IEEE Cipher --- Items from security-related news (E132.May-2016)
Summary:
Cipher has previously noted that the healthcare industry is a
target for malware attacks, and several hospitals in the MedStar
system were hit in late March. The problems may have been caused by
the infamous ransomware crypto attack. MedStar may have recovered
by shutting down its systems and restoring from backups.
NIST invites comments on the second draft of Special Publication (SP)
800-90C, Recommendation for Random Bit Generator (RBG) Constructions. This
Recommendation specifies constructions for the implementation of
RBGs. An RBG may be a deterministic random bit generator (DRBG) or a
non-deterministic random bit generator (NRBG). The constructed RBGs
consist of DRBG mechanisms, as specified in SP 800-90A and
entropy sources, as specified in SP 800-90B.
Email comments to: rbg_comments@nist.gov with subject "Comments on Draft SP 800-90C" preferably using the Comment Template.
Comments due by: Monday, June 13, 2016 at 5:00PM EDT.
On May 2-3, 2016, NIST will host a workshop on Random Number Generation to
discuss the SP 800-90 series of documents--specifically, SP 800-90B
and SP 800-90C.
Summary:
Law enforcement demanded Apple's help in unlocking two iPhones. They
claimed that because of differences in Apple's operating systems, the
technique used on the San Bernardino terrorist's phone would not work
on phones at the center of investigations in Boston and Brooklyn.
Summary:
A "gray hat" firm, knowing of a flaw in Apple's operating system used on
the iPhone of a terrorist, used that knowledge and some custom hardware
to unlock that phone's data. The FBI director indicated that the bureau
had paid more than one million dollars for the data.
Summary:
The Government Accountability Office (GAO) has taken a look at the security of
the smart devices that are beginning to connect cars to the Internet, and
they are concerned. Their report, Vehicle Cybersecurity, paints a gloomy picture of the
threats looming against a landscape of unstoppable automation.
Summary:
Apparently the Government Services Administration (GSA) uses Google for
online chatting, and apparently they had their access permissions set
just a little too wide. Although 100 "Google drives" were publicly
accessible, the GSA believes that no information was shared inappropriately.
As far as they know. Both GSA's Inspector General and Congress would like
to know more.
Summary:
Somehow, several employees leaving the FDIC downloaded the personal data of
thousands of customers when they thought they were taking only their own
data. The employees have said that they did not further disclose the
information. Congress, when notified, was disturbed. The FDIC says it
is taking several measures to improve cybersecurity, including restricting
the use of USB drives through operating system modifications.
The real reason America controls its nukes with ancient floppy disks
The Washington Post
by Brian Fung
May 26, 2016
The US military has had its ups and downs with modern technology, and it
remains wary of wholesale adoption of newfangled things like USB drives
and the Internet. Despite the fact that malware was originally spread
via floppy disks, they are apparently viewed as the most secure data
transfer method for our missile systems. These systems are "not on the Internet", probably because the most secure way to attach to the Internet is to
cut the cable and disable wifi. But the military has an even larger
problem trying to attract young talent to its cybersecurity ranks. Industry
offers high salaries and glitzy dreams of wealth, and the military entices
only a tiny percentage of new graduates.
Hospital Chain Endures Malware Attack
The Salt Lake Tribune
By Jack Gillum, David Dishneau and Tami Abdollah
The Associated Press
Mar 29, 2016
NIST Tackles Random Bits
FBI No Stranger to Hacking
The New York Times
By Matt Apuzzo
Apr 14, 2016
According to recently revealed documents, the FBI resorted to hacking in 2003
when an investigation was stymied by encryption. The animal rights group
was using PGP for their communication, and even a full wiretap was not
getting the FBI enough information to prosecute. Then the FBI managed to
install surreptitious monitoring software on the suspects' computers. As
a result, they were convicted, and the conviction was upheld in 2009.
The Federal Appeals Court noted that use of encryption could be considered
as evidence of criminal intent.
Microsoft Wants to Tell You About Search Warrants
The Washington Post
By Ellen Nakashima
Apr 14, 2016
On average, the FBI issues more than 5 warrants per day to Microsoft
for the purpose of obtaining customer data. Most of these are for
unlimited duration and have a gag order attached. Microsoft has filed
suit, claiming that under the Fourth Amendment, customers should
be notified about the data collection. It seems clear that any
presumption of privacy of customer data held by large companies
is ... unwarranted.
Computer science education has no cybersecurity?
Slate.com
By Josephine Wolff
Apr 16, 2016
Professor Wolff believes that cybersecurity is a quickly changing field.
Although it deserves study, requiring it of all computer science
majors should not be done until the community agrees on what the
essentials really are. Absent metrics and evaluations of effectiveness,
such a requirement might result in detracting from the ability to
teach students the core concepts of computer science.
