Posts Tagged ‘NSA’
Wednesday, April 23, 2014 @ 04:04 PM gHale
The National Institute of Standards and Technology (NIST) removed the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) from its list of random number generators (RNG).
This matters because the RNG came to NIST by way of the National Security Agency (NSA), which has had trust issues of late.
RSA used Dual_EC_DRBG in its BSAFE products after accepting $10 million from the NSA. People instantly became concerned the algorithm contained a backdoor that would allow the intelligence agency to obtain the encryption keys of all users, and therefore to defeat the very purpose of the product.
NIST recommended against the use of the algorithm at the time, but it has only just now taken the final step to remove it from its draft guidance on RNGs.
“The revised document retains three of the four previously available options for generating pseudorandom bits needed to create secure cryptographic keys for encrypting data. It omits an algorithm known as Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator. NIST recommends that current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible,” NIST said.
The institute explained that its decision to remove the Dual Elliptic Curve Deterministic Random Bit Generator from the list comes after it performed an evaluation, but also in response to the lack of public confidence in the algorithm.
NIST advises anyone still using the NSA-recommended algorithm to stop doing so and use one of the three remaining approved alternatives. NIST issued an advisory to federal agencies and other buyers of cryptographic products to simply ask vendors if their cryptographic modules rely on Dual_EC_DRBG and if so, to ask for the products’ reconfiguration.
“Most of these modules implement more than one random number generator. In some cases, the Dual_EC_DRBG algorithm may be listed as included in a product, but another approved algorithm may be used by default. If a product uses Dual_EC_DRBG as the default random number generator, it may be possible to reconfigure the product to use a different default algorithm,” NIST said.
Monday, March 10, 2014 @ 05:03 PM gHale
Yes, the NSA remains in the news along with Edward Snowden, but security professionals are living in the here and now and are more concerned with everyday issues like external threats from the bad guys, a new survey said.
“While the debate over the NSA and its authority does carry importance, this survey clearly demonstrates that IT security pros are more concerned with cybercriminals than government action,” said Fred Touchette, senior security analyst at software-as-a-service provider, AppRiver. “These are the people who deal with security every day, whose jobs depend on keeping networks secure, and who see threats as a practical problem, not a theoretical or philosophical issue.”
More than 110 attendees at RSA Conference 2014 took the survey, conducted via in-person interviews by AppRiver, a provider of email messaging and Web security solutions.
When asked to name the most dangerous threat to the security of their organization, the response breakdown follows:
• 56.2 percent of respondents report cybercrime from external sources as most problematic
• 33 percent said insider threats with non-malicious intent give them the most trouble
• 5.3 percent blame malicious insiders for causing the biggest security headache
• 5.3 percent point the finger at external threats from government as chief offender
Malware, including email-borne and web-based threats, topped the list of most concerning threat vectors followed by personally identifiable information (PII) and social engineering. The majority of respondents, 71.4 percent, cited people as the most frequent (or most likely) point of failure for IT security. 21.4 percent faulted process and 7.2 percent labeled technology as the weak link.
“As a new breed of cybercriminal gets more sophisticated, IT security pros believe employees are not prepared for the more serious threats,” Touchette said. “This chasm demands a comprehensive security strategy that takes into account all threat vectors from technological and human standpoints. Organizations need a layered security approach that includes technology, training, awareness and enforcement to keep both inadvertent and intentional attacks from happening.”
Despite the Snowden incident, more than two thirds of respondents do not think it is time to ask employees to take psychometric tests to determine their honesty. When asked if IT security pros themselves would be willing to take such a test as a condition of employment, more than 65 percent said yes.
Friday, January 10, 2014 @ 02:01 PM gHale
Cyber attacks are the greatest threat to U.S. national security, according to a survey released Monday.
A cyber attack is the single greatest threat, according to 45 percent of respondents in the Defense News Leadership Poll. That response came in almost 20 percent above terrorism, which ranked second.
The poll, underwritten by United Technologies, surveyed 352 Defense News subscribers, based on job seniority, between Nov. 14 and Nov. 28, 2013. The poll targeted senior employees within the White House, Pentagon, Congress, and the defense industry.
It’s not the first time cyber has ranked at or near the top of a list of security concerns. Seventy percent of Americans called a cyber attack from another country a major threat in a Pew Research Center survey released last month.
