Friday, October 31, 2008

Blog: HIPAA Security Rule; new implementation guide

SANS NewsBites Vol. 10 Num. 86 (fwd)

Fri, 31 Oct 2008

STANDARDS

--NIST Releases Documents on Key Management, Security in System Development Life Cycle and HIPAA Rule Implementation (October 27, 2008) The National Institute of Standards and Technology (NIST) has released three documents. Special Publication 800-57, "Recommendation for Key Management Part 3: Application Specific Key Management Guidance," is a draft document aimed at helping "system administrators and system installers adequately secure applications based on product availability and organizational needs and to support organizational decisions about future procurements." Comments on the draft document will be accepted through January 16, 2009. Special Publication 800-64, "Security Considerations in the System Development Life Cycle," is a document in its final form that "has been developed to assist federal government agencies in integrating essential IT security steps into their established IT system development life cycle." Special Publication 800-66, "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule," is also in its final form.

http://www.gcn.com/online/vol1_no1/47450-1.html?topic=security

http://csrc.nist.gov/publications/drafts/800-57-part3/Draft_SP800-57-Part3_Recommendationforkeymanagement.pdf

http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

Wednesday, October 29, 2008

Blog: European Computer Scientists Seek New Framework for Computation

European Computer Scientists Seek New Framework for Computation
European Science Foundation (10/29/08)

One of the challenges still remaining for electronic computation is the ability to break down large complex processes into small, more manageable components that can be reused in different applications. This goal can be accomplished in a variety of ways, but none of them can manage all the processes very well. The major problem is that the dependent links, or correlations, that interconnect computer processes or programs cannot be broken down. These dependent links are common to all processes in which computation is involved, including biological systems, quantum computing, and conventional programming. European computer scientists believe that now is the time to create a coordinated effort to solve the correlation problem, and the European Science Foundation recently held a workshop to establish a framework for additional research. The workshop identified that correlations in computer science represent an important problem common to the entire field of programming and concluded that the evolution of general purpose computing has reached a point where the correlation problem will hinder additional progress. The workshop discussed progress in the relatively new field of aspect-oriented software development (AOSD), which is creating new techniques for isolating the correlations bridging software components. AOSD techniques make it possible to modularize those aspects of a system or process that cut across different components, enabling them to be broken down into reusable components or objects.

View Full Article
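The following Python is an added illustration of the aspect-oriented idea in the summary above; it is not code from the ESF workshop or from any AOSD toolkit. Authorization and audit logging are the textbook cross-cutting concerns: without an aspect the same check is pasted into every state-changing method and silently missed in the next one added. Here a pointcut selects the join points (public methods of a service class whose names mark them as mutating) and two before-advices are woven in once. The service class, role names and the thread-local caller context are assumptions made for the example.

```python
"""A cross-cutting concern written once and woven into many components.

Added example, not code from the ESF workshop. The pointcut picks the join
points; the advices run before each of them. All class and role names are
illustrative, and the caller context is assumed to be set by a request layer.
"""
import functools
import threading
from typing import Callable, Iterable

_ctx = threading.local()   # caller identity; set by the application's request layer (assumed)
AUDIT: list[str] = []      # stand-in for an audit log sink


class PermissionDenied(Exception):
    pass


def set_caller(name: str, roles: Iterable[str]) -> None:
    _ctx.name, _ctx.roles = name, frozenset(roles)


def require_role(role: str):
    """Before-advice: refuse the join point unless the caller holds `role`."""
    def advice(target, args, kwargs):
        if role not in getattr(_ctx, "roles", frozenset()):
            who = getattr(_ctx, "name", "?")
            raise PermissionDenied(f"{who} lacks {role} for {target.__name__}")
    return advice


def audit(target, args, kwargs):
    """Before-advice: record who invoked which join point with what arguments (args[0] is self)."""
    AUDIT.append(f"{getattr(_ctx, 'name', '?')} -> {target.__name__}{args[1:]}")


def weave(cls, pointcut: Callable[[str], bool], *advices):
    """Replace every method of cls selected by the pointcut with a wrapper that runs the advices first."""
    def wrap(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            for adv in advices:
                adv(fn, args, kwargs)
            return fn(*args, **kwargs)
        return wrapper

    for name, attr in list(vars(cls).items()):
        if callable(attr) and not name.startswith("_") and pointcut(name):
            setattr(cls, name, wrap(attr))
    return cls


class AccountService:
    """Illustrative component; note that none of its methods mention authorization."""
    def __init__(self):
        self.balances = {"alice": 100}

    def get_balance(self, who):
        return self.balances[who]

    def set_balance(self, who, amount):
        self.balances[who] = amount

    def delete_account(self, who):
        del self.balances[who]


# Pointcut: state-changing methods, identified by naming convention.
MUTATING = ("set_", "delete_", "update_", "create_")
weave(AccountService, lambda name: name.startswith(MUTATING), audit, require_role("admin"))


def is_denied(call, *args) -> bool:
    """True if the call is refused by the authorization advice."""
    try:
        call(*args)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    svc = AccountService()
    set_caller("bob", ["user"])
    print("bob read:", svc.get_balance("alice"), "bob write denied:", is_denied(svc.set_balance, "alice", 0))
    set_caller("root", ["admin"])
    print("root write denied:", is_denied(svc.set_balance, "alice", 5), "audit:", AUDIT)
```

Because the audit advice runs before the authorization advice, refused attempts are logged as well as successful ones; the order of the advices passed to `weave` is the only place that policy is expressed.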

Blog: Ozzie responds: Is Microsoft Azure just 'Hailstorm' revisited?

Ozzie responds: Is Microsoft Azure just ‘Hailstorm’ revisited?

Posted by Mary Jo Foley

At the Professional Developer Conference (PDC) in Los Angeles, I’ve heard a few long-time Microsoft watchers wondering aloud whether Microsoft’s newly unveiled “Azure” isn’t simply Microsoft taking another run at “Hailstorm.”

I had a chance to ask Ray Ozzie, Microsoft’s Chief Software Architect, that very question this week.

First, a quick refresher: For those who weren’t following the Microsoft juggernaut back in the late 1990s, Hailstorm was Microsoft’s first pass at a .Net services platform. “‘HailStorm’ technologies will enable a new world of computing where all the applications, devices and services in an individual’s life can work together, on their behalf and under their control,” explained Microsoft in a 2001 press release. (Sounds eerily like Live Mesh/Live Services, doesn’t it?)

Microsoft ended up killing off Hailstorm before it ever really launched. One of the main reasons was privacy: Microsoft customers were nervous about trusting Microsoft with hosting their data. And the idea of an on-premise, customer-managed Hailstorm cloud was not fleshed out.

Isn’t Azure — Microsoft’s new cloud platform, of which Live Services are one key component — just Hailstorm Take 2? And if it’s not, how is it really different, I asked Ozzie.

“It’s amazing that at this point in time, as compared to that long ago, (that) we still don’t have that one nailed from a privacy and ownership perspective. That was what so many people complained about. But right now you’ve got Open Social and Facebook Connect, and both of them want to still create walled gardens, open walled gardens, whatever that is, but that they are lending you your information back and withdrawing it within 24 hours or whatever.”

“I think we need to get past that, and what we’re trying to do with Mesh and the terms of use. We’re trying to get to a point where you literally do own your data, we bring the personal of the personal computer to the cloud where it’s your stuff, and if you do something with someone, it better be a symmetrical synch relationship where you’re giving them rights, they’re giving you rights, because I just don’t see how it works. We can’t create a walled garden; it’s just not going to work.”

Blog: In Chaotic Computing, Anarchy Rules OK

In Chaotic Computing, Anarchy Rules OK
New Scientist (10/29/08) No. 2860, P. 40; Graham-Rowe, Duncan

Building next-generation computer processors by tapping the electronic parallel of chaotic weather systems is the goal of a team of physicists in the United States and India led by William Ditto of the University of Florida in Gainesville. Such processors would be vastly more powerful than their conventional chip equivalents, as well as self-reparable, through their ability to channel all their computational muscle into the task at hand and then reassign it as soon as a different chore comes up. The unpredictability of chaotic systems is the result of their sensitivity to the most infinitesimal influences, which inspired Ditto and Sudeshna Sinha of the Institute of Mathematical Sciences in Chennai to consider the construction of a circuit that exhibited chaotic behavior that could be harnessed for practical applications. Ditto and Sinha conceived of a chaotic logic gate with two inputs and one output like a conventional gate, but composed of a chaotic element or chaogate. When the chaogate receives its input signals, the internal chaotic circuit starts oscillating and quickly stabilizes at a value that relies on the inputs and a control signal. The research team calculated that changing the control signal's setting would enable the chaogate to be transformed into any desirable logic gate, and a prototype chaogate proved the concept's feasibility. Ditto is currently engaged in the commercialization of the technology and the fabrication of prototype circuits, and one of the promised advantages of chaotic logic is the dramatically reduced cost of producing custom chips. If a chip containing chaotic logic gates suffers damage, performance need not be affected as the circuits can be reconfigured to bypass the damaged area. Ditto's team has developed a method to use "chameleon" logic circuits to store data, producing digital memory that offers greater compactness than conventional memory and that also can retrieve data faster.

View Full Article

Tuesday, October 28, 2008

Blog: Enterprise readiness of Cloud ratcheting up

Enterprise readiness of Cloud ratcheting up

Posted by James Staten

It may just be time for enterprise customers to take a serious look at cloud computing. Major announcements in the past few days from Microsoft and Amazon have certainly signaled that the on-demand Internet computing model has staying power. And with a long recession looming there may be no better time to start getting familiar with something that could dramatically lower infrastructure costs. Amazon, which has been the dominant market leader and pioneer of cloud computing, finally lifted the “beta” tag from the Elastic Compute Cloud (EC2) and delivered an SLA for the service and support for Windows applications. It also announced plans to provide service monitoring, load balancing and automatic scaling services in the future. And Amazon has even started taking phone calls and providing premium support for enterprise customers. Nearly all of these capabilities have been available for months from smaller cloud players (especially those coming from an ISP background where such capabilities are commonplace).

Microsoft countered by signalling that cloud computing has such significant staying power that they are willing to bet the “Windows” brand on it. Ray Ozzie’s Windows Azure goes beyond the basic infrastructure and services of EC2 providing Visual Studio.Net developers with the promise of a complete platform for their works. This will put Microsoft in competition with EC2 as well as Salesforce.com’s Force.com platform. But Azure is just a technical preview today (aka “beta”).

Monday, October 27, 2008

Blog: Good Code, Bad Computations: A Computer Security Gray Area

Good Code, Bad Computations: A Computer Security Gray Area
UCSD News (10/27/08) Kane, Daniel

University of California, San Diego (UCSD) graduate students Erik Buchanan and Ryan Roemer, building on previous research by UCSD professor Hovav Shacham, have demonstrated that the technique of building malicious programs from good code using return-oriented programming can be automated. They also demonstrated that the technique applies to RISC computer architectures as well as the x86 architecture. Shacham had already described how return-oriented programming could be used to force computers with the x86 architecture to act maliciously without infecting the machines with new code. However, that attack required extensive manual construction and appeared to rely on a unique quirk of the x86 design: its variable-length instructions can be decoded from any byte offset, so existing code contains unintended instruction sequences ending in a return. Buchanan and Roemer will present their work at ACM's Conference on Computer and Communications Security (CCS), which takes place Oct. 27-31 in Alexandria, Virginia. "Most computer security defenses are based on the notion that preventing the introduction of malicious code is sufficient to protect a computer," says UCSD professor Stefan Savage. "There is a subtle fallacy in the logic, however: simply keeping out bad code is not sufficient to keep out bad computation." Return-oriented programming starts with the attacker taking advantage of a programming error in the target system to overwrite the runtime stack and divert program execution away from the path intended by the system's designers. However, instead of injecting malicious code, this technique lets attackers create any kind of malicious computation or program by chaining short existing code sequences ("gadgets") that each end in a return instruction.

View Full Article
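As an added example, not the UCSD authors' tool and not code from the article, the Python below does the first thing an automated gadget finder does: it scans a code buffer for `ret` opcodes and walks backwards from each one to enumerate candidate gadget starts. The sample bytes are constructed; their two decodings (from offset 0 and from offset 1) are my reading of the x86 encoding and are stated in the comments. The `align` parameter models an aligned, fixed-width instruction set (the RISC case in the paper, which targeted SPARC), where both the gadget start and the `ret` must fall on instruction boundaries and unintended sequences do not exist.

```python
"""Gadget-candidate enumeration, the first step of automating
return-oriented programming (added example, not the UCSD authors' tool).

On x86, execution may begin at any byte, so the bytes of an intended
instruction can be re-read from another offset as an unintended sequence
ending in `ret`. On an aligned fixed-width ISA a gadget must start on an
instruction boundary and the `ret` must be a real instruction.
"""
from dataclasses import dataclass

RET_OPCODES = {0xC3: 1, 0xC2: 3}   # ret ; ret imm16 (opcode plus 2 immediate bytes)


@dataclass(frozen=True)
class Gadget:
    start: int      # offset of the gadget's first byte
    ret: int        # offset of the ret opcode it ends with
    code: bytes     # the gadget bytes, including the ret


def find_rets(code: bytes, align: int = 1) -> list[int]:
    """Offsets of every ret opcode, keeping only aligned offsets if align > 1."""
    return [i for i, b in enumerate(code) if b in RET_OPCODES and i % align == 0]


def gadget_candidates(code: bytes, max_len: int = 10, align: int = 1) -> list[Gadget]:
    """Every start offset within max_len bytes before each ret (a real finder
    would then disassemble each candidate and keep the useful ones)."""
    out = []
    for r in find_rets(code, align):
        end = r + RET_OPCODES[code[r]]
        for start in range(max(0, r - max_len + 1), r + 1):
            if start % align == 0:
                out.append(Gadget(start, r, code[start:end]))
    return out


def is_unintended(offset: int, intended_lengths: list[int]) -> bool:
    """True if `offset` is not the start of any instruction the compiler emitted."""
    boundaries, pos = set(), 0
    for n in intended_lengths:
        boundaries.add(pos)
        pos += n
    return offset not in boundaries


# Constructed sample. x86 decodes the first ten bytes from offset 0 as
#   test edi, 7 ; setne byte [ebp-0x3d]          (6 + 4 bytes, no ret)
# but from offset 1 as
#   mov dword [edi], 0x0f000000 ; xchg ebp, eax ; inc ebp ; ret
# so the 0xC3 at offset 9 is an unintended ret inside the setne's displacement.
# Two nops and a genuine, 4-byte-aligned ret at offset 12 follow.
SAMPLE = bytes.fromhex("f7c7070000000f9545c3") + b"\x90\x90\xc3"
INTENDED_LENGTHS = [6, 4, 1, 1, 1]


def summarize(code: bytes = SAMPLE, intended: list[int] = INTENDED_LENGTHS) -> dict:
    rets = find_rets(code)
    return {
        "rets": rets,
        "unintended_rets": [r for r in rets if is_unintended(r, intended)],
        "x86_candidates": len(gadget_candidates(code, align=1)),
        "aligned_candidates": len(gadget_candidates(code, align=4)),
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

With byte-granular decoding every ret, intended or not, yields ten candidate starts; with 4-byte alignment the unintended ret at offset 9 is not an instruction at all and only three starts survive, which is why the RISC result had to work from returns the compiler actually emitted.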

Blog: Microsoft's Azure cloud platform: A guide for the perplexed

Microsoft’s Azure cloud platform: A guide for the perplexed

Posted by Mary Jo Foley

Now that the initial Microsoft PDC pixie dust has settled, developers are trying to digest exactly what Microsoft’s cloud platform is. Here’s my attempt to explain it.

Microsoft laid out its “Azure” foundational infrastructure for the cloud during the keynote kick-off on day one of the Professional Developers Conference (PDC) here in Los Angeles. The goal of Azure is to provide developers who want to write applications that run partially and/or entirely in a remote datacenter with a platform and set of tools.

Thursday, October 23, 2008

Blog: Computer Circuit Built From Brain Cells

Computer Circuit Built From Brain Cells
New Scientist (10/23/08) Barras, Colin

Researchers at Israel's Weizmann Institute of Science have developed a way to control the growth pattern of human neurons to build reliable computer circuits that use neurons instead of wires. The researchers start with a glass plate coated with cell-repellent material. The desired circuit pattern is scratched into this coating and then coated with a cell-friendly adhesive. The cell repellent forces the cells to grow in the scratched areas, which are thin enough to force the neurons to grow in a single direction, forming straight, wire-like connections around the circuit. Using this method, the researchers built a device that acts like an AND logic gate, which produces an output only when it receives two inputs. Weizmann researcher Assaf Rotem believes that this research provides a useful model for real brain function, and says that brain-cell logic circuits could serve as intermediaries between computers and the nervous system. Brain implants already give paralyzed people the ability to control robotic arms or the ability to talk, but these implants suffer a drop-off in performance when scar tissue covers the electrodes. "An intermediate layer of in vitro neurons interfacing between man and machine could be advantageous," Rotem says.

View Full Article

Friday, October 17, 2008

Blog: Computing With RNA

Computing With RNA
Technology Review (10/17/08) Graham-Rowe
California Institute of Technology (Caltech) researchers Christina Smolke and Maung Nyan Win have created molecular computers that can self-assemble from strips of RNA within living cells. The Weizmann Institute of Science's Ehud Shapiro says the research creates the possibility of computing devices capable of responding to specific conditions within a cell, and could lead to drug delivery systems that target cancer cells by sensing genes used to regulate cell growth and death. Smolke and Win's biocomputers are built using three main components--sensors, actuators, and transmitters--all made from RNA. The input sensors are made from RNA molecules that act like antibodies, binding tightly to specific targets. The actuators are made of ribozymes, complex RNA molecules that have catalytic properties similar to enzymes. These two components are combined with another RNA molecule that serves as a transmitter. It is activated when a sensor molecule recognizes an input chemical and triggers an actuator molecule. By combining RNA molecules in certain ways, the researchers demonstrated that they can get them to behave like different types of logic gates. Smolke says the modular molecules have a plug-and-play like capability, which allows them to be combined in different ways and could potentially be used to detect thousands of different metabolic or protein inputs.

View Full Article

Wednesday, October 15, 2008

Blog: Probe Sees Unused Internet

Probe Sees Unused Internet
Technology Review (10/15/08) Lemos, Robert
Internet addresses may not be running out as quickly as many feared, concludes a new research study. The study found that millions of Internet addresses have been assigned but remain unused. In a paper to be presented at the ACM Internet Measurement Conference, which takes place October 20-22, in Vouliagmeni, Greece, six researchers have documented what they say is the first complete census of the Internet in more than two decades. The researchers discovered a surprising number of unused addresses and predict that plenty of addresses will still be unused when the last numbers are assigned in a few years. The researchers say the main problem is that some companies and institutions are using only a small portion of the millions of addresses they have been allocated. The paper's lead author, University of Southern California professor John Heidemann, says the study indicates that there might be better ways of managing the IPv4 address space. A new map of the Internet created by the study suggests that there is room for more hosts even if addresses are running out. The map found that roughly a quarter of all blocks of network addresses are still unused. IPv4 offers about 4.3 billion (2^32) addresses, while IPv6, the next-generation Internet address scheme, will offer 2^128, roughly 340 trillion trillion trillion (3.4 × 10^38) addresses.

View Full Article
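The Python below is an added example of the census arithmetic, not the USC/ISI researchers' code. Given an allocation table and a list of hosts that answered a probe (both constructed here), it counts, per allocation, how many /24 blocks contained at least one responding host and how many saw none, which is the block-level notion of "unused" in the summary above. One caveat a practitioner should keep in mind: non-response is evidence of an idle address, not proof of one, since firewalls and rate limiting hide live hosts, so these figures are a lower bound on actual use.

```python
"""Allocated-but-unused address space from a probe census.

Added example; not the USC/ISI census tooling. ALLOCATIONS and RESPONSIVE
are constructed inputs: an allocation table (org -> CIDR) and the hosts
that replied to a probe. Blocks are counted at /24 granularity.
"""
import ipaddress
from typing import Dict, Iterable


def utilization(allocations: Dict[str, str], responsive: Iterable[str]) -> Dict[str, dict]:
    """Per allocation: responding hosts, /24 blocks with and without any responder."""
    hosts = [ipaddress.ip_address(h) for h in responsive]
    report = {}
    for org, cidr in allocations.items():
        net = ipaddress.ip_network(cidr)
        inside = [h for h in hosts if h in net]                       # responders outside any allocation are ignored
        live = {ipaddress.ip_network(f"{h}/24", strict=False) for h in inside}
        total24 = max(1, net.num_addresses // 256)                   # allocations smaller than /24 count as one block
        report[org] = {
            "responsive_hosts": len(inside),
            "total_24s": total24,
            "live_24s": len(live),
            "unused_24s": total24 - len(live),
            "host_fraction": len(inside) / net.num_addresses,        # fraction of the allocation's addresses that answered
        }
    return report


def unused_block_fraction(report: Dict[str, dict]) -> float:
    """Share of all allocated /24 blocks in which no host answered."""
    total = sum(r["total_24s"] for r in report.values())
    unused = sum(r["unused_24s"] for r in report.values())
    return unused / total if total else 0.0


# Constructed sample data (private ranges used purely for illustration).
ALLOCATIONS = {"ExampleCorp": "10.1.0.0/16", "ExampleUniv": "10.2.0.0/22"}
RESPONSIVE = [
    "10.1.0.1", "10.1.0.2", "10.1.5.9",                   # a large allocation, two /24s in use
    "10.2.0.10", "10.2.1.10", "10.2.2.10", "10.2.3.10",   # a small allocation, every /24 in use
    "192.0.2.7",                                          # responder outside the table; ignored
]


if __name__ == "__main__":
    rep = utilization(ALLOCATIONS, RESPONSIVE)
    for org, r in rep.items():
        print(org, r)
    print(f"unused /24 fraction: {unused_block_fraction(rep):.3f}")
```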

Tuesday, October 14, 2008

Blog: Study: Use of Ruby Language on the Rise

Study: Use of Ruby Language on the Rise
eWeek (10/14/08) Taft, Darryl K.

The use of the Ruby programming language has grown significantly over the past four years, according to a study based on Black Duck Software's Koders.com search engine data. Ruby is now used more widely than PHP, Python, and Perl, and nearly as much as Visual Basic, C/C++, and C#. Black Duck says Ruby is now the fourth most requested language on Koders.com, behind Java, C/C++, and C#, and the number of Ruby searches has increased more than 20 fold since 2004. "Black Duck's search data confirms the tremendous growth that we are seeing within the community of Ruby developers," says RubyForge.org system administrator Tom Copeland. "It's great to see a leading code search site like Koders.com index RubyForge because it represents another way to make the projects in our community available to tens of thousands of developers worldwide." Ruby, used along with the Ruby on Rails framework, will reach 4 million developers worldwide by 2013, says Gartner's Mark Driver. "Ruby will enjoy a higher concentration among corporate IT developers than typical, dynamic 'scripting' languages, such as PHP," Driver says. Black Duck acquired Koders.com in April and has since enhanced the code search service by adding more than 200 million lines of code to the search engine's repository, increasing its size by 33 percent.

View Full Article

Monday, October 13, 2008

Blog: Dynamic Programming Futures

Dynamic Programming Futures
IDG News Service (10/13/08) Wayner, Peter

Dynamic programming languages such as Ruby (with its Rails framework), JavaScript, Perl, and Python have achieved sufficient critical mass to succeed and thrive in the future, but experts say the nature of one's business and the structure of one's data are more important considerations than coolness when it comes to choosing a language platform. The future evolution of scripting languages will be guided by 10 principles, including the reduced importance of semantic barriers as the languages scramble to pinch good concepts off each other, the growing dominance of frameworks, and the rising value of communities. Another factor shaping scripting languages is the evolution of applications into their own worlds, while the Web and the cloud are emerging as the conclusive platform. Improved language technology will lead to significant performance gains, and the life of dynamic code will be extended by emulation and cross-compilation. Another key principle is the penetration of programming into Web applications through embedding, while the relevance of dynamic programming could be greatly reduced by the advent of amateur programmers. Finally, a critical factor is adaptability for modern architectures. Any one of the emerging scripting languages may be appropriate as long as it tracks and navigates these 10 principles.

View Full Article

Blog: UK University Holds Artificial Intelligence Test

UK University Holds Artificial Intelligence Test
Associated Press (10/13/08) Satter, Raphael G.

The University of Reading recently conducted its annual Turing Test of artificial intelligence. Dozens of volunteers at split-screen terminals carried out two conversations simultaneously, one with a chat program and one with a human. After five minutes, the volunteers were asked to identify the human and the machine. The chatbot Elbot was declared the winner for fooling three out of the 12 judges assigned to evaluate the program's conversational skills, earning the Loebner Artificial Intelligence Prize's bronze medal. The contest is based on the ideas of British mathematician Alan Turing, who in 1950 argued that conversation was proof of intelligence, and if a computer talked like a human, then for all practical purposes it thought like a human. Each of the programs approached the Turing Test in slightly different ways. One program often referenced its native Odessa and "Aunt Sonya in America." Another used humor to try to fool the judges. Elbot tried to throw the judges off by humorously admitting it was a machine, saying it accidentally poured milk on its cereal instead of oil, and by trying to dominate the conversation to keep it from wandering into areas it was not properly programmed to handle. Elbot's bronze medal is awarded to the software that best mimics human conversation in text form. So far, no silver or gold medals have been awarded. A silver medal would go to a machine that could pass a longer version of the Turing Test and fool at least half the judges, and a gold medal would be awarded to a machine that could process audio and visual information in addition to text.

View Full Article

Friday, October 10, 2008

Blog: Academics Sink Teeth Into Yahoo Search Service

Academics Sink Teeth Into Yahoo Search Service
CNet (10/10/08) Shankland, Stephen
Academics and startups can construct their own search sites around Yahoo's search engine at no charge and manipulate results as they see fit through Yahoo's Build Your Own Search Service (BOSS), and the venture could give Yahoo potentially higher standing in a market where Google reigns supreme. BOSS can be used to modify search results, as illustrated by an application used by Chengxiang Zhai and Bin Tan of the University of Illinois at Urbana-Champaign. Their application directed Yahoo's search engine along specific paths based on the data stored on the user's own computer to deduce which of several items that shared the same name a user was more likely to be searching for. "We believe the client side of personalization ... can alleviate concern over privacy and it can provide more information about user activity," Zhai says. "And it can naturally distribute computation" so a search company's machines share work with the user's own system. Another service of potentially substantial value to academics is Yahoo's search assist feature, which suggests searches based on what people have started to type into the search box. For instance, it can display the variations of a search term, its membership in diverse categories, and the probability that people are searching for the term by itself or as part of a bigger query. "That's got a lot of potential," says Stanford University natural-language processing Ph.D. candidate Dan Ramage.

View Full Article

Tuesday, October 7, 2008

Blog: Researchers Show How to Crack Popular Smart Cards

Researchers Show How to Crack Popular Smart Cards
InfoWorld (10/07/08) de Winter, Brenno
Researchers at the Dutch Radboud University Nijmegen have published a cryptographic algorithm and source code that could be used to duplicate smart cards used by several major transit systems. The scientists presented their findings at the ESORICS security conference in Malaga, Spain, and also published an article with cryptographic details. The research demonstrated how to circumvent the security mechanism of NXP Semiconductors' Mifare Classic RFID cards, which are widely used to provide access control to buildings and public transportation. The researchers exposed the workings of the chip by analyzing communication between the chip and the reader. An RFID-compatible device, the Ghost, was designed to work independently from a computer, which allowed the researchers to recover the cryptographic protocol. Part of the vulnerability comes from the fact that the card and reader have to communicate in a predictable way, so an eavesdropper can anticipate the challenges exchanged. Once the mechanism was exposed, the scientists were able to crack keys in less than a second using an industry-standard computer with only 8MB of memory. The researchers also drew on another chip, the Hitag2, for which a hack is freely documented online; that information helped them crack Mifare. A separate effort by German researcher Henryk Plötz cracked the Mifare Classic by removing the chip from a card and stripping it layer by layer, photographing each layer under a microscope and analyzing all the connections.

View Full Article
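The Python below is an added illustration of why predictable challenges undermine a card's authentication; it is not the Radboud group's code and it is not the MIFARE Classic nonce generator or Crypto-1. It uses a generic 16-bit Fibonacci LFSR with textbook taps (assumed for illustration, not claimed to be the tag's polynomial) as a stand-in for a short, linear nonce source. Any 16 consecutive output bits are the register itself, so an eavesdropper who captures one nonce can clock the generator forward and produce every later nonce, and there are only 65535 states to precompute against in any case.

```python
"""Predictable nonces from a short linear generator.

Added example; a generic 16-bit Fibonacci LFSR with textbook taps, NOT the
MIFARE Classic PRNG or Crypto-1. The output bit is register bit 0; the new
bit enters at bit 15 as the XOR of the tap positions.
"""

TAPS = (0, 2, 3, 5)   # assumed for illustration: x^16 + x^14 + x^13 + x^11 + 1 in shift-right form
WIDTH = 16
NONCE_BITS = 32


def step(state: int) -> tuple[int, int]:
    """Advance one clock; return (output_bit, new_state)."""
    fb = 0
    for t in TAPS:
        fb ^= (state >> t) & 1
    return state & 1, (state >> 1) | (fb << (WIDTH - 1))


def lfsr_bits(state: int, n: int) -> list[int]:
    """The next n output bits from `state`."""
    bits = []
    for _ in range(n):
        bit, state = step(state)
        bits.append(bit)
    return bits


def recover_state(observed: list[int]) -> int:
    """The first WIDTH output bits are the register contents, bit 0 first: no search needed."""
    return sum(b << i for i, b in enumerate(observed[:WIDTH]))


def predict(first16: list[int], n: int) -> list[int]:
    """Given the first 16 output bits, return the n bits that follow them."""
    return lfsr_bits(recover_state(first16), WIDTH + n)[WIDTH:]


def nonce_stream(state: int, count: int) -> list[int]:
    """Successive 32-bit nonces as the generator keeps running (bit i of a nonce = i-th output bit)."""
    nonces = []
    for _ in range(count):
        n = 0
        for i in range(NONCE_BITS):
            bit, state = step(state)
            n |= bit << i
        nonces.append(n)
    return nonces


def predict_next_nonce(observed_nonce: int) -> int:
    """Eavesdropper's view: the low 16 bits of a nonce are the state; clock forward to the next one."""
    state = observed_nonce & ((1 << WIDTH) - 1)
    return nonce_stream(state, 2)[1]


def period(state: int) -> int:
    """Clocks until the state repeats; at most 2**16 - 1 for any 16-bit LFSR."""
    s, n = state, 0
    while True:
        _, s = step(s)
        n += 1
        if s == state:
            return n


if __name__ == "__main__":
    seen, nxt = nonce_stream(0x1234, 2)
    print(f"observed nonce {seen:08x}; predicted next {predict_next_nonce(seen):08x}; actual {nxt:08x}")
    print("state space:", period(0x1234), "of", (1 << WIDTH) - 1)
```

A challenge-response protocol is only as strong as the unpredictability of the challenge: once the card's nonce can be foreseen, the attacker can precompute responses or replay captured exchanges, and the keyspace of the cipher no longer matters for that part of the attack.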

Sunday, October 5, 2008

Blog: 'Intelligent' Computers Put to the Test

'Intelligent' Computers Put to the Test
Guardian Unlimited (UK) (10/05/08) Smith, David

Nearly six decades after mathematician Alan Turing questioned whether machines are capable of thinking, six programs will carry on a conversation with human interrogators in an experiment that will attempt to prove the answer is yes. To pass the Turing test, the software must trick the judges into believing they are talking to a human. So far, no program has passed the test, but six programs will soon answer questions posed by human volunteers at the University of Reading in an effort to do so. If any of the programs succeed, it will likely be considered the most significant advancement in artificial intelligence since the IBM supercomputer Deep Blue defeated world chess champion Garry Kasparov in 1997. The achievement could also raise profound questions surrounding whether a computer has the potential to be conscious and if humans have the right to turn such a computer off. University of Reading cyberneticist Kevin Warwick believes that machines are conscious, but in a different way, much like how a bat or a rat is conscious, but different from humans. "I think the reason Alan Turing set this game up was that maybe to him consciousness was not that important; it's more the appearance of it, and this test is an important aspect of appearance," Warwick says.
View Full Article

Thursday, October 2, 2008

Blog: NIST Issues Three IT Security Documents; SP 800-115, Technical Guide to Information Security Testing and Assessment

SANS NewsBites Vol. 10 Num. 78; 10/03/2008

--NIST Issues Three IT Security Documents (October 2, 2008) The US National Institute of Standards and Technology (NIST) has released three documents that offer guidance on issues of information security. SP 800-121, Guide to Bluetooth Security, provides recommendations for securing implementations of Bluetooth technology. SP 800-115, Technical Guide to Information Security Testing and Assessment, offers guidance for designing and conducting security tests, analyzing the data generated by those tests, and implementing solutions to detected problems. Both documents are in final form.

SP 800-82, Guide to Industrial Control Systems (ICS) Security, is a draft document providing recommendations for securing Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other system configurations. Public comment on this document will be accepted through November 30, 2008.

http://www.gcn.com/online/vol1_no1/47273-1.html?topic=security

http://csrc.nist.gov/publications/nistpubs/800-121/SP800-121.pdf

http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
