NewsBits, IEEE Cipher E112, E112.Jan-2013

NSA Announcement
November 30, 2012
Best Security Paper of 2012 Competition

NSA organized a "Science of Security" (SoS) Community meeting that was held last week (Nov 29-30) at National Harbor (immediately following NSF's Secure and Trustworthy Cyberspace PI meeting at the same place).

At the conclusion of the SoS meeting, NSA's Director of Research, Mike Wertheimer, announced a new NSA-sponsored competition to identify the "best scientific cybersecurity paper" published in the past fiscal year (i.e., October 2011 - September 2012). Nominations are invited immediately and will close on January 31, 2013.

A set of "Distinguished Experts" will provide NSA with their individual assessments of nominated papers. The experts named so far are:
Dr. Daniel Geer, In-Q-Tel
Professor David Wagner, University of California at Berkeley
Professor Ronald Rivest, MIT
Mr. Phillip Venables, Goldman Sachs
Professor Angela Sasse, University College London
Professor Fred Schneider, Cornell University
Dr. John McLean, Naval Research Laboratory

Assessment will be based on:
- Scientific merit and significance of the work reported
- The degree to which the paper exemplifies how to perform and report scientific research in cybersecurity

Winners are expected to be announced June 1, 2013.

Microsoft Research: 2012 Verified Software Milestone Award Winner
December 19, 2012
Press Release

We are delighted to announce that the recipient of the 2012 Microsoft Research Verified Software Milestone Award is Xavier Leroy of the Paris-Rocquencourt research center of INRIA, France, for the CompCert Project. Specifically, the award is given in recognition of Xavier's role as architect of the CompCert C Verified Compiler as well as his leadership of the development team.

The formal presentation of the Award will be made to Xavier at POPL 2013, which takes place in Rome - January 23-25, 2013.

"Microsoft Research is delighted to celebrate the advances made by Dr Leroy in the vital field of software verification. Compilers are the basis for all the software we generate, and by ruling out compiler-introduced bugs, the CompCert project has taken a huge leap in producing strengthening guarantees for reliable critical embedded software across platforms. We congratulate Dr Leroy on his significant achievement in winning this Award."

Dr. Judith Bishop, Principal Research Director, Computer Science, Microsoft Research, Redmond

The full award citation is provided along with further details of the award process at the VSI website.

Kind regards,
Andrew Ireland & Jim Woodcock (Chairs of the Award Committee)

10 Arrested in Theft of Web Data
By Brian X. Chen and John H. Cushman Jr.
New York Times
December 12, 2012

Summary: The US Justice Department announced the arrest of 10 people worldwide for allegedly operating the "Butterfly" botnet which aided in the theft of personal data and credit card data from millions of computers. In a modern twist, the malware spread through links on Facebook pages, infiltrating user accounts and posting links to infected sites, luring "friends" into the botnet.

Health-care sector vulnerable to hackers, researchers say
By Robert O'Harrow Jr.
Washington Post
Published: December 25, 2012

Summary: Various researchers, including Avi Rubin of Johns Hopkins University, have found that computer systems used by the health care industry have serious security flaws. Federal guidance on cybersecurity for health data systems seems to be confusing and insufficient.

Rubin recounts an amusing story: A nurse had the job of typing in a physician’s password constantly so that the doctor would not have to do it. She walked around the room logging the doctor into every machine, every hour.

U.S. Banks Again Hit by Wave of Cyberattacks
By Nicole Perlroth
New York Times Bits Blog
January 4, 2013

Summary: A large-scale DDoS attack directed at US banks is suspected to be the work of Iranians. The attack has been traced to data centers. Security researchers still do not know how the data centers used in the first wave of attacks were infected in the first place, how widespread the infection rate was and, perhaps most troubling, whether the servers could be used to damage other sensitive targets in the future.

Banks seek NSA help amid attacks on their computer systems
Ellen Nakashima
The Washington Post
January 11, 2013

Summary: The DDoS attacks have caused US banks to ask for help from the National Security Agency. Although this kind of cooperation is not unprecedented, the article notes that "The ability to share information between the FBI and the banks has been eased by the granting of more than 250 classified-level security clearances to bank officials in the past five years, industry officials said."

Computer malware targets Europe agencies
By Ellen Nakashima
Washington Post
Published: January 14, 2013

Summary: The malware known as "Red October" or "Rocra" has been carrying out fairly thorough cyber-espionage tasks for five years, working quietly and without notice. Kaspersky Labs has analyzed the software and believes that it is targeting several specific industries. The number of targets is unknown.