Defense Department officials continue to warn about the increasing threat. FBI Director James Comey, Rand Beers, the then-acting secretary for the Homeland Security Department, and Gen. Keith Alexander, director of the National Security Agency, each voiced their concerns before Congress last year.
And House Intelligence Committee Chairman Mike Rogers, R-MI, called it the “largest national security threat to face the U.S. that we are not even close to being prepared to handle as a country.”
Meanwhile, more than half of poll respondents said U.S. Cyber Command and the NSA should have separate leaders, but the Obama administration ruled out such a move last month. Alexander, who will most likely retire later this year, has overseen both agencies since 2010.
Friday, November 1, 2013 @ 05:11 PM gHale
Tor traffic increased by 350 percent over the third quarter, a new report said.
Although surging Tor usage may be attributable to anti-NSA surveillance activities, it is also possible the August and September surge in Tor activity came from a new variant of the Mevade malware family, according to the Solutionary Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report for Q3 2013.
By designing the malware to use the Tor network to hide its command and control servers, the developers end up deploying malware that is harder to detect.
Other findings include:
• Hacktivist campaigns continued to compromise and deface the websites of Israel- and European Union-based organizations.
• Phishing emails continued to be successful attack vectors, with attackers using them to launch APT campaigns.
• There has been an uptick in anomalous ICMP traffic outside the realm of normal activity based on the structure and frequency of packets.
The hacktivist campaigns OpUSA and OpIsraelReborn continued to compromise and deface Israel- and European Union-based organizations’ websites; the primary attack vectors consisted of spear phishing, Domain Name System (DNS) registry tampering, SQL injection, Cross-Site Scripting (XSS) and Distributed Denial of Service (DDoS) attacks, the report said.
Spear phishing attacks identified by SERT show that users still fall victim to phishing despite the existence of anti-phishing awareness programs within organizations. While tactics and techniques have evolved over the years, this specific attack vector has maintained a very high success rate.
The report found a noticeable increase in ICMP traffic targeting monitored devices in the U.S. and Europe. While ICMP serves diagnostic and control purposes and occurs in normal traffic, SERT identified traffic outside the realm of normal activity based on the structure and frequency of the packets. One such payload shared commonalities with the worm Nachi.
Wednesday, October 2, 2013 @ 10:10 AM gHale
Seventeen Carnegie Mellon University (CMU) graduate students earned cyber security scholarships from the National Science Foundation, the Department of Homeland Security’s CyberCorps Scholarship for Service (SFS) Program and the Department of Defense’s Information Assurance Scholarship Program (IASP).
The SFS awards went to nine students in CMU’s Information Networking Institute (INI) and six students at CMU’s Heinz College. The IASP awards went to two INI students.
Both programs share a common goal: to increase and strengthen the number of federal information assurance professionals who protect the nation’s critical infrastructures and national defense.
“As future federal employees, the SFS and IASP scholars delve into challenging engineering and information assurance coursework and engage in interdisciplinary cyber security research. In addition to the emphasis on the technologies and strategies related to cyber defense and cyber offense, CMU’s cyber security curricula explore risk management, economics and policy issues related to reducing vulnerability and securing our national information infrastructure,” said Dena Haritos Tsamitis, INI director and director of education, training and outreach for CyLab. She is also the principal investigator of the grants.
Increased global cyber attacks make the training and retention of cyber security experts a priority of the U.S. government. The National Security Agency (NSA) and the United States Cyber Command designated Carnegie Mellon as a National Center of Academic Excellence (CAE) in cyber operations for 2013-2018. The National Security Agency designated the university as a CAE in Information Assurance Education and a CAE in research.
More than 160 students in the SFS program have graduated from CMU in the past decade. One student in the IASP graduated from the INI in 2012.
Both programs provide full-tuition scholarships and stipends to scholars in exchange for working for the federal government after graduation.
Thursday, September 19, 2013 @ 05:09 PM gHale
After reports of hacking attempts, Brazilian oil giant Petrobras wants to keep itself on the winning security edge by increasing its spending on its IT infrastructure this year and for the following four years at least.
Maria das Graças Silva Foster, president of Petrobras, said at a public hearing in the Brazilian Senate the company will invest $1.8 billion (R$4 billion) in 2013 and $9.6 billion (R$21.2 billion) between 2013-2017 on information technology and telecommunications.
“This is a policy that is so important it has been personally approved by the board of directors,” said Graças Foster. “The management of our goods, people, information and the wealth we create is of crucial importance.”
