Dec 062015
 

Defense Systems – December 5th, 2015

 

Information Security

 

The Air Force is looking beef up security across the board and improve its intelligence, surveillance and reconnaissance through what it calls kill-chain integration and full-spectrum awareness of emerging threats from both the outside and inside.

In a new Broad Agency Announcement, the service is taking aim at Air Force Secretary Deborah Lee James’s “Bending the Cost Curve” initiative announced at the beginning of last year by seeking to develop a better understanding to objectives and threshold requirements as well as rapidly addressing the need to integrate kill-chain solutions.

In typical military parlance, the term “kill chain” refers to the lengthy process of identifying and thwarting threats, typically covering activities from reconnaissance until the threat is eliminated. This term also generally applies to threats in cyberspace and the electromagnetic spectrum, with regard to identifying and eliminating network intrusions.

 

Air Force cyber logo

The Air Force has begun operating in multi-domain, multi-spectrum environments. Radars on traditional aircraft are susceptible to being jammed via electronic warfare, while newer systems such as the remotely piloted aircraft and high-tech 5th generation fighters are susceptible to being hacked in the cyber domain, in addition to having their radars jammed.

In stressing the importance of maintaining a tactical edge in these realms of operation, the BAA quotes Lt. Gen Robert Otto, deputy chief of staff for Intelligence, Surveillance and Reconnaissance, who writes in the “Air Force ISR 2023” strategy document that the “challenge for [Air Force] ISR is to maintain the impressive tactical competencies developed and sustained over the past 12 years, while rebuilding the capability and capacity to provide the air component commander and subordinate forces with the all-source intelligence required to conduct full-spectrum cross-domain operations in volatile, uncertain, complex, and ambiguous environments around the globe.”

The Air Force is interested in two specific areas of research. The first covers operationally focused ISR capabilities that meet combatant commander requirements and optimize end-user experience. Capabilities under this research area could include:

  • ISR modernization
  • Enhancing situational awareness
  • Mobile networking and communications equipment
  • Improvements to existing Air Force/Defense Department infrastructure
  • USAF cryptographic operations modernization
  • Geospatial analysis of social media
  • Exploitation of enemy threat systems
  • Increasing data utility and accessibility.

air force cyberSecond, the Air Force wants agile mechanisms for networks and IT systems that can detect, monitor, assess and isolate insider threats, which is a growing concern for DOD. Simultaneously, these systems must include mechanisms to restore contaminated systems to “pristine trusted states.” The solicitation said these networks:

  • Need solutions that address IT system security that uses virtualization coupled with both manual and machine learning techniques to isolate application threads to protect systems.
  • Must address and deliver software solutions to act autonomously to assess the probability of a function to be untrusted and, if deemed untrusted, disable the function, while allowing trusted functions on the host to interact normally with threads.
  • In cases where system contamination is beyond a point where function isolation can provide the appropriate protection, provide solutions for automated and/or manual mechanisms capable of restoring IT systems to a pristine state with minimal disruption to users.
  • Provide solutions to counter insider threats, whether controlled manually, through deterministic algorithms, or via pseudo-random methods; morphing attack surfaces are needed both in client hosts as well as server hosts.
Dec 062015
 

Defense Systems – December 5th, 2015

 

air force cyberwarfare

 

The Air Force has plenty of firepower, but some of its biggest concerns these days concern other domains. “We’re the best Air Force in the industrial age, but we’re living in the information age,” Lt. Gen. William Bender, chief of Information Dominance and CIO of the Air Force, said Wednesday at the Air Force IT Day hosted by AFCEA, as he and other officials outlined some of the steps the service is taking to maintain an edge across all domains.

In March, the Air Force established a cyber task force, which has made a significant difference, changing the game for the service going forward, he said. It has been an enterprise level initiative, which means everyone is involved, and has addressed enterprise level problems such as budget, a changing culture and policy.

air force cyberOne of the reasons for creating the task force was to get at the question of protecting weapons systems, said Peter Kim, deputy director of cyberspace operations for the Air Force. “We had to find someone who could diagnose a problem and say ‘what are we really need to be concerned about?’” he said, noting the discussion included the Defense Department unclassified NIPRNet, the classified SIPRNet and the Air Force Network, AFNET. “Are the core missions assured? Do we have mission assurance in and through cyberspace? And if we don’t know what that answer is, do we have a risk mitigation strategy? Is there a way we can fight through the cyberspace that’s contested?”

