Tag: cybersecurity


After many years of watching senior leadership ignore cyber, operational military commanders are finally beginning to understand their gaps and weaknesses in cyber security, and the impact this has on mission readiness and effectiveness:

“While we’ve held a decisive and dominant advantage in all the other domains, that’s not necessarily the case in the cyber domain,” Brig. Gen. Robert Skinner, deputy commander of the Joint Force Headquarters-DoD Information Networks, told a conference on Thursday.

“The cost of entry in this domain is very minimal, which enables individuals or groups to generate effects that take a significant expenditure of resources to respond. The value curve is in the wrong direction,” he added.

Skinner’s department was launched in January to shoulder some of the responsibility for cyber operations in the Defense Department.

“We are conducting thousands of defensive operations each and every day … and countering millions of cyberattacks annually,” Skinner said. “We are in constant contact with agile, learning adversaries in cyberspace, and their learning curve has turned upside down.”

Additionally, officials said, the integration of technology, bureaucracy and personnel represents a challenge for the U.S., even as cyberattacks grow.

Lt. Gen. Ed Cardon, the leader of Army Cyber Command, said, “If [we] have all these technologies, but you can’t connect these to a command operation, how are we going to integrate all this stuff so that it accomplishes an effect?”

Another week, another round of bad news about the OPM breach. This time we learn the fingerprints of 5.6 million US government employees were exfiltrated by the ostensibly Chinese hackers:

The attack on the agency, which is the main custodian of the government’s most important personnel records, has been attributed to China by American intelligence agencies, but it is unclear exactly what group or organization engineered it. Before Wednesday, the agency had said that it lost only 1.1 million sets of fingerprints among the records of roughly 22 million individuals that were compromised.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a written statement. But clearly the uses are growing as biometrics are used more frequently to assure identity, in secure government facilities and even on personal iPhones.

The working assumption of investigators is that China is building a huge database of information about American officials or contractors who may end up entering China or doing business with it. Fingerprints could become a significant part of that effort: While a Social Security number or a password can be changed, fingerprints cannot.

Customs and immigration officials frequently fingerprint incoming travelers; millions of fingerprints in a Chinese database would help track the true identities of Americans entering the country.

“I am assuming there will be people we simply can’t send to China,” a senior intelligence official said this summer, before the most recent revelation. “That’s only part of the damage.”

The agency said that an “interagency working group,” with help from the F.B.I., the Department of Homeland Security and the intelligence agencies, “will review the potential ways adversaries could misuse fingerprint data now and in the future.”

The OPM breach is going to be studied for the next few years and will become the premier case study on how not to conduct cyber security. It is amazing they still have not increased their cyber defense capabilities since this all came to light a few short months ago.

According to a report by the Japanese National Police Agency, there was a huge surge in targeted cyber attacks in Japan in 2015:

The National Police Agency said it recorded 1,472 attacks from January to June, NHK news agency reported.

The agency monitors such attacks in coordination with more than 6,900 defence and nuclear-related firms and others, which are the main targets.

In targeted attacks, emails carrying computer viruses are sent to companies and government offices in a bid to steal classified information. Typically, the virus is hidden in an attached file sent with the e-mail.

The agency said cases in which a Microsoft Word document was used to automatically download an illicit programme accounted for 64 percent of all incidents involving attached files. That’s up from two percent last year.

Ever since the proof-of-concept hack against the Jeep, automobile cyber security has been on people’s minds. This time two US senators are asking automobile manufacturers for details on their cyber security strategies:

Two U.S. senators have asked the world’s biggest automakers for information on steps they have taken to protect cars from being hacked, as attention on vehicle security has surged following the first car recall over a cyber bug.

Democratic Senators Edward Markey and Richard Blumenthal wrote to 18 automakers on Wednesday asking about efforts taken to secure vehicles including 2015 and 2016 models. They asked automakers how they test electronic components and communications systems to ensure attackers cannot gain access to onboard networks.

Concerns about auto cyber security have grown since July, when researchers gained remote control of a moving Jeep, prompting Fiat Chrysler Automobiles (FCAU.N) (FCHA.MI) to recall some 1.4 million vehicles for a software update.

The request from the senators follows a review that Markey began in December 2013. He concluded in a February 2015 report that the spread of technology connecting vehicles to networks had outpaced industry and government efforts to protect vehicles from hackers.

The senators said they want to know what automakers have done since the last survey to beef up security.

In the this-is-not-a-surprise department, lawmakers accuse DHS of stonewalling on cyber security plans:

“The department has persisted in its ‘go it alone’ mentality and has ignored Congress’ requests for information despite a record that demonstrates its need for oversight and accountability,” added Rep. John Ratcliffe (R-Texas), who chairs the panel’s subcommittee on cybersecurity, infrastructure protection and security technologies.

The DHS has played an increasingly important role in the government’s cybersecurity effort over the last year.

Congress late last year passed a series of bills that strengthened the agency’s cyber workforce and codified certain aspects of the DHS cybersecurity mission.

Lawmakers are currently considering more bills that would further clarify the agency’s cyber role while strengthening its authority to proactively investigate and defend federal networks across the government.

The House Homeland Security Committee is also drafting a bill that would transform the NPPD.

McCaul said the committee would soon hold hearings as lawmakers work to draft the legislation.

“We welcome the department’s input and look forward to working closely with them on streamlining NPPD’s structure,” he said.

The committee’s bill would rename the NPPD to Cybersecurity and Infrastructure Protection. It would also create two positions to oversee the new wing: a deputy undersecretary for cybersecurity and a deputy undersecretary for infrastructure protection.

Even though Russia has highly advanced cyber attack capabilities, it is not immune to operations designed to breach its networks. It would seem China may have conducted a cyber attack against the Russian military:

“There is a world market for classified data of any type,” said Epstein. “There are documented cases in the past where private hackers hacked into various institutions and then sold the data to nation states. The lines are increasingly blurred in the world of cybersecurity.”

The attack starts with a well-written Russian-language email that seems to come from someone else in the targeted military division or an analyst section from the same group of the military, he said.

It comes with an attached document, a Microsoft Word file with a published article about the history of military testing in Russia.

“It’s a decoy document,” said Epstein. “You double-click on it, you open it, you read it, you think, ‘Ah, that was kind of interesting.’ Then you close it and you don’t think about it again. But when it closes, it activates a macro, and the macro triggers a secondary file to take action, which is to download a third file, which is the nasty stuff.”

That’s when the malware takes over the computer and everything the user has access to, the attackers now have access to.

“Any anti-virus program wouldn’t see a virus in the document because there’s no virus in the document,” he said. “And the trigger on closing is a common anti-sandboxing technique because most sandboxes check for triggering when documents are opened, not when they are closed.”

This is a fairly standard, yet highly advanced, technique for confusing endpoint anti-virus. This is why layered defenses extend beyond the network and need to be implemented at the endpoint level too. Tools like application whitelisting, host intrusion prevention, and desktop firewalls, when used together, can greatly reduce the chance that these types of malware execute successfully.
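The close-triggered macro chain quoted above is exactly what a document triage step should surface before a file reaches an endpoint. The following is an added example, not code from the original post or from the article it quotes: given VBA source already extracted from a document (for instance with a tool such as olevba), it builds a call graph from the Sub/Function definitions, finds the auto-execute entry points, and reports which of them reach download or execution APIs, with close-time triggers labelled separately since, as Epstein notes, many sandboxes only exercise document open. The SAMPLE_VBA fixture, its procedure names and the API list are constructed for the example.

```python
import re

# Procedure names Office runs without a click; close-time ones are the anti-sandbox case.
OPEN_TRIGGERS = {"autoopen", "auto_open", "document_open", "autoexec", "workbook_open"}
CLOSE_TRIGGERS = {"autoclose", "auto_close", "document_close", "workbook_beforeclose"}
# Lower-cased substrings whose presence lets a macro fetch or launch a second stage.
STAGING_APIS = {"urldownloadtofile", "createobject", "shell", "xmlhttp", "adodb.stream"}
PROC_START = re.compile(r"^\s*(?:(?:private|public|friend)\s+)?(?:static\s+)?(?:sub|function)\s+(\w+)", re.I)
PROC_END = re.compile(r"^\s*end\s+(?:sub|function)\b", re.I)


def split_procedures(src):
    """Map each Sub/Function name to its body lines, with ' comments stripped."""
    procs, current = {}, None
    for raw in src.splitlines():
        line = raw.split("'", 1)[0]  # crude comment strip; enough for macro triage
        start = PROC_START.match(line)
        if current is None and start:
            current = start.group(1)
            procs[current] = []
        elif current is not None and PROC_END.match(line):
            current = None
        elif current is not None:
            procs[current].append(line)
    return procs


def analyze(src):
    """One finding per auto-exec trigger whose call graph reaches a staging API."""
    procs = split_procedures(src)
    lower = {n.lower(): n for n in procs}  # case-insensitive lookup of callees
    findings = []
    for name in procs:
        key = name.lower()
        when = "close" if key in CLOSE_TRIGGERS else "open" if key in OPEN_TRIGGERS else None
        if when is None:
            continue
        chain, apis, seen, stack = [], set(), set(), [(name, [name])]
        while stack:  # depth-first walk; `seen` stops mutual-recursion loops
            cur, path = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            text = "\n".join(procs[cur]).lower()
            hit = {api for api in STAGING_APIS if api in text}
            if hit:
                apis |= hit
                chain = path if len(path) > len(chain) else chain  # keep the deepest path
            for tok in re.findall(r"[A-Za-z_]\w*", text):
                callee = lower.get(tok)
                if callee and callee != cur:
                    stack.append((callee, path + [callee]))
        if apis:
            findings.append({"trigger": name, "when": when, "chain": chain, "apis": sorted(apis)})
    return findings


# Constructed fixture in the shape the article describes: nothing fires on open, the
# close handler calls a procedure that in turn reaches object-creation and shell APIs.
SAMPLE_VBA = """\
Private Sub Document_Close()
    Call Stage2
End Sub
Sub Stage2()
    Set http = CreateObject("MSXML2.XMLHTTP")
    Fetch http
End Sub
Sub Fetch(h As Object)
    Shell "placeholder", vbHide
End Sub
"""
```

Calling `analyze(SAMPLE_VBA)` returns a single finding whose chain runs Document_Close to Stage2 to Fetch, flagged as a close-time trigger; a document whose only auto-exec procedure never touches a staging API produces no finding.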

Who here wonders if this attack was actually perpetrated by the United States but made to appear as if China is responsible?

An apparently state-backed cyber-espionage group based in Russia has been running targeted malware campaigns against foreign governments for the past seven years:

For the past seven years, a cyber-espionage group operating out of Russia—and apparently at the behest of the Russian government—has conducted a series of malware campaigns targeting governments, political think tanks, and other organizations. In a report issued today, researchers at F-Secure provided an in-depth look at an organization labelled by them as “the Dukes,” which has been active since at least 2008 and has evolved into a methodical developer of “zero-day” attacks, pulling together their own research with the published work of other security firms to provide a more detailed picture of the people behind a long-running family of malware.

Characterized by F-Secure researchers as a “well resourced, highly dedicated and organized cyberespionage group,” the Dukes have mixed wide-spanning, blatant “smash and grab” attacks on networks with more subtle, long-term intrusions that harvested massive amounts of data from their targets, which range from foreign governments to criminal organizations operating in the Russian Federation. “The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors,” the F-Secure team wrote. “Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”

The first known targets of the Dukes’ earliest-detected malware, known as PinchDuke, were associated with the Chechen separatist movement. By 2009 the Dukes were going after Western governments and organizations in search of information about the diplomatic activities of the United States and the North Atlantic Treaty Organization. While most of the attacks have used spear phishing e-mails as the means of injecting malware onto targeted systems, one of their attacks has spread malware through a malicious Tor exit node in Russia, targeting users of the anonymizing network with malware injections into their downloads.

Another day, another news item about state-backed, China-based cyber attacks. This time Trend Micro has released a comprehensive report detailing how China-based cyber attacks on US military targets are “Advanced, Persistent And Ongoing”:

In its blog announcing the paper, Trend Micro stated that “Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of bytes of data from defense contractors in the U.S., including stolen emails, intellectual property, and strategic planning documents.” The report further details that targets of Iron Tiger included military defense contractors, intelligence agencies, FBI-based partners, and the U.S. government. The private entities were tech-based government contractors in the electric, aerospace, intelligence, telecommunications, energy, and nuclear engineering industries.

Iron Tiger was observed exfiltrating up to 58GB worth of data from a single target, more than was stolen in the Sony attack. It could have potentially stolen up to terabytes of data in total, Trend Micro reports. It is highly environmentally adaptive and otherwise sophisticated and well organized, potentially merely an arm of a larger, multi-teamed operation with various targets.

China is convincingly Iron Tiger’s home base

The primary situs of China as the operatives’ home base was convincingly evidenced by the facts that the operatives used virtual private network (VPN) servers that only accepted China-based registrants, used Chinese file names and passwords, and operated from China-registered domains, according to the report. Some of Iron Tiger’s actions were also attributed to an individual physically located in China.

DoD CIO Terry Halvorsen is talking tough on cyber, stating there is a need to make it cost-prohibitive for hackers to conduct cyber attacks:

“We are on the wrong side of the cyber economic curve,” he said at the summit. “We need to raise barriers to attackers’ entry, making it more expensive to play.”

But how? The answer is multifold, but at least one aspect is automation, mechanizing some of the basic actions and response involved in cybersecurity maintenance, Halvorsen said.

Automation is key to turning around the economics and coping with the speed of the threat, he said at the summit and on the call.

“Automating eliminates the basic [adversarial] players, makes it so you have to raise your game to play,” Halvorsen said. “It reduces the benefit hackers will see and makes it more expensive for hackers to play.”

Another key part is establishing a pervasive, standard-operating-procedure culture of cybersecurity throughout entire enterprises and communities. It’s a worry that Halvorsen said keeps him up at night.

“How do I get a cyber discipline culture, how do I get a cyber economic culture and how do I get a cyber enterprise culture? I think those are the three things that if we got those, almost everything else comes after,” he said. “If I get to the cyber enterprise culture, I’ll start doing integrated, layered defenses, I’ll use automated tools — [joint regional security stacks are] the cornerstone for that — I’ll get the right level of accountability and I will understand the money.”

The only way DoD will get to where it needs to be in cyber security is through a cultural shift. Once senior DoD leaders recognize they are the biggest threat to the enterprise network, and thus stop asking for unnecessarily risky exceptions to DoD policy simply because they are who they are, then DoD may finally realize the type of discipline needed for the future.

United States Cyber Command is designing a system to stay ahead of hackers, but apparently it is currently unable to acquire technology that would automate the work:

U.S. Cyber Command is building a massive, electronic system to provide an overview of the vulnerabilities of the military’s computer networks, weapons system and installations and help officials prioritize how to fix them, its deputy commander said on Thursday.

Lieutenant General Kevin McLaughlin told Reuters officials should reach agreement on the framework within months, turning the system into an automated “scorecard” in coming years.

McLaughlin said the effort grew out of a disturbing report released earlier this year by the Pentagon’s chief weapons tester, Michael Gilmore. The report warned that nearly every major U.S. weapons system was vulnerable to cyber attacks, and an escalating number of attacks on U.S. computer networks by Russia and China.

Cyber Command staff would do the initial data entry by hand, but the goal was to create a fully automated system that would help defense officials instantaneously detect and respond to any attacks, McLaughlin said after a speech at the annual Billington Cybersecurity Summit.

Here we are in 2015 and US Cyber Command is developing a program designed to perform initial data entry manually. Seriously?

The Chinese government is following the US lead and is now telling US tech companies operating in China to sign a PRISM-like cyber-loyalty pact:

Much of the pledge document is focused on user privacy rights, outlining policies that would give users the right to know where their data was stored, to control how much of their personal data was collected, to opt out of the collection of personal data, and to “choose to install, or uninstall non-essential components [and] to not restrict user selection of other products and services.” The pledge also asks companies to “guarantee product safety and trustworthiness” by taking measures to build security into products, rapidly patch vulnerabilities, and “not install any hidden functionalities or operations the user is unaware of in the product.”

As part of the requirements for “security of user information,” the pledge would require tech companies to “employ effective measures to guarantee that any user information collected isn’t illegally altered, leaked or used.” All data collected from Chinese customers would have to be stored in Chinese facilities and not be moved outside the country “without expressed permission of the user or approval from relevant authorities”—meaning the government would have oversight over what data could be exported for corporate use (and potentially accessed by foreign intelligence organizations).

Finally, the pledge would also require companies to agree to “accept the supervision of all parts of society”—including third-party evaluation of all products to determine they are “secure and controllable…to prove compliance with these commitments.” It is this clause that the Times’ industry sources suggested could be used by the Cyberspace Administration of China to demand access to encrypted data stored in cloud computing services and to provide source code for review.

In response to questions posed by Senator Ron Wyden, National Counterintelligence Executive William Evanina claims it is not the intelligence community’s job to warn OPM of cyber threats:

National Counterintelligence Executive William Evanina wrote a letter to Sen. Ron Wyden answering the Oregon Democrat’s questions about the landmark cyberattack, which has been blamed on the Chinese.

In the response to Wyden’s question of whether the intelligence community assessed the vulnerabilities of a database of highly sensitive background check information that OPM maintained or whether it offered any advice to OPM, Evanina pointed to bureaucracy.

“Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS),” Evanina wrote. “The statutory authorities of the National Counterintelligence Executive … do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems.”

In the short letter, Evanina also defended the decision to maintain a database of the background checks going back as far as 1985, saying it offers the advantage of being able to “assess the ‘whole person’ over a long period of time.”

President Obama warns China on cyber spying ahead of Xi visit:

A person briefed on the White House’s thinking said on Tuesday the United States does not plan to impose sanctions on Chinese entities for economic cyber-attacks ahead of Xi’s visit to avoid what would be seen as a diplomatic disaster.

The United States has emphasized to China that industrial espionage by its government or its proxies in cyberspace goes beyond traditional intelligence gathering, Obama said.

“That we consider an act of aggression that has to stop,” Obama told the Business Roundtable, a lobbying group.

Obama said the United States is preparing measures to show the Chinese “this is not just a matter of us being mildly upset, but is something that will put significant strains on a bilateral relationship if not resolved and that we are prepared to take some countervailing actions.”

White House spokesman Josh Earnest later said Obama was “intentionally non-specific” in the comments and said the US government is “hopeful” that it will not need to use sanctions or other measures against China for cyber-attacks on US commercial targets.

“It is clear that the Chinese government is being responsive to those concerns by at least engaging in a candid discussion of those issues,” Earnest told reporters.

The Federal Bureau of Investigation seems to be trying to get ahead of the so-called cyber attack business, and has issued some warnings about how to keep hackers from causing chaos at the gas pump and other similar tips:

The Defense Advanced Research Projects Agency in 2011 launched a program to help make “the code behind the physical control systems of an airplane or self-driving car,” for instance, “become mathematically, provably unhackable,” Carter said at a future technology forum hosted by the agency.

“DARPA’s already made some of that source code openly available online – it can give the Internet of Things a critical foundation of cybersecurity, which it’s going to need,” he said.

By 2020 there will be 250 million Internet-connected vehicles on the road, according to Gartner. A Wired journalist a few months ago had private researchers remotely kill the transmission of a Jeep on a St. Louis highway — while he was sitting in the driver’s seat.

The Office of Personnel Management’s response to its recent massive breach is once again being challenged by the Inspector General, who warns that OPM is not taking enough corrective action to prevent future

It said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements, and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM’s belief that some of the cost of moving the data can be funded through discontinuing obsolete software, it said, calling OPM’s plan to find the rest of the funding from other accounts “inadequate and inappropriate.”

“Without this rigorous effort, we continue to believe that there is a high risk of project failure,” it said.

OPM also had rejected the IG’s recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that “based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”

It noted that since the first report, former OPM director Katherine Archuleta had resigned under pressure and a Senate committee rejected a bid to add funding for the project even while backing extending the services to the victims. “In such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome,” it said.

Knowing how the government responds in these types of situations, I cannot say I am surprised. This sounds like business as usual.