Showing posts with label HACKERS. Show all posts
Showing posts with label HACKERS. Show all posts

Monday, November 3, 2014

NSF FUNDS SIMULATIONS TO TRAIN STUDENTS IN CYBERSECURITY

FROM:  NATIONAL SCIENCE FOUNDATION 
Cybersecurity: It's about way more than countering hackers
Growing professionals in cybersecurity means supporting an interdisciplinary approach that develops sophisticated thinkers

It's tense in the situation room. A cyber attack on the electrical grid in New York City has plunged Manhattan into darkness on a day that happens to be the coldest in the year. Concurrently, the cellular phone network has been attacked, silencing smartphones and sowing confusion and panic. A foreign power has claimed responsibility for the attacks and says more are coming. Your job is to look at geopolitical factors, intelligence feeds, military movements and clues in cyberspace to predict what may be happening next. Your goal is to make a recommendation to the President.

This scenario is thankfully not real, but it is the kind of simulation planned for students in the cybersecurity program at California State University, San Bernardino (CSUSB). With funding from the National Science Foundation's (NSF) CyberCorps®: Scholarships for Service (SFS) program, undergraduate and graduate students take an interdisciplinary approach to cybersecurity.

"We provide an environment where business students can work with engineers on drones, and students from political science can work on predictive modeling," said Principal Investigator (PI) Tony Coulson. "Our students can major in business, public administration, criminal justice, computer science, intelligence, all with cyber security as an option. We produce students who can problem-solve--people who can understand politics and finance as well as computer science."

Cybersecurity is a field that has received a lot of attention in recent years because of hacking episodes that have compromised networks, and in turn, the personal information of citizens who depend on a safe cyberspace to do such activities as banking and shopping. Following such a breach, attention is generally focused on identifying the hackers and their methods.

Among the options for students supported through San Bernardino's SFS program is being educated in cyber intelligence to deal proactively with cyber threats--to predict malicious behavior before it happens. Doing so draws not only on a background in computer and information science, but also on an understanding of human behavior and psychology and the political and economic environment. About 50 students have gone through the program, including completing internship requirements, and Coulson reports 100 percent placement with employers.

"The San Bernardino project is one of 166 active projects around the country fully or partly funded by SFS," said SFS Lead Program Director Victor Piotrowski. "Cybersecurity is a dynamic and evolving field, and the country needs talented people with the skills to protect U.S. interests around the world. Through SFS, we prepare students for high-paying careers in government, and increase the capacity of institutions to offer quality course work in this area."

A condition of students' receiving support through SFS is that they put their skills to work in a government agency for a period equal to the duration of their scholarship. Coulson says that after completing the program at CSUSB, students often have to choose from multiple offers. The program boasts having students placed in many areas of government.

"CSUSB students have a depth of skills and often pick their dream jobs," said Coulson, including a student who got a job at his first-choice agency--the National Archives.

San Bernardino is a poor community, and the good jobs available to SFS graduates can make a huge difference to them and their families. To promote their success in finding and keeping employment, the professional development offered to students goes beyond their academic work to include business etiquette, mentoring, how to succeed at an internship, and how to conduct oneself successfully in an office. The goal is to produce a graduate ready to be hired.

In addition to traditional essay-based projects, students have to complete a very hands-on final exam, requiring that they pick locks and use digital and biometric information to hack into a network. According to Coulson, they enjoy the challenge.

Along with running the SFS project, Coulson is co-PI on another NSF-supported project, CyberWatch West, funded through the Advanced Technological Education program (ATE).

"Despite Silicon Valley being on the West coast, and California having the largest population of community colleges in the country, there are very few cybersecurity programs here," said Coulson.

So CyberWatch West aims to help community colleges, K-12 schools and universities link together in 13 western states to develop faculty and students in cybersecurity. The project is a resource for faculty to identify curriculum pathways and outreach, find mentors and engage students in competitions, events and presentations.

"There's such a need in the Los Angeles and Orange County areas," said Coulson. There are something like 2,500 open positions, and we're graduating 200 kids."

Bringing together cybersecurity, law and digital forensics

Also responding to the need for a cybersecurity workforce prepared to deal with today's complex problems is an SFS project for undergraduates and graduate students at the University of Illinois, Urbana-Champaign (UIUC). The project has graduated 25 students who are already working in government (reflecting another 100 percentage placement rate), and another 20 are set to graduate next May.

Since last year, this project offers scholarships to law students as well as engineering and computer science students. According to PI Roy Campbell, few lawyers understand cybersecurity and few computer scientists understand the legal framework involved in prosecuting and preventing cyber crimes.

