Monday, August 22, 2011

Internet Security Alliance Daily Brief (8/22/2011)


Internet Security Alliance Daily Brief
** Your source for current and relevant cyber security issues **

For Your Immediate Attention
Board Teleconference Notes
Sponsors, the notes from the August 2nd Board teleconference have been circulated for review and comment.

The DARPA Information Innovation Office is Seeking Private Sector Recommendations
The Defense Advanced Research Projects Agency (DARPA) Information Innovation Office (I2O) is requesting information on innovative technologies and approaches to secure the Nation’s infrastructure and to ensure the survival of the Department of Defense’s cyber capabilities in case of attack.

Specifically, answers are sought to the following questions:
1. At present, attackers in cyberspace seem to have the initiative and hence the advantage. What specific technologies should DARPA develop to address the imbalance?
2. Attacks on embedded computing systems have received much attention. What specific technologies should DARPA develop to secure embedded computing systems?
3. If DARPA could only invest in one cyber-security research area, what should that be and why?

Based on the responses to this announcement, DARPA will invite individuals from the technical community to participate in the DARPA Colloquium on Future Directions in Cyber Security, to take place on November 7, 2011 in Arlington, Virginia. For more information, contact Josh Magri at jmagri@isalliance.org

ISA to Appear on C-SPAN
C-SPAN, the official, but independently operated, network of the US Congress is doing a special program covering the Administration's Cyber Security Legislative proposal. They have asked the Internet Security Alliance to provide the private sector perspective. Marc Rotenberg from the Electronic Privacy Information Center will be interviewed to represent individual privacy perspectives on the proposal. ISA’s comments during the interview were based on the ISA testimony before the House Homeland Security Committee in June and Larry Clinton’s appearance before the Congressional Cyber Security Task Force set up by Speaker Boehner in July.

The 30 minute C-SPAN program will air tonight, Monday, August 22nd, at 8 PM on C-SPAN II.



In Today's News

Koobface spreads via torrents. August 19, Softpedia – Security researchers identified a new version of the Koobface worm, which uses the global torrent network instead of social networking Web sites to spread. Dating back to July 2008, Koobface is one of the oldest and most successful computer worms that is still active. Its original variants targeted MySpace and Facebook, but it later expanded to other social networking sites. Koobface has seen many improvements and is a fairly sophisticated piece of malware most likely maintained by more than one developer. Despite its success, the worm suddenly stopped spreading on Facebook in February, a decision that baffled security researchers. In April, security experts from FireEye reported Koobface was still serving as a distribution platform for other malware, and that its command and control servers were still operational. A new sample found recently by security researchers from Trend Micro seems to indicate the worm’s creators developed a new propagation routine. The new version bundles version 2.2.1 of the uTorrent client which runs hidden in the background to seed trojanized torrents. These torrents pose as cracked versions of popular applications or games. The new version also uses encryption to evade antivirus detection. The rogue torrents promoted via public trackers and discoverable through the global torrent network contain multiple components that decrypt each other.

AES proved vulnerable by Microsoft researchers. August 18, IDG News Service – Researchers from Microsoft and the Dutch Katholieke Universiteit Leuven discovered a way to break the widely used Advanced Encryption Standard (AES), the encryption algorithm used to secure almost all online transactions and wireless communications. Their attack can recover an AES secret key from three to five times faster than previously thought possible, reported the Katholieke Universiteit Leuven, a research university based in Belgium. The researchers cautioned the attack is complex in nature, and so cannot be easily carried out using existing technologies. In practice, the methodology used by the researchers would take billions of years of computer time to break the AES algorithm, they noted. But the work, the result of a long-term cryptanalysis project, could be the first chink in the armor of the AES standard, previously considered unbreakable. When an encryption standard is evaluated for vital jobs such as securing financial transactions, security experts judge the algorithm’s ability to withstand even the most extreme attacks. Today’s seemingly secure encryption method could be more easily broken by tomorrow’s faster computers, or by new techniques in number crunching.

