About the Standards Blog
FERC sets rules to protect grid from malware spread through laptops
John Siciliano
Washington Examiner – October 20, 2017 - The Federal Energy Regulatory Commission on Thursday proposed new mandatory cybersecurity controls to protect the utility system from the threat posed by laptops and other mobile devices that could spread malicious software.
The standards are meant to "further enhance the reliability and resilience of the nation's bulk electric system" by preventing malware from infecting utility networks and bringing down the power grid, according to the nation's grid regulator... The proposal includes "mandatory controls to address the risks posed by malware from transient electronic devices like laptop computers, thumb drives and other devices used at low-impact bulk electric system cyber systems," the agency said after announcing the proposed controls at its public meeting... The NERC standards are mandatory for the industry to comply with and enforceable with fines. Violation of some of NERC's reliability standards can incur fines up to $1 million per day, per violation... Full Story
DHS orders federal agencies to bolster cybersecurity with HTTPS, email authentication
Alison DeNisco Rayome
TechRepublic – October 18, 2017 - On Monday, the US Department of Homeland Security announced a new requirement for federal agencies to employ web and email encryption to boost cybersecurity protections... [The] Office of Cybersecurity and Communications at the Department of Homeland Security issued a Binding Operational Directive (BOD) for these federal agencies to implement these cyber policies.
Within 90 days, all federal agencies must deploy the email security protocol DMARC (Domain-based Message Authentication, Reporting & Conformance)... And within 120 days, all federal agencies must employ HTTPS (Hypertext Transfer Protocol Secure) for all websites to ensure safer connections for citizens, and use other encryption protocols such as STARTTLS to help ensure that communications with the federal government are secure... Full Story
Wireless encryption showing signs of KRACKing?
Graeme Park
Computing.co.uk – October 17, 2017 - This Monday, at 8am EST, the cybersecurity industry received its latest shot of adrenaline as researchers revealed high-severity vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol: vulnerabilities so severe that attackers can eavesdrop on Wi-Fi traffic passing between computers and access points. This is not the first time Wi-Fi connections have been found wanting, and it will not be the last... WPA2 has become the de-facto standard for wireless encryption for home and business networks. This protocol has been relatively difficult to decrypt, with attacks requiring a large amount of computing power or prior knowledge of the WPA Pre-Shared Key structure - but attacks have happened... Today, researchers from Belgium released an attack that will change the prevailing dynamic. Rather than using mathematically difficult attacks that rely on guessing passwords, their research explains how to reinstall an already in-use key. The method has been termed Key Reinstallation AttaCK, or KRACK.
The reinstallation works by exploiting vulnerabilities in the design or implementation flaws... Furthermore, attackers can now add additional data, such as a ransomware payload, to HTTP requests... the research has already been proven to affect most clients tested, including iOS, Android and Windows. It also affects other variations of WPA such as GCMP, which is expected to be widely adopted in the coming years... Full Story
IEEE to develop standard for automotive Ethernet of over 1 Gbps
Telecompaper – October 16, 2017 - Industry body IEEE and the IEEE Standards Association (IEEE-SA) announced the formation of a task force to develop IEEE P802.3ch – Standard for Ethernet physical layer specifications and management parameters for greater than 1 Gbps automotive Ethernet. The new standards development project aims to meet the demand for higher speed Ethernet in the automotive environment to support ongoing technological developments, such as connected cars, advanced driver assisted systems and infotainment systems... Full Story
G7 Leaders Recognize International Standards to Drive Innovation, Competitiveness in Information and Communications Technologies
ANSI.org – October 13, 2017 - A newly published G7 Declaration promotes international cooperation on standards as a means to promote economic growth, innovation, productivity and competitiveness, interoperability, trust, and security in the use of information and communications technologies (ICTs)... Entitled "Making the next production revolution inclusive, open and secure," the declaration was drafted during the G7 meeting in Torino, Italy, in September. G7 countries developed the declaration as part of an effort to leverage best practices to respond to the Next Production Revolution, as digital innovation, new technologies, new materials, and new processes change the landscape of 21st century global production... Full Story
NISO Publishes Standards Tag Suite (NISO STS) Standard
Press Release
NISO.org – October 10, 2017 - The National Information Standards Organization (NISO) announces the publication of a new American National Standard, STS: Standards Tag Suite, ANSI/NISO Z39.102-2017. The purpose of this "standard for standards," which will be known as NISO STS, is to define a suite of XML elements and attributes that describes the full-text content and metadata of standards. NISO STS provides a common format that preserves intellectual content of standards independent of the form in which that content was originally delivered.
