Month: July 2024

Stay ahead of modern threats with new unified solutions   Cybercriminals have embraced emerging technologies like AI as quickly as the rest of the world. In today’s rapidly evolving threat landscape, your Zero Trust strategy has become more essential than ever. In this blog, you’ll learn how to bolster your Zero Trust strategy with innovative solutions that’ll help you stay ready for changes to the threat landscape—like the tenfold increase in password attacks in 2023.1 Read the blog to learn: New approaches to Zero Trust that protect against emerging threats.How to proactively secure access to any application or resource from any location.How Microsoft helps organizations extend Zero Trust requirements to all endpoints, apps, and data. 1 Microsoft Digital Defense Report 2023, Microsoft Threat Intelligence, October 2023.

Learn more

This post is part of a series on privacy-preserving federated learning. The series is a collaboration between NIST and the UK government’s Responsible Technology Adoption Unit (RTA), previously known as the Centre for Data Ethics and Innovation. 

The last two posts in our series covered techniques for input privacy in privacy-preserving federated learning in the context of horizontally and vertically partitioned data. To build a complete privacy-preserving federated learning system, these techniques must be combined with an approach for output privacy, which limit how much can be learned about individuals in the training data after the model has been trained.

As described in the second part of our post on privacy attacks in federated learning, trained models can leak significant information about their training data—including whole images and text snippets.

Training with Differential Privacy

The strongest known form of output privacy is differential privacy. Differential privacy is…

Read the Blog

In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) credentials, including those on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently been revised to align with FIPS 201.

SP 800-73-5: Parts 1–3
SP 800-73-5: Parts 1–3, Interfaces for Personal Identity Verification, describe the technical specifications for using PIV Cards. The three parts cover the PIV data model (Part 1), the card edge interface (Part 2), and the application programming interface (Part 3). Major changes to the documents include:

• Removal of the previously deprecated CHUID authentication mechanism
• Deprecation of the SYM-CAK and VIS authentication mechanisms
• Addition of an optional 1-factor secure messaging authentication mechanism (SM-Auth) for facility access applications
• Additional use of the facial image biometric for general authentication via BIO and BIO-A authentication mechanisms
• Addition of an optional Cardholder identifier in the PIV Authentication Certificate to identify a PIV credential holder to their PIV credential set issued during PIV eligibility
• Restriction on the number of consecutive activation retries for each of the activation methods (i.e., PIN and OCC attempts) to be 10 or less
• SP 800-73-5: Part 3 on PIV Middleware specification marked as optional to implement

SP 800-78-5
SP 800-78-5, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, defines the requirements for the cryptographic capability of the PIV Card and supporting systems in coordination with FIPS 201-3. It has been modified to add additional algorithm and key size requirements and to update the requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing, including:

• Deprecation of 3TDEA algorithms with identifier ‘00’ and ‘03’
• Removal of the retired RNG from CAVP PIV component testing where applicable
• Removal of retired FIPS 186-2 key generation from CAVP PIV component testing where applicable
• Accommodation of the Secure Messaging Authentication key
• Update to Section 3.1 and Table 1 to reflect additional higher strength keys with at least 128-bit security for use in authentication beginning in 2031

Read More

Dear Colleagues,

ln the last two posts of our Privacy-Preserving Federated Learning (PPFL) blog series, we covered techniques for input privacy in PPFL in the context of horizontally and vertically partitioned data. However, to complete a PPFL system, these techniques must be combined with an approach for output privacy to limit what can be inferred about individuals after model training.  Want to learn more about output privacy and training with differential privacy?  Found out more in this new post, Protecting Trained Models in Privacy-Preserving Federated Learning!

Protecting Trained Models in Privacy-Preserving Federated Learning by Joseph Near and David Darais
Read the post.  

Read blogs #1 – #6 on our PPFL Blog Series page. We encourage readers to ask questions by contacting us at privacyeng@nist.gov.

Meanwhile—stay tuned for the next PPFL blog post! 

All the best,
NIST Privacy Engineering Program

Read More

Event Date: August 15, 2024

Event Time: 2:00PM – 3:00PM EDT

Event Location: Virtual

Description:

Ransomware is a very serious and increasingly common threat to organizations of all sizes, and it is particularly devastating to smaller organizations that have limited resources. A successful ransomware attack can stop your business in its tracks.

During this NIST small business cybersecurity webinar, we will convene a panel to highlight:

• Common ways ransomware is delivered to businesses.
• Challenges small businesses face with ransomware.
• Common signs of a ransomware attack.
• What steps to take if your business falls victim to a ransomware attack.
• What role cyber liability insurance plays in ransomware risk management.
• Steps small businesses can take, and free resources you can use, to reduce your likelihood of falling victim to ransomware.

