Recently in Encryption Category

This morning I posted a link on our twitter site about an article from Ross Anderson and Shailendra Fuloria on issues concerning the Governance and Security of Smart Meters.
"Who controls the off switch?" This article was referenced in one of the major Scada Security List Services.

The article does point out the concerns about Cyber attacks by international criminal organizations, military initiatives of foreign nations causing massive black outs and some ways of mitigating those risks.

The article does point out another interesting point about the use of cryptography and key management. How will the keys be managed in Smart Meter technology on hundreds of millions of smart meters with pre-shared secrets or PKI infrastucture?
How will new keys be added for new energy companies? How will the keys be changed?

There is some new work being done by the Oasis Group on key management
The OASIS KMIP Key Management project may be one of the center pieces for offering interoperability across a "Trans-Smart Grid". A 2009 presentation by the University of Colorado also lists KMIP as key to interoperability. The Colorado University presentation by Dr. Edward Chow goes on to show the complexity in monitoring attacks from the trust relationships of various parts of the infrastructure including "Fake ID Hijack Station","Jamming Wormhole Attacks", "Meter Database Tampering" from Insider Attacks to External Attacks and the correlation of events moving through these trust relationships.

The Second paper from Ross Anderson and Shailendra Fuloria also referenced in the
paper Who controls the off switch is On the security economics of electricity metering .
This is an excellent paper that not only provides insight to the history of distributed power but also points out the complexities in providing modern day Smart Grid technologies not only from a technological perspective but from competitive analysis on the struggle for dominance within the distribution system both nationally and internationally and a warning on the comparisons of what happened with Enron when governance is not properly applied.

Jason Ross's presentation at the Blackhat DC conference related the issues about checkbox compliance, that companies are using checkbox compliance as a means to indicate whether they are secure. When in fact it should be deemed as the lowest possible level of acceptance a baseline of acceptance and he points out as others have that some of the largest privacy compromises of personal information were done at companies that had past their external PCI audits. Compliance is absolutely wonderful it enforces at least a baseline of requirements but it should not be used as a means that you have a seal that protects you from exploits and non-publicized
holes in the grid.

Jason points out the difficulties of detecting Malware in enterprise environments, that by the time the antivirus sends off an alert about a malware or virus being seen it's usually too late you have already been owned, as Dan Geer pointed out a few years ago at the Gartner Risk Conference it's hard to get exact metrics on what is happening because by the time that alert kicks off 6 other events have already happened that were not detected.

For IT and Security administrators that have been through some of these malware wars with Downloaders and Polymorphic attacks know that just because the antivirus says it's cleaning up there are way too many other things happening. I once saw some thing interesting it was a Polymorphic virus that was loaded on a system that had Microsoft's development studio on it, that we could watch as the polymorphic virus recompiled other malware from it's code that would attempt many ways to infect the machine and other machines quickly and one time there was a downloader. Even Microsoft writes about recovering the operating system and files from a known state from before this activity started unfortunately with out historical view of activity on this node and user that information and the correlation of events will be difficult.

Jason Ross points out the goals of malware now is to have Business support models. Their objective is not to be noisy but to be very quietly performing their tasks of infecting other hosts and using a network of hosts to make money and the use of malware like URL Zone and Monkif

In the presentation he talks about Spider Monkey - By Didier Stevens a tool for helping to analyze malcode. The use of SAN NETS to isolate malcode in action so that it can be analyzed to determine what it wants to connect with or what services or files it wants to abuse with Polymorphic viruses that constantly change it's usually interesting to observe them in action in a closed environment.

Years ago I can't remember the movie name, but the analyst in the movie were collecting them and keeping the code and binaries for sale and redistribution or modifying them in some way not to be detected.

Another point from the presentation is that Malcode writers are now writing them so they can not be easily detected by signatures by using multicode that each binary performs a small function of the code.

via this Black Hat briefing

• Internet Explorer could turn your Windows XP machine into a web server, Microsoft warns (guardian.co.uk)

• Massive blackhat SEO of 200K sites (ecombizcenter.blogspot.com)

The Food and Drug Administration recently announced that the Office of the National Coordinator for Health Information Technology is launching the Sentinel Initiative with the ultimate goal of creating and implementing the Sentinel System - a national, integrated, electronic system for monitoring medical product safety.

