Will NIST take over the NSA with its cryptography expertise?
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
July 15, 2014
The U.S. National Institute of Standards and Technology (NIST) has been asked to hire more cryptography experts in order that it can confidently tell the NSA to abandon the idea.
A report from NIST's Visiting Committee on Advanced Technology (VCAT), which scrutinizes and advises the institute has criticized NIST for being too dependant on the NSA's cryptography expertise (or lack thereof).
VCAT cited the adoption and backing of the use of the buggy Dual EC DRBG algorithm, an NSA-sanctioned random number generator that was later found to be flawed.
To be sure, random numbers are crucial in cryptography, as they thwart an eavesdropper attempting to decrypt intercepted enciphered data.
The report was launched in the wake of allegations from whistleblower Edward Snowden that the NSA deliberately weakened Dual EC DRBG and other algorithms for surveillance purposes.
Despite having been warned about those insecurities several years ago, the report also reveals that NIST – which is part of the U.S. Department of Commerce – relied heavily on input from the NSA in maintaining the security standard.
VCAT members believe that to guard itself from such scandals in the future, NIST will need to become more transparent and better engage with the security community as a whole.
According to the VCAT report, a lack of qualified personnel was a key shortfall for the NIST. Without enough experts on hand, the institute was unable to spot and address the security vulnerabilities in the Dual EC DRBG and the SP 800-90 standard.
To remedy the problem, the steering committee is recommending that NIST hire additional staff versed in cryptography as well as reaching out to academic institutions and security vendors when building and analyzing encryption standards.
Additionally, it was also determined that NIST will need to sever its ties with the NSA for good. "NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess it and reject it when warranted," the report suggests.
"This may be accomplished by NIST itself or by engaging the cryptographic community during the development and review of any particular standard," the report added.
And the report goes on to suggest other transparency measures as well, including the utilization of open competitions to build new standards and maintaining better documentation on how standards are developed.
NIST added that it would also continue to study the advisory board's findings ahead of releasing a new cryptographic standards report and some new guidelines regarding the development process by the end of 2014.
In other internet security news
Google is warning its users that bogus SSL certificates have been issued by India's National Information Centre (NIC).
Those certificates can be used by servers to masquerade as legitimate Google websites when they're not, and then eavesdrop or tamper with users' encrypted communications.
The internet connection would appear to be secure when in fact it's not. According Google's security team, it noticed unauthorized certificates for several Google domains that popped up last Wednesday and then traced them back to India's NIC.
What's troubling about this is that the issuer holds several intermediate CA certificates that are trusted by the Indian Controller of Certifying Authorities (India CCA) and also some Western companies.
"The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn't include these certificates," said Google security engineer Adam Langley.
"However, we are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although mis-issued certificates for other sites may exist," Langley added.
Google engineers alerted both Indian agencies and Microsoft about the security issue, and the bogus certificates were revoked a day later. In the meantime, Google has revoked all the certificates using Chrome's CRL Set function and says its products are in the clear.
It also appears that Microsoft users are now covered. "We are aware of the mis-issued third-party certificates and we have not detected any of the certificates being issued against Microsoft domains," a Microsoft spokesperson said.
"We are taking all the necessary steps to help ensure that our customers remain protected at all times."
The India CCA is now running a full investigation to determine exactly what happened to lead to the certificates being issued, but it's not the first time that certification authorities have either been tricked into issuing bogus certificates, or hacked in a manner to achieve that goal.
In other internet security news
According to military sources from South Korea, North Korea has doubled the number of government hackers it employs since mid-2012.
The allegations claim that no less than 5900 elite personnel were employed in Pyongyang's hacking unit, up from 3000 at the beginning of 2012.
The said hackers had their crosshairs firmly fixed on Seoul but operate from offices in China, the source told the Yonhap News Agency.
"North Korea operates a hacking unit under its General Bureau of Reconnaissance, which is home to some 1200 professional hackers," the source told the agency.
The hackers developed and foisted malware against South Korean banks, media websites, thegovernment and defence agencies during the employment surge and were fended off by a 900 strong South Korean security blue team.
Last year, South Korea planned to train 5000 security people to combat attacks from the North but it was unclear if these personnel have yet been trained for the task.
Pyongyang denied launching attacks and accused Seoul of fueling diplomatic tensions. The source said that the North had more "elite" hackers than the United States with 900, and Japan housing just 90.
Pyongyang trained 100 hackers a year through Mirim and Moranbong universities, said to be run by the Government's Operations Department that spearheaded cyber war efforts.
Hackers were divided up into 600 strong brigades taught by Russian professors from the Frunze Military Academy, North Korean defector Jang Se-yul told the popular Seoul Chosun newspaper in 2011.
