DARPA Seeks Input On Securing Networks Against Attackers
hessian writes with an article in Wired about the problems facing the U.S. Government's networks in an increasingly hostile world. From the article: "The Pentagon's far-out research agency and its brand new military command for cyberspace have a confession to make. They don't really know how to keep U.S. military networks secure. And they want to know: Could you help them out? DARPA convened a 'cyber colloquium' at a swank northern Virginia hotel on Monday for what it called a 'frank discussion' about the persistent vulnerabilities within the Defense Department's data networks. The Pentagon can't defend those networks on its own, the agency admitted."
Re: (Score:2)
Then who can?
Super Man?
Re: (Score:1)
4chan!
They ANYPA
Go basic (Score:1)
Oh, you want really secure? Turn it off and never use it.
Re: (Score:2)
Oh, you want really secure? Turn it off and never use it.
No doubt!
Gooberment:"Please secure my network from any possible attack."
l4t3r4lu5: Yoink. bzzzzzzrrrrr. "There you go!"
Re: (Score:2)
Filter error: Don't use so many caps. It's like YELLING.
Re: (Score:1)
1. Remove the USB ports or
2. Disable the USB ports in Group Policy.
The simplest way to prevent burglars from coming in your windows is to not have windows. Though you may like your windows, USB ports are not a necessity.
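As an added example (not the commenter's own, and not from the article), here is what option 2 looks like on a single Windows host. The GPO "Computer Configuration > Administrative Templates > System > Removable Storage Access > All Removable Storage classes: Deny all access" writes the Deny_All value under the RemovableStorageDevices policy key; the script sets the same value locally and additionally disables the USBSTOR driver, then reports whether both controls are in place. It assumes local administrator rights and no domain GPO overriding the local policy.

```powershell
#Requires -RunAsAdministrator
# Added example: disable USB mass storage by policy and by driver on one host.
# Deny_All under the policy key is exactly what the "All Removable Storage
# classes: Deny all access" GPO sets; Start=4 (SERVICE_DISABLED) on USBSTOR
# stops the mass-storage driver from loading at all.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DriverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-UsbMassStorage {
    # Policy layer: deny read, write and execute on every removable storage class.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord

    # Driver layer: 4 = disabled; the default is 3 (demand start).
    Set-ItemProperty -Path $DriverKey -Name 'Start' -Value 4 -Type DWord
}

function Test-UsbMassStorageDisabled {
    # Compliance check: both layers must be present, so a host where someone
    # flipped the driver back on is reported as non-compliant.
    $deny  = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start = (Get-ItemProperty -Path $DriverKey -Name 'Start' -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        PolicyDenyAll  = ($deny -eq 1)
        DriverDisabled = ($start -eq 4)
        Compliant      = (($deny -eq 1) -and ($start -eq 4))
    }
}

Disable-UsbMassStorage
Test-UsbMassStorageDisabled
```

Caveat a practitioner would add: both controls only cover the storage classes (disks, CD/DVD, WPD). A USB device that enumerates as a keyboard still works, so this stops data walking out on a thumb drive but not a keystroke-injecting device; only removing or physically blocking the ports (option 1) addresses that.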
Re: (Score:2)
Then you run into problems with data that needs updating, like say, a map. Putting it on CD/DVD only works until malware realizes it needs to embed itself on said media, and once it has, there's nothing to prevent another stuxnet-like attack.
If data needs to flow somehow between airgapped networks, you're screwed. Doesn't matter if you use a data diode, physical separation, etc. As long as there is some way that data needs to go from an insecure network or inse
Wrong audience (Score:5, Insightful)
Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks.
Well there's your problem! The ones at the forefront of breaking-into-electronic-systems-in-interesting-ways aren't the usual crowd the DoD are used to wooing (heads of industry, academic engineers, the conference-at-swanky-hotel crowd) but people working out of their basements fiddling with things for the fun of it.
If they want a real assessment, offer a honeypot network with some stand-in data, and set a prize for whoever can get it and tell them how.
Re: (Score:2)
We used to use tiger teams - hell, maybe we still do. A group of professionals that would try to break into government facilities or steal data. I think the best way to secure the systems would be to have the best people we can spare try to break into them and then recommend how we can make it harder for them.
Re: (Score:2)
Extraordinarily capable, loyal, well-trained professionals that act as hostile foreign agents to expose security gaps in government systems.
Re: (Score:1)
The Army still employs the Red Team, Blue Team model as well. There is a Warrant Officer billet for it. The few that I have met weren't terribly competent though. They were the ones who were persistent enough to hang around and get into the "cool" program. (Although my sample size is slightly more than a handful of reservists.)
Re: (Score:2)
That said, I'm sure there are smart people in all corners.
Re: (Score:2)
The fact that this kind of shit is happening means that they are either ineffective, understaffed, or both.
I mean, isn't one of the best tests of security by attempting to break into it? If we don't constantly test ourselves, we'll get complacent and shit like this happens. How long will it be before a foreign government fires off a missile or de-orbits a satellite?
Re: (Score:2)
No, that's exactly what everybody's doing now - an endless game of find-and-patch whack-a-mole. That's not DARPA, it's Norton anti-virus.
What they want is to go back to first principles for a fresh start, to preclude as many attacks as possible from arising in the first place. How possible that is, nobody really knows. I'm afraid it will be determined that there
Re: (Score:2)
OK. Write your own operating system from scratch. You can use Linux or BSD as a model, but change all the system calls, factor things differently, and use a language that will prohibit wild pointers. There's a dialect of D (Digital Mars D) that would work. There's also supposed to be a dialect of Ada, but I don't know enough about it to be sure. DON'T use C or C++, as you can't secure array boundaries.
Then write your own network protocol. You can use IP as a guide, but change everything. I'm not just
Re: (Score:2)
No need to write the OS, it's been done. IBM iOS, formerly i5/OS, formerly AS/400. POSIX compliant, has the UNIX shell built in, all major languages: C++, Java, PHP, and yes, RPG and COBOL. Apache and Websphere web serving. Also whitelist the IP address ranges allowed access at entrance points to the network.
Don't know the details of network administration, but PCs would be SELinux and not directly accessible from the outside network for port scanning, etc.
This would be extremely secure network. It's there, it would mak
Re: (Score:2)
You're proposing something that's quite secure, but not *really* secure. Nobody has ever written the kind of system I proposed, because **it would be an incredible amount of work**. And you are proposing standard IP, which has known problems. E.g., you can't be sure who is on the other end of the line.
POSIX can't be used for real security, because it's got known holes. They aren't large, but they are there. SELinux is better in certain areas, but it's only better, not really secure.
It's true that the t
Re: (Score:2)
You're proposing something that's quite secure, but not *really* secure.
I take it you don't know much about the IBM i OS. It's "really" secure. Used by hundreds of thousands of business and government organizations around the world.
In addition, whitelisting the IP address ranges that can access the network eliminates the source of most attacks, and using a security device along with a password eliminates the rest.
You act like systems can't be secure, but we have real businesses that successfully fend off the constant a
Re: (Score:2)
That's what VPNs and ACLs are for. You don't think you could securely configure VPNs and ACLs for less than it would cost for a parallel infrastructure? What happens when someone bridges a wifi device onto your network?
Re: (Score:2)
Not all of those connections will be legitimate
Which is why we have things like PKI infrastructures, pre-shared keys, and RSA tokens. At least there you know what the threat is, and can fortify around it.
I'm not sure I've ever heard of a scenario where someone broke into a secure network by bruteforcing both the PKS and the secondary form of authentication; invariably, breaches are because someone made a stupid mistake like getting a virus, or by letting someone walk out with un-secured media, or connecting a wifi device to the secured network.
And with y
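The two comments above (whitelisting IP ranges at entrance points, and doing it with ACLs rather than new infrastructure) describe a deny-by-default network ACL. As an added example that is not from either commenter, here is the host-level version of that ACL using Windows Defender Firewall: default inbound action set to Block, explicit allow rules scoped to permitted source ranges, and a check that no rule has quietly been widened to "Any". The ranges, ports and rule prefix are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: deny-by-default inbound allowlist on one Windows host.
# The ranges and ports are assumed values; replace with your own.

$AllowedRanges = @('10.20.0.0/16', '192.168.50.0/24')   # assumed management/VPN ranges
$AllowedPorts  = @('3389', '5985')                       # RDP and WinRM
$RulePrefix    = 'ORG-Allowlist'

function Set-InboundAllowlist {
    # 1. Deny by default on every profile: traffic not matched by an allow rule is dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # 2. Remove rules from a previous run so the rule set is exactly what this script says.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # 3. One allow rule per port, restricted to the permitted source ranges only.
    foreach ($port in $AllowedPorts) {
        New-NetFirewallRule -DisplayName "$RulePrefix TCP $port" `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort $port `
            -RemoteAddress $AllowedRanges -Profile Any | Out-Null
    }
}

function Test-InboundAllowlist {
    # Compliance check: default is still Block, and every allowlist rule is still
    # scoped to specific remote addresses (a rule edited to 'Any' fails the check).
    $profiles     = Get-NetFirewallProfile
    $defaultBlock = -not ($profiles | Where-Object { $_.DefaultInboundAction -ne 'Block' })
    $rules        = @(Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue)
    $allScoped    = $true
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') { $allScoped = $false }
    }
    [pscustomobject]@{
        DefaultInboundBlocked = $defaultBlock
        AllowRuleCount        = $rules.Count
        AllRulesScoped        = $allScoped
        Compliant             = ($defaultBlock -and ($rules.Count -eq $AllowedPorts.Count) -and $allScoped)
    }
}

Set-InboundAllowlist
Test-InboundAllowlist
```

Two caveats the thread itself raises: a source-address ACL identifies a network location, not a person or a machine, so it complements the PKI and token authentication mentioned above rather than replacing it; and it does nothing about a wifi device bridged onto the permitted range, which is why the check above is worth re-running from configuration management rather than once at deploy time.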
I wonder what this says about (Score:2)
Re: (Score:1)
I love those faculty and sysadmin types here who expect us to write these hideously involuted Access Control Lists on our routers to make up for their steadfast desire to avoid actually administering their systems. (*eyeroll*)
Re: (Score:2)
Building impressively secure systems (while by no means easy, it is serious software engineering and/or comp sci) is something that people can do and have done.
Building impressively secure systems that aren't wildly expensive and wholly incompatible with the shoddy-but-feature-rich crap that people like to buy is substantially harder.
Building impressively secure systems that aren'
Re: (Score:2)
Nothing since SELinux is not about securing networks.
Secure systems (Score:5, Interesting)
Start using systems that were designed to be secure in the first place. Stuff that works on a "deny by default" basis, that refuses to process any data it doesn't understand, uses OCSP as a whitelist on the CA side, defence in depth: strict validation of input on multiple levels (when making a web app: a default-deny application firewall, then strict validation in form processing and finally a modular application design that validates data received from other modules) and so on.
This will require throwing away most, if not all, software in use. Including OSs, probably even Linux, as I'm not sure if SELinux (or other such systems) goes deep enough on the kernel side. Then making new software from scratch with the primary design objective being security. As no politician or PHB can justify spending this amount of money on such a nebulous concept as security, the whole idea will fail. Because this won't eliminate but only reduce the number of security-related bugs, it won't help the cause.
We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.
Re: (Score:1)
Well, if running a pentest is only the first step in evaluating the security of a system (after all, it verifies whether it's secure against the most common attacks) and you throw the system away as soon as it fails, I'd say it adds large value.
I completely agree, test and patch doesn't work, if it did sendmail and IE would be the most secure software packages in existence.
Re:Secure systems does include SE Linux (Score:2)
It's B1 in the old (stringent) rating scheme, and can be configured to provide a lot of protection against theft of data, via
- mandatory access controls (not changeable by the process or user)
- secure path (knowing it's really you at the keyboard)
- covert channel analysis (genuinely hard, this is often "ongoing")
- audit (which eventually runs you out of disk (;-))
There is some protection against attack, but more or less as a side-effect of protecting against spies leaving with data.
--dave
Re: (Score:2)
What is needed is more well rounded professionals that understand both security and user's needs. I don't think our curren
Re: (Score:1)
Secure systems aren't useless, they are highly inflexible.
If you have a workstation commissioned to run 2 or 3 very specific jobs (entering recruits' data, administering a SCADA system, piloting UAVs, etc.) it can be relatively easily secured even now. If it has to have access to the web (with its Flash, HTML5, Java and ActiveX), it's impossible to secure unless you use a purpose-built browser (that disables most of the functionality). Of course in any scenario, a user must not be able to install new software or use f
Re: (Score:2)
The Internet was designed to be damage tolerant, not secure. So it is fundamentally the wrong design for a secure system. Instead, the current internet does its best to *deliver* data. So likely their best choice is to build a new network from the ground up, designed to be secure. That probably means *not* based on the Internet Protocol.
Re: (Score:1)
We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.
This theory can be applied to so many things when it comes to programming and designing. Many web applications are designed by designers, and security is never a consideration. Security awareness is increasing though, but it will take time to spread this knowledge through the industry.
Enforce Policy. (Score:2)
If you're not willing to make the hard calls when someone can't do something as simple as patching, you're doomed from the start.
Get rid of Windows (Score:4)
Securing the network on Windows is just about impossible. It was originally designed when computer security was nothing but a far-out concept, and attempts to retrofit security into it without tossing out the basic design have been unsuccessful so far; actually securing it would require a silly level of hacked-up modification (try to prevent wifi dual-homing, I dare you). Toss out Windows, start with a custom Linux distro and go from there. Network-booting machines secured with an in-house-administered TPM will be extremely hard to break into. Allow centralized control of all software so that any change to a computer's OS that wasn't signed off on by the IT department sets off the biggest red flag in the world.
It can be done but not while trying to pussyfoot around with commercial consumer-grade toys.
Re: (Score:1)
(try to prevent wifi dual-homing, I dare you).
Physically remove WiFi capability from your system?
Re: (Score:2)
Har har.
Re: (Score:1)
Har har.
I don't see why you think that's funny - we're talking capital-S security with DARPA here. Relying on encryption to keep your broadcasted-to-anyone-in-the-neighborhood data safe is clearly strictly less secure than not broadcasting your data in the first place.
And don't think that I'm limiting myself to WiFi when I mean "broadcasting" - just audio could be enough to compromise security: https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information [freedom-to-tinker.com].
Re: (Score:2)
Come on, Android is hardly Linux, the Linux-based kernel isn't even compatible with the mainline Linux kernel. Apart from that distinction, it's about as far from a locked-down security-centric distro as you can get.
And yes you can lock down Windows with an insane amount of work, but why not put that work towards a more fundamental and long-term solution, instead of slapping armor onto a vulnerable black box that was never designed to do the job?
Re: (Score:2)
Unix was designed with security in mind. It was designed to run as a multi-user system on college campuses, with lots of snoopy students...or students that wanted extra time to complete their projects.
MSDos intentionally stripped out all the security, in order to run more efficiently on minimally powered single user computers. The security didn't even START getting added back in for nearly a decade, and then it was mainly PR gestures.
It's not just the age of the system, it's the history. Every time MSWin
Security begins at home (Score:1)
I can't believe this silly disclaimer DARPA has on their site. Read it carefully. They're doing it wrong.
http://www.darpa.mil/external_Link.aspx?url=http://i.imgur.com/slZOR.jpg [darpa.mil] ;)
We need talent (Score:2)
Without the military part up or out will force ou (Score:2)
out good tech people or force them to be mangers and then on to some other post.
Also a lot of tech people are too old for the military and others don't have the mindset to make it through a military boot camp. If some of it needs to be military, maybe then it needs a special rank system so techs are not forced to start at private pay, and officers should not be the same way as the rest of the military is.
Also have a special boot camp, say maybe little to no exercise part, no forced gun training, no other battle fi
Prevent spear-phishing (Score:2)
Well if you look at the Chinese attacks they are all based on spear phishing. So what you need to do is prevent people from running code sent to them via emails. It's really easy to do - simply enforce whitelists - not blacklists, whitelists. For example, the OS should refuse to run unsigned exe files - not simply ask you if you're sure, but actually tell you that you can't, period. And by unsigned I mean anything not signed with the private keys of your organization. Also, make a whitelist of domain na
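The rule in the comment above is "signed by us or it does not run", which is stricter than "signed by somebody". As an added example (not the commenter's code), here is the audit half of that rule on Windows: walk a directory, check each executable's Authenticode signature, and report anything that is unsigned, tampered, or signed by a publisher outside the organisation's allowlist. The thumbprint and path are placeholders; substitute the thumbprints of your own code-signing certificates.

```powershell
# Added example: audit binaries against an organisation signing allowlist.
# The thumbprint below is a placeholder, not a real certificate.
$OrgSignerThumbprints = @(
    'ABCDEF0123456789ABCDEF0123456789ABCDEF01'   # assumed: your org's code-signing cert
)

function Get-UnauthorizedBinaries {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi, *.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

            # Allowed only when the signature verifies AND the signer is ours.
            # A valid signature from an unknown publisher is still a deny;
            # Status values seen here include Valid, NotSigned, HashMismatch, NotTrusted.
            $allowed = ($sig.Status -eq 'Valid') -and ($AllowedThumbprints -contains $thumb)
            if (-not $allowed) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = $thumb
                    Reason = if ($sig.Status -ne 'Valid') { "signature $($sig.Status)" } else { 'signer not in allowlist' }
                }
            }
        }
}

# Assumed scan root: user-writable locations are where mailed attachments land.
Get-UnauthorizedBinaries -Path 'C:\Users' -AllowedThumbprints $OrgSignerThumbprints | Format-Table -AutoSize
```

This only reports; the "actually tell you that you can't, period" part comes from turning the same decision into an enforced policy, which on Windows means AppLocker or Windows Defender Application Control publisher rules in enforce mode rather than audit mode, restricted to your own publisher certificates and with no user prompt path. The audit above is still useful alongside enforcement, because it shows what the policy would have blocked before you switch it on.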
"frank" is the 1st step (Score:3)
Frank discussion? That's the 1st problem.
Security seems to be extra vulnerable to fraud. Many times, I saw military customers wooed by vendors who are perfectly willing to give them a load of bull about how they can't explain why their devices, software, and ideas are secure, because that would compromise the security. Then the military goes a step further, and abuses their secret classification system to cover up security problems, keeping important information even from their own people. They base security decisions on politics. They are more interested in getting a system approved as secure than in whether it is actually secure, and will lean on people to just rubberstamp systems. They play favorites. They like Windows, because they find it more user friendly, so they push to have it declared secure. Systems they don't like are held up to extremely difficult standards, the better to reject them. They engage in plenty of their own bull to pull that off. For instance, Linux is coded by foreigners, which they deem automatically makes it insecure. How can they know some foreign programmer won't put a back door into the Linux kernel? Never mind that Microsoft might employ Indians to work on Windows. And who's to say that US citizen programmers would never sell out?
They want COTS (Commercial Off The Shelf), to save money, but there is no COTS that meets their needs. They play a funny game with contractors too. Employ people as contractors and treat them with deep suspicion, but won't employ them as their own experts who just might possibly be a touch more committed and loyal.
No surprise that the military stinks up their security.
Easy (Score:1)
Stop putting critical systems online.
Wrong OS? (Score:2)
Was anyone ever able to compromise a correctly configured VMS box? Has anyone broken strong well configured public key encryption? Security is not a big secret, not easy, but good, effective practices are not unknown. So is the question "how do we keep script kiddies off our sharepoint site installed by a neophyte sysadmin"? Really the only valid response is a well quoted "*sigh*".
Re: (Score:2)
You can't assume that current public key systems will continue to be secure. Advances in Quantum Computing make that a dubious proposition. There are systems that will work, but they don't depend on prime factorization. (As for what they are, that's beyond the boundaries of my knowledge, but I don't believe they require quantum encryption, merely a system that can't be broken by a quantum computer, and actually, I'm told that they are rather limited in the areas where they have an advantage. (Though app
Does it really need to be online ? (Score:1)
Re: (Score:2)
You got it! My uncle is now a security officer in the military. He's a highly skilled Linux programmer, and knows how to attack the network if he needs/wants to. The only reason he got in the military and is now in security is because he had a 96% accuracy at 300 yards. After all this time, the military still values killing over technical skills. While they should be on equal footing.
If an Iranian nuclear power plant can be attacked by a virus, which could have caused major damage (we are just lucky it didn't), you'd think the military would take a better look at their skill requirements. But they rely on their current ranks, the NSA/FBI/CIA to foot for when they can't make up. (And the majority of their skills are about as good as the military's.) We need a skill refresh, it's long overdue.
I don't think you really know much about the military, or your Uncle is pulling your leg. That's not how the armed forces work in the U.S.
The problem is who is reviewing solutions (Score:1)
The problem is that they have government contractors reviewing potential solutions. The same people who are incapable of coming up with workable solutions themselves. So what makes anyone think they would know a good solution, even if it bit them in the ass?
DARPA announced a grant program for this last August at Black Hat [eweek.com]. We spent a month crafting an RA for developing a solution based upon formal methods that would change the advantage from the attacker to the defender. Even if we were full of
OMFG (Score:1)