Posts Tagged ‘NSA’

Wednesday, July 16, 2014 @ 09:07 AM gHale

In a move to strengthen its cryptography efforts, the National Institute of Standards and Technology (NIST) needs to increase its staffing to implement more explicit processes for ensuring openness and transparency, an advisory board said.

The Visiting Committee on Advanced Technology (VCAT) report also highlights the importance of having the trust and participation of the broader cryptographic community in NIST’s program.

In the fall of 2013, former NIST Director Patrick D. Gallagher requested that the VCAT review NIST’s cryptographic standards and guidelines development process, in response to concerns that a cryptographic algorithm in a NIST standard had been deliberately weakened.

In making its recommendations, the VCAT specifically addressed NIST’s interactions with the National Security Agency (NSA). The report states, “NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted.”

“Ensuring we have a process that delivers strong cryptography and protects the integrity of our standards and guidelines is our highest priority,” said Acting NIST Director Willie May. “We appreciate this review by the VCAT and the individual Committee of Visitor experts. NIST has already taken several steps to strengthen the process for developing cryptographic standards and will carefully consider these recommendations.”

The Federal Information Security Management Act (FISMA) of 2002 gives NIST responsibility for developing information security standards and guidelines for non-national security federal information systems. These standards and guidelines have been widely adopted by U.S. industry and the international community. FISMA also directs NIST to consult with other agencies such as the NSA, to promote coordination and avoid conflicting standards.

In May 2014, the VCAT convened a blue ribbon panel of experts called the Committee of Visitors (COV) and asked each expert to review NIST’s cryptographic process and provide individual reports of their conclusions and recommendations. The experts “point out several shortcomings and procedural weaknesses that led to the inclusion” of the algorithm, despite known community concerns with its security.

In its report, the VCAT said “it is of paramount importance that NIST’s process for developing cryptographic standards is open and transparent and has the trust and support of the cryptographic community.” The committee recommends NIST explore, “in addition to the current avenues, expanding its programs to engage academia and outside experts to aid in the review of specific technical topics.” The report also recommends that NIST review the current requirement for interaction with the NSA and recommends changes in instances where it “hinders [NIST’s] ability to independently develop the best cryptographic standards.”

The VCAT review was part of a larger initiative by NIST that included an internal review of its development process and the February 2014 release of a document outlining the principles behind that process. NIST IR 7977: DRAFT NIST Cryptographic Standards and Guidelines Development Process will wrap up by the end of this year, and will include more detailed processes and procedures that incorporate feedback from the VCAT and the public.

“We will continue to work with the best cryptography experts in the world, both inside and outside of government,” said May. “At the same time, we recognize and agree with the VCAT that NIST must strengthen its in-house cryptography capabilities to ensure we can reach independent conclusions about the merits of specific algorithms or standards.”

Friday, June 20, 2014 @ 05:06 PM gHale

Kansas State University’s cyber security center earned redesignation as a National Center of Academic Excellence in Information Assurance/Cyber Defense Research.

The university’s Center for Information and Systems Assurance gained the designation from the U.S. Department of Homeland Security (DHS) and the National Security Agency (NSA) and is effective from 2014 to 2019.

“The redesignation is a strong indication that the center’s research continues to be highly regarded by major federal agencies,” said Xinming “Simon” Ou, associate professor of computing and information sciences and director of the center. “This will help bring in future funding opportunities. The designation is also a requirement for our students to receive certain federal scholarships in cyber security.”

The official Center of Academic Excellence certificate was presented on June 16 in San Diego as part of the 18th Colloquium for Information Systems Security Education.

Kansas State University’s Center for Information and Systems Assurance — also known as CISA — involves a wide range of research in cyber security and information assurance, including high-assurance software, network security, cloud security, mobile-system security, cyber-physical system security, usable security, privacy and anonymity.

“We would like to grow the center by adding more faculty members and research staff who can work across disciplines, since cyber security is inherently a multidisciplinary problem involving both technical and social, behavioral and economical domains,” Ou said.

Some of the most exciting new research efforts in the center, such as bringing anthropology into cyber security and cyber-physical system security, are interdisciplinary, Ou said.

“To be successful in these endeavors, we need more people who can talk multiple languages and work with a diverse range of domain experts,” Ou said. “The goal is to make the center an established name in cyber security and increase our capability of going after major funding opportunities on a multimillion-dollar scale.”

The university’s Center for Information and Systems Assurance had previously received the Center of Academic Excellence designation from 2010 to 2015.

