The U.S. Defense Department is constructing a massive, electronic system to provide an overview of the vulnerabilities of the military’s computer networks, weapons systems, and installations, and help officials prioritize how to fix them, according to the deputy commander of U.S. Cyber Command.
Air Force Lieutenant General Kevin McLaughlin told Reuters officials should reach agreement on a framework within months, with a goal of turning the system into an automated “scorecard” in coming years.
The effort, being led by the Pentagon’s chief information officer, grew out of a critical report about cyber threats released earlier this year by the Pentagon’s chief weapons tester, and escalating cyber attacks by China and Russia.
The report by Michael Gilmore, the Pentagon’s director of testing and evaluation, warned that nearly every major U.S. weapons system was vulnerable to cyber attacks.
Initial data entry would be done by hand, but the goal was to create a fully automated system that would help defense officials instantaneously detect and respond to cyber attacks, McLaughlin said after a speech at the annual Billington Cybersecurity Summit.
McLaughlin told the conference that Cyber Command had already set up about half of 133 planned cyber response teams with about 6,200 people, and all of them would achieve an initial operational capability by the end of 2016.
He said the initial focus of the new scorecard would be on the greatest threats, including weapons systems fielded 30 years ago before the cyber threat was fully understand, as well as newer systems that were not secure enough.
“There’s probably not enough money in the world to fix all those things, but the question is what’s most important, where should we put our resources as we eat the elephant one bite at a time,” he said.
McLaughlin said the scorecard was initially intended to look at weapons and networks, but the Pentagon was now looking at a broader and more sophisticated approach that also accounted for how data was moved among agencies within the military.
IBM security research has found that people are using the so-called dark net to launch cyber attacks, force ransomware demands on punters and make distributed denial-of-service (DoS) attacks.
The dark net, accessed via Tor, is often tagged as a threat. The IBM X-Force Threat Intelligence Quarterly 3Q 2015 report identifies a spike in bad traffic and leads with a warning.
The report introduces Tor as the network that takes people to the dark net. We might start calling it the ferryman and the passage across the river Styx, but things are complicated enough.
IBM said that Tor is used by “non-malicious government officials, journalists, law enforcement officials” and bad people alike. It is the latter that should concern us.
“This latest report reveals that more than 150,000 malicious events have originated from Tor in the US alone thus far in 2015,” the report said.
“Tor has also played a role in the growing ransomware attack trend. Attackers have evolved the use of encryption to hold data hostage and demand payment/ransom for the decryption code.”
We have been here before, and ransomware has been a feature of many a security alert this year already. We heard, courtesy of Bitdefender, that ransomware charges start at £320, and are a real pain to deal with. We also heard that it is Android mobile users in the UK who get the worst of the hackers’ grabbing-for-money treatment.
Back at the IBM report, and we find IBM X-Force on the issue. X-Force, which is nothing like X-Men, said that hackers push internet users who are easily fooled by flashy online advertisements into installing the new cyber nightmare. Ransomware, it warns, will separate you from your cash.
“A surprising number of users are fooled by fake/rogue antivirus [AV] messages that are nothing more than animated web ads that look like actual products. The fake AV scam tricks users into installing or updating an AV product they may never have had,” it explains, adding that in some cases people pay the money without thinking.
“Afterward, the fake AV keeps popping up fake malware detection notices until the user pays some amount of money, typically something in the range of what an AV product would cost.”
This establishes the subject as a mark, and the hackers will exploit the opportunity. “Do not assume that if you are infected with encryption-based ransomware you can simply pay the ransom and reliably get your data back,” said IBM.
“The best way to avoid loss is to back up your data. Regardless of whether your backup is local or cloud-based, you must ensure that you have at least one copy that is not directly mapped visibly as a drive on your computer.”
Tor nodes in the US spewed out the most bad traffic in the first half of this year, according to the report, adding up to about 180,000 attacks. The Netherlands is second with around 150,000, and Romania is third with about 80,000.
The bulk of this negative attention lands at technology and communications companies. You might have assumed the financial markets, but you were wrong. IBM said that ICT gets over 300,000 Tor thwacks every six months, manufacturing gets about 245,000, and finance gets about 170,000.
IBM said that the old enemy, SQL injection attacks, is the most common Tor-led threat to come at its customers. Vulnerability scanning attacks are also a problem, and IBM said that the use of the network as a means for distributed DoS attacks should “Come as no surprise”. It doesn’t.
“These attacks combine Tor-commanded botnets with a sheaf of Tor exit nodes. In particular, some of the US-based exit nodes provide huge bandwidth,” explained the report.
“Employing a handful of the exit nodes in a distributed DoS orchestrated by the botnet controller and originating at dozens or hundreds of bot hosts can impose a large burden on the targeted system with a small outlay of attacker resources, and generally effective anonymity.”
There is a lot more. The bottom line is that bad things happen on the dark net and that they come to people and businesses through Tor. IBM said that concerned outfits should just block it and move on, which is along the lines of something that Akamai said recently.
“Corporate networks really have little choice but to block communications to these stealthy networks. The networks contain significant amounts of illegal and malicious activity,” said Akamai.
“Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions.”
That sounds fine to us, but won’t someone give a thought to those non-malicious government officials out there?
Volkswagen (VW) has watched as a security vulnerability in a key system on a range of vehicles has been released from the garage and put on the news road.
VW was first notified about the problem two years ago, but has worked to keep it under the bonnet. Well, not all of it, just a single line – not a yellow line – has been contentious. The line is still controversial, and has been redacted from the full, now released, report.
VW secured an injunction in the UK high court two years ago. The firm argued at the time that the information would make it easy to steal vehicles that come from its factories and forecourts. That might be true, but that is often the case with vulnerabilities.
The news that VW has suppressed the report for this amount of time is interesting, but it does remind us that not everyone in the industry appreciates third-party information about weaknesses.
VW has a lot of cars under its hood and, according to the report, a lot of different vehicles are affected. These run from Alfa Romeo through to Volvo, and take in midlife crisis mobility vehicles like the Maserati and Porsche.
The report is entitled Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer (PDF), and is authored by Roel Verdult from Radbound university in the Netherlands and Flavio Garcia from the University of Birmingham in the UK.
Megamos Crypto sounds like a sci-fi bad guy, maybe a rogue Transformer, but it is actually designed to be a good thing. The security paper said that it is a widely deployed “electronic vehicle immobiliser” that prevents a car starting without the close association of its key and included RFID tag.
The researchers described how they were able to reverse engineer the system and carry out three attacks on systems wirelessly. They mention several weaknesses in the design of the cipher and in the key-update mechanisms. Attacks, they said, can take as little as 30 minutes to carry out, and recovering a 96-bit encryption key is a relatively simple process.
This could be considered bad news if you are a car driver. It may even be worse news for pedestrians. Concerned car owners should find their keys (try down the back of the sofa cushion) and assess whether they have keyless ignition. The researchers said that they told VW about the findings in 2012, and that they understand that measures have been taken to prevent attacks.
We have asked VW for an official statement on the news, but so far it isn’t coughing. Ready to talk, though, is the security industry, and it is giving the revelation the sort of disapproving look that people give cats when they forget what that sand tray is for.
Nicko Van Someren, CTO at Good Technology, suggested that this is another example of what happens when you go from first gear to fourth while going up a hill (this is our analogy). He described it in terms of the Internet of Things (IoT), and in respect of extending systems before they are ready to be extended.
“This is a great example of what happens when you take an interface that was designed for local access and connect it to the wider internet,” he said.
“Increasingly, in the rush to connect ‘things’ for the IoT, we find devices that were designed with the expectation of physical access control being connected to the internet, the cloud and beyond. If the security of that connection fails, the knock-on effects can be dire and potentially even fatal.”
Nearly half of all security breaches come from vulnerabilities that are between two and four years old, according to this year’s HP Cyber Risk Report entitled The Past Is Prologue.
The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.
But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.
The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.
The news comes in the same week that HP took a swipe at rival Lenovo for knowingly putting Superfish adware into its machines.
“Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager for enterprise security products at HP.
“We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.”
The main recommendations of report are that network administrators should employ a comprehensive and timely patching strategy, perform regular penetration testing and variation of configurations, keep equipment up to date to mitigate risk, share collaboration and threat intelligence, and use complementary protection strategies.
The threat to security from the IoT is already well documented by HP, which released a study last summer revealing that 90 percent of IoT devices take at least one item of personal data and 60 percent are vulnerable to common security breaches.
More than a week after a massive cyber attack on Sony Pictures Entertainment, the Hollywood studio isstill struggling to restore some systems as investigators searched for evidence to identify the culprit.
Some employees at the Sony Corp entertainment unit were given new computers to replace ones that had been attacked with the rare data-wiping virus, which had made their machines unable to operate, according to a person with knowledge of Sony’s operations.
In a memo to staff seen by Reuters, studio co-chiefs Michael Lynton and Amy Pascal acknowledged that “a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents.”
They are “not yet sure of the full scope of information that the attackers have or might release,” according to the memo first reported by Variety, and encouraged employees to take advantage of identity protection services being offered.
Their concern underscores the severity of the breach, which experts say is the first major attack on a U.S. company to use a highly destructive class of malicious software that is designed to make computer networks unable to operate.
Government investigators led by the FBI are considering multiple suspects in the attack, including North Korea, according to a U.S. national security official with knowledge of the investigation.
The FBI said Tuesday that it is working with its counterparts in Sony’s home country of Japan in the investigation.
That comes after it warned U.S. businesses on Monday about hackers’ use of malicioussoftware and suggested ways to defend themselves. The warning said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea.
Researchers last week warned they uncovered Heartbleed, a bug that targets the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace.
Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software.
Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.
He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.
Still, he said, “The level of risk here is extremely small,” because BlackBerry’s security technology would make it difficult for a hacker to succeed in gaining data through an attack.
“It’s a very complex attack that has to be timed in a very small window,” he said, adding that it was safe to continue using those apps before an update is issued.
Google spokesman Christopher Katsaros declined comment. Officials with Apple could not be reached.
Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.
Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.
He said mobile app developers have time to figure out which products are vulnerable and fix them.
“It will take the hackers a couple of weeks or even a month to move from ‘proof of concept’ to being able to exploit devices,” said Shaulov.
Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.
Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.
The Pentagon’s top research lab Darpa is planning a new classified cyberwarfare project. However it is not just about building the next Stuxnet, “Plan X” is designed to make online strikes a more routine part of U.S. military operations.
According to Wired, the move will mean that the US will “dominate the cyber battlespace” and force other nations to become born-again Christians, drink coke, watch rubbish telly, get fat, play with Apple gear and give all their cash to the very rich and other core US values.
“Plan X” will enable building tools to help warplanners assemble and launch online strikes in a hurry. It will also require software to assess the damage caused by a new piece of friendly military malware before it’s unleashed. One of the priorities is to get a map so generals to watch the fighting unfold in real time.
Darpa said that Plan X is explicitly not funding research and development efforts in vulnerability analysis or cyberweapon generation. “Plan X” aims to solve both problems simultaneously, by automatically constructing mission plans that are as easy to execute as “the auto-pilot function in modern aircraft,” but contain “formal methods to provably quantify the potential battle damage from each synthesized mission plan,” Darpa said.
Sony’s corporate credit rating has been downgraded by finance company Standard and Poor’s, with the group citing the lack of a likely recovery for the company’s core business in the near future.
The company is now rated A- for long term borrowing and A-2 for short term loans.
“The CreditWatch listing is based on our view that the likelihood of Sony’s weak earnings persisting has increased as there are no signs of a halt to the deterioration in the earnings of the company’s core flat panel TV business,” read a statement from the company.
“In addition, Sony’s financial burden is likely to increase in tandem with the company’s making Sony Ericsson a wholly owned subsidiary. Taking these factors into consideration, we have concluded that we need to review the prospects for Sony’s operating and financial performance and verify the effects on the rating.”
The area of Sony’s business which includes both flat-panel TVs and the PlayStation business registered a loss of $449 million during a recent financial report marking a third consecutive year in the red for the company as a whole. That period of losses is expected to continue next year.
“Standard & Poor’s will resolve the CreditWatch listing after meeting with Sony management and verifying the prospects for an earnings recovery in the company’s mainstay electronics business and improvement in its financial soundness for the next few years,” continued the company’s statement.
For an in-depth view on the current financial and business position which Sony occupies, read our Sony Stock Ticker piece from GamesIndustry.biz contributor Rob Fahey, published yesterday.
A mock Internet where the Pentagon can practice cyberwar games — complete with software that simulates human behavior under multiple military threat levels — is due to be up and running in a year’s time, according to a published report.
Called the National Cyber Range, the computer network mimics the architecture of the Internet so military planners can study the effects of cyberweapons by acting out attack and defense scenarios, Reuters says.
Planning for the Cyber Range was carried out by Lockheed Martin, which won a $30.8 million Defense Advanced Research Projects Agency (DARPA) grant, and Johns Hopkins University Applied Physics Laboratory, which won $24.7 million.
Cyber Range plans call for the ability to simulate offensive and defensive measures of the caliber that nations might be able to carry out. DARPA wants the range to support multiple tests and scenarios at the same time and to ensure that they don’t interfere with each other. “The Range must be capable of operating from Unclassified to Top Secret/Special Compartmentalized Information/Special Access Program with multiple simultaneous tests operating at different security levels and compartments,” according to DARPA’s announcement of the project.
In addition to the public version of the project, DARPA has issued a classified appendix that sets down more requirements.
“A goal of the NCR program is to develop a toolkit that the government may provide to any party it authorizes to conduct cyber testing at any authorized facility,” the DARPA Cyber Range document says.
According to the schedule for the project, Lockheed and Johns Hopkins should have produced a prototype Cyber Range for review by now. DARPA picks which one actually gets built.
If it weren’t so serious,it would be laughable. Hackers have once again breached Sony Corp’s computer networks and accessed the information of more than 1 million customers. This latest break in was designed to show the vulnerability of the electronic giant’s systems.
LulzSec, a group that claims attacks on U.S. PBS television and Fox.com, said it broke into servers that run Sony Pictures Entertainment websites. It published the names, birth dates, addresses, emails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony.
“From a single injection, we accessed EVERYTHING,” the hacking group said in a statement. “Why do you put such faith in a company that allows itself to become open to these simple attacks?”
The security breach is the latest cyber attack against high-profile firms, including defense contractor Lockheed Martin and Google Inc.
LulzSec’s claims came as Sony executives were trying to reassure U.S. lawmakers at a hearing on data security in Washington about their efforts to safeguard the company’s computer networks, which suffered the biggest security breach in history in April.
Sony has been under fire since hackers accessed personal information on 77 million PlayStation Network and Qriocity accounts, 90 percent of which are users in North America or Europe.
Sony said it was investigating the breach claimed by LulzSec and declined to elaborate.
The latest attack, unlike that on the PlayStation Network, was not on a revenue-generating Website and was likely to have no impact on earnings, analysts said.