
Tag: National Institute of Standards and Technology (NIST)

A pigeon-piloted bomb, odd powders, and cryptic science—Ars goes to NIST

Glimpse into the agency's archive of scientific objects and help identify unknown ones.

Why We Need a Data-Driven Cybersecurity Market

NIST should bring together industry to create a standard set of metrics and develop better ways to share information.

Trump Issues Previously Delayed Cybersecurity Executive Order

EO calls for immediate review of federal agencies' security postures, adoption of the NIST Framework, and a focus on critical infrastructure security.

Trump Signs Cybersecurity Executive Order

President Trump signed the cybersecurity executive order that mandates federal agencies implement the NIST Framework for risk management.

Microsoft finally bans SHA-1 certificates in Internet Explorer, Edge

The Tuesday updates for Internet Explorer and Microsoft Edge force those browsers to flag SSL/TLS certificates signed with the aging SHA-1 hashing function as insecure.

The move follows similar actions by Google Chrome and Mozilla Firefox earlier this year. Browser vendors and certificate authorities have been engaged in a coordinated effort to phase out the use of SHA-1 certificates on the web for the past few years, because the hashing function no longer provides sufficient security against spoofing. SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005.

The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made, for example for outdated payment terminals.

Killing cancer cells using the DNA that drives them

Chromosomal rearrangements—a hallmark of tumor cells—make the cells a target.

NIST to security admins: You’ve made passwords too hard

Despite the fact that cybercriminals stole more than 3 billion user credentials in 2016, users don't seem to be getting savvier about their password usage.

The good news is that how we think about password security is changing as other authentication methods become more popular. Password security remains a Hydra-esque challenge for enterprises. Require users to change their passwords frequently, and they wind up selecting easy-to-remember passwords.

Force users to include numbers and special characters in a strong password, and they come back with passwords like Pa$$w0rd.

Proposed NIST Password Guidelines Soften Length, Complexity Focus

NIST's latest password guidelines focus less on length and complexity of secrets and more on other measures such as 2FA, throttling, and blacklists.

Google kills SHA-1 with successful collision attack

It's official: The SHA-1 cryptographic algorithm has been "SHAttered." Google successfully broke SHA-1. Now what? After years of warning that advances in modern computing meant a successful collision attack against SHA-1 was imminent, a team of researchers from Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands has produced the first SHA-1 collision.

In practical terms, SHA-1 should no longer be relied upon for security. Modern cryptographic hash functions depend on it being infeasible to find two different inputs that produce the same hash.

A hash collision refers to having two separate files with the same hash.

The fact that cryptographic weaknesses in SHA-1 make certificates using the SHA-1 algorithm potentially vulnerable to collision attacks is well-known.

The National Institute of Standards and Technology deprecated SHA-1 more than five years ago, and experts have long been urging organizations to switch to stronger hash algorithms. Up until now, the only thing going for SHA-1 was the fact that collision attacks were still expensive and theoretical.

Credential-stuffers enjoy up to 2% attack success rate – report

It's kinda easy when all the passwords are 1234567

Hackers achieve a success rate of 0.1 to 2 per cent when reusing stolen credentials to access other sites, according to a new study by Shape Security. More than three billion credentials were reported stolen worldwide in 2016, with 51 companies admitting a breach.

These stolen credentials are routinely abused by cybercriminals in attempts to hijack accounts on other sites, a tactic that only works because consumers often reuse the same password and login ID combination on multiple sites. A major retailer (which later became a Shape customer) experienced a large-scale credential-stuffing attack with more than 10,000 total login attempts over one day, using the most popular credential-stuffing attack tool, Sentry MBA. "Shape has identified millions of instances of credentials from reported breaches being used in credential-stuffing attacks on other websites, with up to a 2 per cent success rate in taking over accounts on systems that did not report public data breaches," the firm said. "As a result, automated fraud losses from credential stuffing are in the billions of dollars worldwide, based on the value of accounts taken over.

The most commonly targeted account systems include bank accounts, retail gift card accounts, and airline and hotel loyalty programmes." Yahoo!, which reported two separate spills in 2016, leaked the greatest number of login credentials, followed by FriendFinder, MySpace, Badoo and LinkedIn.

Tech companies spilled the most credentials (1.75 billion) but the gaming industry was the sector that witnessed the largest number of breaches. In response to the abuse of compromised user credentials, the National Institute of Standards and Technology last month recommended that online account systems check their users' passwords against known spilled credential lists, a practice already followed by companies such as Facebook and others.

The proposed checks are included in Draft NIST Special Publication 800-63B Digital Identity Guidelines.
If the password chosen by a user appears on the spilled credential lists, NIST recommends that the user be informed that they should choose another since their chosen phrase has been compromised.

The war for cybersecurity talent hits the Hill

Many analysts and business leaders believe there is a severe need for qualified cybersecurity professionals in the U.S., something that has caught the eye of at least one key congressman. U.S. House Homeland Security Committee Chairman Michael McCaul (R-Texas) on Wednesday said more needs to be done to address the cybersecurity labor shortage. “I agree 110 percent that we need to strengthen the workforce” of cybersecurity professionals, McCaul said during a meeting with reporters at the National Press Club. McCaul was referring not only to cybersecurity workers needed for U.S. government agencies, but also for U.S. businesses that control the nation’s critical infrastructure, including the electric grid and electronic healthcare records. “Eighty percent of the malicious codes are in the private sector,” he said. The need to fill cybersecurity jobs has been top of mind recently because of cyber exploits like the two massive Yahoo breaches announced late last year.