In its first four years of the national designation, the center achieved multiple goals:
• A $2.4 million National Science Foundation grant that started the university’s CyberCorp Scholarship for Service program. The center selected the first cohort of scholars in fall 2013.
• A $606,000 grant from the Department of Defense University Research Instrumentation Program is strengthening the university’s cyber security research and education infrastructure.
• John Hatcliff, university distinguished professor of computing and information sciences, has led the laboratory for specification, analysis and transformation of software, also known as the SAnToS laboratory, in creating technologies that major industry players use in the high-assurance software area.
• Ou is leading the Argus Cybersecurity Lab, which is improving cyber-infrastructure protection by working extensively with industry partners and proposing game-changing new ideas for cyber defense.
• Scott DeLoach, professor of computing and information sciences, is collaborating with Ou on a moving target-defense project supported by a $1 million grant received from the Air Force Office of Scientific Research.
• An interdisciplinary academic and industry collaboration is using a $700,000 National Science Foundation grant to bring anthropological methods into studying cyber defense operations.
• Eugene Vasserman, assistant professor of computing and information sciences, is using his expertise in system security, privacy and anonymity to investigate security issues in a medical device coordination framework. He has received two National Science Foundation grants for this effort, including the prestigious CAREER award.

Wednesday, June 11, 2014 @ 05:06 PM gHale

University of North Carolina at Charlotte gained re-designation as a National Center of Academic Excellence in Information Assurance/Cyber Defense Research from the National Security Agency (NSA) and the U.S. Department of Homeland Security (DHS).

In 2008, the university was one of the first in the country to receive this designation.

“This is an incredible honor, as this recognition reflects upon the outstanding research accomplishments of our faculty and staff,” said Bill Chu, a professor in the College of Computing and Informatics’ Department of Software and Information Systems.

The College of Computing and Informatics (CCI) is home to the Cyber Defense and Network Assurability (CyberDNA) Center, which is the focal point of cyber security research at the University.

The CyberDNA Center promotes automated analytics and synthesis in the design, configuration and evaluation of mission-oriented security systems; conducts advanced study by integrating multidisciplinary research from security, networking, reliability, risk management, economical, behavioral and physical world communities; and creates deployable tools to facilitate technology transfer and workforce (student) education and preparation.

CCI faculty collaborate with researchers from other colleges and external entities on wide-ranging cyber security topics, including security configuration, policy-driven security management, intrusion detection, prevention, deception and resiliency, threat/fault diagnosis, risk management, applied cryptology, privacy, application and DB security, wireless security, autonomous agents, data mining, visualization and complex adaptive systems.

The college also helped form the Center for Configuration, Analytics and Automation under the National Science Foundation’s Industry/University Cooperative Research Center (I/UCRC) program.

Tuesday, May 13, 2014 @ 08:05 PM gHale

The NSA has been targeting routers, servers and other computer network devices to plant backdoors, a researcher said.

According to a new report from Glenn Greenwald via The Guardian, the NSA plants backdoors and other spyware before these devices ship overseas. The information comes from the batch of files Edward Snowden provided the journalist with last year. The United States accused the Chinese government of doing exactly this thing with Huawei and ZTE.

The government’s attack on the Chinese manufacturers was so strong that Huawei decided to take a step back and abandon the U.S. market.

And while the American market was short of one big provider, the rest of the world should be avoiding the “Made in the USA” label for a range of products. Greenwald cites a June 2010 report from the chief of the NSA’s Access and Target Development department which indicates just how the NSA was fiddling with the tech shipments.

The NSA routinely receives or intercepts routers, servers and other computer networking devices exported from the United States before they are delivered to the international customers, the file said.

The agency implants the spying tools, repackages the devices with a factory seal and sends them on their way.

“In one recent case, after several months a beacon implanted through supply-chain interdiction called back to the NSA covert infrastructure. The call back provided us access to further exploit the device and survey the network,” the file reads, explaining just how the NSA conducts business.

Creating backdoors into products is not new. ISSSource reported in October 2011 that, facing mounting concern about Iran’s nuclear program, a top U.S. and Israeli technical team had developed a computer “malworm” designed to take down all of Iran’s computer software.

ISSSource learned that leaders of the three major software companies, Sergey Brin at Google, Steve Ballmer at Microsoft and Larry Ellison at Oracle, have been working with Israel’s top cyber warriors and have now come up with a new version of a Stuxnet-like worm that can bring down Iran’s entire software networks if the Iranian regime gets too close to a breakout, according to U.S. intelligence sources. Google, Microsoft and Oracle had no comment on the issue.

This new Stuxnet worm is a more powerful tool with more range and a stronger capability than the previous version, said administration and intelligence officials. Officials want this new cyber capability to derail any military action that could result in a regional war.

The Stuxnet attack on Iran’s nuclear plants in Bushehr and Natanz in 2010 was the result of a joint effort between the United States and the cyber warfare experts of Israel’s Mossad and the IDF Unit 8200. The attack wreaked havoc on Iran’s nuclear program for 11 months, U.S. officials confirmed.

