In yet another unbelievable act of stupidity for the US military stationed on Okinawa, the prefectural police apprehended a Kadena Air Base Airman for drinking and driving:

At approximately 4:05 a.m. on Sunday, police stopped and questioned Christopher Aaron Platt, a 27-year-old staff sergeant, who was driving on a road in the town of Chatan. During questioning, police noticed liquor on the suspect’s breath. The results of a breathalyzer test revealed an alcohol level in excess of the legal limit.

Platt denies the charges. “I didn’t drink at all,” the suspect is quoted by police.

Prior to pulling Platt over, police observed his vehicle weaving on the road.

Is it that difficult to start living like an adult by not drinking and driving? Seriously, what is wrong with these people?

Okinawan prosecutors seek four year prison term for US Navy sailor who raped local woman in a hotel:

The prosecutors said in their closing arguments Monday at the Naha District Court that the actions of 24-year-old Justin Castellanos were “selfish and absolutely despicable,” and sought a harsh punishment.

The sailor, based at Camp Schwab, was indicted for raping a woman at a hotel in Naha on March 13. The victim, a woman in her 40s from Fukuoka Prefecture, was in Okinawa on holiday.

While the prosecutors said Castellanos took advantage of the state of the woman, who was asleep in a hotel corridor, his lawyers are seeking a lenient term, saying he had initially planned to take care of the woman after finding her.

I cannot comprehend “harsh punishment” and “four year prison term” existing in the same breath.

Military Times has an inside look at how the Pentagon is secretly preparing for cyber war through its Cyber Guard exercise:

The massive coordinated cyber attack began with rolling blackouts throughout the electrical grid stretching across the Midwest, leaving up to 10 million Americans’ homes without power and businesses unable to process credit and debit card purchases.

Then came the inexplicable malfunction at a large oil refinery in Port Arthur, Texas, which spewed an oil-slick five-miles wide along the gulf coast shoreline. The governors of Texas and Louisiana declared states of emergency. In southern California, the attack shut down several major ports by disabling hydraulic systems. Dozens of cargo ships were stranded off Los Angeles, unable to offload their stacks of truck-sized containers.

Attacks on the Defense Department’s networks threatened the systems that monitor North American airspace and the radars on which the U.S. military relies.

Total mayhem.

This fictitious scenario was laid out for nearly 1,000 military, government and private sector personnel here at this year’s Cyber Guard exercise, the nation’s largest test of its network defenses. Conducted over nine days in June, the event offered a disturbing look at the type of catastrophe that could unfold during what the government’s top officials call “cyber 9/11.”

DoD has a long way to go to adequately prepare to defend against, and ultimately respond to, a major cyber attack consisting of these scenarios. Strategic hits to specific critical infrastructure areas would be catastrophic to the nation. These exercises are good practice, and help identify gaps in need of being shored up before an actual attack hits the country.

DoD announces “Hack the Pentagon” results and future cybersecurity plans:

The challenge – hosted by HackerOne, a Silicon Valley-based firm – was conducted on five public websites, which included defense.gov. It launched on April 18, and ran until May 12, with over 1,400 hackers, who completed registration and were invited to participate. Out of those who completed the registration, more than 250 submitted at least one vulnerability report. Among the contestants of the initiative, SECDEF gave an honorable mention to recent high-school graduate 18-year-old, David Dworkin and computer security researcher, Craig Arendt.

The purpose of the pilot program was to address the DoD’s defense in the digital world. “We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks,” says Secretary Carter. “What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference – hackers who want to help keep our people and nation safer.”

DoD should increase these bug bounty programs. Ultimately, allowing interested people to locate these types of vulnerabilities has two outcomes: it leads to increased DoD network strength, and allows white hat hacker types to refine their skills.

DISA has finally realized everyone is responsible for DoD cyber security rather than just the professionals:

As the pace of connectivity spurs forward, the job of protecting the networks has also expanded, often beyond the resources of the people meant to protect them. DISA Chief Technology Officer David Mihelcic said that because of the speed and adaptability of bad actors, cybersecurity has now moved to a kind of horizontal altruism that affects multiple elements of the information technology industry.

