• FAA Air Traffic Control System Vulnerable to Cyberattacks
    Homeland Security Today (03/03/15) Vicinanzo, Amanda

    According to a Government Accountability Office (GAO) audit report, security weaknesses in the Federal Aviation Administration’s (FAA) information security program place the nation’s air traffic control system at risk of being hacked. The Federal Information Security Management Act of 2002 requires federal agencies to enforce a security program that provides a framework for implementing controls at the agency, but FAA’s implementation of the program is incomplete. GAO found that FAA “did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster.” The report stated that FAA will face major challenges and major weaknesses will persist until the agency develops an organization-wide strategy. The FAA agreed with the 17 recommendations made by the GAO, which the GAO stated have the possibility to “compromise the safety and efficiency of the national airspace system.”


    QR Codes Engineered Into Cybersecurity Protection
    University of Connecticut (02/26/15) Poitras, Colin

    University of Connecticut researchers led by professor Bahram Javidi want to use quick response (QR) codes to protect national security. They are using advanced three-dimensional optical imaging and extremely low-light photon counting encryption to transform a conventional QR code into a high-end cybersecurity application that can be used to protect the integrity of computer microchips. The researchers found they were able to compress information about a chip’s functionality, capacity, and part number directly into the QR code so it can be obtained by the reader without accessing the Internet, which Javidi says is an important cybersecurity breakthrough because linking to the Internet greatly increases vulnerability to hacking or corruption. The researchers also applied an optical-imaging mask that scrambles the QR code design into a random mass of black-and-white pixels. Another layer of security is then added through a random phase photon-based encryption, which converts the snowy image into a darkened image with just a few random dots of pixelated light.


    Universities Start Programs to Develop Cybersleuths
    Security InfoWatch (03/02/15) Forster, Dave

    George Mason University is now offering what it says is the world’s first undergraduate degree in cybersecurity engineering. There are currently 64 students enrolled in the program. Old Dominion University (ODU), meanwhile, pulled faculty and staff from a range of disciplines to form the Center for Cyber Security Education and Research, which launched March 2. In January, Norfolk State University was tapped by White House officials to lead a consortium of 12 historically black colleges and universities, two national labs, and one South Carolina school district with the goal of educating students in cybersecurity. ODU hopes to promote new approaches to research by drawing from different disciplinary backgrounds. For example, drawing on psychology to understand why some people click on a link they should not click on could help protect systems against poor decision-making. The consortium led by Norfolk State received a $25 million federal grant, and most of it will go toward creating workers who are knowledgeable about cybersecurity. In the fall, Norfolk State will add an online master of science degree in cybersecurity.


  • In case you haven’t already figured out the Center for Disease Control ain’t what it’s cracked up to be, along comes this report:

    Safety Experts Slam Lax Safety Practices at CDC Labs

    USA Today (03/19/15) Young, Alison

    Safety advisers have found that the CDC does “inadequate” training, lacks commitment toward safety, and has a large percentage of staff who are afraid to report accidents. The Atlanta-based agency’s high-security labs work on many public health experiments and recently had lab mishaps involving some of the world’s most dangerous pathogens. An anthrax incident in June potentially exposed CDC employees to that bioterror agent and in December, a mix-up of specimens of the deadly Ebola virus resulted in the potential exposure of a lab worker who had to undergo 21 days of monitoring. There are nearly 20 recommendations for improvements in the report, but the CDC has implemented some recommendations by biosafety experts and will report on the progress.


  • Senate Panel Easily Passes Cybersecurity Bill
    Wall Street Journal (03/12/15) Paletta, Damian

    The Senate Select Committee on Intelligence easily passed a bill that encourages—but doesn’t require—companies to share information about cyberattacks with each other and the federal government, responding to a growing prevalence of data breaches at large U.S. companies. The 14-1 vote was the first step in what is likely to be a lengthy battle this year over how to prod firms, many of which are skeptical of government data collection, to collaborate more with federal officials to deter attacks. “It is the first leg of a very long race,” the panel’s chairman, Sen. Richard Burr (R-N.C.), told reporters after the vote. Earlier drafts of the bill would extend liability protections to companies that share information with each other and the government to protect them, in some cases, from being sued. Some changes to the bill were made during the vote, though the precise details weren’t shared. Sen. Dianne Feinstein (D-Calif.), told reporters that 15 privacy amendments were offered during debate and 12 were accepted “in whole or in part.”


