Daniel Cuthbert’s Post

This was an excellent project to work on - whilst CodeQL can show you what cryptography your code supports, and filesystem analysis can show you what certificates etc. you have, only a passive network analysis will show you what cryptography is actually in play! So that's what we did... 📍The concept is really simple - using eBPF loaded by a python script, we can passively monitor for TLS and SSH traffic. If we find either, we take the packet and extract data from it. 💡 The analyser doesn't just look at HTTPS and SSH - it also looks at port 990 (FTPS), 3389 (RDP) and some proxy ports as well to give a fuller picture of the cryptography that is in play on a network. 🕵🏻♂️ But what can we see? Well, we can see client TLS ciphersuite offerings, we can see server ciphersuite confirmation, we can see certificates (TCP fragmentation permitting), SSH KEX and cipher negotiations, and in the future hopefully more! 📋 The aim is to gather as much information as we can to enrich our picture of cryptography that we use, for #DORA #PCIDSS, #PQC migration, and much more.

The Santander Cybersecurity Research team with Daniel Cuthbert and Mark Carney continues to opensource useful tools to help discover your cryptography. This is a demonstration of our strong belief that collaboration is needed to address this as a global task. Take a look!

CryptoMon - the best way to verify TLS encryption in use inside of your network! There are many cipher suits available for TLS 1.2 and 1.3, but not all of them are currently strong enough to protect your sensitive data, or meet strong cryptography requirements (PCI DSS). This tool will help you spot your weak points and prepare plan for migration to more secure algorithms, including Quantum Safe TLS suits. Great job Mark Carney and Daniel Cuthbert ! #CryptoMon #TLS #CBOM #SBOM #QuantumSafe #PQC #compliance

Big day for #PQC and the evolution of #cybersecurity! QuSecure is proud of our #leadership role in advancing #crypto agility with our #quantum resilient software solution QuProtect. To assist organizations in getting started, contact QuSecure as we are offering organizations the following four opportunities: 1. For CISOs: A free road mapping session with QuSecure, the award-winning company in crypto agility with more implementations than anyone to date. 2. For Boards and Executive Team Members: A half-day briefing with Accenture and QuSecure. Learn what others are doing and how to apply what they have learned to your organization. 3. For Organizations Ready to Test Crypto Agility: A #free #POC addressing your choice of Crypto Agility across applications, networks, and routers. 4. For Anyone Looking to Learn More: QuSecure is teaming with PayPal for a webinar on “Protecting Blockchain & Crypto Against Quantum & AI” on Wednesday, August 14, at 1 pm PT/4 pm ET.

I'm sure other cyberrisk experts can comment, but I'd expect quantum-safe standards to eventually be a part of insurance cyberrisk coverage requirements and/or rating criteria. For non-insurance people: getting insurance coverage against cyberrisk incidents is going to be harder over the long haul if you cannot demonstrate you are running on secure platforms.

This is a HUGE milestone in cryptography. The ability of quantum computers to break RSA encryption with ease was always a bit concerning (to say the least). Hopefully having some guiderails in place will allow quantum development to move forward with speed. https://lnkd.in/ewUSE86y

IBM is the company working on both solutions, I'd say :) 😀 "Notably, IBM Research cryptography researchers in Zurich developed two of these standards – ML-KEM and ML-DSA –with external collaborators. The third standard – SLH-DSA – was co-developed by a scientist who has since joined IBM Research. Clearly, this is a topic that greatly interests IBM. Considering that IBM is also a leading developer of quantum computers, you could say that the company is working on both the problem and its solution, with respect to cryptography in cyberspace" read more fun article from:

NIST has just published 3 post-quantum cryptography standards. They specify algorithms derived from CRYSTALS-Dilithium, CRYSTALS-KYBER and SPHINCS+. These standards were created in order to combat quantum computing threats when using asymmetric encryption methods. It is important to be prepared for a future where quantum computing may become a reality. More information in the following link https://lnkd.in/daZu6wJ

Are you planning to implement quantum-safe cryptography? IEEE Spectrum interviewed Scott Best for the "5 Questions" column in the July 2024 issue. "When does the switch to quantum-resistant cryptography need to happen? It will take another eight years to have a quantum computer with 400 logical qubits. That's when a state-funded actor could start breaking traditional encryption using Shor's algorithm. Which systems need to be switched now? Systems which will still be in operation then (8 years from now) should switch to quantum-resistant algorithms now." https://lnkd.in/ecthXm8p https://lnkd.in/ehUp5GWR