Summer Internship at
NSA in Science of Security
The National Security Agency is currently taking applications for internships in summer 2020 for its Summer Program in Science of Security. Applications are being accepted until October 15, 2019. The National Security Agency (NSA) Science of Security (SoS) & Privacy Lablets Summer Internship Program is for undergraduate and graduate students currently enrolled at U.S. universities and colleges. The program provides an opportunity for exceptional science, technology, engineering, and math (STEM) students to work directly with NSA SoS Champions on mission-critical hard problems and experience the excitement of the NSA research community first-hand.
SoS Musings -
Ransomware Nightmare
Ransomware attacks remain a significant threat to government agencies, financial institutions, schools, businesses, and individuals, calling for continued research and advancements surrounding the prevention of such attacks. Ransomware is a type of malware that encrypts files and demands the payment of a ransom in order to decrypt the files. It has been discovered that ransomware is often delivered through actions initiated by users such as clicking on malicious email attachments and URLs as well as malvertising and drive-by-downloads. The McAfee Labs Threats Report for August 2019 highlighted an increase in ransomware attacks by 118% in the first quarter of 2019. In addition, security researchers have observed the use of more powerful malware and the adoption of new attack techniques by cybercriminals in the launch of ransomware attacks. According to Malwarebytes’ quarterly report, titled Cybercrime Tactics and Techniques: Ransomware Retrospect, there has been a 365% increase from Q2 2018 to Q2 2019 in the detection of ransomware targeting businesses, while there has been a decline in ransomware attacks targeting individual consumers as it is suspected that cybercriminals are seeking to gain more profit by targeting higher value targets. More than 50% of Malwarebytes’ ransomware detections account for attacks against machines located in the U.S. Organizations and security professionals are encouraged to continue their efforts to fight ransomware attacks.
In the development of techniques towards preventing ransomware attacks, it is important for security professionals to examine past and current ransomware attacks. There are six ransomware attacks that have made the biggest impact within the last five years, which include TeslaCrypt, SimpleLocker, WannaCry, NotPetya, SamSam, and Ryuk. From 2015 to 2016, TeslaCrypt ransomware largely targeted the gaming community in that it encrypted ancillary files such as saved games, user profiles, and more, associated with 40 popular video games, including Call of Duty and World of Warcraft, as well as PDF documents, photos, iTunes files, and Word documents. A $500 Bitcoin ransom payment was demanded of TeslaCrypt victims in order to decrypt these files and if there were a delay in payment, the ransom increased to $1,000. In 2014, SimpleLocker emerged as the first Android-based ransomware, encrypting SD card files, including images, documents, and videos, and demanding the payment of 260 Ukrainian Hryvnia worth $21, in order to decrypt these files. WannaCry ransomware arrived in 2017, infecting thousands of computers in more than 100 countries at a rapid rate and impacting the operations of over 100,000 businesses. Following closely behind WannaCry was NotPetya ransomware, which was initially reported as a variant of Petya, a strain of ransomware that emerged in early 2016, demanding that victims pay to recover their files. NotPetya was discovered to be purely destructive in that it kept computers’ master boot records and master file tables encrypted despite the payment of the demanded ransom. Multinational companies, including Danish business conglomerate Maersk, pharmaceutical company Merck, FedEx’s European subsidiary TNT Express, food producer Mondelez, and more, were impacted by NotPetya.
Since 2016, SamSam ransomware and its variants have been targeting organizations with a significantly low tolerance for downtime, such as those within the public-facing civil sector or the healthcare sector. These types of organizations are attractive targets for the hackers behind SamSam as they rely on real-time data and networked systems, thus the longer it takes to pay the ransom for the decryption of such data and systems, the more damage could occur. Ryuk is another strain of ransomware that has been active since August 2018, impacting more than 100 U.S. businesses, most of which have been logistics companies, technology firms, and small municipalities. The FBI recently issued a flash alert in which it is stated that Ryuk is capable of deleting files related to its intrusion, stealing credentials, establishing persistence in the registry, and more. The newest Ryuk ransomware instructs victims to contact the attackers via one of several email addresses to find out how much the ransom is and which Bitcoin wallet must be used to pay the ransom. The trends in ransomware strains and incidents must be further explored.
