Summary:
In today's world, the disclosure of personal information of 30,000 government workers on the Internet is hardly enough to break into the news cycle. But, because it affected the departments of Justice and Homeland Security, it seems just worthy of note. The information seems to have been obtained by a politically motivated hacker who used information about an employee on a social media site to leverage access to government employee directories.

Summary:
The emails of the CIA director and the Director of National Intelligence were the victims of email hacking, and a British teenager has been arrested for it. The investigation of the exploit has focused on "Crackas With Attitude", and they are suspected of leaking government employee information (see the preceding news item).

The exploit may have been "old school" because it is rumored to have been based on convincing Verizon workers that they were talking to the victims. The hackers got the account access information changed so that they could login to the victims' email accounts. They also claimed to have changed voice forwarding on one of the phones.

NIST announces the completion of Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General. This Recommendation provides general cryptographic key management guidance. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Public comments received during the review of this document are provided here.

NIST requests comments on SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms. The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government, but with a focus on using the cryptographic offerings currently available, rather than building one's own implementation. SP 800-175B is intended to provide guidance to the Federal government for using cryptography and NIST's cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage. The cryptographic methods and services to be used are also discussed. The first document in the series (i.e., SP 800-175A) will be available shortly. Please provide comments on SP 800-175B by Friday, April 29, 2016.
Comments may be sent to SP800-175@nist.gov, with "Comments on SP 800-175B" as the subject.

The iPhone lands in hot water, crypto-wise
In the past two months there have been many stories about how the US government has been raising legal objections to commercial applications that encrypt data without providing any backdoors for law enforcement. Apple iPhones have been the focal point for the controversy, and the Justice Department has taken the unusual step of ordering Apple to produce a digitally signed (cf. Turing award) and weakened version of its OS to load onto the iPhone of a dead terrorist.

The debate about public safety vs. personal privacy has moved into new territory. We present a selection of pointers to news and commentary about it.

• Justice Dept.: Apple won't help unlock iPhone due to worry about 'impact on its reputation'
  The Washington Post
  Feb 19, 2016
  by Mark Berman
• US government files appeal in New York iPhone unlocking case
  The Guardian
  March 7, 2016
  by Danny Yadron
• Apple, The FBI And iPhone Encryption: A Look At What's At Stake
  NPR
  February 19, 2016
  by Alina Selyukh and Camila Domonoske
• Congressional Committee Testimony re encryption
  by Susan Landau
• Apple Letter to Customers
  February 16, 2016
  by Tim Cook
  
• Obama at SXSW: "Dangers are real" in debate over encryption
  AP Wire
  Mar 12, 2016

Summary:
Federal Trade Commission chief technologist, Lorrie Cranor, has some contrarian advice about password changes. An expert in human factors issues for computer security, Cranor suggests that people have enough trouble coming up with one good password, let alone a constant stream of them. The result is that bad passwords are used more often when changes are frequent. Case studies bear out the claim. Some people take this as just one more reason to give up on passwords altogether and switch to biometric authentication.

Summary:
As reported in the last issue of Cipher, in 2013, using off-the-shelf malicious software tools, someone gained access to the "backoffice systems" for a dam in New York state. Although no damage resulted, it was unsettling to US officials to have a piece of physical infrastructure come close to being breached. Iran has been named the likely culprit, and an indictment may be handed down soon.

Summary:
As Cipher's book review this month points out, car hacking is now an activity. So serious a thing that there have been three separate software security updates by major manufacturers in the past year, one of them involving a recall. The Alliance of Automobile Manufacturers and Association of Global Automakers late last year opened an Information Sharing and Analysis Center. Perhaps this will help improve the awareness of risks and secure design methods.

The FBI and NHTSA warn that owners might be tricked into installing malicious software updates on their smartphones (there's an app for your car) or directly onto their vehicles. That software might let hackers take control of vehicles and cause mayhem. Federal Bulletin.

Summary:
Decades ago two Stanford researchers decided to tackle the seemingly off-limits topic of cryptography, and they ended up making the remarkable discovery of public key cryptography. Now, the pair, Whitfield Diffie and Martin Hellman, have received the ACM's Turing Award for 2015.