• States lack expertise, staff to deal with cyberthreats to utilities

    The vulnerability of national electric grids to cyberattacks has caught the attention of federal utility regulators and industry safety groups, but state commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title.

  • Attackers exploited Microsoft security hole before company’s announcement

    Before Microsoft alerted its customers of a security flaw in Windows XP over a week ago, a group of advanced hackers had already discovered and used the vulnerability against targeted financial, energy, and defense companies.

  • FBI warns healthcare providers about cybersecurity

    The FBI has issued a private industry notification (PIN), warning healthcare providers that their cybersecurity networks are not sufficiently secure compared to the networks of the financial and retail sectors, making healthcare systems even more vulnerable to attacks by hackers seeking Americans’ personal medical records and health insurance data. Healthcare data are as valuable on the black market than credit card numbers because the data contain information that can be used to access bank accounts or obtain prescription for controlled substances.

  • U.S. military communication satellites vulnerable to cyberattacks

    A new report warns that satellite communication terminals used by U.S. military aircrafts, ships, and land vehicles to share location data, are vulnerable to cyberattacks through digital backdoors. A forensic security review of codes embedded inside the circuit boards and chips of the most widely used SATCOM terminals identified multiple hacker entry points.

  • Sandia offers free classes to high school students at the Lab’s Cyber Technologies Academy

    In the rapidly changing world of cybersecurity, who better to learn from than the professionals who live in that world every day? High school students are getting just that opportunity through Sandia National Laboratories’ Cyber Technologies Academy, free classes for high school students interested in computer science and cybersecurity.

  • Russia may launch crippling cyberattacks on U.S. in retaliation for Ukraine sanctions

    U.S. officials and security experts are warning that Russian hackers may attack the computer networks of U.S. banks and critical infrastructure firms in retaliation for new sanctions by the Obama administration, imposed in response to Russia’s actions in Ukraine. Cybersecurity specialists consider Russian hackers among the best at infiltrating networks and some say that they have already inserted malicious software on computer systems in the United States.

  • Innovative U.S. cybersecurity initiative to address cyberthreats

    Cyberattacks on computer networks around the world reached 1.7 billion in 2013, up from 1.6 billion in 2012. The administration’s 2012 Enhanced Cybersecurity Services(ECS) program, launched to protect the private sector from hackers by letting approved companies access classified information on cyber threats and sell cybersecurity services to critical infrastructure targets, is still in its early stages fourteen months after its launch.

  • With bugs in the system, how safe is the Internet?

    It seems hardly a week goes by without a major cyber security flaw exposed that could be exploited across millions of Internet and mobile connected devices. There is always the danger that people become complacent as more and more security threats are reported so it’s important to be aware of the risks and take note of any advice. In addition to frequently changing passwords, patching our software with updates as often as they are available, and being careful about what Web sites we visit, we must also demand more products that are fit for purpose, just as we do with the safety standards of physical consumer products. We should expect companies to understand the value of the business they do with us, and of our data that they hold in trust. Boards and CEOs need to care about this as much as they do about their brand.

  • Heartbleed bug: insider trading may have taken place as shares slid ahead of breaking story

    Here is a puzzle for you. Why did shares in Yahoo! slide by nearly 10 percent in the days before Heartbleed was announced and then recover after the main news items broke? It has long been the case that security vulnerabilities can have a negative effect on the public’s perception of tech companies and the value of their stock. All chief executives need to understand this and take action to reduce the exposure and associated risks. The evidence suggests that in the Heartbleed case, there could have been some insider trading taking place in the days before the story became big news. In theory the companies should have announced the problem to the stock market as soon as they became aware, but this series of events probably illustrates the limits of the duty on companies to disclose: when matters of national security are at stake, the rules may not be so rigorously applied.

  • NIST removes cryptography algorithm from random number generator recommendations

    Following a public comment period and review, the National Institute of Standards and Technology (NIST) has removed a cryptographic algorithm from its draft guidance on random number generators. Before implementing the change, NIST is requesting final public comments on the revised document, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The revised document retains three of the four previously available options for generating pseudorandom bits needed to create secure cryptographic keys for encrypting data. It omits an algorithm known as Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator.

  • SEC to examine robustness of Wall Street’s cyber defenses

    The Security and Exchange Commission (SEC) announced plans last week to inspect the cyber defenses of fifty Wall Street investment advisers, brokers, and dealers to determine whether the financial sector is prepared for pinpointed cyberattacks. This is the first time the cybersecurity has made the list of the SEC’s annual investigations.

  • Major step toward stronger encryption technology announced

    Researchers the other day announced the first successful trial of Quantum Key Distribution (QKD) technology over a live “lit” fiber network. The trial paves the way for more advanced research into QKD, the next frontier of data encryption technology, which will deliver even greater levels of network security.

  • Businesses looking to bolster cybersecurity

    Since the recent data breaches at retailers Target and Neiman Marcus, in which hackers stole millions of customers’ credit and debit card information, consumers have been urging card providers to offer better secure payment processors. Legislators have introduced the Data Security Act of 2014 to establish uniform requirements for businesses to protect and secure consumers’ electronic data. The bill will replace the many different, and often conflicting, state laws that govern data security and notification standards in the event of a data breach.

  • West Point wins Cyber Defense Exercise, launches Army Cyber Institute

    The U.S. Military Academy at West Point has won the annual Cyber Defense Exercise (CDX) which brought together senior cadets from the five service academies for a 4-day battle to test their cybersecurity skills against the National Security Agency’s (NSA) top information assurance professionals. West Point’s win comes just as the academy announced plans for its Army Cyber Institute(ACI), intended to develop elite cyber troops for the Pentagon.

  • How the Heartbleed bug reveals a flaw in online security

    The Heartbleed bug – which infects an extremely widespread piece of software called OpenSSL  — has potentially exposed the personal and financial data of millions of people stored online has also exposed a hole in the way some security software is developed and used. The Heartbleed bug represents a massive failure of risk analysis. OpenSSL’s design prioritizes performance over security, which probably no longer makes sense. But the bigger failure in risk analysis lies with the organizations which use OpenSSL and other software like it. A huge array of businesses, including very large IT businesses with the resources to act, did not take any steps in advance to mitigate the losses. They could have chosen to fund a replacement using more secure technologies, and they could have chosen to fund better auditing and testing of OpenSSL so that bugs such as this are caught before deployment. They didn’t do either, so they — and now we — wear the consequences, which likely far exceed the costs of mitigation.