The first law student to be accepted in the program, Whitney Merrill, is a recent law school graduate currently practicing as an attorney while completing her master's in computer science at UIUC. She found the combination of cybersecurity and law in the UIUC program to be valuable.

"The two fields are fiercely intertwined," said Merrill. "Understanding both fields allows me to better serve and advocate for my clients. Additionally, I hope to be able to help the two communities more effectively communicate with each other to create tools and a body of law that reflects accurately an understanding of both law and technology."

Merrill found the program challenging at first.

"But my interest and love for the subject matter made the challenging workload (29 credits last semester) enjoyable," she added. "Working towards a mastery in both fields has also helped me to spot legal issues where I would not have before."

Next summer Merrill will be working as a summer intern at the Federal Trade Commission in their Division of Privacy and Identity Protection. She graduates in December 2015.

With additional NSF support, a new related program in digital forensics at UIUC has the goal of building a curriculum that will teach students about cybersecurity in the context of the law enforcement, the judicial system, and privacy laws.

"Digital forensics is not the sort of area a computer scientist can just jump into," Campbell said. "It's not just malware or outcropping of hacking techniques. It has to be done in a deliberate way to produce evidence that would be acceptable to courts and other entities."

Co-PI Masooda Bashir says digital forensics gets to the heart of the multidisciplinary nature of cybersecurity.

"If you think about the amount of digital information that is being generated, exchanged, and stored daily you begin to understand the impact that the field of Digital Forensics is going to have in the coming years, " she said. "But Digital Forensics (DF) is not only a technical discipline, but a multidisciplinary profession that draws on a range of other fields, including law and courtroom procedure, forensic science, criminal justice and psychology."

She added, " I believe it is through integration of such relevant nontechnical disciplines into the DF education we can help students develop the comprehensive understanding that they will need in order to conduct examinations and analyses whose processes and findings are not just technically sound, but legal, ethical, admissible in court, and otherwise effective in achieving the desired real-world goal."

As the new program evolves, Masooda is drawing on her background as a computer scientist/psychologist to add the psychology of cybercrime to the curriculum. She's also working on a project examining cybersecurity competitions to understand their impact on the cybersecurity workforce and also to better understand the psychological factors and motivations of cyber security specialist and hackers.

Students with an interest in cybersecurity can start planning now

The U.S. Office of Personnel Management maintains a website where students can get information of SFS and the institutions that are participating in it. Meanwhile, PIs can update their project pages and agency officials can check resumes for students with the qualifications they need.

In the evolving field of cybersecurity, individuals with technical skills and knowledge of the social and legal context for what they do will continue to be highly desirable workers

Thursday, October 30, 2014

ASSISTANT AG CARLIN MAKES REMARKS AT U.S. CHAMBER OF COMMERCE CYBERSECURITY SUMMIT

FROM:  U.S. JUSTICE DEPARTMENT 
Remarks by Assistant Attorney General John Carlin at the U.S. Chamber of Commerce Third Annual Cybersecurity Summit
Washington, DCUnited States ~ Tuesday, October 28, 2014
Remarks as Prepared for Delivery

Thank you, Ann [Beauchesne], for your warm introduction and for inviting me to your annual Cybersecurity Summit.  We all benefit greatly from your leadership, especially in promoting the Chamber of Commerce’s role in national security.

In establishing an annual gathering focused on cybersecurity challenges, the Chamber of Commerce continues to demonstrate its commitment to keeping our nation secure, and to lowering barriers for American businesses to compete fairly in our global economy.  The fact that this is your third annual cybersecurity summit is a testament to the growing magnitude of these threats and your commitment to make cybersecurity central to your business plans.

This is an important issue, and one I know the Chamber has emphasized as part of its National Cybersecurity Awareness Campaign, which kicked off in May.  In the campaign roundtable events leading up to today’s summit, the Chamber stressed the importance of cyber risk management and reporting cyber incidents to law enforcement.  I couldn’t agree with these two recommendations more.  Today’s event is our opportunity to discuss how we can take these steps and others to best protect ourselves and our nation.

Cybersecurity threats affect us all – and they affect our privacy, our safety, and our economic vitality.  They present collective risk; disrupting them is our collective responsibility. The attackers we face range in sophistication.  And when it comes to nation states and terrorists, it is not fair to let the private sector face these threats alone.  The government ought to help, and we do.

At the National Security Division, we focus on tackling cyber threats to the national security – in other words, those posed by terrorists and state-sponsored actors.  As I will talk about a bit later, we have restructured our division to focus on bringing all tools to bear against these threats.      

Likewise, Chamber members have a particularly important role to play in our strategy.

