IEEE Cipher --- Items from security-related news (E132.May-2016)





Missiles and Floppies

The real reason America controls its nukes with ancient floppy disks
The Washington Post
by Brian Fung
May 26, 2016

Summary:
The US military has had its ups and downs with modern technology, and it remains wary of wholesale adoption of newfangled things like USB drives and the Internet. Despite the fact that malware was originally spread via floppy disks, they are apparently viewed as the most secure data transfer method for our missile systems. These systems are "not on the Internet", probably because the most secure way to attach to the Internet is to cut the cable and disable Wi-Fi. But the military has an even larger problem trying to attract young talent to its cybersecurity ranks. Industry offers high salaries and glitzy dreams of wealth, and the military entices only a tiny percentage of new graduates.


Hospital Chain Endures Malware Attack

  • MedStar paralyzed as hackers hit U.S. hospital
    The Salt Lake Tribune
    By Jack Gillum, David Dishneau and Tami Abdollah
    The Associated Press
    Mar 29, 2016

    Summary: Cipher has previously noted that the healthcare industry is a target for malware attacks, and several hospitals in the MedStar system were hit in late March. The problems may have been caused by the infamous ransomware crypto attack. MedStar may have recovered by shutting down its systems and restoring from backups.


NIST Tackles Random Bits

    NIST invites comments on the second draft of Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. This Recommendation specifies constructions for the implementation of RBGs. An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms, as specified in SP 800-90A and entropy sources, as specified in SP 800-90B.

    Email comments to: rbg_comments@nist.gov with subject "Comments on Draft SP 800-90C" preferably using the Comment Template. Comments due by: Monday, June 13, 2016 at 5:00PM EDT.

    On May 2-3, 2016, NIST will host a workshop on Random Number Generation to discuss the SP 800-90 series of documents--specifically, SP 800-90B and SP 800-90C.


FBI No Stranger to Hacking

  • F.B.I. Used Hacking Software Decade Before iPhone Fight
    The New York Times
    By Matt Apuzzo
    Apr 14, 2016

    Summary:
    According to recently revealed documents, the FBI resorted to hacking in 2003 when an investigation was stymied by encryption. The animal rights group was using PGP for their communication, and even a full wiretap was not getting the FBI enough information to prosecute. Then the FBI managed to install surreptitious monitoring software on the suspects' computers. As a result, they were convicted, and the conviction was upheld in 2009. The Federal Appeals Court noted that use of encryption could be considered as evidence of criminal intent.


Microsoft Wants to Tell You About Search Warrants

  • Microsoft sues over law banning tech firms from telling customers about data requests
    The Washington Post
    By Ellen Nakashima
    Apr 14, 2016

    Summary:
    On average, the FBI issues more than 5 warrants per day to Microsoft for the purpose of obtaining customer data. Most of these are for unlimited duration and have a gag order attached. Microsoft has filed suit, claiming that under the Fourth Amendment, customers should be notified about the data collection. It seems clear that any presumption of privacy of customer data held by large companies is ... unwarranted.


Computer science education has no cybersecurity?

  • Why computer science programs don't require cybersecurity classes.
    Slate.com
    By Josephine Wolff
    Apr 16, 2016

    Summary:
    Professor Wolff believes that cybersecurity is a quickly changing field. Although it deserves study, requiring it of all computer science majors should not be done until the community agrees on what the essentials really are. Absent metrics and evaluations of effectiveness, such a requirement might result in detracting from the ability to teach students the core concepts of computer science.


$1M USD, and the FBI remains basically clueless (5 items)

    Last March the FBI demanded Apple's help in breaking into iPhones. Apple resisted, and since then, the FBI has gained access to at least two phones without the company's help, something it had claimed it did not know how to do, despite having a state-of-the-art cybercrime lab. The FBI claims that it still does not know how to get the data because in at least one case, it paid an outside firm for the data but did not get any insight into how the encryption protections were breached.

  • Once again, the government finds a way to crack an iPhone without Apple's help
    The Washington Post
    Ellen Nakashima
    Apr 25, 2016
    Summary:
    Saying that someone had come forward with the passcode for unlocking an iPhone that was part of a criminal investigation, the FBI dropped one of its demands that Apple provide assistance by developing a bypassable operating system. The fact that two iPhones have been accessed with Apple's help seemed to undermine the FBI's claims that no alternative technology existed. This might affect the standard of evidence that the government must supply in future, similar cases.

  • U.S. Presses Bid to Force Apple to Unlock iPhone in New York
    The New York Times
    By Eric Lichtblau and Katie Benner
    Apr 8, 2016

    Summary: Law enforcement demanded Apple's help in unlocking two iPhones. They claimed that because of differences in Apple's operating systems, the technique used on the San Bernardino terrorist's phone would not work on phones at the center of investigations in Boston and Brooklyn.

  • FBI cracks iPhone of San Bernardino terrorist without Apple's help
    CNN Money
    By Laurie Segall, Jose Pagliery and Jackie Wattles
    Mar. 28, 2016

    Summary:
    The FBI, after going to court to get access to iPhone data relevant to the San Bernardino attacks, abruptly postponed the case when it used newly found technology to exploit a flaw. This caused a debate to erupt about disclosing the flaw so that Apple could patch its operating system and protect its users world-wide from malicious hackers.

