Items from security-related news (E108.Jun-2012)

Information from NIST
Second Public Draft, Special Publication 800-130, A Framework for Designing Cryptographic Key Management Systems
Public Comment Period: April 13, 2012 through July 30, 2012.
Email Comments to: ckmsdesignframework@nist.gov
Second Public Draft Details:
NIST requests comments on SP 800-130, A Framework for Designing
Cryptographic Key Management Systems. This is a revision of the
document that was provided for public comment in June 2010. Comments
are requested by July 30, 2012 and should be sent to
ckmsdesignframework@nist.gov, with "Comments on SP 800-130" in the
subject line. Another document, SP 800-152, which provides a basic
profile of this framework document for the Federal government, will be
available for initial comment later this year.
Links:
Draft SP 800-130 (PDF) on CSRC website:
http://csrc.nist.gov/publications/drafts/800-130/second-draft_sp-800-130_april-2012.pdf

From Carl Landwehr: NSA Publication Addresses Security Science
The current issue of The Next Wave focuses on developing a blueprint
for a science of cybersecurity. It includes an introduction by Bob
Meushaw and seven articles looking at this topic from different
perspectives by Fred Schneider, Alessandro Chiesa and Eran Tromer,
Anupam Datta and John Mitchell, Dusko Pavlovic, Roy Maxion, Adam
Shostack, and Carl Landwehr. Copies are freely available in hard copy
(only) from:
National Security Agency
Attn: Kathleen Prewitt, Managing Editor
Suite 6541
Ft. George G. Meade, MD 20755-6541
or by email to: TNW@tycho.ncsc.mil

From the Washington Post, April 17, 2012
International Espionage Targets US Networks
From The Washington Post, May 11, 2012
Defense Contractors Try Out Monitoring Software
From the New York Times, June 1, 2012
Offensive Cyberwarfare is Here
From CNN Security Blogs, June 5th, 2012
Flame: Complicated, Clever, and Effective
From PC World, June 1, 2012
FPGA Design: Useful or Deceitful?
From the Deseret News, May 16, 2012
Ignored Server Leaks Personal Data of Utah Patients
From CNNMoneyTech, June 6, 2012
LinkedIn Caught With Its Salt Down
From the New York Times, April 14, 2012
The Cybercrime Wave that Wasn't

From the Washington Post, April 17, 2012
International Espionage Targets US Networks
Several nations are trying to penetrate U.S. cyber-networks, says ex-FBI official Shawn Henry.
http://www.washingtonpost.com/world/national-security/several-nations-trying-to-penetrate-us-cyber-networks-says-ex-fbi-official/2012/04/17/gIQAFAGUPT_story.html

From The Washington Post, May 11, 2012
Defense Contractors Try Out Monitoring Software
The Pentagon will expand a voluntary cybersecurity program for defense contractors. The system scans incoming email and selectively blocks outgoing connections.
http://www.washingtonpost.com/world/national-security/pentagon-to-expand-cybersecurity-program-for-defense-contractors/2012/05/11/gIQALhjbHU_story.html

From the New York Times, June 1, 2012
Offensive Cyberwarfare is Here
The US Department of Defense has signalled its participation in offensive
cyberwarfare several times in the past year. Now more information about
its involvement in the Stuxnet targeting of Iran's nuclear program is available.
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

From CNN Security Blogs, June 5th, 2012
Flame: Complicated, Clever, and Effective
The origin of the Flame virus remains unknown, but its capabilities are
wide-reaching. Allegedly, some of the code compromises Microsoft authenticity
checks by generating false credentials, but the details have yet to
be revealed. MD5 is a likely suspect.
http://security.blogs.cnn.com/2012/06/05/decoding-the-flame-virus/?hpt=hp_c3
For more cryptographic detail, see also the Cryptography Engineering Blog.

From PC World, June 1, 2012
FPGA Design: Useful or Deceitful?
FPGA security called into question. The company Microsemi says its chip
has a debugging mode; some analysts call it a backdoor.
http://www.pcworld.com/businesscenter/article/256666/microsemi_denies_existence_of_backdoor_in_its_chips_researchers_disagree.html?tk=out

From the Deseret News, May 16, 2012
Ignored Server Leaks Personal Data of Utah Patients
Analyzing a data breach that released personal information for nearly 800K
people, the state of Utah uncovered many procedural errors, and the state's
IT director lost his job.
http://www.deseretnews.com/article/865555954/Multiple-mistakes-led-to-massive-health-data-breach-director-says.html

From CNNMoneyTech, June 6, 2012
LinkedIn Caught With Its Salt Down
The password file from LinkedIn was revealed by persons unknown. The
file was easily subject to a dictionary attack because the passwords
were hashed without the well-known technique of "salting" the password.
Because the usernames were not part of the disclosure, it did not
compromise user accounts significantly.
http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm?hpt=hp_c1
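To illustrate why an unsalted hash file falls to a dictionary attack while a salted one does not, here is an added example (not from the article or from LinkedIn). It assumes bare SHA-1 as the hash, since the article names no algorithm, and the account list and wordlist are constructed for the example.

```python
import hashlib
import os

# Constructed sample data (not from the breach): four accounts, two sharing a password.
USERS = {
    "alice": "sunshine1",
    "bob": "letmein",
    "carol": "sunshine1",
    "dave": "correct horse battery staple",
}
# Constructed wordlist standing in for a precomputed dictionary of common passwords.
WORDLIST = ["123456", "password", "sunshine1", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Bare SHA-1 of the password (SHA-1 is an assumption; the article names no algorithm)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt plus the password; the salt is stored next to the digest."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_unsalted_store(users: dict) -> dict:
    """Unsalted store: identical passwords produce identical digests across accounts."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted_store(users: dict) -> dict:
    """Salted store: a fresh 16-byte salt per account makes every digest unique."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def precomputed_table(wordlist: list) -> dict:
    """Hash the wordlist once; the same table works against any unsalted store."""
    return {unsalted_hash(w): w for w in wordlist}


def recover_unsalted(store: dict, table: dict) -> dict:
    """One lookup per account: every account whose password is in the wordlist is recovered."""
    return {user: table[digest] for user, digest in store.items() if digest in table}


def recover_salted(store: dict, table: dict) -> dict:
    """The same table against salted digests matches nothing; each account would need its own pass."""
    return {user: table[digest] for user, (_salt, digest) in store.items() if digest in table}
```

The unsalted store gives up three of the four accounts with a single table lookup each, and shows alice and carol sharing a password; the salted store yields nothing to the precomputed table.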

From the New York Times, April 14, 2012
The Cybercrime Wave that Wasn't
An op-ed piece addresses the question of the economic impact of
cybercrime, finding little data to support numbers that have been
widely cited.
http://www.nytimes.com/2012/04/15/opinion/sunday/the-cybercrime-wave-that-wasnt.html?_r=1