Last call for comments on Keccak encryption

The public has one more chance to weigh in on the selection of a Secure Hash Algorithm that will become the new standard for federal digital signatures and other hashing functions.

A hash algorithm is a cryptographic tool that can create a digest – a unique string of bits of a specific length – specific to a digital document. In an environment when most documents are created and used digitally, hashing is an essential tool for verifying the authenticity of documents.

Because the digest is unique and cryptographically tied to the message, it can be used to verify that the contents of a digital document have not been altered. If any changes are made in the document, the digests produced by the hash algorithm before and after will not match. The algorithms also can be used to create digital signatures.

The Keccak algorithm (pronounced “catch-ack”) was selected as the winner of a five-year public competition for a new hashing standard in 2012 by the National Institute of Standards and Technology. It will put a new cryptographic arrow in the federal quiver, supplementing the unexpectedly long-lived SHA-2 family of algorithms.

But before becoming enshrined as SHA-3 in the Federal Information Processing Standards (FIPS), there will be a final round of public comment on Keccak. Because the standard algorithm will be freely available to all users – government and private sector alike – NIST wants to make sure, among other things, that no patents will be infringed in the use of the algorithm.

NIST has announced a final three-month period for public comment on the proposed standard.

The development of SHA-3 was a response to advances over the last decade in the cryptanalysis, or breaking, of hash algorithms. New attacks introduced serious concerns about the security of the SHA-1 algorithm standard, and by 2007 cracks also had begun to appear in the algorithms that collectively make up the SHA-2 standard. So NIST began a competition to find a new, stronger algorithm.

SHA-1 has been retired, but the weaknesses in SHA-2 were not as serious as originally feared, and SHA-2 remains a viable cryptographic tool. Nevertheless, NIST continued with the competition in the expectation of identifying a new algorithm that would be not only more secure, but more efficient.

NIST received 64 entries and after two preliminary rounds, five finalists were selected in December 2010. After 18 months of review, Keccak was selected as the winning algorithm in October, 2012.

There were no published attacks that “in any real sense,” threated the practical security of any of the finalists, NIST wrote in its announcement, and all finalists had acceptable margins of security. But Keccak is a little stronger and a little faster than SHA-2 and it has the largest margin of security among the finalists. Its simplicity and flexibility means it should be able to run efficiently on a wide variety of platforms.

Also, SHA-3 will not replace SHA-2, but will become a standard for hashing alongside it the foreseeable future.

The Draft FIPS 202  specifies six functions based on Keccak. Four are fixed-length cryptographic hash functions and two are closely related "extendable-output" functions (XOFs). The four fixed-length hash functions provide alternatives to the SHA-2 family. The XOFs can be used in a variety of applications, including generating and verifying digital signatures, key derivation functions and random bit generation.

NIST is proposing the creation of FIPS 202, specifying SHA-3 as a hashing standard, and changes to the existing FIPS 180-4, which contains the SHA-2 specifications, to also allow use of SHA-3. Comments should be sent by Aug. 26 to SHA3comments@nist.gov with “Comment on Draft FIPS 202” or “Comment on draft revision to the Applicability Clause of FIPS 180” in the subject lines.

Posted by William Jackson on Jun 13, 2014 at 6:58 AM0 comments

Man with bug spray against stinkbugs

Is antivirus now useless?

Debates over the state of antivirus technology and tools have resurfaced yet again after the executive in charge of Symantec’s information security business was quoted in the Wall Street Journal a month ago as saying antivirus is dead.

Now, that should be a big deal, since Symantec has made its reputation and fortune off the back of the antivirus business, and it still makes up some 40 percent of its revenue. According to Symantec’s Brian Dye, the company no longer thinks of antivirus as any kind of money maker. Antivirus catches less than half of the cyber attacks that now occur, he said.

However, this is only the latest in a series of announced deaths of the venerable technology, which has for so long been a keystone of enterprise security. In 2012, the Flame malware was discovered to have infected systems around the world and to have been resident on those systems for up to two years without having been detected by antivirus software. It was seen as a huge failure for antivirus, and the potential death knell for the technology.

