Stakes rising as malware matures

Stakes rising as malware matures

With the constant drumbeat of cybersecurity worries that government has to deal with, it’s easy to lose sight of the trees when it comes to threats, and to consider them all as part of the same dark forest. But as two recently discovered exploits show, malware writing is as much a creative industry as any legitimate software business, and organizations need to be aware of the details to successfully defend their data and systems.

One of the newest pieces of malware is actually a throwback of sorts. MiniDuke was first identified in February 2013 by Kaspersky Lab, which described it as a “highly customized malicious program” used to attack multiple government entities and institutions both in the United States and around the world using a backdoor exploit.

The head of the Lab, Eugene Kaspersky, said then that it reminded him of older style of malware of the late 1990s and early 2000s, written with Assembler language and being very small in size, just 20 kilobytes or so. The combination of these “experienced, old school writers using newly discovered exploits and clever social engineering” against high profile targets he believed to be “extremely dangerous.”

In particular, according to the Lab’s analysis, MiniDuke was programmed to avoid analysis through a hard-coded set of tools in certain environments such as VMware, showing that the writers “know exactly what antivirus and IT security professionals are doing in order to analyze and identify malware.”

Following that first discovery, MiniDuke attacks decreased and eventually seemed to disappear. Apparently, however, it was only going underground, and it reappeared in an even more sophisticated form earlier this year. Among others, the targets apparently include organizations involved with government, energy, telecom and military contracting.

The new backdoor, also known as TinyBaron or CosmicDuke, spoofs a number of popular applications that run in the background on a system, can start up via the Windows Task Scheduler and can steal information using a broad range of extensions and file name keywords. Kaspersky Lab says it assigns a unique ID to each of the malware’s victims, which allows for specific updates of the malware. It also uses a custom obfuscator to prevent anti-malware tools from detecting it.

Remote access attacks

At the end of June, US-CERT issued an advisory about malware apparently aimed at industrial control systems, which some analysts claimed could cause Stuxnet-level damage to power plants and other sites through denial of service attacks. According to security firm Symantec, the attackers, known as Dragonfly, could potentially cause much greater chaos than Stuxnet, with victims already compromised in the United States, Spain, France, Italy, Germany, Turkey and Poland. 

The attackers use two main pieces of malware called remote access tools, Symantec said. Backdoor.Oldrea, also known as Havex or Energetic Bear, acts as a backdoor to a victim’s system and, once installed, can extract system information. The other main tool is Trojan.Karagany, openly available on the underground malware market, which can upload stolen data, download new files and run executable files on infected computers.

The Dragonfly group, possibly Eastern European and state sponsored, is “technically adept and able to think strategically,” Symantec said. “Given the size of some of its targets, the group found a ‘soft underbelly’ by compromising [the targets’] suppliers, which are invariably smaller, less protected companies.”

Defenses against the Dragonfly attacks include both antivirus and intrusion prevention signatures, but, given that the attacks had been ongoing and undetected for a while, a large number of systems probably remain infected.

As well as targeted attacks, general phishing attacks by cybercriminals aimed at stealing personal and financial information from institutions are also on the rise. While government sites are less than 2 percent of the overall targets for these attacks, according to the Anti-Phishing Working Group, the United States has by far the biggest number of phishing websites. Globally, it said, the number of infected machines has risen to nearly 33 percent.

The question is how government can best position itself against these attacks, which seem to be increasing both in number and sophistication. Keeping them out entirely no longer seems a plausible strategy, and the consensus is moving more towards limiting the damage they can cause.

Posted by Brian Robinson on Jul 07, 2014 at 12:53 PM0 comments

Man stares at screen

Can telework improve cybersecurity?

Federal officials gave high marks to the administration’s digital government strategy and telework initiatives in a recent survey, and the Mobile Work Exchange concluded that the future is bright for continued investment in technology to enable these efforts.

Yet in the same survey, 88 percent of human resource managers said they had an employee leave because of a lack of telework opportunities, and more than half said they had trouble landing the best candidates for a job because of teleworking restrictions. This makes federal agencies less competitive in the workforce marketplace at a time when another recent study by the RAND Corporation concluded that the shortage of cybersecurity professionals is a threat to national security.