    Senate to Advance Anti-Hacking Bill Amid Privacy Objections
    Bloomberg (03/11/15) Strohm, Chris

    The Senate Intelligence Committee today will hold a closed-door markup of its CISA cyberthreat information-sharing bill. Insiders say there have been some changes to the bill to increase privacy protections, although privacy and transparency concerns are expected to arise today. Privacy advocates have objected to the bill that would shield companies from lawsuits when they share information about cyber-attacks with each other and federal agencies. Industry groups, such as the Financial Services Roundtable, largely support the bill that’s under consideration by the Senate intelligence committee. Companies have resisted providing data to the government about hacking attacks out of concern they could be sued if they accidentally included private information about their customers, or accused of violating antitrust laws. Information sharing is needed to help prevent attacks that are growing more sophisticated and dangerous, according to the Obama administration. Senator Richard Burr (R-N.C.), chairman of the panel, wrote the bill with Senator Dianne Feinstein of California, the top Democrat on the panel. They plan to submit changes to a draft aimed at satisfying the concerns of privacy advocates who worried that the bill would expand government spying. The bill “represents compromises on both sides following feedback from the executive branch, private sector and privacy advocates,” says Feinstein. The new language would limit how the government can use information obtained from companies and restrict countermeasures companies can take, according to a Democratic Senate aide who spoke on the condition of anonymity because the changes have not been announced.


    Survey Finds Faith in Internet Trust System Fading Fast
    IT World (03/11/15) Roberts, Paul F.

    Despite growing reliance on public key encryption, IT professionals have unprecedented skepticism in the technology’s ability to protect critical data, indicating a breaking point in digital trust, according to a Ponemon Institute survey. Organizations have increased the number of keys and certificates deployed by 34 percent, but 54 percent do not know where all their keys and certificates are located. The report sounds a dire warning for the countless government and private sector firms that rely on public key encryption to protect online transactions and data. “The digital trust that underpins most of the world’s economy is nearing its breaking point, and there is no replacement in sight,” it concludes. Digital certificates have become a standard tool for securing communications to and from Internet-connected devices, but oversight of those certificates and the infrastructure that supports them is often loose. Those certificates have become an attractive target for cyber criminal groups and state-backed hacking crews, who exploit the implicit trust granted to the certificates to plant malicious code on other systems. The report suggests organizations adopt practices that allow them to identify and track the certificates used within their environment.


    CIA Sought to Hack Apple iPhones From Earliest Days
    Reuters (03/10/15) Auchard, Eric

    CIA researchers have been working for almost 10 years to break the security protecting Apple products, according to The Intercept, which cited documents obtained from Edward Snowden. The report quotes top-secret U.S. documents that suggest U.S. government researchers have developed a version of Apple’s software application development tool to create surveillance backdoors into programs distributed on Apple’s App Store. The Intercept said the latest documents, which covered a period from 2006 to 2013, stop short of proving whether U.S. intelligence researchers had succeeded in breaking Apple’s encryption coding, which secures user data and communications. Efforts to break into Apple products by government security researchers started as early as 2006, a year before Apple introduced its first iPhone, and continued through the launch of the iPad in 2010 and beyond, The Intercept said. Breaching Apple security was part of a top-secret program by the U.S. government, aided by British intelligence researchers, to hack “secure communications products, both foreign and domestic” including Google Android phones, it said. Silicon Valley technology companies have in recent months sought to restore trust among consumers around the world that their products have not become tools for widespread government surveillance of citizens.


  • NIST Outlines Guidance for Security of Copiers, Scanners
    Government Computer News (02/25/15)

    The U.S. National Institute of Standards and Technology (NIST) has released its Risk Management for Replication Devices report. The report focuses on protecting the information processed, stored, or transmitted on replication devices (RDs), which are devices that copy, print, or scan documents, images, or objects. The threats to RDs include default passwords, unencrypted data, service interruptions from user interfaces, unauthorized use, alteration of passwords or configuration settings, and outdated operating systems. The NIST report recommends IT managers limit or restrict access to RDs by either placing the devices in secured areas or requiring identification and authentication for use. In addition, IT managers should ensure that event logging is enabled so they can troubleshoot problems and investigate suspicious activity. Moreover, the report advises IT managers to regularly review vendor security bulletins and install patches and upgrades as needed. When RDs are no longer required by an organization, they should be wiped or purged, and all nonvolatile storage media should be destroyed. Passwords and user PINs should be changed, and the device configurations should be reset to the factory default settings. Finally, the NIST document includes a security risk assessment template in table and flowchart format to help organizations determine the risk associated with replication devices.