None of this is news to most security professionals, who have been preaching the vulnerability of “traditional” security for some time and the need for layered, in-depth defense. Symantec now certainly believes that, since it has a new philosophy (and new products and solutions to sell) which emphasizes this approach.

But, is antivirus now really useless? That would be bad news for many government organizations, which still rely to a great extent on legacy systems such as antivirus for the core of their security. Lastline Labs, which looks at these kinds of issues, is one outfit that isn’t ready to toll the bell for antivirus yet, though it does say it’s staggering badly.

The main problem, it believes, is that antivirus takes too long to catch up with malware. From tests run for over a year, from May 2013 to May 2014, it found that, on any given day, at least half of the AV scanners it tested failed to detect new malware. Even after two months, a third of the scanners were still not detecting it.

Eventually, AV scanners do start to catch up. Two weeks was the common lag time. But, even after a year, according to Lastline, there were malware samples that still evaded 10 percent of the scanners tested.

Chart by Lastline showing effectiveness of antivirus software

Source: Lastline. Click chart for larger view.

As the graph shows, there’s a major problem with the 1 percent of malware that consistently evades capture by antivirus systems. That likely represents advanced malware that more sophisticated criminals use to persistently target and infiltrate organizations, Lastline said. Unfortunately, unlike more opportunistic cyber events, attacks that use such malware are the ones that usually cause the most serious security breaches.

Traditional antivirus is not dead, Lastline believes, but it does need to be complemented with other approaches, such as those based on dynamic analysis of samples and network anomaly detection. The National Security Telecommunications Advisory Committee came to a similar conclusion in a report to the president last year, and it’s the basis of many of the next generation of security tools that are now being unveiled.

Meanwhile, until budget-constrained agencies can catch up with this flow, many will have to persist with the AV systems they already have while being aware of their limitations.

Which brings up another point.

In February of this year, a Senate report on the federal government’s cybersecurity track record found that agencies that had recently suffered major breaches had consistently failed to patch security software, including antivirus, with some as many as two years behind on their updates.

Even the admittedly limited effectiveness of traditional antivirus systems won’t survive that.

Posted by Brian Robinson on Jun 06, 2014 at 9:00 AM1 comments

Man juggling spinning remote IT devices

Is shadow IT spinning out of control in government?

The influx of consumer IT into the workplace — often unmanaged and unseen by administrators — is speeding up, and it isn’t just the fault of irresponsible employees.

“People need to get their work done, and they’ll do anything to get it done,” said Oscar Fuster, director of federal sales at Acronis, a data protection company. When tools that can help them appear in the marketplace, and in their own homes, they chafe when administrators do not let them use them. The result often is an unmanaged shadow infrastructure of products and services such as mobile devices and cloud-based file sharing that might be helpful for the worker but effectively bypasses the enterprise’s secure perimeter.

It is not all the fault of the administrators. They have policy, regulation and legislation to comply with. But if someone doesn’t do something quickly, agencies will soon find that their sensitive data is outside of their control.

What is needed is a more agile approach to acquiring and managing technology that doesn’t leave the government two years behind the consumer curve in acquiring tools. Departments must be willing to decentralize authority so that agencies can adapt quickly to their technology needs, and more freely interpret legislative mandates.

“It’s easier said than done,” Fuster said. But most IT legislation is technology neutral, and policies can be fashioned to accommodate new technology more quickly than is happening now, he says. “The second you fall behind, people will start cutting corners.”

Shadow IT is not a new problem. In the early days of the home PC, workers could use removable hard drives to work at home, and floppy disks could move files easily from one office to another. The difference was that 40 years ago it took more tech savvy and a little more investment to get outside the perimeter. When the world went wireless 15 or so years ago, there was an exponential jump in the ability to think and work outside the box.

Things have shifted again with handheld mobile devices and nearly ubiquitous network access. Consumer cloud services can put an entire suite of productivity tools in your hand, but it also takes data outside the administrator’s control.