During the joint hearing with the Parliamentary Commission for the Espionage Inquiry and the Economic Affairs and Foreign Relations committees in the Senate, she said the company constantly monitors and protects its information. As one case in point, she cited the quantity of emails that end up preemptively blocked.
“Between August 09 and September 09 we received 195.9 million emails,” she said. “Of these, 16.5 million arrived at their destination.”
Regarding press reports the U.S.’ National Security Agency (NSA) targeted Petrobras through espionage, the president said no violation of Petrobras systems had been recorded, but the presence of the company’s name in reports has created “discomfort.”
“Systems used by Petrobras are among the most advanced on the market,” she said, emphasizing “investment in information security should be set to follow technological developments.”
Graças Foster said Petrobras has an integrated data processing center, which has restricted access, and the company’s strategic information does not go through the Internet.
“The company’s knowledge is held at the data processing center. Critical information is stored in an encrypted closed system. Access to the center is controlled with biometrics, weighing and monitoring with cameras,” she said. Despite working with partner companies and suppliers, only Petrobras holds all the information, and only the company is allowed to read it, she said. Additionally, Petrobras has contracts that provide for confidentiality.
Strict security procedures included requiring scientists and functionaries to avoid transferring the most critical data, such as seismic studies of the company’s oil reserves, through the Internet.
Monday, September 16, 2013 @ 02:09 PM gHale
The National Security Agency (NSA) influenced the National Institute of Standards and Technology (NIST) to adopt a tainted encryption standard.
That standard, made by the NSA, included a weakness known only to the NSA. The standard in question is NIST Special Publication 800-90, according to a report in The New York Times.
NSA cryptographic experts authored the standard, which NIST adopted in 2006. It includes four Deterministic Random Bit Generators, one of which, Dual_EC_DRBG, is meant to create random numbers to seed encryption keys; as it turns out, the random numbers it produces have a small bias.
Expert cryptographer Bruce Schneier and his colleagues Dan Shumow and Niels Ferguson published research in 2007 detailing the flaw and theorizing it was a deliberate back door. Schneier remained puzzled as to why the NSA was so insistent about including this generator in the standard.
“It makes no sense as a trap door: It’s public, and rather obvious. It makes no sense from an engineering perspective: It’s too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy,” he said, and recommended that nobody use it.
The standard ended up not only adopted by NIST, but by the International Organization for Standardization and Canada’s Communications Security Establishment, as well, according to the Times report.
NIST said it “would not deliberately weaken a cryptographic standard” and that it would continue its mission “to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large.”
“NIST has a long history of extensive collaboration with the world’s cryptography experts to support robust encryption. The National Security Agency (NSA) participates in the NIST cryptography development process because of its recognized expertise. NIST is also required by statute to consult with the NSA,” the institute said.
Finally, in a gesture of good will and in the hope of regaining some of the trust it has lost from the security community, NIST reopened the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C so the public can peruse and comment on the standard for a second time.
“If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible,” NIST said.
Thursday, September 5, 2013 @ 05:09 PM gHale
In a move to cultivate more U.S. cyber professionals in the fast moving global security environment, the National Security Agency’s (NSA) National Centers of Academic Excellence (CAE) in Cyber Operations Program added four new schools.
NSA selected the following schools to receive the CAE-Cyber Operations designation for the 2013-2014 academic year:
• Air Force Institute of Technology in Ohio
• Auburn University, Alabama
• Carnegie Mellon University, Pennsylvania
• Mississippi State University
The program, which now has eight schools, complements more than 100 existing centers of academic excellence (CAEs) in research and information assurance education — jointly overseen by NSA and the Department of Homeland Security.
An outgrowth of the President’s National Initiative for Cybersecurity Education, the program identifies institutions that have a deeply technical, interdisciplinary curriculum centered on fields such as computer science and electrical engineering. The agency has long worked with schools to improve education in science, technology, engineering, and mathematics.
In addition, the program offers some participants opportunities to apply their learning or enhance their teaching in summer seminars at NSA. Participating students and faculty members do not engage in actual U.S. government intelligence activities.
Steven LaFountain, an NSA technical leader, said legal and ethical issues in cyber security are a required and critical part of the effort.
“In the application process and in all of its work with selected schools, NSA emphasizes the importance of integrity and compliance,” he said. “Cyber skills are increasingly important in national defense, but it’s even more important to operate as responsible citizens in the use of such skills.”
