Friday, March 23, 2012

DoD Networks Completely Compromised, Experts Say

A group of U.S. federal cybersecurity experts recently blasted the Defense Department's network security efforts and called for a completely new and different model for DoD cybersecurity in the future.

The Defense Department’s (DoD) computer networks have been totally compromised by foreign spies, according to federal cybersecurity experts. The experts, speaking before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities, say current efforts to protect those networks are misguided at best.
Those experts claim that the billions spent by the government on cybersecurity have provided only a limited increase in protection; attackers can penetrate DoD networks; and the defense supply chain and physical systems are at high risk of attack.
James Peery, director of Sandia National Labs’ Information Systems Analysis Center, told the committee: “We’ve got the wrong model here. …  I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”
The DoD has layered security onto a uniform architecture which only protects against known threats and doesn’t adapt to new ones, according to Acting Director of the Defense Advanced Research Projects Agency (DARPA) Kaigham Gabriel. The offensive situation is no better, he warned, because the DoD has merely tried to scale up its intelligence-based cyber capability, which is a long way from actually giving the Pentagon an offensive threat.
“DoD is capability-limited in cyber, both defensively and offensively,” Gabriel told the panel. “We need to change that.”
It is difficult to know how many of these warnings are hyperbole, since some, but not all of them, were accompanied by pleas for more funding. Michael Wertheimer, director of research and development at the National Security Agency (NSA), said proposed 2013 funding levels are adequate and that the government just needed to spend them more wisely. The NSA is one of several agencies with budgets that can only be speculated on because they are kept top secret.
So, the DoD can’t protect its networks but we're supposed to think the Department of Homeland Security (DHS) will be able to protect those in the private sector? That legislation is still out there, and it's making me more nervous every day.

Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)

Chaouki Bekrar (center) and Vupen's team of hackers at the Pwn2Own hackathon in Vancouver in March. (Photo credit: Ryan Naraine)
This story appears in the April 9th issue of Forbes magazine.
At a Google-run competition in Vancouver last month, the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin.
A team of hackers from French security firm Vupen were playing by different rules. They declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques—certainly not for $60,000 in chump change.

“We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.
In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques. Those intrusion methods include attacks on software such as Microsoft Word, Adobe Reader, Google’s Android, Apple’s iOS operating systems and many more; Vupen bragged at HP’s hacking competition that it had exploits ready for every major browser. And sources familiar with the company’s business say that a single technique from its catalog often costs far more than its six-figure subscription fee.
Even at those prices, Vupen doesn’t sell its exploits exclusively. Instead, it hawks each trick to multiple government agencies, a business model that often plays its customers against one another as they try to keep up in an espionage arms race.
Bekrar claims that Vupen carefully screens its clients, selling only to NATO governments and “NATO partners.” He says Vupen has further “internal processes” to filter out nondemocratic nations and requires buyers to sign contracts that they won’t reveal or resell their exploits. But even so, he admits that the company’s digital attack methods could still fall into the wrong hands. “We do the best we can to ensure it won’t go outside that agency,” Bekrar says. “But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.”
That arms-trade comparison is one Vupen’s critics are eager to echo. Chris Soghoian, a privacy activist and fellow at the Open Society Foundations, calls Vupen a “modern-day merchant of death,” selling “the bullets for cyberwar.” After one of its exploits is sold, Soghoian says, “it disappears down a black hole, and they have no idea how it’s being used, with or without a warrant, or whether it’s violating human rights.” The problem was starkly illustrated last year when surveillance gear from Blue Coat Systems of Sunnyvale, Calif. was sold to a United Arab Emirates firm but eventually ended up tracking political dissidents in Syria. “Vupen doesn’t know how their exploits are used, and they probably don’t want to know. As long as the check clears.”
Vupen is hardly alone in the exploit-selling game, but other firms that buy and sell hacking techniques, including Netragard, Endgame and larger contractors like Northrop Grumman and Raytheon, are far more tight-lipped than Bekrar’s small firm in Montpellier, France. Bekrar describes his company as “transparent.” Soghoian calls it “shameless.”
“Vupen is the Snooki of this industry,” says Soghoian. “They seek out publicity, and they don’t even realize that they lack all class. They’re the Jersey Shore of the exploit trade.”

Source http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/

Experts Tell Senate that Critical Networks are Compromised

Thursday, March 22, 2012

Top agency officials who testified before the Senate Armed Services Committee advised that the government can assume we are well beyond the threat of attackers gaining access to our critical networks, and that we must assume they have already successfully infiltrated them.
"I think we've got the wrong mental model here. We've got to go to a model where we assume our adversary is in our networks, on our machines, and we've got to operate anyway, we've got to protect the data anyway," said Sandia National Laboratory's James Peery.
DARPA's Ken Gabriel believes that the current strategies employed for the defense of sensitive networks are insufficient; at best they buy the time needed to develop more substantial methods that would raise the level of investment attackers must make for a successful incursion.
"If you find yourself in the middle of the ocean, treading water is a good thing...buying tactical breathing room [is] much like treading water," Gabriel stated.
Gabriel's assertion prompted a terse response from Ohio Senator Rob Portman, who queried him by stating, "You believe we can do things that make it more costly for them to hack into our systems... but you didn't say that we can stop them."
The revelation that there is no state of absolute security is nothing surprising to those in the infosec realm, but apparently the notion is just taking a foothold with legislators.
In an attempt to explain the dynamic between attackers and those charged with defending networks, the Pentagon's chief technology officer Zachary Lemnios responded to Portman by stating that "we are in an environment of measures and countermeasure... for every concept that's deployed, a countermeasure is deployed by an adversary."
Lemnios went on to explain the basics of a perimeter defense approach to securing critical networks in which the focus is placed on preventing access to systems by attackers.
He continued that the perimeter defense strategy does little to protect critical data once an intrusion has occurred, and also does little in the way of securing data against the possibility of an insider threat, for which he cited the WikiLeaks case in which Bradley Manning abused his access to systems in order to leak classified government materials to the activist group.
Lemnios advocated a monitoring approach in which activities within a secured system are evaluated in real time for inconsistencies and violations of access controls, as in Manning's case. The key to advanced monitoring is not intrusion detection as such, but securing the critical data and preventing its exfiltration.
Also key to bolstering network defenses is the ability to effectively triage intrusion events, as not all attempts represent a critical threat. Some incursions are carried out by automated botnets that may simply be conducting "routine" reconnaissance, but in actuality pose no immediate threat of data loss.
The NSA's Michael Wertheimer advocated a retreat from reacting to the sheer volume of events logged, in favor of a closer examination of who the attacker may be, noting that the greatest threats materialize from state-supported operations.
"Routine doesn't mean that it isn't important... we're not keeping a close enough eye on that nation-state threat... We have to deploy a Division I team because the adversaries are Division I," said the NSA's Michael Wertheimer.
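The data-centric monitoring and event triage that Lemnios and Wertheimer describe above, as an added example that is not from the hearing and not code from any DoD system: two small detectors run over constructed log lines. The first flags an authorised user who reads far more distinct classified documents inside a ten-minute window than a baseline allows, activity a perimeter firewall never sees because every read is permitted. The second ranks perimeter sources so that a broad port sweep is filed as routine reconnaissance while a source that keeps working one host and port until it logs in is ranked as targeted. The log formats, user names, documentation-range IP addresses, thresholds and window are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"  # assumed timestamp format of the constructed logs


def parse_access_log(text):
    """Parse constructed 'timestamp user action document classification' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, doc, cls = line.split()
        events.append((datetime.strptime(ts, FMT), user, action, doc, cls))
    return events


def bulk_access_alerts(events, window=timedelta(minutes=10), max_docs=15):
    """Return {user: peak distinct classified docs read in one window} for users
    over max_docs: each read is authorised, the tempo and breadth are the signal."""
    per_user = defaultdict(list)
    for ts, user, action, doc, cls in events:
        if action == "READ" and cls != "UNCLASSIFIED":
            per_user[user].append((ts, doc))
    alerts = {}
    for user, reads in per_user.items():
        reads.sort()
        start = 0
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:  # slide the window
                start += 1
            distinct = len({doc for _, doc in reads[start:end + 1]})
            if distinct > max_docs and distinct > alerts.get(user, 0):
                alerts[user] = distinct
    return alerts


def parse_perimeter_log(text):
    """Parse constructed 'timestamp src_ip dst_ip dst_port outcome' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port, outcome = line.split()
        events.append((datetime.strptime(ts, FMT), src, dst, int(port), outcome))
    return events


def triage_perimeter(events):
    """Rank each source: repeated attempts on one host/port ending in AUTH_OK are
    'targeted'; many hosts and ports touched is a sweep, 'routine-recon'; else 'review'."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        per_target = defaultdict(list)
        for _, _, dst, port, outcome in evs:
            per_target[(dst, port)].append(outcome)
        focused = [o for o in per_target.values() if len(o) >= 5]
        hosts = {e[2] for e in evs}
        ports = {e[3] for e in evs}
        if any("AUTH_OK" in o for o in focused):
            verdicts[src] = "targeted"
        elif len(hosts) >= 5 and len(ports) >= 10:
            verdicts[src] = "routine-recon"
        else:
            verdicts[src] = "review"
    return verdicts


def constructed_access_log():
    """Constructed sample: analyst1 works at a normal tempo, analyst2 pulls
    40 distinct cables in eight minutes (hypothetical users and documents)."""
    base = datetime(2012, 3, 20, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=15 * i)).strftime(FMT)} "
             f"analyst1 READ cable-{i:04d} SECRET" for i in range(8)]
    lines += [f"{(base + timedelta(seconds=12 * i)).strftime(FMT)} "
              f"analyst2 READ cable-{100 + i:04d} SECRET" for i in range(40)]
    return "\n".join(lines)


def constructed_perimeter_log():
    """Constructed sample: 203.0.113.7 sweeps ten hosts on twelve ports;
    198.51.100.9 works one SSH port with a short credential list and gets in."""
    base = datetime(2012, 3, 20, 2, 0, 0)
    sweep_ports = (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080)
    lines = []
    for h in range(10):
        for i, p in enumerate(sweep_ports):
            t = base + timedelta(seconds=12 * h + i)
            lines.append(f"{t.strftime(FMT)} 203.0.113.7 10.0.0.{h + 1} {p} CONN_REFUSED")
    for i, outcome in enumerate(["AUTH_FAIL"] * 6 + ["AUTH_OK"]):
        t = base + timedelta(minutes=30, seconds=20 * i)
        lines.append(f"{t.strftime(FMT)} 198.51.100.9 10.0.0.3 22 {outcome}")
    return "\n".join(lines)


def run_example():
    """Run both detectors over the constructed logs and return their verdicts."""
    access = bulk_access_alerts(parse_access_log(constructed_access_log()))
    perimeter = triage_perimeter(parse_perimeter_log(constructed_perimeter_log()))
    return access, perimeter


if __name__ == "__main__":
    print(run_example())
```

Running `run_example()` flags analyst2 (40 distinct documents in one window) and leaves analyst1 alone, and ranks the sweep as routine reconnaissance while the patient single-target source is marked targeted. The fixed thresholds are placeholders; in practice the bulk-access baseline would be derived per role from historical access, and the triage rules would be joined with attribution data, which is the "who is the attacker" question Wertheimer raises.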

Exclusive Infographic: all Cyber Attacks on Military Aviation and Aerospace Industry

February 21, 2012

Posted by Paolo Passeri in Information Security

2011 was an annus horribilis for information security, and aviation was no exception: not only were the corporate networks of several aviation and aerospace companies targeted by digital storms in 2011 (no surprise in the so-called hackmageddon) but, above all, last year will probably be remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because, in the case of the RQ-170 Sentinel downed in Iran, several doubts surround the theory that GPS hacking was the real cause of the crash landing).
But while information security professionals are quite familiar with the idea that military contractors are primary and preferred targets of the current cyberwar, as the following infographic shows, malware being used to target a drone is still regarded as an isolated episode and, even worse, the idea of malware targeting the multirole Joint Strike Fighter is still hard to accept.
However, things are about to change dramatically. And quickly.
The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communication equipment and armament.
For instance, an F-22 Raptor contains about 1.7 million lines of code, an F-35 Joint Strike Fighter about 5.7 million and a Boeing 787 Dreamliner about 6.5 million. Anything with built-in code may be exploited; with this much code, and with plenty of current and future vulnerabilities, one cannot rule out a priori that these systems will be targeted with tailored or generic malware for cyberwar, cybercrime or even hacktivist purposes.
Unfortunately, the latter hypothesis looks closer to reality, since too often these systems are managed from standard Windows operating systems; indeed, generic malware has proven capable of infecting the control systems of the most important U.S. unmanned aircraft flying over Afghanistan, Pakistan, Libya and the Indian Ocean: the Predator and Reaper drones.
As a consequence, it should not be surprising, nor is it a coincidence, that McAfee, Sophos and Trend Micro, three leading players in endpoint security, consider embedded systems one of the main security concerns for 2012.
Making networks more secure (and personnel better educated) to prevent the leak of mission-critical documents and costly project plans (as has happened in at least a couple of cases) will not be the aviation and aerospace industry’s only information security challenge; the real challenge will be to embrace the security-by-design paradigm and build secure, malware-resistant products ab initio.
While you wait to see whether an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation- and aerospace-related cyber attacks that have occurred since the very first hack targeting the F-35 Lightning II in 2009.
Of course, the aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want an idea of how fragile our data are in cyberspace, have a look at the timelines of the main cyber attacks in 2011 and 2012 (regularly updated) at hackmageddon.com, and follow @pausparrows on Twitter for the latest updates.

Monday, March 19, 2012

'System is blinking red': Alarming rhetoric in push for cybersecurity bills

By Brendan Sasso 03/17/12 10:49 AM ET
Lawmakers and administration officials have warned of potentially catastrophic consequences if Congress doesn't pass cybersecurity legislation this year, but some observers question whether the rhetoric is overblown.
"Think about how many people could die if a cyber terrorist attacked our air traffic control system and planes slammed into one another," Sen. Jay Rockefeller (D-W. Va.) testified at a Homeland Security and Government Affairs Committee hearing last month. "Or if rail-switching networks were hacked — causing trains carrying people, or hazardous materials — to derail and collide in the midst of some of our most populated urban areas, like Chicago, New York, San Francisco or Washington."

Jerry Brito, director of the Technology Policy Program at George Mason University, said the "rhetoric does not match the reality" on cybersecurity.
"When members of Congress talk about [cybersecurity] they conflate the different threats," Brito said.
He explained that cyber espionage is a "very real" problem that is "happening right now." Companies and foreign governments are hacking into the computer systems of American companies to steal their trade secrets and gain a competitive advantage.
But Brito said the likelihood of a cyber attack having a major "kinetic effect"—meaning significant physical destruction—is low.
He said he doubts that terrorist groups or hacker collectives like Anonymous have the sophistication to take down critical infrastructure systems.
Foreign governments, such as Russia or China, could probably wreak havoc with a cyber attack, Brito said, but they would likely only employ that tactic if the U.S. was already engaged in all-out war with them.
Brito said comparing a potential cyber attack to Sept. 11 or Pearl Harbor is "totally hyperbolic."