Sep 1 2010

DARPA launches insider threat detection effort for military

The Defense Advanced Projects Agency (DARPA) has launched a project for detecting and responding to insider threats on Department of Defense networks.

Under the Cyber Insider Threat (CINDER) Program, DARPA will explore new approaches for improving the speed and accuracy of insider threat detection. The agency last week sought proposals for ways to identify hostile insider activity by monitoring specific user and network behaviors.

In the initial stage of the project, the goal is not necessarily to develop new ways of detecting individual malicious insiders themselves. Instead, DARPA hopes to figure out the tell-tale signs and network activities that organizations should monitor to accurately detect malicious activity.

“If we were looking for the insider actor himself, we might not detect someone who performs a single, isolated task and we run the risk of being inundated with false positives from events being triggered without context of a mission,” DARPA said. “To this end, CINDER starts with the premise that most systems and networks have already been compromised by various types and classes of adversaries. These adversaries are already engaged in what appear to be legitimate activities, while actually supporting adversary missions.”

In the next two phases of the three-part CINDER effort, DARPA will develop systems that can monitor networks and user activity and spot malicious activity more quickly.

The CINDER initiative comes just a few weeks after whistleblower Web site Wikileaks posted more than 70,000 documents containing sensitive details on American military operations in Afghanistan. The documents were allegedly leaked to the site by Bradley Manning, a relatively junior Army intelligence analyst who is also accused of supplying Wikileaks with a controversial video allegedly showing a deadly U.S. Apache helicopter attack in Iraq.

Manning’s alleged actions have prompted widespread criticism from those who believe the data has put critical U.S. intelligence and military assets in Afghanistan in harm’s way. The leaks have also highlighted the risks associated with the information-sharing that has been going on within the military for some time.

Networks such as the U.S. Department of Defense’s Secret Internet Protocol Router Network or SIPRNet, which Manning is alleged to have accessed, are designed to pass along important information as quickly and efficiently as possible.

Detecting malicious insider activity is difficult. “What sets the insider threat apart from other adversaries is the use of normal tactics to accomplish abnormal and malicious missions,” DARPA said.

The same issue has dogged enterprises for years and is considered by many analysts to pose an even greater threat to corporate data and networks than external hackers.



Aug 27 2010

Intrusion Detection: Analyzing Data Proves Valuable

Michigan CIO Ken Theis on state’s implementation of Einstein 2 intrusion detection system.

The numbers are staggering: in a single day the intrusion detection system Einstein 2 blocked 195,000 e-mail and spam messages, as well as 25,000 web defacement, 12,000 scanning, 18,000 Internet browser compromise and 17,000 intrusion prevention system attempts. That was for just one state and for just one day.

Michigan early this year became the first state to implement Einstein 2, created by the federal Department of Homeland Security. What is as important as blocking intrusions is the state’s ability to use Einstein to analyze the threat to its IT network, Ken Theis, director of the Michigan Office of Technology and state chief information officer, said in the second of a two-part interview with GovInfoSecurity.com.

“What Einstein has taught us is that even if you think you’re good, there are always opportunities to get a lot better, and I think Einstein has taken us up a couple of notches because it’s really providing us with a vision into a whole other level of threats that current processes in our current systems aren’t capable,” Theis said.

In the interview, conducted by GovInfoSecurity.com’s Eric Chabrow, Theis also discusses a framework Michigan has adopted for implementing cloud computing in which the state, not the cloud providers, prescribes the client-vendor relationship.



Aug 25 2010

Defense official discloses cyberattack

Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.

In an article to be published Wednesday discussing the Pentagon’s cyberstrategy, Deputy Defense Secretary William J. Lynn III says malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command.

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he says in the Foreign Affairs article.

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

Lynn’s decision to declassify an incident that Defense officials had kept secret reflects the Pentagon’s desire to raise congressional and public concern over the threats facing U.S. computer systems, experts said.

Much of what Lynn writes in Foreign Affairs has been said before: that the Pentagon’s 15,000 networks and 7 million computing devices are being probed thousands of times daily; that cyberwar is asymmetric; and that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult to identify the instigator of an attack.

But he also presents new details about the Defense Department’s cyberstrategy, including the development of ways to find intruders inside the network. That is part of what is called “active defense.” Counterfeit hardware has been detected in systems that the Pentagon has bought. Such hardware could expose the network to manipulation from adversaries.

He puts the Homeland Security Department on notice that although it has the “lead” in protecting the dot.gov and dot.com domains, the Pentagon – which includes the ultra-secret National Security Agency – should support efforts to protect critical industry networks.

Lynn’s declassification of the 2008 incident has prompted concern among cyberexperts that he gave adversaries useful information. The Foreign Affairs article, Pentagon officials said, is the first on-the-record disclosure that a foreign intelligence agency had penetrated the U.S. military’s classified systems. In 2008, the Los Angeles Times reported, citing anonymous Defense officials, that the incursion might have originated in Russia.

The Pentagon operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy, Lynn said. In November 2008, the Defense Department banned the use of flash drives, a ban it has since modified.

Infiltrating the military’s command and control system is significant, said one former intelligence official who spoke on the condition of anonymity because of the sensitivity of the matter. “This is how we order people to go to war. If you’re on the inside, you can change orders. You can say, ‘turn left’ instead of ‘turn right.’ You can say ‘go up’ instead of ‘go down.’ ”

In a nutshell, he said, the “Pentagon has begun to recognize its vulnerability and is making a case for how you’ve got to deal with it.”



Aug 16 2010

Heartland denies systems involved in new data breach

Heartland Payment Systems, which last year suffered the largest ever data breach involving payment card data, is downplaying reports out of Austin, Texas linking the payment processor to a data breach at a local restaurant chain.

Heartland CIO Steven Elefant told Computerworld by e-mail late Thursday that the reports out of Austin point to a “localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud.”

“The Heartland system at large and its merchants would not be compromised in any way by this type of attack, and the company is unaware of any broader issue,” he said.

He added that Heartland officials will work closely with business owners to help identify the source of the breach, and help with remediation efforts.

The Austin Statesman reported on Thursday that an “accounting network” at Tino’s Greek Cafe, a local restaurant chain with four locations in Austin, had been breached.

The story, which quotes a local police spokesman, said the intruders had hacked into the network connecting Tinos with Heartland Payment Systems. The spokesman is quoted as saying that somebody had hacked into a computer system “somewhere between Tinos’ point of sale and their credit card clearinghouse company.”

It is not yet clear whether only customers have been affected by the incident, the spokesman is quoted as saying. The breach has apparently resulted in fraudulent charges appearing on the cards of several Tinos customers. Many of the charges have occurred at merchant locations around the country and beyond, and have been happening for several months.

The Statesman story points to one case in which the city’s University Federal Credit Union contacted police after noticing multiple unauthorized charges against the accounts of customers who had been to Tinos.

According to one source who requested anonymity, it’s quite likely that Austin police are confused about how the payment infrastructure works and are just assuming Heartland is involved. “As soon as they hear Heartland is the processor, they are most likely just assuming a larger problem,” he said.

“From the description of the attack, it sounds very localized and unfortunately it is not uncommon for restaurants to be attacked like this,” he said.



Jul 28 2010

Police force more suspects to give up crypto keys

Police have expanded their use of powers to force suspects to decrypt files by 50 per cent in the last year, figures released today reveal.

In the 12 months to March 31 this year, government officials approved 38 notices under Part III of the Regulation of Investigatory Powers Act, compared to 26 in the previous year.

The powers, known as section 49 notices, require suspects to hand over passwords or make files intelligible to investigators on threat of a two-year jail sentence, or five years where national security is concerned.

As well as obtaining more section 49 notices, police also expanded the range of crimes they were used to investigate.

In 2008/09 they were served in relation to counter-terrorism, possession of indecent images of children and “domestic extremism” (a case involving activist attacks on animal testing labs). In the last 12 months, however, RIPA Part III was used to demand decryption in cases of insider dealing, illegal broadcasting, theft, excise duty evasion and aggravated burglary, the Chief Surveillance Commissioner Sir Christopher Rose said in his annual report.

Investigations into indecent images of children remained the “main reason” section 49 notices were served, he added.

Of the 17 notices obtained this year that have so far been served, six suspects complied and seven did not. The remainder are still being processed. One person suspected of possessing indecent images of children has been convicted for failing to hand over passwords.

The compliance rate was up on last year, the first full year since the powers were activated, when 11 out of 15 suspects served with a section 49 notice did not make their files intelligible to investigators.

Sir Christopher noted the discrepancy between 38 approvals granted by the National Technical Assistance Centre (NTAC) and the number of notices actually served. NTAC is a unit at GCHQ, the Cheltenham code-breaking agency.

“Notices, once approved, should be served without delay,” Sir Christopher said. “If delays continue, I will require an explanation.”

Last year The Register reported the case of the first man known to have been jailed for failing to hand over encryption keys to the police. “JFL” was a schizophrenic software developer initially charged with explosives offences that were later dropped. He was sectioned under the Mental Health Act during his prison sentence.



Jul 20 2010

Black Hat talk to reveal analysis of hacker fingerprints

Looking deeper within malware yields fingerprints of the hackers who write the code, and that could result in signatures that have a longer lifetime than current intrusion-detection schemes, Black Hat 2010 attendees will be told next week.

Analysis of the binaries of malware executables also reveals characteristics about the intent of the attack code that could make for more efficient and effective data defenses, says Greg Hoglund, CEO of HBGary, whose briefing “Malware Attribution: Tracking Cyber Spies and Digital Criminals” is scheduled for the Las Vegas conference.

Hoglund says this analysis uncovers tool marks — signs of the environments in which the code was written — that can help identify code written by a common person or group based on what combination of tools they use.

For example, his research looked under the covers of one malware executable whose fingerprint included use of Back Orifice 2000, Ultra VNC remote desktop support software, and code from a 2002 Microsoft programming guide. Each program was slightly modified, but the information available amounted to a good fingerprint.

The malware was a remote access tool (RAT), and RAT generators such as Poison Ivy could have created unique RAT code for each use, but that’s not the route this attacker chose. Identifying this RAT in other instances of malware can link groups of malicious code to a common author or team, Hoglund says.

He has found that these fingerprints last a long time. Once written, the binaries themselves are altered only infrequently, so employing these fingerprints as malware signatures will be more useful for longer periods. “The bad guys don’t change their code that often,” Hoglund says.

A traditional antivirus platform identifies variants of malware. This research can anchor a new form of intrusion detection that analyzes malware deeply to find these fingerprints and assigns it to a threat group based on the intent of the malware, he says.

For instance, if the malware is designed to steal credit card numbers from individuals, a corporation might rank it as a lower threat to the corporation than malware that seeks to steal the company’s intellectual property, he says.

“You are not going to succeed in keeping the bad guys out of your network,” Hoglund says. “But if you can detect them as early as possible, you can prevent losses.”

During his talk, Hoglund says he will exhibit graphs that cluster the half a million pieces of malware his team has examined according to how closely their fingerprints match. He hopes to demonstrate that the sources of these 500,000 examples are relatively few in number — in the hundreds rather than the thousands, he says.

If that’s the case, intrusion-detection engines could use these fingerprints as the signatures by which malware is detected, focusing on the underlying code rather than the wrappers in which it is sent. That would mean a more stable library of signatures, since attackers are slow to change their code, and these IDS signatures would work better over a longer period.

To do this the IDS needs to be on the endpoints where the code executes and can be seen in the computer’s memory as human-readable text. At the network layer, a packed executable would not reveal these attributes.

At the conference, Hoglund plans to release a tool called Fingerprint that analyzes and compares the similarities among the underlying artifacts found in different pieces of malware. Businesses could use the tool to determine what identifiable attacker wrote the code and what its intent is.

That in turn can give businesses an idea of whether they are under a concerted assault from a common group rather than being the victim of random attacks. Using this type of analysis, Hoglund says he found that one identifiable attacker was responsible for targeting the Department of Defense as well as a particular military base five years before.

That indicated the attacker was the same, and use of a Chinese-language development environment indicated the attacks came from there. Some of the source code used was exact copies of code traded on China hacker sites.
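The grouping Hoglund describes, reduced to its core, as an added example that is not from the talk or from HBGary’s Fingerprint tool: the artifact sets below are constructed by hand (they model what an endpoint agent might recover from an unpacked executable in memory), tool marks and wrapper marks are tagged by prefix, and single-linkage clustering on Jaccard similarity shows that tool-mark fingerprints group samples by author while wrapper-based signatures group them by packer.

```python
"""Toy tool-mark fingerprinting and clustering of malware artifact sets."""
from itertools import combinations

# Constructed sample data (hypothetical, not real malware). "tool:" entries are
# tool marks (reused library code, compiler/runtime strings, development-
# environment language) that persist across one author's samples; "wrapper:"
# entries come from the packer or dropper used for a single delivery and are
# shared across unrelated actors and swapped out from campaign to campaign.
SAMPLES = {
    "sample-A1": {"tool:bo2k-transport", "tool:ultravnc-mirror-driver",
                  "tool:msdn2002-socket-loop", "tool:lang-zh-CN",
                  "wrapper:upx-3.03", "wrapper:dropper-stub-v1"},
    "sample-A2": {"tool:bo2k-transport", "tool:ultravnc-mirror-driver",
                  "tool:msdn2002-socket-loop", "tool:lang-zh-CN",
                  "wrapper:themida-2.x", "wrapper:dropper-stub-v4"},
    "sample-A3": {"tool:bo2k-transport", "tool:msdn2002-socket-loop",
                  "tool:lang-zh-CN", "tool:custom-rc4-variant",
                  "wrapper:upx-3.03"},
    "sample-B1": {"tool:poisonivy-generated", "tool:lang-en-US",
                  "tool:delphi7-rtl", "wrapper:upx-3.03", "wrapper:dropper-stub-v1"},
    "sample-B2": {"tool:poisonivy-generated", "tool:lang-en-US",
                  "tool:delphi7-rtl", "tool:ftp-exfil-routine", "wrapper:aspack-2.12"},
    "sample-C1": {"tool:browser-formgrab", "tool:lang-ru-RU", "tool:msvc6-crt",
                  "wrapper:upx-3.03", "wrapper:dropper-stub-v1"},
}


def fingerprint(artifacts, kind="tool"):
    """Keep only artifacts of one kind ("tool" or "wrapper") as the signature."""
    prefix = kind + ":"
    return frozenset(a for a in artifacts if a.startswith(prefix))


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(samples, threshold=0.5, kind="tool"):
    """Single-linkage clustering: two samples are linked when their fingerprints
    of the chosen kind are at least `threshold` similar. Returns sorted groups."""
    fps = {name: fingerprint(arts, kind) for name, arts in samples.items()}
    parent = {name: name for name in samples}  # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(fps[a], fps[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def closest_match(artifacts, samples, kind="tool"):
    """Attribute a new sample to the known sample it most resembles; returns
    (name, similarity). Ties resolve to the first sample in dictionary order."""
    fp = fingerprint(artifacts, kind)
    scored = {name: jaccard(fp, fingerprint(arts, kind)) for name, arts in samples.items()}
    best = max(scored, key=scored.get)
    return best, scored[best]


if __name__ == "__main__":
    print("tool-mark clusters:   ", cluster(SAMPLES, kind="tool"))
    print("wrapper-only clusters:", cluster(SAMPLES, kind="wrapper"))
    # A freshly repacked sample: same tool marks, never-seen wrapper.
    new = {"tool:bo2k-transport", "tool:ultravnc-mirror-driver",
           "tool:lang-zh-CN", "wrapper:never-seen-packer"}
    print("new sample attributed to:", closest_match(new, SAMPLES))
```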



Jul 19 2010

Bluetooth at heart of gas station credit-card scam

Thieves are stealing credit-card numbers through skimmers they have secretly installed inside pumps at gas stations in the U.S., using Bluetooth wireless to transmit the stolen card numbers, say law enforcement officials investigating the incidents.

“We’ve sent detectives out to every gas station within a mile of (U.S.) Interstate (highway) 75,” says Lt. Steve Maynard, spokesman for the Alachua County Sheriff’s Office in Gainesville, Fla., which last Thursday was first notified about a suspicious skimming device discovered by a maintenance worker at a Shell Station. So far, three card-skimming devices hidden in gas pumps at three stations have been discovered by the Alachua County Sheriff’s Office, and the U.S. Secret Service has been notified as part of the gas-pump card-skimming investigation.

The Secret Service may be best known as the U.S. president’s bodyguard, but it is also responsible for investigating fraud and computer crime.

The Alachua County Sheriff’s Office, along with other local police departments, are trying to inspect as many gas stations in the area as possible, especially focusing on those along I-75. But law enforcement is encouraging gas station operators to look for signs of the skimmers at their pumps and contact them if they think they’ve found something. The Secret Service has indicated there’s a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami, Maynard says.

Nearby St. Johns County in Florida has also been hit by the gas-pump card skimmers. Maynard says criminals wanting to hide credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will open many gas pumps. It is not known whether the gas-pump skimming operation involves insiders. Law enforcement is encouraging gas-station operators to train any video surveillance they use on the pumps.

The particular card skimmers operating in Alachua County have put together devices from computer components and, in this case, a Bluetooth wireless capability to easily send the card information to the thieves. It is not yet known how many credit cards may have been stolen by means of the skimmers and fraudulently used. The investigation is “ongoing,” Maynard says. “We’re nowhere near closure. We wish we were.”



Jul 17 2010

Virus infects data at OSU

Oregon State University is notifying 34,000 current and former employees that a computer containing some of their personal information was recently infected by a virus.

In a press release issued Wednesday, the university said its computer experts believe it is “highly unlikely that the virus put any of that information in the hands of unauthorized users.”

However, the release added, “records for many of those employed between 1999 and 2005 contained Social Security numbers as the ‘unique identifier’ in each employee’s record, and the presence of those numbers raises the potential, however remote, of identity theft.”

Jon Dolan, chief information security officer for OSU, said the university doesn’t want to unnecessarily alarm anyone.

“We really found no evidence of (information) being removed,” he said. The notification was the result of extra caution and to comply with the Oregon Consumer Identity Theft Protection Act.

“Since we can’t prove that (the data) wasn’t lost, we felt it was the best thing to do,” he said.

Letters explaining the situation, and what people can do to protect themselves from identity theft, were mailed out to affected employees Tuesday.

OSU was notified of the possible data breach on June 28 after an employee reported the anti-virus software on her computer was alerting her to a virus.

Dolan, who received a notification letter of his own, said Wednesday afternoon that only a few hotline calls had been received.

It is the first time the university has had this type of situation.

“We have never sent notifications on this scale,” Dolan said.

He only knew of two other similar incidents at the university. In one case, the data at risk had been collected by a student, and OSU assisted the student on how to notify affected people. In the other incident, two Social Security numbers were possibly exposed when a laptop was stolen.

Two years ago, hackers breached the computer system of the OSU Bookstore, which is a separate legal entity from OSU, and accessed credit card numbers, names and addresses. The store notified about 4,700 customers that their information may have been compromised.



Jul 17 2010

Suspected Russian spies charged in US

US strategy expert Stephen Flanagan: ‘The suspects had been under surveillance by the FBI for some years’

Ten alleged members of a Russian spy-ring have been charged in the US with acting as foreign agents.

The suspects are accused of posing as ordinary citizens, some living together as couples for years.

They were charged with conspiracy to act as unlawful agents of a foreign government, a crime which carries up to five years in prison.

A Russian foreign ministry spokesman said the allegations were contradictory.

“We are studying the information. There are a lot of contradictions,” spokesman Igor Lyakin-Frolov told the AFP news agency, declining further comment.

Russian Foreign Minister Sergei Lavrov later said Moscow expected Washington to provide an explanation over the spying row, Russia’s Interfax news agency reports.

Nine of the alleged spies also face a charge of conspiracy to launder money, which carries a 20-year prison sentence.

An 11th suspect remains at large, according to the US justice department.



Jul 7 2010

UH computer breach may have compromised 53,000 people

More than 53,000 people who did business with the University of Hawaii at Manoa parking office from 1998 to 2009, and whose records were held in its database, are being notified by mail that they may be affected by a computer security breach.

The FBI and Honolulu Police Department are investigating the breach that was discovered on June 15 during a routine audit. University officials say the unauthorized access to a computer server used by the Manoa parking office occurred on May 30.

Affected are 53,000 records, which included 41,000 Social Security numbers and 200 credit card numbers.

To protect personal information from further unauthorized access, social security numbers are no longer used for parking transactions, and are being purged from all current and past parking office databases, the university said.

The university said the main groups of affected people included faculty and staff members employed in 1998; anyone who had business with the parking office between Jan. 1, 1998, and June 30, 2009, and who purchased parking permits, including staff of the East-West Center, UH Foundation, and Research Corporation of the University of Hawaii; and any campus visitor who had a vehicle towed or appealed a parking citation.

UH Manoa has also posted a list of frequently asked questions and answers on a website, http://www.hawaii.edu/idalert/. The questions and answers are reprinted below:

1. What happened?

A routine audit conducted on June 15, 2010, discovered unauthorized access to a computer server used by the UH Manoa Parking Office had occurred on May 30, 2010.

2. Am I affected?

Approximately 53,000 records were stored in the database. Of this total, approximately 41,000 Social Security numbers and 200 credit card numbers were exposed. The database contained data on two main groups of individuals:

>> UH Manoa faculty and staff members employed in 1998.

>> Anyone who had business with the UH Manoa Parking Office between January 1, 1998, and June 30, 2009. This includes:

>> Anyone who purchased parking permits, including staff of the East-West Center, UH Foundation and Research Corporation of the University of Hawaii.

>> Any campus visitor who had a vehicle towed or appealed a parking citation.

3. What information was in the compromised database?

The database contained personal information, including names, Social Security numbers, addresses, driver’s license numbers, vehicle information, and credit card information. Information on other individuals included their UH identification numbers, which are not sensitive.

4. Has the data been misused?

At this time, UH Manoa has no evidence that personal information was actually accessed, but we also cannot determine with certainty that it was not accessed.

5. Is there an investigation into this incident?

A forensic computer expert has been retained to further investigate this matter. The Honolulu Police Department and FBI have been notified, and have been asked to investigate any potential criminal activity related to this incident.

6. What is the campus doing to prevent future security breaches?

Social Security numbers are no longer used for parking transactions, and are being purged from all current and historical Parking Office databases. Additional security measures being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks.

7. How will affected individuals be notified?

Letters to affected individuals were mailed on Saturday and should be received starting today. In addition, an e-mail notice will be sent to affected individuals at their most recent e-mail address on record.

8. What should affected individuals know and do?

Carefully monitor your financial information and take protective measures against identity theft, which include:

>> Obtaining and carefully reviewing credit reports. Free credit reports from all three credit agencies may be obtained at http://www.annualcreditreport.com or by calling 877-322-8228.

>> Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.

>> Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.

If your identity or account has been compromised, you may take actions such as requesting refunds, closing accounts, and placing your credit records in a state of fraud alert or freeze. Please know that we are making every effort to ensure that this incident does not recur.

9. If I did not receive a notification letter, does that mean my information was not in the compromised database?

Not necessarily. The campus has been collecting addresses of affected individuals, but not all addresses could be located, predominantly those of visitors to the campus who either appealed parking citations or had vehicles towed at UH Manoa between January 1, 1998, and June 30, 2009.

10. How can I get more information?

On weekdays between 8:00 a.m. and 4:30 p.m., call (808) 956-6000, or go to the webpage at http://www.hawaii.edu/idalert/. Updates will be posted as new information becomes available.