Topics covered are routinely taught in colleges and universities, but this initiative seamlessly integrates the material to help students better understand how they could someday help to defend the nation. Summer seminar participants must undergo background checks and obtain temporary, top-secret security clearances.
The schools chosen in 2012, the program’s first year, were Dakota State University, South Dakota; the Naval Postgraduate School, California; Northeastern University, Massachusetts; and the University of Tulsa, Oklahoma. Like the agency’s other CAEs, those in the cyber operations program are evaluated annually. Designations are for five years and schools across the country can compete to join each year.
Retired Lt. Gen. Ronald L. Burgess Jr., a former director of the U.S. Defense Intelligence Agency, now serves as Auburn University’s Senior Counsel for National Security Programs, Cyber Programs, and Military Affairs. The CAE-Cyber Operations project has real merit, he said.
“Auburn has devoted significant resources and interdisciplinary rigor across campus to expand new cyber initiatives and extensive collaboration with external organizations,” he said. “We are extremely pleased that NSA has recognized our efforts by selecting Auburn University” for the program. “It is important to the nation — and we want to be a part of the strategic way ahead and feel we can contribute to this national need.”
Details about NSA’s Centers of Academic Excellence are available online.
Wednesday, July 31, 2013 @ 04:07 PM gHale
By Gregory Hale
Know all the facts before rushing to a decision or judgment, said General Keith Alexander.
That is the essential idea behind the PRISM program, the National Security Agency’s controversial intelligence gathering program. That tool was a vital part in thwarting 54 terrorist attacks worldwide, Alexander said during his keynote address at the Black Hat security conference in Las Vegas Wednesday. Of those 54 potential attacks, 13 were in the U.S., 25 in Europe, 11 in Asia and five in Africa.
The program and the NSA came to light after NSA contractor Edward Snowden leaked information warning the extent of mass data collection was far greater than the public knew and included what he characterized as dangerous and criminal activities.
“I believe what has happened; the damage to our country is significant and irreversible,” Alexander said.
Alexander came off defending what the NSA is all about and what it is trying to do in defending the country. Alexander said U.S. companies are not providing far reaching access to customer data, and only 35 NSA analysts have authorization to search phone metadata and emails. He also talked about the intense oversight involved from the three branches of government so as not to obstruct civil liberties.
Alexander talked about two programs. One is Section 215 Authority, a program designed to identify the communications of persons suspected to be associated with terrorist organizations communicating with individuals inside the U.S.
The other program was Section 702 Authority, which is for foreign intelligence purposes and applies only to communications of foreign persons located abroad and requires valid documentation for foreign intelligence purposes such as counterterrorism.
“Under 702, the U.S. does not unilaterally obtain information from the servers of U.S. companies,” Alexander said. “Industry is compelled to comply with this program.”
The genesis of the two programs was the result of terrorist incidents from the World Trade Center Attack in 1993 to the 9/11 attacks to the Boston Marathon attack this past spring.
“The intelligence community, according to the 9/11 Commission, failed to connect the dots. We didn’t know because we didn’t have the tools and capabilities that showed (the attackers) were actually in California,” Alexander said.
“Virtually all democracies have lawful intercept programs,” he said. The goal of the programs is to collect information, but not a huge depth of information, Alexander said. Under Section 215, the NSA collects the date and time of a call, the calling number, the called number, the duration of the call, and the origin of the metadata. The NSA does not collect the content of calls: no voice, no SMS, no names, no addresses, and no credit cards.
In one case these programs helped disrupt a terrorist plot to bomb the New York City subway system, Alexander said.
Time was of the essence in this case. The attacker was in California and started driving across the country. “We intercepted this in early September 6 or 7 and the targeted attack date was by the 14th of September. The FBI had to put the pieces together quickly.”
“We gave the email address to the FBI and they took that email address and determined a phone number that connected to New York City and they found that number also connected to other terrorist groups.”
“This would have been the biggest terrorist attack since 9/11 on U.S. soil,” he said. “The initial tip came from the PRISM 702 data. We were able to stop the attack,” Alexander said.
As a part of the foreign intelligence program, the NSA intercepted an email from a terrorist in Pakistan. “By using 702 (the foreign intelligence program), we intercepted some communications and were able to get a phone number that was a potential terrorist.”
Is what the NSA is doing perfect? No, but Alexander said he wants to reach out and try to see how to improve upon intelligence gathering.
“Put the facts on the table. The nation needs to know we are going to do the right thing. If we make a mistake we will hold ourselves accountable.”