You are living through these consequences with alarming frequency: according to Brookings, 97 percent of Fortune 500 companies have been hacked.  PwC released a report this week finding that the number of detected cyberattacks in 2014 increased 48 percent over 2013.  As FBI Director James Comey said, “there are two kinds of big companies in America: those who have been hacked . . . and those who don't know they've been hacked.”

We are on notice.  We are all targets.  I would venture to say everyone in this room has, in their professional or private life, been affected by a cybersecurity breach.  At best – a minor inconvenience.  A re-issued credit card.  At worst – devastation to your company’s reputation, loss of customer trust, and injury to your bottom line.

Without taking proper steps – it is a question of when, not if, a major public breach will happen to you.  And with that will come questions about whether you did enough to protect your company, your customers, and your information.

Have you thought ahead to the day when you will have to face your customers, your employees, your board, and your shareholders.  When you will have to notify them that someone has infiltrated your company and stolen your most valuable or private information?  If that day was today, could you tell them that you’ve done everything in your power to protect your company’s future?  Had you warned them of the risks?  Would you be able to say that you minimized the damage?

Do you have a plan?

It’s a pretty daunting scenario.  So it is no surprise that surveys of general counsels identify cybersecurity as the number one issue on their minds today.  But surveys show that over a quarter of Fortune 500 companies still don’t have an established response to cyber intrusions.

This is risky business.  We know that we will never achieve impenetrable defenses.  That we will remain vulnerable.  But you can take steps to mitigate the risk, protect yourselves and your companies, and ultimately, the cybersecurity of the United States.

We have identified four essential components of corporate cyber risk management.

First – equip and educate yourself.  Make sure you have a comprehensive—and comprehensible— cyber incident response plan.

And review it.  I have spoken with many CEOs and general counsels who have said they have not reviewed, or cannot decipher, their company’s plan.  We must do better.  These are C-suite decisions.  You cannot manage your corporate risk if you do not understand it.

Make sure it addresses the “who,” the “what,” and the “when.”

Who is involved and who needs to be notified?

What will you disclose?

When will you notify clients, law enforcement, and the general public?

Second – know that your business contacts create risk.  Malicious actors can exploit your outside vendors—no matter how resilient you think your defenses may be.  Consider guidelines to govern third-party access to your network and ensure that your contracts require vendors to adopt appropriate cybersecurity practices.

Third – protect your bottom line.  Companies are increasingly considering cyber insurance, and you should consider how this may fit into your risk management strategy.  Cyber insurance may offer financial protection, and may also incentivize companies to audit their system’s defenses.

Finally – do not go it alone.  Some of our attackers are linked to deep state military budgets.  And when they are, it’s not a fair fight for you to take on alone. We must work together.

So working with us can be one more component of your risk-management strategy.  As more breaches are publicly acknowledged, the public will ask how quickly and effectively you responded.

As leaders, you will have to answer to your shareholders, board members, customers, the media and the public.  You will want to say you did everything you could to mitigate your financial loss.  Your company’s bottom line, and your financial reputation, will depend on it.  And we can help.  We can provide you with information to protect your networks, and we may be able to take actions to disrupt and deter the attackers that you cannot take by yourself.  So you are on the front lines of these battles, but we are with you.  We are committed to working with you to protect your networks, identify perpetrators, disrupt their efforts, and hold them accountable.  At the Department of Justice, this is among our top priorities.

At the National Security Division, we recently appointed new senior leadership to strengthen our capacity to protect national assets from cyberattacks and economic espionage. We created and trained the nation-wide National Security Cyber Specialists’ – or NSCS – Network to focus on combating cyber threats to the national security.

At DOJ, we follow the facts and evidence where they lead – whether to a disgruntled employee or lone hacker working in obscurity; to an organized crime syndicate in Russia; or even to a uniformed member of the Chinese military.

And indictments and prosecutions are a public and powerful way in which we the people, governed by the rule of law, legitimize and prove our allegations.  As Attorney General Holder said in May, “enough is enough.”  We are aware of no nation that publicly states that theft of information for commercial gain is acceptable.  And that’s because it’s not.  Nevertheless, in the shadows of their flags, some may encourage and support corporate theft for the profit of state-owned enterprises.  We will continue to denounce these actions, including by bringing criminal charges.  And we won’t stop until the crimes stop.  A core part of the government’s response must be disruption and deterrence, in order to raise the costs to people who commit these thefts and to deter others from emulating their actions.

Of course, we recognize that the criminal justice system is just one tool in our toolbox.  In addition to prosecutions, we are working in conjunction with key government partners to explore how to apply designations, sanctions, trade pressure, and other options, to confront new cyber challenges.

