Gov’t standards agency “strongly” discourages use of NSA-influenced algorithm

The NIST building in Boulder, Colorado.
Quinn Norton/Wired

Following revelations about the National Security Agency's (NSA) covert influence on computer security standards, the National Institute of Standards and Technology, or NIST, announced earlier this week that it is revisiting some of its encryption standards. But in a little-noticed footnote, NIST went a step further, saying it is "strongly" recommending against even using one of the standards.

The institute sets standards for everything from the time to weights to computer security that are used by the government and widely adopted by industry.

As ProPublica, The New York Times, and The Guardian reported last week, documents provided by Edward Snowden suggest that the NSA has heavily influenced the standard, which has been used around the world. In its statement Tuesday, the NIST acknowledged that the NSA participates in creating cryptography standards "because of its recognized expertise" and because the NIST is required by law to consult with the spy agency. "We are not deliberately, knowingly, working to undermine or weaken encryption," NIST chief Patrick Gallagher said at a public conference Tuesday.



New features aim to shore up Java’s flagging security

Oracle has added new features to Java designed to make it harder for hacked or malicious websites to carry out drive-by malware attacks that exploit underlying vulnerabilities in the widely used software framework.

As Ars reported Wednesday, some security experts say the growing prevalence of attack code exploiting flaws that will never be fixed in an older, widely used version is one factor causing the security of Java to take a dangerous turn for the worse. That's largely the result of Oracle's move in April to stop issuing security updates for Java version 6. Many large companies still use the older release because their Java apps don't work on the latest one, putting the enterprises in the difficult position of choosing compatibility over the security of their employee desktop computers. Apple, Facebook, and Twitter are just some of the companies that have experienced breaches in the past year that targeted Java running on employee computers.

A new feature in Java 7 Update 40 is aimed at ameliorating this predicament. It's a change to the local security policy that allows large customers to specify a limited number of apps that will run on older versions of Java. Now known as a deployment rule set, the new instructions use a digitally signed certificate to whitelist specific apps, often referred to as JARs or Java archive files. Those not on the list will be dropped, or possibly run on the latest Java version.



Apple Releases OS X Mountain Lion v10.8.5 and Security Update 2013-004

Original release date: September 13, 2013

Apple has released OS X v10.8.5 and Security Update 2013-004 to address multiple vulnerabilities. These vulnerabilities could lead to a denial of service, cross-site scripting, elevation of privilege, or the execution of arbitrary code.

US-CERT encourages users and administrators to review Apple Security Article HT5880 and apply any necessary updates to help mitigate the risks.
