People in leadership positions may sacrifice privacy for security

Pennsylvania State University (PSU) researchers performed experiments examining how people with high-status job assignments assessed security and privacy and how impulsive or patient they were in making decisions. The results showed that participants who were randomly placed in charge of a project tended to become more concerned with security. In a follow-up experiment, those appointed as supervisors also exhibited a more patient, long-term approach to decision-making. “Hopefully, by calling attention to these tendencies, decision-makers can rebalance their priorities on security and privacy,” says PSU professor Jens Grossklags. In the first experiment, the researchers randomly assigned 146 participants roles as either a supervisor or a worker to determine how those assignments changed the way leaders approached security or privacy during a task. Those appointed supervisors displayed a significant increase in their concern for security, while those who were assigned a worker-level status expressed higher concern for privacy. The second experiment, consisting of 120 participants, examined whether patience correlated with high-status assignments. The researchers found the low-status workers were more impulsive, as they were willing to sacrifice 35 percent more to receive prize money now rather than later, while supervisors were more willing to wait, showing they would be more patient in making decisions with long-term consequences.

via People in leadership positions may sacrifice privacy for security | Penn State University.

Shortage of cybersecurity professionals poses risk to national security

The nationwide shortage of cybersecurity professionals – particularly for positions within the federal government – creates risks for national and homeland security, according to a new study from the RAND Corporation.

Demand for trained cybersecurity professionals who work to protect organizations from cybercrime is high nationwide, but the shortage is particularly severe in the federal government, which does not offer salaries as high as the private sector.

“It’s largely a supply-and-demand problem,” said Martin Libicki, lead author of the study and senior management scientist at RAND, a nonprofit research organization. “As cyber attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training and hiring these cybersecurity professionals takes time.”

via Shortage of cybersecurity professionals poses risk to national security.

Data Security Best Practices

Small businesses may think the cost of protecting data is high, but doing nothing can be far more expensive.

No matter the size or scope of the business, everyone is reliant on data to get the job done. That is why every business – big or small – needs a data-security-best-practices plan. If your company’s data is lost, the cost to recover or recreate it can be insurmountable for small operations.

“It doesn’t really cost a lot” for companies to protect their data, says David Zimmerman, chief executive of LC Technology International. “It could be thousands of dollars to recover the data if the recovery is successful at all.”

Small business owners have seen enough news about data breaches to know they need to keep sensitive information secure from hackers. But many don’t take time to put IT security best practices in place, and fail to protect their data from a hard drive crash or computer meltdown. If the data isn’t backed up, it can take days or even weeks to be up and running, which could mean the demise of many small businesses. That’s why experts say you need a good data protection plan in place that combines both on-site and off-site backups.

via Data Security Best Practices | Fox Small Business Center.

NSF Dear Colleague Letter- Cybersecurity Education EAGERs

The National Science Foundation (NSF) is announcing its intention to fund a small number of Early Concept Grants for Exploratory Research (EAGERs) to encourage advances in cybersecurity education, an area supported by the Foundation’s Secure and Trustworthy Cyberspace (SaTC) (see solicitation NSF 13-578) and CyberCorps®: Scholarship for Service (see solicitation NSF 14-510) programs.

EAGER is a mechanism for supporting exploratory work in its early stages on untested, but potentially transformative, research ideas or approaches. This work may be considered especially “high risk – high payoff” in the sense that it, for example, involves radically different approaches, applies new expertise, or engages novel disciplinary or interdisciplinary perspectives.

via NSF Dear Colleague Letter- Cybersecurity Education EAGERs » CCC Blog.

Navy puzzle challenge blends social media, cryptology

The Navy recently announced the winners of its cryptology puzzle game challenge: “Project Architeuthis.”

The puzzle, consisting of daily clues posted on Facebook, targets the cryptology technician community and was an attempt to raise awareness of the Information Dominance Corps. The challenge calls on Navy cryptology technicians to collect and analyze encrypted electronic communications, jam enemy radar signals, decipher information in foreign languages, maintain the state-of-the-art equipment, and defend and analyze networks.