While networks have anti-virus measures, Kim said that concerns were more focused on high-tech weapons systems such as the F-22 Raptor.

The task force started by funding near-term initiatives, the “low hanging fruit,” Kim said. “If there’s stuff that we can get at that remediate the risk, the cyber risk to weapons systems platform or mission, we were very fortunate to get some of the money from [the Air Force Financial Management and Comptroller], we just started funding projects.”

Following the conclusion of the task force’s experimental run, Bender said, “we’re going to hand an enduring framework to the Air Force that has cyber as a constant understanding in cyberspace and [a] fully fleshed out and understood domain, we’re going to have risk management strategy for how we’re going to deal with the cyber-contested environment, we’re going to have a much better idea of the problem and we’re going to have a laundry list to prioritize investments.”

 

Air Force cyber logo

 

Another critical component is the cyber workforce. Both Bender and Kim were keen to mention that this will be a transformative process. Personnel must be trained to operate in cyberspace and within cybersecurity, and build on an increasing partnership with industry and academia, Bender said.

“We have cyberspace operators and we have cyberspace operations personnel, and I don’t want to say they’re support, I don’t want to say they’re IT…but they provide extremely valuable services to our Air Force in terms of AFNET ops,” Kim said, noting that the service also has to incorporate its operations with the DOD-wide Joint Operating Environment.

Additionally, the airmen of today are significantly different than the airmen of previous generations. “It is fundamentally a different mindset of these recruits that come in,” said Maj. Gen. Bradford Shwedo, Commander of the 25th Air Force. “They look at the software…and they’re very comfortable going into the ones and zeros of software and changing them to their advantage. I love that, ’cause we’re bringing these guys in and they’re finding ways to change ones and zeros to make bad guys go away every day. And we’re exploiting those on the cyber side.”

Lastly, there is the Cyber Mission Force, which will by 2017 consist of a total of 133 teams across DOD. The breakdown of the teams will consist of 68 Cyber Protection Teams that will be focused on DOD’s No. 1 mission – defense of the network; 13 National Mission Teams that will help defend the nation’s critical infrastructure; 27 Combat Mission Teams that will be aligned with the combatant commanders and assist in their planning and operations; and 25 Support Teams that will be available to support the National Mission and Combat Mission teams.

The Air Force will provide 39 teams to the overall mission force with 1,700 personnel, Col. Robert Cole, director of Air Forces Cyber Forward said. Those personnel will be drawn from both the 24th Air Force, the service’s cyber wing, and the 25th Air Force, which focuses on full spectrum decision advantage, ISR and electronic warfare.

In the end, the Air Force’s contribution to the cyber mission force will be roughly a 60/40 split of cyber and intelligence personnel because the cyber defensive element has so many more teams, Cole stated.

Dec 062015
 

Defense Systems – December 5th, 2015

 

muos satellite

 

The fourth Mobile User Objective System (MUOS) satellite was launched on Sept. 2 from Cape Canaveral Air Force Station, Fla., aboard an Atlas V rocket. On-orbit testing was completed on Nov. 30, the company said. The next step involves moving the MUOS-4 to its operational slot in the communication satellite constellation next spring. An on-orbit spare is scheduled for launch some time next year, Lockheed Martin added.

Ten days after its September launch, MUOS-4 executed a series of seven burns to move from its transfer orbit to a geosynchronous orbit over the Pacific Ocean. The burns maneuvered the satellite to its test slot roughly 22,000 miles above Earth.

At least four MUOS satellites are required to provide mobile forces with near-global coverage. Once the constellation is operational, forces equipped with MUOS terminals would have voice and data communications along with the ability to share imagery in real time.

 

 

muos satellite

The contractor also claims MUOS can provide the first polar communications capability from geosynchronous orbit.

The space network, with the satellites helped by mesh reflectors, also is expected to provide up to 16 times the communications capacity of current ultrahigh frequency communications satellites, which will eventually be replaced. “The legacy satellite communication system allowed users to ‘talk’ as long as they were within the same satellite footprint,” said Navy Capt. Joe Kan, program manager for the Communications Satellite Program Office. “MUOS allows troops all over the world to talk, text and share mission data seamlessly without having to worry about where they are in relation to a satellite.”

Lockheed Martin said it expects more than 55,000 radio terminals already in the field to be upgraded for compatibility with MUOS. Most will require only a software upgrade, the company said.

muos satellite

While the Navy’s Space and Naval Warfare Systems Command oversees the MUOS program, SPAWAR officials said users would include ground forces down to the level of individual soldiers as well as U.S. Special Forces.

