Virtual machine used to steal crypto keys from other VM on same server

By Dan Goodin, Ars Technica, Nov 6, 2012
Piercing a key defense found in cloud environments such as Amazon’s EC2
service, scientists have devised a virtual machine that can extract
private cryptographic keys stored on a separate virtual machine when it
resides on the same piece of hardware.
The technique, unveiled in a research paper published by computer
scientists from the University of North Carolina, the University of
Wisconsin, and RSA Laboratories, took several hours to recover the
private key for a 4096-bit ElGamal-generated public key using the
libgcrypt v.1.5.0 cryptographic library. The attack relied on
“side-channel analysis,” in which attackers crack a private key by
studying the electromagnetic emanations, data caches, or other
manifestations of the targeted cryptographic system.
One of the chief selling points of virtual machines is their ability to
run a variety of tasks on a single computer rather than relying on a
separate machine to run each one. Adding to the allure, engineers have
long praised the ability of virtual machines to isolate separate tasks,
so one can’t eavesdrop or tamper with the other. Relying on fine-grained
access control mechanisms that allow each task to run in its own secure
environment, virtual machines have long been considered a safer
alternative for cloud services that cater to the rigorous security
requirements of multiple customers.
“In this paper, we present the development and application of a cross-VM
side-channel attack in exactly such an environment,” the scientists
wrote. “Like many attacks before, ours is an access-driven attack in
which the attacker VM alternates execution with the victim VM and
leverages processor caches to observe behavior of the victim.”
[…]
http://arstechnica.com/security/2012/11/crypto-keys-stolen-from-virtual-machine/

BITAG Announces Next Technical Topic on Port Blocking

Denver, CO (November 7, 2012):  The Broadband Internet Technical Advisory Group (BITAG) is pleased to announce the launch of a new technical review on the topic of Port Blocking best practices. BITAG’s Technical Working Group elected to take up this topic through a self-initiated vote, as Port Blocking is of interest to many stakeholders in the Internet ecosystem.

Special Needs and 508 compliance Guidelines for Web Sites

Links as Language

Accessibility really affects everyone.
“Click here is postmodern. It’s like a stop sign that says ‘This is a Stop Sign.’” People already know how to use a hyperlink. A hyperlink has words underlined in blue.

Dept. of Ed Privacy Technical Assistance Center Data Disclosure Guidance

Data Disclosure Guidance

The Privacy Technical Assistance Center invites you to attend a webinar focused on the latest guidance provided by the U.S. Department of Education in the area of Data Disclosure. The webinar is scheduled for Wednesday, November 7th at 1:30 PM ET. The Department and PTAC will provide an overview of the guidance documents on Data Disclosure avoidance and best-practice strategies for protecting personally identifiable information from education records (PII) in aggregate reports. The webinar will provide suggestions on how to ensure that necessary confidentiality requirements are met, including compliance with the Family Educational Rights and Privacy Act (FERPA). Michael Hawes, Statistical Privacy Advisor for the U.S. Department of Education, and Baron Rodriguez from the Privacy Technical Assistance Center will present.
For your reference, the three guidance documents released are available on the PTAC website:
Frequently Asked Questions – Disclosure Avoidance
Case Study #5 – Minimizing Access to PII: Best Practices for Access Controls and Disclosure Avoidance Techniques
Data De-identification: An Overview of Basic Terms