• Researchers crack supposedly impregnable encryption algorithm in two hours

    Without cryptography, no one would dare to type their credit card number on the Internet. Security systems developed to protect the communication privacy between the seller and the buyer are the prime targets for hackers of all kinds, hence making it necessary for encryption algorithms to be regularly strengthened. A protocol based on “discrete logarithms,” deemed as one of the candidates for the Internet’s future security systems, was decrypted by École polytechnique fédérale de Lausann (EPFL) researchers. Allegedly tamper-proof, it could only stand up to the school machines’ decryption attempts for two hours.

  • NIST seeking comments on revisions to ICS security guide

    The National Institute of Standards and Technology (NIST) has issued for public review and comment a proposed major update to its Guide to Industrial Control Systems (ICS) Security. The NIST guide, downloaded more than 2.5 million times since its initial release in 2006, advises on how to reduce the vulnerability of computer-controlled industrial systems used by industrial plants, public utilities and other major infrastructure operations to malicious attacks, equipment failures, errors, inadequate malware protection and other software-related threats.

  • New algorithm revolutionizes cryptography

    Researchers have solved one aspect of the discrete logarithm problem. This is considered to be one of the “holy grails” of algorithmic number theory, on which the security of many cryptographic systems used today is based. They have devised a new algorithm which calls into question the security of one variant of this problem, which has been closely studied since 1976.

  • Cybersecurity bill not likely before a crisis proves its necessity

    A recent simulation, with 350 participants from congressional staffs, the cybersecurity sector, and the U.S. military, examined whether or not Congress was capable of passing a comprehensive cybersecurity legislation to protect the country’s critical infrastructure from debilitating cyberattacks. The simulation participants concluded that Congress is not likely to act unless there is a major cyber crisis, and that until such crisis occurs, smaller measures, such as the president’s voluntary cybersecurity framework, are the best that can be hoped for.

  • States lack expertise, staff to deal with cyberthreats to utilities

    The vulnerability of national electric grids to cyberattacks has caught the attention of federal utility regulators and industry safety groups, but state commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title.

  • Attackers exploited Microsoft security hole before company’s announcement

    Before Microsoft alerted its customers of a security flaw in Windows XP over a week ago, a group of advanced hackers had already discovered and used the vulnerability against targeted financial, energy, and defense companies.

  • FBI warns healthcare providers about cybersecurity

    The FBI has issued a private industry notification (PIN), warning healthcare providers that their cybersecurity networks are not sufficiently secure compared to the networks of the financial and retail sectors, making healthcare systems even more vulnerable to attacks by hackers seeking Americans’ personal medical records and health insurance data. Healthcare data are as valuable on the black market than credit card numbers because the data contain information that can be used to access bank accounts or obtain prescription for controlled substances.

  • U.S. military communication satellites vulnerable to cyberattacks

    A new report warns that satellite communication terminals used by U.S. military aircrafts, ships, and land vehicles to share location data, are vulnerable to cyberattacks through digital backdoors. A forensic security review of codes embedded inside the circuit boards and chips of the most widely used SATCOM terminals identified multiple hacker entry points.

  • Sandia offers free classes to high school students at the Lab’s Cyber Technologies Academy

    In the rapidly changing world of cybersecurity, who better to learn from than the professionals who live in that world every day? High school students are getting just that opportunity through Sandia National Laboratories’ Cyber Technologies Academy, free classes for high school students interested in computer science and cybersecurity.

  • Russia may launch crippling cyberattacks on U.S. in retaliation for Ukraine sanctions

    U.S. officials and security experts are warning that Russian hackers may attack the computer networks of U.S. banks and critical infrastructure firms in retaliation for new sanctions by the Obama administration, imposed in response to Russia’s actions in Ukraine. Cybersecurity specialists consider Russian hackers among the best at infiltrating networks and some say that they have already inserted malicious software on computer systems in the United States.

  • Innovative U.S. cybersecurity initiative to address cyberthreats

    Cyberattacks on computer networks around the world reached 1.7 billion in 2013, up from 1.6 billion in 2012. The administration’s 2012 Enhanced Cybersecurity Services(ECS) program, launched to protect the private sector from hackers by letting approved companies access classified information on cyber threats and sell cybersecurity services to critical infrastructure targets, is still in its early stages fourteen months after its launch.

  • With bugs in the system, how safe is the Internet?

    It seems hardly a week goes by without a major cyber security flaw exposed that could be exploited across millions of Internet and mobile connected devices. There is always the danger that people become complacent as more and more security threats are reported so it’s important to be aware of the risks and take note of any advice. In addition to frequently changing passwords, patching our software with updates as often as they are available, and being careful about what Web sites we visit, we must also demand more products that are fit for purpose, just as we do with the safety standards of physical consumer products. We should expect companies to understand the value of the business they do with us, and of our data that they hold in trust. Boards and CEOs need to care about this as much as they do about their brand.

  • Heartbleed bug: insider trading may have taken place as shares slid ahead of breaking story

    Here is a puzzle for you. Why did shares in Yahoo! slide by nearly 10 percent in the days before Heartbleed was announced and then recover after the main news items broke? It has long been the case that security vulnerabilities can have a negative effect on the public’s perception of tech companies and the value of their stock. All chief executives need to understand this and take action to reduce the exposure and associated risks. The evidence suggests that in the Heartbleed case, there could have been some insider trading taking place in the days before the story became big news. In theory the companies should have announced the problem to the stock market as soon as they became aware, but this series of events probably illustrates the limits of the duty on companies to disclose: when matters of national security are at stake, the rules may not be so rigorously applied.

  • NIST removes cryptography algorithm from random number generator recommendations

    Following a public comment period and review, the National Institute of Standards and Technology (NIST) has removed a cryptographic algorithm from its draft guidance on random number generators. Before implementing the change, NIST is requesting final public comments on the revised document, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The revised document retains three of the four previously available options for generating pseudorandom bits needed to create secure cryptographic keys for encrypting data. It omits an algorithm known as Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator.

  • SEC to examine robustness of Wall Street’s cyber defenses

    The Security and Exchange Commission (SEC) announced plans last week to inspect the cyber defenses of fifty Wall Street investment advisers, brokers, and dealers to determine whether the financial sector is prepared for pinpointed cyberattacks. This is the first time the cybersecurity has made the list of the SEC’s annual investigations.