The IP-based MUOS constellation also allows secure access to classified networks that enable tactical users to exchange sensitive situational awareness and targeting data, program officials said.

Along with greater capacity, the MUOS wideband CDMA (code division, multiple access) waveform is able to penetrate foliage and is designed to provide a stronger signal via prioritization and localized beam power control, Lockheed Martin said.

Dec 062015
 

MIT Tech Review – December 5th, 2015

 

censys

 

Early this week the Austrian security company SEC Consult found that more than three million routers, modems, and other devices are vulnerable to being hijacked over the Internet. Instead of giving each device a unique encryption key to secure its communications, manufacturers including Cisco and General Electric had lazily used a much smaller number of security keys over and over again.

That security screwup was discovered with the help of Censys, a search engine aimed at helping security researchers find the Internet’s dirty little secrets by tracking all the devices hooked up to it. Launched in October by researchers at the University of Michigan, it is likely to produce many more hair-raising findings. Google is providing infrastructure to power the search engine, which is free to use.

“We’re trying to maintain a complete database of everything on the Internet,” says Zakir Durumeric, the University of Michigan researcher who leads the open-source project.

Censys searches data harvested by software called ZMap that Durumeric developed with Michigan colleagues. Every day Censys is updated with a fresh set of data collected after ZMap “pings” more than four billion of the numerical IP addresses allocated to devices connected to the Internet. Grabbing a fresh set of that data takes only hours.

 

censys

 

The data that comes back can identify what kind of device responded, as well as details about its software, such as whether it uses encryption and how it is configured. Searching on Censys for software or configuration details associated with a new security flaw can reveal how widespread it is, what devices suffer from it, who they are operated by, and even their approximate location.

Steve Manzuik, director of security research at Duo Security, says that Censys should help make the Internet more secure. His researchers used the tool in their investigation of a major security flaw on computers sold by Dell revealed last week.

Dell had to apologize and rush out remediation tools after Duo showed that the company was putting rogue security certificates on its computers that could be used to remotely eavesdrop on a person’s encrypted Web traffic, for example to intercept passwords. Duo used Censys to find that a Kentucky water plant’s control system was affected, and the Department of Homeland Security stepped in.

Censys was born after Durumeric and colleagues found themselves deluged with requests to run scans to help measure new problems. This March they helped with the response to a major encryption flaw affecting some five million websites including those of Apple, Google, and the FBI (see “Probing the Whole Internet for Weak Spots”).

It has competition in the form of a commercial search engine for security researchers called Shodan, which uses a similar methodology but different software. Durumeric says head-to-head tests show Censys offers significantly better coverage of the Internet and fresher data, making it better suited to measuring and responding to new problems.

John Matherly, founder and CEO of Shodan, says he doesn’t think his coverage is much different, and notes that Shodan currently probes IP addresses in a wider variety of ways than Censys, for example looking specifically for certain types of control system.

Those behind Censys and Shodan can agree that making it easier to ferret out flaws in the Internet should make it more secure. Matherly says his tool has led to over 100,000 industrial control systems being properly secured and helped with the shutdown of numerous servers used by criminals to control malware.

Dec 032015
 

CNN Money – December 2, 2015

(Lightly edited for punctuation and grammar, because CNN employs halfwits as editors to deliver their faulty narrative…)

 

hacking power plants

 

You could live near — or work at — a major facility that has been hacked repeatedly and investigated by the federal government…but you’d never know.  What’s more, that secrecy could hurt efforts to defend against future attacks.  The murky information that is publicly available confirms that there is plenty to worry about.

Unnamed energy utilities and suppliers often make simple mistakes — easily exposing the power grid to terrorist hackers and foreign spies. A CNNMoney investigation has reviewed public documents issued by regulators that reveal widespread flaws.  There was the power company that didn’t bother to turn off communication channels on its gear at mini-stations along the electrical grid, leaving access points completely open to hackers. It was fined $425,000 by its regulator in August.

Another power company forgot to patch software on 66% of its devices, thus exposing them to known flaws exploited by hackers. It got a $70,000 fine in February.  There are plenty of other examples, and all “posed a serious or substantial risk” to portions of the electrical grid, these documents say, and hackers do sometimes get through.