“Security cannot be the sole domain of cybersecurity specialists,” he said. “It has to be owned by everyone, to include the program managers and engineers who are developing and acquiring the system, the system administrators charged with operating the systems.

“We are going to have specialists. We’re going to have the CPTs — the cyber protection teams. We’re going to have offensive information and our cybersecurity forces as well, but cybersecurity cannot be the sole domain. We, the developers, the technologists and you, our mission partners, need to ensure that the [whole thing] is secure.”

After reading a story of a man who seduced the United States Navy’s Seventh Fleet I cannot help but feel this is unsurprising:

The target was not a terrorist, nor a spy for a foreign power, nor the kingpin of a drug cartel. But rather a 350-pound defense contractor nicknamed Fat Leonard, who had befriended a generation of Navy leaders with cigars and liquor whenever they made port calls in Asia.

Leonard Glenn Francis was legendary on the high seas for his charm and his appetite for excess. For years, the Singapore-based businessman had showered Navy officers with gifts, epicurean dinners, prostitutes and, if necessary, cash bribes so they would look the other way while he swindled the Navy to refuel and resupply its ships.

The downfall of the mighty United States military will not come about because of another major military player, but sadly, by imploding due to an entitlement and “look the other way” culture.

DARPA believes it can protect critical infrastructure from cyber attacks using a brand new tool it has developed:

Hackers have been breaking through a lot of government agencies’ defenses these past years, and DARPA thinks it’s high time to do something about it. Pentagon’s mad science division has launched a new program called Rapid Attack Detection, Isolation and Characterization (RADICS), which aims to develop innovative technologies that can quickly detect and respond to cyber attacks. Not just any cyber attacks, though: RADICS was specifically created to deflect security threats on critical infrastructures in the US, especially those that are vital to the Department of Defense’s missions. The agency likely wants to make sure the government can quickly detect and fight off terrorists and/or hackers trying to switch off the country’s electricity or transportation systems.

Raytheon wins $1 billion cyber security contract to battle attacks on US agencies:

The contract, one of the largest civilian cybersecurity orders in years, would help more than 100 federal civilian agencies protect their networks against malicious hackers, and it comes after the Office of Personnel Management suffered one of the most damaging breaches in history.

The OPM recently said that hackers stole the fingerprints of 5.6 million people, far more than previously thought. The attacks are believed to have affected more than 21 million former and current government employees, whose personal information, including Social Security numbers and information used in security clearances, may have been compromised.

The Obama administration has said it has made cybersecurity a top priority, and Congress has pushed to expand the nation’s defenses and make them more robust. The Pentagon is also taking steps to develop ways to fend off hackers, who often only have to find one crack in a network, while defenders have to guard the entire wall.

At a hearing on cybersecurity Tuesday, Sen. John McCain (R-Ariz.) said that in the past year, Iran, North Korea, China and Russia have all launched cyberattacks on the United States. And he said the rate of the attacks has increased, “crippling or severely disrupting networks across the government and private sector and compromising sensitive national security information.”

He added: “Far more needs to be done to develop the necessary capabilities to deter attacks, fight and win in cyberspace.”

After many years of watching senior leadership ignore cyber, operational military commanders are finally beginning to understand their gaps and weaknesses in cyber security, and the impact this has on mission readiness and effectiveness:

“While we’ve held a decisive and dominant advantage in all the other domains, that’s not necessarily the case in the cyber domain,” Brig. Gen. Robert Skinner, deputy commander of the Joint Force Headquarters-DoD Information Networks, told a conference on Thursday.

“The cost of entry in this domain is very minimal, which enables individuals or groups to generate effects that take a significant expenditure of resources to respond. The value curve is in the wrong direction,” he added.

Skinner’s department was launched in January to shoulder some of the responsibility for cyber operations in the Defense Department.

