01. Google Enhances Data Privacy with Client-Side Encryption for Gmail and Google Calendar

Google has announced the general availability of client-side encryption (CSE) for Gmail and Calendar, aimed at reducing the “burden of compliance” for enterprises and public sector organizations, ensuring that no third party, including Google, can access confidential data.

CSE encrypts data before it reaches Google servers, allowing users to send and receive encrypted emails and create encrypted meeting events within their organizations or to other external parties.

The feature is globally available to Workspace Enterprise Plus, Education Standard, and Education Plus customers and does not extend to personal Google accounts.


02. NIST Standardizes Ascon Algorithm for Lightweight IoT Security

The US National Institute of Standards and Technology (NIST) has chosen a suite of authenticated encryption and hashing algorithms known as Ascon for standardization in lightweight cryptography applications, such as the Internet of Things and implanted medical devices.

Ascon offers authenticated encryption with associated data (AEAD) and resistance against quantum key search. It is easy to implement with countermeasures against side-channel attacks and ensures that protected data is authentic and unchanged in transit. While NIST recommends AES and SHA-256 for general use, Ascon is aimed at devices with limited resources.

03. Unlocked! TPM 2.0 Vulnerabilities Allow Hackers to Swipe Cryptographic Keys

Two buffer overflow vulnerabilities have been found in the Trusted Platform Module (TPM) 2.0 specification that could potentially give attackers access to or allow them to overwrite sensitive data, including cryptographic keys.

The vulnerabilities, CVE-2023-1017 and CVE-2023-1018, impact billions of devices and arise from how the specification processes the parameters for some TPM commands.

The vulnerabilities require authenticated local access to a device, so users are recommended to limit physical access to their devices, use signed applications from reputable vendors, and apply firmware updates as soon as they become available.


04. Identity Theft Alert: Texas Bank Breach Exposes Thousands of Social Security Numbers

Texas-based Happy State Bank (HSB) has revealed that over 17,000 customers’ Social Security numbers were exposed in a suspected cyberattack. A phishing attack on an email account belonging to a former employee in July 2022 allowed cybercriminals to access customer data.

Sensitive customer data was stored in attachments to the former employee’s emails, but HSB claims there is no evidence attackers accessed or viewed the data. The bank has offered credit monitoring and protection services to affected customers.

05. Locked and Secured: AWS Implements Default Server-Side Encryption for S3 Objects

AWS has made server-side encryption (SSE-S3) a default feature for all Simple Storage Service (S3) buckets, meaning that all S3 buckets will have a base level of encryption by default. Previously an opt-in feature, the AWS-provided encryption relies on Advanced Encryption Standard (AES) encryption with 256-bit keys.

Customers can still choose from three server-side encryption options, SSE-S3, AWS Key Management Service keys (SSE-KMS), and customer-provided encryption keys (SSE-C), or use client-side encryption. The change will be logged in the AWS CloudTrail data event logs.