This standard includes two implementations: the Interchange Tag Set and the Extended Tag Set. These tag sets, built from the elements and attributes defined in the Suite, provide models for standards publishing and interoperability. NISO STS builds upon the existing, widely used standard for journal publishers, ANSI/NISO Z39.96-2015, JATS: Journal Article Tag Suite, and a variant of JATS, ISOSTS, the International Organization for Standardization's (ISO) version of STS created in 2011. NISO STS has benefited from this robust foundation and broad industry expertise... Full Story
Browsers Will Store Credit Card Details Similar to How They Save Passwords
Catalin Cimpanu
Bleeping Computer – October 9, 2017 - A new W3C standard is slowly creeping into current browser implementations, a standard that will simplify the way people make payments online.
Called the Payment Request API, this new standard relies on users entering and storing payment card details inside browsers, just like they currently do with passwords.
Websites will be able to use the standard to create one-click buttons that allow the user to buy a product without entering his payment details on each and every site on the Internet...
Under the hood, the Payment Request API works by providing a vendor-agnostic system for handling financial transactions.
When a user places an order, the website makes an API call to the user's browser, forwarding details about the order. The browser then takes over, prompting the user with a popup, asking for card details (if none exist) and a delivery/shipping address that is also stored in the browser's autofill section.
With these details selected, the browser – and not the website – contacts the user's payment handler, which can be Visa, Mastercard, or any of the other major credit card providers.
Once the payment has gone through, the browser sends back a response to the website, which records the transaction and moves forward with shipping the product, knowing that money is already in its bank account... Full Story
The U.S. Senate just took the next step to creating a national standard for testing and deploying self-driving cars
Johana Bhuiyan
ReCode – October 5, 2017 - The Senate Commerce Committee just took the next step in creating what could be the new national standard for the testing and deployment of self-driving cars... The bipartisan bill would establish nation-wide regulations for how companies like Uber, Tesla, Lyft, GM and others safely and legally test and then roll out their self-driving cars on public roads... Both bills would preclude states from passing any laws that would or would attempt to regulate how self-driving cars perform. State lawmakers would instead continue in their role of licensing drivers, law enforcement, crash investigations and more... Full Story
Senator calls on voting machine makers to detail how they'll prevent hacks
Taylor Hatmaker
Tech Crunch – October 4, 2017 - One of the Senate's main cybersecurity proponents wants assurances that voting systems in the U.S. are ready for their next major threat and he's going straight to the hardware makers to get it. In a letter, Oregon Senator Ron Wyden – an outspoken member of the Senate Intelligence Committee – called on six of the main voting machine manufacturers in the U.S. to provide details about their cybersecurity efforts to date. The request comes on the heels of emerging details around Russia's successful attempts to hack election systems in many states... last month the state of Virginia decertified some of its machines, moving its statewide standard to more secure voting machines that keep a paper tally of votes – a step the state's board of elections undertook on its own. In January, the Department of Homeland Security added "storage facilities, polling places, and centralized vote tabulations locations" in addition to voter databases and voting machines to a national list of critical infrastructure, making it easier for states to expedite requests for federal cybersecurity aid for their election systems... Full Story
IoT Cybersecurity Improvement Act of 2017: The pros and cons from a hacker
IoT Agenda – October 1, 2017 - ...The sponsors of the bill should be applauded for trying to tackle the security problems that the internet faces due to many of our internet-connected devices. They recognize that a problem exists and seek to rectify the problem with laws that address this situation.
There are obvious limitations and exceptions, but no other legislation comes close to trying to increase the security posture of such devices that we are aware of... While there are shortcomings to the bill, we feel that it is a step in the right direction. It is the first bill that we know of to address internet-facing devices specifically. It also addresses some shortcomings of the CFAA and DMCA in terms of bona fide research... Full Story