Retired Lieutenant General Rhett Hernandez, the first commander of US Army Cyber Command, has a great write-up on today’s cyber threats and the types of strategy organizations need to consider to properly defend their assets:

Cybercriminals are just beginning to think about the ways in which they can leverage their abilities. Any belief that if we pay them it will be okay will break down. You can’t trust agreements between people with values and people without values. Paying them will not ease the pain. Defining and mitigating the risk to prevent these threats from making you a victim is the key. And if prevention fails, your resiliency will depend on how prepared you are to recover and restore operations.

Taken together, the overall threat from cybercrime will result in far more expense to companies—not just from the breaches themselves, and working to prevent them, but also from litigation and, in all likelihood, additional regulation. Breaches at companies over the last year, especially Equifax, generated increased scrutiny among lawmakers and regulators around the country—and on Capitol Hill. Expect a growing push for companies to start to do some of the necessary security basics.

In this environment, the main issue for CEOs and top leaders isn’t which software to buy. When it comes to cybersecurity, culture is the most important thing because people are the weakest link. It isn’t just in corporate America. In every large organization, including the Army, where high discipline and high standards are expected, people often fall short, given the anonymity the virtual world provides. In my experience, soldiers—and employees—often fail to remember that a risk to one is a risk to all.

After discussing threats, Hernandez gets into techniques leaders should employ to counter the cyber threat. Most of the ideas are common sense, but you would be surprised how many in upper management are unaware of how to develop sound cyber defense strategy.

But Hernandez is right that the primary issue is culture. The weakest link in the security chain is often what ends up allowing an attacker to breach a network. Ensuring corporate culture prioritizes security pays huge, likely unquantifiable, dividends. It does not guarantee breach prevention, but it definitely helps ensure employees are far more cognizant of the threat, take it seriously, and take the individual steps they can to thwart attacks.

Just as safety is ingrained in most corporate cultures, cyber security needs to be at the forefront of people's minds when operating or accessing their organization's IT assets, whether those assets are in private or public cloud environments.

CSO Online reports on how the GoScanSSH malware is targeting Linux operating systems but somehow manages to avoid government and military operated servers:

For the initial infection, the malware uses more than 7,000 username/password combinations to brute-force attack a publicly accessible SSH server. GoScanSSH seems to target weak or default credentials of Linux-based devices, honing in on the following usernames to attempt to authenticate to SSH servers: admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

Those and other credential combinations are aimed at specific targets, such as the following devices and systems: Raspberry Pi, Open Embedded Linux Entertainment Center (OpenELEC), Open Source Media Center (OSMC), Ubiquiti networking products, jailbroken iPhones, PolyCom SIP phones, Huawei devices, and Asterisk systems.

After a device is infected, the malware determines how powerful the infected system is and obtains a unique identifier. The results are sent to a C2 server accessed via the Tor2Web proxy service “in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.”

The researchers determined the attack has been ongoing for at least nine months — since June 2017 — and has at least 250 domains; “the C2 domain with largest number of resolution requests had been seen 8,579 times.”

This sounds like a particularly nasty type of attack, but one that ought to be fairly simple to prevent. Considering it is easy to determine what the target system types are, and how the malware functions, deploying the right defense strategy is actually quite straightforward.

A quick couple of very simplistic examples immediately come to mind:

  1. Delete all unnecessary users from the above list, or rename those that must stay. In most cases guest, oracle, osmc, pi, test, ubnt, ubuntu, and user are unnecessary and can be removed. If they need to be kept, as I said, rename the accounts.
  2. For the accounts that must be kept, ensure direct SSH access is turned off wherever it is not needed. There is never a reason to SSH directly as root. That is the entire point of the sudo and su commands: log in as another user and then use one of those commands to perform functions as root or another user.

There are plenty of other methods for combating this attack to make it more difficult to be breached. But simple actions like the above are often overlooked.
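A way to check a host against both of the points above, as an added example (not code from the article or from Talos): it lists which of the usernames GoScanSSH brute-forces actually have accounts, and checks whether sshd still permits direct root login. Assumptions: POSIX sh with awk, the passwd and sshd_config paths are passed in (constructed sample files let it run offline), and the hardened sample also turns off password authentication, which goes one step beyond the article's two points.

```shell
#!/bin/sh
# Added example, not code from the article or from Talos: audit a Linux host for
# the usernames GoScanSSH brute-forces and for an sshd_config that still permits
# direct root login. Assumes POSIX sh plus awk; file paths are passed in, and the
# constructed sample files below let it run offline against no real host.

# Usernames the article lists as the ones GoScanSSH tries to authenticate with.
TARGETED_USERS="admin guest oracle osmc pi root test ubnt ubuntu user"

# Print, one per line, each targeted username that has an account in passwd file $1.
find_targeted_users() {
    for u in $TARGETED_USERS; do
        # awk exits 0 only if some line's first field (the login name) equals $u
        if awk -F: -v u="$u" '$1 == u { hit = 1 } END { exit !hit }' "$1"; then
            printf '%s\n' "$u"
        fi
    done
}

# Number of targeted usernames present in passwd file $1 (0 is the goal).
count_targeted_users() {
    find_targeted_users "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) only when sshd_config $1 sets PermitRootLogin to "no".
# sshd honours the first occurrence of a directive, so only the first one counts;
# if it is absent, the OpenSSH default (prohibit-password) still allows key-based
# root logins, which the article's advice rules out, so that case also fails.
root_login_disabled() {
    value=$(awk '$1 !~ /^#/ && tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$value" = "no" ]
}

# Report on one host's files: which targeted accounts exist and whether root SSH is off.
audit_host() {
    echo "== $1 / $2"
    echo "targeted usernames with accounts:"
    find_targeted_users "$1" | sed 's/^/  - /'
    if root_login_disabled "$2"; then
        echo "sshd: direct root login disabled (OK)"
    else
        echo "sshd: direct root login still permitted (set PermitRootLogin no)"
    fi
}

# --- constructed sample input (not taken from any real system) ---------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pi:x:1000:1000:,,,:/home/pi:/bin/bash
osmc:x:1001:1001::/home/osmc:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
EOF

# Weak: root may log in over SSH, and with a password, which is exactly what
# a credential brute-force needs.
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Hardened: no direct root login (use sudo/su after logging in as a normal user)
# and no password authentication at all, so a guessed password is useless.
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

audit_host "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/sshd_config.weak"
audit_host "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/sshd_config.hardened"
```

On a real host, point it at /etc/passwd and /etc/ssh/sshd_config instead of the sample files; the sample passwd deliberately contains root, pi and osmc so the report shows what a hit looks like.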

Talos provided both an IP blacklist and a domain blacklist that the malware uses to determine if it should continue attempts to compromise the system. Some of those domains include: .mil, .gov, .army, .airforce, .navy, .gov.uk, .mil.uk, govt.uk, .police.uk, .gov.au, govt.nz, and .mil.nz.

If the system or device is on neither set of blacklists, Talos “believes the attacker then compiles a new malware binary specifically for the compromised system and infects the new host, causing this process to repeat on the newly infected system.”

That is an interesting and novel approach to avoiding governmental systems. It is not unprecedented but definitely not a method often seen.

Federal News Radio reports on the US Navy’s attempt to remove a management bureaucracy layer by eliminating the previous executive-level Navy Chief Information Officer position:

A memo signed last Friday by Thomas Modly, the new undersecretary of the Navy, effectively eliminates the office of the Department of the Navy chief information officer, formerly an influential, separate position within the Secretary of the Navy’s organizational chart.

Going forward, Modly himself will take over the pro-forma title of DON CIO along with all of its responsibilities and authorities. A handful of staff will remain assigned to a restructured and downsized office, but only to handle the IT duties that federal law explicitly requires the secretaries of the military departments to perform.

The changes to the CIO role come as part of a broader management restructuring Modly directed just a few months after his confirmation as the Navy’s number-two civilian official.

The memo fully eliminates the deputy undersecretary of the Navy for management, the organization that, until last week, oversaw the DON CIO and some other functions, including its Office of Strategy and Innovation.

On the surface this sounds like a really bad idea(tm). There needs to be some senior executive leadership overseeing how the Department of the Navy handles not just information technology assets, but the associated cyber security requirements to adequately defend Navy networks.

The new arrangement appears to de-emphasize the notion that the two sea services should operate under one set of IT policies, but also reflects the realities of the different directions the Navy and Marine Corps have taken. The split was noticeable after a 2013 restructuring of what had previously been a single contract for a fully-outsourced Navy-Marine Corps Intranet (NMCI).

In the intervening years, the Navy and Marine Corps have chosen to pursue different models under the Navy’s Next Generation Enterprise Network (NGEN) contract.

The Marines have opted for a fully government owned-and-operated network known as the Marine Corps Enterprise Network (MCEN), including a cloud computing strategy that relies largely on a Marine-operated cloud computing center in Kansas City (MCEITS).

Meanwhile, the Navy has leaned toward an operating model in which it owns most of its infrastructure, but relies on the NGEN contract to perform most of the day-to-day labor involved in running its IT networks in the continental U.S.

Modly’s decision to devolve more control to the services also potentially reduces confusion about the various positions in the Navy that can lay claim to the title of CIO.

NMCI has been nothing short of an utter train wreck. It is no surprise the Marine Corps pulled out of that disaster to go its own separate, more agile way of handling IT. Not only are the Marines doing it for less cost, but the service levels have dramatically increased. I never heard a single person who was happy with NMCI.

Government-owned, government-operated is a far better model than allowing a contractor to come in and nickel-and-dime the Navy for every little thing they do. NMCI, and by extension the Overseas Navy Enterprise Network (ONE-NET), have never been truly successful. I foresee NGEN turning into the same type of disaster ONE-NET was unless there are some major modifications made to the way the contract is executed.

The Navy has done, and continues to do, things its own way compared to the rest of the US military. After all, this is the department still paying Microsoft to support Windows XP because there are too many outstanding deployments of the operating system in mission critical areas. Rather than paying to upgrade those systems, the Navy is paying for security patches. This is just outright unfathomable. So maybe it makes sense that the Navy has opted to eliminate the CIO position because, it could be argued, they were not doing their job to begin with.

Bottom line, removing the CIO position demonstrates a lack of understanding of what role a CIO should play in a major organization like the Department of the Navy. I am extremely concerned about the direction the Navy is going and wonder what unintended consequences there will be from this change.

The Hill has a report stating General James “Mad Dog” Mattis, the Secretary of Defense, has told colleagues he is unsure if he can work with John Bolton, the most recent selection for US national security adviser:

Defense Secretary Jim Mattis, the retired general who has argued for keeping the Iran deal intact and warned that military confrontation with North Korea would result in “the worst kind of fighting in most people’s lifetimes,” told colleagues on Friday that he did not know if he could work with Mr. Bolton. The White House chief of staff, John F. Kelly, another retired four-star general, was also unenthusiastic about Mr. Bolton’s hiring.

Mr. Bolton’s harshest critics — mostly Democrats, but their ranks include some members of the Bush administration — argue that the odds of taking military action will rise dramatically when he becomes the last person a volatile American president consults.

“John Bolton is not some gray bureaucrat whose views are unknown to us,” said Michael McFaul, the American ambassador to Moscow under President Barack Obama, and now a Stanford professor and the director of the Freeman Spogli Institute for International Studies.

What a horrible selection for arguably one of the most important positions within an administration.

The Washington Post reports the Trump administration announced sanctions and criminal indictments against an Iranian hacker network allegedly involved in “one of the largest state-sponsored hacking campaigns”:

Nine of 10 named individuals were connected to the Mabna Institute, a Shiraz-based tech firm that the Justice Department alleged hacks on behalf of Iranian universities and the IRGC. The institute conducted “massive, coordinated intrusions” into the computer systems of at least 144 U.S. universities and 176 foreign universities in 21 countries, including Britain and Canada, officials said.

The hackers stole more than 31 terabytes of data and intellectual property — the rough equivalent of three Libraries of Congress — from their victims, prosecutors alleged. Much of it ended up in the hands of the IRGC, which has frequently been accused of stealing information to further its own research and development of weaponry. The Guard Corps is the division of Iran’s security forces charged with overseeing Iranian proxy forces abroad and is under the direct control of the country’s religious leaders.

“Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code,” said Geoffrey S. Berman, U.S. attorney for the Southern District of New York.

“Iran is engaged in an ongoing campaign of malicious cyberactivity against the United States and our allies,” said Sigal Mandelker, the Treasury Department’s undersecretary for terrorism and financial intelligence. “We will not tolerate the theft of U.S. intellectual property or intrusion into our research institutions and universities.”

Although lately there is a lot of news about Russian state-sponsored cyber attacks, make no mistake, Russia is not the only country engaged in malicious cyberspace activity. Alongside Russia are China, North Korea, and Iran. These countries are responsible for the majority of the hacking activity around the globe. There are various reasons why these nations engage in cyber-based operations, not the least of which is surveillance against their enemies.

Here is an extremely simplified view of the landscape as it stands today.

China is primarily interested in stealing intellectual property. The Chinese would prefer to forego research and development costs, and would rather take the hard work already completed by others to use as the basis for their own technologies. China is mostly looking to increase their economic and military capabilities through these operations, with a strong emphasis on the former more than anything.

North Korea is completely cut off from the world banking system, so it has had to look to creative means of getting finances into the country. What North Korea has opted to do is conduct financially motivated cyber attacks. It leverages ransomware to be paid in bitcoin by the victims, thus allowing the country to bypass global banking and siphon money back into Pyongyang.

Finally, Iran ultimately wants to protect itself from neighboring countries but would also like to demonstrate its cyber-might. Consider it a mock revenge scenario. Stuxnet caused a lot of harm to the country and set back its nuclear program decades. Iran not only acquired firsthand knowledge of the destructive capabilities cyber weapons may have, but also of how easy it is to leverage cyber operations compared to traditional kinetic weaponry.

So again, although Russia has been the primary culprit in the news these days, there are other sophisticated nation state actors engaging in cyber operations for various reasons. It should come as no surprise to see Iran accused of a vast global cyber conspiracy.

One thing to consider, especially in light of Bolton being named Trump’s new National Security Advisor, is the administration's desire for war. This announcement may very well be a precursor to additional comments about Iran from the Trump administration. While I do not claim to have any specific knowledge of what is to come, the timing seems all too convenient.

The Telegraph is reporting the US has been preparing to launch a wide-ranging, potentially devastating cyber attack against North Korea:

In the last six months, the US has been covertly laying the groundwork for cyber attacks that would be routed through South Korea and Japan, where the US has extensive military facilities. The preparations include installing fibre cables into the region and setting up remote bases and listening posts from where hackers will attempt to gain access to North Korea’s version of the Internet, which is walled off from the rest of the world.

Another official told the magazine that a large part of the US spying and cyber warfare capability is being refocused on North Korea, including analysis of signals intelligence, overhead imagery and geospatial intelligence.

Analysts with expertise in other areas – such as the war on narcotics or monitoring geo-political issues in Africa – are also being reassigned to the new Korea Mission Centre at the CIA’s headquarters in Langley, Virginia.

News about impending US-perpetrated cyber attacks is highly unusual. This makes me wonder about the truth of this story. If it is true, I wonder to what extent there is an actual future plan, as opposed to North Korean network assets already having been infiltrated.

There is far more to this story than being reported, and it will likely not be something mentioned for quite some time.

Nextgov reports on the Air Force paying out over $100,000 in a public web site bug bounty:

The Air Force paid out nearly $104,000 to a cohort of white-hat hackers as part of Hack the Air Force 2.0, the Pentagon’s most recent bug bounty competition. During the 20-day competition, participants uncovered 106 security vulnerabilities across roughly 300 of the branch’s public-facing websites.

“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” said Air Force Chief Information Security Officer Peter Kim in a statement. “This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.”

The event kicked off Dec. 9 with a hackathon in New York City that partnered military cyber specialists with an A-list group of 25 ethical hackers from the United States, Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia. Participants discovered two bugs within the first 30 seconds of the competition and another 53 by the end of the day, earning a total of $26,883 in bounties.

This is a smart move. It is an inconsequential amount of money in the context of the entire Air Force budget, and likely far less expensive than paying an overpriced defense contractor to perform an assessment. Plus, these are motivated people who are really interested in helping.

All around, it helps the Air Force find and fix vulnerabilities all while cultivating good will within the security industry.

C4ISR is reporting LTG Paul Nakasone, current Commander of the United States Army Cyber Command, has been nominated for the dual-hat position of Commander of US Cyber Command and the Director of the National Security Agency:

According to the congressional record, Nakasone was nominated for his fourth star Feb. 8.

Cyber Command is currently in the throes of elevating to a full unified combatant command. The elevation is expected to become official following Nakasone’s confirmation by the Senate.

Nakasone’s nomination for both jobs shows that the Trump administration is not using the retirement of current commander and director Adm. Michael Rogers to split the dual hat arrangement as some in the national security community had expected.

Nakasone appears to be a solid selection. Since he has been with ARCYBER for quite some time, he should have a deep understanding of signals intelligence and cyber defense, while at the same time being capable of leading a cyber-oriented organization.

What I find most interesting in the small article is how Congress is not yet ready to split Cyber Command away from the NSA, even though, for all intents and purposes, the decision has been made. It will be interesting to see how the elevation of USCYBERCOMMAND from sub-unified to full Combatant Command, and the divorce from NSA, will affect its capabilities. I am a bit hesitant to get excited about the move, but remain optimistic.

Nextgov reports on a Pentagon report from 2000 predicting how cyber would be leveraged in the future:

The report, which Staniford co-authored with military and intelligence veterans Sami Saydjari and Ken Williams, was released this month within the first tranche of Rumsfeld’s “snowflakes”—the Pentagon nickname for the short email memos the secretary routinely blasted out to staff and advisers.

Roughly 59,000 pages of such snowflakes and their connected documents are being released in response to a Freedom of Information Act request filed by George Washington University’s National Security Archive.

Among other things, the report argues that:

  • The basic functions of critical infrastructure, such as dams, energy plants and airports, should be segregated from the internet. This is now considered conventional wisdom, though vulnerable, internet-connected front office tools frequently worm their way into the industrial control systems that operate critical infrastructure.
  • Over-classification of digital security information by the government might make it difficult to share vital information with companies that they can use to defend themselves. This remains a major problem, especially as the Homeland Security Department tries to ramp up cyber information sharing with the private sector.

It really is interesting how far advanced the US Department of Defense is in some ways, while completely backwards in others. The two specific bullet points above are extremely prescient, and demonstrate the Pentagon’s ability to develop highly intelligent analysis.

Unfortunately, as is all too often the case in DoD, there are leaders who discard the information as unnecessary, or who fail to take the time to fully comprehend its meaning and potential consequences. Far too much intelligence is discarded by leaders who cannot comprehend technical data, and thus we end up in a situation like this: accurate estimations primarily ignored.

Politico reports on an upcoming leadership change at the National Security Agency thanks to ADM Mike Rogers's impending retirement:

Picking Nakasone — who took the reins at Army Cyber Command in late 2016 — would place someone deeply versed in cyberspace operations atop the country’s premier intelligence-gathering service. As NSA head, Nakasone would also lead U.S. Cyber Command, the Pentagon’s digital warfare organization.

It’s unclear when the administration might formally announce the choice, but it’s believed the announcement could come in the next week or two, which means the Senate Armed Services Committee would hold a confirmation hearing in early March. The Senate Intelligence Committee may also hold a hearing, given the job’s heavy surveillance focus.

Nakasone sounds like a reasonable choice to lead the NSA considering his background and recent assignments. If selected, it will be interesting to see in what way the agency changes to adapt to the growing cyber threat, and more importantly, to the fallout from the still-unsolved Shadow Brokers breach.

Why exactly is DoD placing TOP SECRET and NOFORN data in an UNCLASSIFIED AWS S3 bucket? Have the rules changed about what systems are authorized to process classified data? This is just unbelievably lazy and stupid:

Within the bucket of data, Vickery found 47 viewable files and three downloadable files, some of which contained information designated as “Top Secret” or “NOFORN,” a security term that stipulates that material should not be shared with foreign allies.

As UpGuard’s report details, Vickery also found “a virtual hard drive used for communications within secure federal IT environments” and “Details concerning the Defense Department’s battlefield intelligence platform” known as DCGS-A and information on Red Disk, “a troubled Defense Department cloud intelligence platform” that integrates into Red Disk.

“Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data,” UpGuard notes.

Earlier this year, the same researcher discovered a set of sensitive files belonging to defense contractor Booz Allen Hamilton left out on a similarly unsecured server.

Of course, the issue isn’t that security firms are digging up these unprotected pockets of classified material, it’s that we have no way of knowing who else is.

The New York Times has done an incredibly in-depth report on how the various Shadow Brokers breaches and leaked NSA tools have really disturbed the organization like never before:

Like cops studying a burglar’s operating style and stash of stolen goods, N.S.A. analysts have tried to figure out what the Shadow Brokers took. None of the leaked files date from later than 2013 — a relief to agency officials assessing the damage. But they include a large share of T.A.O.’s collection, including three so-called ops disks — T.A.O.’s term for tool kits — containing the software to bypass computer firewalls, penetrate Windows and break into the Linux systems most commonly used on Android phones.

Evidence shows that the Shadow Brokers obtained the entire tool kits intact, suggesting that an insider might have simply pocketed a thumb drive and walked out.

But other files obtained by the Shadow Brokers bore no relation to the ops disks and seem to have been grabbed at different times. Some were designed for a compromise by the N.S.A. of Swift, a global financial messaging system, allowing the agency to track bank transfers. There was a manual for an old system code-named UNITEDRAKE, used to attack Windows. There were PowerPoint presentations and other files not used in hacking, making it unlikely that the Shadow Brokers had simply grabbed tools left on the internet by sloppy N.S.A. hackers.

This is one of the most fascinating cyber security and intelligence community stories of our time.

Why is a Hewlett Packard Enterprise Services contractor carrying a laptop with sensitive information on 130,000+ current and former U.S. Navy sailors? Just another in a series of embarrassing NMCI blunders for HPE:

Hackers gained access to sensitive information, including Social Security numbers, for 134,386 current and former U.S. sailors, the U.S. Navy said on Wednesday.

It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said.

There is no valid reason for an HPE Services employee to be running around with this type of data stored locally on a laptop. Why does a contractor even have access to PII data of this nature?

Michael Flynn is not the type of National-Security Adviser America needs now:

Flynn broke rules he thought were stupid. He once told me about a period he spent assigned to a C.I.A. station in Iraq, when he would sometimes sneak out of the compound without the “insane” required approval from C.I.A. headquarters, in Langley, Virginia. He had technicians secretly install an Internet connection in his Pentagon office, even though it was forbidden. There was also the time he gave classified information to NATO allies without approval, an incident which prompted an investigation, and a warning from superiors. During his stint as Mullen’s intelligence chief, Flynn would often write “This is bullshit!” in the margins of classified papers he was obliged to pass on to his boss, someone who saw these papers told me.

Flynn is a “do as I say, not as I do” kind of guy. While he regularly broke the rules he disliked, as a commander he likely punished junior soldiers for doing the very same things. There is no way junior officers or enlisted could ever get away with writing “this is bullshit” in the margins of documents passed on to him for review.

Finally, installing an unapproved, unaccredited internet connection in his office is just unbelievable. Likely his Information Assurance Manager (IAM) advised against it, but was told something along the lines of “shut up and color”, as often happens when senior leadership wants something against the rules. This is a huge problem within the US military – far too many people are more interested in promotion, and will not fight for what's right, especially when it involves a senior ranking officer like Flynn.

In 2012, Flynn became director of the Defense Intelligence Agency, in charge of all military attachés and defense-intelligence collection around the world. He ran into serious trouble almost immediately. I’ve spoken with some two dozen former colleagues who were close to Flynn then, members of the D.I.A. and the military, and some who worked with him in civilian roles. They all like Flynn personally. But they described how he lurched from one priority to another and had trouble building a loyal team. “He made a lot of changes,” one close observer of Flynn’s time at the D.I.A. told me. “Not in a strategic way—A to Z—but back and forth.”

Flynn also began to seek the Washington spotlight. But, without loyal junior officers at his side to vet his facts, he found even more trouble. His subordinates started a list of what they called “Flynn facts,” things he would say that weren’t true, like when he asserted that three-quarters of all new cell phones were bought by Africans or, later, that Iran had killed more Americans than Al Qaeda. In private, his staff tried to dissuade him from repeating these lines.

Flynn’s temper also flared. He berated people in front of colleagues. Soon, according to former associates, a parallel power structure developed within the D.I.A. to fence him in, and to keep the nearly seventeen-thousand-person agency working. “He created massive antibodies in the building,” the former colleague said.

This is not the type of temperament America needs for a National Security Advisor. When I think of really good Advisors, Condoleezza Rice comes to mind. While I may not have agreed with all of her assessments, she had the right temperament and frame of mind for the position – something I believe Flynn is missing.

I met Flynn once here in Tokyo, and just was the aura surrounding him both when he spoke to the audience, and afterwards when he was “networking” with attendees. While he appeared to speak confidently and intelligently about his topic, there was just something off-putting about the way he handled himself. The above perfectly characterizes Flynn in a nutshell.

The US Army is sending West Point cadets to gain cyber security experience in Silicon Valley internships:

Vidder has partnered with the Army and the Defense Department to accept cadets from West Point as summer interns, learning the ins and outs of cybersecurity from industry professionals. Although cadets receive training in the military aspects of cyber, the opportunity at Vidder offers a way to gain hands-on experience to supplement skills learned in the classroom and the opportunity to explore specific disciplines in greater depth.

“We really want to complement formal class work,” Vidder founder and CTO Junaid Islam told GCN. Commanders want to make sure the officers in training have a complete view of the supply chain of cybersecurity and understand how software, systems and networks are built, he added. Cadets already have an understanding of how cyber is used on the battlefield, but the internship gives them the opportunity to learn how software is developed. That experience will help them in the field, if they have to make a change to software or work with industry partners.