Project Architeuthis (the Latin name for giant squid) began on April 28. The first 10 people to successfully complete the puzzle won the game. Developed in partnership with the Lowe Campbell Ewald (LCE) marketing agency, the challenge involved fictitious characters and social media profiles. In pursuing the game, characters interact with the Project Architeuthis Facebook page through posts to add layers to the story and provide clues when participants are stuck on a puzzle.

via Navy puzzle challenge blends social media, cryptology — GCN.

Automating Cybersecurity

If only computers themselves were smart enough to fight off malevolent hackers.

That is the premise of an ambitious two-year contest with a $2 million first prize, posed to the world’s computer programmers by the Defense Advanced Research Projects Agency, better known by its acronym, Darpa. It is the blue-sky, big-think organization within the Defense Department that created a precursor of the Internet in the late 1960s and more recently held a contest that spurred development of self-driving cars.

Michael Walker, the Darpa cybersecurity program manager who is running the contest, imagines a future in which sensors on computer networks could detect intruders, identify the flaws that let them in, and automatically make the necessary repairs, all without a human computer expert lifting a finger.

via Automating Cybersecurity – NYTimes.com.

New algorithm shakes up cryptography

Researchers at the CNRS Lorraine Laboratory of Research in Computer Science and its Applications and the University of Paris’ Computer Science Laboratory have uncovered a flaw in cryptography security. Their work discredits several cryptographic systems that until now were assumed to provide sufficient security safeguards. The team has solved one aspect of the discrete logarithm problem, considered to be one of the chief goals of algorithmic number theory, which serves as the foundation for the security of many of today’s cryptographic systems. The researchers have devised an algorithm that is able to solve increasingly large discrete logarithm problems, while its computing time increases at a far slower rate than with previous algorithms. As a result, computation is made considerably easier. However, the researchers note the work is still theoretical and needs to be refined before it is possible to provide a practical demonstration of the weakness of this variant of the discrete logarithm. Nonetheless, they say it is likely to impact cryptographic applications of smart cards, radio-frequency identification chips, and other security devices.

via New algorithm shakes up cryptography — ScienceDaily.

Big bucks going to universities to solve pressing cybersecurity issues

The Federal Emergency Management Agency (FEMA) announced a three-year, $800,000 grant to the University of Texas at San Antonio Center for Infrastructure Assurance and Security (CIAS), the University of Arkansas System’s Criminal Justice Institute and the University of Memphis’ Center for Information Assurance. They will join forces on research into helping states and communities better prepare for, detect and respond to cyber attacks.

More specifically, the funding will support development of a new training course and the updating of five existing ones through establishment of the National Cybersecurity Preparedness Consortium (NCPC). The Texas A&M Engineering Extension Service (TEEX) and the Norwich University Applied Research Institutes (NUARI) will also be part of this outfit.

via Big bucks going to universities to solve pressing cybersecurity issues – Network World.

Cybersecurity Researchers Roll Out A New Heartbleed Solution

As companies scrambled in recent days to address the latest cybersecurity bug known as Heartbleed, researchers at The University of Texas at Dallas had a solution that fixes the vulnerability, and also detects and entraps hackers who might be using it to steal sensitive data.

The advanced technique — dubbed Red Herring — was created by a team led by Dr. Kevin Hamlen, an associate professor of computer science in the Erik Jonsson School of Computer Science and Engineering. It automates the process of creating decoy servers, making hackers believe they have gained access to confidential, secure information, when in fact their deeds are being monitored, analyzed and traced back to the source.

“Our automated honeypot creates a fixed Web server that looks and acts exactly like the original — but it’s a trap,” said Hamlen, a member of the UT Dallas Cyber Security Research and Education Institute (CSI). “The attackers think they are winning, but Red Herring basically keeps them on the hook longer so the server owner can track them and their activities. This is a way to discover what these nefarious individuals are trying to do, instead of just blocking what they are doing.”

via Cybersecurity Researchers Roll Out A New Heartbleed Solution – News Center – The University of Texas at Dallas.

Heartbleed is about to get worse, and it will slow the Internet to a crawl

Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of Web sites at the same time, security experts say.

Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

via Heartbleed is about to get worse, and it will slow the Internet to a crawl.