Superb journalism in the form of an article posted by Ellen Nakashima and Aaron Gregg of The Washington Post detailing the critical work of United States National Security Agency-trained malware hunters, now the co-founders of Dragos, a highly respected cybersecurity firm. If you read anything today on public infrastructure security, read Ellen Nakashima and Aaron Gregg's important piece at The Washington Post. You'll be glad you did.
The cyber threat hunters had honed their chops at the National Security Agency — the world’s premier electronic spy agency. And last fall, they were analyzing malware samples from around the world when they stumbled across something highly troubling... - via Ellen Nakashima and Aaron Gregg of The Washington Post
The NCCoE has announced a new NIST Cybersecurity Practice Guide (currently in draft mode, for your commenting pleasure...) entitled "SP 1800-7 Situational Awareness for Electric Utilities". Enjoy.
Last week's MailChimp hack and subsequent malicious emails are still not sufficiently explained... I'll wager the RCA (if one was accomplished) points to deeper process issues than meets casual inspection. Perhaps stronger customer guidance on information security matters is in order (if, in fact, the cause was customer exploitation, rather than in-built flaws in the MailChimp infrastructure). In any case, you be the judge.
"A MailChimp spokesperson confirmed that it had reset passwords on the accounts included in the data dump": "Our team has obtained the data from the security researcher. They’ve validated usernames with our user base, and have forced password resets on the affected users." - via the inimitable Graham Cluley at grahamcluley.com
The Cybersecurity Research Alliance (CSRA), in partnership with NIST, has announced open registration for the organization's latest conference, entitled 'Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies'. The event is slated for May 27th and 28th, 2015, at the National Institute of Standards and Technology campus in Gaithersburg, Maryland. Visit the Conference Site for additional information.
The Federal Communications Commission has issued the codified order targeting Net Neutrality. Entitled FCC 15-24, for GN Docket Number 14-28, In the Matter of Protecting and Promoting the Open Internet, Report and Order on Remand, Declaratory Ruling, and Order. At over four hundred pages long, this document will (likely) become one of the most highly contentious Orders emerging this year from the Commission (or the weapon of choice for conspiracy theorists, due to its weight).
The National Institute of Standards and Technology (NIST) has announced a new internal report detailing a framework targeting Smart Meter upgradeability (NIST Internal Report NISTIR 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework). Authored by Michaela Iorga (a member of the Computer Security Division, in the Information Technology Laboratory (ITL) at NIST) and Scott Shorter (of Electrosoft Services, Inc. in Reston, Virginia), the document is also available at the International DOI System under NIST.IR.7823.
I reckon the document's abstract sums it up quite nicely:
"As electric utilities turn to Advanced Metering Infrastructures (AMIs) to promote the development and deployment of the Smart Grid, one aspect that can benefit from standardization is the upgradeability of Smart Meters. The National Electrical Manufacturers Association (NEMA) standard SG-AMI 1-2009, “Requirements for Smart Meter Upgradeability,” describes functional and security requirements for the secure upgrade—both local and remote—of Smart Meters. This report describes conformance test requirements that may be used voluntarily by testers and/or test laboratories to determine whether Smart Meters and Upgrade Management Systems conform to the requirements of NEMA SG-AMI 1-2009. For each relevant requirement in NEMA SG-AMI 1-2009, the document identifies the information to be provided by the vendor to facilitate testing, and the high-level test procedures to be conducted by the tester/laboratory to determine conformance." - via NIST IR 7823
Meanwhile, you can also track, examine and attempt to contain your surprise at the latest recognized industrial control systems & supervisory control and data acquisition systems vulnerabilities from our colleagues at US-CERT, here.
News, via Wired's Robert McMillan, of trouble in paradise. In this case, an error-prone computational quantum platform the search leviathan Google Inc. (NasdaqGS: GOOG) is running, down yonder in Mountain View...
"The crux of the problem is a phenomenon called bit-flipping. This happens when some kind of interference—cosmic rays, for example—causes the bits stored in memory to “switch state”—to jump from a 0 to a 1 or vice versa. On a PC or a server, error correction is relatively easy." - via Wired's Robert McMillan
- Image depicts a D-WAVE branded quantum computational device
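The quoted passage says error correction on conventional hardware is "relatively easy". As an added illustration (not code from the Wired article, Google, or D-Wave), the following shows the SECDED (single error correct, double error detect) Hamming scheme that ECC memory uses: one byte is expanded to 13 bits, a single flipped bit is located by its syndrome and corrected, and two flipped bits are detected but reported as uncorrectable rather than silently "corrected" into wrong data. The `flip` helper stands in for the cosmic-ray interference the article describes.

```python
from typing import List, Optional, Tuple

# Added example: SECDED Hamming code over one byte of "memory".
# Not part of the article; the layout (overall parity at index 0,
# Hamming parity bits at powers of two) is the textbook construction.

DATA_BITS = 8


def _num_parity_bits(m: int) -> int:
    """Smallest r such that 2**r >= m + r + 1 (Hamming bound for m data bits)."""
    r = 0
    while (1 << r) < m + r + 1:
        r += 1
    return r


def encode(byte: int) -> List[int]:
    """Encode one byte into a 13-bit SECDED codeword (list of 0/1).

    Index 0 holds the overall parity bit; indices 1..12 hold the Hamming
    code, with parity bits at positions 1, 2, 4, 8 and data elsewhere.
    """
    if not 0 <= byte < 256:
        raise ValueError("byte out of range")
    data = [(byte >> i) & 1 for i in range(DATA_BITS)]
    r = _num_parity_bits(DATA_BITS)
    n = DATA_BITS + r
    word = [0] * (n + 1)
    # Data bits go to every position that is not a power of two.
    bits = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):
            word[pos] = next(bits)
    # Parity bit p covers every position whose index has bit p set.
    for i in range(r):
        p = 1 << i
        word[p] = sum(word[pos] for pos in range(1, n + 1) if pos & p and pos != p) & 1
    # Overall parity over the whole Hamming codeword enables double-error detection.
    word[0] = sum(word[1:]) & 1
    return word


def decode(word: List[int]) -> Tuple[Optional[int], str]:
    """Return (byte, status); status is 'ok', 'corrected' or 'uncorrectable'.

    The syndrome is the binary position of a single flipped bit. If the
    syndrome is non-zero but the overall parity still checks, two bits
    flipped and the word must not be trusted.
    """
    word = list(word)
    n = len(word) - 1
    r = _num_parity_bits(DATA_BITS)
    syndrome = 0
    for i in range(r):
        p = 1 << i
        if sum(word[pos] for pos in range(1, n + 1) if pos & p) & 1:
            syndrome |= p
    overall_ok = (sum(word) & 1) == 0
    if syndrome == 0 and overall_ok:
        status = "ok"
    elif syndrome != 0 and not overall_ok:
        word[syndrome] ^= 1          # single flip inside the Hamming code
        status = "corrected"
    elif syndrome == 0 and not overall_ok:
        word[0] ^= 1                 # the overall parity bit itself flipped
        status = "corrected"
    else:
        return None, "uncorrectable" # two flips: detected, cannot be fixed
    data = [word[pos] for pos in range(1, n + 1) if pos & (pos - 1)]
    return sum(b << i for i, b in enumerate(data)), status


def flip(word: List[int], *positions: int) -> List[int]:
    """Simulate interference flipping the given bit positions."""
    w = list(word)
    for p in positions:
        w[p] ^= 1
    return w


if __name__ == "__main__":
    cw = encode(0xA5)
    print(decode(cw))               # (165, 'ok')
    print(decode(flip(cw, 6)))      # (165, 'corrected')
    print(decode(flip(cw, 3, 11)))  # (None, 'uncorrectable')
```

The practical point for a defender is the third case: a bare parity bit or a plain Hamming code would either miss the double flip or "correct" it to the wrong byte, which is why server ECC memory adds the extra overall parity bit and why uncorrectable-error counters are worth monitoring.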