Recent incidents indicate the rise in ransomware attacks on municipalities, educational institutions, and healthcare organizations. A ransomware attack on Johannesburg's electric utility, City Power, left some of the city's residents without power and impacted residents' ability to purchase electricity, upload invoices, and access the electricity provider's website. Baltimore City suffered a ransomware attack, which disrupted city government emails, the processing of calls at the city's 311 call center, 911 services, and more. Over 20 municipalities in Texas have recently been hit with ransomware, affecting computer systems, city businesses, and financial operations. Other municipalities that have fallen victim to ransomware attacks include Key Biscayne, Lake City, and Riviera Beach. Louisiana Governor John Bel Edwards declared a state of emergency in response to ransomware attacks on three Louisiana public school districts - Sabine, Morehouse and City of Monroe - which resulted in the loss of data stored on servers, the disabling of some technology systems, and the takedown of office phone systems. Grays Harbor Community Hospital in Aberdeen, Washington just faced a ransomware attack that has resulted in the encryption of more than 85,000 patients' health data by attackers contingent on the payment of a ransom. Although much of this data was recovered, there are parts of the electronic medical record that are still encrypted and inaccessible by the hospital and Holston Medical Group. Such incidents call for the development of solutions.
As ransomware remains a major threat...
Cyber Scene -
Cybersecurity's Changing Face
US Attorney General (AG) William Barr presents his view of cybersecurity as the largest game changer in his nearly 30-year bookend tenures as AG (Bush 41 and Trump) at a Fordham University conference sponsored by the NY FBI Field Office. He poignantly notes that in the "vast and expanding digital infrastructure" that we depend on, we are challenged by "...making our virtual world more secure...but not at the expense of making us more vulnerable in the real world." One particular example is encryption to defend against cyber attacks while still retaining the ability to lawfully respond to criminal activity. He boils it down to balancing a citizen's and the general public's interests, as intended by the Fourth Amendment. He lays forth Supreme Court case history, the issue of "going dark," and suggestions from the UK's GCHQ for mitigating encryption challenges as well as examples of other nations which are moving on to establish statutory frameworks to better create a balanced way forward.
Another lead attorney, NSA General Counsel (GC) Glenn Gerstell, in his 10 September NYT op-ed, underscores concern about technology "upending our entire national security infrastructure." He writes of the US Intelligence Community in its entirety and expands to include partners such as the Five Eyes community (US, UK, Australia, Canada and New Zealand) and other like-minded countries as warfare morphs increasingly into digitized expressions. The GC had earlier served on the president's National Infrastructure Advisory Council, where infrastructure includes digital bridges derived from the imperative to embrace the future and plan for a "whole of government" + partners solution.
Moving from the (attorney) general to the specific--Army General, NSA Director and Cyber Command Commander Paul Nakasone--NYT intelligence experts David Sanger and Julian E. Barnes look on 23 September at the context of possible cyber attacks against Iran. The Pentagon has held for several years that a cyberattack may be viewed as an act of war. The possibility of spiraling retaliations, digital and tactile, could ensue. General Nakasone has reportedly informed the White House that a "cyberscenario is no magic bullet" for deterring Iranian aggression. As noted above by GC Gerstell, such a scenario would not only engage the whole of government but would have broad-reaching international implications.
For those curious as to how inching into a cyberwar without a magic bullet, or perhaps a clear end state and means to get there, could play out in an era of denial of service (hospitals, electricity, water supply), captured ships (recent history), or boots on the ground, aural learners might appreciate Episode 84 of the "Dead Prussian Podcast" military strategy series, the Prussian being the revered military strategist Carl von Clausewitz. In this broadcast aired on 20 September, the host discusses a recently published book on "The Day After" the cessation of combat. The author, Lieutenant Colonel Brendan R. Gallagher, a serving US Army battalion commander ("Princeton Ranger" on Twitter), analyzes the last 20 years of US military engagement regarding success or failure. This is viewed from the existence or absence of clearly articulated goals paired with a strategy, working backwards, to get there. An inconsistent tension underlines these wars: choosing "enduring democracy" or "bring the troops home now," but not both. He argues that the decision to go to war needs to be reached after this strategy is determined, the means to execute it to the desired end state with obstacles identified and mitigated, and teed up by the National Security Council apparatus for whole of government engagement. This approach may be applied to cyberwarfare as well as 21st Century sea/land/air combat.
Cybermetrics, Anyone?
Former DHS Deputy Assistant Secretary for Policy and Senior Chertoff Group Advisor Paul Rosenzweig writes in Lawfare that cybersecurity is similar to (well, you know...): "we know it when we see it" but struggle to define or measure it. This impacts on our ability to judiciously make "tradeoffs, cost-benefit assessments, and (address) issues of practicality and scalability." He opines that measuring cybersecurity is foundational for policy, law, and business decision-making. He notes that "trust us" is no longer a rational response, particularly in the current environment of "tech-lash." Granted, there have certainly been improvements but how much, how fast, how effective are they? Some are considered "secret sauce" not openly disclosed, so transparency and accountability are left wanting. Or is the "quest for good cybersecurity metrics a phantasm?" The answers to cost, value and benefit are unknown if this exceedingly elusive quest for metrics remains unresolved. Science and art seem to be inextricably linked for those seeking a solution.
