Tag Archives: cyberattacks

Automated Cyber-Security Systems: DARPA


From the DARPA website:

DARPA’s Cyber Grand Challenge takes aim at an increasingly serious problem: the inadequacy of current network security systems, which require expert programmers to identify and repair system weaknesses—typically after attackers have taken advantage of those weaknesses to steal data or disrupt processes. Such disruptions pose greater risks than ever as more and more devices, including vehicles and homes, get networked in what has become known as “the Internet of things.”

“Today’s security methods involve experts working with computerized systems to identify attacks, craft corrective patches and signatures and distribute those correctives to users everywhere—a process that can take months from the time an attack is first launched,” said Mike Walker, DARPA program manager. “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”

To help accelerate this transition, DARPA launched the Cyber Grand Challenge, the first computer security tournament designed to test the wits of machines, not experts. The Challenge plans to follow a “capture the flag” competition format that experts have used for more than 20 years to test their cyber defense skills. That approach requires that competitors reverse engineer software created by challenge organizers and locate and heal its hidden weaknesses in a live network competition. The longest-running annual capture-the-flag challenge for experts is held at an annual conference known as DEF CON, and under the terms of a new agreement the Cyber Grand Challenge final competition is scheduled to co-locate with the DEF CON Conference in Las Vegas in 2016…

At the event, computers that have made it through a series of qualifying events over the next two years would compete head-to-head in a final tournament. Custom data visualization technology is under development to make it easy for spectators—both a live audience at the conference and anyone watching the event’s video stream worldwide—to follow the action. Details about the Cyber Grand Challenge and some of the other registered teams can be found at www.cybergrandchallenge.com.

Cyberattacks for Industrial Espionage, the Duqu Virus

Internet security firms have raised the specter of a new round of cyber warfare with last week’s detection of the Duqu virus – a “relative” of last year’s Stuxnet malware, which is thought to have slowed down at least one Iranian nuclear facility. Duqu’s detection comes amid growing talk in Europe about launching pre-emptive strikes to stop cyberattacks before they happen. But the nature of malware like Duqu and Stuxnet makes pre-emptive strikes unrealistic.

“The problem is you can’t really say where they come from,” Candid Wüest, a virus expert at IT security firm Symantec, told Deutsche Welle. “You need evidence about who is behind an attack before you can strike pre-emptively,” said Wüest, “but you can never be sure – you can’t attack infrastructure, or even send in a stealth bomber, because any information about a location could be a red herring.”

Malware makers can hide their tracks using spoofing, VPNs, proxy services and other means to make it look like they are based in any number of countries – when in truth they are somewhere completely different.

Wüest is one of the experts at Symantec currently analyzing the source code behind Duqu. Symantec says it was alerted to the new threat on October 14 by a laboratory that has “international connections.” Since then, Symantec’s investigations suggest that a “few hundred systems have been infected at a handful of companies,” many of which are in Europe. Another IT security firm, McAfee, is also working on the virus. McAfee and Symantec both believe that Duqu shares strong similarities with the Stuxnet virus.

Some of its source code matches that of Stuxnet and because the Stuxnet code is not known to be available online, they say it is likely that Duqu was created by the same people or that they sold the code to another group. While it remains unclear where Stuxnet came from, the New York Times reported in January 2011 that Stuxnet was developed by the American and Israeli governments.

But there are significant differences as well between Duqu and Stuxnet. “Duqu is not spreading like Stuxnet,” said Wüest. “Duqu was carefully placed and can be controlled remotely.” Experts believe that Duqu has been used to target only a limited number of organizations for their specific assets. “Its warhead is not aimed at the technology industry, it’s being used to steal information, so it’s more like industrial espionage,” Wüest added.

By contrast, Stuxnet was created to attack particular computer control systems made by the German firm Siemens.  These control systems are typically used to manage water supplies, oil rigs, power plants and other critical infrastructure.  Stuxnet infections were also found at Iranian nuclear facilities in 2010, leading some to speculate that the virus may have been designed by state actors – by governments or state security services who had wanted to disrupt Iran’s nuclear program.  A year later, Siemens spokesman Wieland Simon is keen to stress that “no customers reported any disruptions” of their control systems because of Stuxnet.

British Foreign Minister William Hague has said his country is developing unspecified electronic weapons that could be used to defend Britain against cyber attacks or prevent them…. In Germany, the Criminal Police Union (BDK) called this week for a specialized federal ministry for the Internet. Andre Schulz, the head of the BDK, told Deutsche Welle there was no danger that such a ministry would politicize issues around cyber warfare. “It’s a sad situation,” said Schulz, “to realize that the government considers the Chaos Computer Club as its experts on IT security – we need a centralized body and I think that would be in the interest of business too.” The CCC revealed nearly two weeks ago that a German government tool designed to perform digital surveillance domestically went well beyond its legal guidelines.

Wieland Simon, the Siemens spokesperson, was less than encouraging, suggesting that “no government can guarantee it can protect a country or entity against cyber attack.” But there is still pressure for governments to do something. “In future wars, there will be a cyber element,” said Mikko Hypponen, the chief research officer of F-Secure, a computer security firm, in an interview with Deutsche Welle. “Countries hope that if they threaten to use missiles to retaliate against a cyber attack, others will think twice about launching one.”