GingerMaster malware seen using root exploit for Android Gingerbread. August 18, Threatpost – The evolution of mobile malware seems to be accelerating, especially as it applies to Android malware. The newest example of this rapid change is the appearance of GingerMaster, a variant of the DroidKungFu malware that now sports a root exploit for Android 2.3 and gives the attacker complete control of the infected device. The new piece of malware, discovered by researchers at North Carolina State University, uses a jailbreak exploit for Android 2.3, also known as Gingerbread, which is packaged in an infected app as a seemingly legitimate file. Once that exploit runs, it gives the malware root privileges on the phone and also begins collecting data about the device for transmission to a remote server.

Texas-based Vanguard Defense Industries official hacked by Anonymous; CEO says damage limited. August 19, Associated Press – A Texas-based defense and aerospace firm said one of its top officials had his e-mail account broken into by the hacking group Anonymous, the Associated Press reported August 19. Vanguard Defense Industries’ chief executive said messages were stolen from the private Gmail account of a former FBI agent who now works as the company’s senior vice president. Anonymous said in a statement, it pilfered 1 gigabyte of private e-mails and documents from the account. The company’s chief executive told the Associated Press August 19 “there isn’t anything sensitive” in the released material. The company, based in Spring, Texas, specializes in the design and development of drones, unmanned aerial vehicles for law enforcement and the private sector.

DoD to expand cyber program with industry. August 17, Defense News – The U.S. Defense Department (DOD) is moving forward with a program designed to increase sharing with industry of classified and sensitive data about cyberattacks, the Deputy Secretary of Defense announced August 16. A 3-month pilot program — the Defense Industrial Base Cyber Pilot — has “stopped hundreds of attempted intrusions,” he said at a Defense Information Systems Agency conference. It also appears to be cost effective, he added. The program will be extended beyond its original end date of September 30. About 20 companies initially volunteered to participate in the pilot. “In the coming months, we will expand the pilot to the rest of the industrial base, as well as other key areas of critical infrastructure,” the deputy said. In addition to thwarting attacks against contractors, DOD said it identified strings of malware used by hackers. That information was incorporated into DOD network defenses and shared with companies participating in the pilot. Knowledge of these malware signatures “dramatically increases the effectiveness of cybersecurity,” the deputy said. DOD and its contractors must seize the current “window of opportunity” to strengthen their networks against destructive cyber threats, that if launched, would cause great physical damage and even loss of life, he said.

Upcoming Events

August 22 at 12:30pm: Protected Health Information Project Communication Subcommittee
The communications subcommittee will develop and manage a communications plan, and is co-chaired by Catherine Allen, chairman and CEO of The Santa Fe Group, representing Shared Assessments, and Linnea Solem of Deluxe Corporation.

August 23 at 3:00pm: Protected Health Information Project Finale Subcommittee
The finale subcommittee will facilitate overall integration of the subcommittee input with a view toward producing a coherent final report, and it is led by Rick Kam of ID Experts and Ed Stull of Direct Computer Resources, Inc.

August 24 at 2:00pm: Protected Health Information Project Ecosystem Subcommittee
The ecosystem subcommittee will define points of compromise in the healthcare ecosystem where there are risks of exposure, and is co-chaired by James Christiansen of Evantix, Gary Gordon of the Center for Identity at the University of Texas at Austin, and Lynda Martel of DriveSavers Data Recovery, Inc.

August 24 at 4:00pm: Protected Health Information Project Legal Subcommittee
The legal subcommittee will identify existing legal protections related to PHI, and is co-chaired by Christine Arevalo of ID Experts, Chris Cwalina and Steve Roosa of Reed Smith, LLP, and Jim Pyles from Powers Pyles Sutter & Verville, PC.

