Items from security-related news (E108.Jun-2012)

Information from NIST

Second Public Draft, Special Publication 800-130, A Framework for Designing Cryptographic Key Management Systems
Public Comment Period: April 13, 2012 through July 30, 2012.
Email Comments to:
Second Public Draft Details:
NIST requests comments on SP 800-130, A Framework for Designing Cryptographic Key Management Systems. This is a revision of the document that was provided for public comment in June 2010. Comments are requested by July 30, 2012 and should be sent to, with "Comments on SP 800-130" in the subject line. Another document, SP 800-152, which provides a basic profile of this framework document for the Federal government, will be available for initial comment later this year.

Links: Draft SP 800-130 (PDF) on CSRC website:

From Carl Landwehr: NSA Publication Addresses Security Science

The current issue of The Next Wave focuses on developing a blueprint for a science of cybersecurity. It includes an introduction by Bob Meushaw and seven articles looking at this topic from different perspectives by Fred Schneider, Alessandro Chiesa and Eran Tromer, Anupam Datta and John Mitchell, Dusko Pavlovic, Roy Maxion, Adam Shostack, and Carl Landwehr. Copies are freely available in hard copy (only) from:

National Security Agency
Attn: Kathleen Prewitt, Managing Editor
Suite 6541
Ft. George G. Meade, MD 20755-6541
or by email to:

From the Washington Post, April 17, 2012

International Espionage Targets US Networks

Several nations are trying to penetrate U.S. cyber-networks, says ex-FBI official Shawn Henry.

From The Washington Post, May 11, 2012

Defense Contractors Try Out Monitoring Software

The Pentagon will expand a voluntary cybersecurity program for defense contractors. The system scans incoming email and selectively blocks outgoing connections.

From the New York Times, June 1, 2012

Offensive Cyberwarfare is Here

The US Department of Defense has signalled its participation in offensive cyberwarfare several times in the past year. Now more information about its involvement in the Stuxnet targeting of Iran's nuclear program is available.

From CNN Security Blogs, June 5th, 2012

Flame: Complicated, Clever, and Effective

The origin of the Flame malware remains unknown, but its capabilities are wide-reaching. Allegedly, some of the code defeats Microsoft's code-signing checks by presenting forged credentials, but the details have yet to be revealed. A collision attack on the MD5 hash used in the relevant certificate signatures is a likely suspect.
For more cryptographic detail, see also the Cryptography Engineering Blog.

From PC World, June 1, 2012

FPGA Design: Useful or Deceitful?

FPGA security is called into question.
The vendor, Microsemi, says the undocumented access path in its chip is a debugging mode; some analysts call it a backdoor.

From the Deseret News, May 16, 2012

Ignored Server Leaks Personal Data of Utah Patients

Analyzing a data breach that exposed personal information on nearly 800,000 people, the state of Utah uncovered many procedural errors, and the state's IT director lost his job.

From CNNMoneyTech, June 6, 2012

LinkedIn Caught With Its Salt Down

The LinkedIn password file was disclosed by persons unknown. It was easily subject to a dictionary attack because the passwords were hashed (with SHA-1) without the well-known technique of "salting" the password: with no salt, one hash computation per candidate password can be checked against every account at once, and every user who chose the same password has the same hash. Because the usernames were not part of the disclosure, it did not compromise user accounts significantly.
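The following is an added example, not code from the newsletter or from LinkedIn, showing concretely why an unsalted hash file cracks in bulk. The user names, passwords and the tiny wordlist are constructed here; the per-user salt and the PBKDF2 verifier at the end are the hardened form, not anything the article describes.

```python
"""Unsalted versus salted password hashing: why a leaked file of bare
SHA-1 digests falls to a dictionary attack in one pass.

Added example; the accounts, passwords and wordlist below are constructed
stand-ins, not data from the LinkedIn disclosure.
"""
import hashlib
import hmac
import os

# Constructed sample accounts (hypothetical users and passwords).
USERS = {
    "alice": "password1",
    "bob": "linkedin",
    "carol": "Tr0ub4dor&3",   # not in the wordlist; should survive the attack
    "dave": "password1",      # same password as alice
}

# Constructed stand-in for a real cracking wordlist (millions of entries).
WORDLIST = ["123456", "password", "password1", "linkedin", "qwerty", "letmein"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a single SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Same hash, but bound to a per-user random salt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_unsalted_db(users: dict) -> dict:
    return {u: unsalted_sha1(p) for u, p in users.items()}


def make_salted_db(users: dict, salt_len: int = 16) -> dict:
    db = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)          # fresh random salt per account
        db[u] = (salt, salted_sha1(p, salt))
    return db


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """One hash per guess tests it against every account simultaneously.
    Returns (cracked {user: password}, number of hash computations)."""
    by_hash = {}
    for user, digest in db.items():
        by_hash.setdefault(digest, []).append(user)   # identical passwords collide
    cracked, ops = {}, 0
    for guess in wordlist:
        ops += 1
        for user in by_hash.get(unsalted_sha1(guess), []):
            cracked[user] = guess
    return cracked, ops


def crack_salted(db: dict, wordlist: list) -> tuple:
    """Each guess must be re-hashed with every account's own salt, so the
    cost scales with accounts x wordlist instead of wordlist alone."""
    cracked, ops = {}, 0
    for user, (salt, digest) in db.items():
        for guess in wordlist:
            ops += 1
            if hmac.compare_digest(salted_sha1(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked, ops


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened form: salted *and* deliberately slow (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def pbkdf2_verify(password: str, salt: bytes, stored: bytes,
                  iterations: int = 100_000) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


if __name__ == "__main__":
    cracked, ops = crack_unsalted(make_unsalted_db(USERS), WORDLIST)
    print(f"unsalted: {len(cracked)} of {len(USERS)} cracked with {ops} hashes")
    cracked, ops = crack_salted(make_salted_db(USERS), WORDLIST)
    print(f"salted:   {len(cracked)} of {len(USERS)} cracked with {ops} hashes")
```

With the constructed data the unsalted file falls with six hash computations (one per wordlist entry) and alice and dave are visibly the same password; the salted file needs a separate pass per account, which is the multiplier that makes precomputed tables useless. Salting alone does not slow a per-account guess, which is why the PBKDF2 verifier adds an iteration count as well.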

From the New York Times, April 14, 2012

The Cybercrime Wave that Wasn't

An op-ed piece addresses the question of the economic impact of cybercrime, finding little data to support numbers that have been widely cited.