“We are conducting thousands of defensive operations each and every day … and countering millions of cyberattacks annually,” Skinner said. “We are in constant contact with agile, learning adversaries in cyberspace, and their learning curve has turned upside down.”

Additionally, officials said, the integration of technology, bureaucracy and personnel represent a challenge for the U.S., even as cyberattacks grow.

Lt. Gen. Ed Cardon, the leader of Army Cyber Command, said, “If [we] have all these technologies, but you can’t connect these to a command operation, how are we going to integrate all this stuff so that it accomplishes an effect?”

Another week, another round of bad news about the OPM breach. This time we learn the fingerprints of 5.6 million US government employees were exfiltrated by the ostensible Chinese hackers:

The attack on the agency, which is the main custodian of the government’s most important personnel records, has been attributed to China by American intelligence agencies, but it is unclear exactly what group or organization engineered it. Before Wednesday, the agency had said that it lost only 1.1 million sets of fingerprints among the records of roughly 22 million individuals that were compromised.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the agency said in a written statement. But clearly the uses are growing as biometrics are used more frequently to assure identity, in secure government facilities and even on personal iPhones.

The working assumption of investigators is that China is building a huge database of information about American officials or contractors who may end up entering China or doing business with it. Fingerprints could become a significant part of that effort: While a Social Security number or a password can be changed, fingerprints cannot.

Customs and immigration officials frequently fingerprint incoming travelers; millions of fingerprints in a Chinese database would help track the true identities of Americans entering the country.

“I am assuming there will be people we simply can’t send to China,” a senior intelligence official said this summer, before the most recent revelation. “That’s only part of the damage.”

The agency said that an “interagency working group,” with help from the F.B.I., the Department of Homeland Security and the intelligence agencies, “will review the potential ways adversaries could misuse fingerprint data now and in the future.”

The OPM breach is going to be studied for the next few years and will become the premier case study on how not to conduct cyber security. It is amazing they still have not increased their cyber defense capabilities since this all came to light a few short months ago.

Another day, another news item about state-backed Chinese-based cyber attacks. This time Trend Micro has released a comprehensive report detailing how China-based cyber attacks on US military targets are “Advanced, Persistent And Ongoing”:

In its blog announcing the paper, Trend Micro stated that “Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of bytes of data from defense contractors in the U.S., including stolen emails, intellectual property, and strategic planning documents.” The report further details that targets of Iron Tiger included military defense contractors, intelligence agencies, FBI-based partners, and the U.S. government. The private entities were tech-based government contractors in the electric, aerospace, intelligence, telecommunications, energy, and nuclear engineering industries.

Iron Tiger was observed exfiltrating up to 58GB worth of data from a single target, more than was stolen in the Sony attack. It could have potentially stolen up to terabytes of data in total, Trend Micro reports. It is highly environmentally adaptive and otherwise sophisticated and well organized, potentially merely an arm of a larger, multi-teamed operation with various targets.

China is convincingly Iron Tiger’s home base

The primary situs of China as the operatives’ home base was convincingly evidenced by the facts that the operatives used virtual private network (VPN) servers that only accepted China-based registrants, used Chinese file names and passwords, and operated from China-registered domains, according to the report. Some of Iron Tiger’s actions were also attributed to an individual physically located in China.

DoD CIO Terry Halvorsen is talking tough on cyber, stating there is a need to make it cost prohibitive for hackers to conduct cyber attacks:

“We are on the wrong side of the cyber economic curve,” he said at the summit. “We need to raise barriers to attackers’ entry, making it more expensive to play.”

But how? The answer is multifold, but at least one aspect is automation, mechanizing some of the basic actions and response involved in cybersecurity maintenance, Halvorsen said.

Automation is key to turning around the economics and coping with the speed of the threat, he said at the summit and on the call.

“Automating eliminates the basic [adversarial] players, makes it so you have to raise your game to play,” Halvorsen said. “It reduces the benefit hackers will see and makes it more expensive for hackers to play.”