Zulfikar Abbany, ‘Son of Stuxnet’ hits European computer networks, DW-World.De, Oct. 21, 2011

Cyberattacks to Laugh Out Loud: Lulz Security

Nearly 180 passwords belonging to members of an Atlanta-based FBI partner organization have been stolen and leaked to the Internet, the group confirmed Sunday. The logins belonged to members of the local chapter of InfraGard, a public-private partnership devoted to sharing information about threats to U.S. physical and Internet infrastructure, the chapter’s president told The Associated Press.

“Someone did compromise the website,” InfraGard Atlanta Members Alliance President Paul Farley said in a brief email exchange. “We do not at this time know how the attack occurred or the method used to reveal the passwords.”

Copies of the passwords — which appear to include users from the U.S. Army, cybersecurity organizations and major communications companies — were posted to the Internet by online hacking collective Lulz Security, which has claimed credit for a string of attacks in the past week. In a statement, Lulz Security also claimed to have used one of the passwords to steal nearly 1,000 work and personal emails from the chief executive of Wilmington, Delaware-based Unveillance LLC. Lulz Security claimed it was acting in response to a recent report that the Pentagon was considering whether to classify some cyberattacks as acts of war.

The FBI said Sunday that it was aware of the incident and that steps were being taken to mitigate the damage. Farley said InfraGard’s website had been taken down and that members had been advised to change their passwords and beware of further attacks. Farley added that his group — a volunteer organization — had had no previous involvement with Lulz Security, which describes itself as a collective of hackers who attack weakly-protected websites for fun. Lulz is a reference to Internetspeak for “laugh out loud.”

Excerpt, Raphael G. Satter, FBI partner attacked by hackers, passwords taken, Associated Press, June 5, 2011


Not the Last War: New and Old Warfare

A light-bulb moment for me last year was hearing a Chinese defense expert named Dingli Shen in Shanghai talk about the future of warfare. No, he wasn’t expressing a pipe dream about building a blue-water navy to challenge U.S. dominance in the Pacific. Instead, he was talking about the irrelevance of traditional land and sea power in the dawning age of combat – when weapons will include cyberattacks, space weapons, lasers, pulses and other directed-energy beams.

Shen, who teaches at Fudan University, was countering the view of some Chinese analysts that Beijing should embrace the gospel of Alfred Thayer Mahan, the 19th-century American missionary for sea power. Mahan is outdated, he said: With a laser weapon fired from space, “any ship will be burned.” China’s future isn’t in competing to build aircraft-carrier battle groups, argues Shen, but in advanced weapons “to make other command systems fail to work.”

The Chinese theorist’s comments suggest a trend that you might not appreciate watching the news footage of U.S. soldiers in Afghanistan. The nature of warfare is nearing another “hinge point” attributable to the advance of technology. Just as gunpowder, cannons, airplanes, rockets and nuclear power changed the face of combat, so, too, will a new generation of weapons on the drawing boards – not just in America but also in China, India and other advanced technological nations.

Here’s a hint of the coming competition: In 2010, China matched the United States in the number of rocket launches into space (15), the first time any nation has equaled the United States, according to Wired magazine’s “Danger Room” blog. Meanwhile, according to Aviation Week, peaceful Japan is planning to put a directed-energy weapon on its next-generation fighter.

The reality that warfare is changing has half-dawned on the Pentagon. The Navy and Air Force in particular are developing exotic weapons systems that use every trick of science. Here are a few examples I pulled from defense publications.

The Air Force, for example, has a “Directed Energy Directorate.” If you think “ray guns” are just for Buck Rogers, consider this pitch from one of the directorate’s publications about using gamma rays, lasers, microwaves and other parts of the electromagnetic spectrum: “Intensifying and focusing these waves can produce a variety of directed energy concepts capable of being developed into a highly effective weapons-class arsenal.”

The Navy has a “Maritime Laser Demonstration” project that seeks to build a shipboard laser cannon by 2014. Its first sea test was halted in November because of a malfunction, but it will be back. So will the Air Force, whose test of an airborne, megawatt-class chemical laser failed in October.

And while we’re discussing tests of spooky systems, how about an Air Force contract awarded last month to bombard computers with high-powered electromagnetic radiation, to see when they fail. The objective, says Wired’s Spencer Ackerman, is to “learn how to fry the other guy’s electronics while protecting your own.”

What worries me is that even as the military looks forward, the brass is still clamoring to build the legacy systems – think aircraft-carrier battle groups – that will soon be vulnerable to the new weapons. It’s as if the Pentagon were trying to be the old IBM, running big, clunky mainframes while trying to be an Apple-like innovator. We can’t afford to do both.

The puzzle to ponder in 2011 and beyond is how the United States can retain the “legacy power” benefits that come from conventional fleets and bases around the world while transitioning to the new realities of military power. We don’t want to be the national equivalent of a train company at the advent of air travel, or a radio network trying to protect its old programming in the age of television.

I come back to Shen, the Chinese analyst. He says that he’s grateful that the United States is willing to spend so many billions of dollars to protect the sea lanes on which China depends for its global commerce. But instead of competing to build ships and tanks, he says, China will focus on the weapons that can cripple them. Somehow, we need to stop being the suckers when it comes to defense.  We can’t stop “fighting the last war” when we’re in the middle of it. But it’s time to think more about the vulnerability of existing systems and whether there are ways to cut sharply the Pentagon’s “legacy” budget, even as we spend more for the new age.

By David Ignatius, The Future of Warfare, Washington Post, January 2, 2011; A15