Up Hill Toward Intelligent Decisions
In the wake of Director Mueller's headline-monopolizing Congressional testimony in late July, a reflection of extremely encouraging bipartisan unity also occurred at that time: the move forward in Congress of the Intelligence Authorization Act for FY 2018, 2019 and 2020. This provides a means of resolving some of the challenges noted by AG Barr, GC Gerstell, and lawyer Rosenzweig above. The HPSCI approved the bill and moved it forward. The House added a few amendments, "overwhelmingly passed" in a bipartisan show of strength: 397-31 (92% yea, 7% nay, 1% not voting).
The SSCI had approved it unanimously on 14 May, but recommended a full Senate vote. With strong votes in the full Senate. For cyber practitioners reading this Cyber Scene, the act not only specifically calls out Russian cyber threats relating to election interference and creating a task force within the ODNI to protect the US tech supply chain, but also, notably, "...enhancing career path flexibility and benefits for cybersecurity experts working within the Intelligence Community."
Distrust and Verify
In the US
With attempts to measure, balance, and fund the future cyber developments as noted above, interaction between the tech giants and the Hill continues to accelerate. This includes discussion about regulation. The US Department of Justice (DOJ) decided to open an antitrust review regarding tech giant competition and market power, which ups the game. On the one hand, the 10 August Economist posits that the big tech firms are solidly ensconced. The article notes that not only are these firms exceedingly successful, they also pour vast bullish proceeds into innovation and advertising for their customers. These customers, however, are more concerned than in the past about big tech's negative impact on society. DOJ is not alone. Kevin Roose, in the 12 August NYT, criticizes the tech leadership for swapping hoodies for flag pins to woo Congress by "conspicuous patriotism." This approach from tech leadership may not yet be successful: on 9 Sep the NYT published charts on "16 Ways that Facebook, Google, Apple and Amazon are in Government Cross Hairs." The leading, detailed offenses across the board, as denoted by tech company and the particular agency or committee that was in the mix, were privacy and antitrust infractions.
Foreign Relations Trick or Treat: Cybersecurity Month and Leif Erikson Day
In the shadow of this year's DHS-designated Cybersecurity Month, the NYT's Adam Satariano reports from Copenhagen on 3 September that Big Tech is so powerful and so global as to merit collective superpower status there. He notes that in 2017, Denmark acknowledged that such a superpower required diplomatic treatment and named a career diplomat, Casper Klynge, as Ambassador to the Tech Industry. His war experience involves Kosovo and Afghanistan (two of the wars discussed in the above-cited podcast) and also harkens to the classic Clausewitzian definition of war as "the continuation of politics by other means." A case could be made relying on the diplomatic tool of statecraft to avert cyberwarfare or tech-bashing. The future may offer the readership an opportunity to weigh whether diplomacy or Congressional regulation is more effective. On a lighter note, there have been unconfirmed rumors that this Viking nation, whose early explorer discovered the new world, may be considering a "Make Denmark Great Again" agenda by repossessing New England. (N.B. This is unrelated to the self-designated "Great Dane," the prescient and late Victor Borge.) Minnesota may also be in the mix. The Danes appear to be disinclined to sell Greenland. The 9 October traditional US presidential proclamation on Leif Erikson Day, should it occur this year, may shed some light on the future of US-Danish partnership.
Near and Far
As facial recognition improves by leaps and bounds, its applications and countermeasures do so as well. The Economist 15 August "Face off" scans across San Francisco, CA, through the UK and Hong Kong tech developers and academics who are moving full-frame ahead, so to speak, in perfecting AI-based techniques and expanding face-recognition applications. Some US cities disallow their use as an affront to privacy. Protesters in Hong Kong have hidden their faces or pointed hand-held lasers at cameras. Although face recognition is broadly used in UK surveillance, some members of parliament have called for a ban on police use. How good is it? The US National Institute of Standards and Technology (NIST) says that as of 2018, face-recognition technology was over 99% accurate. The article goes on to analyze academic research across the globe, summing up that there are still loopholes. Sunglasses, anyone?
For those who deem these countermeasures insufficient...
Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view its description and links to the publications.