The Pentagon, Contractors and Hackers: Who Protects the Protectors?

The United States Department of Defense is reportedly extending its Defense Industrial Base Cyber Pilot program, first announced by deputy defense secretary William Lynn in June, to defense contractors.

Under this program, the DoD, together with the U.S. Department of Homeland Security, will share classified information and information on how to use it with defense contractors or their Internet service providers to help protect their computer infrastructures from attack.

In other news, German cybersecurity expert Ralph Langner, widely acknowledged as the researcher who discovered the Stuxnet worm, has reportedly alleged that the United States developed and released that malware.

The Stuxnet worm targets Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes, and it struck at Iran’s nuclear plants.

Separately, researchers have discovered a weakness in some websites protected by the Secure Sockets Layer (SSL) that will let attackers decrypt data passing between a Web server and an end user’s browser.

Your Tax Dollars at Work

Defense contractors have proven to be particularly juicy targets for hackers associated with Anonymous, LulzSec and AntiSec of late.

For example, Booz Allen Hamilton was hacked by AntiSec, which broke into unprotected servers, stole 90,000 military usernames and published the stolen information on the Internet.

AntiSec hacked into the servers of defense contractor Vanguard Defense Industries, then stole and released 1GB of private emails and documents of company senior vice president Richard Garcia.

Amid this, the U.S. Department of Defense is offering to protect defense contractors. However, in July, the DoD itself was hit by hackers who stole 24,000 sensitive files.

Further complicating the relationship is the fact that some defense contractors tout themselves as cybersecurity experts and offer that expertise to the U.S. federal government.

“Business wants the government to perform like a private company, and I guess this is one way of doing it,” independent security consultant Randy Abrams told TechNewsWorld.

The DoD and DHS did not respond to requests for comment by press time.

America and Stuxnet?

Reports say Ralph Langner, the German cybersecurity expert who discovered Stuxnet, has alleged that the United States developed and released the worm with the help of Israeli intelligence.

This could backfire on the U.S., Langner reportedly warned, because neither the U.S. federal government nor cybersecurity companies are prepared to cope with the worm.

McAfee, which had followed Stuxnet closely since the worm was discovered, declined to discuss the issue because it “does not comment on attribution,” company spokesperson Heather Edell told TechNewsWorld.

What Secure Sockets?

Secure Sockets Layer (SSL) technology uses certificates to encrypt sensitive information during online transactions. Such certificates are issued by certificate authorities (CAs).

Many Web and database servers use SSL to communicate, but SSL is getting a little long in the tooth. SSL certificates from Dutch CA DigiNotar were faked recently and reportedly used to spy on Google users in Iran, leading Microsoft, Google and the Mozilla Foundation to remove the CA from their trusted CA lists and issue browser updates.

SSL is being replaced by Transport Layer Security (TLS).

However, researchers Thai Duong and Juliano Rizzo presented a hack on TLS 1.0 and earlier versions at a security conference in Brazil recently. They call their proof of concept code “BEAST” — Browser Exploit Against SSL/TLS.

Their JavaScript code works with a network sniffer against targeted websites to decrypt encrypted cookies that restrict access to user accounts. It will reportedly work even against sites that use HTTP Strict Transport Security (HSTS), which prevents pages from loading unless they’re protected by SSL.

Apparently, BEAST won’t infect a PC, but will let attackers steal sessions on PCs, Philip Hoyer, director of strategic solutions at ActivIdentity, told TechNewsWorld.

It will let an attacker potentially perform fraudulent transactions or steal credentials, but won’t attack a site.

“This means that it is more stealthy and hence less detectable until after the event has happened,” Hoyer said.
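The weakness BEAST leans on is that TLS 1.0 reuses the last ciphertext block of one record as the IV of the next, which lets someone watching the wire (with a way to get a chosen block encrypted, the job the injected JavaScript does) confirm a guess at an encrypted cookie block; TLS 1.1 and later send a fresh random IV with every record, and the same check stops working. The example below is an added illustration of that difference, not the researchers' BEAST code: it uses a constructed toy Feistel cipher in place of AES and constructed header and cookie blocks, and compares the two IV schemes.

```python
import hashlib
import hmac
import os

BLOCK = 16                         # 16-byte blocks, as with AES-CBC in TLS
SECRET = b"sid=8f2c19a4b7d3"       # constructed 16-byte cookie block the observer wants to test
HEADER = b"GET / HTTP/1.1\r\n"     # constructed 16-byte known block that precedes it on the wire


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for AES (demo only, not a real cipher)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


class CbcSender:
    """CBC record layer. chained=True models TLS 1.0, where the IV of each record is the last
    ciphertext block of the previous record; chained=False models TLS 1.1+, which prepends a
    fresh random IV to every record."""

    def __init__(self, key: bytes, chained: bool):
        self.key, self.chained, self.next_iv = key, chained, os.urandom(BLOCK)

    def send(self, plaintext: bytes) -> bytes:
        iv = self.next_iv if self.chained else os.urandom(BLOCK)
        prev, out = iv, b""
        for i in range(0, len(plaintext), BLOCK):
            prev = _toy_block_encrypt(self.key, _xor(plaintext[i:i + BLOCK], prev))
            out += prev
        self.next_iv = prev                       # chaining state for the next record
        return out if self.chained else iv + out


def guess_is_confirmed(chained: bool, guess: bytes) -> bool:
    """A passive observer sees record 1 (HEADER + SECRET) and can have one chosen block
    encrypted in record 2. Returns True when the ciphertexts let the observer confirm
    that guess == SECRET."""
    sender = CbcSender(os.urandom(32), chained)
    record1 = sender.send(HEADER + SECRET)
    c0, c1 = record1[-2 * BLOCK:-BLOCK], record1[-BLOCK:]   # ciphertext of HEADER and SECRET
    # Under TLS 1.0 the next IV is c1, so encrypting guess^c0^c1 yields E(guess^c0), which
    # equals c1 exactly when guess == SECRET. Under TLS 1.1+ the IV is unknown in advance,
    # so the same chosen block produces an unrelated ciphertext and the check fails.
    record2 = sender.send(_xor(_xor(guess, c0), c1))
    return record2[-BLOCK:] == c1
```

With the chained IV a correct guess is confirmed and a wrong one rejected; with per-record random IVs the check fails regardless of the guess, which is the property that makes moving off TLS 1.0 (or browser-side record splitting) the mitigation.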

Richard Adhikari

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFI chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true?