$1M USD, and the FBI remains basically clueless (5 items). Last March
the FBI demanded Apple's help in breaking into iPhones. Apple resisted,
and since then, the FBI has gained access to at least two phones
without the company's help, something it had claimed it did not
know how to do, despite having a state-of-the-art cybercrime lab. The FBI
claims that it still does not know how to get the data because in
at least one case, it paid an outside firm for the data but did not
get any insight into how the encryption protections were breached.
The Washington Post
Ellen Nakashima
Apr 25, 2016
Saying that someone had come forward with the passcode for unlocking an
iPhone that was part of a criminal investigation, the FBI dropped one
of its demands that Apple provide assistance by developing a bypassable
operating system. The fact that two iPhones have been accessed without
Apple's help seemed to undermine the FBI's claims that no alternative
technology existed. This might affect the standard of evidence that the
government must supply in future, similar, cases.
The New York Times
By Eric Lichtblau and Katie Benner
Apr 8, 2016
CNN Money
By Laurie Segall, Jose Pagliery and Jackie Wattles
Mar. 28, 2016
The FBI, after going to court to get access to iPhone data relevant to the
San Bernardino attacks, abruptly postponed the case when it used newly
found technology to exploit a flaw. This caused a debate to erupt about
disclosing the flaw so that Apple could patch its operating system and
protect its users world-wide from malicious hackers.
The Washington Post
By Ellen Nakashima
Apr 12, 2016
The Washington Post
By Ellen Nakashima
Apr 26, 2016
The FBI deflected a debate about disclosing the flaw that was used to access
data on the San Bernardino terrorist's iPhone. Claiming that they had
"limited understanding" of the means used to bypass Apple's cryptographic
protections, the bureau implied that its $1M expenditure was for the data
only, not the technique. Thus, it can offer no information to help Apple
fix bugs in its operating system.
Malware and the car (cf book review in March Cipher).
The Washington Post
By Joe Davidson, Columnist
May 18, 2016
When is a config glitch a "breach"? (2 items)
The Washington Post
By Joe Davidson, Columnist
May 16, 2016
The Washington Post
By Joe Davidson, Columnist
May 16, 2016
Banking network used for theft, blame the banks, not the network (2 items)
The New York Times
By Michael Corkery
Apr 30, 2016
Using a thoroughly penetrated banking computer system in Bangladesh, hackers
made off with $81M by transferring money using the SWIFT banking
network. This was only a fraction of what the thieves were attempting
to steal.
The New York Times
By Michael Corkery
May 13, 2016
An unnamed commercial bank was the victim of a theft that was similar to the
Bangladesh bank exploit. Experts suspect that thieves are using insider
information to get credentials that allow them to submit fraudulent
transfer instructions over the SWIFT banking network.
Crypto Wars Drag On (2 items)
The Salt Lake Tribune
By Tami Abdollah
The Associated Press
Apr 8, 2016
The Senate Intelligence Committee drafted a bill aimed at ensuring that
law enforcement would always have access to encrypted data. The onus
of the requirement would fall on technology companies. The opposition
claimed that this would mandate "back doors" that would put all customers
at risk.
The New York Times
By Cecilia Kang
May 9, 2016
A visit by the Manhattan district attorney, Cyrus Vance, was one of
several events highlighting the divide between law enforcement and
tech companies over encryption technology. The lobbying efforts of
both sides were initiated by the FBI's demands that Apple produce
methods for accessing iPhone data. Apple contends that this would
be bad for the security of the phones that are becoming the core of
digital identities.
Nakamoto is an Ozzie?
The New York Times
By Paul Mozur and Nathaniel Popper
May 2, 2016
Saying that he didn't care if anyone believed him or not, Craig Steven
Wright, an Australian entrepreneur, claimed the title of Bitcoin
inventor. The tech world did not rush in to coronate him, though.
While Bitcoin struggles to find a pathway for future growth, finding
the person who originated the concept may help to clarify the vision
and consolidate the community. Wright's demonstration of possessing
a private key that proves that he is the Bitcoin inventor did not
seem to satisfy skeptics.
Really Bad Idea: Unpack malware in the kernel
The Register
by Richard Chirgwin
May 19, 2016
When a respected anti-virus software company produces a vector for
spreading malware across almost all major platforms, it's news.
The Symantec Core Antivirus Engine is called when scanning material
for malware, and it runs in OS kernels and scans, among other things,
email. A bug in the unpacking routine of an early version of the software caused
a buffer overflow. A buffer overflow in the kernel of Linux, MacOS, or Windows
is Really Bad News (a nightmare scenario for Symantec).