Thursday, 21 August 2014

US Air Force is Focusing on Cyber Deception

Cryptome links (.pdf) to a copy of a presolicitation (original source) by the US Air Force for “capabilities for cyber resiliency” (BAA-RIK-14-07, dated August 1st 2014). That presolicitation mentions “cyber deception” (MILDEC) as a specific focus area for FY15-FY16:
Background: Deception is a deliberate act to conceal activity on our networks, create uncertainty and confusion against the adversary’s efforts to establish situational awareness and to influence and misdirect adversary perceptions and decision processes. Military deception is defined as “those actions executed to deliberately mislead adversary decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission.” Military forces have historically used techniques such as camouflage, feints, chaff, jammers, fake equipment, false messages or traffic to alter an enemy’s perception of reality. Modern day military planners need a capability that goes beyond the current state-of-the-art in cyber deception to provide a system or systems that can be employed by a commander when needed to enable deception to be inserted into defensive cyber operations.
Relevance and realism are the grand technical challenges to cyber deception. The application of the proposed technology must be relevant to operational and support systems within the DoD. The DoD operates within a highly standardized environment. Any technology that significantly disrupts or increases the cost to the standard of practice will not be adopted. If the technology is adopted, the defense system must appear legitimate to the adversary trying to exploit it.
Objective: To provide cyber-deception capabilities that could be employed by commanders to provide false information, confuse, delay, or otherwise impede cyber attackers to the benefit of friendly forces. Deception mechanisms must be incorporated in such a way that they are transparent to authorized users, and must introduce minimal functional and performance impacts, in order to disrupt our adversaries and not ourselves. As such, proposed techniques must consider how challenges relating to transparency and impact will be addressed. The security of such mechanisms is also paramount, so that their power is not co-opted by attackers against us for their own purposes. These techniques are intended to be employed for defensive purposes only on networks and systems controlled by the DoD.
Advanced techniques are needed with a focus on introducing varying deception dynamics in network protocols and services which can severely impede, confound, and degrade an attacker’s methods of exploitation and attack, thereby increasing the costs and limiting the benefits gained from the attack. The emphasis is on techniques that delay the attacker in the reconnaissance through weaponization stages of an attack and also aid defenses by forcing an attacker to move and act in a more observable manner. Techniques across the host and network layers or a hybrid thereof are of interest in order to provide AF cyber operations with effective, flexible, and rapid deployment options.
This focus area is currently envisioned to consist of two phases running approximately 12 months each. The first phase (Concept Development) will consist of one to three study efforts that will examine potential deception technologies that could be developed. This will focus on the description, design and development of techniques and technologies that could be employed in an Air Force network. These efforts will be brought to a proof-of-concept level, and the implementations will be evaluated at the end of this phase. In the second phase (Prototyping), also lasting approximately 12 months, one or more of the concepts that show promise will be further developed to produce a prototype system capable of demonstration in a relevant environment. The system(s) developed by the end of this phase will be evaluated. At the end of this second phase, a “go/no-go” decision will be made to determine if the prototype(s) will undergo further refinement, evaluation, and potential integration with an eye toward transition.
Questions regarding this focus area can be directed to:
Anthony Macera
(315) 330-4480
As an indication of what it’s all about, I cite the following from Deception for Defense of Information Systems: Analogies from Conventional Warfare (Neil C. Rowe and Hy S. Rothstein):
  • Six general principles for effective tactical deception (Fowler and Nesbitt, 1995)
    • Deception should reinforce enemy expectations
    • Deception should have realistic timing and duration
    • Deception should be integrated with operations
    • Deception should be coordinated with concealment of true intentions
    • Deception realism should be tailored to needs of the setting
    • Deception should be imaginative and creative
  • Taxonomy of kinds of deception (Dunnigan and Nofi, 2001)
    • Concealment (“hiding your forces from the enemy”)
    • Camouflage (“hiding your troops and movements from the enemy by artificial means”)
    • False and planted information (disinformation, “letting the enemy get his hands on information that will hurt him and help you”)
    • Lies (“when communicating with the enemy”)
    • Displays (“techniques to make the enemy see what isn’t there”)
    • Ruses (“tricks, such as displays that use enemy equipment and procedures”)
    • Demonstrations (“making a move with your forces that implies imminent action, but is not followed through”)
    • Feints (“like a demonstration, but you actually make an attack”)
    • Insight (“deceive the opponent by outthinking him”)
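The solicitation text above asks for deception "in network protocols and services" that is transparent to authorized users, costs the defender little, and forces the attacker to act observably; Dunnigan and Nofi's "displays" (making the enemy see what isn't there) is the closest item in the taxonomy. The following is an added illustration of one such host-layer mechanism, written for this page and not taken from the Air Force BAA, Rowe and Rothstein, or any product: an otherwise unused port answers reconnaissance with a plausible service banner that rotates on a secret schedule, and every connection is logged as an alert, because nobody with a legitimate reason ever connects to it. The ports, banners, rotation period and the "decoy ports are unused" premise are assumptions.

```python
"""Decoy service responder illustrating host-layer cyber deception.

Added example (not from the Air Force BAA or any product): an unused port
answers reconnaissance with a plausible banner that rotates over time, and
every connection is logged as an alert, because no authorized user has a
reason to touch it.  Ports, banners and rotation period are assumptions.
"""
import hashlib
import json
import socket
import threading
from datetime import datetime, timezone

# Plausible service banners per advertised port (constructed examples).
DECOY_BANNERS = {
    22: [b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n",
         b"SSH-2.0-OpenSSH_5.3\r\n"],
    21: [b"220 (vsFTPd 3.0.2)\r\n",
         b"220 ProFTPD 1.3.5 Server ready.\r\n"],
    25: [b"220 mail.example.internal ESMTP Postfix\r\n",
         b"220 mail.example.internal ESMTP Sendmail 8.14.4\r\n"],
}

ROTATION_SECONDS = 3600   # assumption: the presented banner changes hourly


def pick_banner(decoy_port, now_ts, secret=b"per-site-secret"):
    """Choose the banner a decoy port presents during the current window.

    The choice is keyed by a secret so the attacker cannot predict the
    rotation, yet it is stable within a window so one scan sees a
    consistent service.  Across windows a rescanning attacker collects
    contradictory fingerprints: the "varying deception dynamics" the
    solicitation text asks for.
    """
    choices = DECOY_BANNERS[decoy_port]
    window = int(now_ts // ROTATION_SECONDS)
    digest = hashlib.sha256(secret + b"%d:%d" % (decoy_port, window)).digest()
    return choices[int.from_bytes(digest[:4], "big") % len(choices)]


def record_probe(src_ip, src_port, decoy_port, first_bytes, now_ts):
    """Turn a connection to a decoy into an alert record.

    Authorized users never connect to the decoy (assumption: the port is
    otherwise unused), so any touch is reconnaissance by definition.  This
    is the observable attacker action the text wants to force.
    """
    return {
        "ts": datetime.fromtimestamp(now_ts, timezone.utc).isoformat(),
        "src": "%s:%d" % (src_ip, src_port),
        "decoy_port": decoy_port,
        "probe_hex": first_bytes.hex(),
        "verdict": "reconnaissance",
    }


def make_listener(host, port):
    """Bind and listen before any client is started, to avoid a race."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def serve_once(srv, decoy_port):
    """Accept one connection, send the rotating banner, log the probe.

    The listening port may differ from decoy_port (an unprivileged port in
    a test) while the banner still impersonates the advertised service.
    """
    conn, (ip, sport) = srv.accept()
    with conn:
        now_ts = datetime.now(timezone.utc).timestamp()
        conn.sendall(pick_banner(decoy_port, now_ts))
        conn.settimeout(1.0)
        try:
            data = conn.recv(256)
        except socket.timeout:
            data = b""
        return record_probe(ip, sport, decoy_port, data, now_ts)


if __name__ == "__main__":
    # Loopback demonstration: the "attacker" connects, reads the banner,
    # and its touch ends up in the alert log.
    alert = {}
    with make_listener("127.0.0.1", 2222) as srv:
        t = threading.Thread(target=lambda: alert.update(serve_once(srv, 22)))
        t.start()
        with socket.create_connection(("127.0.0.1", 2222)) as c:
            print("attacker sees:", c.recv(128))
            c.sendall(b"SSH-2.0-scanner\r\n")
        t.join()
    print("alert:", json.dumps(alert))
```

The defender's cost is one listener per decoy port and no change to real services, which is what the "transparent to authorized users" and "minimal impact" requirements in the solicitation reduce to in practice; the attacker, by contrast, must either touch the decoy (and be logged) or slow down to tell decoys from real hosts.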
Related (partially thanks to Jim Henderson / Raytheon):

Professor hacks University Health Conway in demonstration for class

Louisiana-based University Health Conway is notifying more than 6,000 patients that a computer science professor from the City College of San Francisco gained access to a server with their personal information while demonstrating computer system vulnerabilities to a class.
How many victims? 6,073.
What type of personal information? Guarantor names, account numbers and payment amounts.
What happened? A computer science professor from the City College of San Francisco accessed the server containing the data while demonstrating computer system vulnerabilities to a class.
What was the response? The computer science professor notified University Health Conway. Actions are being taken to secure the computer server and increase security monitoring of computer systems. University Health Conway is notifying all impacted individuals.
Details: The breach occurred on Monday and the computer science professor notified University Health Conway on Tuesday. The information dates back to 2012.

US hospital hack 'exploited Heartbleed flaw'

The theft of personal data belonging to about 4.5 million healthcare patients earlier this year was made possible because of the Heartbleed bug, according to a leading security expert.
Community Health Systems - the US's second largest profit-making hospital chain - announced on Monday that its systems had been breached.
The head of TrustedSec - a cybersecurity firm - now alleges that the encryption flaw was exploited.
CHS has yet to respond to the claim.
The Heartbleed bug made headlines in April when Google and Codenomicon - a Finnish security company - revealed a problem with OpenSSL, a cryptographic library used to digitally scramble sensitive data.
OpenSSL is used by computer operating systems, email, instant messaging apps and other software products to protect sensitive data - users see a padlock icon in their web browser if it is active.
A fix was made available at the time, and software-makers that used OpenSSL in their products were urged to employ it.
If confirmed, this is the biggest identified breach relating to the bug.
Until now attacks on the UK's parenting social network Mumsnet and the Canadian tax authority were the biggest known Heartbleed-related intrusions.
Other examples may have gone undetected since hackers can exploit the problem without leaving a trace of their activity.
Patching Heartbleed

David Kennedy, chief executive of TrustedSec, told the Bloomberg news agency that three people close to the CHS investigation had notified him that Heartbleed had been pinpointed as the vulnerability used to steal names, phone numbers, addresses, and social security numbers from the hospital group's systems.
He explained the hackers took advantage of the fact that Franklin, Tennessee-based CHS, used products made by Juniper, a firm that makes hardware and software to manage computer networks.
Like many of its competitors, it took Juniper several weeks to patch all its affected code after the Heartbleed alert was issued.
"The time between zero-day (the day Heartbleed was released) and patch day (when Juniper issued its patch) is the most critical time for an organisation where monitoring and detection become essential elements of [an] IT security programme," wrote Mr Kennedy on his company's blog.
"What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay.
"Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place."
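Kennedy's point is that the window between the Heartbleed disclosure and the vendor patch is when monitoring has to carry the load, and the article notes earlier that the flaw can be exploited "without leaving a trace" on the server itself. The trace does exist on the wire. The following is an added example, written for this page and not taken from the BBC article, TrustedSec, Juniper or CHS, of what a passive sensor can check: the bounds test that the OpenSSL fix for CVE-2014-0160 added (a heartbeat whose declared payload_length plus 16 bytes of padding exceeds the record length), applied to plaintext heartbeats such as the public probes sent before the handshake completes, plus a record-size heuristic for heartbeats that are already encrypted. The sample records and the slack value are constructed for illustration.

```python
"""Passive detector for Heartbleed (CVE-2014-0160) attempts in captured TLS.

Added example; not from the BBC article, TrustedSec, Juniper or CHS.  The
sample records and the size-slack heuristic below are constructed for
illustration.
"""
import struct

TLS_HEARTBEAT = 0x18          # record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of padding


def parse_records(buf):
    """Split a TLS byte stream into (content_type, version, body) records."""
    records, off = [], 0
    while off + 5 <= len(buf):
        ctype, version, length = struct.unpack("!BHH", buf[off:off + 5])
        body = buf[off + 5:off + 5 + length]
        if len(body) < length:          # truncated capture; stop here
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records


def inspect_plaintext_heartbeat(body):
    """Apply the patched-OpenSSL bounds check to a plaintext heartbeat.

    A heartbeat body is type(1) | payload_length(2) | payload | padding(>=16).
    The fix for CVE-2014-0160 discards the message when
    1 + 2 + payload_length + 16 exceeds the record length; an unpatched
    server instead copies payload_length bytes of process memory into the
    reply.  Returns (verdict, payload_length).
    """
    if len(body) < 3:
        return ("malformed", None)
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return ("opaque", None)         # probably encrypted; use size check
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        return ("heartbleed_attempt" if hb_type == HB_REQUEST
                else "heartbleed_leak", payload_len)
    return ("ok", payload_len)


def scan_stream(buf):
    """Return (record_index, verdict, payload_length) for every heartbeat."""
    return [(i,) + inspect_plaintext_heartbeat(body)
            for i, (ctype, _, body) in enumerate(parse_records(buf))
            if ctype == TLS_HEARTBEAT]


def response_size_anomaly(request_record_len, response_record_len, slack=256):
    """Heuristic that still works once heartbeats are encrypted.

    After the handshake the payload_length field sits inside the
    ciphertext, but record lengths stay visible.  A legitimate response
    echoes the request payload plus padding, so it is about the size of
    the request; a response hundreds of bytes larger than the request it
    answers is leaked memory.  The slack value is an assumption.
    """
    return response_record_len > request_record_len + slack


# Constructed sample: a handshake record, a benign heartbeat whose declared
# length matches, then the classic 8-byte probe claiming 16384 bytes of
# payload while carrying none.
HANDSHAKE = b"\x16\x03\x02\x00\x02\x01\x00"
BENIGN = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
ATTACK = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
SAMPLE = HANDSHAKE + BENIGN + ATTACK

if __name__ == "__main__":
    for idx, verdict, plen in scan_stream(SAMPLE):
        print("record %d: %s (declared payload %s)" % (idx, verdict, plen))
    # An 8-byte request answered by a 16 KiB record: memory came back.
    print("size anomaly:", response_size_anomaly(8, 5 + 16403))
```

The plaintext check is exact and matches the condition the OpenSSL patch tests; the size heuristic is what network IDS signatures of the time had to fall back on for encrypted sessions, and it trades some false positives for coverage during exactly the unpatched window Kennedy describes.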
A spokeswoman for the CHS's security provider Mandiant was not available for comment.
TrustedSec previously helped uncover a security breach at Yahoo, and last year Mr Kennedy was called to give evidence to Congress about suspected vulnerabilities in the US government's healthcare website.
Another independent expert said the explanation given for the intrusion appeared incomplete but credible.
"The blog post is not very detailed and is attributed to an anonymous source," said Dr Steven Murdoch from University College London's computer science department.
"It's not conclusive evidence, but it's certainly plausible since the Juniper operating system was vulnerable to the Heartbleed attack, and the way that it's explained that the hackers got in is also plausible.
"It is interesting that the first breach happened in April, which was the same month that the Heartbleed vulnerability was announced, so it seems that well-organised hackers were making use of the flaw immediately after it came out."
CHS has indicated that the attacks originated from China and had resulted in the perpetrators obtaining log-in credentials belonging to its employees.
These were then used to steal records, it believes, in April and June this year.
The firm, which runs 206 hospitals in 29 states, is now in the process of notifying affected patients.
CHS has stressed that it believes no medical records or financial information have been transferred as result of the intrusion.