing will mean for the world. "We don't even know what we don't know about what quantum can do," said Michael Redding, chief technology officer at Quantropi, during a panel about cryptography at the Quantum World Congress....

Some governments are believed to have already started stealing enemies' encrypted secrets now, so they can unlock them as soon as quantum computing is available. "It's the single-largest economic national-security issue we have ever faced as a Western society," said Denis Mandich, chief technology officer at Qrypt and a former U.S. intelligence official, at this week's conference. "We don't know what happens if they actually decrypt, operationalize and monetize all the data that they already have."

An anonymous reader quotes a report from TechCrunch: Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users. "In a blog post published today, Boxcryptor founders Andrea Pfundmeier and Robert Freudenreich say that their 'new mission' will be to embed Boxcryptor's technology into Dropbox," adds TechCrunch. "And after today, nobody will be able to create an account or buy any licenses from Boxcryptor -- it's effectively closing to new customers."

"But there are reasons why the news is being packaged the way it has. The company is continuing to support existing customers through the duration of their current contracts."

Dropbox has announced plans to bring end-to-end encryption to its business users, and it's doing so through acquiring "key assets" from Germany-based cloud security company Boxcryptor. Terms of the deal were not disclosed. From a report: Dropbox is well-known for its cloud-based file back-up and sharing services, and while it does offer encryption for files moving between its servers and the destination, Dropbox itself has access to the keys and can technically view any content passing through. What Boxcryptor brings to the table is an extra layer of security via so-called "zero knowledge" encryption on the client side, giving the user full control over who is allowed to decrypt their data.

For many people, such as consumers storing family photos or music files, this level of privacy might not be a major priority. But for SMEs and enterprises, end-to-end encryption is a big deal as it ensures that no intermediary can access their confidential documents stored in the cloud -- it's encrypted before it even arrives. Moving forward, Dropbox said that it plans to bake Boxcryptor's features natively into Dropbox for business users.

This month Road & Track looked at "increased cybersecurity measures" automakers are adding to car systems — and how it's affecting the vendors of "aftermarket" enhancements: As our vehicles start to integrate more complex systems such as Advanced Driver Assist Systems and over-the-air updates, automakers are growing wary of what potential bad actors could gain access to by way of hacking. Whether those hacks come in an attempt to retrieve personal customer data, or to take control of certain aspects of these integrated vehicles, automakers want to leave no part of that equation unchecked. "I think there are very specific reasons why the OEMs are taking encryption more seriously," HP Tuners director of marketing Eddie Xu told R&T. "There's personal identifiable data on vehicles, there's more considerations now than just engine control modules controlling the engine. It's everything involved."

In order to prevent this from becoming a potential safety or legal issue, companies like Ford have moved to heavily encrypt their vehicle's software. S650 Mustang chief engineer Ed Krenz specifically noted that the new FNV architecture can detect when someone attempts to modify any of the vehicle's coding, and that it can respond by shutting down an individual vehicle system or the vehicle entirely if that's what is required.

That sort of total lockout presents an interesting challenge for [car performance] tuners who rely on access to things like engine and transmission control modules to create their products.
Last month Ford acknowledged tuners would find the S650 Mustang "much more difficult," the article points out. And they add that Dodge also "intends to lock down the Engine Control Units of its upcoming electric muscle car offerings, though it will offer performance upgrades via its own over-the-air network."

"We don't want to lock the cars and say you can't modify them," Dodge CEO Kuniskis told Carscoops. "We just want to lock them and say modify them through us so that we know it's done right."

Thanks to long-time Slashdot reader schwit1 for submitting the article.

A new analysis has claimed that Apple's device analytics contain information that can directly link information about how a device is used, its performance, features, and more, directly to a specific user, despite Apple's claims otherwise. MacRumors reports: On Twitter, security researchers Tommy Mysk and Talal Haj Bakry have found that Apple's device analytics data includes an ID called "dsId," which stands for Directory Services Identifier. The analysis found that the dsId identifier is unique to every iCloud account and can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud.

On Apple's device analytics and privacy legal page, the company says no information collected from a device for analytics purposes is traceable back to a specific user. "iPhone Analytics may include details about hardware and operating system specifications, performance statistics, and data about how you use your devices and applications. None of the collected information identifies you personally," the company claims. In one possible differentiator, Apple says that if a user agrees to send analytics information from multiple devices logged onto the same iCloud account, it may "correlate some usage data about Apple apps across those devices by syncing using end-to-end encryption." Even in doing so, however, Apple says the user remains unidentifiable to Apple. We've reached out to Apple for comment.