  • FBI paid professional hackers one-time fee to crack San Bernardino iPhone
    The Washington Post
    By Ellen Nakashima
    Apr 12, 2016
    Summary: A "gray hat" firm, knowing of a flaw in Apple's operating system used on the iPhone of a terrorist, used that knowledge and some custom hardware to unlock that phone's data. The FBI director indicated that the bureau had paid more than one million dollars for the data.

  • FBI won't reveal method for cracking San Bernardino iPhone
    The Washington Post
    By Ellen Nakashima
    Apr 26, 2016
    Summary:
    The FBI deflected a debate about disclosing the flaw that was used to access data on the San Bernardino terrorist's iPhone. Claiming that they had "limited understanding" of the means used to bypass Apple's cryptographic protections, the bureau implied that its $1M expenditure was for the data only, not the technique. Thus, it can offer no information to help Apple fix bugs in its operating system.


Malware and the car (cf book review in March Cipher).

  • Next cyberattack front could be your car
    The Washington Post
    By Joe Davidson, Columnist
    May 18, 2016
    Summary: The Government Accountability Office (GAO) has taken a look at the security of the smart devices that are beginning to connect cars to the Internet, and they are concerned. Their report, Vehicle Cybersecurity, paints a gloomy picture of the threats looming against a landscape of unstoppable automation.


When is a config glitch a "breach"? (2 items)

  • GSA says cyber 'mistake' was 'no breach'; others investigate
    The Washington Post
    By Joe Davidson, Columnist
    May 16, 2016
    Summary: Apparently the Government Services Administration (GSA) uses Google for online chatting, and apparently they had their access permissions set just a little too wide. Although 100 "Google drives" were publicly accessible, the GSA believes that no information was shared inappropriately. As far as they know. Both GSA's Inspector General and Congress would like to know more.

  • Congress hits FDIC cyber breach that 'boggles the mind'
  • FDIC reports five 'major incidents' of cybersecurity breaches since fall
    The Washington Post
    By Joe Davidson, Columnist
    May 16, 2016
    Summary: Somehow, several employees leaving the FDIC downloaded the personal data of thousands of customers when they thought they were taking only their own data. The employees have said that they did not further disclose the information. Congress, when notified, was disturbed. The FDIC says it is taking several measures to improve cybersecurity, including restricting the use of USB drives through operating system modifications.


Banking network used for theft, blame the banks, not the network (2 items)

  • Hackers' $81 Million Sneak Attack on World Banking
    The New York Times
    By Michael Corkery
    Apr 30, 2016
    Summary:
    Using a thoroughly penetrated banking computer system in Bangladesh, hackers made off with $81M by transferring money using the SWIFT banking network. This was only a fraction of what the thieves were attempting to steal.

  • Once Again, Thieves Enter Swift Financial Network and Steal
    The New York Times
    By Michael Corkery
    May 13, 2016
    Summary:
    An unnamed commercial bank was the victim of a theft that was similar to the Bangladesh bank exploit. Experts suspect that thieves are using insider information to get credentials that allow them to submit fraudulent transfer instructions over the SWIFT banking network.


Crypto Wars Drag On (2 items)

  • Senate bill draft would prohibit unbreakable encryption
    The Salt Lake Tribune
    By Tami Abdollah
    The Associated Press
    Apr 8, 2016

    Summary:
    The Senate Intelligence Committee drafted a bill aimed at ensuring that law enforcement would always have access to encrypted data. The onus of the requirement would fall on technology companies. The opposition claimed that this would mandate "back doors" that would put all customers at risk.

  • Police and Tech Giants Wrangle Over Encryption on Capitol Hill
    The New York Times
    By Cecilia Kang
    May 9, 2016
    Summary:
    A visit by the Manhattan district attorney, Cyrus Vance, was one of several events highlighting the divide between law enforcement and tech companies over encryption technology. The lobbying efforts of both sides were initiated by the FBI's demands that Apple produce methods for accessing iPhone data. Apple contends that this would be bad for the security of the phones that are becoming the core of digital identities.


Nakamoto is an Ozzie?

  • Australian Entrepreneur Says He Created Bitcoin, but Doubts Persist
    The New York Times
    By Paul Mozur and Nathaniel Popper
    May 2, 2016
    Summary:
    Saying that he didn't care if anyone believed him or not, Craig Steven Wright, an Australian entrepreneur, claimed the title of Bitcoin inventor. The tech world did not rush in to coronate him, though. While Bitcoin struggles to find a pathway for future growth, finding the person who originated the concept may help to clarify the vision and consolidate the community. Wright's demonstration of possessing a private key that proves that he is the Bitcoin inventor did not seem to satisfy skeptics.


Really Bad Idea: Unpack malware in the kernel

  • Symantec antivirus bug allows utter exploitation of memory
    The Register
    by Richard Chirgwin
    May 19, 2016
    Summary:
    When a respected anti-virus software company produces a vector for spreading malware across almost all major platforms, it's news. The Symantec Core Antivirus Engine is called when scanning material for malware, and it runs in OS kernels and scans, among other things, email. A bug in the unpacking routine of an early version of the software caused a buffer overflow. A buffer overflow in the kernel of Linux, MacOS, or Windows is Really Bad News (a nightmare scenario for Symantec).