“A shortage exists, it is worst for the federal government and it potentially undermines the nation’s cybersecurity,” said the RAND examination of the cybersecurity labor market. 

Although the report concluded that that the cybersecurity workforce shortage is “a crisis that requires and urgent remedy,” it also noted that work is underway to correct this situation and advised that “fears be tempered” on the subject.

Short-term shortages are likely to persist for some years, but the labor market eventually will correct itself in the long run with higher wages and more education and training programs.

In the meantime, however, employers will have to compete for a scarce resource. “Government agencies face a more difficult challenge, since their pay scales are constrained; they may therefore focus on hiring entry-level employees and training them,” the RAND report said.

Top-tier cybersecurity professionals can earn up to $250,000 a year in the private sector, according to the report, but federal salaries top out at a little more than $150,000, and most agencies have little flexibility in offering more money.

Government clearly will have to compete for these professionals in areas other than pay. Flexible working conditions, including the opportunity to be mobile on the job and telework, is one place agencies can improve their hiring and retention, the study by the Mobile Work Exchange suggested. Just about every study on the subject has shown that teleworking improves employee satisfaction.

Overall, the survey of 154 federal executives gave the government a B- in pursuing digital government initiatives, and a B+ on telework, and nearly 70 percent of respondents reported a positive return on their telework investments. But culture and resistance from managers remain roadblocks to fully taking advantage of the benefits of telework, ahead of security, technology and funding concerns.

The study estimated that the government has spent about $373 per worker – or $1.6 billion total – providing technology to enable a more mobile workforce, primarily by supplying laptops, smartphones and management software. But if frontline managers do not embrace the idea of a mobile workforce, agencies are likely to continue having trouble in hiring the best young people for entry level positions and have even more trouble hanging on to them after they have been trained and have become experienced professionals.

Posted by William Jackson on Jun 27, 2014 at 12:46 PM3 comments

Wrenches and bolts to tighten security for the Internet of Things

Tools to tighten the Internet of Things

The Internet of Things (IoT) is coming, and there’s no doubting its potential. Government IT managers don’t care that your fridge can tell your smartphone what you need to buy next, but they do appreciate that advances in connectivity and data collection will enable major improvements to services that government provides citizens.

Those improvements will come from linking the embedded computing systems that drive much of the country’s infrastructure and that outnumber the more familiar servers, PCs and laptops many times over. With the IoT, systems will become even more numerous and capable, and that’s one of the key factors in the growth of Smart Cities. But it poses a massive security problem.

Market researcher International Data Corp. sees strong growth for the IoT in a number of areas over the next few years, including government. It projects a 7.2 percent compound annual growth rate in environmental monitoring and detection through 2018, for example, and 6.3 percent CAGR for public infrastructure assets management.

Other large growth areas are public safety, emergency response and public transit.

“For IT, typical drivers for this growth are cost and time savings,” said Scott Tiazkun, senior research analyst for IDC’s Global Technology and Industry Research organization. “There’s the convenience factor in having all of these sensors in many places that automatically send data back versus having to send a person out to do a reading, which also decreases the chance for errors.”

Typically, however, these kinds of embedded systems have been built with cost and performance in mind and not security. Now that they are also becoming more interconnected, that vulnerability has become increasingly attractive to attackers looking for protected information or who want to disrupt public services.

The Department of Homeland Security says many of the public infrastructure sites that have recently been successfully attacked were insufficiently protected, and at times administrators weren’t even aware they needed to be secured.

Some parts of the government are keenly aware of potential security problems. Embedded computer systems play a part in just about every area of military technology, for example, and the Defense Advanced Research Projects Agency started its High Assurance Cyber Military Systems program in 2012 specifically to create technology for embedded systems “that are functionally correct and satisfy appropriate safety and security properties.”

Fortunately, it seems the security industry has begun to take notice of the needs of the IoT, though it’s debatable how far traditional IT security systems and techniques can be made to work for embedded systems. But tools specifically aimed at this market are being developed and some are already out.