The solution is two-fold. Because the enterprise itself is becoming more fluid, more attention is needed to the security of the data itself. Encryption and controls to monitor its movement, coupled with more well-defined access control, can help protect data and see who is using it and where. This addresses not just the shadow IT challenge, but the insider threat and the growing use of stealthy exploits that can sit quietly in the system and slowly export data.

At the same time, be open to accommodating workers so that they are less tempted to work around you. One powerful tool is the ability to manage mobile devices within your legacy infrastructure. Windows Phone has a small percentage of the mobile market, but the latest Windows 8.1 update allows administrators to use a common set of management tools from the server through the desktop to the handheld device. Even if your workers prefer an Android or iPhone, this can be a good compromise to making your workplace more flexible.

Posted by William Jackson on May 30, 2014 at 8:03 AM0 comments

Looking for insider threats

Insider threat detection tools: Hard to find, harder to fund

While most of the emphasis in cybersecurity seems to be on external threats and the damage suffered when network and data defenses are breached, threats from insiders are getting more attention in the aftermath of the Snowden and Wikileaks revelations. What to do about those is another question, since the tools currently used by organizations to track incursions don’t seem up to the task.

It’s not a new phenomenon. The FBI a long time ago began voicing its concern about threats from privileged users of data, both in government and industry. The issue has its very own website at the FBI, and the concern within government was bolstered by a White House memo published at the end of 2012 aimed at the heads of agencies.

Now comes a survey by the Ponemon Institute, sponsored by Raytheon, that shows where the recognition/mitigation gap lies.

Over all of the government and industry sources surveyed, for example, 88 percent said they recognized that the insider threat is a cause for alarm, and that the abuse will increase. At the same time, however, they said they have difficulty identifying what specific threatening action looks like.

chart showing challenges in establish whether an event is an insider threat

Source: Insider Threat Ponemon Survey Report

“Responders said they just don’t have enough contextual information from their existing tools, which also throw up too many false positives,” said Michael Crouse, Raytheon’s director of insider threat strategies. “There’s a real need for a different way to attack the problem.”

Unlike external threats, where malicious intent is assumed, the situation with insiders is more nuanced. Of those who access sensitive or confidential information that isn’t necessary for their jobs, for example, survey respondents said as many as two-thirds are simply driven by curiosity.

In government, you can probably add the frustration of people under increasing pressure to get the job done and who don’t want to spend the time working through the red tape necessary to access information they think they need. Who hasn’t asked a buddy in the office to help with that kind of thing?

Other recent studies have also made the point that insider threats come from relatively innocent actions as much, or even more, than malicious events. Verizon’s 2014 Data Breach Investigation Report, for example, showed that misuse by insiders could come from something as simple as sending an email to the wrong person or attaching files that shouldn’t be attached.

One simple move toward an answer would be for organizations to properly configure tools they do have, something Crouse said is “the easiest and most cost-effective” thing they can do. Beyond that, agencies  need complementary tools, such as end-point monitoring that show how users behave when they access data through an end-point, detailing IM traffic, contextual emails and whether they are cutting and pasting information in ways they haven’t previously.

That’s all well and good, of course, but there’s a big catch. While nearly 90 percent of those surveyed in the Ponemon report said they understood the need for enhanced security, only 40 percent had any kind of a dedicated budget to spend on tools specifically aimed at insider threats. That’s why most organizations — and certainly government agencies — have to limp along by trying to jerry-rig existing, and unsuitable, cybersecurity tools to do the job.

One of the reasons for that budget shortfall, Crouse gamely admitted, is that companies like his have not done a good job explaining the ROI from money spent on these tools. What organizations don’t understand, he said, is that while the number of actual breaches from insiders is low compared to those from external threats, the impact from those breaches is substantially higher.

“I don’t think they truly understand either the monetary or mission impact from these insider breaches,” he said. “They’re just now trying to get their heads around that.”

Posted by Brian Robinson on May 23, 2014 at 9:30 AM1 comments