Wednesday, April 23, 2014 @ 04:04 PM gHale

The National Institute of Standards and Technology (NIST) removed the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) from its list of random number generators (RNG).

This is a big deal because this RNG was delivered by the National Security Agency (NSA), which has had trust issues of late.

RSA used Dual_EC_DRBG in its BSAFE products after it accepted $10 million from the NSA. People instantly became concerned the algorithm contained a backdoor that would allow the intelligence agency to obtain the encryption keys of all users, and therefore to defeat the very purpose of the product.

NIST recommended against the use of the algorithm at the time, but it has only just now taken the final step to remove it from its draft guidance on RNGs.

“The revised document retains three of the four previously available options for generating pseudorandom bits needed to create secure cryptographic keys for encrypting data. It omits an algorithm known as Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator. NIST recommends that current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible,” NIST said.

The institute explained that its decision to remove the Dual Elliptic Curve Deterministic Random Bit Generator from the list comes after it performed an evaluation, but also in response to the lack of public confidence in the algorithm.

NIST advises anyone still using the NSA-recommended algorithm to stop doing so and use one of the three remaining approved alternatives. NIST issued an advisory to federal agencies and other buyers of cryptographic products to simply ask vendors if their cryptographic modules rely on Dual_EC_DRBG and if so, to ask for the products’ reconfiguration.

“Most of these modules implement more than one random number generator. In some cases, the Dual_EC_DRBG algorithm may be listed as included in a product, but another approved algorithm may be used by default. If a product uses Dual_EC_DRBG as the default random number generator, it may be possible to reconfigure the product to use a different default algorithm,” NIST said.

Tuesday, April 8, 2014 @ 12:04 PM gHale

Yahoo is now encrypting traffic flowing between its data centers. The move comes months after leaked documents revealed the government was peeking into those links.

As of March 31, traffic moving between Yahoo data centers undergoes full encryption, the company said.

Last October, documents provided by former U.S. National Security Agency contractor Edward Snowden said the NSA had penetrated the main communications links that connect Yahoo and Google’s data centers.

Though it comes after those revelations, the encryption of the data links is in keeping with a previous promise by Chief Executive Marissa Mayer to encrypt all information between its data centers by the end of March.

Yahoo also turned on encryption for a range of other services. For one, encryption of mail between its servers and other mail providers that support the SMTPTLS standard was enabled in the last month, the company said. Yahoo turned on encryption by default between users and its email service in January.

Yahoo said its homepage and all search queries that run on it and most other Yahoo properties now also have HTTPS encryption enabled by default.

But if users want an encrypted session for Yahoo News, Yahoo Sports, Yahoo Finance or Good Morning America on Yahoo, they must manually type “https” into the site’s URL on their browsers, Yahoo said.

Monday, March 10, 2014 @ 05:03 PM gHale

Yes, the NSA remains in the news along with Edward Snowden, but security professionals are living in the here and now and are more concerned with everyday issues like external threats from the bad guys, a new survey said.

“While the debate over the NSA and its authority does carry importance, this survey clearly demonstrates that IT security pros are more concerned with cybercriminals than government action,” said Fred Touchette, senior security analyst at software-as-a-service provider, AppRiver. “These are the people who deal with security every day, whose jobs depend on keeping networks secure, and who see threats as a practical problem, not a theoretical or philosophical issue.”

More than 110 attendees at RSA Conference 2014 took the survey, conducted via in-person interviews by AppRiver, a provider of email messaging and Web security solutions.

When asked to name the most dangerous threat to the security of their organization, the response breakdown follows:
• 56.2 percent of respondents report cybercrime from external sources as most problematic
• 33 percent said insider threats with non-malicious intent give them the most trouble
• 5.3 percent blame malicious insiders for causing the biggest security headache
• 5.3 percent point the finger at external threats from government as chief offender

Malware, including email-borne and web-based threats, topped the list of most concerning threat vectors followed by personally identifiable information (PII) and social engineering. The majority of respondents, 71.4 percent, cited people as the most frequent (or most likely) point of failure for IT security. 21.4 percent faulted process and 7.2 percent labeled technology as the weak link.

“As a new breed of cybercriminal gets more sophisticated, IT security pros believe employees are not prepared for the more serious threats,” Touchette said. “This chasm demands a comprehensive security strategy that takes into account all threat vectors from technological and human standpoints. Organizations need a layered security approach that includes technology, training, awareness and enforcement to keep both inadvertent and intentional attacks from happening.”