Also, intelligence community revelations that Russia tried to influence the U.S. elections with various cyber-exploits have galvanized some U.S. lawmakers, including McCaul. Several experts have estimated the workforce shortage of cybersecurity workers in the U.S.—across multiple job titles—currently at 300,000 or more.

The most recently available analysis, from the U.S. Bureau of Labor Statistics, said the shortage of such workers in 2015 reached 209,000.

Globally, the shortfall of cybersecurity professionals is expected to reach 1.5 million by 2020, according to data published by the National Institute of Standards and Technology. Despite such dire projections, there is at least one contrary point of view.

A DHS official said in a blog post in November that the cybersecurity skills shortage is a myth. For his part, McCaul plans to push for a cybersecurity agency within the Department of Homeland Security, partly to provide cyber assistance for national elections that are under state management. “DHS needs focus and resources,” he said. To fill cybersecurity job openings, U.S. companies have developed a number of strategies over recent years. Major corporations such as AT&T have established in-house re-training of IT workers to become cybersecurity professionals.

Also, AT&T has set up a rotational program so that a recent graduate can rotate through various departments at the company to become a well-rounded security expert. “The labor shortage is a huge problem. Nobody can get enough resources,” said Jason Porter, vice president of security solutions at AT&T, in an interview. “We’re excited to see a bunch of colleges have launched new programs around cybersecurity, so we’ll see more cyber talent. But companies are still way behind. Right now, cybersecurity is paramount. We are actively retraining our own employee base.” Over the entire company, AT&T currently has more than 2,000 cybersecurity professionals, he said.

The company operates eight security operations centers globally and offers cybersecurity services to thousands of companies. While AT&T and other major companies are trying to adjust, the security challenges are greatest for small and mid-sized companies, analysts said. “Small and mid-sized businesses are suffering the most,” said IDC analyst Sean Pike. “They don’t have the money to pay for talent and not even for managed services. They are sometimes hiring inexperienced talent, like a security generalist, who will move into a specialty in a year or two. It’s really difficult to attract and retain the specialists.”

Pike said he’s heard of security specialists moving into managerial roles in corporations who can make $250,000. One such manager moved into the vice president level and made $750,000, he said. With salaries at such high levels, smaller companies often have to resort to taking out an incident response retainer with a service provider for a year to protect against exploits. Analysts said it isn’t necessarily that there aren’t cybersecurity candidates available to fill positions, but there might be a lack of candidates to fill the positions that are open at the time.

Gartner in a recent report said that there is a “war for cyber talent as organizations seek qualified candidates in an environment where demand outweighs supply.” Gartner noted that the Bureau of Labor Statistics expects the demand for cybersecurity professionals to increase by 53 percent through 2018. Gartner also said security budgets in U.S. companies are not increasing enough to keep up with salaries for cybersecurity professionals that have “skyrocketed.” The cybersecurity labor gap is already causing “major vulnerabilities,” said Gartner analyst Avivah Litan, in an email. “Many organizations are turning to outsourced and managed security services to fill their cybersecurity skill gap, but those managed services firms are facing their own recruitment challenges since there just aren’t that many skilled cybersecurity professionals to fill the gaps.”

This story, "The war for cybersecurity talent hits the Hill" was originally published by Computerworld.

Buggy Domain Validation Forces GoDaddy to Revoke Certs

GoDaddy has revoked, and begun the process of re-issuing, SSL certificates for more than 6,000 customers after a bug was discovered in the registrar’s domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.”

Part of the validation process involves the registrar sending customers a validation code via email, which the customer places on their site. Thayer explained that the system searches a particular spot for the code in order to complete validation. “When the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found,” Thayer explained, adding that GoDaddy was not aware of any compromises related to the bug.

The issue did expose sites running SSL certs from GoDaddy to spoofing: an attacker could obtain certificates for a domain they did not control and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials.

GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action, log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said. “This process will be identical to the process they followed when their previous certificates were issued. (If a customer has more than one revoked certificate associated with their customer account, they will be able to initiate the certificate process for each domain within the SSL Panel.),” Thayer said. “The SSL Panel provides helpful information and instructions that should allow customers to easily process the certificate online.”

Affected websites will still resolve, GoDaddy said, but customers may see untrusted-site error warnings.

Experts, meanwhile, caution that as more Certificate Authorities such as Let’s Encrypt, which provides free certs in an automated fashion, come online, more errors like this one could crop up. “I only see more of them happening,” said Kevin Bocek, vice president of security strategy at Venafi. “We’re seeing faster and faster certificate validation with organizations like Let’s Encrypt turning up the competition [among CAs]. And things like DevOps driving faster certificate issuance. And with organizations moving to the cloud, you’re going to have more machines doing these types of requests for new certificates.”

“It’s all software,” Bocek said. “It could all have bugs. In the past year, we’ve seen more and more of these reports and the trend is going to continue.”

Let’s Encrypt has taken great strides toward fulfilling its promise of bringing free encryption and SSL to the web by simplifying and automating the process. Let’s Encrypt isn’t alone; Amazon, Cloudflare and others also offer free SSL certs in one form or another. Let’s Encrypt uses ACME (Automated Certificate Management Environment), an open API, to automate certificate requests and issuance. And it’s working; in October, Mozilla telemetry that was made public showed that for the first time, more than half of all traffic in transit is encrypted.

“There are going to be more demands on CAs and more and more machines doing requests,” Bocek said, adding that while ACME is great for efficiency, it is taking people out of the process. He recommends that organizations familiarize themselves with NIST guidance on preparing for and responding to CA compromises. “Everyone,” Bocek said, “needs to have a plan and an automated way to get around this.”