  • NIST seeks public comments on updated smart-grid cybersecurity guidelines

    The National Institute of Standards and Technology (NIST) is requesting public comments on the first revision to its guidelines for secure implementation of “smart grid” technology. The draft document, NIST Interagency Report (IR) 7628 Revision 1: Guidelines for Smart Grid Cybersecurity, is the first update to NISTIR 7628 since its initial publication in September 2010.

  • DDoS protection specialist Black Lotus raises $3.5 million

    San Francisco-based Black Lotus, a DDoS protection specialist, last week announced the completion of its first institutional financing in the amount of $3.5 million. The round was led by San Francisco-based Industry Capital. The strategic investment will fund entry into new markets, where Black Lotus will deploy additional capacity and improve quality of service through peering and closer proximity to global partner networks.

  • Terrorism insurance should cover cyberterrorism: industry

    The Terrorism Risk Insurance Act (TRIA) is a federal backstop designed to protect insurers in the event an act of terrorism results in losses above $100 million. Industry officials question whether cyberterrorism is covered by the program, which is administered by the Treasury Department. Industry insiders note that terrorism risks have evolved since TRIA was enacted and that cyberterrorism is now a real threat. TRIA should thus not simply be reauthorized with a blanket stamp of approval; instead, there should be a discussion about whether acts of cyberterrorism should be explicitly included in TRIA.

  • NIST releases Preliminary Cybersecurity Framework

    The National Institute of Standards and Technology (NIST) on Tuesday released its Preliminary Cybersecurity Framework to help critical infrastructure owners and operators reduce cybersecurity risks in industries such as power generation, transportation, and telecommunications. In the coming days, NIST will open a 45-day public comment period on the Preliminary Framework and plans to release the official framework in February 2014.

  • Cyber Grand Challenge for automated network security-correcting systems

    What if computers had a “check engine” light that could indicate new, novel security problems? What if computers could go one step further and heal security problems before they happen? To find out, the Defense Advanced Research Projects Agency (DARPA) intends to hold the Cyber Grand Challenge (CGC) — the first-ever tournament for fully automatic network defense systems. The Challenge will see teams creating automated systems that would compete against each other to evaluate software, test for vulnerabilities, generate security patches, and apply them to protected computers on a network. The winning team in the CGC finals would receive a cash prize of $2 million, with second place earning $1 million and third place taking home $750,000.

  • Physicians feared terrorists might hack Dick Cheney’s cardiac defibrillator

    In a 60 Minutes segment aired yesterday (Sunday), former vice-president Dick Cheney told the interviewer that his doctors turned off the wireless function of his implanted cardiac defibrillator (ICD) “in case a terrorist tried to send his heart a fatal shock.” Asked about the concern of Cheney’s physicians, electrophysiologists (the cardiologists who implant ICDs) say that as far as they know, this has never happened in the real world, but that it is impossible to rule out the possibility.

  • Bipartisan cybersecurity measure to be introduced in Congress

    Senator Saxby Chambliss (R-Georgia) last week said he was “very close” to introducing legislation which would encourage the private sector and government agencies to share information regarding cyberattacks. Chambliss has proposed a government “portal,” operated by DHS, to handle information coming from the private sector. Privacy advocates welcome the proposal for a civilian agency like DHS to operate the information sharing “portal” (in earlier versions of proposed cybersecurity legislation, the NSA was tasked with a similar coordinating responsibility).

  • Web sites secretly track users without relying on cookies

    Device fingerprinting, also known as browser fingerprinting, is the practice of collecting properties of PCs, smartphones, and tablets to identify and track users. For the vast majority of browsers, the combination of these properties is unique, and thus functions as a “fingerprint” that can be used to track users without relying on cookies. Researchers have discovered that 145 of the Internet’s 10,000 top Web sites use device fingerprinting to track users without their knowledge or consent.

  • Popular e-commerce software vulnerable to hackers

    Online transactions rely on a trusted third party, or “cashier,” who bridges the gap between vendors and their customers. The use of a third party cashier, however, also complicates the payment logic and introduces a new class of vulnerabilities that can result in significant financial losses to merchants. Computer scientists found flaws in e-commerce software that allowed them to purchase stationery, candy, and toys online at below their correct cost.

  • Avira unveils free mobile security app for Apple iPhone, iPad, iPod

    Tettnang, Germany-based security firm Avira yesterday unveiled Avira Mobile Security app for Apple iPhone, iPad, and iPod. The company said that in addition to scanning for malicious processes that may be corrupting your iOS device, Avira Mobile Security integrates a free 5GB cloud storage account to let users free up space to take more pictures or videos, or to access and share media while on the go.

  • NSA tried to crack Tor anonymity tool

    In its efforts to gather more intelligence, and overcome obstacles to this effort, the National Security Agency (NSA) has repeatedly tried to develop attacks against people using Tor, a software tool designed to protect online anonymity – and which is primarily funded and promoted by the U.S. government itself to help political activists, whistleblowers, militaries, and law enforcement. The NSA’s determined effort to crack Tor raises questions about whether the agency, deliberately or inadvertently, acted against Internet users in the United States when attacking Tor. One of the main functions of Tor is to hide the country of all of its users, meaning any attack could be hitting members of Tor’s large U.S. user base.

  • Serious IT consequences if shutdown lasts

    The shutdown of the federal government, if it lasts no more than a week or so, will not seriously damage government IT operations, experts and industry insiders say. A longer shutdown, which would lead to extended furloughs for non-essential employees, will have more serious effects, as it will further depress the federal technology workforce and will deter top graduates from applying for government jobs. If Congress refuses to allow payment to furloughed employees for the time they were idled, the effect will be even more pernicious, these experts said.

  • National Cyber Security Awareness Month starts 1 October

    With just one week until the kickoff of National Cyber Security Awareness Month, the National Cyber Security Alliance (NCSA) encourages everyone to get involved this October. The month’s theme is “Our Shared Responsibility,” which calls on everyone who uses the Internet to take steps to make it safer for all. This process begins with taking three simple steps before going online: STOP. THINK. CONNECT.

  • Evaluating the IT security posture of business partners

    Evaluating the IT security of businesses is increasingly becoming a necessity when forming new business relationships. A start-up has launched a rating service, similar to a credit rating, to measure the security posture of a company based on a number of factors.

  • Rapidly evolving cybersecurity field too diverse for overly broad professionalization

    The U.S. cybersecurity work force is too broad and diverse to be treated as a single occupation or profession, and decisions about whether and how to professionalize the field will vary according to role and context, says a new report. Defined as the social process by which an occupation evolves into a profession, such as law or medicine, professionalization might involve prolonged training and formal education, knowledge and performance testing, or other activities that establish quality standards for the workforce.