Panelists:

• Bill Fisher, Security Engineer, NIST
• Nick Lozano, Director of Technology, The Council of Insurance Agents & Brokers
• Stephanie Walker, Assistant Section Chief of the Cyber Engagement and Intelligence Section, Federal Bureau of Investigation (FBI)
• Ann Westerheim, Ph.D. Founder and President, Ekaru

Moderator:

• Daniel Eliot, Lead for Small Business Engagement, NIST

Register Here

• What: NIST Workshop on Privacy-Enhancing Cryptography (WPEC) 2024
• Date & time: September 24–26, 10am–5pm (EDT)
• Featured topics: Private-Set Intersection; other Privacy-Enhancing Cryptography (PEC) tools (MPC, FHE, ZKP, …)
• Free registration: ZoomGov Event
• Talk proposals: Check the Call for Talks and the Submission Form (July 22nd deadline)
• Details and updates: Check the WPEC 2024 webpage
• Tweet: https://twitter.com/NISTcyber/status/1802806825747882138 
• Organizing project: NIST Privacy-Enhancing Cryptography (PEC)
• PEC-Forum: For future related announcements, join the “PEC-forum” mailing list

WPEC 2024, the NIST Workshop on Privacy-Enhancing Cryptography 2024, will bring together multiple perspectives of PEC stakeholders. The three-day virtual workshop is organized for sharing insights about PEC capabilities, use cases, real-world deployment, initiatives, challenges and opportunities, and the related context of privacy and auditability. The program will cover the following two themes:

• Private Set Intersection (PSI): for a deep dive into this specific technique, exploring its technicalities, readiness, feasibility, applicability, variants, and broader context.
• Other PEC techniques: Other PEC techniques: for a broader perspective of PEC (including FHE, MPC, and ZKP, and possible combinations with other privacy-enhancing technologies).

Read More

On July 12, AT&T released a public statement on unauthorized access of customer data from a third-party cloud platform. AT&T also provided recommendations and resources for affected customers.    

CISA encourages customers to review the following AT&T article for additional information and follow necessary guidance to help protect personal information.  

•  AT&T: Unlawful access of customer data

The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification (PIN) to highlight how malicious cyber actors may seek to disrupt power generating operations, steal intellectual property, or ransom information critical for normal functionality to advance geopolitical motives or financial gain within the United States renewable energy industry. With federal and local legislature advocating for renewable energies, the industry will expand to keep pace, providing more opportunities and targets for malicious cyber actors.

Historical Cyber Incident Involving the Renewable Energy Industry’s Operations In 2019, a private company, which operates solar assets in the United States, lost visibility into approximately 500 MW of its wind and photovoltaic sites in California, Utah, and Wyoming as a result of a denial-of-service attack that exploited an unpatched firewall. While it was unclear if this specific incident was a deliberate cyberattack targeting this specific company, the incident highlighted the risks posed by a security posture that relies on outdated software.

Risks Associated with a Cyber Incident Impacting Solar Infrastructure A cyberattack against a solar panel system—residential or commercial—would likely focus on targeting the system’s operational technology (OT) software and hardware; specifically, malicious cyber actors could attempt to gain control over a solar panel system through the inverters. Inverters are responsible for converting the direct current (DC) energy that the solar panels generate into practical alternating current (AC) electricity. Some inverters have built-in monitoring systems that connect to the Internet, which increases their risk profile. If a malicious cyber threat actor took control of a residential inverter, they could attempt to reduce that solar panel system’s power output or target that home’s battery storage inverter (if one is onsite) to overheat it.

While cyberattacks against residential solar infrastructure have been rare historically, malicious cyber threat actors could seek to target microgrids, which local power systems use to operate independently of the larger electrical grid during a power outage. To attain a larger disruption, malicious cyber threat actors could attempt to target inverters at solar farms; however, researchers are working to counter this potential risk through a passive sensor device that can detect unusual activity in the electrical current.

This FBI PIN contains threat information, recommendations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

Researchers have been tracking the activity of a newly discovered threat actor group, Unfurling Hemlock, that may have been active for a while due to finding similar characteristics in older campaigns . These threat actors have distributed over 50,000 malware samples, which infect victims’ systems with up to ten different forms of malware at a time, mainly with information stealers and loaders. Researchers have considered these to be a type of “cluster bomb” attack, where each step of the attack includes an additional form of malware.

Unfurling Hemlock’s attack begins through a phishing email or an external website that initiates contact with the malware loaders to drop the malware.  Upon executing a malicious file named WEXTRACT.EXE, a chain of infections starts, and a series of nested compressed cabinet files begin to unpack malware onto the system. Researchers have found that each cabinet file includes a malware sample and the subsequent compressed file. The final compressed file contains two malware samples.

In the observed sample, Unfurling Hemlock was found to drop Mystic Stealer, Amadey, Redline, SmokeLoader, and finally, a second instance of Mystic Stealer and a utility that turns off system protections. Once the final stage has been extracted, the files execute in reverse order, starting with the utility disabling essential security features, such as Windows Defender, automatic updates, and notifications.

Recommendations

Avoid clicking links and opening attachments in unsolicited emails. Confirm requests from senders via contact information obtained from verified and official sources. Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks. Facilitate user awareness training to include these types of phishing-based techniques. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Phishing and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.