In an industry newsletter available online, the Department of Homeland Security occasionally documents hacks, though only with vague descriptions. In early 2013, hackers attacked several natural gas pipelines in the Midwest, trying to break into the communication network that tells industrial machines what to do.

Last year, a hacker got into the network that controls industrial equipment at a public utility — but DHS won’t even say where it is in the United States.  We don’t know what happened in either case — or the dozens that stay under the radar each year. Neither do the very computer experts who train the nation’s next generation of hacking defenders. And even regulators can’t use this information to make safety regulations.

“Most folks don’t have any idea,” said David Kennedy, whose firm TrustedSec investigates attacks on power plants and other critical companies.  Steven Aftergood, who leads the project on government secrecy at the Federation of American Scientists, worries that “by categorically withholding this information, the government is concealing the very factors that shape homeland security policy.”

“Instead of a precise picture of an actual threat, the public is left with only vague generalities. The resulting deliberative process is crippled from the start,” Aftergood said.  It’s not just the energy industry. Every company that’s considered “critical infrastructure” can keep major hacks secret: the telecom industry, big banks, major chemical makers.  The only reason you hear about the small time stuff — such as when a retailer loses your credit card — is because some states have laws demanding disclosures. The potentially dangerous hacks stay in the dark permanently.

Why all the secrecy?

In the wake of the 2001 terrorist attacks, government officials were worried about protecting the nation’s critical infrastructure.  To encourage the sharing of information about major physical and computer-based attacks, the 2002 Homeland Security Act included special protection for U.S. companies: Any evidence they submit is considered “Protected Critical Infrastructure Information” (PCII) and kept from public disclosure.

CNN Money reviewed a 2009 DHS policy manual explaining the policy to law enforcement, government agents and industry. The manual explicitly explains this information is to be kept out of the hands of journalists, regulators and the public at large. The media “may not receive PCII” unless a company approves. A safety inspector “does not have a valid need-to-know” if he or she plans to use that information “for regulatory purposes.”  The manual explains what this means in practice. What happens if a severe vulnerability exists that makes train stations prone to terrorist attacks? If that information is categorized as “PCII,” a federal regulator can’t mention it — even when writing reports to push for better safety regulations at train stations.

At an energy industry conference in Philadelphia last month, Caitlin Durkovich, assistant secretary for infrastructure protection at DHS, repeatedly told company executives they’d never have to worry about public exposure.  “We go through extraordinary measures to make sure that information cannot get to someone who’d want to hurt you,” she said. “We cannot make it available to regulators, sunshine laws or [public records]. It’s part of building this trusted relationship with you.”

“We recognize we work in support of you,” Durkovich said.

The value of silence

There are good reasons for the policy. Investigators don’t want tip off hackers how close they are to catching them. And cybersecurity experts agree we shouldn’t make computer flaws public before they’re fixed.  American power utilities tell CNNMoney they don’t want to give hackers a road map to their systems, which rarely get upgraded or replaced.  Then there’s DHS. It is concerned that, if records ever go public, the many private companies that run the vast majority of the nation’s backbone will stay silent.  “The program… offers an essential incentive for critical infrastructure owners and operators to share relevant information with DHS,” said agency spokesman S.Y. Lee.

Besides, the public hears about some hacks anyway.  “I think we know enough. We do know enough that this is an epidemic. I don’t think we need the whole picture and all the gory details,” said Phillip Dunkelberger, a technology executive who leads Nok Nok Labs, which specializes in biometrics and other futuristic authentication tools.

The darkness is blinding.

Even if they agree about the need for initial secrecy, computer security experts are deeply skeptical about making it permanent. “It makes zero sense to lock up this information forever,” said Jeremiah Grossman, who founded cybersecurity firm WhiteHat Security. “Certainly there are past breaches that the public should know about, is entitled to know about, and that others can learn from.”

Robert M. Lee spent time in the U.S. Air Force, where he identified critical infrastructure attacks as a “cyber warfare officer.” Now he travels the world for the SANS Institute, teaching the actual government investigators and power plant computer teams who face these types of dangerous attacks.  Except he doesn’t have any class material. He can’t find it. It’s all secret.  “My class is the only hands-on training for industrial control systems, but my students’ number one complaint is that there aren’t case studies or enough data out there about the real threat we’re facing,” he said. “There’s no lessons learned. It is extremely destructive to the overall national security status of critical infrastructure.”

