Category Archives: Science

Looks like Bitcoin has got too big to ignore. Virtual currencies are to be regulated by the US Treasury after the Financial Crimes Enforcement Network (FinCEN) moved to clarify their status under anti-money-laundering laws.

The move comes as Bitcoins doubled in value in just a few weeks to hit a record high of more than $70 each, possibly fuelled by the banking crisis in Cyprus and the rest of Europe.

Bitcoin is run on a decentralised network controlled by its users, making it difficult to regulate transactions within the currency. However, exchanges that swap Bitcoins for real-world currencies, such as MtGox, are another matter.

FinCEN’s new guidelines don’t mention Bitcoin by name, but say that anyone involved in exchanges of decentralised virtual currency for real currency must register as a money services business and obey existing regulations. The same applies for centralised virtual currencies, such as Facebook credits.

But in a peer-to-peer currency it is not so obvious what counts as an exchange. Bitcoin “miners”, who run software to create Bitcoins, might also have to register if they sell the newly minted currency for its real equivalent. Patrick Murck of the advocacy group Bitcoin Foundation called the guidelines “infeasible for many, if not most, members of the Bitcoin community to comply with”.

US to regulate Bitcoin currency at its all-time high – tech – 26 March 2013 – New Scientist.

If designed and built efficiently, flexibly and securely, next-generation cyber-physical systems (CPS) now sprouting from interconnections that join the digital and engineered physical worlds will deliver extraordinary capabilities and tremendous benefits on scales ranging from individuals to organizations and from industries to national and global economies.

Three new reports prepared for the National Institute of Standards and Technology (NIST) distill the perspectives of executives and technical experts from industry, academia and government on the “ifs” and the “what’s next” of emerging intelligent systems-of-systems technologies. Complex technical, institutional and societal challenges notwithstanding, future CPS could have sweeping impacts on how we live, work and do business, according to the reports.

“CPS are enabling a new generation of ‘smart systems’ — and the economic impacts could be enormous,” explains the summary report of a NIST-organized roundtable of industry and government executives and university leaders. “The disruptive technologies emerging from combining the cyber and physical worlds could provide an innovation engine for a broad range of U.S. industries, creating entirely new markets and platforms for growth.”

CPS go well beyond today’s “embedded systems,” which are largely task-specific machines that operate under computer control. Anticipated CPS uses such as intelligent vehicles and highways and next-generation air transportation will be significantly more ambitious, diverse and integrated than those of today’s task-specialized embedded systems.

The broad sweep of anticipated CPS uses is suggested by a variety of other labels inspired by the convergence of networking and information processing technologies with engineered physical systems. Together, they create systems that integrate distributed networks of sensors, controls and processors — for example, “internet of things,” “industrial internet” and “smarter planet.”

The good news, according to the experts assembled by NIST, is that the United States, as the world leader in cutting-edge cyber technologies and engineered physical systems, is well-positioned to reap the competitive advantages of developing and mastering advanced CPS. But other nations are not conceding these advantages.

The European Union, for example, plans to invest $7 billion on embedded systems and CPS, with the aim of becoming a global leader in the field by 2020. Japan, which currently hosts the world’s largest tradeshow on embedded systems, has similar ambitions.

Developed with input from about 80 experts in CPS and related technologies, the new reports provide a strategic vision and business drivers motivating concerted public-private efforts to achieve the unprecedented capabilities of next-generation CPS within the next two decades. They also provide a multilayered view of the research and development challenges that must be solved to realize this potential. Sectors singled out to illustrate both the promise of anticipated CPS applications and obstacles that stand in the way include smart manufacturing, smart utilities, smart buildings and infrastructure, and smart transportation and mobility.

Cross-cutting challenges and needs that span all of these sectors include cybersecurity, technology platforms with integrated architectures, interoperability standards, communication protocols, performance and quality assurance systems, seamless human-CPS interactions, and education and workforce training.

The three reports are:
Strategic R&D Opportunities for 21st Century Cyber-Physical Systems: provides a high-level perspective on key challenges and research opportunities for advancing CPS; intended to inform decisions about the technology R&D that should be pursued. Available at www.nist.gov/el/upload/12-Cyber-Physical-Systems020113_final.pdf. 

Strategic Vision and Business Drivers for 21st Century Cyber-Physical Systems: summarizes the ideas generated during an executive roundtable attended by business and technical leaders, representing a spectrum of applications for CPS, from medicine to energy to manufacturing. Available at www.nist.gov/el/upload/Exec-Roundtable-SumReport-Final-1-30-13.pdf.

Foundations for Innovation in Cyber-Physical Systems: summarizes the results of a workshop where scientists and engineers identified and prioritized technical barriers — including measurement science and standards-related needs — that impede progress. Available at www.nist.gov/el/upload/CPS-WorkshopReport-1-30-13-Final.pdf.

New Reports Define Strategic Vision, Propose R&D Priorities for Future Cyber-physical Systems | DFI News.

Jeremiah Grossman is widely considered to be one of the world’s most talented ethical hackers, but even his ninja-like prowess wasn’t enough to recover a forgotten password used to encrypt sensitive work documents contained on his MacBook Pro.

After fiddling with a freely available password cracking program, the CTO of WhiteHat Security soon realized that its plodding speed, about one password guess per second, meant it would likely take him decades of tries before he arrived at the right one. That’s when he called in the big guns, namely Solar Designer and other principals behind the free John the Ripper password cracker as well as Jeremi Gosney, a password security expert at Stricture Consulting Group. (Ars has chronicled Gosney’s cracking prowess in earlier articles.)

“Collectively, these guys are amongst the world’s foremost experts in password cracking,” Grossman wrote in a blog post describing the odyssey unlocking the crucial files. “If they can’t help, no one can. No joking around, they immediately dove right in.”

Security concerns, not to mention the enormous size of the encrypted DMG disk images, prevented him from sending the files directly to his rescuers. So he availed himself of a JtR utility called dmg2john, which extracts only the key-derivation material from the DMG header (the salt, the iteration count and the wrapped encryption key) rather than the data it protects. That lets the cracking program test candidate passwords against the file without ever exposing the underlying data.

But even then, there was a problem. Grossman’s AES-256-encrypted DMG used a staggering 250,000 rounds of PBKDF2-HMAC-SHA-1, a key-derivation function deliberately designed to run slowly so that each password guess costs the attacker as much as it costs the legitimate user. Gosney’s Xeon X7350 could compute a single HMAC-SHA-1 at a rate of about 9.3 million per second. Because each guess requires repeating that operation 250,000 times, his system was reduced to just 37 or so guesses per second. Even using all four processors of his machine, he could bump up the performance to only about 104 guesses per second. (JtR doesn’t support graphics cards when cracking Apple’s latest DMG formats.)

Grossman continued:

Once understanding this, Jeremi begins asking for more information about what the extra six or so characters in my password might have been. Were they all upper and lower case characters? What about digits? Any special characters? Which characters were most likely used, or not used? Every bit of intel helped a lot. We managed to whittle down an initial 41106759720 possible password combinations to 22472. This meant the total amount of time required to crack the DMG was reduced to 3.5 minutes on his rig.

Subsequently, Jeremi sent me what had to be one of the most relieving and frightening emails I’ve ever received in my life. Relieving because I recognized the password immediately upon sight. I knew it was right, but my anxiety level remained at 10 until typing it in and seeing it work. I hadn’t touched my precious data in weeks! It was a tender moment, but also frightening because, well, no security professional is ever comfortable seeing such a prized password emailed to them from someone else. When/if that happens, it typically means you are hacked and another pain awaits.

Interestingly, in living out this nightmare, I learned A LOT I didn’t know about password cracking, storage, and complexity. I’ve come to appreciate why password storage is ever so much more important than password complexity. If you don’t know how your password is stored, then all you really can depend upon is complexity. This might be common knowledge to password and crypto pros, but for the average InfoSec or Web Security expert, I highly doubt it.

Grossman’s predicament, and the techniques used to resolve it, underscore the never-ending battle between password security and the latest cracking strategies. For much more about the techniques used to create and defeat strong passwords, see the Ars feature Why passwords have never been weaker—and crackers have never been stronger.
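The arithmetic behind the story above is worth seeing in code. The following is an added example, not code from the Ars article, from Grossman’s post or from John the Ripper: it shows how the PBKDF2 iteration count turns a fast HMAC rate into a slow guess rate, and how constraining the candidate space with a known prefix and per-position character sets (a JtR-style mask) turns an infeasible search into a short one. The salt, the target password, the round count used for the demo and the character sets are all constructed here; the "verifier" is simply the derived key, whereas a real encrypted DMG stores a salt, an iteration count and a wrapped key in its header and the password is confirmed by unwrapping that key. The rate constants are the figures quoted in the article.

```python
"""Added example: PBKDF2 cost arithmetic and mask-constrained cracking.
Not from the article or from JtR; all inputs below are constructed."""
import hashlib
import itertools
import time
from typing import Iterable, Iterator, Optional, Sequence

HMAC_SHA1_PER_SECOND = 9.3e6   # single-core HMAC-SHA-1 rate quoted in the article
DMG_ROUNDS = 250_000           # PBKDF2 iteration count of the DMG in the article


def guess_rate(hmac_per_second: float, rounds: int) -> float:
    """PBKDF2-HMAC costs one HMAC per iteration, so guesses/s = HMAC rate / rounds."""
    return hmac_per_second / rounds


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / guesses_per_second


def derive_key(password: str, salt: bytes, rounds: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA-1, the KDF named in the article (hashlib's C implementation)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, rounds, dklen)


def mask_size(charsets: Sequence[str]) -> int:
    """Number of candidates a mask produces: product of the per-position set sizes."""
    n = 1
    for cs in charsets:
        n *= len(cs)
    return n


def masked_candidates(prefix: str, charsets: Sequence[str]) -> Iterator[str]:
    """Known prefix followed by one character drawn from each position's set.
    This is the kind of narrowing Gosney did by asking which characters were likely."""
    for tail in itertools.product(*charsets):
        yield prefix + "".join(tail)


def crack(target_key: bytes, salt: bytes, rounds: int,
          candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose derived key matches, or None.
    Assumption for the demo: the verifier is the raw derived key; a real DMG
    verifies by unwrapping the header's wrapped key with the derived key."""
    dklen = len(target_key)
    for cand in candidates:
        if derive_key(cand, salt, rounds, dklen) == target_key:
            return cand
    return None


def measure_local_rate(rounds: int = 1000, samples: int = 20) -> float:
    """Empirical guesses/s on this machine at the given round count (single core)."""
    salt = b"\x00" * 8
    t0 = time.perf_counter()
    for i in range(samples):
        derive_key(f"bench{i}", salt, rounds)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    # Part 1: the article's numbers. 9.3M HMAC/s / 250,000 rounds = ~37 guesses/s.
    single = guess_rate(HMAC_SHA1_PER_SECOND, DMG_ROUNDS)
    years = seconds_to_exhaust(41_106_759_720, single) / (365 * 86400)
    minutes = seconds_to_exhaust(22_472, 104) / 60      # four cores, as quoted
    print(f"{single:.1f} guesses/s per core; full space ~{years:.0f} years; "
          f"narrowed space ~{minutes:.1f} minutes on 4 cores")

    # Part 2: an actual crack against a constructed target with a small round
    # count so the demo finishes quickly (the DMG used 250,000).
    salt = bytes(range(16))                              # constructed salt
    rounds = 1000
    target = derive_key("ninja71!", salt, rounds)        # constructed target
    charsets = ["0123456789", "0123456789", "!@#$"]      # "what might the tail be?"
    print("mask size:", mask_size(charsets),
          "found:", crack(target, salt, rounds, masked_candidates("ninja", charsets)))
    print(f"local rate at {rounds} rounds: {measure_local_rate(rounds):.0f} guesses/s")
```

The lesson Grossman draws holds in the numbers: the same 250,000 rounds that made the full 41-billion-candidate space a multi-decade job make the narrowed 22,472-candidate space a few minutes, because the KDF multiplies the cost per guess but does nothing about the number of guesses. Defenders choose the round count; only the user controls how much of the keyspace the attacker can rule out.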

How a security ninja cracked the password guarding his most valued assets | Ars Technica.

The Raspberry Pi Foundation recently announced that it has now sold around one million of its $35 “Model B” Linux-powered PCs. Today, the foundation can add 15,000 more units to its total, but these PCs will be sent out to school children in the UK for free.

In a post on the foundation’s blog, it announced that it has received a grant from Google Giving, the charity arm of Google. The foundation said:

We’re going to be working with Google and six UK educational partners to find the kids who we think will benefit from having their very own Raspberry Pi. CoderDojo, Code Club, Computing at Schools, Generating Genius, Teach First and OCR will each be helping us identify those kids, and will also be helping us work with them.

The grant will also help to pay for 15,000 teaching and learning packs to go along with the Raspberry Pi PCs. The foundation celebrated the Google donation in a school in Cambridge today which Google’s executive chairman Eric Schmidt attended.

The Raspberry Pi Foundation launched the $35 Model B PC as an educational tool first and foremost, and the group believes that Google’s new grant will help generate more interest in computer science in UK schools.

15,000 Raspberry Pi PCs go to UK students, courtesy of Google.

Electronic devices such as computers, cellphones and digital cameras must be properly seized, processed and stored to preserve the integrity of the data and ensure its evidentiary value. A manual developed by the Electronic Crime Technology Center of Excellence (ECTCoE) can provide agencies with much-needed guidance on drafting policies and procedures for handling digital evidence.

As stated in the text, the purpose of the sample Policy and Procedure Manual is to give law enforcement agencies a collection of documents that can serve as a starting point for developing policies and procedures for the collection, handling and processing of digital evidence. Once final, the manual will be posted to the National Law Enforcement and Corrections Technology Center (NLECTC) System website in Microsoft Word format to facilitate editing as needed by individual agencies. The NLECTC System is a program of the Office of Justice Programs’ National Institute of Justice.

“The document was written in response to the many requests we’ve seen on the various computer forensic email lists requesting copies of policy and procedure manuals by state and local officers and agents who have been tasked with developing such a document for their own agency,” explains Russell Yawn, ECTCoE deputy director.

In developing the manual, the ECTCoE was able to take advantage of in-house expertise along with information gathered from law enforcement agencies.

“The ECTCoE deals with the law enforcement community at large so we have contacts throughout the country and some internationally that we can rely on for input,” says ECTCoE Director Robert O’Leary. “We have a well-established network and relied on that network to provide us with examples that agencies were using at the state level, and combined it with the expertise in the ECTCoE. Every CoE staff member has criminal justice experience with digital evidence collection and examination, so we were able to leverage all those resources and put together this set of policies and procedures.”

Some of the agencies that provided assistance include the Southern Oregon High Tech Crimes Task Force, the New York Police Department, Orlando Police Department, Austin Police Department, Dallas Police Department and Charleston Police Department. The ECTCoE also looked at sample policies from the U.S. Department of Defense.

“We were able to get a great deal of information from a number of agencies and contacts, and look at the policies that had been implemented and ensure that we did not overlook any topics or points of interest that other agencies may have found important,” O’Leary says.

The manual should also help agencies performing the Commission on Accreditation for Law Enforcement Agencies (CALEA) accreditation process regarding digital evidence procedures. The purpose of CALEA accreditation programs is to improve the delivery of public safety services, primarily by maintaining a body of standards and establishing and administering an accreditation process.

“Another thing we tried to keep in mind was the CALEA standards,” O’Leary says. “We wanted to ensure that these procedures would lend themselves to compatibility, and we were able to rely on some of our contacts that perform CALEA reviews.”

The manual has sections covering case assignment and prioritization; equipment testing, validation and updates; evidence and property handling; search and seizure; storage of evidence and retention policy; reports; materials and supplies; computer forensic lab access; release of information to the media; quality assurance policy and process; and sample forms (e.g., computer lab request for service, evidence inventory and details, and evidence access and tracking).

“Some forms we developed, others are based on forms received from other agencies. We simply wanted to give agencies a format they could work with as a guide,” O’Leary says.

Manual Outlines Policies and Procedures for Digital Evidence | DFI News.