Despite the Snowden incident, more than two thirds of respondents do not think it is time to ask employees to take psychometric tests to determine their honesty. When asked if IT security pros themselves would be willing to take such a test as a condition of employment, more than 65 percent said yes.

Friday, January 10, 2014 @ 02:01 PM gHale

Cyber attacks are the greatest threat to U.S. national security, according to a survey released Monday.

A cyber attack is the single greatest threat, according to 45 percent of respondents in the Defense News Leadership Poll. That response came in almost 20 percent above terrorism, which ranked second.

The poll, underwritten by United Technologies, surveyed 352 Defense News subscribers, based on job seniority, between Nov. 14 and Nov. 28, 2013. The poll targeted senior employees within the White House, Pentagon, Congress, and the defense industry.

It’s not the first time cyber has ranked at or near the top of a list of security concerns. Seventy percent of Americans called a cyber attack from another country a major threat in a Pew Research Center survey released last month.

Defense Department officials continue to warn about the increasing threat. FBI Director James Comey, Rand Beers, the then-acting secretary for the Homeland Security Department, and Gen. Keith Alexander, director of the National Security Agency, each voiced their concerns before Congress last year.

And House Intelligence Committee Chairman Mike Rogers, R-MI, called it the “largest national security threat to face the U.S. that we are not even close to being prepared to handle as a country.”

Meanwhile, more than half of poll respondents said U.S. Cyber Command and the NSA should have separate leaders, but the Obama administration ruled out such a move last month. Alexander, who will most likely retire later this year, has overseen both agencies since 2010.

Friday, November 1, 2013 @ 05:11 PM gHale

Tor traffic increased by 350 percent over the third quarter, a new report said.

Although surging Tor usage may be attributable to anti-NSA surveillance activities, it is also possible the August and September surge in Tor activity came from a new variant of the Mevade malware family, according to the Solutionary Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report for Q3 2013.

Because the variant is designed to use the Tor network to hide its command and control servers, the developers end up deploying harder-to-detect malware.

Other findings include:
• Hacktivist campaigns continued to compromise and deface the websites of Israel- and European Union-based organizations.
• Phishing emails continued to be successful attack vectors, with attackers using them to launch APT campaigns.
• There has been an uptick in anomalous ICMP traffic outside the realm of normal activity based on the structure and frequency of packets.

The hacktivist campaigns OpUSA and OpIsraelReborn continued to compromise and deface Israel- and European Union-based organizations’ websites; the primary attack vectors consisted of spear phishing, Domain Name System (DNS) registry tampering, SQL injection, Cross-Site Scripting (XSS) and Distributed Denial of Service (DDoS) attacks, the report said.

Spear phishing attacks identified by SERT show users still fall victim to phishing attacks despite the existence of anti-phishing awareness programs within organizations. While tactics and techniques have evolved over the years, this specific attack vector has maintained a very high success rate.

The report found a noticeable increase in ICMP traffic targeting monitored devices in the U.S. and Europe. While ICMP is for diagnostic and control purposes and it occurs in normal traffic, SERT identified traffic that is outside the realm of normal activity based on the structure and frequency of the packets. One such payload shared commonalities with the worm Nachi.

Wednesday, October 2, 2013 @ 10:10 AM gHale

Seventeen Carnegie Mellon University (CMU) graduate students earned cyber security scholarships from the National Science Foundation, the Department of Homeland Security’s CyberCorps Scholarship for Service (SFS) Program and the Department of Defense’s Information Assurance Scholarship Program (IASP).

The SFS awards went to nine students in CMU’s Information Networking Institute (INI) and six students at CMU’s Heinz College. The IASP awards went to two INI students.

Both programs share a common goal: to increase and strengthen the number of federal information assurance professionals who protect the nation’s critical infrastructures and national defense.

“As future federal employees, the SFS and IASP scholars delve into challenging engineering and information assurance coursework and engage in interdisciplinary cyber security research. In addition to the emphasis on the technologies and strategies related to cyber defense and cyber offense, CMU’s cyber security curricula explore risk management, economics and policy issues related to reducing vulnerability and securing our national information infrastructure,” said Dena Haritos Tsamitis, INI director and director of education, training and outreach for CyLab. She is also the principal investigator of the grants.

Increased global cyber attacks make the training and retention of cyber security experts a priority of the U.S. government. The National Security Agency (NSA) and the United States Cyber Command designated Carnegie Mellon as a National Center of Academic Excellence (CAE) in cyber operations for 2013-2018. The National Security Agency designated the university as a CAE in Information Assurance Education and a CAE in research.

More than 160 students in the SFS program have graduated from CMU in the past decade. One student in the IASP graduated from the INI in 2012.

Both programs provide full-tuition scholarships and stipends to scholars in exchange for working for the federal government after graduation.