These changes will help us fulfill our collective responsibility.  And they will help us work with you.

Which is important because we rely on cooperation from the private sector to bring many of these cases, from identifying the malware and its functions, to pinpointing the location of servers commanding botnets, to assisting victims in removing the malicious software from their computers.

Take as one example the take-down of Gameover Zeus and disruption of the Cryptolocker ransomware – a big success for our colleagues in the Criminal Division’s Computer Crimes and Intellectual Property Section and the Western District of Pennsylvania.  This take-down would not have been possible without close cooperation.  The FBI’s Robert Anderson called it the “the largest fusion of law enforcement and industry partner cooperation ever undertaken in support of an FBI cyber operation.”

We recognize that one of the best ways to protect the nation is to support you in your own efforts.  In 2013, federal agents informed over 3,000 companies that their computer systems were hacked.  And every day, the FBI works with companies targeted by malicious activity, ranging from low-tech denial of service attacks to sophisticated intrusions by elite, state-supported military hacking units.

But, we’re not limited to helping you solely in the aftermath of an intrusion.

Nor do we see our role as only a collector of information.

We also share sensitive information with you so you can defend against attacks in real time, and engage in disruption efforts.  In the past year alone, the FBI presented over three dozen classified, sector-specific threat briefings to companies like yours.

The information we share with you may enhance your ability to deter future intrusions.  And your engagement with law enforcement can help us connect the dots between your breach and a broader threat.

We may be able to help identify what was stolen from you, locate the perpetrator of the attack, and in certain cases, be able to disrupt planned attacks or mitigate the effects of past intrusions.

Given the importance of this cooperation, the Department of Justice is committed to lowering the barriers to sharing information.  Through extensive one-on-one meetings with in-house legal teams, we learned what you perceive to be the legal hurdles to cooperation, and are addressing them.  

We’ve clarified that certain laws - such as the Stored Communications Act and antitrust statutes – are not impediments to sharing information with the government in certain situations.

We understand that trust is an essential predicate to voluntary reporting.  And in our work with you, we strive to protect your sensitive data – including trade secrets, details of network architecture, and PII.

Bottom line, we can help you manage your risk, and you can help us keep our nation safe.

The 9/11 Commission recently concluded that “we are at September 10th levels in terms of cyber preparedness,” and warned that “history may be repeating itself in the cyber realm.”  We must band together to keep that from happening.

At the department, we want to arm ourselves for the threats of today, but prepare ourselves for those that are just over the horizon.

Think about the tools that cyber criminals use – intrusion software, ransomware, and botnets.  When used by cyber criminals, these tools are generally used for financial gain.  But these tools can also be used to disrupt and destroy.  Terrorists have stated they want to exploit cybersecurity vulnerabilities to harm our way of life.  Al Qaeda announced its intent to conduct cyberattacks against civilian targets such as the electric grid and financial system.

The Department of Homeland Security recently confirmed it is investigating two dozen cybersecurity flaws in medical devices and hospital equipment that could be exploited to injure or kill a patient with a few strokes on a keyboard.  The threats are real.

We must acknowledge that terrorists want to acquire these cyber capabilities and, if they succeed, will not hesitate to deploy them.  It is a race against time, and one with high-stakes consequences.

At the department, we are also looking at the gaps that may exist in our authorities.  Many of our laws – long on the books – were not written with cyberspace in mind.  They don’t necessarily contemplate remote access or extraterritorial crimes, they don’t facilitate multi-jurisdictional investigation, and they don’t always empower us to bring our authorities to bear swiftly and effectively.  But we are committed to working with the relevant law- and rule-makers who support modernizing these laws.  New cyber legislation, in several different areas, is needed.

I want to conclude my remarks by discussing the changing perceptions of being hacked.  Among consumers and industry, there is a growing understanding that companies are going to get breached.  But that doesn’t mean you should turn the other way.  There is an enormous downside to taking an “ostrich approach” to cyber threats.  Consumers expect that companies will adopt industry standards for cybersecurity.  And when intrusions happen, consumers expect companies to respond promptly, acknowledge the intrusion publicly, and cooperate with law enforcement to mitigate the damage.

The Chamber of Commerce and its members are uniquely positioned to drive corporate change; to ensure that your companies and your partners treat cyber breaches as more than mere technical problems; to recognize that security operations are not insulated from business operations; and to discuss with your boards, your employees, and your industries the importance of cybersecurity risk management.

As we face ever more threats in cyberspace, let’s incorporate public-private cooperation into our cyber tool kit.  The threats aren’t letting up, and neither will we.  Thank you very much for inviting me.

