The Pentagon, Contractors and Hackers: Who Protects the Protectors?
Defense contractors have been pelted with cyberattacks in recent months from infiltrators looking to steal and publicize whatever secret internal documentation they can lay hands on. Now the U.S. DoD is opening up its own brand of protection to defense contractors. Meanwhile, more of Stuxnet's origin story was revealed, and security certification technology takes another ding.
The United States Department of Defense is reportedly extending its Defense Industrial Base Cyber Pilot program, first announced by deputy defense secretary William Lynn in June, to defense contractors.
Under this program, the DoD, together with the U.S. Department of Homeland Security, will share classified information and information on how to use it with defense contractors or their Internet service providers to help protect their computer infrastructures from attack.
In other news, German cybersecurity expert Ralph Langner, widely acknowledged as the researcher who discovered the Stuxnet worm, has reportedly alleged that the United States developed and released that malware.
The Stuxnet worm targets Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes, and it struck at Iran's nuclear plants.
Separately, researchers have discovered a weakness in some websites protected by the Secure Sockets Layer (SSL) that will let attackers decrypt data passing between a Web server and an end user's browser.
Your Tax Dollars at Work
Defense contractors have proven to be particularly juicy targets for hackers associated with Anonymous, LulzSec and AntiSec of late.
For example, Booz Allen Hamilton was hacked by AntiSec, which broke into unprotected servers, stole 90,000 military usernames and published the stolen information on the Internet.
AntiSec hacked into the servers of defense contractor Vanguard Defense Industries, then stole and released 1GB of private emails and documents of company senior vice president Richard Garcia.
Amid this, the U.S. Department of Defense is offering to protect defense contractors. However, in July, the DoD itself was hit by hackers who stole 24,000 sensitive files.
Further complicating the relationship is the fact that some defense contractors tout themselves as cybersecurity experts and offer that expertise to the U.S. federal government.
"Business wants the government to perform like a private company, and I guess this is one way of doing it," independent security consultant Randy Abrams told TechNewsWorld.
The DoD and DHS did not respond to requests for comment by press time.
America and Stuxnet?
Reports say Ralph Langner, the German cybersecurity expert who discovered Stuxnet, has alleged that the United States developed and released the worm with the help of Israeli intelligence.
This could backfire on the U.S., Langner reportedly warned, because neither the U.S. federal government nor cybersecurity companies are prepared to cope with the worm.
McAfee, which had followed Stuxnet closely since the worm was discovered, declined to discuss the issue because it "does not comment on attribution," company spokesperson Heather Edell told TechNewsWorld.
What Secure Sockets?
Many Web and database servers use SSL to communicate, but SSL is getting a little long in the tooth. SSL certificates from Dutch CA DigiNotar were faked recently and reportedly used to spy on Google users in Iran, leading Microsoft, Google and the Mozilla Foundation to remove the CA from their trusted CA lists and issue browser updates.
SSL is being replaced by Transport Layer Security (TLS).
However, researchers Thai Duong and Juliano Rizzo recently presented a hack on TLS 1.0 and earlier versions at a security conference in Brazil. They call their proof-of-concept code "BEAST" -- Browser Exploit Against SSL/TLS.
Apparently, BEAST won't infect a PC, but will let attackers steal sessions on PCs, Philip Hoyer, director of strategic solutions at ActivIdentity, told TechNewsWorld.
It will let an attacker potentially perform fraudulent transactions or steal credentials, but won't attack a site.
"This means that it is more stealthy and hence less detectable until after the event has happened," Hoyer said.