IEEE Cipher --- Items from security-related news (E131.Mar-2016)

  • More employee data leakage from US Federal Departments
    Hackers Access Employee Records at Justice and Homeland Security Depts.
    New York Times
    by Eric Lichtbleau
    Feb 8, 2016

    In today's world, the disclosure of personal information of 30,000 government workers on the Internet is hardly enough to break into the news cycle. But, because it affected the departments of Justice and Homeland Security, it seems just worthy of note. The information seems to have been obtained by a politically motivated hacker who used information about an employee on a social media site to leverage access to government employee directories.

  • British teenager social engineers top US officials
    British teen arrested in hacking of top U.S. intelligence officials
    The Washington Post
    Feb 12, 2016
    By Matt Zapotosky and Ellen Nakashima

    The emails of the CIA director and the Director of National Intelligence were the victims of email hacking, and a British teenager has been arrested for it. The investigation of the exploit has focused on "Crackas With Attitude", and they are suspected of leaking government employee information (see the preceding news item).

    The exploit may have been "old school" because it is rumored to have been based on convincing Verizon workers that they were talking to the victims. The hackers got the account access information changed so that they could login to the victims' email accounts. They also claimed to have changed voice forwarding on one of the phones.

  • NIST announces new publication
    Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General

    NIST announces the completion of Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General. This Recommendation provides general cryptographic key management guidance. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Public comments received during the review of this document are provided here.

    NIST announces new draft publication, invites comments
    Special Publication (SP) 800-175, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms.

    NIST requests comments on SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms. The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government, but with a focus on using the cryptographic offerings currently available, rather than building one's own implementation. SP 800-175B is intended to provide guidance to the Federal government for using cryptography and NIST's cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage. The cryptographic methods and services to be used are also discussed. The first document in the series (i.e., SP 800-175A) will be available shortly. Please provide comments on SP 800-175B by Friday, April 29, 2016.
    Comments may be sent to, with "Comments on SP 800-175B" as the subject.

  • The iPhone lands in hot water, crypto-wise
    In the past two months there have been many stories about how the US government has been raising legal objections to commercial applications that encrypt data without providing any backdoors for law enforcement. Apple iPhones have been the focal point for the controversy, and the Justice Department has taken the unusual step of ordering Apple to produce a digitally signed (cf. Turing award) and weakened version of its OS to load onto the iPhone of a dead terrorist.

    The debate about public safety vs. personal privacy has moved into new territory. We present a selection of pointers to news and commentary about it.

  • Stop changing your password
    Why changing your password regularly may do more harm than good
    The Washington Post
    Mar 3, 2016
    by Andrea Peterson

    Federal Trade Commission chief technologist, Lorrie Cranor, has some contrarian advice about password changes. An expert in human factors issues for computer security, Cranor suggests that people have enough trouble coming up with one good password, let alone a constant stream of them. The result is that bad passwords are used more often when changes are frequent. Case studies bear out the claim. Some people take this as just one more reason to give up on passwords altogether and switch to biometric authentication.

  • Iran to be named dam hacker
    U.S. plans to publicly blame Iran for dam cyber breach
    Mar 10, 2016
    by Evan Perez and Shimon Prokupecz

    As reported in the last issue of Cipher, in 2013, using off-the-shelf malicious software tools, someone gained access to the "backoffice systems" for a dam in New York state. Although no damage resulted, it was unsettling to US officials to have a piece of physical infrastructure come close to being breached. Iran has been named the likely culprit, and an indictment may be handed down soon.

  • Carhacking, it's a thing in the Io(insecure)T
    Car hacking
    March 17, 2016
    by David Shepardson

    As Cipher's book review this month points out, car hacking is now an activity. So serious a thing that there have been three separate software security updates by major manufacturers in the past year, one of them involving a recall. The Alliance of Automobile Manufacturers and Association of Global Automakers late last year opened an Information Sharing and Analysis Center. Perhaps this will help improve the awareness of risks and secure design methods.

    The FBI and NHTSA warn that owners might be tricked into installing malicious software updates on their smartphones (there's an app for your car) or directly onto their vehicles. That software might let hackers take control of vehicles and cause mayhem. Federal Bulletin.

  • Diffie and Hellman win the 2015 Turing Award
    "Cryptography Pioneers Receive ACM Turing Award"
    ACM Press Release
    March 1, 2016

    Decades ago two Stanford researchers decided to tackle the seemingly off-limits topic of cryptography, and they ended up making the remarkable discovery of public key cryptography. Now, the pair, Whitfield Diffie and Martin Hellman, have received the ACM's Turing Award for 2015.