Computer scientists at the University of California, San Diego, have developed a tool that allows hardware designers and system builders to test for security as they build their devices, for example. It tracks a system’s security-specific properties and makes sure they stay secure. It also detects problems in non-critical subsystems that can affect other, more critical ones.

On the software side, Real-Time Innovations has introduced what it claims is the first secure messaging software for critical industrial systems. Its machine-to-machine communication doesn’t need the centralized brokers or system administrators required by traditional IT security, which ensures the low communication latencies needed by such systems.

These tools, and others like them, will be needed. Embedded system security is still an unknown territory for many government organizations. As the IoT becomes a reality, that could put a lot of public systems and infrastructure at risk.

Posted by Brian Robinson on Jun 20, 2014 at 10:57 AM2 comments


Last call for comments on Keccak encryption

The public has one more chance to weigh in on the selection of a Secure Hash Algorithm that will become the new standard for federal digital signatures and other hashing functions.

A hash algorithm is a cryptographic tool that can create a digest – a unique string of bits of a specific length – specific to a digital document. In an environment when most documents are created and used digitally, hashing is an essential tool for verifying the authenticity of documents.

Because the digest is unique and cryptographically tied to the message, it can be used to verify that the contents of a digital document have not been altered. If any changes are made in the document, the digests produced by the hash algorithm before and after will not match. The algorithms also can be used to create digital signatures.

The Keccak algorithm (pronounced “catch-ack”) was selected as the winner of a five-year public competition for a new hashing standard in 2012 by the National Institute of Standards and Technology. It will put a new cryptographic arrow in the federal quiver, supplementing the unexpectedly long-lived SHA-2 family of algorithms.

But before becoming enshrined as SHA-3 in the Federal Information Processing Standards (FIPS), there will be a final round of public comment on Keccak. Because the standard algorithm will be freely available to all users – government and private sector alike – NIST wants to make sure, among other things, that no patents will be infringed in the use of the algorithm.

NIST has announced a final three-month period for public comment on the proposed standard.

The development of SHA-3 was a response to advances over the last decade in the cryptanalysis, or breaking, of hash algorithms. New attacks introduced serious concerns about the security of the SHA-1 algorithm standard, and by 2007 cracks also had begun to appear in the algorithms that collectively make up the SHA-2 standard. So NIST began a competition to find a new, stronger algorithm.

SHA-1 has been retired, but the weaknesses in SHA-2 were not as serious as originally feared, and SHA-2 remains a viable cryptographic tool. Nevertheless, NIST continued with the competition in the expectation of identifying a new algorithm that would be not only more secure, but more efficient.

NIST received 64 entries and after two preliminary rounds, five finalists were selected in December 2010. After 18 months of review, Keccak was selected as the winning algorithm in October, 2012.

There were no published attacks that “in any real sense,” threated the practical security of any of the finalists, NIST wrote in its announcement, and all finalists had acceptable margins of security. But Keccak is a little stronger and a little faster than SHA-2 and it has the largest margin of security among the finalists. Its simplicity and flexibility means it should be able to run efficiently on a wide variety of platforms.

Also, SHA-3 will not replace SHA-2, but will become a standard for hashing alongside it the foreseeable future.

The Draft FIPS 202  specifies six functions based on Keccak. Four are fixed-length cryptographic hash functions and two are closely related "extendable-output" functions (XOFs). The four fixed-length hash functions provide alternatives to the SHA-2 family. The XOFs can be used in a variety of applications, including generating and verifying digital signatures, key derivation functions and random bit generation.

NIST is proposing the creation of FIPS 202, specifying SHA-3 as a hashing standard, and changes to the existing FIPS 180-4, which contains the SHA-2 specifications, to also allow use of SHA-3. Comments should be sent by Aug. 26 to with “Comment on Draft FIPS 202” or “Comment on draft revision to the Applicability Clause of FIPS 180” in the subject lines.

Posted by William Jackson on Jun 13, 2014 at 6:58 AM0 comments