Another key part is establishing a pervasive, standard-operating-procedure culture of cybersecurity throughout entire enterprises and communities. It’s a worry that Halvorsen said keeps him up at night.

“How do I get a cyber discipline culture, how do I get a cyber economic culture and how do I get a cyber enterprise culture? I think those are the three things that if we got those, almost everything else comes after,” he said. “If I get to the cyber enterprise culture, I’ll start doing integrated, layered defenses, I’ll use automated tools — [joint regional security stacks are] the cornerstone for that — I’ll get the right level of accountability and I will understand the money.”

The only way DoD will get to where it needs to be in cyber security is through a cultural shift. Once senior DoD leaders recognize they are the biggest threat to the enterprise network, and thus stop asking for unnecessarily risky exceptions to DoD policy simply because they are who they are, then DoD may finally realize the type of discipline needed for the future.

United States Cyber Command is designing a system to stay ahead of hackers but apparently they are currently incapable of acquiring technology to automate this functionality:

U.S. Cyber Command is building a massive, electronic system to provide an overview of the vulnerabilities of the military’s computer networks, weapons system and installations and help officials prioritize how to fix them, its deputy commander said on Thursday.

Lieutenant General Kevin McLaughlin told Reuters officials should reach agreement on the framework within months, turning the system into an automated “scorecard” in coming years.

McLaughlin said the effort grew out of a disturbing report released earlier this year by the Pentagon’s chief weapons tester, Michael Gilmore. The report warned that nearly every major U.S. weapons system was vulnerable to cyber attacks, and an escalating number of attacks on U.S. computer networks by Russia and China.

Cyber Command staff would do the initial data entry by hand, but the goal was to create a fully automated system that would help defense officials instantaneously detect and respond to any attacks, McLaughlin said after a speech at the annual Billington Cybersecurity Summit.

Here we are in 2015 and US Cyber Command is developing a program designed to perform initial data entry manually. Seriously?

The Chinese government is following the US lead and is now telling US tech companies operating in China to sign a PRISM-like cyber-loyalty pact:

Much of the pledge document is focused on user privacy rights, outlining policies that would give users the right to know where their data was stored, to control how much of their personal data was collected, to opt out of the collection of personal data, and to “choose to install, or uninstall non-essential components [and] to not restrict user selection of other products and services.” The pledge also asks companies to “guarantee product safety and trustworthiness” by taking measures to build security into products, rapidly patch vulnerabilities, and “not install any hidden functionalities or operations the user is unaware of in the product.”

As part of the requirements for “security of user information,” the pledge would require tech companies to “employ effective measures to guarantee that any user information collected isn’t illegally altered, leaked or used.” All data collected from Chinese customers would have to be stored in Chinese facilities and not be moved outside the country “without expressed permission of the user or approval from relevant authorities”—meaning the government would have oversight over what data could be exported for corporate use (and potentially accessed by foreign intelligence organizations).

Finally, the pledge would also require companies to agree to “accept the supervision of all parts of society”—including third-party evaluation of all products to determine they are “secure and controllable…to prove compliance with these commitments.” It is this clause that the Times’ industry sources suggested could be used by the Cyberspace Administration of China to demand access to encrypted data stored in cloud computing services and to provide source code for review.

In response to questions posed by Senator Ron Wyden, National Counterintelligence Executive William Evanina claims it is not the intelligence community’s job to warn OPM of cyber threats:

National Counterintelligence Executive William Evanina wrote a letter to Sen. Ron Wyden answering the Oregon Democrat’s questions about the landmark cyberattack, which has been blamed on the Chinese.

In the response to Wyden’s question of whether the intelligence community assessed the vulnerabilities of a database OPM maintained of highly sensitive background check information that OPM maintained or whether it offered any advice to OPM, Evanina pointed to bureaucracy.

“Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS),” Evanina wrote. “The statutory authorities of the National Counterintelligence Executive … do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems.”

In the short letter, Evanina also defended the decision to maintain a database of the background checks going back as far as 1985, saying it offers the advantage of being able to “assess the ‘whole person’ over a long period of time.”