NSA organized a "Science of Security" (SoS) Community meeting that was held last week (Nov 29-30) at National Harbor (immediately following NSF's Secure and Trustworthy Cyberspace PI meeting at the same place.
At the conclusion of the SoS meeting, NSA's Director of Research, Mike Wertheimer, announced a new NSA-sponsored competition to identify the "best scientific cybersecurity paper" published in the past fiscal year (i.e., October 2011 - September 2012). Nominations are invited immediately and will close on January 31, 2013.
A set of "Distinguished Experts" will provide NSA with their
individual assessments of nominated papers. The experts named so far
Dr. Daniel Geer, In-Q-Tel
Professor David Wagner, University of California at Berkeley
Professor Ronald Rivest, MIT
Mr. Phillip Venables, Goldman Sachs
Professor Angela Sasse, University College London
Professor Fred Schneider, Cornell University
Dr. John McLean, Naval Research Laboratory
Assessment will be based on:
- Scientific merit and significance of the work reported,
- The degree to which the paper exemplifies how to perform and report scientific research in cybersecurity
Winners are expected to be announced June 1, 2013.
We are delighted to announce that the recipient of the 2012 Microsoft Research Verified Software Milestone Award is Xavier Leroy of the Paris-Rocquencourt (http://www-rocq.inria.fr) research center of INRIA, France, for the CompCert Project (http://compcert.inria.fr). Specifically, the award is given in recognition for Xavier's role as architect of the CompCert C Verified Compiler as well as his leadership of the development team.
The formal presentation of the Award will be made to Xavier at POPL 2013 (http://popl.mpi-sws.org/2013/), which takes place in Rome - January 23-25, 2013.
"Microsoft Research is delighted to celebrate the advances made by Dr Leroy in the vital field of software verification. Compilers are the basis for all the software we generate, and by ruling out compiler-introduced bugs, the CompCert project has taken a huge leap in producing strengthening guarantees for reliable critical embedded software across platforms. We congratulate Dr Leroy on his significant achievement in winning this Award."
Dr. Judith Bishop, Principal Research Director, Computer Science, Microsoft Research, Redmond
The full award citation is provided along with further details of the award process at the VSI website, i.e. http://dream.inf.ed.ac.uk/vsi
Andrew Ireland & Jim Woodcock (Chairs of the Award Committee)
Summary: The US Justice Department announced the arrest of 10 people worldwide for allegedly operating the "Butterfly" botnet which aided in the theft of personal data and credit card data from millions of computers. In a modern twist, the malware spread through links on Facebook pages, infiltrating user accounts and posting links to infected sites, luring "friends" into the botnet.
Summary: Various researchers, including Avi Rubin of Johns Hopkins University, have found that computer systems used by the health care industry have serious security flaws. Federal guidance on cybersecurity for health data systems seems to be confusing and insufficient.
Rubin recounts an amusing story: A nurse had the job of typing in a physician’s password constantly so that the doctor would not have to do it. She walked around the room logging the doctor into every machine, every hour.
Summary: A large-scale DDoS attack directed at US banks is suspected to be the work of Iranians. The attack has been traced to data centers. Security researchers still do not know how the data centers used in the first wave of attacks were infected in the first place, how widespread the infection rate was and — perhaps most troubling - whether the servers could be used to damage other sensitive targets in the future.
Summary: The DDoS attacks have caused US banks to ask for help from the National Security Agency. Although this kind of cooperation is not unprecedented, the article notes that "The ability to share information between the FBI and the banks has been eased by the granting of more than 250 classified-level security clearances to bank officials in the past five years, industry officials said."
Summary: The malware known as "Red October" or "Rocra" has been carrying out fairly thorough cyber-espionage tasks for five years, working quietly and without notice. Kaspersky Labs has analyzed the software and believes that it is targeting several specific industries. The number of targets is unknown.