
Researchers find a startlingly cheap way to steal your secrets from space 

By: djohnson
14 October 2025 at 16:03

How much private and sensitive data can you get by pointing $600 worth of satellite equipment at the sky?

Quite a bit, it turns out.

Researchers from the University of Maryland and the University of California, San Diego say they were able to intercept sensitive data from the U.S. military, telecommunications firms, major businesses and organizations by passively scanning and collecting unencrypted data from the satellites responsible for beaming that information across the globe.

The satellites they focused on — geostationary satellites — provide modern high-speed communications and services to rural or remote parts of the globe, including television, IP communications, internet and in-flight Wi-Fi capabilities. They also provide backhaul internet services — the links between a core telecom or internet network and its end users — for private networks operating sensitive remote commercial and military equipment.

Using cheap, commercially available equipment, researchers scanned 39 satellites across 25 distinct longitudinal points over seven months.

The goal was to see how much sensitive data they could intercept by “passively scanning as many GEO transmissions from a single vantage point on Earth as possible.” It was also to prove that you don’t need to be a well-resourced foreign intelligence service or have deep pockets to pull it off.

What they found was unsettling: “Many organizations appear to treat satellite[s] as any other internal link in their private networks. Our study provides concrete evidence that network-layer encryption protocols like IPSec are far from standard on internal networks,” write authors Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman.

They note that the “severity” of their findings suggests “many organizations do not routinely monitor the security of their own satellite communication links” and that content scrambling “is surprisingly unlikely to be used for private networks using GEO satellite to backhaul IP network traffic from remote areas.”

“Given that any individual with a clear view of the sky and $600 can set up their own GEO interception station from Earth, one would expect that GEO satellite links carrying sensitive commercial and government network traffic would use standardized link and/or network layer encryption to prevent eavesdroppers,” the researchers wrote.

Wired first reported on the academic study.

Researchers reached out to major businesses and organizations that were leaking data via satellite communications to notify them and address the vulnerabilities, but said they declined to engage in any bug bounties that included a nondisclosure agreement.  

The researchers said discussions with the U.S. military, the Mexican government, T-Mobile, AT&T, Intelsat, Panasonic Avionics, WiBo and KPU all took place between December 2024 and July 2025 as the study was ongoing.

Satellites carry multiple transponders, each relaying a different slice of traffic, and here the research focuses on a single type, Ku-band transponders, that are heavily used for internet and television services. Using their consumer-grade equipment, the researchers were able to tap into 411 different transponders around the globe, collecting reams of sensitive data in the process.

They observed unencrypted data for T-Mobile users, including plaintext user SMS messages, voice call contents, user internet traffic, metadata, browsing history and cellular network signaling protocols, leaking out over the skies. Over a single, nine-hour listening session, the dish picked up phone numbers and metadata for 2,711 individuals. Similar leakages were spotted for calls over Mexican telecoms TelMex and WiBo, and Alaskan telecom KPU Telecommunications.

They also picked up unencrypted and encrypted traffic coming from U.S. military sea vessels, including plaintext that included the ships’ names — something the researchers said allowed them to determine they were all “formerly privately-owned ships” that are now owned by the government. Meanwhile, unencrypted HTTP traffic leaking out through the satellites gave them details into internal applications and systems used for infrastructure, logistics and administrative management.

The researchers say that while this kind of capability isn’t novel, previous research has suggested that only foreign governments and well-resourced companies have the capabilities to conduct such widespread monitoring. Their study, which developed a new way to work around signal-quality problems with cheap receivers, suggests that the barrier to entry is far lower than previously thought, requiring technical know-how and just a few hundred dollars’ worth of commercial equipment.

“To our knowledge, our threat model of using low-cost consumer grade satellite equipment to comprehensively survey GEO satellite usage has not been explored before in the academic literature.”

The findings underscore how much governments and businesses rely on standard satellite communications today to move their data around, and the lack of security attention these critical links receive compared to other technologies. The federal government has designated 16 sectors of society and industry as “critical infrastructure” and prioritized these sectors for additional security investment and assistance. Space is not one of those sectors, though policymakers have pushed the idea as a means to quickly retrofit our space-based communications for security.

The post Researchers find a startlingly cheap way to steal your secrets from space  appeared first on CyberScoop.

Cryptologist DJB Alleges NSA is Pushing an End to Backup Algorithms for Post-Quantum Cryptography

12 October 2025 at 07:34
Cryptologist/CS professor Daniel J. Bernstein is alleging that America's National Security Agency is attempting to influence NIST post-quantum cryptography standards. Bernstein first emphasizes that it's normal for post-quantum cryptography (or "PQ") to be part of "hybrid" security that also includes traditional pre-quantum cryptography. (Bernstein says this is important because since 2016, "We've seen many breaks of post-quantum proposals...") "The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ." Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"... [Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".] What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption. This seems to be a speculative scenario. 
But Bernstein is also concerned about how the Internet Engineering Task Force handled two drafts specifying post-quantum encryption mechanisms for TLS ("the security layer inside HTTPS and inside various other protocols"). For a draft suggesting "non-hybrid" encryption, there were 20 statements of support (plus 2 more only conditionally supporting it), but 7 more statements unequivocally opposing adoption, including one from Bernstein. The IETF has at times said they aim for "rough consensus" — or for "broad consensus" — but Bernstein insists 7 opposers in a field of 29 (24.13%) can't be said to match the legal definition of consensus (which is "general agreement"). "I've filed a formal complaint regarding the claim of consensus to adopt." He's also written a second blog post analyzing the IETF's decision-making process in detail. "It's already bad that the IETF TLS working group adopted non-hybrid post-quantum encryption without official answers to the objections that were raised. It's much worse if the objections can't be raised in the first place." Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.

Read more of this story at Slashdot.

German government says it will oppose EU mass-scanning proposal

By: djohnson
8 October 2025 at 10:41

Encryption lives on in Europe. For now.

The German government has said it will oppose a piece of European Union legislation later this month that would subject phones and other devices to mass scanning — prior to encryption — by the government for evidence of child sexual abuse material.  

Federal Minister of Justice Stefanie Hubig was one of several officials from the governing coalition to reiterate over the past 24 hours that Germany’s position hasn’t changed.

“Mass scanning of private messages must be taboo in a constitutional state,” Hubig said, according to a statement on X from the Ministry of Justice and Consumer Protection Wednesday. “Germany will not agree to such proposals at the EU level.”

Jens Spahn, who leads the CDU/CSU parliamentary group, told German journalist Phillip Eckstein of ARD-Hauptstadtstudio that those sentiments are widely held within his party.

“We, as the CDU/CSU parliamentary group, are against the random monitoring of chats,” Spahn said, according to a machine-translated transcript. “That would be like opening all letters as a precaution and checking whether there’s anything illegal in them. That’s not possible, and we won’t allow that.”

The statements came after a week where tech experts and privacy activists in Europe publicly warned that Germany — which had opposed the measure since its introduction in 2022 and operated as a key swing vote — was preparing to back the measure in an upcoming Oct. 14 vote.

The German government did not respond to requests for comment from CyberScoop earlier this week, and other parties have said efforts to communicate with German officials about their intentions were met with “silence” and “stonewalling.”

The prospect of having all digital messages — and possibly other content like audio and video — scanned before encryption would defeat the very purpose of encryption and create an untenable situation, according to Meredith Whittaker, CEO of encrypted messaging app Signal. Whittaker threatened that her organization was prepared to pull out of Europe over the proposal.

Germany’s renewed opposition likely won’t mark the end of this dispute. Western governments in the U.S. and Europe have been seeking to place limits on encrypted communications for decades, arguing that end-to-end encryption with no means of access for law enforcement makes it harder to investigate horrific crimes like child sexual abuse, terrorism and cybercrime.

Earlier this year, Apple pulled its own end-to-end encryption feature in the U.K. after British national security officials sent the company a letter demanding access to encrypted iCloud data for law enforcement and national security investigations.

There are indications that criminal suspects are increasingly turning to encrypted communications to hide evidence of their criminality. But privacy advocates have pointed out that strong encryption also protects many law-abiding citizens from potential government repression.

The post German government says it will oppose EU mass-scanning proposal appeared first on CyberScoop.

Potential EU law sparks global concerns over end-to-end encryption for messaging apps 

By: djohnson
6 October 2025 at 14:25

Tech experts and companies offering encrypted messaging services are warning that pending European regulation, which would grant governments broad authority to scan messages and content on personal devices for criminal activity, could spell “the end” of privacy in Europe.

The European Union will vote Oct. 14 on a legislative proposal from the Danish Presidency known as Chat Control, a law that would require mass scanning of user devices for abusive or illegal material. Over the weekend, Signal warned that Germany, a longtime opponent and bulwark against the proposal, may now move to vote in favor, giving the measure the support needed to pass into law.

On Monday, Signal CEO Meredith Whittaker warned that her company, which provides end-to-end encrypted communications services, could exit the European market entirely if the proposal is adopted.

“This could end private comms [and] Signal in the EU,” Whittaker wrote on Bluesky. “Time’s short and they’re counting on obscurity: please let German politicians know how horrifying their reversal would be.”

According to data privacy experts, Chat Control would require access to the contents of apps like Signal, Telegram, WhatsApp, Threema and others before messages are encrypted. While ostensibly aimed at criminal activity, experts say such features would also undermine and jeopardize the integrity of all other users’ encrypted communications, including journalists, human rights activists, political dissidents, domestic abuse survivors and other victims who rely on the technology for legitimate means.

The pending EU vote is the latest chapter in a decades-long battle between governments and digital privacy proponents about whether, and how, law enforcement should be granted access to encrypted communications in criminal or national security cases. 

Supporters point to increasing use of encrypted communications by criminal organizations, child traffickers, and terrorist organizations, arguing that unrestricted encryption impedes law enforcement investigations, and that some means of “lawful access” to that information is technically feasible without imperiling privacy writ-large.

Privacy experts have long argued that there are no technically feasible ways to provide such services without creating a backdoor that could be abused by other bad actors, including foreign governments.

Whittaker reportedly told the German Press Agency that “given a choice between building a surveillance machine into Signal or leaving the market, we would leave the market,” while calling repeated claims from governments that such features could be implemented without weakening encryption “magical thinking that assumes you can create a backdoor that only the good guys can access.”

The Chaos Computer Club, an association of more than 7,000 European hackers, has also opposed the measure, saying its efforts to reach out to Germany’s Home Office, Justice Department and Digital Minister Karsten Wildberger for clarity on the country’s position ahead of the Chat Control vote have been met with “silence” and “stonewalling.”

The association and U.S.-based privacy groups like the Electronic Frontier Foundation have argued that the client-side scanning technology that the EU would implement is error-prone and “invasive.”

“If the government has access to one of the ‘ends’ of an end-to-end encrypted communication, that communication is no longer safe and secure,” wrote EFF’s Thorin Klosowski.

Beyond the damage Chat Control could cause to privacy, the Chaos Computer Club worried that its adoption by the EU might embolden other countries to pursue similar rules, threatening encryption worldwide.

“If such a law on chat control is introduced, we will not only pay with the loss of our privacy,” Elina Eickstädt, spokesperson for the Chaos Computer Club, said in a statement. “We will also open the floodgates to attacks on secure communications infrastructure.”

The Danish proposal leaves open the potential to use AI technologies to scan user content, calling for such technologies “to be vetted with regard to their effectiveness, their impact on fundamental rights and risks to cybersecurity.”

Because Chat Control is publicly focused on curtailing child sexual abuse material (CSAM), the initial scanning will target both known and newly identified CSAM, focusing on images and internet links. For now, text and audio content, as well as scanning for evidence of grooming, a more difficult crime to define, are excluded.

Still, the Danish proposal specifies that scanning for grooming is “subject to … possible inclusion in the future through a review clause,” which would likely require even more intrusive monitoring of text, audio and video conversations. 

It also calls for “specific safeguards applying to technologies for detection in services using end-to-end encryption” but does not specify what those safeguards would be or how they would surmount the technical challenges laid out by digital privacy experts.

The post Potential EU law sparks global concerns over end-to-end encryption for messaging apps  appeared first on CyberScoop.

Signal Braces For Quantum Age With SPQR Encryption Upgrade

By: BeauHD
4 October 2025 at 03:00
BrianFagioli shares a report from NERDS.xyz: Signal has introduced the Sparse Post Quantum Ratchet (SPQR), a new upgrade to its encryption protocol that mixes quantum safe cryptography into its existing Double Ratchet. The result, which Signal calls the Triple Ratchet, makes it much harder for even future quantum computers to break private chats. The change happens silently in the background, meaning users do not need to do anything, but once fully rolled out it will make harvested messages useless even to adversaries with quantum power. The company worked with researchers and used formal verification tools to prove the new protocol's security. Signal says the upgrade preserves its guarantees of forward secrecy and post compromise security while adding protection against harvest now, decrypt later attacks. The move raises a bigger question: will this be enough when large scale quantum computers arrive, or will secure messaging need to evolve yet again?

Read more of this story at Slashdot.

UK Once Again Demands Backdoor To Apple's Encrypted Cloud Storage

By: msmash
1 October 2025 at 15:21
The UK government has issued a new order to Apple to create a backdoor into its cloud storage service, this time targeting only British users' data, despite US claims that Britain had abandoned all attempts to break the tech giant's encryption. Financial Times: The UK Home Office demanded in early September that Apple create a means to allow officials access to encrypted cloud backups, but stipulated that the order applied only to British citizens' data, according to people briefed on the matter. A previous technical capability notice (TCN) issued in January sought global access to encrypted user data. That move sparked a diplomatic clash between the UK and US governments and threatened to derail the two nations' efforts to secure a trade agreement. In February, Apple withdrew its most secure cloud storage service, iCloud Advanced Data Protection, from the UK. "Apple is still unable to offer Advanced Data Protection in the United Kingdom to new users," Apple said on Wednesday. "We are gravely disappointed that the protections provided by ADP are not available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy." It added: "As we have said many times before, we have never built a back door or master key to any of our products or services and we never will."

Read more of this story at Slashdot.

GOP senator confirms pending White House quantum push, touts legislative alternatives

By: djohnson
1 October 2025 at 11:05

Sen. Marsha Blackburn, R-Tenn., endorsed an aggressive effort by U.S. policymakers to help governments and businesses adapt to a future where quantum computers can break most standard forms of encryption. She also confirmed key details of a White House initiative on quantum technology previously reported by CyberScoop, while also promoting her own legislation on quantum migration and related strategies.

Blackburn, chair of the Senate Commerce, Science and Transportation Subcommittee on Consumer Protection, Technology, and Data, told audiences at a Wednesday event hosted by Politico that such an effort is needed to ensure that American technology is prepared well in advance for the shift and to counter potential threats from countries like Russia, China, Iran and North Korea.

Blackburn said lawmakers are asking questions about these countries such as, “What type of development are they doing? What kind of experimentation are they doing? And what is the expectation of those applications?”

“Now those are answers that we don’t know, so it is up to us to say, ‘how do we best prepare ourselves and how do we make certain that China is not going to lead this emerging tech space by 2049 — which is their goal — and how do we [combat] that?’” Blackburn said. 

When asked about reports that the White House was planning its own slate of executive actions, Blackburn confirmed elements of that push, saying Michael Kratsios, director of the White House Office of Science, Technology and Policy, and White House crypto and AI czar David Sacks are doing “a tremendous job.” Kratsios is among the White House officials leading the federal quantum effort, in tandem with the Commerce Department and the Office of Management and Budget, sources told CyberScoop last month.

However, Blackburn did not provide a timeline for any formal rollout by the administration, and promoted legislation like the National Quantum Cybersecurity Migration Strategy Act she co-sponsored with Sen. Gary Peters, D-Mich., as a vehicle for speeding up federal quantum migration strategies.

That bill would mandate that federal agencies move at least one high-risk information system to quantum-resistant encryption by Jan. 1, 2027.

“You look at agencies like the IRS … you look at [the Department of Defense] and some of the cyber implications and you say, ‘OK, this makes sense,’” Blackburn said. “So, what we are trying to do is push them to move forward and not say, ‘well, we’ll get around to that later.’”

She characterized the White House initiative as focused on strengthening the quantum workforce, increasing commercial sector involvement, and ensuring strong security and encryption is in place to deal with threats from China and other adversaries.

“That I feel is more of the definition of how the White House sees this as moving forward,” Blackburn said.

Blackburn is leading or co-sponsoring several other quantum-related bills on the Hill, including the Defense Quantum Acceleration Act, which would require DOD to develop a strategic quantum roadmap, the Quantum Sandbox for Near-Term Applications Act, which would create a sandbox environment for quantum computing experimentation housed within the National Institute for Standards and Technology, and the Advancing Quantum Manufacturing Act, which would create a federal institute for quantum manufacturing.

The post GOP senator confirms pending White House quantum push, touts legislative alternatives appeared first on CyberScoop.

Why federal IT leaders must act now to deliver NIST’s post-quantum cryptography transition

By: Greg Otto
22 September 2025 at 05:30

In August 2024, the National Institute of Standards and Technology published its first set of post-quantum cryptography (PQC) standards, the culmination of over seven years of cryptographic scrutiny, review and competition. 

As the standards were announced, the implications for cybersecurity leaders were clear: The U.S. government must re-secure its entire digital infrastructure — from battlefield systems to tax records — against adversaries preparing to use quantum computers to break our encryption.

This isn’t a theoretical risk; it’s an operational vulnerability. The cryptography that secures federal data today will be obsolete — NIST has already set a deadline to ban some algorithms by 2035 — and our adversaries know it.

A foundational national security threat

Quantum computers are no longer science fiction — they’re a strategic priority for governments across the United States, Europe, China, and beyond, investing billions in their development. While the technology holds promise for scientific and economic breakthroughs, it also carries significant risks for national security.

If just one adversarial state succeeds in building a large enough quantum computer, it would render RSA, ECC, and other foundational cryptographic systems, the algorithms underpinning federal communications, authentication, and data protection, completely obsolete. Keys that no classical computer could break in any realistic timeframe could be recovered in days.

Even before such computers exist, the risk is clear. Intelligence agencies like the National Security Agency have long warned of “harvest now, decrypt later” attacks. That means sensitive U.S. government data — captured today over insecure links or stolen in data breaches — may be stored in data centers with the intention of being decrypted years from now when quantum capabilities mature. This includes classified material, personally identifiable information, defense logistics data, and more.

We are not talking about theoretical vulnerabilities or bugs. We are talking about a complete systemic failure of classical cryptography in the face of a new computing paradigm, and a long-known one at that.

You’ve been warned and instructed

If you work in federal IT or security and haven’t started quantum-proofing your systems, you are already behind. The U.S. government has made its intentions crystal clear over the past three years. 

National Security Memorandum 10 (NSM-10), signed under the Biden administration in May 2022, sets the goal of mitigating as much of the quantum risk as is feasible by 2035 and directs National Security Systems onto an accelerated transition timeline. This was followed by Office of Management and Budget memo M-23-02 in November 2022, which requires all federal civilian agencies to inventory their cryptographic assets, assess quantum vulnerability, and develop transition plans.

These early instructions were cemented in the NSA’s CNSA 2.0 guidelines, stating that systems protecting classified and national security data must move to quantum-safe algorithms before the 2035 deadline, with many systems already transitioned by 2030, using NIST’s approved cryptographic standards.

This is not a proposal; it is federal policy. The deadlines are set. The threat is recognized and the technology is ready.

The scale is unprecedented but not insurmountable

There hasn’t been a cryptographic overhaul of this magnitude since the transition to public-key cryptography in the 1980s and arguably not since Y2K. But unlike Y2K, there is no fixed date when things will fail. There won’t be a headline or official press release when quantum computing arrives. If you’re waiting for a clear signal, you won’t get one — it will simply be here, and those who haven’t prepared will already be behind.

Just as when the Allies broke the Enigma machine, the first nation to build a cryptographically relevant quantum computer is not likely to announce this to the world and their adversaries. 

Quantum-safe transition isn’t as simple as swapping out a cryptographic library. Legacy systems across agencies rely on hardcoded cryptographic protocols. Hardware modules may require firmware upgrades or full replacement. Key management systems will need to be redesigned. Certification and compliance processes must be updated. 

This encryption is found everywhere across the technology supply chain and in everyday life. With so many critical government functions, services, systems and departments now run online, just one weak link in the supply chain could bring the whole network down. 

Under the NSA’s CNSA 2.0 guidelines, any vendor that wants to sell to the U.S. government for national security use must implement PQC, especially for new technology procurement beyond 2030, and products that rely on the designated quantum-vulnerable algorithms must be phased out by 2035.

Most agencies aren’t prepared, and the private sector vendors they depend on are working hard to provide the tools needed to deliver the transition. What we must be careful of is some suppliers marketing “quantum-safe” solutions that do not meet NIST standards and may introduce new vulnerabilities down the line.

What federal IT leaders must do today 

The countdown to 2030 and 2035 has already begun. Federal CIOs, CISOs, and program managers should take the following steps this fiscal year:

  1. Enforce cryptographic discovery mandates. OMB memo M-23-02 requires all agencies to submit an annual inventory of cryptographic systems. If your agency hasn’t complied or gone beyond minimal discovery, it’s time to escalate.
  2. Demand vendor transparency. Your suppliers must tell you when and how they plan to support NIST’s PQC algorithms, not “proprietary” solutions. If they can’t, find new ones.
  3. Fund pilot deployments now. Testing post-quantum algorithms in isolated systems today will reveal architectural bottlenecks and allow for smoother rollout in future years.
  4. Educate procurement teams. Use the NSA’s quantum-safe procurement guidance to ensure RFPs, contracts, and tech refreshes explicitly require PQC readiness.
  5. Treat PQC as a cybersecurity budget line item, not a future capital project. Quantum risk is not hypothetical, it’s live and needs action to address it today.
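As an added example (not from the article, and not PQShield’s or any agency’s tooling), the script below performs the kind of cryptographic discovery step 1 calls for on one concrete asset class: OpenSSH public keys in authorized_keys and known_hosts files. It parses the SSH wire format to recover algorithm and key size, tags every key as quantum-vulnerable (all OpenSSH key types are classical public-key schemes) and separately flags keys that already fall short of current guidance. The sample keys are constructed in code and are not real key material; the record layout and field names are the example’s own.

```python
"""Cryptographic discovery for OpenSSH public keys.

Added example, not PQShield's, NIST's or any agency's tooling.  It parses
the SSH public-key wire format found in authorized_keys and known_hosts
lines, records algorithm and key size, tags every key as quantum-vulnerable
(RSA, DSA, ECDSA and Ed25519 all fall to Shor's algorithm) and separately
flags keys already below current guidance (RSA < 2048 bits, DSA).  Sample
keys are constructed in code; they are wire-format-correct but not real
key material.
"""
import base64
import struct
from collections import Counter


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, so a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    """Read one SSH string at off; return (bytes, next_offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def inspect_ssh_pubkey(line: str) -> dict:
    """Turn one authorized_keys / known_hosts line into an inventory record."""
    fields = line.split()
    # known_hosts lines start with a host field and authorized_keys lines may
    # start with options, so locate the key-type field rather than assuming column 0.
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-sha2-")))
    algo_text = fields[idx]
    blob = base64.b64decode(fields[idx + 1])
    algo_bytes, off = _read_string(blob, 0)
    algo = algo_bytes.decode()
    if algo != algo_text:
        raise ValueError(f"type field {algo_text!r} disagrees with blob {algo!r}")

    if algo == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent
        n, off = _read_string(blob, off)        # modulus
        bits = int.from_bytes(n, "big").bit_length()
        weak_today = bits < 2048
    elif algo == "ssh-dss":
        p, off = _read_string(blob, off)        # DSA prime p (1024-bit by spec)
        bits = int.from_bytes(p, "big").bit_length()
        weak_today = True                       # OpenSSH disables DSA by default
    elif algo.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)    # e.g. b"nistp256"
        bits = int(curve.decode()[-3:])
        weak_today = False
    elif algo == "ssh-ed25519":
        key, off = _read_string(blob, off)
        bits = len(key) * 8
        weak_today = False
    else:
        raise ValueError(f"unsupported key type {algo}")

    return {"algorithm": algo, "bits": bits, "weak_today": weak_today,
            "quantum_vulnerable": True,         # every OpenSSH key type is classical
            "comment": " ".join(fields[idx + 2:])}


def inventory(lines):
    """Inventory records for every non-blank, non-comment line."""
    return [inspect_ssh_pubkey(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


def summarize(records):
    return {"by_algorithm": dict(Counter(r["algorithm"] for r in records)),
            "weak_today": sum(r["weak_today"] for r in records),
            "quantum_vulnerable": sum(r["quantum_vulnerable"] for r in records)}


def _key_line(algo: str, body: bytes, comment: str = "", host: str = "") -> str:
    """Constructed key line; a non-empty host yields a known_hosts-style line."""
    blob = base64.b64encode(_ssh_string(algo.encode()) + body).decode()
    return " ".join(f for f in (host, algo, blob, comment) if f)


# Constructed samples: correct wire format, synthetic key material.
SAMPLE_KEYS = [
    _key_line("ssh-rsa", _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 0x1234567), "legacy-build-server"),
    _key_line("ssh-rsa", _ssh_mpint(65537) + _ssh_mpint((1 << 3071) | 0x7654321), "ops@bastion"),
    _key_line("ssh-ed25519", _ssh_string(bytes(range(32))), "deploy@ci"),
    _key_line("ecdsa-sha2-nistp256", _ssh_string(b"nistp256") + _ssh_string(b"\x04" + bytes(64)), "admin@jump"),
    _key_line("ssh-ed25519", _ssh_string(bytes(range(32, 64))), host="bastion.example.internal"),
    "# comment lines and blanks are skipped",
]

if __name__ == "__main__":
    records = inventory(SAMPLE_KEYS)
    for r in records:
        print(f'{r["algorithm"]:<22} {r["bits"]:>5} bits  weak_today={r["weak_today"]}  {r["comment"]}')
    print(summarize(records))
```

Point it at every authorized_keys and ssh_known_hosts file on a host and the records answer the question an M-23-02 inventory actually asks: which algorithm, at what size, on which system. A line that just says “SSH” is not an inventory entry.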

The bottom line: This is a national defense imperative

You don’t have to believe the quantum hype — you just have to follow your own government’s threat assessments.

Federal legislation, including the Quantum Computing Cybersecurity Preparedness Act, signed into law in December 2022, requires agencies to prepare for the migration.

If your systems still rely on RSA, ECC, or other legacy algorithms without a transition roadmap,  you are not defending them — you are leaving them open to attack.

The NIST standards show that with one year of progress behind us, there are five years of opportunity ahead.

Ali El Kaafarani is the founder and CEO of PQShield, a global leader in post-quantum cryptography.

The post Why federal IT leaders must act now to deliver NIST’s post-quantum cryptography transition appeared first on CyberScoop.

Wyden calls on FTC to investigate Microsoft for ‘gross cybersecurity negligence’ in protecting critical infrastructure

By: djohnson
10 September 2025 at 17:24

Sen. Ron Wyden, D-Ore., on Wednesday called for the Federal Trade Commission to investigate Microsoft, saying the company’s default configurations are leaving customers vulnerable and contributing to ransomware, hacking and other threats.

That includes the 2024 Ascension hospital ransomware attack, which resulted in the theft of personal data, medical data, payment information, insurance information and government IDs for more than 5.6 million patients.

Wyden, whose staff interviewed or spoke with Ascension and Microsoft staff as part of the senator’s oversight, said the attack “perfectly illustrates” the negative consequences of Microsoft’s cybersecurity policies.

Ascension told Wyden’s staff that in February 2024, a contractor using one of the company’s laptops used Microsoft Bing’s search engine and Microsoft Edge, the default web browser that came with it. The contractor clicked on a phishing link, which infected the laptop and spread to Ascension’s broader network. The hackers gained administrative privilege to the company’s accounts through Active Directory, another Microsoft product that manages user accounts, and pushed ransomware “to thousands of other computers in the organization.”

Wyden noted in his letter to FTC Chair Andrew Ferguson that the hackers used a technique known as Kerberoasting to access privileged accounts on Ascension’s Active Directory server. This method takes advantage of weaknesses in encryption protocols that have been obsolete and vulnerable for decades.

“This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous,” Wyden wrote.

Still, organizations that rely on RC4 continue to be compromised through Kerberoasting. In 2023, the Cybersecurity and Infrastructure Security Agency warned about exploitation of RC4 and Kerberoasting in the health care sector. A year later, CISA, the FBI and the National Security Agency all warned that foreign countries like Iran were also exploiting the same technique to target American companies.

Wyden questioned why the company continued to support RC4, saying it “needlessly exposes its customers to ransomware and other cyber threats” and pointing out that better encryption technologies exist — like the Advanced Encryption Standard (AES) — that have federal government approval and could have better protected Microsoft customers.

While Microsoft has said the threat can be mitigated by setting passwords of at least 14 characters, its default settings for privileged accounts do not require it.
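The two conditions the article describes (an account that still accepts RC4 Kerberos tickets and a password policy that does not enforce the 14-character minimum) can both be audited from Active Directory. The following PowerShell script is an added example written for this page; it is not code from CyberScoop, Microsoft or Sen. Wyden's office. It assumes the RSAT ActiveDirectory module on a domain-joined administrative host, and it reads the documented msDS-SupportedEncryptionTypes bit flags (RC4_HMAC = 0x4, AES128 = 0x8, AES256 = 0x10) plus each account's effective password policy. It only reports; the remediation command at the end is shown with -WhatIf so nothing changes until an administrator removes it.

```powershell
# Added example (not from the article): audit service accounts for Kerberoasting exposure.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

# Documented bit flags of the msDS-SupportedEncryptionTypes attribute.
$RC4_HMAC = 0x4
$AES128   = 0x8
$AES256   = 0x10
# Minimum length Microsoft cites as mitigating Kerberoasting (from the article).
$MinSafeLength = 14

function Get-KerberoastExposure {
    # Accounts with a servicePrincipalName are the ones Kerberos will issue service tickets for.
    $spnAccounts = Get-ADUser -Filter 'servicePrincipalName -like "*"' `
        -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, Enabled

    $domainMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength

    foreach ($acct in $spnAccounts) {
        $enc = $acct.'msDS-SupportedEncryptionTypes'

        # Null or 0 means "no preference": the KDC falls back to RC4 for this account,
        # so treat it as RC4-capable even though the RC4 bit is not explicitly set.
        $rc4Allowed = (-not $enc) -or (($enc -band $RC4_HMAC) -ne 0)
        $aesOnly    = [bool]$enc -and (($enc -band ($AES128 -bor $AES256)) -ne 0) -and (-not $rc4Allowed)

        # Fine-grained password policy wins over the domain default when one applies.
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $acct -ErrorAction SilentlyContinue
        $effectiveMin = if ($fgpp) { $fgpp.MinPasswordLength } else { $domainMin }

        $ageDays = if ($acct.PasswordLastSet) {
            [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
        } else { $null }

        # Highest risk: enabled, RC4 still accepted, and policy permits a short password.
        $risk = if ($acct.Enabled -and $rc4Allowed -and ($effectiveMin -lt $MinSafeLength)) { 'High' }
                elseif ($acct.Enabled -and $rc4Allowed) { 'Medium' }
                else { 'Low' }

        [pscustomobject]@{
            SamAccountName   = $acct.SamAccountName
            Enabled          = $acct.Enabled
            SPNCount         = @($acct.servicePrincipalName).Count
            EncTypesRaw      = $enc
            RC4Allowed       = $rc4Allowed
            AESOnly          = $aesOnly
            MinPwdLength     = $effectiveMin
            PwdAgeDays       = $ageDays
            Risk             = $risk
        }
    }
}

$report = Get-KerberoastExposure
$report | Sort-Object Risk, PwdAgeDays -Descending | Format-Table -AutoSize

# Remediation for a reviewed account: restrict it to AES ticket encryption.
# -WhatIf keeps this a dry run; drop it only after confirming the service supports AES.
$report | Where-Object { $_.Risk -eq 'High' } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -KerberosEncryptionType AES128, AES256 -WhatIf
}
```

Setting the encryption type alone is not enough if the account's password was set while RC4 was in use: the AES keys are derived at the next password change, so the password must be rotated (to a length that meets the policy) after the change, and the PwdAgeDays column is there to make the stale ones obvious.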

In response to Wyden’s letter, a Microsoft spokesperson told CyberScoop that “RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic.”

“However, disabling its use completely would break many customer systems,” the spokesperson wrote. “For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible.”

Wyden wrote that in conversations with his staff in 2024, Microsoft officials agreed to discontinue support for RC4, but have yet to do so nearly a year later.

Microsoft’s press office told CyberScoop that the company plans to have RC4 disabled by default in Active Directory installations starting Q1 of 2026. They also said that disabling RC4 more broadly is “on our roadmap” but did not provide a timetable for doing so.

But Wyden’s letter emphasized that he believed Microsoft, not the public, should bear the security burden of fixing the problem.

“Microsoft chooses the default settings, including the security features that are enabled automatically and the required security settings (e.g. minimum password length),” Wyden wrote, noting that while organizations can change those settings, “in practice, most do not.”

The post Wyden calls on FTC to investigate Microsoft for ‘gross cybersecurity negligence’ in protecting critical infrastructure appeared first on CyberScoop.

FTC warns tech companies not to weaken encryption, free speech practices for foreign governments

By: djohnson
21 August 2025 at 14:12

Federal Trade Commission Chair Andrew Ferguson warned U.S. tech companies not to accede to laws in foreign countries that weaken Americans’ free speech or data privacy rights.

Specifically, Ferguson cited laws like the European Union’s Digital Service Act and the U.K.’s Online Safety Act as statutes that incentivize U.S. tech companies “to censor speech, including speech outside of Europe.” He said that could lead to heightened surveillance of Americans by foreign governments and increase their risk around identity theft and fraud.

“Companies might be censoring Americans in response to the laws, demands, or expected demands of foreign powers,” Ferguson wrote in letters to 13 different tech companies Thursday. “And the anti-encryption policies of foreign governments might be causing companies to weaken data security measures and other technological means for Americans to vindicate their right to anonymous and private speech.”

Additionally, as companies continue to face fragmented and balkanized internet laws across different countries, Ferguson worried that some companies may opt for maximally invasive or restrictive policies toward their users to stay in compliance with the strictest laws.

“I am also concerned that companies such as your own might attempt to simplify compliance with the laws, demands, or expected demands of foreign governments by censoring Americans or subjecting them to increased foreign surveillance even when the foreign government’s requests do not technically require that,” he wrote.

Ferguson sent the letters to executives at Akamai, Alphabet, Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack and X.

He criticized the Biden administration for “actively” working to censor American speech online. The Supreme Court has largely upheld the constitutionality of the federal government’s conversations with tech companies under the Biden administration.

President Donald Trump has publicly attacked and pressured many of the same companies Ferguson is targeting, in some cases threatening to use the power of the federal government to force them to adopt his preferred policies — not only on content moderation and disinformation, but also tariffs, diversity, equity and inclusion programs, unflattering search engine results and numerous other demands. Nevertheless, Ferguson praised Trump for allegedly putting “a swift end” to the weaponization of the federal government against Americans for their speech.

The FTC chair said in his letter that the agency is focused on the importance of offering strong end-to-end encryption to users, regardless of what laws or regulations in other countries may require.

“If a company promises consumers that it encrypts or otherwise keeps secure online communications but adopts weaker security due to the actions of a foreign government, such conduct may deceive consumers who rightfully expect effective security, not the increased susceptibility to breach or intercept desired by a foreign power,” Ferguson wrote.

The FTC’s letters were sent the same week that Director of National Intelligence Tulsi Gabbard announced the U.S. government had successfully engaged with U.K. leaders to drop their demand that Apple provide law enforcement with a means to access encrypted user cloud data for investigations, even for users outside the U.K.

The demand resulted in Apple withdrawing its Advanced Protection Program feature from U.K. iPhones and Apple computers, as privacy advocates continued to argue that any access given to law enforcement would fundamentally weaken the encryption that all its users rely on.

The post FTC warns tech companies not to weaken encryption, free speech practices for foreign governments appeared first on CyberScoop.

UK abandons Apple backdoor demand after US diplomatic pressure

By: Greg Otto
19 August 2025 at 09:52

The United Kingdom has withdrawn its demand that Apple create a backdoor to its encrypted cloud systems following months of diplomatic pressure from the United States, according to a statement from Director of National Intelligence Tulsi Gabbard.

Gabbard announced the decision Monday on X, stating that the U.S. government had worked closely with British partners “to ensure Americans’ private data remains private and our Constitutional rights and civil liberties are protected.”

The reversal marks a significant development in the ongoing global debate over government access to encrypted communications and represents a victory for American officials concerned about protecting U.S. citizens’ digital privacy rights. 

The British government’s original demand came through a technical capability notice issued in January 2025 under the country’s Investigatory Powers Act. The order would have required Apple to provide blanket access to end-to-end encrypted cloud data, including information belonging to users outside the United Kingdom.

Apple responded to the British demand by disabling its Advanced Data Protection feature for U.K. users in February 2025. The feature provides end-to-end encryption for iCloud data storage, making it inaccessible even to Apple itself.

The company expressed disappointment with the requirement, stating it had never built backdoors into its products and never would. Apple subsequently appealed the order’s legality through the Investigatory Powers Tribunal, which denied the British government’s attempts to keep the proceedings secret.

“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K., given the continuing rise of data breaches and other threats to customer privacy,” Apple said at the time.

American lawmakers had expressed significant concern about the U.K.’s encryption demands. In February, Sen. Ron Wyden, D-Ore., and Rep. Andy Biggs, R-Ariz., wrote to Gabbard arguing that forcing Apple to create backdoors would “seriously threaten the privacy and security of both the American people and the U.S. government.”

The lawmakers noted that Apple does not create different encryption software for different markets, meaning any backdoor created for British authorities would potentially affect American users. They suggested the U.S. should reconsider its cybersecurity and intelligence-sharing arrangements with the U.K. if Apple were forced to comply with the demands.

The dispute echoes previous conflicts between Apple and government authorities over encryption access. In 2015, Apple engaged in a prolonged legal battle with the U.S. government over providing access to an iPhone belonging to a terrorist who carried out the San Bernardino attack. The FBI ultimately gained access through a third-party vendor after Apple refused to create custom software to bypass the device’s security.

The post UK abandons Apple backdoor demand after US diplomatic pressure appeared first on CyberScoop.

Russia restricts WhatsApp, Telegram calls, alleging criminal, terrorist activity

13 August 2025 at 17:33

Russia is restricting calls on the WhatsApp and Telegram messaging apps in what it says is a bid to counter criminal activity, but that WhatsApp contends is a response to its defiance of government efforts to violate user communication rights.

“According to law enforcement agencies’ information and numerous reports from citizens, the foreign messengers Telegram and WhatsApp have become the main voice services used for deceit and extortion and involvement of Russian citizens in sabotage and terrorist activities,” Russian telecommunications agency Roskomnadzor said Wednesday, according to the Russian news outlet Interfax. “The repeated demands for countermeasures to be taken have been ignored by the owners of the messengers.”

WhatsApp and Telegram responded separately.

“WhatsApp is private, end-to-end encrypted, and defies government attempts to violate people’s right to secure communication, which is why Russia is trying to block it from over 100 million Russian people,” a spokesperson said in a statement to CyberScoop. WhatsApp said it intends to keep doing what it can to make end-to-end encrypted communications available everywhere, including Russia, and would continue to add layers of protection against scams.

Telegram’s press team offered a statement to CyberScoop via its app.

“Telegram actively combats harmful use of its platform including calls for sabotage or violence and fraud,” the statement reads. “Moderators empowered with custom AI and machine learning tools proactively monitor public parts of the platform and accept reports in order to remove millions of pieces of harmful content each day.

“As well, Telegram pioneered granular privacy settings for calls, so every Telegram user can define who to accept calls from or to switch off calls completely,” the statement concludes.

The Roskomnadzor statement follows days of reports of problems making calls via the two apps, and as Russia seeks to introduce its own national messaging app, Max, raising surveillance concerns.

A top Russian lawmaker recently urged WhatsApp to get out of the Russian market to make way for Max. Facebook and Instagram, which share the parent company Meta with WhatsApp, have been banned in Russia since 2022 after the invasion of Ukraine.

WhatsApp recently announced that it had taken down 6.8 million accounts in the first half of 2025 as part of a crackdown on scams. Telegram has long garnered attention as a hub for criminals and extremists.

The post Russia restricts WhatsApp, Telegram calls, alleging criminal, terrorist activity appeared first on CyberScoop.

Senate legislation would direct federal agencies to fortify against quantum computing cyber threats

31 July 2025 at 09:00

A bipartisan pair of senators are introducing legislation Thursday that would direct a White House office to develop a strategy for reckoning with the cybersecurity ramifications of quantum computers, and require agencies to begin pilot programs on quantum-safe encryption.

Sens. Gary Peters, D-Mich., and Marsha Blackburn, R-Tenn., say the National Quantum Cybersecurity Migration Strategy Act is meant to get ahead of rapidly advancing quantum computers that could bypass modern encryption standards and leave important data unprotected.

“It’s critical that the federal government be prepared for any threat posed by quantum computing technology, especially when it concerns our national security,” said Peters, the top Democrat on the Homeland Security and Governmental Affairs Committee. “My bill would help keep Americans safe by ensuring we have a quantum cybersecurity migration strategy to stay ahead of our adversaries and protect Americans’ personal data.”

Blackburn added that “the National Quantum Cybersecurity Migration Strategy Act would ensure the federal government creates a road map to protect sensitive data and national security from emerging data security threats fueled by quantum computing.”

It’s a follow-up to two quantum computing laws passed in recent years: one devoted to developing U.S. quantum research and another devoted to pushing agencies to acquire IT systems with post-quantum cryptography.

The latest legislation, which CyberScoop is first to report, would lean on the expertise of the Subcommittee on the Economic and Security Implications of Quantum Science (ESIX) — which is a part of the National Science and Technology Council that coordinates federal government technology policy — to develop the strategy.

The strategy would recommend standards for federal agencies to define “a cryptographically relevant quantum computer,” to include characteristics such as “the particular point at which such computers are capable of attacking real world cryptographic systems that classical computers are unable to attack.”

The strategy would include an assessment of the need to migrate to post-quantum cryptography for each agency, and measurements for evaluating that migration.

ESIX would also establish a post-quantum pilot program that would require each sector risk management agency responsible for protecting the 16 federally designated critical infrastructure sectors to upgrade at least one high-impact system to post-quantum cryptography by the start of 2027.

“Because stolen data can be stored and decrypted later, experts warn that action must be taken now to secure systems with stronger, quantum-proof protections,” a forthcoming news release on the bill states. “This bill responds to that urgency by requiring federal agencies to begin migrating critical systems before it’s too late.”

Quantum industry leaders at a May hearing urged Congress to expand support for U.S. quantum initiatives. Experts and U.S. government officials are particularly worried about falling behind China on quantum computing.

Peters and Blackburn are introducing their bill the day after the Senate Homeland Security and Governmental Affairs Committee took action on its first slate of bills in 2025.

The post Senate legislation would direct federal agencies to fortify against quantum computing cyber threats appeared first on CyberScoop.

British government reportedly set to back down on secret iCloud backdoor after US pressure

By: Dissent
21 July 2025 at 07:35
Ben Lovejoy reports: We learned earlier this year that the British government had secretly ordered Apple to create a backdoor into encrypted data for all iCloud users worldwide. Specifically, it wanted a way to see personal data protected by Apple’s introduction of Advanced Data Protection (ADP), which extended end-to-end encryption to almost all iCloud data, meaning not even the iPhone maker could access...

Waltz brushes off SignalGate questions, points finger at CISA 

By: djohnson
15 July 2025 at 15:03

Former White House national security adviser Mike Waltz brushed aside criticisms Tuesday that he put sensitive military operations at risk by holding discussions about military strikes in a Signal group chat, claiming the app’s use was authorized by the federal government’s top civilian cyber agency.

In a Senate Foreign Relations Committee hearing, Waltz — who has been nominated to represent the U.S. at the United Nations — was pressed about his short tenure as President Donald Trump’s top national security official. In particular, he was grilled by Sen. Chris Coons, D-Del., for his use of the end-to-end encrypted messaging application Signal to coordinate with other officials over airstrikes on Houthi rebels.

While much of the initial attention was focused on Waltz adding journalist Jeffrey Goldberg to the chat, national security experts were also aghast at government officials at the highest levels coordinating highly sensitive military operations using a free application.

The incident is widely viewed as contributing to Waltz’s departure just months after leaving Congress to take the role, and his subsequent shuffling to a new nomination at the U.N.

Coons referenced Waltz’s long background of public and military service, arguing he should have known better.

“In your role in the Army, in the House, as national security adviser, you have long handled classified and highly sensitive information. We both know Signal is not an appropriate, secure means of communicating highly sensitive information,” Coons said.

But Waltz was defiant in his response, not only insisting that classified information wasn’t involved — the chats involved detailed descriptions of targets, timing, aircraft and munitions that would be used — but that his use of Signal had been “driven by and recommended by the Cybersecurity [and] Infrastructure Security Agency.”

“The use of Signal is not only … authorized; it was recommended in the Biden-era CISA guidance,” he said.

Waltz was referencing a piece of 2024 guidance put out by CISA on mobile security. He later read from a portion of the guidance, which recommended using “only end-to-end encrypted communication” and to “adopt a free messaging application to secure communications that guarantees end to end encryption, particularly if you are a highly targeted individual, such as Signal or other apps.”

CISA is the federal government’s top civilian cyber agency, but has no legal authority over U.S. military or Department of Defense operations. It’s not clear why Waltz believed that voluntary guidance from the agency — which was directed to the broader public following news that the Chinese hacking group Salt Typhoon had penetrated U.S. telecommunications infrastructure — would cover sensitive military operations overseen by the White House and DOD.

A request for comment sent to CISA was not returned at press time.

Waltz further claimed that the incident was subject to investigations by the White House and DOD. While the DOD investigation is still ongoing, he said the White House review cleared him of any wrongdoing, concluding that “the use of Signal was not only authorized, it’s still authorized and highly recommended.”

Signal is considered the gold standard for end-to-end encrypted communication apps, and cybersecurity experts broadly endorse its use for a range of parties and scenarios. But the highest levels of the U.S. government and military are exceptionally valuable targets that are routinely targeted by the most advanced hacking groups and foreign intelligence services around the globe. Further, additional reporting identified that Waltz was relying on an insecure third-party clone of Signal called TeleMessage.

The DOD has multiple classified systems and Secure Compartmentalized Information Facilities (SCIFs) that are designed to secure classified or sensitive military discussions.

Coons retorted that he was “hoping to hear from you that you had some sense of regret over sharing what was very sensitive, timely information about a military strike on a commercially available app,” arguing that there have been “no consequences” for the incident.

In response to questions submitted to the White House about the investigation into Waltz and current policy on the use of Signal, spokesperson Anna Kelly responded:
“As we have said many times, Signal is an approved app for government use and is loaded on government phones. Mike Waltz will make an outstanding US Ambassador to the United Nations.”

Sen. Tim Kaine, D-Va., questioned how Waltz could claim no classified information was shared when there are separate ongoing investigations by DOD and Air Force into Secretary of Defense Pete Hegseth for his role in the chat.

“They certainly haven’t reached any conclusion that classified information wasn’t shared,” Kaine said. “Am I wrong about that?”

Waltz said he couldn’t comment on ongoing investigations but echoed previous congressional testimony from Hegseth that no names, targets, locations, units, routes, sources or methods were shared in the chats.

The post Waltz brushes off SignalGate questions, points finger at CISA appeared first on CyberScoop.

Testing TLS and Certificates

By: BHIS
25 January 2024 at 11:00

Pentest reports sometimes include bad information under a heading like, “Weak TLS Configuration” or “Insecure SSL Certificates.” This article will explain how TLS is supposed to work, common ways it […]

The post Testing TLS and Certificates appeared first on Black Hills Information Security, Inc.

How I Cracked a 128-bit Password

By: BHIS
4 October 2018 at 10:32

Sally Vandeven// TL;DR – Passwords stored using reversible encryption, even if they are VERY LONG, can be trivially reversed by an attacker. Password cracking is quite enjoyable. It is very satisfying […]

The post How I Cracked a 128-bit Password appeared first on Black Hills Information Security, Inc.

Finding: Server Supports Weak Transport Layer Security (SSL/TLS)

By: BHIS
14 June 2018 at 09:32

David Fletcher// The following blog post is meant to expand upon the findings commonly identified in BHIS reports. The “Server Supports Weak Transport Layer Security (SSL/TLS)” is almost universal across […]

The post Finding: Server Supports Weak Transport Layer Security (SSL/TLS) appeared first on Black Hills Information Security, Inc.

Two Button PWNage

By: BHIS
17 November 2016 at 12:15

Logan Lembke // Step One: Power. Step Two: Enter. Step Three: ???? Step Four: Profit. In the security industry, we love our encryption. However sometimes, the complexity introduced by encryption […]

The post Two Button PWNage appeared first on Black Hills Information Security, Inc.