Monday, May 19, 2014

5 CHINESE MILITARY HACKERS CHARGED FOR CYBER ESPIONAGE

FROM:  U.S. JUSTICE DEPARTMENT 
Monday, May 19, 2014
U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage

First Time Criminal Charges Are Filed Against Known State Actors for Hacking
A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.

The indictment alleges that the defendants conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs).  In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen.  In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.

“This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” U.S. Attorney General Eric Holder said.  “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response.  Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets.  This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”

“For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries,” said FBI Director James B. Comey.  “The indictment announced today is an important step.  But there are many more victims, and there is much more to be done.  With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources.”

“State actors engaged in cyber espionage for economic advantage are not immune from the law just because they hack under the shadow of their country’s flag,” said John Carlin, Assistant Attorney General for National Security.  “Cyber theft is real theft and we will hold state sponsored cyber thieves accountable as we would any other transnational criminal organization that steals our goods and breaks our laws.”

“This 21st century burglary has to stop,” said David Hickton, U.S. Attorney for the Western District of Pennsylvania.  “This prosecution vindicates hard working men and women in Western Pennsylvania and around the world who play by the rules and deserve a fair shot and a level playing field.”

Partial Summary of the Indictment
 Time period : 2006-2014.
Defendants :  Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, who were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA).  The indictment alleges that Wang, Sun, and Wen, among others known and unknown to the grand jury, hacked or attempted to hack into U.S. entities named in the indictment, while Huang and Gu supported their conspiracy by, among other things, managing infrastructure (e.g., domain accounts) used for hacking.

Victims : Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc.


.

Wednesday, September 26, 2012

THE U.S. DEPARTMENT OF DEFENSE COMMITMENT TO CYBERSECUTITY

The U.S. Cyberbrigade On Parade.  Credit:   U.S. DOD
FROM:  U.S. DEPARTMENT OF DEFENSE
Official Reaffirms DOD Commitment to Cybersecurity

By Army Sgt. 1st Class Tyrone C. Marshall Jr.
American Forces Press Service

WASHINGTON, Sept. 25, 2012 – The Defense Department remains vigilant and committed to cybersecurity, especially since its cyber operations present a target for hackers, a senior Pentagon official said here today.

Speaking at the Telework Exchange’s fall town meeting, David L. DeVries, the Defense Department’s deputy chief information officer for joint information enterprise, said the department is an attractive target for potential cyber attacks, due in part to its size.

"DOD is a large magnet for the security vulnerability side of the house," he said. "Just like they would like to hack into Wall Street or a financial institution, they would also like to hack into the Department of Defense and other federal agencies here."

Defense Department officials take cybersecurity very seriously, DeVries said, and that creates pressure on the department’s information technology personnel to stay vigilant.

"It gets exponentially more complex to ensure the security of the whole thing," he said. "And that’s why I have to keep security at the [forefront]."

DeVries said when he turns on his personal computer at home, it automatically seeks updates from Microsoft and implements those changes. "So Microsoft is keeping track of my computer for me," he said. "And it’s saying, ‘Hey, I found something and I updated this thing. You need to do this now, Mr. DeVries.’ So I … say, ‘OK, do it.’"

As the Defense Department moves away from laptops and personal computers and toward smart technology, DeVries said, officials face a difficult challenge. "There are more vendors with these [smartphones] that we’re trying to get connected into the network than we can possibly keep track of," he said.

To police this issue, he added, rules and policies have been published.

"We’re now starting to enforce it," he said. "I’m looking at it from an end-device capability: Are you complying with the measures I’ve put forth?"

DeVries said he was shocked when he learned, during an earlier panel, of a general lack of security for personal information when people use smartphones.

"What’s amazing is, I thought everything I bought was checked out," he said, waving his smartphone. "So I thought all those [applications] were checked by somebody."

A panelist in the earlier discussion said he had a report that said 80 percent of the apps on his smartphone are not compliant with security requirements, DeVries said.

"[This is] my personal stuff I’m worried about there, and now I’ve put it into my workspace. … That’s a scary thought," he added.

Some companies work with the business world to make sure that their apps and operating systems are secure, DeVries said.

"Other vendors are more worried about, ‘I just want to be open to everybody out there from the teenager all the way up to the grandfather,’" he added.

DeVries said the Defense Department already has taken certain precautions.

"So we published our mobile strategy, and again, with a corporation the size of DOD, we’re going a little bit slow," he said.

"I can’t keep up with how fast this stuff gets on the street," he continued. "But I do know I have to protect the data that resides inside DOD -- No. 1, because people’s lives are at stake, and 2, the defense of the nation is at stake. So I take this seriously."


Search This Blog

Translate

White House.gov Press Office Feed