IEEE Cipher --- Items from security-related news (E130.Jan-2016)

  • Meet the woman in charge of the FBI's most controversial high-tech tools
    The Washington Post
    By Ellen Nakashima
    December 8, 2015

    Summary: The FBI is no longer behind the times in cyber technology, and their executive assistant director for science and technology is responsible for keeping them current. This article highlights the role of that person, Amy Hess, who took the reins in 2014. A video games whiz when she entered the FBI academy, she now manages a budget of around half a billion dollars while navigating the boundaries of security and privacy in relationships with industry.

  • After terrorist attacks, the debate over encryption gets new life
    The Washington Post
    By Ellen Nakashima
    Dec 9, 2015

    Summary: FBI Director James B. Comey made remarks at a Senate Judiciary Committee meeting urging the Senate to change the "unacceptable" status quo with regard to encryption technology. The terrorist attacks in Paris and in San Bernardino, California have made law enforcement hungry for complete access to communications among suspected terrorists. Comey asserted that technology for encrypted intercepts was not an impediment and that controls could be installed without "breaking the Internet".

  • A looming anniversary, and an offer
    December 15, 2015
    From Gene Spafford

    Next year is the 25th anniversary of the publication of Practical Unix Security. The book has attracted quite a readership over the years.

    As a celebration of the anniversary, and as a way of helping raise some funds for two worthwhile non-profit organizations (EPIC and the ISSA Foundation), we are making a special offer to get a copy of the book signed by the authors.

    Details are at We encourage people to participate --- if nothing else, to provide some support to two worthwhile organizations supporting security & privacy work.

  • Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors
    by Kim Zetter

    Summary: Juniper Networks makes high-speed routers that power the Internet, so it was no small matter when it was discovered that their operating system had not one but two "backdoors" allowing access to traffic passing through. Further, one of the backdoors allows access to encrypted VPN traffic. There is no information about who installed the code, who used it, or whether or not the two backdoors come from the same source. Speculation is rife, and some experts suspect that there is some intertwined further vulnerability associated with keys derived from NIST's flawed EC random number generator. Juniper has issued patches for both backdoors, and one expert reverse engineered a patch to find the master password underlying the secret access.

  • Official: Iranians hacked into New York dam
    by Shimon Prokupecz, Tal Kopan and Sonia Moghe
    Dec 22, 2015

    In 2013, Iranian hackers infiltrated a software control system for a flood control dam in Rye Brook, New York, according to information from an unidentified US official and revealed in the Wall Street Journal last December. The hackers were not able to gain control of the floodgates, however. The town uses industry standard software control systems, but apparently the operators were not aware of security problems with the software or its configuration.

  • Google is trying to kill passwords. But what should replace them?
    The Washington Post
    by Andrea Peterson
    Dec 23, 2015

    Summary: Google has been experimenting with alternatives to passwords. One trial involves combining computer access with cell phone authorization: when you try to log in to an email account, a message is sent to your cell phone requesting permission. The cell phone response opens the email account to the computer. This method could be combined, in the future, with biometric authentication. Whether or not this increases the overall security of email access remains somewhat in question because it simply makes the cell phone the primary target of hackers.

  • Hackers caused a blackout for the first time, researchers say
    The Washington Post
    by Andrea Peterson
    Jan 6, 2016

    Summary: John Hultquist, head of iSIGHT Partners' cyberespionage intelligence practice, said that hackers had used a known malware package called Black Energy against electric power substations in the Ukraine in late December. As a result, half the homes in the Ivano-Frankivsk region were without power. This seems to be the first time that a cyberattack has caused an outage. Cyber intrusions in power grids are not unknown, but successful sabotage is unknown, until now. The malware was not designed to take down power grids. It deletes computer files, making the computer unusable. The malware rendered more than one substation inoperative. The brute force simplicity of the attack and the ease with which it permeated the substations is cause for alarm (for those who were not already alarmed).

  • White House Officials Meet With Tech Leaders on Thwarting Terrorists
    The New York Times
    by Gardiner Harris and Cecilia Kang
    Jan 8, 2016

    Summary: Not all of the US government's cyber responses to terrorism are concerned with encryption. Two new efforts will focus on countering propaganda from the Islamic State. The Department of Homeland Security and the Justice Department will coordinate the program, and the State Department will launch an effort to counter disinformation and to "create positive images of the West." Officials from the Obama administration emphasize that they need help from big technology companies to carry out their program.

  • Rarely Patched Software Bugs in Home Routers Cripple Security (NB: paywall access only)
    The Wall Street Journal
    By Jennifer Valentino-DeVries
    Jan 18, 2016

    Home routers are cheap and easy to set up, but a study by an expert hired by the newspaper found that a great many of them rely on an insecure version of the firmware. Furthermore, it can be difficult to impossible to find firmware updates. This investigative article shows that the reach of poor security practices is immense, and there seem to be few economic incentives to fix them.