Nov 222015
 

Techworm – November 22, 2015

 

smartphone-mobile-security s

 

Federal authorities have been warned by privacy advocates about a new concept of tracking people. Marketing companies are using sound waves beyond human ear’s listening range in their advertisements which are said to alter cookies of nearby devices. This enables companies to know about what user does on the Internet using those devices. The potential devices include TVs, PCs, tablets and other wearables which are connected to Internet in any way.

According to officials, the ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.

smartphone securityThe Center for Democracy and Technology wrote in recently filed comments to the Federal Trade Commission. The FTC has scheduled a workshop on Monday to discuss the technology. Often, people use as many as five connected devices throughout a given day—a phone, computer, tablet, wearable health device, and an RFID-enabled access fob. Until now, there hasn’t been an easy way to track activity on one and tie it to another.

“As a person goes about her business, her activity on each device generates different data streams about her preferences and behavior that are siloed in these devices and services that mediate them,” CDT officials wrote. “Cross-device tracking allows marketers to combine these streams by linking them to the same individual, enhancing the granularity of what they know about that person.”

The companies,according to officials which are involved are namely SilverPush, Drawbridge, and Flurry These are working on ways to pair a given user to specific devices. Adobe is developing similar technologies. Without a doubt, the most concerning of the companies the CDT mentioned is San Francisco-based SilverPush.

CDT officials wrote:

Cross-device tracking can also be performed through the use of ultrasonic inaudible sound beacons. Compared to probabilistic tracking through browser fingerprinting, the use of audio beacons is a more accurate way to track users across devices. The industry leader of cross-device tracking using audio beacons is SilverPush. When a user encounters a SilverPush advertiser on the web, the advertiser drops a cookie on the computer while also playing an ultrasonic audio through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software development kit installed on it. SilverPush also embeds audio beacon signals into TV commercials which are “picked up silently by an app installed on a [device](unknown to the user).” The audio beacon enables companies like SilverPush to know which ads the user saw, how long the user watched the ad before changing the channel, which kind of smart devices the individual uses, along with other information that adds to the profile of each user that is linked across devices.

The user is unaware of the audio beacon, but if a smart device has an app on it that uses the SilverPush software development kit, the software on the app will be listening for the audio beacon and once the beacon is detected, devices are immediately recognized as being used by the same individual. SilverPush states that the company is not listening in the background to all of the noises occurring in proximity to the device. The only factor that hinders the receipt of an audio beacon by a device is distance and there is no way for the user to opt-out of this form of cross-device tracking. SilverPush’s company policy is to not “divulge the names of the apps the technology is embedded,” meaning that users have no knowledge of which apps are using this technology and no way to opt-out of this practice. As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones.

The CDT letter also mentioned that cross-device tracking has been put to use by more than a dozen marketing companies. The technology, which is typically not disclosed and can’t be opted out of, makes it possible for marketers to assemble a shockingly detailed snapshot of the person being tracked.

While technology is evolving day by day, corresponding concerns are also increasing. Now when Cross Device Tracking has made its way into the structure of modern online lifestyle, it is very difficult to say what consequences this may offer. As there is no way for someone to detect that they are being tracked. Even if they do manage to detect, there is no way to opt out.

Nov 212015
 

MIT Tech Review – Antonio Regalado – November 2015

 

Trust in Health with tech companies

 

The American public does not trust technology companies with personal health data, according to a survey from Rock Health, a venture capital firm focused on digital health.

Venture investors have poured record amounts into health apps, electronic medical records, and wearable devices, including $4.3 billion last year. But Silicon Valley’s touch with consumers hasn’t yet translated into many big successes.

Rock Health—which has invested in 13 startups this year, including the telemedicine company Doctor on Demand and Chrono Therapeutics, which makes a programmable nicotine replacement patch—decided to launch a large consumer survey to find out why. “A lot of digital health companies are struggling to sell to consumers, and we so we wanted to understand better what the state of adoption looked like,” says Teresa Wang, strategy manager with the investment company.

The survey, of 4,017 people, found that only 8 percent said they would share health data like medical records and lab results with “a technology company.” There was a huge gap between that figure and the number who said they would hand their health history over to a research institution (36 percent) or to their own doctor (86 percent). When asked whom they would share their DNA data with, the responses were similar.

Health care accounts for about 18 percent of U.S. GDP; it’s an immense market that tech companies and entrepreneurs in Silicon Valley see as rife with inefficiencies and ready to be disrupted. But health apps and websites aren’t going to get very far without consumers’ data. Wang says the industry relies on “data liquidity” but that most health data is trapped inside hospitals or insurance databases and can’t be exchanged freely.