August 25 at 1:30pm: Protected Health Information Project Survey Subcommittee
The survey subcommittee will query chief security / privacy officers or consumers on what they consider to be sensitive data, and is being led by Christine El Eris and Michael Morelli of Affinion Group, Larry Ponemon of the Ponemon Institute, Don Rebovich of the Center for Identity Management and Information Protection at Utica College, and Andrew Serwin from Foley & Lardner LLP.

August 31 at 4:00pm: Protected Health Information Project Legal Subcommittee
The legal subcommittee will identify existing legal protections related to PHI, and is co-chaired by Christine Arevalo of ID Experts, Chris Cwalina and Steve Roosa of Reed Smith, LLP, and Jim Pyles from Powers Pyles Sutter & Verville, PC.

September 26 & 27: ACI Cyber and Data Risk Insurance
Larry Clinton will discuss the latest federal regulatory developments and enforcement actions and their impact on insurance coverage and litigation.

October 6: DHS Critical Infrastructure Partnership Advisory Council Plenary

In Case You Missed It

NIST Seeks Comment on the National Initiative for Cybersecurity Education Draft Strategic Plan
The National Institute of Standards and Technology (NIST) is pleased to announce that the Draft National Initiative for Cybersecurity Education (NICE) Strategic Plan is available for comment. The plan, “Building a Digital Nation,” outlines NICE’s mission, vision, goals and objectives. NIST and its interagency NICE partners seek comments from all interested citizens and organizations concerned with cybersecurity awareness, training and education.

Comments on this draft should be entered into the Comment-Template_Draft-NICE.xls and e-mailed to nicestratplan@nist.gov. Comments on the NICE draft strategic plan are due by September 12. NIST’s federal partners that contributed to the plan include the Department of Homeland Security, the Department of Defense, the Department of Education, the National Science Foundation, the Office of Personnel Management, and the National Security Agency.

NIST coordinates the interagency NICE program, which is a national campaign focused on enhancing cybersecurity in the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills and knowledge of every segment of the population. The program aims to improve secure use and access to digital information in a way that advances America’s economic prosperity and national security.

http://csrc.nist.gov/nice/documents/nicestratplan/NICE-Strategic-Plan-Announcement.pdf

Draft Guideline for Securing Electronics Supply Chain Available for Comment
ISA is circulating to its members the product of its multi-year effort to outline cost effective measures for securing the electronics supply chain. The paper is a 50 page set of instructions intended to be both a guidebook for managing the supply chain and a reference document for drafting contracts between producers and suppliers of electronic products in a way that hopefully secures greater benefits from globalization. The guidelines are affirmatively shaped by technical as well as economic considerations. The guidelines are written so as to be accessible to both technical and non-technical personnel. More than 60 government and industry players collaborated in the development of the guidelines in a series of technical and legal workshops under the direction of Scott Borg of the US-CCU. Member comments can be provided to Josh Magri at jmagri@isalliance.org.

DPA Survey Request for Comments
ISA has developed a set of bullet points that speak to the fact that an effort is underway to compel potentially thousands of companies to provide proprietary data under the Defense Production Act (DPA) under the threat of fines and criminal prosecution. While use of the DPA has ample precedent, the current use seems to go well beyond its intended purposes with targets well beyond the traditional DIB companies. We are told as many as 5000 companies from a variety of industry sectors may receive these compulsory surveys.

US House Homeland Security Committee Hearing
ISA President Larry Clinton has been asked to testify before the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. The hearing is entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal." The webcast can be viewed live through the following link: http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity

Summer 2011, Journal of Strategic Security
"A Relationship on the Rocks: Industry-Government Partnership for Cyber Defense" authored by Larry Clinton was published in a recent issue. To view, click here and then select the PDF file next to the article's title.

May 2011, Cutter IT Journal
ISA President Larry Clinton authored the article, "A Theory to Guide US Cyber Security Policy." To view the article, click here, download the issue and go to page 30.

Spring 2012 - Conflict and Cooperation in the Commons
Larry Clinton has authored the chapter "Cyber Security Social Contract". This book is forthcoming from Georgetown University Press.
