Geoffrey Darnton, Bournemouth University, UK
- “if you can get into people’s heads you can achieve anything”
- different consequences if people fear being killed vs. wanting to be killed
- scope and key issues
- currently, mainly conceptual
- conflicts vs. war
- war and conflict can only occur if people are willing to play
- “willing” – coercion or real willingness
- belief systems are critical in info warfare
- war v conflict
- technically war is a legal state
- iw = information warfare
- maybe should be saying information conflict
- Civilian-ization of warfare via info technologies
- origins of war
- technology
- law
- social organization
- opinions and attitudes concerning basic values
- willingness
- religion and ideology
- both are complex sets of characteristics
- why does it matter in the discussion of IW?
- many acts of conflict and war are done in the name of furthering or preserving some important value or belief
- meta ideo-religious framework?
- experiential
- ritual
- mythology
- ethics
- doctrine
- social
- framework extensions
- symbols
- key personalities
- faith
- deification or reification
- example religions
- middle eastern
- indian
- far eastern
- example ideologies
- capitalism
- marxism
- humanism
- social anarchism
- democracy
- are there characteristics similar to religions?
- proselytizing
- done both by religions and ideologies
- often accompanied by behaviour to discourage “non-believers”
- studies of war
- stats based on religious wars
- extensions to ideology
- how many wars have been fought based on ideology?
- empirical questions
- how many have been killed as consequence of the pursuit of religion
- …pursuit of ideology
- predict that ideology now kills more than religion
- Information operations
- targeted at belief systems
- goal to move people within info space
- change beliefs
- change value judgments
- relies on underlying epidemiological model for spread of beliefs
- causes of war
- seeking causes may be futile if war is a persistent human phenomenon
- suggests that something like “Information Peaceware”
- conclusion
- characteristics of religions and ideologies are similar for practical purposes to have the same effects when it comes to war and conflict.
Cynthia E. Irvine, Naval Postgraduate School, Monterey, CA
- Motivation
- collaboration permits information sharing
- attractive collaboration tool
- can it be applied in an MLS environment
- [M: don't comment on Wikipedia's "legitimacy", not relevant here in the least]
- objective
- develop multilevel wiki
- want high assurance policy enforcement
- run it as untrusted subject outside of TCB
- Testbed design slide
- highlights
- high assurance components
- ["thin client running OS from a CD"???]
- COTS components
- Underlying server
- BAE XTS-400
- “Linux-like” interface
- background
- more than 140 wiki engines available
- aims
- narrow list
- select one or two to test
- selection methodology
- extensive public use
- wiki engines
- wikimatrix
- wikipedia
- considerations for MYSEA environment
- execute on red hat 8
- interface w/ apache
- simple setup, flat-file system
- other considerations
- MediaWiki used as a baseline
- Flat-file wiki list
- Short-listed wikis features slide
- 2 determining factors
- identity-based access control
- concurrent editing
- Decision
- TWiki
- better footprint
- better user control
- better editing
- porting methodology
- run on plain Red Hat 8
- Port Wiki to XTS-400 for execution as a single-level subject
- make multilevel aware
- web-based collaboration support
- logs into system
- logs into wiki
- user can read, edit, create
- high users able to read and modify content at high, able to view at low
- low users only able to read and modify wiki content at low, can link to high but not create high target
- wiki design & architecture
- standard TWiki architecture
- apache runs as single user
- file system DAC
- wiki DAC
- MYSEA WebDAV DAC
- Apache
- MYSEA Apache Config
- Implications
- Users can bypass TWiki access controls by going directly to filesystem
- Solution Space
- Testing
- conducted testing at various stages
- objectives
- test plans conform to MYSEA documentation standard
- Wiki in MYSEA visualization slide
- Future work
- Single signon
- Multilevel data fusion
Gail-Joon Ahn, UNC Charlotte
- motivation
- malicious bots
- surge in attacks
- 1241 bots collected by them in the past year
- 25% not detected by AV tools
- background
- most unknown bots are not detected
- risk-aware detection and prevention
- taxonomy of botnets is available
- approach
- components work individually & in cooperation
- analysis is performed both on and off the internet
- repository system component
- pattern correlation system component
- correlation system
- Traffic analysis
- detect malicious agents
- something else
- something else
- IRC Sandman
- Animations of how it works
- ongoing effort
- bot characteristics
- IRC conversation
- Intel attribution
- building new maps with various knowledge bases
Daniel J. Cotton, Univ of Nebraska, Omaha
- Vista Firewall
- filter incoming & outgoing traffic
- IPSec
- Address space layout randomization (ASLR)
- Moves vista around in memory
- BitLocker
- hard drive encryption
- uses TPM @ bootup
- can be used in one of three modes
- 128-bit AES, can use 256-bit
- User access control
- red/yellow/blue/gray backgrounds have meanings
- user accounts
- programs run at the level of the default user
- must elevate to run as admin
- filesystem
- volume boot record has moved
- journaling
- directory structure changes
- virtual folders
- registry structure changes
- virtual registry
- recycle bin moved & contents changed
- event logs
- xml format
- 30 different event logs
- forensic testing preparation and execution
- downloaded test virtual machines from NIST
- set up w/ default settings
- set of no-cost command line tools
- executed all from batch script
- ran each tool separately to find differences
- focused on command line tools
- tool list not meant to be complete
- in Vista run as regular user and as admin
- impact of Vista on the tools
- 3 out of 46 failed completely
- one failed to resolve installation date
- some ran with gray UAC window
- some ran on XP as user but wouldn’t run without admin on Vista
- Impact of Vista on *.mui files
- majority failed
- .mui file must be copied to the trusted media
- this behavior is not well documented
- Impact of FDCC
- only two tools failed
- impact minimal
- conclusion
- impact of vista on incident response is significant
- changes need to be made to the toolset
- impact of FDCC is less than anticipated
Are the System Security Watchmen Asleep?
Dr. Roger Schell, Aesec Corporation, Palo Alto, CA
- Executives are frequently clueless about security
- rely on professionals to be their watchmen
- “acceptable risk” based on gross misperception
- serious failure by security professionals
- “watchmen” responsible for likely disasters
- air gap between domains is secure – but crippling
- multi-level security slows or prevents info sharing
- misguided mgt response
- accredit and deploy low assurance platforms
- ignore that low assurance is unevaluatable
- exacerbate risks with plans to get well
- watchmen – sound the alarm
- subversion threat is serious and growing
- unconscionable use of overly weak solution
- verifiable protection technology languishes
- cross-domain solutions
- challenge is CDS connectivity
- connection of disparate domains is multilevel
- Cyber warfare subversion likely
- tiger teams are subversion tool of choice
- adversaries can use 30+ years experience
- buy IT solution from your mortal enemy?
- Trojan horse attacks
- hidden functionality in application
- application user is unwitting agent
- current networks open vast opportunity
- 3000+ products online have easter eggs in them, all benign, doesn’t mean all will be benign
- Trap Door attack
- malicious code in platform
- can be remotely activated/deactivated
- efficacy and effectiveness demonstrated
- summary of subversion process
- infrastructure subversion
- execution of artifice software
- (optional) “two card loader”
- access to unauthorized domain data
- weakest link in flawed solutions
- single flawed interface exposes whole net
- “secure application” is non-computable
- “secure” pixie dust components
- vested interest research “sand boxes”
- hard problems for MLC systems remain
- CDS can be no better than platform it is on
- flaws in solutions missed
- false security from isolated components
- accreditations cannot responsibly judge flaws
- only a verifiably secure CDS is evaluatable
- impact indications and warning
- vendor downloadable product subverted
- intrusion can replace traditional espionage
- SW subversion steals credit/debit card data
- military recognition of subversion
- Sorry state of defense today
- sharing data across disparate domains needs MLS
- isolation obstructs missions
- any low connection => MLS
- class A1 resists subversion
- share but resist subversion
- proven methods evaluated and deployed TCB
- mature, proven trusted systems technology
- “rainbow series”
- verifiably secure: Class A1/EAL7
- only this class excludes malicious software
- proven solution: security kernel
- illustrative MLS demonstrations
- multilevel secure web server
- multilevel ftp server
- covert communications proxy
- validated verifiable technology
- blacker
- hsrp
- chots guard
- cots trusted oracle 7
- saclant client/server
- affpb crypto-seal guard
- more opportunities
- mls networked windows
- mls network attached storage
- guards & filters
- real-time exec
- verifiably secure mls linux
- identity management
- mls handheld network devices
- cost/benefit of evaluated protection capabilities
- conclusion
- subversion threat is serious and growing
- unconscionable use of overly weak solutions
- verifiable protection technology languishes
- customers aren’t telling vendors security is a priority
Reiner van Heerden, CSIR Pretoria, South Africa
- passwords are part of everyday life
- password model
- crack passwords
- measure strength
- suggested rules
- upper & lower case
- numerals
- 8 character minimum
- no dictionary words
- no names
- easy to remember
- People keep using a single password for everything
- Asdf1234
- follows those rules
- possible patterns
- start w/ cap
- follow w/ keyboard sequences
- end w/ numerals
- tradeoff between security & memory
- avg length 7-8 char
- advice usually ignored
- dictionary words & numbers are popular
- special char use limited
- memory is the key factor of choice
- Markov model
- sequence of events for which… just see the photos
- Results (see photo, actually very interesting)
- Uses
- defensively as a password strength evaluator
- offensively as a tool to enhance password guessing
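The strength-evaluator use of a Markov model described in these notes, as an added example (not the speaker's code or the CSIR tool): a first-order character Markov model trained on a small constructed list of typical password choices, scoring a candidate by how probable the model finds it. The composition rules and the "Asdf1234" case from the talk are included so the contrast is visible: a password can satisfy every rule and still be a highly predictable sequence. The training list, dictionary and name lists are constructed placeholders, not real leaked data.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed stand-in for a list of commonly chosen passwords (not real leak data).
TRAINING_PASSWORDS = [
    "Asdf1234", "Qwerty123", "Password1", "Zxcv1234", "Letmein1",
    "Summer2008", "Welcome1", "Asdfgh12", "Qwertyui", "Monkey123",
]
# Constructed tiny word/name lists backing the "no dictionary words, no names" rules.
DICTIONARY_WORDS = {"password", "summer", "welcome", "monkey", "letmein"}
NAMES = {"john", "mary", "alice", "bob"}

START, END = "\x02", "\x03"  # sentinels outside the printable alphabet


class MarkovPasswordModel:
    """First-order (bigram) character Markov model with add-one smoothing."""

    def __init__(self, passwords):
        self.counts = defaultdict(Counter)  # counts[prev][next]
        self.totals = Counter()             # totals[prev]
        alphabet = {END}
        for pw in passwords:
            alphabet.update(pw)
            seq = [START, *pw, END]
            for prev, nxt in zip(seq, seq[1:]):
                self.counts[prev][nxt] += 1
                self.totals[prev] += 1
        self.vocab_size = len(alphabet)

    def transition_prob(self, prev, nxt):
        # Laplace smoothing: characters never seen in training still get a
        # small nonzero probability instead of collapsing the whole score to 0.
        return (self.counts[prev][nxt] + 1) / (self.totals[prev] + self.vocab_size)

    def log2_prob(self, password):
        seq = [START, *password, END]
        return sum(math.log2(self.transition_prob(a, b)) for a, b in zip(seq, seq[1:]))

    def guess_bits(self, password):
        """-log2 P(password): more bits means the password looks less like typical choices."""
        return -self.log2_prob(password)


def meets_composition_rules(password):
    """The conventional rules listed in the talk: mixed case, digits, 8+ chars, no words/names."""
    lowered = password.lower()
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and not any(word in lowered for word in DICTIONARY_WORDS)
        and not any(name in lowered for name in NAMES)
    )


MODEL = MarkovPasswordModel(TRAINING_PASSWORDS)


def evaluate(password, model=MODEL):
    """Combine the rule check with the model score for one candidate password."""
    return {
        "password": password,
        "meets_rules": meets_composition_rules(password),
        "guess_bits": round(model.guess_bits(password), 1),
    }


if __name__ == "__main__":
    # "Asdf1234" passes every rule yet scores far fewer bits than a random-looking string.
    for pw in ("Asdf1234", "Qwerty123", "Password1", "k7#Qz!pL2w"):
        print(evaluate(pw))
```

With a training list this small the absolute bit values mean little; what matters is the ordering, and in practice the model would be trained on a large corpus of real password choices so that keyboard walks, capital-first/digits-last patterns and dictionary fragments all score as the low-entropy choices they are.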
Stuart Kurkowski, Air Force Institute of Technology, Wright-Patterson AFB
- Work in progress, developing the tool to do all this
- Fused Alert Data
- alert data is cleaned and reduced to remove redundant or false-positive alerts
- IDS Alerts and log files are grouped into “tracks”
- 10939 CGI Script events reduced to 150 tracks
- Cyber situation awareness model
- level 0 & 1 exist
- level 2+ is this project
- three part approach
- fused track data only
- minimalist additional data & track data
- visual attributes for context awareness
- why visualization?
- large volume of data
- visualization advantages
- more resources to apply
- humans process visual data faster
- relevant info visualized not searched
- patterns easier to recognize
- temporal activity becomes more obvious
- more configurable interface
- Other products
- NVisionIP 2004
- PortVIs 2005
- VisFlowConnect 2005
- VIAssist 2007
- VisAlert 2005
- Methodologies
- lots of screenshots. See Flickr tag iciw2008 in my account for photos
- TCPDump data linked with the tracks to give additional context and information
- the visualizations involve a dynamic and interactive process (i.e. filters)
- filters can be saved and retrieved to run against different datasets
- Results
- allows visualization of heterogeneous sources
- provides more context
- provides viz filter
- easier to project behavior
- future
- add database source to front end
- colors, shapes & borders to be added
- directional information
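The alert-fusion step at the start of these notes (alerts cleaned of duplicates and known false positives, then grouped into "tracks") as an added example, not the speaker's tool or data format: a small Python pass over constructed IDS alert lines that drops alerts from a designated authorised scanner host, de-duplicates identical events, and fuses what remains into per-source/destination/signature tracks split on a time gap. The line format, the scanner host address and the 10-minute gap are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts in a simple "timestamp|sensor|src|dst|signature" form
# (assumed format, not the speaker's data). Two sensors see the same activity,
# one event is logged twice, and 10.0.0.99 is an authorised vulnerability scanner.
SAMPLE_ALERTS = """\
2008-03-10T09:00:01|ids1|10.0.0.5|192.168.1.20|WEB-CGI phf access
2008-03-10T09:00:01|ids1|10.0.0.5|192.168.1.20|WEB-CGI phf access
2008-03-10T09:00:04|ids1|10.0.0.5|192.168.1.20|WEB-CGI phf access
2008-03-10T09:00:09|ids2|10.0.0.5|192.168.1.20|WEB-CGI phf access
2008-03-10T09:01:30|ids1|10.0.0.5|192.168.1.21|WEB-CGI phf access
2008-03-10T09:20:00|ids1|10.0.0.5|192.168.1.20|WEB-CGI phf access
2008-03-10T09:05:00|ids1|10.0.0.99|192.168.1.20|WEB-CGI phf access
2008-03-10T09:05:02|ids1|10.0.0.99|192.168.1.20|WEB-CGI test-cgi access
"""

SCANNER_HOSTS = {"10.0.0.99"}      # constructed: alerts from here are known false positives
TRACK_GAP = timedelta(minutes=10)  # assumed: a longer silence starts a new track


@dataclass
class Track:
    src: str
    dst: str
    signature: str
    first_seen: datetime
    last_seen: datetime
    alert_count: int = 0
    sensors: set = field(default_factory=set)


def parse_alerts(text):
    """Parse the pipe-separated lines into (timestamp, sensor, src, dst, signature) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, dst, sig = line.split("|", 4)
        alerts.append((datetime.fromisoformat(ts), sensor, src, dst, sig))
    return alerts


def clean_alerts(alerts, known_benign_sources=SCANNER_HOSTS):
    """Drop known false positives and exact duplicates (same event, same instant)."""
    seen = set()
    cleaned = []
    for ts, sensor, src, dst, sig in sorted(alerts):
        if src in known_benign_sources:
            continue
        dedupe_key = (ts, src, dst, sig)  # sensor ignored: two sensors, one event
        if dedupe_key in seen:
            continue
        seen.add(dedupe_key)
        cleaned.append((ts, sensor, src, dst, sig))
    return cleaned


def fuse_tracks(alerts, max_gap=TRACK_GAP):
    """Group alerts by (src, dst, signature); start a new track after a gap > max_gap."""
    by_key = defaultdict(list)
    for ts, sensor, src, dst, sig in alerts:
        by_key[(src, dst, sig)].append((ts, sensor))
    tracks = []
    for (src, dst, sig), events in by_key.items():
        current = None
        for ts, sensor in sorted(events):
            if current is None or ts - current.last_seen > max_gap:
                current = Track(src, dst, sig, ts, ts)
                tracks.append(current)
            current.last_seen = ts
            current.alert_count += 1
            current.sensors.add(sensor)
    return sorted(tracks, key=lambda t: t.first_seen)


def summarize(text):
    """Return reduction counts plus the fused tracks for a block of alert lines."""
    raw = parse_alerts(text)
    cleaned = clean_alerts(raw)
    tracks = fuse_tracks(cleaned)
    return {"raw": len(raw), "cleaned": len(cleaned), "tracks": len(tracks)}, tracks


if __name__ == "__main__":
    summary, tracks = summarize(SAMPLE_ALERTS)
    print(summary)
    for t in tracks:
        print(t.src, "->", t.dst, t.signature, t.first_seen.time(), t.last_seen.time(),
              t.alert_count, sorted(t.sensors))
```

Eight raw alerts become three tracks: the fused track carries the first/last time, the alert count and the set of sensors that saw it, which is the level of object the visualization layer in the talk works on, and the scanner whitelist is the kind of false-positive knowledge that has to be encoded explicitly rather than left to an analyst to rediscover on every dataset.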
Carl Colwill, BT Design Security Risk & Compliance, UK
- “The insider will always be the greatest threat”
- Worry about the senior people, not just the lowest people
- hard to distinguish your people from 3rd party people due to so much outsourcing
- it’s a rapidly changing world
- national and international boundaries are being stretched
- India is a playground for intelligence communities right now
- risk assessments are essential
- incorporate regional factors
- what are the crown jewels?
- highlight risk priorities
- identify layers of control
- streamlined risk assessment tools need to feed into business decisions
- By outsourcing you may actually be giving away confidentially
- new opportunities for attack
- loyalty thresholds
- most threat agents will apply inducements to turn insiders
- failing that they’ll infiltrate with their own people
- complex mix of threat agents and influences
- what can be done?
- many controls
- physical
- logical
- personnel
- key topics
- segregation (physical & logical)
- minimum privileges (physical & logical)
- system & user account mgt
- many approaches can be applied to build trust and relationships
- but all in the context of massive vendor staff churn
- it’s not just about technology
- compliance is fundamental
- evidence & detection
- ongoing education and awareness
- requires periodic onsite visits
- conclusions
- outsourcing is increasing attack possibilities
- these threats can be assessed, modeled & managed
- however can be expensive
- it’s a balance of risk and cost
Persistence, Ambiance, and New Maps
Brian Lopez, Lawrence Livermore Laboratories
(Led security for Utah winter Olympics)
- 1200 comp sci folks @ LLL
- LLL has world’s largest laser & world’s fastest supercomputer
- Vulnerability and Risk Assessment Program founder
- field assessment
- threat
- vulnerability
- consequences
- actionable findings
- 1996 President’s Commission on Critical Infrastructure Protection (PCCIP)
- 1998 Presidential Decision Directive 63: Policy on Critical Infrastructure Protection (CIP)
- Moved to DHS in 2003
- DHS seems to be “perpetually reorganized” (audience snickers)
- Energy infrastructures
- electric power
- oil
- natural gas
- Most owned by private corporations
- Assessment activities completed in 30 states
- Look for isomorphisms
- Red Hat, Black Ice exercises
- US Computer Emergency Readiness Team
- training analysts on protocols & systems
- Classified work
- Intel, VAs/Red Teaming, SNM, DBT
- Methodology Development
- Emerging vulnerabilities
- Smart border initiative
- attacks in canada & mexico can affect CI here in the US
- “Critical Infrastructure is the one place where the computers touch the physical world”
- Terrorist simulations folks use OpenSource tools
- Philosophy
- combine strong security and domain expertise
- field experience and capabilities
- multi-disciplinary teams
- work at three levels
- strategic
- tactical
- technical
- approach – listen, learn, teach, collaborate
- actionable findings
- customers make all decisions
- continuous support
- Broke into state power grid in 20 minutes. Board’s response was “great, who do we fire”
- “Information” warfare, not computer science warfare
- Three themes
- Ambiance – what’s ambient that we can leverage
- New Maps – seeing through new lenses
- Persistence – tools to make those maps
- Beware of photocopiers, especially those with network connections and hard drives
- Has the mic on the videoconferencing system on even when they’re not using the room for a video conference?
- “OpenSource reconnaissance” / Social Engineering
- “How to initiate a fire drill other than the obvious starting a fire?” (laughs) “Hey, the terrorists aren’t beyond starting fires.”
- “The electric power grid runs on water.” so blow up the water main two blocks away from. (Second order effect)
- The Problem with Persistence
- photo of a theatre
- single exposure of a whole film
- Too much information creates no information
- “The sum of everything is nothing”
- “Honey Nets”
- Replicate a system to attract the bad guys
- “instrument the heck out of it” / “instrumented to beat the band”
- learn from what they try to do to it
- Now they’re building the map for you
- Research ideas for the attendees
- Ambiance
- expand field of vision of the target
- expand the avenues of attack
- cascading failure – infrastructure interdependence
- cascading support – leverage the dark fiber when other standard connections fail
- auto-characterizing environments tools
- ex-filtration
- what can you inject to induce signatures?
- New Maps
- “Good maps help win the war”
- map of the air – value cocaine from measuring the air
- maps of sound – IEDs & “what the locals know” – when the marketplace goes more quiet than normal
- biometrics – gait analysis, veins in the face, “we need BIG biometrics map”
- “maps used to represent the data, everything you know. now a map is a viewpoint, not everything you know”
- establish new baselines & establish tools to organize that data
- mapping the physical to the cyber – where are the people in the virtual world located in the real world?
- Persistence
- More complex sensors
- More signal sensors
- We need tools to peer into all that data & pull out actionable items
- bioengineer plants to react to certain elements
- All this is dual-use i.e. commercial and governmental
- CS graduates are down 50%
- this is a crisis for the country
- There are tons of CS jobs available right now
- encourage Americans to go into science, esp CS