“It’s not the tech companies that have the problem—it’s the health institutions,” she says. “If [we] can’t access health data because it’s siloed, then we have to go to the consumer.”

And that’s exactly where consumer preferences pose a roadblock. Digital health companies need consumers to hand over data, but so far they haven’t given people a convincing reason to share their blood pressure, genetic makeup, or health habits.

The survey, which was conducted online in July and August, also asked how willing consumers would be to share health data with specific tech companies. The contenders–Apple, Google, Facebook, Microsoft, and Samsung—all fared poorly, with approximately 5 percent of people saying they’d share with these companies. The outlier was Facebook, which people were about half as likely to give their data to. Only 2 percent said they’d share health or DNA data with the social network.

The trust gap may help explain why large tech companies have launched a growing number of partnerships with hospitals and medical institutions. This year, Apple launched ResearchKit, a way to help medical researchers collect data using iPhone apps. And this month Google Life Sciences entered into a $50 million project with the American Heart Association to study heart disease.

“Google and Apple are doing the smart thing; they need the trusted partner,” says Dennis Ausiello, a doctor and former chief of medicine at Massachusetts General Hospital, who this year helped create a diabetes app for the iPhone and also consults with Google. Ausiello doesn’t think only technology companies need to adapt. He says digital medicine won’t advance unless many, if not most, people begin to share and pool data for the common benefit. That will require “a social and cultural sea change,” he says.

Aug 262015
 

Defense Systems – August 26th, 2015

 

 

 

In the grand scheme of cyber things, distributed denial of service attacks might be considered mostly an inconvenience, but they are an inconvenience nonetheless—they might not steal information or infect a network, but they can make it inaccessible. And if a system is mission-critical, that can be more than an inconvenience.

The Pentagon’s research arm is looking for ways to lessen the blow, issuing a solicitation for what it calls Extreme DDoS Defense, or XD3.

The U.S. Computer Emergency Readiness Team describes denial of service attacks as preventing legitimate users from accessing information or services such as email, websites, or accounts by targeting specific computers or networks. DDoS attacks commandeer other computers, as bots, and use them to distribute malicious activity by exploiting security weaknesses and vulnerabilities.

 

ddos attack scheme

The Defense Advanced Research Projects Agency, which issued the solicitation, notes that while botnet-induced volumetric attacks that generate a significant amount of malicious traffic are the most common form of DDoS attacks, “low‐volume DDoS attacks can be even more pernicious and problematic from a defensive standpoint.”

Further, DARPA said that current DDoS defenses typically rely on a combination of network-based filtering, traffic diversion and scrubbing, otherwise described as replicating stored data, as a means to dilute volumetric attack.

What DARPA is seeking “fundamentally new DDoS defenses that afford far greater resilience to these attacks, across a broader range of contexts, than existing approaches or evolutionary extensions thereto.”

The fundamental shortfalls of general DDoS defenses, DARPA said, fall under the following deficiencies:

  • Responses to DDoS attacks are too slow and manually driven, with diagnosis and formulation of filtering rules often taking hours to formulate and instantiate.
  • Low‐volume DDoS attacks remain exceedingly difficult to identify and block with in‐line detection techniques. Even for volumetric DDoS attacks, in‐line filtering can present daunting tradeoffs between the desire for complete blockage of malicious traffic and the need to “do no harm” to legitimate communication (i.e., maximizing true positives while minimizing false positives).
  • Mechanisms that rely on in‐line inspection of data flows may be problematic for handling encrypted tunnels, and pose scalability challenges as network bandwidths continue to increase.
  • Defensive methods must be applicable to real‐time, transactional services (such as military command and control) as well as to cloud computing. Techniques that are only useful for protecting the storage and dissemination of quasi‐static data are insufficient.
Aug 072015
 

MIT Tech Review – August 7, 2015

 

 

Encryption is American

 

 

Data breaches like the one that hit the Pentagon’s e-mail system this week often start when one person makes a simple mistake like opening a phishing message. But the computer security industry is mostly built on tools that probe, patch, or scrutinize software rather than human errors.

Laura Bell, CEO of SafeStack, a security company in Auckland, New Zealand, thinks she has a way to address that discrepancy. She’s developing a kind of security scanner for people, in the form of software called Ava. It sends people targeted e-mails or social-media messages to see how good they are at resisting the scams that lead to dangerous breaches.

