Archive for the ‘cybersecurity’ Category

Cybersecurity as the seamy underbelly of information technology

Wednesday, September 8th, 2010

Nextgov reports in ‘Scientists view cybersecurity as an intimidating conundrum’ on the President’s Council of Advisors on Science and Technology’s recent look at cybersecurity.

“The Internet’s extensive cybersecurity vulnerabilities are so hard to fix that information technology researchers sometimes avoid studying the topic like they were steering clear of the seamy underbelly of a great metropolitan city, top scientists said on Thursday.

Jeannette M. Wing, who served as assistant director of the computer and information science and engineering directorate at the National Science Foundation from 2007 until recently, was called in by the President’s Council of Advisors on Science and Technology to discuss specific areas in the networking and information technology sector that the federal government should be investing research and development funds in.

“I think cybersecurity . . . is the most difficult challenge. And it’s not just a societal and political challenge. It’s a technical challenge,” said Wing, who this summer returned to her post as head of the computer science department at Carnegie Mellon University. “Leadership needs to come from the top since no one sector of government, industry and academia can address this challenge alone.”

PCAST is an advisory group of the nation’s leading scientists and engineers who directly advise the President on areas involving science, technology and innovation, strengthening our economy and forming policy that works for the American people. PCAST is administered by the Office of Science and Technology Policy (OSTP).

You can see Dr. Wing’s testimony in this video.

UMBC launches new cybersecurity graduate programs

Saturday, August 28th, 2010

UMBC has established two new graduate programs in cybersecurity education, one leading to a Master’s in Professional Studies (MPS) degree in cybersecurity and another to a graduate certificate in cybersecurity strategy and policy. Both are designed for students and working professionals who aspire to make a difference in the security, stability, and functional agility of the national and global information infrastructure. The programs will begin in January 2011.

Middle-earth dictionary attack

Tuesday, August 24th, 2010

Middle-earth dictionary attack (image)

Researchers install PAC-MAN on Sequoia voting machine w/o breaking seals

Monday, August 23rd, 2010

Here’s a new one for the DIY movement.

Security researchers J. Alex Halderman and Ariel Feldman demonstrated PAC-MAN running on a Sequoia voting machine last week at the EVT/WOTE Workshop held at the USENIX Security conference in DC.

Amazingly, they were able to install the game on a Sequoia AVC Edge touch-screen DRE (direct-recording electronic) voting machine without breaking the original tamper-evident seals.

Here’s how they describe what they did on Halderman’s web site:

“What is the Sequoia AVC Edge?

It’s a touch-screen DRE (direct-recording electronic) voting machine. Like all DREs, it stores votes in a computer memory. In 2008, the AVC Edge was used in 161 jurisdictions with almost 9 million registered voters, including large parts of Louisiana, Missouri, Nevada, and Virginia, according to Verified Voting.

What’s inside the AVC Edge?

It has a 486 SLE processor and 32 MB of RAM—similar specs to a 20-year-old PC. The election software is stored on an internal CompactFlash memory card. Modifying it is as simple as removing the card and inserting it into a PC.

Wouldn’t seals expose any tampering?

We received the machine with the original tamper-evident seals intact. The software can be replaced without breaking any of these seals, simply by removing screws and opening the case.

How did you reprogram the machine?

The original election software used the pSOS+ embedded operating system. We reformatted the memory card to boot DOS instead. (Update: Yes, it can also run Linux.) Challenges included remembering how to write a config.sys file and getting software to run without logical block addressing or a math coprocessor. The entire process took three afternoons.”

You can find out more from the presentation slides from the EVT workshop, Practical AVC-Edge CompactFlash Modifications can Amuse Nerds. They sum up their study with the following conclusion.

“In conclusion, we feel our work represents the future of DREs. Now that we know how bad their security is, thousands of DREs will be decommissioned and sold by states over the next several years. Filling our landfills with these machines would be a terrible waste. Fortunately, they can be recycled as arcade machines, providing countless hours of amusement in the basements of the nation’s nerds.”

USCYBERCOM secret revealed

Thursday, July 8th, 2010
USCYBERCOM logo (image)

The secret message embedded in the USCYBERCOM logo (the 32-character string in the inner gold ring of the logo above) is what the md5sum function returns when applied to USCYBERCOM’s official mission statement. Here’s a demonstration of this fact done on a Mac. On Linux, use the md5sum command instead of md5; it prints the same digest followed by “ -” to mark standard input.

~> echo -n "USCYBERCOM plans, coordinates, integrates, \
synchronizes and conducts activities to: direct the \
operations and defense of specified Department of \
Defense information networks and; prepare to, and when \
directed, conduct full spectrum military cyberspace \
operations in order to enable actions in all domains, \
ensure US/Allied freedom of action in cyberspace and \
deny the same to our adversaries." | md5

md5sum is a standard Unix command that computes MD5, a hash function that maps input of any length to a 128-bit “fingerprint”. For ordinary inputs it is vanishingly unlikely that two different strings produce the same value, which is all this puzzle needs. Note, however, that MD5’s collision resistance has been broken since 2004: two different inputs with the same digest can be constructed deliberately, so MD5 should not be relied on for signatures, tamper detection against an adversary, or any other security purpose (use SHA-2 instead). Cryptographic hash functions of this kind have many uses in cryptography. When reproducing the result, make sure the input is byte-for-byte identical to the original: a trailing newline (echo without -n), a different space or punctuation mark, or a different character encoding yields a completely different digest.

Thanks to Ian Soboroff for spotting the answer on Slashdot and forwarding it.

Someone familiar with MD5 would recognize that the secret string has the same length and character mix as an MD5 digest: 32 hexadecimal characters. Each hex character (0123456789abcdef) represents four bits, so 32 of them encode 128 bits.

We’ll leave it as an exercise for the reader to compute the 128 bit sequence that our secret code corresponds to.
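As an added example (not code from the original post or from USCYBERCOM), here is the same computation in Python, which also works the exercise for the reader: it expands the 32 hex characters into the 128-bit sequence, checks whether a candidate string even has the shape of an MD5 digest, and shows the commonest way to get the wrong answer, hashing the statement with a trailing newline (echo instead of echo -n). The mission statement text and its punctuation are copied from the shell command above; the function names are assumptions introduced here.

```python
import hashlib

# The mission statement exactly as quoted in the shell command on this page
# (a constructed copy; the digest is reproducible only if the bytes match).
MISSION = (
    "USCYBERCOM plans, coordinates, integrates, synchronizes and conducts "
    "activities to: direct the operations and defense of specified Department "
    "of Defense information networks and; prepare to, and when directed, "
    "conduct full spectrum military cyberspace operations in order to enable "
    "actions in all domains, ensure US/Allied freedom of action in cyberspace "
    "and deny the same to our adversaries."
)

HEX_DIGITS = "0123456789abcdef"


def md5_hex(text):
    """Return the 32-character lowercase hex MD5 digest of text (UTF-8 bytes).

    Equivalent to `echo -n "$text" | md5` on a Mac or `... | md5sum` on Linux.
    """
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def looks_like_md5(s):
    """The check a puzzle-solver applies first: exactly 32 hex characters."""
    return len(s) == 32 and all(c in HEX_DIGITS for c in s.lower())


def hex_to_bits(hexdigest):
    """Expand a hex digest into its bit string, four bits per hex character.

    This is the "exercise for the reader": 32 hex characters -> 128 bits.
    """
    if not looks_like_md5(hexdigest):
        raise ValueError("expected a 32-character hexadecimal string")
    return "".join(format(int(c, 16), "04b") for c in hexdigest.lower())


def bit_difference(a_hex, b_hex):
    """Hamming distance between two digests: how many of the 128 bits differ."""
    return sum(x != y for x, y in zip(hex_to_bits(a_hex), hex_to_bits(b_hex)))


def trailing_newline_pitfall(text):
    """Digest without and with a trailing newline, i.e. `echo -n` versus `echo`.

    Returns (correct_digest, wrong_digest); the two share nothing useful.
    """
    return md5_hex(text), md5_hex(text + "\n")


if __name__ == "__main__":
    digest = md5_hex(MISSION)
    print("md5 of the mission statement:", digest)
    print("as 128 bits:", hex_to_bits(digest))
    correct, wrong = trailing_newline_pitfall(MISSION)
    print("with a trailing newline instead:", wrong)
    print("bits that differ:", bit_difference(correct, wrong), "of 128")
```

Run it and compare the first line of output with the string in the logo; if they differ, the input text is what to check (spaces, the semicolons, the final period), not the hash function. The two hex-to-bits assertions on all-zero and all-one digests and the RFC 1321 test vectors for "" and "abc" are the sanity checks a practitioner would keep around when wiring MD5 into anything.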

Cyber Command embeds encrypted message in USCYBERCOM logo

Wednesday, July 7th, 2010
USCYBERCOM logo (image)

Cyber Command (USCYBERCOM) is the new unit in the US Department of Defense that is responsible for the “defense of specified Department of Defense information networks” and, when needed, to “conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure freedom of action in cyberspace for the U.S. and its allies, and deny the same to adversaries.”

Their logo has an encrypted message in its inner gold ring:


An article in Wired quotes a USCYBERCOM source:

“It is not just random numbers and does ‘decode’ to something specific,” a Cyber Command source tells Danger Room. “I believe it is specifically detailed in the official heraldry for the unit symbol.”

“While there a few different proposals during the design phase, in the end the choice was obvious and something necessary for every military unit,” the source adds. “The mission.”

Here’s your chance to use those skills you learned in CMSC 443. Wired is offering a T-shirt to the first person who can crack the code: “With that hint in hand, go crack this code open. E-mail us your best guess, or leave it in the comments below. Our Cyber Command source will confirm the right answer. And the first person to get it gets his/her choice of a Danger Room T-shirt.” USCYBERCOM might offer you a job.

Social media DOS attack focused on Georgian blogger Cyxymu

Thursday, August 6th, 2009

Elinor Mills of CNET reports that the DoS attacks against Twitter, Facebook, LiveJournal and Blogger were focused on a single Georgian blogger using the name Cyxymu.

A pro-Georgian blogger with accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube was targeted in a denial of service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.

The blogger, who uses the account name “Cyxymu,” (the name of a town in the former Soviet Republic) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.

“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Kelly said. “We’re actively investigating the source of the attacks and we hope to be able to find out the individuals involved in the back end and to take action against them if we can.”

According to The Register (‘Researcher: Twitter attack targeted anti-Russian blogger’), the DoS attack was driven by spam rather than a botnet: spam messages enticed their recipients to click on a link to one of Cyxymu’s many social media accounts, so the flood of requests came from ordinary users following the link rather than from compromised machines.

You can try to access Cyxymu’s pages on twitter, livejournal, facebook, blogger and youtube.

DDOS on twitter, facebook and livejournal

Thursday, August 6th, 2009

It will be interesting to see what comes from today’s DDoS attacks on Twitter, Facebook and LiveJournal. It is certainly a show of strength from whoever controls the botnets that launched the attacks. We can only assume that the three are from the same source or at least related sources. Some sources:

Was it a test? A demonstration? Preparation for extortion (“Nice little Internet you got there. Shame if something happened to it.”)?

DoD conflicted about social media systems

Thursday, August 6th, 2009

The Department of Defense remains conflicted about their position on social media.

This past Sunday the US Marine Corps announced an immediate ban of Internet social networking sites on their NIPRNET network due to potential security risks. Specific examples of the sites now banned included facebook, myspace, and twitter.

Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, tweeted yesterday:

“Obviously we need to find right balance between security and transparency. We are working on that. But am I still going to tweet? You bet.”

The comment also appeared on Admiral Mullen’s facebook page.

While it’s tempting to poke fun at the apparent contradiction, there is a real difference between the two cases. It’s well known that there are many Web-borne vulnerabilities that can compromise a computer, and that they are more likely to be encountered in open, popular environments like social media systems, so it’s prudent to limit access to some of these from networks like NIPRNET that are used for sensitive information. On the other hand, we assume that the computers used by Admiral Mullen and his staff for public announcements and PR are on conventional networks, where the consequences of a compromise are much smaller.

Still, you have to admit that it’s ironic.

NSA: lead for Government IDS, DHS involvement added

Friday, July 3rd, 2009

The Washington Post has a long article on the latest Obama administration plan to protect government agencies from cyber attacks, Cybersecurity Plan to Involve NSA, Telecoms — DHS Officials Debating The Privacy Implications.

“The Obama administration will proceed with a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, with AT&T as the likely test site, according to three current and former government officials.

President Obama said in May that government efforts to protect computer systems from attack would not involve “monitoring private-sector networks or Internet traffic,” and Department of Homeland Security officials say the new program will scrutinize only data going to or from government systems.

But the program has provoked debate within DHS, the officials said, because of uncertainty about whether private data can be shielded from unauthorized scrutiny, how much of a role NSA should play and whether the agency’s involvement in warrantless wiretapping during George W. Bush’s presidency would draw controversy. Each time a private citizen visited a “dot-gov” Web site or sent an e-mail to a civilian government employee, that action would be screened for potential harm to the network.”

This is reported to be a continuation of the Einstein 3 program begun under the Bush administration. One difference is the new role for DHS in providing some oversight and guidance.

“Under a classified pilot program approved during the Bush administration, NSA data and hardware would be used to protect the networks of some civilian government agencies. Part of an initiative known as Einstein 3, the plan called for telecommunications companies to route the Internet traffic of civilian agencies through a monitoring box that would search for and block computer codes designed to penetrate or otherwise compromise networks.”

There’s a lot more in the article that is worth reading.