Intriguingly, the same source said in prior years that a lack of local facilities meant hackers had to be taught in faraway locations.
Last year, North Korea was blamed for distributed denial of service attacks against government agencies including the Presidential Blue House and media companies.
It followed much larger attacks in March that year infecting banks, insurance firms and broadcasters with malware that permanently crashed computers.
In other internet security news
In a post NSA-Edward Snowden era, a team of security experts have teamed up to create a convenient internet messenger (IM) client designed especially for whistleblowers. And yes, Snowden himself would be proud.
The?'invisible.im project' promises an instant messenger app that leaves no trace. The team behind the project include Metasploit Founder HD Moore and noted expert The Grugq.
To be sure, invisible.im?is primarily geared towards serving the stringent anonymity needs of whistleblowers, as the project website explains.
The invisible.im project was established to develop an instant messenger and file transfer application that leaves virtually no evidence of conversations or file transfers having occurred.
The primary use case for this technology is for whistleblowers and media sources who wish to remain anonymous when communicating with the press or other organizations.
Still in its early development stage, the project is looking for developers to port its concept to various platforms-- Windows, OS X and Linux.
It also wants software and security experts capable of hooking the software into the darknet, specifically the i2p anonymisation network. It is also very keen to work with developers who are knowledgable about Tor.
SecureDrop and StrongBox are a good approach for large media organization such as the New York Times but are complex and require secure supporting infrastructure. The?invisible.im?project aims to plug that gap with technology an instant message and file transfer client that leaves as small a metadata trail as possible.
TorChat offers anonymity but still requires a registered IM account with an IM provider like AOL, Yahoo or Microsoft that inevitably leaks metadata sooner or later.
The?invisible.im project?openly acknowledges that any system it develops is never going to offer absolute anonymity under all circumstances. And that's fair.
"If a source is already the subject of targeted surveillance, invisible.im cannot facilitate secure, anonymous chats," it concedes.
More details on the scope of the project and its general design principals can be found in the FAQ section on the?invisible.im?website.
In other internet security news
It's reported this morning that hackers have cooked up a malicious Android app that bundles a whole slew of banking fraud mishaps into a single strain of mobile malware.
The HijackRAT is a banking trojan that packs together new and previously unseen functions, according to internet security firm FireEye.
The mobile app combines private data theft, banking credentials theft, spoofing and remote access into a single malicious app.
So far, Android malware has had only one of these capabilities built-in. Under the control of hackers, the app steals SMS messages and contact lists and can send SMSs as well.
The malware can also initiate malicious app updates and scan for banking apps installed on the smartphone and replace them with fake utilities.
The malware also attempts to disable any mobile security software that might be installed on a compromised device.
The current version of the malicious app scans for eight Korean banking apps and replaces them with fake ones.
"While it's limited to just eight Korean banks right now, the cyber criminal could easily add it in the functionality for any other bank with just 20 to 30 minutes of work," according to FireEye.
Overall, unfinished functionality built into the HijackRAT malware might eventually facilitate bank hijacking attacks, according to an analysis of the mobile malware by FireEye.
Such malicious attacks would be possible because of the combination of personal information taken from compromised devices combined with the introduction of counterfeit banking apps on Android smartphones and tablets.
Although the HijackRAT malware disguises itself as a “Google Service Framework" it obviously has no affiliation with the Google Play Store.
In other internet security news
Russia isn't just interested in the Ukraine and Crimea anymore, it's now setting its goals on U.S. interests as well, although this time it's using the internet to achieve its mischief.
An internet security firm reported this week that Russian hackers have launched unprecedented, highly-sophisticated cyber attacks on American oil and gas companies.
Nicknamed 'Energetic Bear', the cyber operation is the latest example of an ongoing war between American and British cyber spies on one side, and intellectual property-stealing hackers in Russia on the other. China could even be on this as well.
The report by Symantec described how hackers have managed to sneak malware into computers at power plants, energy grid operators, gas pipeline companies and industrial equipment makers.
For now, most of the targets were in the United States and Spain, but the rest were across Europe.
The malware was used to steal documents, usernames and passwords. In the best-case scenario, the hackers only took valuable and sensitive information. At worst, they gained the ability to hijack the controls and even sabotage the U.S.' energy supply.
Another security company, Crowdstrike, first spotted the Energetic Bear operation in 2012. Crowdstrike thinks the hackers at Energetic Bear work for or alongside Russian government intelligence services at the behest of state-owned gas enterprises, including Gazpro and Rosneft.
To no big surprise, neither the Russian embassy, nor those energy companies, responded to requests for comment.Tweet Share on Twitter.
Source: The U.S. National Institute of Standards and Technology (NIST).
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!
You can link to the Internet Security web site as much as you like.