Category Archives: Encryption

Encryption Keyboard Market Report Covers Future Trends with … – Chatfield News-Record

The Encryption Keyboard Market research report is an intelligence study compiled with meticulous effort to gather accurate and valuable information. The data examined covers both the existing top players and the upcoming competitors. Business strategies of the key players and of new market entrants are studied in detail. A well-explained SWOT analysis, revenue share, and contact information are shared in this report.

Get the PDF Sample Copy (Including FULL TOC, Graphs, and Tables) of this report @:

https://www.researchcognizance.com/sample-request/234723

Some of the Top companies Influencing this Market include:

VeriFone, Cryptera, Preevio, Microsoft, Hitachi, SZZT Electronics, Justtide Tech, Sunson Tech

This report provides a detailed and analytical look at the various companies that are working to achieve a high market share in the global Encryption Keyboard market. Data is provided for the top and fastest-growing segments. This report implements a balanced mix of primary and secondary research methodologies for analysis. Markets are categorized according to key criteria. To this end, the report includes a section dedicated to the company profile. This report will help you identify your needs, pinpoint problem areas, discover better opportunities, and support all of your organization's primary leadership processes. You can assess the performance of your public relations efforts and monitor customer objections to stay one step ahead and limit losses.

The report provides insights on the following pointers:

Market Penetration: Comprehensive information on the product portfolios of the top players in the Encryption Keyboard market.

Product Development/Innovation: Detailed insights on upcoming technologies, R&D activities, and product launches in the market.

Competitive Assessment: In-depth assessment of the market strategies, geographic and business segments of the leading players in the market.

Market Development: Comprehensive information about emerging markets. This report analyzes the market for various segments across geographies.

Market Diversification: Exhaustive information about new products, untapped geographies, recent developments, and investments in the Encryption Keyboard market.

Get a Special Discount of up to 30% on this Report @:

https://www.researchcognizance.com/discount/234723

The cost analysis of the Global Encryption Keyboard Market has been performed while keeping in view manufacturing expenses, labor cost, and raw materials and their market concentration rate, suppliers, and price trend. Other factors such as Supply chain, downstream buyers, and sourcing strategy have been assessed to provide a complete and in-depth view of the market. Buyers of the report will also be exposed to a study on market positioning with factors such as target client, brand strategy, and price strategy taken into consideration.

Global Encryption Keyboard market segmentation:

Market Segmentation: By Type

ATM

CRS

CDM

Market Segmentation: By Application

Banking

Financial Institution

Key questions answered in this report:

Table of Contents

Global Encryption Keyboard Market Research Report 2023-2030

Chapter 1 Encryption Keyboard Market Overview

Chapter 2 Global Economic Impact on Industry

Chapter 3 Global Market Competition by Manufacturers

Chapter 4 Global Production, Revenue (Value) by Region

Chapter 5 Global Supply (Production), Consumption, Export, Import by Regions

Chapter 6 Global Production, Revenue (Value), Price Trend by Type

Chapter 7 Global Market Analysis by Application

Chapter 8 Manufacturing Cost Analysis

Chapter 9 Industrial Chain, Sourcing Strategy, and Downstream Buyers

Chapter 10 Marketing Strategy Analysis, Distributors/Traders

Chapter 11 Market Effect Factors Analysis

Chapter 12 Global Encryption Keyboard Market Forecast

Buy Exclusive Report @:

https://www.researchcognizance.com/checkout/234723

Get in Touch with Us:

Neil Thomas

116 West 23rd Street 4th Floor New York City, New York 10011

sales@researchcognizance.com

+1 7187154714

https://researchcognizance.com

Read the original here:
Encryption Keyboard Market Report Covers Future Trends with ... - Chatfield News-Record

How to introduce quantum computers without slowing economic … – Nature.com

The race is on to develop commercial quantum computers. The breakthroughs they promise (new ways of simulating materials, optimizing processes and improving machine learning) could transform society, just as today's digital computers have done. But the route to delivering economic benefits is uncertain. The digital revolution took decades and required businesses to replace expensive equipment and completely rethink how they operate. The quantum computing revolution could be much more painful [1].

Quantum computers operate in a completely different way from digital computers, and can potentially store and analyse information more efficiently. Digital computers essentially use on/off switches and process binary bits of information (0s and 1s). Quantum computers encode information in the quantum state of atoms, electrons and photons, known as qubits. These qubits can represent many states at once and be combined or entangled, thereby speeding up calculations.

In the long run, businesses adopting quantum computing should have a competitive edge over others. Yet, in the short term, it's unclear to what extent the introduction of these machines will prove commercially valuable.

When digital computers started to gain popularity in the 1970s and 1980s, rather than delivering efficiencies, for 15 years they slowed growth in productivity (the value added relative to inputs such as labour) by 0.76 percentage points per annum. Such a dip is known as the productivity paradox. It arose because businesses had to invest in new equipment and learn how to program the devices, as well as work out what to use them for. At first, firms did not invest enough in other innovations that were needed to change core processes and business models [2,3]. Only after many sectors had adjusted in the 1990s did productivity growth rise again, sharply (see 'Productivity paradox').

Source: The Conference Board Total Economy Database, 2022

For example, it took a decade of investment, throughout the 1980s, for large firms, such as the retail corporation Walmart, to routinely process data to coordinate planning, and to forecast and replenish their inventory along their supply chains. Walmart gave suppliers access to its sales and inventory data, helping to reduce costs from underproduction or overproduction. The company became able to handle its own distribution and achieve efficiency through economies of scale. All these changes took time and required coordination across many firms [2].

We think that the quantum computing revolution could lead to an even more severe and expensive learning curve, for three reasons: high integration costs and few short-term rewards; difficulty in translating quantum concepts for business managers and engineers; and the threat to cryptography posed by quantum computers. As a consequence, assuming that the productivity growth rate slows by 50% more than it did for simpler digital computers, we estimate that the introduction of commercial quantum computers could result in economic losses in gross domestic product (GDP) per capita of approximately US$13,000 over 15 years (based on 2022 levels), or $310 billion per annum in the United States alone.

Fortunately, there are ways to lighten the load and accelerate the benefits to society, three of which we outline here.

Firms might initially adopt quantum computers to solve existing business problems, for which improvements are likely to be incremental. But for more-ambitious uses, the extra costs and likelihood of potential failures might make firms risk-averse. For example, a company that collects vast amounts of data from sensors to inform disaster relief and recovery might look to quantum computers to process information more quickly, to help save lives. But the first such computers might be more prone to faults and errors than are digital ones, with potentially grave consequences for life-critical operations. Such companies might therefore be put off from using quantum computers, until they are more reliable.

These computers will also need to be networked with digital computers, and integrating two such different technologies will be difficult and expensive. Firms will still need digital computers to perform everyday tasks and computations; they will use quantum computers to solve more-complex and specialist problems. Yet, developing hybrid protocols and programs that can work in both situations is much harder than it was to program digital computers in the 1970s.

Hybrid systems will need to be fluent in both digital bits and quantum qubits, and able to encode classical data into quantum states and vice versa. They will need converters to translate digital and analogue signals to transfer information between the two types of processing unit [4]. Quantum computers are generally large and might need to be cryogenically cooled, making it unlikely that many companies will have a machine of their own. Many will buy services remotely in the cloud through the Internet, for example sourcing extra computing power for simulating materials. Some users, such as traders in financial markets, in which millisecond timing is crucial, might need to host both types of computer.

A chip for quantum computing is tested with a laser at a laboratory of the manufacturing company Q.ANT in Stuttgart, Germany. Credit: Thomas Kienzle/AFP via Getty

To bring firms on board quickly, the commercial advantages will need to be demonstrated in practice. For this, government funding will be needed to attract private investment. We suggest this could be framed as a mission to help companies apply quantum computing to industrial and societal grand challenges. For example, for weather forecasting, quantum systems could analyse huge amounts of data to keep up with rapidly changing conditions. The resilience of the financial system could be improved through better modelling of markets, as would the development of low-carbon technologies to address climate change, such as catalysts for carbon capture or electrolytes for batteries.

Economists will need to devise a framework for evaluating the financial benefits of quantum computing, to encourage firms to invest. Researchers should build proof-of-concept cases, starting by identifying areas in which quantum computers might outperform digital computers for societal grand challenges. Researchers should also set out what firms need to do to adopt quantum technologies, including how they might need to change their business models and practices, as well as working with others along their value chains.

Quantum technologies operate on principles that are often counterintuitive and outside the comfort zone of many engineers and business managers. For example, these technologies work probabilistically and don't seem to obey classical conceptions of cause and effect. According to some schools of thought, in the quantum world, human agency might influence outcomes [5], meaning the person operating the computer might need to be considered as part of the system.

And, at present, there's no shared language among scientists, engineers and business managers around quantum computing. Misunderstandings and confusion create delays and therefore further costs. Managers and engineers will need to know enough to be able to select the right class of problems for quantum computers, know what type of information is required to solve them, and prepare data in a quantum-ready format (see go.nature.com/3opfsap).

For example, a delivery logistics company might wish to reschedule its vehicle routes more rapidly to respond better to customer demand for pickups of goods that need returning. Quantum computation could be effective for such replanning, which involves solving a complex combinatorial problem in which one change has a knock-on effect on other areas of the business, such as inventory management and financing. But managers would need to be able to spot areas of advantage such as this and know what to do to implement quantum computing solutions.


A common semantic and syntactic language for quantum computers needs to be developed. It should be similar to the standardized Unified Modeling Language used for digital computer programming, a visual language that helps software developers and engineers to build models to track the steps and actions involved in business processes. Such a tool reduces the costs of software development by making the process intuitive for business managers. Quantum computers also require algorithms and data structures, yet quantum information is much richer than classical information and more challenging to store, transmit and receive [6].

A quantum unified modelling language that is similar to the classical one but can also work with quantum information will enable scientists, engineers and managers to stay on the same page while they discuss prototypes, test beds, road maps, simulation models and hybrid information-technology architectures [7]. Design toolkits that consist of reusable templates and guidelines, containing standard modules for hardware and software development, will allow users to innovate for themselves, shortening development times.

Some of this is beginning to happen. For example, modular workflows are emerging that enable computational chemists and algorithm developers to customize and control chemistry experiments using early versions of quantum computing platforms. A more concerted approach to standardize the language across application areas and hardware platforms is needed to foster commercialization.

Strategies for communicating about quantum computing with the public are also needed, to build trust in these new technologies and ensure that benefits accrue to all parts of society in a responsible manner. Scientists, policymakers and communications specialists should work together to create narratives around the usefulness of quantum technologies. They should focus on practical problems that can be solved rather than tales of weird quantum behaviour.

Although some such initiatives are being set up as part of national quantum programmes, more research is needed to better understand how cognitive biases and ways of learning might influence the adoption of quantum computing. For example, how were cognitive barriers overcome in adopting digital computers and nanotechnologies? Answers to questions such as this will help researchers to develop communication protocols and toolkits.

Quantum computing threatens to break a widely used protocol for encrypting information. Today, sensitive data are typically encrypted by using digital keys in the form of factors for large prime numbers, and sent through fibre-optic cables and other channels as classical bits (streams of electrical and optical pulses representing 1s and 0s). The encryption relies on the inability of classical computers to compute the factors for the prime numbers in a reasonable time. However, quantum computers could in principle work out these factors faster and therefore break the encryption.


Addressing this risk will bring further costs. To protect the security of data and communications, firms will need to invest in new mathematical approaches for encryption, or use quantum-based communications systems, such as quantum key distribution. Quantum key distribution uses qubits sent either through fibre-optic cables or free space (through air, vacuum or outer space), to randomize the generation of keys between the sender and receiver using the probabilistic principles of quantum mechanics. Because of the fragile nature of qubits, if a hacker tries to observe them in transit, the quantum state is affected and the sender and receiver will know that it was tampered with.

Such a threat to sensitive government data and communications [8] could also raise geopolitical issues and lead to export controls, such as those imposed by the United States and the Netherlands on microprocessors. The technology bottlenecks for quantum computing are unclear because there are several types of machine that rely on different components and therefore different supply chains. Such restrictions could stifle innovation, increase costs and disrupt the global nature of design, testing and manufacturing processes. Limited exchange of ideas and access to new prototypes would influence the eventual nature of commercial systems and supply chains, as they did for early video cassette recorders reliant on formats such as Betamax and VHS.

Integrating quantum computers and quantum communications technologies across a coordinated network to build a quantum internet [9] could overcome this security threat and spur growth across many industries, as the creation of the Internet did. The quantum internet is a network that connects remote quantum devices through a combination of quantum and classical links. This allows distributed quantum computing, in which many devices work together to solve problems, further speeding up computations.

Office workers using computers and telephone headsets in 1965. Credit: Authenticated News/Archive Photos/Getty

The quantum internet could also enable new business models. For example, distributed quantum computers and a process known as blind quantum computing [10], which allows fully private computation, could enhance machine learning while preserving proprietary data and guaranteeing that shared data are deleted after computation. Blind quantum computing would, for example, enable data or code from 3D-printing machines at a factory owned by one firm to be shared with machines at another firm's factory without either firm seeing the details of the other's processes. This would allow the creation and optimization of networks of factories owned by various firms to better cater for changes in product volume. Companies could offer unused 3D-printing production capacity to others, to increase efficiencies, localize production and add flexibility to supply chains.

Researchers need to determine the benefits to customers and firms of sharing data and information with faster computation, enhanced privacy and confidentiality. Would these benefits lead to more products and services that are better tailored to customer needs? What would the impacts be on the wider industrial landscape, and what new business models might emerge?

The promise of quantum computing is great if researchers can help to smooth the path for its implementation.

See the original post here:
How to introduce quantum computers without slowing economic ... - Nature.com

Service Providers, Security Researchers Again Warn UK Against Mandating Compromised Encryption – Techdirt

from the once-you-break-it,-it's-broken dept

Pretty much everyone who isn't a UK legislator backing the Online Safety Bill has come out against it. The proposal would give the UK government much more direct control of internet communications. Supposedly aimed at limiting the spread of child sexual abuse material (CSAM), the proposal would do the opposite of its moniker by making everyone less safe when interacting with others via internet services.

While proponents continue to offer up nonsensical defenses of a bill that would compromise encryption, if not actually outlaw it, people who actually know what they're talking about have been pointing out the flawed logic of UK regulators, if not promising to exit the UK market entirely if the bill is passed.

As the bill heads for another round of votes, entities that actually want to ensure online safety continue to speak up against it. The group of critics includes Apple, which knows from first-hand experience the negative side effects created by demanding broken encryption and/or client-side scanning.

[I]n a statement Apple said: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats.

"It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk.

"Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

Also speaking up (again), but probably not being heard (again), are encrypted communication services WhatsApp and Signal, both of which have promised to stop offering their services in the UK if the Online Safety bill becomes law. Here are the statements given to the Evening Standard by WhatsApp, Element, and Signal:

"If the Online Safety Bill does not amend the vague language that currently opens the door for mass surveillance and the nullification of end-to-end encryption, then it will not only create a significant vulnerability that will be exploited by hackers, hostile nation states, and those wishing to do harm, but effectively salt the earth for any tech development in London and the UK at large," Meredith Whittaker, president of not-for-profit secure messaging app Signal, told The Standard.

[...]

"No-one, including WhatsApp, should have the power to read your personal messages," Will Cathcart, head of WhatsApp at Meta, told The Standard.

[...]

Element chief executive and chief of technology Matthew Hodgson told The Standard: "The Online Safety Bill is effectively giving the Government the remit to put a CCTV camera in everybody's bedrooms, and the way people use their WhatsApp today is pretty personal; people use messaging apps more than they communicate with people in person."

The Evening Standard also takes time to note some hypocrisy contained in the bill. Whatever burdens are placed on encrypted services won't affect the legislators pushing this bill. They'll still be free from snooping, even if none of their constituents are.

The Online Safety Bill concerns only online messages sent by UK citizens and residents, but not anything sent on messaging apps by law enforcement, the public sector, or emergency responders.

This is handy, given that The Standard understands that up to half of Government communications are still being sent over consumer apps like WhatsApp.

The UK government continues to insist, despite all the evidence it has provided to the contrary, that it's not interested in breaking encryption, installing backdoors, or otherwise undermining users' privacy and security. But its protestations are inept and absolutely not backed by any of the wording in the bill, which contains mandates that would absolutely do the things the bill's defenders insist it won't.

There's no better demonstration of this form of bullshit than Conservative MP Damian Collins attempting to talk his way out from under the bill's wording while debating Signal's Meredith Whittaker, who continually points out that the assurances Collins offers aren't actually in the bill.

The opposition to the bill has gone from cacophonous to deafening in recent days. As Natasha Lomas reports for TechCrunch, a group of 68 security researchers have offered up their group opposition to the Online Safety Bill in a letter [PDF] that briefly, but incisively, points out the flaws in the legislation.

Here's that letter's take on client-side scanning, just one of several problematic mandates:

A popular deus ex machina is the idea to scan content on everybody's devices before it is encrypted in transit. This would amount to placing a mandatory, always-on automatic wiretap in every device to scan for prohibited content. This idea of a "police officer in your pocket" has the immediate technological problem that it must both be able to accurately detect and reveal the targeted content and not detect and reveal content that is not targeted, even assuming a precise agreement on what ought to be targeted.

[...]

We note that in the event of the Online Safety Bill passing and an Ofcom order being issued, several international communication providers indicated that they will refuse to comply with such an order to compromise the security and privacy of their customers and would leave the UK market. This would leave UK residents in a vulnerable situation, having to adopt compromised and weak solutions for online interactions.

That's actually the smaller (and shorter) of the two open letters issued in the past few days by security researchers. The second letter [PDF] contains seven pages of signatories from all over the world, as well as a more in-depth critique of the extremely flawed proposal.

The letter notes the issues scanning for CSAM using hashes already poses: namely, that hashes can be altered to avoid detection and that false positives still happen frequently. Now, take these existing problems, scale them to the nth degree, and throw some AI into the mix. This is whats awaiting UK residents if the bill passes with the client-side scanning/encryption-breaking mandates in place:

At the scale at which private communications are exchanged online, even scanning the messages exchanged in the EU on just one app provider would mean generating millions of errors every day. That means that when scanning billions of images, videos, texts and audio messages per day, the number of false positives will be in the hundreds of millions. It further seems likely that many of these false positives will themselves be deeply private, likely intimate, and entirely legal imagery sent between consenting adults.

This cannot be improved through innovation: false positives (content that is wrongly flagged as being unlawful material) are a statistical certainty when it comes to AI. False positives are also an inevitability when it comes to the use of detection technologies even for known CSAM material.

Not only will the government be able to sift through all of this if anything gets flagged, it will also get to sift through all of these personal messages even when the AI is wrong about what it thought it had observed. Narrowly targeted scanning, only in situations where some evidence already exists that CSAM is being distributed, could limit the collateral damage, but nothing in the bill or in supporters' statements indicates the government is interested in any process that doesn't give it the opportunity to collect it all.

Then there's the mission creep, which is always present when a government expands its surveillance powers.

Even if such a CSS system could be conceived, there is an extremely high risk that it will be abused. We expect that there will be substantial pressure on policymakers to extend the scope, first to detect terrorist recruitment, then other criminal activity, then dissident speech. For instance, it would be sufficient for less democratic governments to extend the database of hash values that typically correspond to known CSAM content (as explained above) with hash values of content critical of the regime. As the hash values give no information on the content itself, it would be impossible for outsiders to detect this abuse. The CSS infrastructure could then be used to report all users with this content immediately to these governments.

Even if the UK government would never do this (and no one believes it wouldn't), a Western nation with liberal values (as in enshrined human rights, etc.) passing this sort of law would embolden far less liberal nations to expand their domestic surveillance programs under the pretense of making the internet safer and/or detecting CSAM.

Whether or not all of this opposition will make a difference remains to be seen. So far, the steady stream of criticism and promises to exit the market haven't managed to alter the bill's mandates in any significant manner. Maybe the EU's recent abandonment of encryption-breaking mandates in its internet-targeting legislation following months of criticism will force UK lawmakers to rethink their demands. Then again, this is the same government that decided it didn't want to be part of any club that would accept it and Brexited its way into the wrong side of history.


See the article here:
Service Providers, Security Researchers Again Warn UK Against Mandating Compromised Encryption - Techdirt

The battle over end-to-end encryption: Legislation threatens user … – CTech

On July 20, a Nebraska court is expected to sentence Jessica Burgess, a 42-year-old woman who provided her 17-year-old daughter with pills for a late-term abortion, to a two-year prison term. This case garnered attention as it raised concerns about prosecutors targeting individuals seeking abortions and those supporting them. It also underscores the privacy issues surrounding Meta's compliance with a search warrant, which led to the handover of private chats between the mother and daughter on Facebook to law enforcement authorities.

Meta's compliance was mandatory because it possessed the data. However, this raises the question of why the company had possession of such data in the first place. Messenger is among the few major instant messaging services that lack end-to-end encryption (E2EE). Twitter also falls into this category, with its employees having been exposed to users' messages on the platform, both actively and passively, over the years.

Today, the greatest challenge to user privacy comes from governments striving to mandate technology companies to provide a "backdoor" for access to personal conversations in messaging applications. The most advanced legislation in this regard, supported by major industry players, is the British "Online Safety Bill," currently awaiting a vote.

This complex and comprehensive law addresses various important issues, including Section 110, which requires websites and applications to proactively prevent harmful content in messaging services. The legislation grants regulators the option to employ scanning technology (if available) to examine user communications and identify prohibited content. Based on the findings, various actions can be taken. The concern is that the legislation in the UK will establish a legislative precedent that other governments worldwide may follow, significantly undermining end-to-end encryption.

An open letter signed by the heads of seven messaging applications, including WhatsApp and Signal, stated, "If implemented as written, [this bill] could empower Ofcom to try to force the proactive scanning of private messages on end-to-end encrypted communication services, nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users. In short, the bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate."

End-to-end encryption (E2EE) technology safeguards user privacy and security by encrypting digital communications, ensuring that only the sender and recipient can decrypt the messages. This means that even service providers like WhatsApp, Signal, or iMessage cannot read or listen to conversations. This technology already exists and is the default setting in many applications, enabling billions of users worldwide to communicate privately and securely.

While the British legislation is among the most advanced and comprehensive in addressing this technology, it is not the only one. In April, the United States introduced the federal bill "STOP CSAM (child sexual abuse material)" to protect children online. This legislation creates an exception to Section 230, which grants partial immunity to internet intermediaries for user-generated content related to child exploitation. The proposed bill holds technology companies civilly and criminally liable if their products are used to "promote or facilitate" crimes involving child exploitation and other offenses. It also requires companies to submit annual reports to the Federal Trade Commission (FTC), detailing the means and technologies they employ to protect users and any factors that may hinder their ability to identify instances of child exploitation.

According to the American digital rights organization the Electronic Frontier Foundation (EFF), the terms "promote" and "facilitate" are broad and allow for low-standard accountability. Such broad wording may lead to a surge of lawsuits by victims of child exploitation filing claims against tech companies. Consequently, courts may have to address questions like whether Signal facilitates child exploitation by defaulting to end-to-end encryption or whether Apple contributes to it by offering the application in its app store. Opponents of the law argue that these options provide sufficient room for negotiation and could incentivize tech companies to weaken encryption, compromising digital security for all internet users.

In the European Union, efforts are also underway to promote CSAM legislation. Proposed in May and currently in the legislative process, this regulation mandates instant messaging applications to install monitoring software that scans images and conversations based on a secret database. An independent entity overseeing the process determines the content and criteria for searching, and if prohibited content is detected, it must be reported to the authorities. This legislation not only compromises end-to-end encryption but also enables governments to directly access personal information.

Proponents of these various legislations claim that they are necessary to protect children. "We support strong encryption, but it cannot come at the expense of protecting the public," said a British government spokesperson in a statement. "End-to-end encryption cannot hinder efforts to apprehend the perpetrators of the most serious crimes." A leaked document from the European Commission in May, responding to the Commission's legal advice on the proportionality issue, stated that "the Commission believe that there are many elements which, especially when considered as a whole, justify the conclusion that the proposed search warrant system is proportional."

Civil organizations working in this field argue that existing encryption is not only vital for the fundamental right of individual privacy, but also serves as essential protection for the most vulnerable. They explain that it prevents personal information from falling into the wrong hands, especially for children, and enables human rights activists to operate in hostile environments. Moreover, providing a backdoor for accessing private communications creates a significant information asymmetry between governments and citizens, potentially increasing surveillance and control, leaving citizens more vulnerable to cyber attacks, and ultimately failing to address the problem of child exploitation.

Signal President Meredith Whittaker, in discussing the British bill, told the BBC, "It's magical thinking to believe that only the good guys can have privacy. Encryption protects everyone or it is broken for everyone."

Read the original:
The battle over end-to-end encryption: Legislation threatens user ... - CTech

Privacy and Legal Concerns Surrounding the UK’s Online Safety Bill – Lexology

The UK's Online Safety Bill

A heated debate surrounds a crucial aspect of the UK's Online Safety Bill (The Bill): whether the pursuit of greater protections against child sexual abuse material (CSAM) justifies compromising individual privacy in relation to private messages. While the aim to combat CSAM is undoubtedly important, critics argue that the bill's provision to scan end-to-end encrypted messages undermines the privacy rights of users.

What is End-to-End Encryption?

End-to-end encryption is a security method that offers users a greater level of privacy and security while exchanging private messages. This encryption technique ensures that only authorized recipients can access and decode the messages shared, protecting the content of the messages from any unauthorized access by third parties, including service providers (like Google and WhatsApp) and governmental entities. By encrypting data on the sender's device and decrypting it on the receiver's device, end-to-end encryption prevents intercepted messages from being read and eliminates the vulnerabilities associated with storing confidential information in readable form on servers. This technology allows users to communicate confidently, knowing that their conversations, personal details, and digital interactions remain shielded from prying eyes. With the implementation of end-to-end encryption, messaging applications such as Signal and WhatsApp have upheld the fundamental right to privacy of users within the digital landscape.
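The sender-encrypts, receiver-decrypts arrangement described above, written out as an added example that is not part of the original article and is not code from Signal, WhatsApp or any other messenger named here: X25519 key agreement plus AES-GCM from the Go standard library, with a relay that only ever holds the sealed envelope. The `Party`, `Envelope` and `RunScenario` names, the hash-the-shared-secret key derivation used in place of HKDF, and the sample message are all this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one endpoint (a user's device) with its own X25519 key pair.
type Party struct{ priv *ecdh.PrivateKey } // the private key never leaves the device

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Public is the only key material a party hands to the service.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// aead builds AES-GCM under the key both endpoints derive from their own private key and
// the peer's public key. Hashing the raw ECDH output stands in for HKDF (a simplification).
func (p *Party) aead(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is everything the provider stores or forwards: nonce plus AES-GCM ciphertext and tag.
type Envelope struct{ Nonce, Ciphertext []byte }

// Seal encrypts on the sender's device for the peer at peerPub.
func (p *Party) Seal(peerPub, plaintext []byte) (Envelope, error) {
	g, err := p.aead(peerPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts on the recipient's device; a wrong key or an altered ciphertext makes it fail.
func (p *Party) Open(peerPub []byte, env Envelope) ([]byte, error) {
	g, err := p.aead(peerPub)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Result records what each party could learn from the single stored envelope.
type Result struct {
	RelaySawPlaintext bool   // does the stored copy expose the message text?
	RecipientText     string // what the intended recipient decrypted
	EavesdropErr      error  // what a third party such as the provider gets
	TamperErr         error  // what the recipient gets from a modified stored copy
}

// RunScenario sends msg from sender to recipient via a relay that keeps only the envelope.
func RunScenario(msg string) (Result, error) {
	sender, err1 := NewParty()
	recipient, err2 := NewParty()
	provider, err3 := NewParty() // third party: has keys of its own, not the shared one
	if err := errors.Join(err1, err2, err3); err != nil {
		return Result{}, err
	}
	stored, err := sender.Seal(recipient.Public(), []byte(msg)) // the relay's copy
	if err != nil {
		return Result{}, err
	}
	pt, err := recipient.Open(sender.Public(), stored)
	if err != nil {
		return Result{}, err
	}
	res := Result{RelaySawPlaintext: bytes.Contains(stored.Ciphertext, []byte(msg)), RecipientText: string(pt)}
	_, res.EavesdropErr = provider.Open(sender.Public(), stored)
	tampered := Envelope{Nonce: stored.Nonce, Ciphertext: append([]byte(nil), stored.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0xff // one flipped bit in the stored copy
	_, res.TamperErr = recipient.Open(sender.Public(), tampered)
	return res, nil
}

func main() {
	fmt.Println(RunScenario("constructed sample message")) // constructed input, not a real message
}
```

Run it and the relay's copy contains no trace of the text, the provider fails to decrypt even though it holds its own key pair and the full envelope, and a single flipped bit in the stored copy is rejected by the GCM authentication tag rather than yielding a corrupted message. What this sketch leaves out, and what real messengers add on top, is forward secrecy through key ratcheting and a way for users to confirm each other's public keys (the "verification codes" that Signal exposes), since a provider that could substitute its own public key for the recipient's would otherwise sit in the middle unnoticed.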

Why is The Online Safety Bill So Contentious?

Proponents of stricter measures argue that the prevalence of CSAM necessitates proactive action by tech companies and regulatory authorities. They contend that scanning encrypted messages can help identify and remove illegal content, potentially saving victims from further harm. However, opponents in tech raise concerns about the potential erosion of privacy and the broader implications The Bill will have for digital rights. In an open letter, opponents of The Bill argued: "Proponents say they appreciate the importance of encryption and privacy while also claiming that it's possible to surveil everyone's messages without undermining end-to-end encryption. The truth is that this is not possible," the letter reads.

Apple, Signal and WhatsApp's Argument

In a recent statement to the media, Apple joined the chorus of voices against The Bill, saying that "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats." Other prominent end-to-end encrypted messaging apps, including Signal and WhatsApp, have also taken a firm stance against the Online Safety Bill. WhatsApp's head, Will Cathcart, stated that the platform would refuse to comply with any legal requirement to undermine its encryption. Similarly, Signal President Meredith Whittaker warned that the secure messaging platform would rather quit the UK than compromise the security and privacy of its users.

The Online Safety Bill also carries legal implications for non-compliant companies. Failure to adhere to the bill's requirements could result in substantial fines, and senior executives may face imprisonment under the expanded criminal liability provisions. The inclusion of clauses that allow Ofcom to compel communications providers to take action to prevent harm to users has also received criticism from tech companies.

Conclusion

The encryption-busting Online Safety Bill has provoked a fierce backlash within the tech industry, as concerns grow over the potential loss of secure messaging apps from the UK. Tech giants like Apple have expressed their reservations, emphasizing the critical role of end-to-end encryption in protecting user privacy. With the bill's passage into law anticipated this summer, the debate surrounding privacy, security, and the balance between law enforcement and individual rights continues to intensify.

Taylor Hampton Solicitors is an award-winning London based law firm recognised as a leader in defamation, privacy, phone hacking and internet litigation. Whilst distinguished for our work in media and internet law, our practice also focuses on UK immigration and visa services and Australian migration.

Please visit our website at https://taylorhampton.co.uk and contact us at [emailprotected] or 00444275970 for further information on our professional services. We offer a preliminary consultation without obligation.

Visit link:
Privacy and Legal Concerns Surrounding the UK's Online Safety Bill - Lexology

Safeguarding Your Privacy With Encrypted Apps to Thwart … – Innovation & Tech Today

In an Orwellian era marked by ever-increasing digital surveillance, many law-abiding citizens are increasingly concerned about their privacy. The revelations by whistleblowers Edward Snowden and William Binney shed light on pervasive government surveillance, and corporate surveillance by the tech giants may be even more widespread.

As a response to these abuses, the development and adoption of encrypted apps has gained momentum, providing individuals with a layer of privacy and security. In this article, we'll cover just a few of your best options to protect your online privacy.

Signal, endorsed by privacy advocates and experts worldwide, has emerged as the gold standard for secure messaging. This open-source app encrypts your conversations end-to-end, ensuring that only the intended recipient can decipher the messages. Signal also boasts features like self-destructing messages, verification codes, and secure voice and video calls. Its simplicity, robust encryption protocols, and wide adoption make it an ideal choice for safeguarding your private conversations.

When it comes to securing your email communications, ProtonMail stands out as a reliable option. Offering end-to-end encryption, ProtonMail ensures that your messages remain inaccessible to unauthorized entities. The app enables you to send encrypted messages to non-ProtonMail users, further expanding its reach. ProtonMails emphasis on privacy, coupled with user-friendly features, makes it a popular choice for those seeking to shield their email communications from prying eyes.

For users concerned about their online activities being tracked and monitored, the Tor browser provides a valuable solution. By routing your internet traffic through a network of encrypted relays, Tor conceals your identity and location, effectively shielding you from prying eyes. Whether you're accessing sensitive information, evading censorship, or simply desiring online anonymity, the Tor browser offers a powerful tool to protect your privacy during web browsing.

A Virtual Private Network (VPN) is a crucial tool for protecting your online activities from surveillance. NordVPN, a widely recognized and trusted VPN service, encrypts your internet traffic and routes it through remote servers, shielding your data from prying eyes. With an extensive network of servers worldwide, NordVPN offers robust security and privacy features, allowing you to browse the web, access geo-restricted content, and engage online without compromising your privacy.

ProtonVPN, developed by the same team behind ProtonMail, combines security, privacy, and user-friendliness. With a focus on strong encryption, a strict no-logs policy, and support for advanced security protocols, ProtonVPN ensures that your internet traffic remains shielded from surveillance. Its intuitive interface and various subscription plans cater to both casual users and privacy enthusiasts, making it a top choice for those seeking a VPN service with ease of use.

In an age where violations of privacy by governments and corporations have become pervasive, encrypted apps provide a formidable line of defense. By harnessing the power of these tools, you can regain control over your digital persona. If you are among those who still value their privacy, even in the digital age, you must stay vigilant by adopting privacy-focused technologies, and reclaim your rights.

Read more from the original source:
Safeguarding Your Privacy With Encrypted Apps to Thwart ... - Innovation & Tech Today

What Does the Patchless Cisco Vulnerability Mean for IT Teams … – InformationWeek

On July 5, Cisco released a security advisory warning users of a vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode.

The networking and cybersecurity solutions company has no plans to release software updates to address the vulnerability, and there are no workarounds. IT teams are now faced with responding to a patchless vulnerability.

The vulnerability (CVE-2023-20185) impacts Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode that run releases 14.0 and later, specifically if the switches are part of a Multi-Site topology and use the CloudSec encryption feature, according to the security advisory.

The high-severity vulnerability "could allow sensitive user and company data to be read, modified, or exploited by bad actors that are intercepting encrypted traffic and/or using cryptanalytic techniques to break the encryption," George Gerchow, CSO and SVP of IT at SaaS analytics platform Sumo Logic, tells InformationWeek. He is also on the faculty of the cybersecurity research firm Institute for Applied Network Security (IANS).

Successful exploitation of this vulnerability could have wide-ranging consequences. "In addition to manipulation of traffic between ACI sites, bad actors could leverage the vulnerability to lead to broader security breaches. If attackers gain unauthorized access to the network through this vulnerability, it could potentially open pathways for further exploitation or lateral movement within the network," explains Callie Guenther, senior manager of cyber threat research at managed detection and cybersecurity company Critical Start.

Thus far, Cisco's Product Security Incident Response Team (PSIRT) has not found any indication that the vulnerability has been exploited, according to the security advisory and an emailed statement.

The company recommends that customers using its ACI Multi-Site CloudSec encryption feature on certain Nexus Series Switches and Line Cards immediately disable the feature. The security advisory includes directions on how to determine the status of the CloudSec feature. The company recommends users reach out to their Cisco support organization to talk about alternatives.

The lack of a patch and workaround for the vulnerability is not typical, and it likely indicates a complex issue, according to Guenther. "It signifies that the vulnerability may be deeply rooted in the design or implementation of the affected feature," she says.

With no workarounds or forthcoming patch, what can IT teams do in response to this vulnerability?

Before taking a specific action, IT teams need to consider whether this vulnerability impacts their organization. "I have seen companies go into a panic, only to find out that a particular issue didn't really affect them," says Alan Brill, senior managing director in the Kroll Cyber Risk Practice and fellow of the Kroll Institute, a risk and financial advisory solutions company.

When determining potential impact, it is important for IT teams to take a broad view. The vulnerability may not directly impact an organization, but what about its supply chain? Third-party risk is an important consideration.

If an IT team determines that the vulnerability does impact their organization, what is the risk level? How likely is threat actor exploitation?

In some cases, the risk may be small enough that it does not require a response. "Document your decision and thinking to demonstrate that an analysis was done and to show that a decision not to respond to the particular problem was a reasonable one," Brill recommends.

In other cases, Cisco customers will need to act. This may mean disabling the function and considering alternatives, but these responses are not without complications.

The feature in question could be critical to an organization's network infrastructure function. Disabling it could mean operational disruptions and limited network functionality.

Once the feature is disabled, IT teams may need to find alternate configurations to address the loss of functionality. "This might involve reconfiguring network paths, adjusting security policies, or implementing alternate encryption mechanisms," says Guenther. Such reconfigurations can be complex and time-consuming, especially in large-scale environments with intricate network architectures.

Disabling the feature and introducing an alternative configuration will require impact assessment and testing. How will disabling the feature impact network performance and security? Will an alternative introduce new potential risks?

"Disabling the CloudSec encryption provides potential access in clear text to organizational data, a risk that malicious actors are now aware of and may seek to exploit," says Gerchow.

While a patchless vulnerability may stand out, it is likely that it will happen again. "Given the complexity of the software -- and the embedded code can be the source of problems for a lot of packages -- I think it's really a matter of when it happens again, not if it will ever happen again," says Brill.

Gerchow argues that IT leaders should push for a move to SaaS and public cloud solutions. "The lack of a patch or workaround from Cisco leaves customers in a vulnerable position, whereas SaaS and public cloud providers bear the responsibility for maintaining the security of the infrastructure," he says.

IT teams will inevitably need to address other software vulnerabilities, whether they can be patched or not, in the future. Strengthening an organization's security posture, understanding risk, communicating with vendors, and having a strong incident response plan in place can help them prepare for the next one.

"Having a plan, having management's backing, and understanding and carrying through on the plan is the best solution when faced with this kind of problem," says Brill.

The rest is here:
What Does the Patchless Cisco Vulnerability Mean for IT Teams ... - InformationWeek

A woman and her daughter plead guilty to abortion-related charges … – The Verge

A Norfolk, Nebraska, woman pleaded guilty to helping her daughter have a medication abortion last year. The charges came after Facebook, by court order, provided police with evidence that bolstered a Madison County prosecutor's case against her.

Last year, it emerged that the two were charged after police acquired Facebook messages that proved the two had acquired abortion medication intended for first-trimester abortions. In a June 2022 affidavit (via Jezebel), the officer investigating Celeste Burgess, the daughter who was charged along with her mother, Jessica Burgess, said he'd served Meta a warrant seeking their messages, and the company quickly complied.

The charges include having an abortion after 20 weeks, false reporting, and tampering with human skeletal remains. According to last years affidavit, Burgess was about 23 weeks along in her pregnancy, which is also later than the Nebraska 20-week post-fertilization abortion ban in place at the time. Nebraska has since implemented a 12-week abortion ban.

The case underscores a crucial privacy drawback of Facebook Messenger, which to this day doesn't default to end-to-end encryption (E2EE) as other messengers, such as Signal, Meta's own WhatsApp, or Apple's iMessage, do. Because it's not the default, average people who are not being intentional about their messaging may not realize they can even turn it on.

E2EE is important because, when it's properly implemented, the company offering it has no key to unlock the messages; the only people who can access the messages are the sender and the receiver, and in some cases, you can even set the messages to be deleted.

In June, when the investigating officer's affidavit was filed, the Supreme Court was on the precipice of striking down Roe v. Wade, which it did only nine days afterward, on June 24th, 2022. Afterward, existing but previously unenforceable abortion bans around the country immediately took effect, while many states got to work passing new restrictions, and women's rights advocacy groups warned of digital privacy risks illuminated in cases just like the Burgess case.

Meta itself has been reticent to take a stand on abortion. Although then-Meta executive Sheryl Sandberg posted in May 2022 in support of abortion rights, the next day, the company restricted internal discussion of the issue to one-on-one private chats with trusted colleagues or up to five like-minded people in listening sessions, though the company allowed its employees to share their thoughts on their personal Meta social apps.

The company also downweighted abortion content on its platforms well before the Supreme Court struck down the Roe v. Wade decision that had previously served as a barrier against strong abortion laws at the state level.

The mother and daughter are scheduled for sentencing on September 22nd and July 20th, respectively. The daughter pleaded guilty in May. The Madison County prosecutor, attorney Joe Smith, said this was his first charge of illegal abortion after 20 weeks since the previous ban was instituted in 2010.

Update July 12th, 2023 10:27PM ET: Updated to credit the linked affidavit PDF to Jezebel, where it was published previously.

Read more from the original source:
A woman and her daughter plead guilty to abortion-related charges ... - The Verge

Trai's proposal to regulate OTT concerning, may threaten privacy, end encryption: Experts – The Economic Times

Over-the-top (OTT) communication services like Whatsapp, Signal or Telegram could be "over regulated" with the threat of encryption being compromised, said technology policy experts after the Telecom Regulatory Authority of India (Trai) proposed to regulate such services in its consultation paper released last week.

OTT services are currently regulated under the IT Act, which will soon be replaced by the proposed Digital India Bill.

Experts said currently the government is required to give a notice under Section 69(a) of the IT Act to track calls, and if OTT services are regulated by Trai, it will make it much easier for the government to intercept calls.

The firms may also have to do away with end-to-end encryption, which will be a risk to user privacy and threaten the operations of firms like Whatsapp in India, experts said.

"OTTs are currently regulated under the IT Act and adding another regulator in the mix is likely to complicate issues. India will probably have to consider a collaborative digital regulation framework like the one that the UK has set up," said Rohit Kumar, founding partner of public policy research firm The Quantum Hub.

Last Friday, Trai had issued a consultation paper on the regulatory mechanism for OTT communication services as well as their selective banning on national security grounds.

Nikhil Narendran, partner at the TMT practice of law firm Trilegal, said, "Once a licensing regime is brought in, for OTT services, the whole architecture of these services may require change".

Telecom carriers have called the regulator's discussion paper on regulating OTT players such as WhatsApp, Telegram and Signal, and on selective banning of apps during instances of civil unrest, "a progressive step" and a backing of their concerns, ET reported last week.

Amrita Choudhury, president of the Cyber Café Association of India, said licensing OTTs will not address telco issues and that there are other viable options to support the challenges faced by the telecom industry, such as rationalising spectrum charges.

Further, Section 69 of the IT Act already prescribes powers for monitoring and decryption of information, he said. Procedural and Safeguards for Interception and Decryption Rules, 2009 formulated under this provision, at least have some procedural safeguards for such orders, he explained.

Invoking grounds like national security or public order to justify a compromise of end-to-end encryption may not satisfy the proportionality and necessity test laid down by the Supreme Court in the first Puttaswamy judgement, he said. Given these reasons, it is important that OTT communication services are kept outside the jurisdiction of the DoT and Trai, Rizvi said.

Waghre explained that the current approach seeks to resurrect a 'licence raj' and compromise citizens' ability to communicate privately instead of being progressive and protecting the rights of individuals in India.

Such an approach also fundamentally misunderstands one of the core tenets of communications security: that you cannot have selective compromises. Once a system that intentionally introduces a vulnerability in end-to-end encryption/private communications is created, it can be exploited by anyone, he pointed out.

Read the original here:
Trai's proposal to regulate OTT concerning, may threaten privacy, end encryption: Experts - The Economic Times

Cyber Extortion Trends: Lessons from CL0P and MOVEit – Government Technology

Hacking group CL0P's attacks on MOVEit point to ways that cyber extortion may be evolving, illuminating possible trends in who perpetrators target, when they time their attacks and how they put pressure on victims.

Malicious actors that successfully target software supply chains can maximize their reach, impacting the initial victims as well as their clients and clients' clients. And Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future, noted that cyber extortion groups like CL0P have the money to buy zero-day vulnerabilities to compromise commonly used platforms.

Plus, perpetrators increasingly use threats to publish stolen data more so than file encryption to put pressure on victims and are exploring new ways of denying victims access to their data.

And other extortionists are likely watching the MOVEit incident play out and drawing their own takeaways.

"With a lot of these, the first big attack, it gets the headlines, but these ransomware groups are learning at the same time," Hofmann said. "They're seeing what worked well, what didn't, what tactics worked, and they're learning from each other. So, the next go-around is going to be different."

Groups like CL0P also appear to be putting attention on targeting widely used platforms and exploiting zero-day vulnerabilities.

The MOVEit compromise was CL0P's third known attack on a file transfer service, each one netting more victims. Its 2020 Accellion exploit stole data from roughly 100 companies, while the hackers said their early 2023 attack on GoAnywhere impacted about 130 organizations, per Bleeping Computer. By early July, more than 200 organizations were believed to be affected by the MOVEit hacks, with data breaches affecting more than 17.5 million people, Emsisoft threat analyst Brett Callow told TechCrunch. Of course, hitting victims and getting money out of them are two separate matters.

Cyber criminals can buy zero-day vulnerabilities, said Liska. Paying six figures for zero days in top-name software like Microsoft Exchange may be too spendy for most, but many ransomware groups do have the money to shell out up to five figures to buy zero days in lower-profile, widely used platforms like MOVEit, he said.

"You're not spending more than $100,000 and that. And as far as we can tell, CL0P's made 100 times that at least from this particular attack," Liska said. "So, in theory, if they reinvested all of that money, they could buy 100 more of these zero days to these types of platforms or more and still have money left over to vacation in Sochi."

Still, organizations shouldn't forget about more traditional attack methods, Hofmann said. Roughly 90 percent of cyber extortionists still wage their attacks by taking advantage of unpatched Internet-facing systems, remote desktop protocol (RDP) connections where multifactor authentication (MFA) has yet to be implemented, or phishing and stolen credentials.

MOVEit software creator Progress announced that the initially exploited vulnerability, as well as one discovered a few weeks later, were SQL injection flaws in the tool.

"These are among the oldest forms of vulnerability and are the result of poor coding practices that are preventable," reported Ars Technica.

Federal efforts are underway to push software developers to design offerings with security baked in, thus improving overall safety of the software landscape.

"That's a good way to go, because a lot of these platforms that are heavily relied on are rickety, because they're not looked at; they've been traditionally ignored by bad guys, and that picture is changing," Liska said.

Realizing that a secure-by-design vision could take decades, in the meantime, organizations should use a defense-in-depth approach to better protect themselves, Liska said.

In ransomwares early days, perpetrators encrypted files and demanded payment. But other methods may be gaining more popularity. A recent report found attackers increasingly pressuring victims by stealing their data and threatening to publish it, sometimes but not always pairing this with file encryption.

Organizations with sophisticated backup strategies may not need their files back, making traditional encryption-only extortion ineffective, said Lisa Forte, partner at cybersecurity training and consulting provider Red Goat Cyber Security. Plus, encrypting and decrypting are tricky: "Often the malware would be so aggressive that it would corrupt files, so even if the victim paid and they got the decryption key, the file would be corrupted. So, it was quite difficult to make a business case for companies to pay the ransom," Forte said. But threats to publish sensitive stolen data add new pressure.

And even when victims lack good backups, making encryption attacks particularly painful, some extortionists may still prefer the speed and efficiency of data theft-only attacks, Hofmann said.

Forte noted that while CL0P totally avoided encryption in its attack on MOVEit, many other threat actors have kept it in play. Even extortionists that primarily use data theft as leverage against their victims often still lock up some parts of a victim's network as an opening salvo. The drama of a sudden file encryption and a ransomware splash screen appearing can grab victims' attention.

"One minute you think you're fine, and then next minute everything is locked, and you've got splash screens on every device," Forte said. "That really brings the attention of the board. But definitely the main negotiating chip is the data that's stolen."

Liska has also seen some attackers adopt a new method of denying victims access to their files, creating a dramatic disruption while avoiding the technical complications and hassles of encryption. In these attacks, perpetrators exfiltrate their targets' data, then secure delete those files. Such a move overwrites the deleted files with meaningless data, to prevent victims from being able to recover them. Extortionists can then demand ransom in exchange for sending victims back a copy of that exfiltrated data.

"When we talk about taking the data and then secure deleting it, in effect you are actually stealing it at that point, because the data is no longer sitting on their [hard drives] unless it can be restored from backups. That's where I think this is going to go; I think we'll see more of that," Liska said.

Of course, as Liska noted, victims might restore data from backups. But extortionists could still threaten to publish it.

In the MOVEit compromise, not even CL0P seemed prepared for how much data it managed to steal.

The hackers appeared to hurry to exploit as many systems as possible with the zero day before a patch could be issued. That meant they were scooping up data without necessarily knowing who it came from. Since then, the hackers have been working to sort through their stores of data, Liska said.

Notably and unusually rather than contact its victims with extortion demands, CL0P instead posted a message on its dark website telling victims to contact it.

They basically said, Hey, if you were one of the victims, email us, Liska said. They didn't even have a good accounting of who all they hit.

Organizations should take the threat seriously but shouldnt rush to comply, Hofmann said. Past incidents have seen some threat actors only discover who theyd hit when the victims got in touch, and victims that begin negotiations without a clear plan in place risk making the situation worse for themselves. They draw threat actors attention and might make mistakes, such as inadvertently revealing how badly attacks have affected them, thus handing leverage to the extortionists. In general, victims should never reveal anything that isnt already public knowledge, he said.

And victims should be wary of believing threat actors' claims: Sometimes extortionists mistakenly think they've impacted an organization, when they've really hit another with a similar-looking website or one of the organization's subsidiaries, Hofmann said. CL0P may have made such mistakes, with ZDNET reporting in 2022 that CL0P tried to extort Thames Water when it appeared to have actually hit South Staffordshire Water.

All this underscores the need for organizations, including C-suite executives, to participate in planning and practicing incident response and negotiations, so they are ready should an extortion attack hit. For example, entities need to pin down details such as how much to tell the public; at what point they might engage with the extortionists, and who will do that; and who will decide whether to pay and how that transaction will be made.

Despite the messiness of the attack, Liska believes CL0P has been improving its extortion tactics. Tracking of publicly known wallets suggests that the GoAnywhere hack didn't produce a lot of profit, but this time around, CL0P seems to have better determined how to monetize, he said.

CL0P has been gradually revealing its victims. This may in part indicate that it's still working to sort through the stolen data, but it can also be strategic, Liska said. Each new victim announcement returns public attention to the incident, keeping it in the news for months rather than weeks, which may put more pressure on victims. Still, Hofmann said that, unlike in some past incidents, media reporting on MOVEit hasn't been critical of the impacted organizations: "The optics of it, from a public perspective, are a little bit different, because many entities were affected via a trusted third-party vendor who was brought in specifically for protecting sensitive data."

Forte said CL0P appeared to struggle at first to determine which entities to extort in the affected software supply chain. They'd compromised a file transfer tool created by Progress, and doing so let them obtain data handled by U.K. payroll solutions provider Zellis, for example. That data included payroll information on Zellis' own clients, such as the BBC and British Airways.

"There was a lot of confusion in the early days as to whether they were asking the actual end victims, i.e., the BBC, British Airways, etc., or whether they were asking Zellis, or whether they were asking the company behind the MOVEit software," Forte said. "The problem they had was that they didn't realize the complexity of the supply chain that they were hitting."

When choosing which impacted entities to threaten, cyber extortionists are often playing for media attention, Liska said. They typically threaten to publish data from whichever impacted entities within the supply chain have the biggest name recognition. Threatening widely recognized end users will get more publicity, even if it was technically another entity's software that was compromised.

"It doesn't matter whether or not they actually hit Ernst & Young or PwC. What matters is there's EY and PwC data that they got there," Liska said. "You have to write about that as a journalist, because they are such big companies and they [cyber extortionists] know that."

CL0P said it would delete any data it had stolen from government, per TechCrunch. Opinions vary over whether organizations can believe these kinds of claims.

On the one hand, cyber criminals have a brand to protect, and some ransomware groups have followed through on promises to help restore data stolen from hospitals, for example, Forte said.

Victims have little motive to pay criminals who are known to go back on their word: "The ransomware groups in general tend to be quite honorable to their word. They need to do that because they have to maintain a good brand image to get insurers, etc., to pay them when they hit other companies."

Plus, ransomware actors may hope that deleting data from entities like governments and hospitals could make them less of a priority for federal law enforcement. They also may hope it helps their image so they don't look quite so evil, she said.

Liska, meanwhile, said cyber criminals often pay lip service to deleting the data in hopes of easing authorities' attention on them, but he expects CL0P to still share or sell the government data.

"You should never assume a ransomware actor is actually going to delete stolen data. They will claim it up and down, [but] once that data is stolen, that is out there and you have to assume that it's going to be out there forever," Liska said.

One possible buyer? The Russian government. There appears to be some evidence suggesting a level of coordination between some cyber crime groups and the Russian government, which could enable gangs like CL0P to make such a sale, Liska said. But he cautioned against overstating this relationship, emphasizing the lack of evidence that the Russian government is controlling the cyber criminals.

View original post here:
Cyber Extortion Trends: Lessons from CL0P and MOVEit - Government Technology