BCA

Business Counsel Associates

Cyber Espionage (5 of 5): Preparing for the Future

April 11, 2010 By: azjogger Category: Operations, Technology

By John Riley

Cyber security was under attack during the past year as never before, and it shows no sign of abating in 2010. While both government and business have been taking steps to deal with these threats, the most important step has yet to be taken: a partnership between government and business. While independent study commissions have recommended such a union, the necessary legislation has not been enacted.


However, that has not prevented organizations from moving ahead on their own. Michael Carpenter, Senior Vice President for the Public Sector at McAfee, says, “we can expect to see an increase in the overall effectiveness of government, business and law enforcement, powered by innovative new technologies, to combat cybercrime.” Some of Carpenter’s predictions for 2010:

1) Social media such as Facebook and Twitter will face more sophisticated threats as the number of users grows.

2) Adobe software, especially Adobe Reader and Flash, will be the primary targets.

3) Banking Trojans will become more clever, sometimes interrupting a legitimate transaction to make an unauthorized withdrawal.

4) Botnets used for spamming and identity theft will remain the leading infrastructure for cybercriminals.

5) We often think of “civilian” applications and “government” applications, but the increasingly seamless nature of the world means cybercrime fallout knows no borders and does not distinguish between victims.

 More Evidence of Progress

A January 20, 2010 article in Enterprise Risk Management by Dr. Jagan Nathan Vaman, CEO of Vertical Six, provides further evidence of government and industry’s progress in preparing for the future:

Input, a Reston, Va., government business consulting firm, indicated the government’s information security budget will increase from $7.9 billion in 2009 to $11.7 billion in 2014, a compound growth rate of 8.1 percent. This is largely due to a 300 percent increase in cyber attacks since 2005 and to the increasing sophistication of those attacks. Unfortunately, there is no figure on cyber security expenditures by private firms because many of them do not want to admit their computers have been penetrated. Deputy Secretary of Defense William J. Lynn provided some insight into the Pentagon’s commitment in a recent speech when he said, “there were an estimated 90,000 people engaged in administering, monitoring and defending 15,000 networks connecting 7 million computers.”

Bob Gourley, former chief technology officer for the Defense Intelligence Agency and a Board member of the Cyber Conflict Studies Association, stated in a National Security Cyberspace Institute report, “U.S. cyber warriors are already deployed overseas and are in direct contact with adversaries. They live in adversary networks.” He added that an editorial in the Chinese People’s Daily opined, ‘U.S. intelligence agencies can, through technical means, fully monitor, follow and erase online information harmful to U.S. national interests.’

Loren Thompson, a military policy analyst for the Lexington Institute, says, “Cyber-Security is shaping up to be a major growth opportunity for the defense industry.” After years of working intensively on military equipment, the growing infiltration of computer systems by cyber-spies is forcing contractors to shift that intensity to defending computer systems and networks.

Timothy McKnight, vice president of Northrop Grumman Corp’s intelligence systems division, observes that, “in today’s current state, there’s a good chance you have already been compromised. We want to stay ahead of this problem. We’re doing everything to stay on the cutting edge.” An important step in that direction came in 2007, when Northrop, the maker of the B-2 stealth bomber and nuclear submarines, bought the Essex Corporation, which specializes in encryption technology used by U.S. intelligence agencies. In 2009, all of Northrop’s divisions handling cyber security business were consolidated into a single unit.

Late last year, Northrop also entered a cyber security research consortium with Carnegie Mellon University, Massachusetts Institute of Technology and Purdue University to develop new technologies and collar promising new engineers.

Microsoft Corp, Cisco Systems Inc. and Dell Inc. joined with Lockheed Martin Corp, the nation’s largest military contractor, to form a cyber security alliance to collaborate on ways to combat hackers. Lockheed also built a 5,000 square foot facility in Maryland dedicated to cyber security research and hired Lee Holcomb, former chief technology officer for the Department of Homeland Security, to head cyber security activities.

The Sleeping Giant is Awakening

While there are signs of our progress in the cyber security quest for superiority, the competition is smart, innovative and persistent. It is clear the United States is the primary target of most, if not all, of the world’s cyber espionage players, and it is unrealistic to think all of the best talent resides in this country. However, when government and industry work together, it’s a very formidable combination, and hopefully the day isn’t too far off when that team is on the field.

Cyber Espionage: The Threats are Many and Varied

April 03, 2010 By: azjogger Category: Management, Operations, Technology

By John Riley

“People should be aware that an extraordinary treasure chest of information has been stolen. And the same people doing the military espionage are engaged in economic espionage using the same or very similar techniques to steal information from organizations that are working on business ventures in the attackers’ country,” says Alan Paller, director of research for the SANS Institute, a computer security company, in a PC World article, March 8.

In a Wired Magazine article, February 3, Kevin Mandia, CEO of Mandiant, a computer forensic security firm, revealed, “The attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. The scope of this is much larger than anybody has conveyed. There are thousands of companies compromised. Actively, right now. And they represent a sea of change from the attacks that have commonly hit networks.”

Mandia points to an incident last year: “a spear-phishing campaign (waves of targeted e-mail attacks) that targeted an unnamed, high-ranking counterterrorism official, and two coordinators of local, state and federal intelligence. The report doesn’t indicate how successful the attacks were other than to say the intruders stole e-mail and information that helped them map networks and locate valuable data.”

 Attacks are rarely detected by antivirus or intrusion programs

“Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. The non-APT hackers target only financial data or sensitive customer data for identity theft, while the APT attackers never target such data. Instead, their focus is espionage. They attempt to take every Microsoft Word, PowerPoint, and Adobe PDF document from every machine they compromise, as well as all e-mail,” says Mandia.

A SANS Institute study, September 2009, shows 60% of total attack attempts are against web applications. Unrelenting e-mail attacks have exploited Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office and have been the major source of infection of client-side computers. Users are fooled by expecting trusted sites to be safe when, in fact, downloaded documents or music may carry malware. In some cases, there is no need to open a document to become infected; visiting the infected site is all that is necessary. What few people realize is that these user applications can also be attacked remotely.

 Hackers are making an enormous effort to infect trusted web sites so they become malicious websites distributing infected content. Confronted with unending and escalating attacks, organizations have difficulty knowing which threats offer the greatest risk and what resources should be allocated.

 Mobile devices are the new target

Now, mobile devices are emerging as the new frontier of cyber espionage as they come under attack from malware, reports BitDefender, a software security firm. According to Bogdan Dumitru, Chief Technology Officer, “there are numerous, documented cases recently of targeted malware attacks against business, usually employing infected MSOffice files.” Thus far, infection has not spread beyond the targeted accounts, suggesting the malware used was written for specific companies. “However, all of the security concerns of the Internet are now present in the mobile world, where the integration of mobile devices with web browsers enables access to the always-on Internet.”

Hackers have a variety of reasons for doing what they do, but none are more important than stealing data or installing a back door through which they can return later. For that reason, major organizations will patch their operating system weaknesses first and then patch client-side application problems, which usually take twice as long.

 Over the years, defenders who have learned attacker techniques have become the people most effective in combating them. As a White House spokesperson recently commented, “offense must inform defense” or in other words, those with experience countering attackers need to help train those who have spent all their time defending against them.

 U.S. is the primary cyber espionage target

The SANS Institute concludes the United States has presented greater value propositions for attackers than other countries, reaching nearly 35 million server-side HTTP attacks by destination over a recent six-month period. All other countries, including China and the Russian Federation, have received less than 5 million attacks. There is little doubt the U.S. has become the world’s cyber battleground.

Cyber Espionage (4 of 5): Prevention Takes Many Forms will appear April 7.

Cyber Espionage: The Vulnerabilities are Many

March 30, 2010 By: azjogger Category: Management, Operations, Technology

By John Riley

When President Obama appointed The Commission on Cyber Security to advise him on the subject, their report contained an ominous challenge: America’s failure to protect cyber space is one of the most urgent security problems facing the administration. This was no doubt influenced by the testimony of Dennis Blair, Director of National Intelligence, March 10, 2010, who said the intelligence community assessment is that a number of nations already have the capability to conduct crippling attacks against the United States.

In a recent Harvard Law School paper, “Cyberlaw: Difficult Issues Winter 2010”, the scope of the problem was discussed. Its conclusion was that cyber security is perceived as an almost insurmountable problem. The group’s approach was to look at the vulnerable points in cyberspace by focusing on the most likely points of attack. They concluded the Internet is vulnerable to attack at several different key points, each with a different result and security concern:

 Assessing the Internet’s vulnerability

The Internet is a large decentralized network, which complicates its defense. “A clever hacker could shut down the Internet itself in an extreme case, or more conservatively can re-route the Internet to prevent users from getting where they need to go,” concluded the paper.

When a message is sent through the Internet, there are many different paths it can take. The path it takes is not necessarily the shortest path to its destination; usually the path is determined by which avenue has the least traffic (resistance). To disconnect or disrupt traffic, hackers can reconfigure the message address.

Remedies are being explored. If network providers can be notified automatically when the virtual location of an Internet address changes, action can be taken to control the situation. A second approach is to treat broadcast changes of address as potential threats until they can be evaluated, which usually takes 24 hours; after that they can be accepted as legitimate.
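The two remedies just described, written out as an added example that is not from the article or from the Harvard paper: a monitor that learns which network announces each address block, raises a notification when that "virtual location" changes, and holds the change as suspect for a 24-hour evaluation window before accepting it. The network labels, prefixes and timestamps are constructed for the example; the 24-hour hold period is the figure the article cites.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(hours=24)  # the ~24-hour evaluation window the article cites


@dataclass
class Announcement:
    seen_at: datetime
    prefix: str   # address block; 203.0.113.0/24 is a documentation range
    origin: str   # constructed label for the network announcing the block


@dataclass
class RouteMonitor:
    accepted: dict = field(default_factory=dict)  # prefix -> trusted origin
    pending: dict = field(default_factory=dict)   # prefix -> (new origin, first seen)
    alerts: list = field(default_factory=list)    # automatic notifications to operators

    def observe(self, ann: Announcement) -> str:
        known = self.accepted.get(ann.prefix)
        if known is None:                       # first sighting: learn the location
            self.accepted[ann.prefix] = ann.origin
            return "learned"
        if ann.origin == known:                 # same location as before
            if ann.prefix in self.pending:      # a pending change reverted on its own
                del self.pending[ann.prefix]
                return "reverted"
            return "ok"
        held = self.pending.get(ann.prefix)
        if held is None or held[0] != ann.origin:   # new change: notify, start the clock
            self.pending[ann.prefix] = (ann.origin, ann.seen_at)
            self.alerts.append(f"{ann.prefix} moved {known} -> {ann.origin} at {ann.seen_at:%Y-%m-%d %H:%M}")
            return "suspect"
        if ann.seen_at - held[1] >= HOLD_PERIOD:    # change survived the evaluation window
            self.accepted[ann.prefix] = ann.origin
            del self.pending[ann.prefix]
            return "accepted"
        return "held"                           # still inside the window: keep treating as suspect


def run_sample() -> list:
    """Replay a constructed announcement stream and return the verdict for each one."""
    t0 = datetime(2010, 3, 30, 8, 0)
    stream = [
        Announcement(t0, "203.0.113.0/24", "NET-A"),
        Announcement(t0 + timedelta(hours=1), "203.0.113.0/24", "NET-A"),
        Announcement(t0 + timedelta(hours=2), "203.0.113.0/24", "NET-B"),   # sudden move
        Announcement(t0 + timedelta(hours=3), "203.0.113.0/24", "NET-B"),   # still inside window
        Announcement(t0 + timedelta(hours=4), "203.0.113.0/24", "NET-A"),   # original location returns
        Announcement(t0, "198.51.100.0/24", "NET-C"),
        Announcement(t0 + timedelta(hours=5), "198.51.100.0/24", "NET-D"),  # planned move
        Announcement(t0 + timedelta(hours=30), "198.51.100.0/24", "NET-D"), # more than 24h later
    ]
    mon = RouteMonitor()
    return [mon.observe(a) for a in stream]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```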

Assessing network endpoint vulnerability

 SCADA Systems

Every computer connected to the Internet is an endpoint, which makes it vulnerable to attack. Computer systems that oversee industrial equipment are known as supervisory control and data acquisition (SCADA) systems. These are the computer systems that control the power grids, traffic lights, regulate dams and other components of civilian infrastructure. According to John Avlon, Right Side News, November 13, 2009, several al-Qaida computers were seized in Pakistan that show details of the SCADA systems in America. Authorities also found one al-Qaida safe house that was devoted to the operational study of Internet attacks.

 Servers

It is not necessary for an attacker to target individual computers. By singling out servers and providers, a terrorist can infect and compromise all computers connected to those servers. That includes internal computers and sensitive servers usually assumed to be shielded from unauthorized penetration by hackers. However, when infection occurs, regulators can step in and shut down the systems to prevent further distribution.

The most common approaches used by hackers are brute force password guessing attacks and web application attacks. If a valid username/password pair can be identified, it will enable the attacker to penetrate Microsoft SQL, FTP, and SSH servers. Microsoft applications have been a major hacker target in recent years.

 Computers

One of the most attractive qualities of a computer is its ability to create things. However, it is also the computer’s greatest vulnerability. As the paper frames it, the issue becomes, “how do you preserve the generativity, while addressing the growing vulnerabilities that are innate to it?” It is not clear if there is an answer to the question.

 Government Computers

In 2009, three incidents occurred that were quietly investigated: data about the Presidential helicopter appeared on Iranian laptops, the federal government’s job listing was taken, and a 19 year-old hacker breached Air Force, Navy, Department of Defense, NASA and MIT systems. This after the Pentagon had spent $100 million to protect its systems. As mentioned in the previous article, the problem was highlighted again earlier this year when it was revealed hackers broke into the Pentagon’s $300 million state-of-the-art Joint Strike Fighter program, which raised significant military concerns.

 The policy vulnerability

The National Security Cyberspace Institute reported March 5, 2010, that a study by the National Research Council, “Technology, Policy, Law and Ethics Regarding the U.S. Acquisition and Use of Cyberattack Capabilities”, revealed the U.S. has no formal policy for dealing with foreign government-led threats against U.S. interests in cyberspace. It cites three key points:

1) The U.S. policy and legal framework for the United States’ use of cyber attacks is “ill-formed, undeveloped, and highly uncertain”.

2) “the decision-making apparatus for cyber attack and the oversight mechanisms for that apparatus are inadequate”, and

3) “secrecy has prevented us from being able to effectively share information and debate about the nature and implications of cyber attacks.”

Cyber Espionage (3 of 5): The Threats are Many and Varied will appear April 3.

Cyber Espionage: A Serious and Growing Threat

March 26, 2010 By: azjogger Category: Operations, Technology, Workforce

By John Riley

Chinese hackers penetrated White House e-mail archives and were able to sneak onto the network several times, according to a 2008 report in The Register, a British publication.

 North Korean hackers managed to penetrate a website and obtain a secret U.S.-South Korean plan to defend the Korean peninsula in case of war according to a recent Defense News report.

An investigation by The Wall Street Journal revealed an unnamed intruder was able to penetrate the Pentagon computers and steal terabytes of information about the design and electronic systems for the new $300 billion state-of-the-art Joint Strike Fighter project.

 Every day, the Department of Defense detects 3 million unauthorized computer probes of its networks while the Department of State fends off 2 million probes according to a Right Side News report November 29, 2009.

 Several countries have state-of-the-art cyber espionage capabilities

These incidents are typical of the daily threats that military, government contractors, and industry organizations are facing. Global Cyber CEO Jody Westby said in USA Today in January that China, Russia, North Korea, Iran, Israel, France, the United States and the United Kingdom are recognized as possessing state-of-the-art cyber espionage expertise, which they use for economic and military intelligence gathering. Alan Paller, director of research for the SANS Institute, said on Fox News, January 22, 2010, that over 100 countries have cyber espionage capabilities.

“It’s espionage on a massive scale,” says Paul B. Kurtz, a former high-ranking national security official. In 2008, over 12,900 cyber security attacks had been reported to the Homeland Security Dept., triple the number from two years earlier. Air Force Lt. Gen. Robert Elder points out, “while much of the focus is on data loss or data gain, the biggest concern should be that an adversary manipulates data and we do not even recognize it.”

U.S. power plants are vulnerable

To make the point, a PC World story in early 2009 reported that hackers believed to be from China or Russia had penetrated the U.S. electrical grid and were able to install “software tools” that could disrupt the grid system. The degree to which the grid had been accessed was not revealed, but investigators said the attack was ‘pervasive’ to the extent that control of U.S. power plants could be taken over by the hackers.

Several studies have been made of U.S. cyber security policies and programs to improve security, each with a set of recommendations. One of the most recent was the Commission on Cyber Security under the leadership of Melissa Hathaway, which made its recommendations to the White House and Congress in February 2009, but little or no implementation has taken place. The most important proposal calls for the government to work more closely with the private sector, but the report also pointed out the need for emphasis on key infrastructure and coordination of preventive and responsive activities.

The U.S. has no formal policy dealing with foreign threats

 Another reason for adopting Hathaway’s study recommendation for closer government-private sector coordination is the fact most of the critical infrastructure is owned and operated by the private sector. Without that coordination, it is very difficult to determine the targets and the nature of the threats.

According to a Wall Street Journal online report, “the U.S. government and private industry seem to be in a reactive role, detecting intrusions and information losses only after the fact, with no cross-government or industry coordinated response. Efforts to coordinate standards and policies across the private sector and in government, therefore appear stalled.” A Computer World story adds, “The U.S. has no formal policy for dealing with foreign government-led threats against U.S. interests in cyberspace.”

While there are obvious areas of concern about the state of U.S. cyber security, it is entirely possible some of the recommendations of various organizations have not been ignored. Cyber security techniques are not something the government would want to share in any detail. Time will tell if the government may have quietly adopted some or many of the recommendations and advanced our cyber security more than is generally recognized.

The next article, Cyber Espionage (2 of 5): Vulnerabilities are Many, will appear March 30.