The Sentinel System, which will be developed and implemented in stages will ultimately enable us to access the capabilities of multiple, existing data systems (e.g., electronic health record systems, medical claims databases) to augment the agency's current capability.

The goal is an understanding of adverse events resulting from treatment creating new methods of signal detection, data mining, and analysis, enabling researchers to generate hypotheses about, and confirm the existence and causal factors, of safety problems in the populations using the products.

Currently the focus has been to integrate data from various large populated databases, from MedSun ( Medical Product Product Safety Network), KIDnet (a postmarket database of pediatric ICU's and Neonatal ICU's), Heartnet (data gathered from electrophysiology laboratories), Labnet (data collected from hospital laboratories), SightNet (a collection of data from the use of ophthalmic devices), and HomeNet (a collection of data from home use devices). The FDA signed agreements with the Veterans Health Administration ( VHA) to build tools and infrastructures for evaluating the safety of drugs, biologics, and medical devices as well as the Department of Defense (DoD) for automated signal generation and data mining tools with the DoD's ALTHA electronic medical record system as well as identify influenza vaccine safety.

At the core of this collaboration is Information Technology, the (CCHIT) The Certification Commission for Healthcare Information Technology provides processes that provide interoperability for Electronic Healthcare Records (EHR). The Healthcare Information Technology Standards Panel (HITSP) provides interoperability specifications (HITSP C 32, 35, 36) to exchange patient data between Community Heath Centers they share ( HIE's or Health Care Information Exchange).

The Nationalwide Health Information Network (HHIN) is being developed to provide a national, secure and interoperable network. The network of networks will connect diverse entities at the state and regional (HIE's) that need to exchange health care information. The FDA is planning on using the HHIN existing framework to provide Sentinel access to diverse networks to retrieve data from a number of healthcare resources.

Healthcare IT services now interconnect patient health care medical devices that are local and remote to the health facility to Medical Device Data Systems (MDSS) that collect and store status and performance data from medical devices. The MDSS systems interconnect with EHR systems that connect to the Healthcare network (HIE) and the (HHIN) "network of networks" grid. The Holland & Hart Healthcare Law Blog article on Internet Medicine points out the challenges to the interoperability of medical devices to electronic health record systems and the proliferation of internet worms (Conflicker). Robert Nadler's article from RDN Consulting on Medical Devices provides a diagram and shows protocols used for the interoperability of connecting Medical Devices to the Health Care Network.

In another article from Ph.D. Rex Gantenbein from the University of Wyoming displays the Federated model of the HIE and its advantages.

Monitoring the efficiency and effectiveness of the control environment of HIE connections as well as the back end infrastructure to EHR systems and their trust relationships with medical data systems and connections to patient medical devices will require a strong information security program that is integrated within the IT Medical framework and the Medical Business supply chain. Prevention of Intrusions and Data Breaches will be an on-going lesson learned as data is liberated from applications and becomes more liquid and data silos are taken down. Medical data is valuable information for those that depend on it for survival. Imagine botnets that are able to infiltrate healthcare medical devices or has the ability to turn off medical monitoring equipment.

Links:
Health Information Technology (HealthIT).
Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information
The FDA Sentinel Initiative.
Common Framework for Networked Personal Health Information

Cisco Security recommends changing the default behavior of the IOS CA to use SHA-1 hashing instead of the default MD5 hashing for certificates. Although the ASA CA may not be vulnerable to attacks as is the IOS CA, Cisco still recognizes the weakness in MD5 and plans to change the default behavior for the generation of end Certificates.
Cisco Security Response: MD5 Hashes May Allow for Certificate Spoofing

Verisign has stated that it fixed their CA's and even their Rapid SSL CA from using MD5. Versign's Blog on MD5 attacks as you can see from the comments users are concerned about the certificates online that were generated with a MD5 Hash.

MD5 considered harmful today in this publication released in Berlin on Dec. 31st 2008 by Alexander Sotirov, Arjen Lenstra, Dave Molnar, Dag Arne Osvik, Benne de Wegner. Their attack takes advantage of what was a theoretical scenario known as MD5 Collisions which is a weakness in the cryptology of the hash function.
attack.bmp They recommend stronger encryption offered by SHA1 and SHA2 to help prevent a Rogue CA server from being from being the authority of trust.

There maybe other concerns besides just the browser and the web server such as code signing certificates or emai certificates.