Sep 1 2010

DARPA launches insider threat detection effort for military

The Defense Advanced Projects Agency (DARPA) has launched a project for detecting and responding to insider threats on Department of Defense networks.

Under the Cyber Insider Threat (CINDER) Program, DARPA will explore new approaches for improving the speed and accuracy of insider threat detection. The agency last week sought proposals for ways to identify hostile insider activity by monitoring specific user and network behaviors.

In the initial stage of the project, the goal is not necessarily to develop new ways of detecting individual malicious insiders themselves. Instead, DARPA hopes to figure out the tell-tale signs and network activities that organizations should monitor to accurately detect malicious activity.

“If we were looking for the insider actor himself, we might not detect someone who performs a single, isolated task and we run the risk of being inundated with false positives from events being triggered without context of a mission,” DARPA said. “To this end, CINDER starts with the premise that most systems and networks have already been compromised by various types and classes of adversaries. These adversaries are already engaged in what appear to be legitimate activities, while actually supporting adversary missions.”

In the next two phases of the three-part CINDER effort, DARPA will develop systems that can monitor networks and user activity and spot malicious activity more quickly.

The CINDER initiative comes just a few weeks after whistleblower Web site Wikileaks posted more than 70,000 documents containing sensitive details on American military operations in Afghanistan. The documents were allegedly leaked to the site by Bradley Manning, a relatively junior Army intelligence analyst who is also accused of supplying Wikileaks with a controversial video allegedly showing a deadly U.S. Apache helicopter attack in Iraq.

Manning’s alleged actions have prompted widespread criticism from those who believe the data has put critical U.S. intelligence and military assets in Afghanistan in harm’s way. The leaks have also highlighted the risks associated with the information-sharing that has been going on within the military for some time.

Networks such as the U.S. Department of Defense’s Secret Internet Protocol Router Network or SIPRNet, which Manning is alleged to have accessed, are designed to pass along important information as quickly and efficiently as possible.

Detecting malicious insider activity is difficult. “What sets the insider threat apart from other adversaries is the use of normal tactics to accomplish abnormal and malicious missions,” DARPA said.

The same issue has dogged enterprises for years and is considered by many analysts to pose an even greater threat to corporate data and networks than external hackers.

Source


Aug 30 2010

Dead Codebreaker Was Linked to NSA Intercept Case

A top British codebreaker found mysteriously dead last week in his flat had worked with the NSA and British intelligence to intercept e-mail messages that helped convict would-be bombers in the UK, according to a news report.

Gareth Williams, 31, made repeated visits to the U.S. to meet with the National Security Agency and worked closely with British and U.S. spy agencies to intercept and examine communications that passed between an al Qaeda official in Pakistan and three men who were convicted last year of plotting to bomb transcontinental flights, according to the British paper the Mirror.

Williams, described by those who knew him as a “math genius,” worked for the Government Communications Headquarters (GCHQ) helping to break coded Taliban communications, among other things. He was just completing a year-long stint with MI6, Britain’s secret intelligence service, when his body was found stuffed into a duffel bag in his bathtub. He’d been dead for at least two weeks. His mobile phone and a number of SIM cards were laid out on a table near the body, according to news reports. There were no signs of forced entry to the apartment and no signs of a struggle.

Initial news stories indicated Williams had been stabbed, but police have since disputed that information, noting that — other than being stuffed into a duffel bag — there were no obvious signs of foul play. A toxicology report is expected Tuesday.

Investigators say they haven’t ruled out the possibility that the codebreaker was killed over something related to his work. Rumors that sexual bondage equipment was found in his apartment were also nixed by police, who said the rumors were untrue and they found no evidence yet to suggest that anything in Williams’ personal life led to his death.

Williams, an avid cyclist, lived in an apartment in Pimlico in central London that was reportedly part of a network of flats registered to an offshore front company and rented out to GCHQ workers. He is believed to have returned from a trip abroad on August 11. He was last seen alive on August 15, eight days before his body was found.

Williams flew up to four times a year to the NSA’s headquarters at Fort Meade in the U.S., according to the Mirror. His uncle, Michael Hughes, told the paper that Williams would mysteriously disappear for three or four weeks.

“The trips were very hush-hush,” Hughes said. “They were so secret that I only recently found out about them – and we’re a very close family. It had become part of his job in the past few years. His last trip out there was a few weeks ago, but he was regularly back and forth.”

Williams was said to have worked with the NSA on e-mails intercepted between Abdullah Ahmed Ali and Assad Sarwar and Rashid Rauf, a British national in Pakistan who was allegedly director of European operations for al Qaeda. The e-mails, intercepted by the NSA in 2006, allegedly contained coded messages.

The NSA shared the e-mails with British prosecutors but wouldn’t allow them to use the evidence in an early trial of the suspects out of fear of tipping off Rauf that he was under surveillance. It was only after Rauf was reportedly killed in a U.S. drone attack that the NSA allowed prosecutors to use the e-mails to convict the other suspects. It’s never been known whether the NSA intercepted the messages overseas or siphoned them as they passed through internet nodes on U.S. soil as part of the NSA’s controversial and unconstitutional warrantless wiretapping program.

An unidentified Western intelligence source told the Mirror that Williams’ job would have had him participating in “crucial high-level meetings with American intelligence officers. His job would have been crucial to the security of the UK and our interests abroad – and also to America and Europe.

“Although not particularly high up the GCHQ ladder, the importance of his role should not be underestimated. The man was a mathematical genius.”

His landlady, Jenny Elliott, told the Telegraph, “Occasionally you could hear tapes whirring from his flat, which must have been audio cassettes he used for work, but he never told me what they were.”

Source


Aug 27 2010

Intrusion Detection: Analyzing Data Proves Valuable

Michigan CIO Ken Theis on state’s implementation of Einstein 2 intrusion detection system.

The numbers are staggering: the Einstein 2 intrusion detection system blocked 195,000 e-mail and spam messages as well as 25,000 web defacement attempts, 12,000 scanning attempts, 18,000 Internet browser compromise attempts and 17,000 intrusion prevention system attempts. That is for just one state on just one day.

Michigan early this year became the first state to implement Einstein 2, created by the federal Department of Homeland Security. What’s as important as blocking intrusions is the ability of the state to use Einstein to analyze the threat to its IT network, Ken Theis, director of the Michigan Office of Technology and state chief information officer, said in the second of a two-part interview with GovInfoSecurity.com.

“What Einstein has taught us is that even if you think you’re good, there are always opportunities to get a lot better, and I think Einstein has taken us up a couple of notches because it’s really providing us with a vision into a whole other level of threats that current processes in our current systems aren’t capable,” Theis said.

In the interview, conducted by GovInfoSecurity.com’s Eric Chabrow, Theis also discusses a framework Michigan has adopted to implement cloud computing in which the state, not the cloud providers, prescribes the client-vendor relationship.

Source


Aug 25 2010

Defense official discloses cyberattack

Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.

In an article to be published Wednesday discussing the Pentagon’s cyberstrategy, Deputy Defense Secretary William J. Lynn III says malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he says in the Foreign Affairs article.

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

Lynn’s decision to declassify an incident that Defense officials had kept secret reflects the Pentagon’s desire to raise congressional and public concern over the threats facing U.S. computer systems, experts said.

Much of what Lynn writes in Foreign Affairs has been said before: that the Pentagon’s 15,000 networks and 7 million computing devices are being probed thousands of times daily; that cyberwar is asymmetric; and that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult to identify the instigator of an attack.

But he also presents new details about the Defense Department’s cyberstrategy, including the development of ways to find intruders inside the network. That is part of what is called “active defense.” Counterfeit hardware has been detected in systems that the Pentagon has bought. Such hardware could expose the network to manipulation from adversaries.

He puts the Homeland Security Department on notice that although it has the “lead” in protecting the dot.gov and dot.com domains, the Pentagon – which includes the ultra-secret National Security Agency – should support efforts to protect critical industry networks.

Lynn’s declassification of the 2008 incident has prompted concern among cyberexperts that he gave adversaries useful information. The Foreign Affairs article, Pentagon officials said, is the first on-the-record disclosure that a foreign intelligence agency had penetrated the U.S. military’s classified systems. In 2008, the Los Angeles Times reported, citing anonymous Defense officials, that the incursion might have originated in Russia.

The Pentagon operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy, Lynn said. In November 2008, the Defense Department banned the use of flash drives, a ban it has since modified.

Infiltrating the military’s command and control system is significant, said one former intelligence official who spoke on the condition of anonymity because of the sensitivity of the matter. “This is how we order people to go to war. If you’re on the inside, you can change orders. You can say, ‘turn left’ instead of ‘turn right.’ You can say ‘go up’ instead of ‘go down.’ ”

In a nutshell, he said, the “Pentagon has begun to recognize its vulnerability and is making a case for how you’ve got to deal with it.”

Source


Aug 23 2010

Why cybersecurity experts can never rest

The Web threat landscape is becoming increasingly dynamic and opportunistic as hackers continue to adapt to new online functionality and trends, according to a report on online security from Zscaler, a security firm that specializes in cloud computing.

“While the goals have not changed, the techniques continue to evolve,” wrote Michael Sutton, the company’s vice president of security research, in the “State of the Web” report for the second quarter of 2010. “The attacks that we’re seeing are increasingly dynamic in nature, continually shifting locations and swapping out payloads to avoid detection.”

Attackers are using social networking functionality, exploiting current events and using techniques such as fast flux to quickly change the Domain Name System resolution for IP addresses, a tactic that allows them to evade blacklists that block malicious sites. The trends are not new, but they illustrate the continued threat posed by increasingly professional criminals with access to a growing kit of malicious tools available in the underground market.
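The fast-flux tactic described above leaves a footprint that a defender can look for in DNS resolution records: one hostname resolving to many unrelated IP addresses in a short period, usually with very low TTLs so that caches expire quickly. The following is an added example written for this page, not code from Zscaler or from the report; it runs a simplified flux heuristic over a constructed resolver log (timestamp, hostname, answer IP, TTL). The threshold values (`window_seconds`, `min_ips`, `max_ttl`) and the `.test` hostnames are assumptions chosen for illustration, not values from the report.

```python
from collections import defaultdict

# Constructed resolver log (not from the report): "<unix_ts> <hostname> <answer_ip> <ttl>"
# One hostname is stable (a single address, normal TTL); the other cycles through
# addresses in unrelated ranges every minute with a 60-second TTL.
SAMPLE_LOG = """\
1282500000 update.example-cdn.test 203.0.113.10 300
1282500060 update.example-cdn.test 203.0.113.10 300
1282500120 update.example-cdn.test 203.0.113.10 300
1282500000 promo.example-bad.test 198.51.100.5 60
1282500070 promo.example-bad.test 198.51.100.77 60
1282500140 promo.example-bad.test 192.0.2.33 60
1282500200 promo.example-bad.test 198.51.100.201 60
1282500260 promo.example-bad.test 192.0.2.99 60
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (ts, hostname, ip, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, hostname, ip, ttl = line.split()
        records.append((int(ts), hostname, ip, int(ttl)))
    return records


def flux_report(records, window_seconds=600, min_ips=4, max_ttl=300):
    """Per hostname, find the largest number of distinct answer IPs seen inside any
    sliding window of `window_seconds`, and the largest TTL observed. A hostname is
    flagged when it churns through at least `min_ips` addresses within one window
    and every TTL is at or below `max_ttl` (assumed thresholds; tune per environment)."""
    by_host = defaultdict(list)
    for ts, hostname, ip, ttl in records:
        by_host[hostname].append((ts, ip, ttl))

    report = {}
    for hostname, hits in by_host.items():
        hits.sort()  # chronological, so hits[i:] is everything at or after hits[i]
        peak = 0
        for i, (start, _, _) in enumerate(hits):
            ips = {ip for ts, ip, _ in hits[i:] if ts - start <= window_seconds}
            peak = max(peak, len(ips))
        ttl_max = max(ttl for _, _, ttl in hits)
        report[hostname] = {
            "peak_distinct_ips": peak,
            "max_ttl": ttl_max,
            "suspicious": peak >= min_ips and ttl_max <= max_ttl,
        }
    return report


def suspicious_hosts(text, **kwargs):
    """Convenience wrapper: hostnames from a raw log that trip the heuristic."""
    report = flux_report(parse_log(text), **kwargs)
    return sorted(h for h, r in report.items() if r["suspicious"])


if __name__ == "__main__":
    for host, row in flux_report(parse_log(SAMPLE_LOG)).items():
        print(host, row)
```

The sliding window matters: a legitimate content-delivery hostname may also resolve to several addresses, but it does so with a stable set and ordinary TTLs, whereas a flux hostname shows a steady churn of new addresses. In practice this heuristic is a triage signal, not a verdict, and is combined with other data (address diversity across networks, domain age) before a hostname is blocked.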

“Attackers are quickly moving content to different locations in order to ensure that enterprises cannot simply protect themselves by blocking a specific range of IP addresses,” the report concludes. “It is clear that security vendors must be able to quickly adapt and inspect Web-based content on-the-fly in order to identify and secure against emerging threats in this continually evolving environment.”

Legal inroads are being made against organized online crime. The Secret Service announced last week that Vladislav Anatolieviech Horohorin, known online as BadB, had been arrested by French authorities on U.S. federal indictments for access-device fraud, aggravated identity theft, and aiding and abetting. According to Secret Service officials, Horohorin was one of the founders of CarderPlanet, which the agency called “one of the most sophisticated organizations of online financial criminals in the world.” The site allegedly is operated by cyber criminal organizations to traffic counterfeit credit cards and false ID information and documents. The site provides a forum for purchasing stolen data and credentials as well as attack tools.

But criminals are resilient and continue to take advantage of current events, such as the recent World Cup tournament and Apple’s release of the iPad, and of new functionality, such as Facebook’s “Like” button. Zscaler described Likejacking schemes in which invisible buttons use clicks anywhere on a Web page to drive advertising by raising its Facebook profile.

The increasingly popular Twitter is also a rich target for phishing attacks as malicious third parties solicit Twitter account information with offers to increase the number of the account’s followers.

In addition, criminals are using search engine optimization techniques to drive malicious Web sites to the top of search results on major search engines, including Google, Bing and Yahoo, Zscaler found.

The United States remains by far the top country for malicious IP addresses identified by Zscaler in the second quarter, despite dropping from 62 percent of malicious addresses in April to 48 percent in June. All the other leaders are in the single digits. China and Germany were tied for second place with 7.11 percent each.

However, those figures likely say more about the number of computers and the rate of Internet use in a country than about where attacks originated.

Source


Aug 19 2010

NIST is nearly ready to pick the next hash algorithm

Developers of the 14 semifinalist algorithms for the new SHA-3 Secure Hash Algorithm standard will have a chance to defend their work next week at the second NIST candidate conference, being held at the University of California, Santa Barbara.

“We’re creating a record” on which to base selection of four to six finalists, expected to be named by the end of the year, said Bill Burr, manager of the Cryptographic Technology Group at the National Institute of Standards and Technology. “All in all we’ve got quite a bit of performance data. At this point we have a surprising amount of data on hardware implementation on all 14 candidates.”

Final selection of a new standard hashing algorithm for government is expected by early 2012, although that date could slip if additional analysis is needed, Burr said.

A hashing algorithm is a cryptographic formula for generating a unique, fixed-length numerical digest—or hash—of a message. Because the contents of the message cannot be derived from the hash and because the hash is to a high degree of probability unique for each message, it can be used to securely confirm that a document has not been altered. It also can be used to effectively sign an electronic document and link the signature to the contents.

SHA-3 will augment and eventually replace those algorithms now specified in Federal Information Processing Standard 180-2. The standard now includes SHA-1 as well as SHA-224, SHA-256, SHA-384 and SHA-512, collectively known as SHA-2. The standards undergo regular reviews and the decision was made to open a competition for SHA-3 in 2007 after weaknesses had been discovered in the currently approved algorithms.
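The two properties the article relies on, a fixed-length digest regardless of message size and a digest that changes whenever the message changes, can be seen directly with the SHA-2 family named above. The following is an added example written for this page, not NIST's or any candidate team's code; it uses Python's standard `hashlib` (which exposes SHA-224, SHA-256, SHA-384 and SHA-512) to digest a constructed document, verify a stored digest, and show how a one-character change scatters across the whole output. The sample document text is constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample documents (not from the article). They differ by one digit.
ORIGINAL = b"Contract: deliver 40 units by 2010-09-30. Price: $12,000."
ALTERED = b"Contract: deliver 40 units by 2010-09-30. Price: $21,000."

SHA2_FAMILY = ("sha224", "sha256", "sha384", "sha512")


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data` under one of the FIPS 180-2 SHA-2 algorithms."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest of `data` and compare it with a previously stored value.
    compare_digest avoids a timing side channel when the stored value is secret
    (e.g. a MAC); it is harmless for a public integrity digest."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def digest_bits(data: bytes) -> dict:
    """Output size in bits for each SHA-2 member: fixed by the algorithm,
    independent of how long `data` is (an empty message gives the same sizes)."""
    return {name: len(digest(data, name)) * 4 for name in SHA2_FAMILY}


def differing_bits(a_hex: str, b_hex: str) -> int:
    """Number of bit positions where two equal-length hex digests differ."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


if __name__ == "__main__":
    stored = digest(ORIGINAL)              # what a signer would record (or sign)
    print("stored digest:", stored)
    print("original verifies:", verify(ORIGINAL, stored))
    print("altered verifies: ", verify(ALTERED, stored))
    print("bits changed by a one-digit edit:",
          differing_bits(stored, digest(ALTERED)), "of 256")
    print("digest sizes (bits):", digest_bits(ORIGINAL))
```

A digital signature scheme signs the short digest rather than the document itself, which is why the article says a hash "links the signature to the contents": if the verifier's recomputed digest does not match the signed one, either the document or the signature has been tampered with.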

Sixty-four algorithms were submitted to NIST in 2008, of which 51 met the minimum criteria for acceptance in the competition. The cryptographic community spent the next year hammering at the candidates, looking for flaws and weaknesses, and 14 algorithms advanced to the second round in July 2009. The 14 second-round candidates are BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD and Skein. Candidate algorithms are available online, and NIST has published a status report on the first round of the competition.

Next week’s conference will give the entrants a chance to address the results of analysis and testing over the past year. The conference is being held in conjunction with this week’s overlapping CRYPTO 2010 conference and the workshops on Cryptographic Hardware and Embedded Systems, being held by the International Association for Cryptologic Research at Santa Barbara.

Harnessing the collective brainpower of the cryptographic community to identify strengths and weaknesses of possible hash algorithms is the idea behind the competition. This is the third cryptographic competition conducted by NIST to select a standard algorithm. The first, to select the Data Encryption Standard in the 1970s, drew just two submissions, only one of which was seriously considered. In the 1990s the competition for the DES replacement, the Advanced Encryption Standard, drew about 15 submissions.

With 14 semifinalists to hear from, the conference schedule will be tight, with each presenter having only about 15 minutes to address results of analysis over the past year and present an argument for moving to the final round. After a second year of testing and analysis by the crypto community, a final candidate conference is expected to be held in the winter of 2012.

Even when the field has been narrowed to about five finalists, doing an analysis of cryptographic tools that are expected to remain in the federal toolkit for years to come takes considerable time and effort, Burr said, and there have been calls to slow down the process and extend it beyond the current 2012 end point.

“I’m not inclined to do that, but I’m open to arguments,” Burr said.

The timeline for selection will depend in part on developments in cryptography and in attacks against existing standards, he said. NIST might have some additional breathing space in selecting a new standard algorithm because there has been little progress toward breaking SHA-2.

“There was a lot of fear about how much progress there would be in attacking SHA-2,” Burr said, but hackers do not appear to be focusing on that. “SHA-2 is falling, although more slowly than we thought.”

Source


Aug 16 2010

VA begins posting security breach reports online

Veterans Affairs Department employees continued to lose mobile devices in July, but the number of overall security breaches it experienced declined slightly from the previous month, according to VA chief information officer Roger Baker.

As the largest health care organization in the world, with thousands of contractors, VA experiences a variety of incidents each month. But with the exception of a few incidents every year, most of its security and data breaches are not significant, he said during a press briefing this week.

VA must notify Congress monthly about both routine and major data breaches, a requirement imposed in the aftermath of several security break-downs during the past year. The public can now see those reports for itself, as the VA began on August 11 to post them on the VA’s Web site.

“We gain a lot with transparency,” Baker said about making the report public. “When you see what normally happens and how they are handled, it lends a bit of confidence what we’re going to do when more serious ones occur,” he said.

For example, losing smart phones is a common security problem at VA, as it is elsewhere. In July, employees lost 13 Blackberry smartphones compared with 24 missing in June, he said.

However, it’s difficult to impose consequences for the losses. There isn’t a cost benefit to denying the issuance of another smart phone to physicians and other professionals who lose them because the devices are inexpensive relative to the productivity gains they provide, Baker said.

“I don’t take losing a couple of hundred dollars of taxpayer money lightly,” he said. “But compared with a doctor that we may be paying $300,000 a year, I don’t want them spending time trying to figure how to get a new Blackberry. I want them to have a new Blackberry in their hands so they can be certain of providing patient services.”

VA also has a policy of encrypting mobile devices to reduce the potential for the disclosure of personal information by making the device unusable when they are lost or stolen.

In addition to the lost Blackberries, VA also reported this month:
– 66 internal unencrypted email incidents in July vs. 74 in June in which employees did not follow VA policy to encrypt emails that contained sensitive patient information;
– 103 mis-mailing incidents in July vs. 119 in June, in which a veteran was sent the wrong information or was sent the information of other veterans;
– 6 laptops missing or stolen in July vs. 16 in June. Of those in the July report, five were encrypted and one was used for reading bar codes for ensuring the correct administration of medications, so it did not contain sensitive health information. In June, 11 of the 16 missing laptops were encrypted;
– 10 mis-mailed pharmacy incidents out of 5.6 million pharmacy packages mailed in July vs. 7 incidents in June.

Source


Aug 16 2010

Feds Strengthen Cybersecurity Workforce Plans

Federal agencies are making some progress on developing and executing strategies for building a stronger cybersecurity workforce, but much remains to be done, government officials and industry representatives said at a conference this week.

Coordinated efforts to spark improvements in the federal cybersecurity workforce, formerly part of the Comprehensive National Cybersecurity Initiative (CNCI), have been folded into a larger effort, the National Initiative for Cybersecurity Education (NICE), a broader national agenda, announced in April, which includes K-12 education and awareness campaigns as well as federal workforce efforts.

“We want to become a resource to not only get the federal government up to the best level it can be, but to be a leader for the rest of the country,” NIST’s NICE program lead, Dr. Ernest McDuffie, said in an interview.

In terms of government, NICE includes two tracks of work focused explicitly on improving the federal cybersecurity workforce — one on workforce structure, and the other on training and professional development. Some of the work under these buckets had already begun when NICE began, but it’s beginning to accelerate.

For example, the Office of Personnel Management embarked on a path to sharpen and redefine cybersecurity job policies last November, and that effort is picking up steam. Earlier this year, working groups began re-defining competency models — key roles and responsibilities — for cybersecurity pros in government. Soon, OPM will survey agencies to get feedback on draft competency models, and plans to release the final competency models in December.

However, the competency models are only the first step. OPM and auditors have long found cybersecurity pros working in a number of federal job series — groups of formally defined jobs — and there’s still some consideration of whether the cybersecurity workforce needs its own series to help better define what cybersecurity pros do. OPM is also considering whether hiring authorities and practices need to change, Maureen Higgins, OPM’s assistant director for agency support and technology assistance, said in an interview.

Work on workforce structure seems to be moving along, but training and professional development suffer from numerous challenges, such as a muddle of certifications, required skills and training that can sometimes make it difficult for hiring managers to determine who’s qualified or just what additional training their employees need.

Some things under consideration in terms of workforce development include the use of a practical, hands-on exam to determine qualifications. “There’s some divisiveness here, so we’re trying to get to what makes sense here,” John Mills, special assistant to the CNCI from the office of the assistant secretary of defense for networks and information integration, said in a presentation.

Source


Aug 10 2010

Senate Funds Web Services, Cuts Cloud Computing

The Senate Appropriations Committee has boosted federal spending for implementing web services next year but cut back on funding to use cloud computing to consolidate data centers and IT infrastructure throughout federal agencies.

As allocated by a Senate spending bill (S. 3677), passed July 29, the federal government will get $40 million in the fiscal 2011 federal budget to build a set of services that can be used across agencies to foster efficiency and collaboration between agency systems.

Specifically, the money is for the “development and operation of government-wide shared information technology services, the implementation of consolidated, resource-saving and energy-efficient platforms, and the development and operation of information technology security services … to promote inter-agency interoperability,” according to the bill.

The funds, which meet the requirements of a plan outlined in a presidential directive on transparency released in December 2009, will be available until Sept. 30, 2013, according to the bill.

At the same time the Senate green-lighted millions in funding for shared services, it drastically reduced funds allocated by the Obama administration to adopt cloud computing, putting a crimp in its data-center consolidation plans.

In its proposed fiscal 2011 budget, the administration requested $35 million for what is called the Electronic Government Fund. The money was meant to use cloud computing to consolidate IT infrastructure to reduce the amount of data-center hardware and real estate the federal government currently has.

However, the Senate spending bill allocates only $20 million toward this plan, which not only is $15 million less than the administration asked for, but also is $14 million less than the amount enacted in fiscal-year 2010, according to a report accompanying the bill.

In that report senators said that while they do support the move to cloud computing to improve efficiency and transparency, they are concerned that the federal plan to consolidate data centers via cloud computing lacks proper and detailed guidance.

They asked that the General Services Administration report to the Senate Appropriations Committee 120 days after the spending bill is enacted on the “feasibility of consolidating federal agency data centers into existing government owned/government-operated facilities with multiple federal tenants,” according to the report.

The House Appropriations Committee has not yet taken action on the 2011 federal budget. Consolidating data centers is a key IT objective for the Obama administration as a way to cut IT costs, reduce energy consumption, and improve IT security.

In February, the Office of Management and Budget issued a Federal Data Center Consolidation Initiative (DCCI), asking agencies to update their asset inventory annually by the end of the third quarter of each fiscal year, starting in fiscal year 2011. Agencies also should report progress on executing their data center consolidation plans by the end of each fiscal year starting in 2011.

The White House followed that up with a memo in early June putting a moratorium on agencies opening any new data centers. The administration also asked that they examine the properties they already have and develop plans to consolidate them and reduce their number by 2015.

Source


Aug 5 2010

DHS Ramping Up Defense Of Critical Control Systems

The Department of Homeland Security (DHS) plans to ramp up a program that sends specialized forensic teams to combat the cybersecurity threat on U.S. critical control systems, such as those that control power plants, industrial facilities and air-traffic control systems.

For the past year, the DHS has sent out four special teams — collectively a part of the Industrial Control System Computer Emergency Readiness Team — on missions to examine these systems to determine threats and respond to technical-support calls from private-sector partners.

However, the department plans to expand the program next year, a move that coincides with the discovery last month of the first worm designed to specifically attack such systems.

“There is no shortage of demand for this service from the DHS among our partners in the private sector,” said DHS spokesman Amy Kudwa Wednesday. “That there has been this worm that is specifically focused on control systems only solidifies our focus on expanding this program.”

The system attacked was based on technology from Microsoft and Siemens, which have developed patches for the worm, she added.

The worm attacked four systems, none of which were in the U.S. However, its presence is enough to put the DHS on alert for more direct attacks on critical systems.

The specialized control-system teams — which fall under the purview of the National Cybersecurity Division (NCSD), part of the DHS Office of Cybersecurity and Communications — went on 13 missions last year armed with a $5,000 case full of specialized forensic technology to identify malware on control systems.

The expansion of the NCSD’s budget for the program from $10 million to $15 million is meant to increase the number of teams available for these service calls from four to 10 in 2011.

Response to the threat on critical control systems is not new. The DHS has been keeping a close eye on them and published reports about how to address vulnerabilities for about five years. The systems are high risk given that they are often built on outdated technology that does not have the same security level as newer systems.

Earlier this month, the Wall Street Journal revealed that the National Security Agency (NSA), too, is expanding its interest in protecting control systems. The agency is set to launch a program specifically aimed at assessing vulnerabilities and developing capabilities to secure them.

While the government’s interest in these systems is aimed at keeping crucial systems protected and online in the event of a cyberattack, it also has raised questions of privacy and just exactly what the government’s role should be in protecting privately owned networks.

Source