Information Security News
On Friday, the National Institute of Standards and Technology (NIST), which sets many of the standards that cryptographers use to build robust security systems, gave notice that it would formally review its standards development process. This comes about two months after a New York Times report that the National Security Agency may have inserted a backdoor into Dual_EC_DRBG, a pseudorandom number generator specified in a widely adopted, NIST-approved standard (SP 800-90A).
The fallout from the September New York Times report, which was based on internal memos leaked by former NSA contractor Edward Snowden, made many security experts wary of NIST and its standards. At the time of the report, NIST issued a statement saying that it would reopen its public vetting process for the standard in question. “We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place,” a memo from the Institute read.
Now, NIST is going a step further. In its November 1 statement, the organization promised a full audit of its standards development process. “Recent news reports about leaked classified documents have caused concern from the cryptographic community about the security of NIST cryptographic standards and guidelines,” the statement read.
Four weeks ago, Adobe disclosed a sustained hack on its corporate network that threatened to spawn a wave of meaner malware attacks by giving criminals access to the raw source code for the company's widely used Acrobat and ColdFusion applications. Now, researchers are warning the same breach could significantly strengthen the password crackers' collective hand by revealing a staggering 130 million passcodes used over the years by Adobe customers, many of them from the FBI, large corporations, and other sensitive organizations.
That's because Adobe engineers used reversible encryption, rather than hashing, to scramble the passwords contained in a 9.3-gigabyte file that is now circulating online. Surprisingly, they flouted almost universally recognized best practice, which calls for stored passwords to be protected by bcrypt or another slow, salted, one-way password hashing function. Just as ground hamburger can't be turned back into steak, there is no mathematical way to reverse a cryptographic hash and recover its plaintext. One-way hashing thwarts cracking by forcing an attacker to run each individual password guess through the same deliberately slow algorithm and compare the result with the stored hash; a per-account salt ensures that work cannot be shared across accounts or precomputed. Done correctly, cracking a long list of credentials can take years or longer for anything but the weakest passwords.
That's not at all how the passwords for the 130 million active and inactive Adobe accounts were protected. They were scrambled using standard symmetric encryption, identified in analyses of the dump as Triple DES in ECB mode under a single key. If crackers figure out the key or keys used to encrypt the data, they will have instant access to every single plaintext password in the list. Even without the key, ECB mode encrypts each block independently and deterministically, so two users who chose the same password have identical ciphertext, and the most common passwords stand out as the most frequent ciphertexts.
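The following added example (not from the original article or from Adobe) contrasts the two storage schemes described above. Because the standard library ships no 3DES, a small keyed Feistel block cipher built on HMAC-SHA256 stands in for it; what matters is the mode, not the cipher. The user table, the key and the function names are constructed for illustration. The hardened variant uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in for bcrypt, scrypt or Argon2, which would be the usual production choices.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit blocks, as in 3DES

# Constructed sample table: alice and carol picked the same weak password.
USERS = [("alice", "123456"), ("bob", "hunter2"),
         ("carol", "123456"), ("dave", "correct horse")]
DEMO_KEY = b"adobe-demo-key-1"  # hypothetical single site-wide key


# --- toy block cipher: 4-round Feistel network over 8-byte blocks ---
def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    L, R = block[:4], block[4:]
    for i in range(4):
        L, R = R, _xor(L, _round(key, R, i))
    return L + R


def block_decrypt(key, block):
    L, R = block[:4], block[4:]
    for i in reversed(range(4)):
        L, R = _xor(R, _round(key, L, i)), L
    return L + R


def _pad(data):  # PKCS#7-style padding to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    return data[:-data[-1]]


# --- the weak scheme: deterministic ECB encryption, one key for everyone ---
def ecb_encrypt(key, password):
    data = _pad(password.encode())
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, ciphertext):
    data = b"".join(block_decrypt(key, ciphertext[i:i + BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))
    return _unpad(data).decode()


def encrypted_table(key, users):
    return {user: ecb_encrypt(key, pw) for user, pw in users}


def ciphertext_collisions(table):
    """Attacker view WITHOUT the key: ECB makes equal passwords produce
    equal ciphertext, so shared passwords are visible as duplicates."""
    groups = {}
    for user, ct in table.items():
        groups.setdefault(ct, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def decrypt_table(key, table):
    """Attacker view WITH the key: every password falls out at once."""
    return {user: ecb_decrypt(key, ct) for user, ct in table.items()}


# --- the hardened scheme: salted, slow, one-way password hashing ---
def hash_password(password, salt=None, iterations=600_000):
    salt = salt or os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Each guess must be re-run through the same slow function; there is
    no key that would recover the plaintext directly."""
    _, iters, salt, dk = stored.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(cand.hex(), dk)


def hashed_table(users):
    return {user: hash_password(pw) for user, pw in users}


if __name__ == "__main__":
    enc = encrypted_table(DEMO_KEY, USERS)
    print("shared passwords visible without key:", ciphertext_collisions(enc))
    print("everything recovered with key:", decrypt_table(DEMO_KEY, enc))
    hashed = hashed_table(USERS)
    print("shared passwords visible in hashed table:", ciphertext_collisions(hashed))
    print("verify alice/123456:", verify_password("123456", hashed["alice"]))
```

Run it and the encrypted table reveals that alice and carol share a password before any cryptanalysis has happened, and yields every plaintext the moment the key is known; the salted-hash table shows no duplicates, and the only way to test a guess is to pay the full PBKDF2 cost per account.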
Posted by InfoSec News on Nov 01: http://www.buzzfeed.com/sheerafrenkel/battling-cyber-attacks-in-israel-one-simulation-at-a-time
Posted by InfoSec News on Nov 01: http://www.computerweekly.com/news/2240208217/Olympic-cyber-security-down-to-design-and-testing-says-BT
Posted by InfoSec News on Nov 01: http://www.theregister.co.uk/2013/10/31/research_investment_us_academia/
Posted by InfoSec News on Nov 01: http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
Posted by InfoSec News on Nov 01: http://www.healthcareitnews.com/news/patient-portals-pose-new-security-issues