“If I’m the attacker, I’m going after the people,” says Bell, who presented Ava at the Black Hat computer security conference Thursday. “People are the path of least resistance, and we have to do something about it.”

Ava takes in data from corporate IT systems to map out the permissions that employees have and assess how frequently they communicate with each other. It also looks for employees’ social-media profiles and the connections between them, which can highlight key relationships that might be valuable to an attacker.

Ava can then be used to send phishing-style messages to employees to test how they respond. There might be a message from a senior executive asking a junior employee for a password, for example, or one from a distant coworker dropping the name of a friend and asking for a work document to be shared via Facebook.

An Eye is Upon YouThe security industry does have some established ways to try to rein in what are called social-engineering attacks. Security training has become standard at many large organizations, and some companies occasionally stage phishing attacks to drive home the risks of fake e-mail. But Bell says the continual stream of breaches caused by human slip-ups shows that education doesn’t work. Meanwhile, companies that perform phishing tests are rare, and they are generally one-off, manual exercises, she says.

Ava is intended to let organizations probe communication patterns and key relationships continually, says Bell—resulting in something more like an automated defense system such as a firewall. That could make it possible to track changes in a company’s level of human vulnerability over time, perhaps uncovering relationships to project deadlines or training events, she says.

However, Ava is still a work in progress. Bell has tested the software with a few small public- and private-sector organizations in New Zealand, and the team working on the software has grown. Now a newly formed ethics and privacy board is considering the legal and privacy issues that surround intentionally tricking people.

Aug 072015
 

MIT Tech Review – August 7th, 2015

 

Information Security

 

 

It is disturbingly easy to attack the backbone of the Internet to block access to a major online service like YouTube, or to intercept online communications at vast scale.

So say security researchers trying to rouse their industry into doing something about long-standing weaknesses in the protocol that works out how to route data across the different networks making up the Internet. Almost all the infrastructure running that protocol does not even use a basic security technology that would make it much harder to block or intercept data.

“The technology is available—the problem is we’re not using it,” said Wim Remes, manager of strategic services at security company Rapid7, in a talk at the Black Hat security conference in Las Vegas Wednesday. “There is limited probability of these attacks but the impact once they happen is huge.”

The weakness lies in the border gateway protocol, or BGP. Large routers operated by Internet service providers and major corporations use BGP to figure out how to get data between different places. Each of these major routers turns to others like itself—ones operated by other companies—for the information it needs to most efficiently dispatch data to its destination. Companies operating the routers manually choose which other routers theirs will trust.

 

Information Security

Unfortunately, BGP doesn’t have security mechanisms built in that allow routers to verify the information they are receiving or the identity of the routers providing it. Very bad things can happen when routers spread incorrect information about how to route data, intentionally or otherwise.

That problem has been known for decades. It was the basis of the hacking group L0pht’s 1998 claim before Congress that they could take down the Internet in 30 minutes. But incidents that have illuminated BGP’s flaws have prodded some security companies to take it more seriously.

In 2013, the security company Renesys observed several instances in which U.S. Web traffic was inexplicably diverted via Belarus and Iceland, in what may have been a “man in the middle” attack designed to covertly intercept data. In June this year, a Malaysian ISP misconfigured its routers and caused traffic from around the world to converge on its network, leading to hours of outages or sluggish performance for services including Snapchat, Skype, and Google. Artyom Gavrichenkov, a researcher with the security company Qrator, showed at Black Hat how BGP could be manipulated to obtain a security certificate in the name of a particular website without permission, making it possible to impersonate it and decrypt secured traffic.

Remes of Rapid7 says that companies running BGP infrastructure aren’t taking the risks of such problems seriously enough. A technology called RPKI can be used to give routers a way to verify that information they receive from others is valid. But only 16 of the world’s most heavily accessed sites have implemented it, and Facebook is the only site in the top 10 to have done so, he said.

Andree Toonk, manager of network engineering at OpenDNS, a security company recently acquired by Cisco Systems, says even wide adoption of RPKI would only go some way to addressing the hazards of BGP because it’s possible to work around it. “It solves 90 percent of the problem, but it is not foolproof,” he said.

In his own talk at Black Hat on Thursday, Toonk planned to describe a system of probes he set up around the world to track the activity of BGP routers. OpenDNS is to launch a kind of public alert system that will broadcast worrying changes in data routes via Twitter.