Category Archives: Government

What are Advanced Cryptographic Capabilities (ACC)?

Advanced Cryptographic Capabilities (ACC) is a National Security Agency (NSA) mandated standard for asymmetric cryptographic algorithms providing confidentiality services. Devices affected by these ACC standards are In-line Network Encryptors (INEs) and certain secure voice solutions.

REDCOM Solutions with Advanced Cryptographic Capabilities

The REDCOM Secure Voice Gateway is an ACC-compliant integrated solution for Type 1 secure voice gateways to connect new and legacy SCIP secure voice devices. This solution employs a REDCOM SVG-1200 and General Dynamics Sectéra vIPer phones as encryptors. Powered by REDCOM’s flagship Sigma command and control software, the REDCOM SVG-1200 enables secure multi-party voice conferencing across red and black networks. The included REDCOM Conference Manager app provides real-time conference control and attendee information from a browser-based app.

SVG 1200

The REDCOM SVG-1200 can connect up to twelve standard production Sectéra vIPer Phones, which act as voice encryptors. The vIPer encryptors are NSA-certified, delivering Type 1 encryption and SCIP interoperability to protect sensitive voice calls classified Top Secret and below. If more than 12 secure talk paths are required, multiple SVG-1200 units may be networked together.

Learn More About the REDCOM Secure Voice Gateway


Tips for Cybersecurity Awareness Campaigns

Nearly all professionals are familiar with the idea of cybersecurity awareness campaigns: presentations and discussions about cyber risks and the practices that mitigate those risks. Likewise, many who are familiar with these campaigns also know how ineffective they can be at convincing the average user to improve their security habits. Recent research has attempted to isolate the aspects of cybersecurity campaigns that lead to their ineffectiveness and overall downfall. In this post, we will explore that research and dive into suggested ways to improve the odds of an awareness campaign being successful.

Cybersecurity campaign goals

The overall goal of a cybersecurity awareness campaign is to “render people amenable to change(s)” which will ultimately raise their security posture. To accomplish this goal, two conditions must be met:

1. People must be able to understand and apply cybersecurity advice
2. Users must have their attitudes and intentions changed in favor of being more security-conscious

A successful campaign will need to be structured around these conditions to alter attitudes and actions towards cybersecurity. According to NIST Special Publication 800-50, it is important to note that cybersecurity awareness is not the same as cybersecurity training. Cybersecurity awareness should ultimately alter a person’s cybersecurity perspective, rendering them more motivated and receptive to formal cybersecurity training.

Factors of an unsuccessful cybersecurity campaign

While the goal is to run successful cybersecurity campaigns, it is vital to understand the factors that can derail the effort, such as:

Misunderstanding security

Although this idea may seem obvious, it proves to be a point of failure for campaigns. Not only must campaign organizers have an idea of what cybersecurity looks like in general, they must also know what cybersecurity means to the audience they are communicating with. Not all experiences with cybersecurity are created equal, so understanding your audience's current knowledge of cybersecurity is crucial in order to relate to them effectively. Meeting your audience where they already are in how they think about cybersecurity feels more personal and makes it easier to convey knowledge that will change their actions.

Compliance

Compliance with a cybersecurity education program does not equal proper behavioral changes. It is more important to emphasize appropriate behavior and actions than compliance with a cybersecurity course or program.

Uniqueness of awareness

Heightened awareness of cybersecurity will be an entirely new action or practice for many individuals, so it should be taught with that same approach. Cybersecurity awareness is a unique skill, so constant reinforcement of proper behaviors and actions is a necessity, as well as reassurance when individuals falter or have misunderstandings.

Lack of engaging material

Information disseminated by cybersecurity campaigns must be easily digestible and engaging. This could prove rather difficult for large-scale campaigns, as cybersecurity notions will certainly differ from one audience to another. A wide range of information covered via several media (e.g., posters, brochures, presentations, demonstrations, etc.) could increase adaptability to multiple distinct audiences.

Relate to an audience at the individual level

Studies have shown that one of the most effective media for engaging with audiences from the general population is the poster.

Absence of data collection

Regularly collecting metrics from audiences allows for those working on the campaign to learn which methods are working and which are not. Data collection will enable campaigns to improve based on direct feedback from audience members.

Unreasonable expectations

Organizers of cybersecurity campaigns must recognize that they are attempting to teach an entirely new skill and that failure is inevitable. Individuals will falter when learning any new practice, and cybersecurity is no exception: organizers must leave room for failure and turn failures into learning opportunities.

Multiple threats

There is an ever-increasing variety of cyberattacks, so awareness campaigns must be prepared to test their audiences in a variety of different ways (quizzes, false phishing, risky behavior analysis, etc.). Like the last point, it is important not to shame or discourage an individual if they fail a testing exercise, rather, it is important to turn the failures into learning moments and provide continued encouragement.

Factors of a successful cybersecurity campaign

Communication

Finding success with a broad audience requires information through several media. As mentioned before, posters have been reported to be the most effective.

Computer-based training

Computers are an omnipresent component of modern cybersecurity, so it’s crucial to expose audiences to them as much as feasibly possible. Computer demonstrations and exercises may be useful for smaller-scale audiences.

Awareness events

Events help bring security awareness efforts to life. Events are places where information can be distributed, demonstrations can be performed, and questions can be asked. Events also allow campaign organizers to gauge an audience's understanding of, and feelings about, cybersecurity.

Security portal

An online campaign must provide general information on cyber attacks and cybersecurity in an online format. The portal should include a knowledge base and a forum where general users can ask questions to promote discussion.

Behavioral testing & teachable moments

Campaign organizers need to be prepared to allow failures in understandings, practices, and testing. As stated previously, these failures should be met with a positive attitude and reinforcement of proper cybersecurity behaviors and actions.

Teaching new skills effectively

Cybersecurity is an extraordinarily complex field, so when teaching proper skills & behavior to a general audience, complex goals should be broken down into short-term, achievable steps. Any & all assistance should be offered to all participants of a campaign at any time, whether it be answering a specific question or reintroducing basic concepts.

Conclusion

Cybersecurity awareness is an enormous concept, and campaigns will take some trial and error in order to see even marginal success. It is important to consider the factors outlined in this study, as they make valid points about the human experience with cybersecurity. One of the most important aspects, it seems, is that no one person is an expert in all of cybersecurity, and when teaching practices of good cybersecurity posture, one should treat it as the almost entirely new skill that it is. It is also important to remember that cybersecurity is an ever-changing field, and advances in cybersecurity awareness and overall posture must remain ever-changing as well.

TAA: Why It Matters When Buying Communications Products

The integrity of computing technology and communications gear is more important now than ever before. When government agencies, militaries, and first responders deploy mission-critical communications solutions, lives are on the line. Understanding where this technology was sourced and built is critical to our security as a nation.

The Trade Agreements Act was enacted to govern trade agreements between the United States and foreign countries. One of the principal features of the Act is that it limits U.S. Government procurement to products made in the U.S. or in designated countries (such as Canada, Japan, Australia, or many European nations). If components are sourced from “non-designated” countries (such as China or India), then these components must undergo substantial transformation in a designated country. Only by meeting these criteria can a product be referred to as “TAA compliant.”

REDCOM products meet TAA compliance because REDCOM designs, develops, and manufactures all of our products at our headquarters in the United States. We work only with vetted and trusted suppliers to ensure that we source the best and most reliable components for every product, and we document the Country of Origin for every component we purchase. REDCOM has proactively addressed every step of the supply chain to reduce risk and meet the federal standards for TAA compliance.

Defining Advanced Persistent Threats (APT)

Attempts to define the characteristics of an Advanced Persistent Threat (APT) are often varied and describe a wide range of behaviors, capabilities, and motivations. In this exercise, we’ll look into a widely accepted definition of APT and review two well-known APTs to explore the factors that lead to their classification.

Defining an APT

Per the National Institute of Standards and Technology (NIST), a renowned source on information and network security, there are three characteristics which define an APT: repeated and continuous pursuit of specific objectives, active adaptation to measures meant to defend against attacks, and efficient maintenance of control mechanisms in order to execute necessary functions (NIST, 2013). This NIST definition will be used to compare and contrast the known characteristics, capabilities, motivations, and operations of two well-known APT groups: APT 28 and Lazarus Group.

Introduction to the APTs – APT 28 & Lazarus Group

APT 28


As cybersecurity has moved further into the public sphere, the idea of the Advanced Persistent Threat has become more real even to those not directly involved in information technology (IT) or network security. From large-scale attacks such as the 2016 presidential election interference and the WannaCry ransomware attacks to smaller-scale incidents such as concerted attacks on cryptocurrency exchanges, the actions of APTs are becoming increasingly complicated, while the effects of these actions are becoming more widespread and public.

The APTs themselves are also aware of these trends and are taking measures to ensure that their operations stay efficient, effective, and difficult to defend against. Well-known threat groups, APT 28 and Lazarus Group, are defined as APTs according to the definition provided by the National Institute of Standards and Technology (NIST).

APT 28 and the Lazarus Group have conducted relatively recent large-scale cyber-attacks which fit this description of efficiency, complexity, and ability to keep pace with cybersecurity trends. APT 28, also known as Fancy Bear, Strontium, and Tsar Team, has largely been concerned with targeting critical infrastructures of enemies of the Russian government, both foreign and domestic (Mwiki, 2019).

In 2016, APT 28 perpetrated an attack against the Democratic National Committee (DNC) in which threat actors intruded into the DNC network, harvested sensitive information and troves of private e-mails, and leaked the data to the public. Within evidence from this intrusion, files were found which used Russian language settings, and some files included Cyrillic text artifacts. Other crucial evidence supporting this group's ties to Russia was the use of Command & Control (C2) functions which were instructed to communicate with IP addresses already associated with APT 28.

Although this evidence does not concretely establish the group's ties to the Russian government, it is unlikely that another APT was leaving this evidence behind to masquerade as APT 28, as the governments of the United States and United Kingdom have identified APT 28 as one of the operating arms of Russia's Main Intelligence Directorate (GRU). This claim was further asserted when the U.S. placed sanctions on the Russian government for interference in the 2016 presidential election, directly implying a relationship between APT 28 and the Kremlin.

Lazarus Group


The second APT subject of this analysis, Lazarus Group, is believed to be directly responsible for the infamous 2014 breach of Sony Pictures Entertainment and exfiltration of over one-hundred terabytes of sensitive data. Also known as Operation Blockbuster, this cyber-attack on Sony was attributed to Lazarus Group, a collection of threat actors that were already fairly well-known at the time, including their technologies, code-sharing behaviors, and alleged ties to the North Korean government.

Lazarus Group has a history of targeting several distinct industries, including military entities, governments, financial institutions, and entertainment companies. The malware used in the Sony attack had previously been associated with Lazarus Group, suggesting attack attribution relatively quickly. Other evidence that this attack was executed by Lazarus Group lies within other technical parts of the malware used to harvest and destroy data such as the encryption algorithms, data deletion protocols, and software naming schemes familiar to Lazarus Group and other related sub-groups.

Despite this evidence, there is still some uncertainty surrounding North Korea perpetrating this specific attack. For example, the IP addresses used for C2 communications were not previously associated with Lazarus Group; rather, they were commonly known addresses used by a variety of threat actors. Also, some of the leaked data pertained to plans for employee downsizing, and it is contested whether "insider knowledge" would have been needed to access some of the compromised data. However, it is contended that the previously unassociated IP addresses are perhaps not the hallmark of a different actor, but rather an attempt by Lazarus Group to conceal their actions or hide their origins. Although some former employees fell under suspicion of assisting in the attack, those investigating the incident never took the blame off of Lazarus Group and, consequently, North Korea.

Analysis of APTs and their methodologies

With the definition of APTs provided by NIST, we can begin to analyze the capabilities of both APT 28 and Lazarus Group and uncover the characteristics which make them true APTs.


First Requirement

The first stipulation of the definition, repeated and continuous pursuit of specific objectives, applies to both APT 28 and Lazarus Group. To confirm this, a brief analysis of their attack patterns must be conducted. APT 28 attacked several entities pertaining to the Democratic political party, including the Democratic National Committee, the Democratic Congressional Campaign Committee, and the Hillary Clinton presidential campaign. These successive strikes against a single United States political institution have all the characteristics necessary to satisfy the first requirement of the APT definition.

For Lazarus Group, it is believed that the primary motivations are general collection of information as well as financial gain. Although much broader than APT 28 in their mission, these motivations explain their operating strategy of attacking such a wide range of verticals on an international scale. Finding monetary success through avenues of cybercrime makes sense for North Korea, which has come under heavy sanctions in recent history, providing a geopolitical context for the origination of Lazarus Group's operations. As with APT 28, an analysis of Lazarus Group's previous attack history satisfies the first component of the NIST definition for APTs.

Beginning back in 2007, Lazarus Group’s operations have spanned from wide-scale DDoS attacks on foreign militaries to intrusions into South Korean bank infrastructures; Lazarus Group’s history is littered with repeated attacks in pursuit of specific goals. On the technical side, both threat groups have demonstrated their use of phishing and spear-phishing techniques, granting access to user accounts and the privileges that come along with them. There is evidence to suggest that both APTs have utilized spear-phishing via malicious e-mail attachments, and malicious shortened hyperlinks disguised to appear as something different (Mwiki, 2019).

Second Requirement

The second requirement of the NIST definition for APTs is the exhibition of active adaptation to measures meant to defend against attacks. This can be shown via analysis of further technical capabilities of the APTs.

For APT 28, several mechanisms are utilized which ensure evasion of defensive measures that could be deployed against attacks. Such mechanisms include creation of AutoStart extensibility points (ASEPs) and utilization of encrypted and compressed payloads (Mwiki, 2019). For further example, APT 28 is known to ensure the resiliency of their C2 infrastructure, via mechanisms such as installing loader Trojans to ensure persistence.

Likewise, in order to evade defensive measures, Lazarus Group has deployed mechanisms that are known to defeat certain security platforms such as Microsoft Windows System Event Notification & Alerter and McAfee Antivirus. Lazarus Group is also demonstrably innovative in the deletion of files. This pertains not only to information Lazarus Group is looking to remove from the victim, but also to hide traces left behind from deployment of their own malware (MITRE, n.d.).

Third Requirement

The last stipulation of the NIST definition of APTs pertains to ensuring that enough control is maintained over infected systems that core mission operations can still continue. For example, APT 28 is known to use bootkits and command-line interfaces in order to create new backdoors into systems, leaving them vulnerable even if the initial vulnerability is corrected. APT 28 has also demonstrated the ability to create custom cryptographic protocols for the purpose of securing and concealing C2 traffic, allowing for quick setup or alteration of C2 capabilities.

For Lazarus Group, they have developed several “fallback channels”, i.e., their C2 capabilities are often hard-coded to reach back to one of several servers, seemingly at random. Also, in the interest of maintaining control, Lazarus Group has more recently demonstrated their ability to monitor traffic and collect intelligence on a victim network, as seen in their October 2018 Operation Sharpshooter.

Conclusion


It is important to note that, while APTs serve as excellent case studies for understanding some of the geopolitical motivations of our adversaries, they are continuously active; always in pursuit of some very specific goal. At the time of writing this piece, Microsoft has reported that APT 28, along with other international threat groups, have ramped up their efforts to compromise the 2020 Presidential Election, specifically various accounts of those involved closely with it.

According to Microsoft, members of both the Trump and Biden campaigns have experienced coordinated attack efforts against accounts held by themselves, their staffers, and their consultants. From the available evidence, it has been determined that these groups are investing more of their resources in anonymization and automation, but more classic techniques like spear-phishing are still just as prominent. This shift in architectural investment is noteworthy, as understanding the tools an adversary chooses to utilize can inform defenders of their long-term goals.

The efforts of APTs are well-coordinated, well-funded, and always serve some larger purpose. In order to defend our critical processes against such foes, appropriate defenses must be planned for and deployed. While the actions of APTs make up a small percentage of all cyber incidents that occur, their effectiveness and precision command attention. While it is true that not all cyber attacks can be perfectly defended against, understanding the mechanisms, motivations, and movements of adversarial groups like APTs helps reinforce and strengthen our operational defenses and overall security.

APTs are becoming more ubiquitous in the common discourse surrounding today's cybersecurity. Because of this, it is important to distinguish between rogue actors, unfortunate cyber accidents, and actual APTs. Using the definition of APTs provided by NIST, we analyzed two suspected APT groups: APT 28, a group long thought to be an operating arm of the GRU, and Lazarus Group, a collection of actors allegedly tied to North Korea which pursues financial gain and collection of international intelligence. By analyzing the geopolitical trends surrounding these groups, the methods and technologies used by each group, and their recorded attack patterns, both APT 28 and Lazarus Group provably satisfy the requirements for APT classification outlined in the NIST definition.

Sources

Mwiki, H., Mwiki, D., Raymond, K. (2019). Analysis and Triage of Advanced Hacking Groups Targeting Western Countries Critical National Infrastructure: APT28, RED October, and Regin: Theories, Methods, Tools and Technologies. doi: 10.1007/978-3-030-00024-0_12.

NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. NIST Special Publication 800-53 Rev. 4. doi: 10.6028/nist.sp.800-53r4

Zero-Knowledge Proofs and their Impact on Cyber Security

Why is it important?

A Zero-Knowledge Proof (ZKP) is a protocol that verifies whether certain knowledge exists without revealing it. In a ZKP two parties perform an exchange where one party proves to the other party that they know a secret without giving away any sensitive information about the secret. If an adversary were to sit in the middle and listen to the exchange, they would not learn the secret or any other information that could lead them to infer the secret. This is because the only information verified by a ZKP is that the proving party knows the secret. The verifying party does not learn what the secret is and cannot obtain or reconstruct the secret in any form.

In a world of password-based authentication and digital privacy, this could be a game-changer to modern cybersecurity. Many methods in cybersecurity involve addressing problems like:

  • How do I enroll in services without entering sensitive information?
  • How do I prove my identity without giving away my social security number?
  • How do I protect my password from hackers on the internet?

ZKP has the potential to solve these problems and others by allowing services to verify necessary information without the user ever disclosing it. This removes the concern of third-party services storing sensitive information in a database, and the user does not need to send it over an unsecure network.

How does it work?

Suppose there is a $100,000 prize to anyone who can find an algorithm that solves a specific type of puzzle. Peggy claims that she has found such an algorithm, but she doesn’t want to give it away in case someone else claims the prize money. Let’s assume that so far no one other than Peggy has been able to come up with a solution. How does Victor verify that Peggy has found an algorithm?

Victor can perform a Zero-Knowledge Proof by generating a random variation of the puzzle and sending it to Peggy. Let's assume that Victor does not know the solution beforehand but can easily verify whether Peggy's solution is correct (e.g. you can verify a Sudoku solution by checking that every row and column contains each of the digits 1 through 9 exactly once). If Peggy truly knows an algorithm, she can fill in the puzzle and return the answer to Victor. Then he can confirm that her solution is correct. But what if he is unconvinced? What if Peggy guessed the solution? Then Victor can repeat the exchange and send another randomly generated puzzle, and Peggy can provide him with another solution. With each iteration, the likelihood that Peggy guessed the solution multiple times in a row decreases exponentially. Victor can continue to challenge Peggy with puzzles until he is convinced that she must know an algorithm, because it is highly improbable for her to have guessed correctly so many times. Note that by filling in the puzzle, Peggy is not giving away her algorithm, and by receiving the solution Victor cannot infer how Peggy came up with her answer. Thus Peggy's secret, the algorithm, remains confidential.

This is just a simplified example of how ZKP can be used to verify a condition (e.g. Peggy knows an algorithm), but how can this be used in cybersecurity? Computers today can perform ZKPs by repeating a series of mathematical tests (i.e. “validating the puzzle”). If Victor prompts Peggy with a “puzzle” or any sort of question like “Do you know the password?”, Peggy’s answer is obscured by a mathematical function. What Peggy sends Victor is not her answer, but something that is mathematically derived from her answer, thus hiding the original answer. With each iteration, the probability of Peggy repeatedly guessing the correct answer decreases. Some ZKPs also insert a small amount of randomness into each exchange to ensure that the same answers don’t produce the same results for following iterations.

How is it secure?

The highlight of ZKP compared to other security protocols is that nothing sent across the network or stored in a database can be used to recreate the secret. It is infeasible to reverse engineer Peggy's obscured answer to obtain the original answer because the obscured answer was derived using a special class of mathematical one-way functions that cannot be inverted with modern computing. Knowing the outputs of these functions is currently not enough to reconstruct the inputs. A fundamental part of ZKP's security is also tied to the number of "puzzles" or challenges Victor sends. Suppose there were 10 possible answers to each puzzle. Peggy would have a 1/10 chance of guessing the right answer on the first exchange, a 1/100 chance of guessing two right answers in a row, and a 1/1000 chance of guessing three right answers in a row. This pattern continues with every iteration until Victor decides that it is effectively impossible for Peggy to have guessed each correct answer. Notice that with each iteration the probability that Peggy guessed every answer approaches zero but never reaches it [Figure 1]. We must decide on a cutoff point that is close enough to zero that we are confident Peggy could not be so precise without knowing the secret. As the number of possible answers for each challenge increases, the cutoff point is reached with fewer iterations.

Figure 1: The probability that Peggy will guess the answer for each iteration if there are 10 possible answers.
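The following is an added example, written for this page rather than taken from the original post or from REDCOM, that makes the Peggy/Victor exchange above and the guessing-probability argument concrete. It assumes a Schnorr-style interactive proof of knowledge of a discrete logarithm (the post does not name a specific protocol): Peggy's secret is an exponent x, the public value y = G^x mod P is the "one-way function" output, each round's response is masked by fresh randomness r, and Victor's challenge has 10 possible values so that a prover without x passes a round with probability 1/10. The group parameters P, Q and G are constructed toy values chosen for readability, not secure sizes; a cheating prover is included only to show why repeating rounds drives the guessing probability toward zero.

```python
import secrets

# Constructed toy parameters (NOT secure sizes): P is a safe prime, Q = (P-1)/2,
# and G generates the subgroup of prime order Q. Real deployments use groups of
# 2048+ bits or elliptic curves; small numbers keep the arithmetic readable.
P = 1019
Q = 509
G = 4
CHALLENGE_SPACE = 10   # "10 possible answers" per puzzle, as in the text


def keygen():
    """Peggy's secret x and the public value y = G^x mod P (a one-way function)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round start: Peggy picks fresh randomness r and sends t = G^r mod P."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Peggy's obscured answer s = r + c*x mod Q; r masks x, so s reveals nothing about x."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Victor's check for one round: G^s must equal t * y^c mod P."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def cheater_commit(y):
    """A prover WITHOUT x can only guess the challenge in advance and shape t to fit it."""
    guess = secrets.randbelow(CHALLENGE_SPACE)
    s = secrets.randbelow(Q)
    # t = G^s * y^(-guess); y^(-guess) == y^(Q - guess) because y has order Q.
    t = (pow(G, s, P) * pow(y, Q - guess, P)) % P
    return guess, s, t


def run_protocol(y, rounds, x=None):
    """Run `rounds` challenge/response exchanges against public value y.
    Honest Peggy if x is given, otherwise the cheater. True only if every round verifies."""
    for _ in range(rounds):
        if x is not None:
            r, t = prover_commit()
            c = secrets.randbelow(CHALLENGE_SPACE)   # Victor's random challenge
            s = prover_respond(x, r, c)
        else:
            _guess, s, t = cheater_commit(y)
            c = secrets.randbelow(CHALLENGE_SPACE)   # cheater passes only if c == guess
        if not verify(y, t, c, s):
            return False
    return True


def guess_probability(answers, rounds):
    """Chance of guessing `rounds` challenges in a row with `answers` options each."""
    return 1 / answers ** rounds


def rounds_needed(answers, one_in):
    """Smallest number of rounds at which a guesser's odds are at most 1 in `one_in`."""
    n = 0
    while answers ** n < one_in:
        n += 1
    return n


if __name__ == "__main__":
    x, y = keygen()
    print("honest Peggy, 20 rounds:", run_protocol(y, 20, x=x))
    print("cheater, 20 rounds:", run_protocol(y, 20))
    print("P(guess 3 in a row):", guess_probability(10, 3))
    print("rounds for 1-in-a-million cutoff:", rounds_needed(10, 1_000_000))
```

Victor sees only (t, c, s) each round; because r is fresh and uniformly random, s is uniformly distributed regardless of x, which is what the post means by the answer being "obscured by a mathematical function" and by randomness making repeated rounds look different. Raising CHALLENGE_SPACE lowers the per-round guessing odds, so the same cutoff is reached in fewer rounds, as the last sentence of the section describes.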


Hypothetical Cyber Attack – Exploiting WEA

The global pandemic has shed light on the shortcomings of critical infrastructure across industries and uncovered significant vulnerabilities in current systems. One lesson to take from this pandemic is the importance of proactively examining essential systems for potential vulnerabilities.

This practice is especially important in the telecommunications sector, which houses several critical sites and services that enable life-saving communications. As an exercise, REDCOM took a look at one of these systems, the Wireless Emergency Alert System or WEA (now known as the Presidential Alert System).

WEA

If you have ever received an amber alert or severe weather alert directly on your smartphone, you've seen WEA in action. WEA is the system responsible for driving critical announcements to all available LTE devices in a target area. While this system is largely seen as a benefit to communities, there is an opportunity for abuse within the WEA by malicious parties with the appropriate technical skill and motivation.

Past abuse of WEA

In 2018, a state-wide false alarm occurred in Hawaii, where residents were told that a ballistic missile was en route to Oahu. This incident was the result of miscommunication between workers at the Hawaii Emergency Management Agency (HEMA) and general human error. The alert was not declared a false alarm until fifteen minutes later, when Hawaii's governor David Ige made the announcement on Twitter. HEMA did not broadcast a corrective message until thirty minutes had passed.

In the hour after receiving the alert, residents were in a panic and attempting to flee or shelter at any cost. Honolulu EMS saw a doubling in its calls for assistance, with some of the more notable calls detailing heart attacks and vehicular accidents. With a merely accidental misuse of the WEA system causing such damage, panic, and mayhem, one's thoughts turn to the worst-case scenario: what damage could be done through a widespread, coordinated attack using the WEA system?

Understanding how WEA works

WEA alerts can be sent from a variety of Emergency Operations Centers (EOCs) – local and state EOCs have the power to send WEA alerts to their corresponding areas, while government agencies can send out nationwide alerts. A high-level view of the WEA system architecture can be seen below.

Figure: High-level view of the WEA system architecture.

Although not detailed in this image, the act of issuing a WEA alert appears fairly secure. WEA alerts must be submitted through a portal that requires a certified operator's credentials (Mead, 2016). The alert must then be signed by a second operator before it can be sent to the Federal Alert Aggregator, which further inspects and authenticates it. If an alert is authenticated, it is sent through an Alert Gateway, where it is distributed according to who issued it, to the areas the incident has affected or will affect, and so on. Residents in the affected area then receive a WEA alert on their smart devices informing them of the event at hand.

It is at this distribution stage that the major vulnerability lies for the WEA system. According to researchers at the University of Colorado at Boulder (UCB), a malicious actor would only need to construct a makeshift cellular tower and know how to impersonate the alert format to distribute false WEA alerts to citizens in a given area. This vulnerability is due to the use of less-secure LTE broadcast mechanisms rather than more traditional authentication-based messaging mechanisms.

Hypothetical cyber attack

Because the goal of WEA messages is to broadcast to as many devices as possible, a threat actor with a makeshift cell tower only needs to know the message format and the LTE channel to send the faulty message to – any LTE device will then receive the message if they are in the range of the false tower. The formatting and band information are available and accessible through open-source and commercial-of-the-shelf (COTS) means. 

Given this information, it is unlikely that a malicious actor would be able to spoof a nationwide alert through the WEA system. However, it is plausible that a team of actors could distribute false messages to a few key populated areas to incite panic and create turmoil.

If this attack were successful, and a few major cities were hit simultaneously, there could be substantial damage and loss of life. There could certainly be a period of total chaos if the message were severe enough and distributed to enough people. Depending on the content of the false alert, other critical resources may become unavailable because they are diverted to investigating the situation (e.g., a false bomb threat in a crowded stadium may draw more police and EMS resources than other incidents).

An attack via WEA may also be used as a diversion to render critical resources temporarily unavailable in pursuit of another mission or goal. Likewise, if the area of deployment were more targeted and the stakes of the false threat more serious, something like this could be used as a primary attack method. For example, an alert detailing imminent missile strikes in certain sections of New York City may be enough to cause destructive levels of panic. 

Either way, potential attacks on the WEA system are capable of turning normalcy on its head in a matter of seconds. Given the circumstances of the Hawaii incident, a successful false WEA message may also discourage the general public from taking these messages seriously when they are legitimate, potentially resulting in more damage, this time from actual emergencies.

Conclusion

While this exercise is purely hypothetical, that is not to discount the vulnerabilities in a critical alerting system. The WEA system’s use of less-secure LTE mechanisms is an issue that should be addressed. One potential solution is simply to add more traditional authentication-based messaging mechanisms. It is imperative that we, as an industry, continue to look proactively at critical infrastructure for vulnerabilities. While it is impossible to know for certain, the weaknesses in systems that we address today can very well save lives tomorrow.
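The submission chain described above (certified operator, second signer, aggregator check), the unauthenticated last hop, and the authenticated-broadcast fix the conclusion proposes, modeled as an added Go example; this is not code from the article or from any WEA implementation, and the alert structure, the use of Ed25519 signatures, and the key provisioning are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Alert is a constructed stand-in for an alert payload (an assumption for this example, not the real WEA format).
type Alert struct {
	ID, Issuer, Area, Text string
}

// SignedAlert carries an alert through the modeled pipeline; OperatorSigs is keyed by operator public key.
type SignedAlert struct {
	Alert        Alert
	OperatorSigs map[string][]byte
	GatewaySig   []byte // set only by the gateway; a message injected downstream never carries a valid one
}

// Canonical serializes the alert so every party signs and verifies identical bytes.
func Canonical(a Alert) []byte {
	b, _ := json.Marshal(a) // fixed struct field order keeps this deterministic
	return b
}

// OperatorSign is the certified-operator step at the EOC portal.
func OperatorSign(sa *SignedAlert, priv ed25519.PrivateKey) {
	if sa.OperatorSigs == nil {
		sa.OperatorSigs = map[string][]byte{}
	}
	sa.OperatorSigs[string(priv.Public().(ed25519.PublicKey))] = ed25519.Sign(priv, Canonical(sa.Alert))
}

// AggregatorAccept models the Federal Alert Aggregator: two distinct certified operators must have signed the same bytes.
func AggregatorAccept(trusted map[string]bool, sa SignedAlert) error {
	msg := Canonical(sa.Alert)
	for pub, sig := range sa.OperatorSigs {
		if !trusted[pub] || !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
			return fmt.Errorf("signature invalid or from an uncertified operator")
		}
	}
	if len(sa.OperatorSigs) < 2 {
		return fmt.Errorf("need 2 distinct operator signatures, have %d", len(sa.OperatorSigs))
	}
	return nil
}

// GatewaySign is the mitigation the conclusion proposes: sign the payload so handsets can authenticate the last hop.
func GatewaySign(sa *SignedAlert, gatewayPriv ed25519.PrivateKey) {
	sa.GatewaySig = ed25519.Sign(gatewayPriv, Canonical(sa.Alert))
}

// ReceiverFormatOnly models the broadcast stage as described: the handset accepts anything that parses as a well-formed alert.
func ReceiverFormatOnly(raw []byte) bool {
	var a Alert
	return json.Unmarshal(raw, &a) == nil && a.ID != "" && a.Issuer != "" && a.Area != "" && a.Text != ""
}

// ReceiverAuthenticated additionally requires a valid gateway signature under the key provisioned on the handset.
func ReceiverAuthenticated(gatewayPub ed25519.PublicKey, raw, sig []byte) bool {
	return ReceiverFormatOnly(raw) && ed25519.Verify(gatewayPub, raw, sig)
}

// NewKey generates a fresh Ed25519 signing key for the demonstration.
func NewKey() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv
}
```

A well-formed message that never passed through the gateway satisfies ReceiverFormatOnly but fails ReceiverAuthenticated, which is the gap between the two verification modes the article contrasts.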


References

Mead, N. R., & Woody, C. (2016). Cyber security engineering: A practical approach for systems and software assurance. Addison-Wesley Professional.

REDCOM HDX and SLICE® product families recertified by DoD’s Joint Interoperability Test Command

REDCOM, a leading provider of advanced tactical and strategic communications solutions, announced today that its HDX and SLICE® product families have been officially recertified by the Joint Interoperability Test Command (JITC) and placed on the Department of Defense Information Network Approved Products List (APL). The REDCOM HDX and SLICE have been listed on the APL for more than a dozen years. This latest validation demonstrates REDCOM’s commitment to building and supporting a robust portfolio of proven military-grade products.

HDX V4.0AR5P3 and SLICE® V4.0AR5P3 have been carefully evaluated for Cyber Security (CS) and Interoperable (I/O) communications and are approved as Local Session Controllers (LSC). Both products deliver powerful capabilities highly relevant to the military, including support for the Assured Services Session Initiation Protocol (AS-SIP), IPv4/IPv6 dual stack, Multi-Level Precedence and Preemption (MLPP), conferencing, and secure communications.

HDX and SLICE® are REDCOM’s hybrid hardware platforms that enable seamless interoperability between IP, TDM, and radio networks. Both products can function as a stand-alone Local Session Controller (LSC) or as an adjunct to an existing Enterprise Session Controller (ESC) to deliver advanced voice services such as transcoding and conferencing for red and black networks.

REDCOM’s JITC-approved products deliver military-grade resiliency designed for deployments to the tactical edge. All REDCOM technology is based on open SIP standards, which eliminates proprietary endpoints and applications.


About REDCOM

REDCOM Laboratories, Inc. is a woman-owned small business that specializes in the design and manufacture of advanced tactical and strategic communications solutions with a focus on security, reliability, and interoperability. REDCOM’s MIL-spec products are optimized for low size, weight, and power (SWaP), making them the ideal communications core for denied environments or deployments to the tactical edge. REDCOM’s customers include all branches of the military, government agencies, emergency responders, integrators, and enterprises. For additional information, please visit the REDCOM website at www.redcom.com.


About Joint Interoperability Test Command (JITC)

JITC is DoD’s Joint Interoperability Certifier and its only non-Service Operational Test Agency for Information Technology (IT)/National Security Systems. JITC provides risk-based Test, Evaluation & Certification services, tools, and environments to ensure Joint Warfighting IT capabilities are interoperable and support mission needs. For more information, visit their website at http://jitc.fhu.disa.mil/.


Secure Conferencing Beyond Mass-Market Software

The Need for Secure Conferencing

The global pandemic has forced workers and executives across industries to transition to remote work. Companies and government agencies alike have turned to widely available commercial conferencing tools to maintain a semblance of collaboration and information sharing. These mass-market conferencing solutions are sufficient in many scenarios, but fall short in three key areas: security, capacity, and control.

Security. For sensitive communications that demand a secure connection, can you trust software that hosts your meeting on an unknown server? C-suite executives discussing their company’s strategic direction and government agencies addressing issues of national security clearly need a more robust solution.

Capacity. Mass-market conferencing tools often top out at 100 participants, but let’s be honest, managing a conference with more than a few dozen attendees quickly becomes an exercise in frustration. In these scenarios, participants often find themselves talking over one another and getting interrupted by random background noise.

Control. Commercially available conferencing solutions offer no specialized operator controls, which are critical in large conferences or in a crisis-response scenario. Perhaps several participants need to have an off-topic sidebar discussion. Maybe a single participant needs urgent attention but is unable to break into the larger discussion. There could be two different teams holding separate conferences about the same situation without any easy mechanism to join the two. These types of problems are difficult to manage using traditional voice conferencing tools.

Complete Conferencing Solution

The REDCOM Conference Manager provides a powerful set of tools for monitoring and managing many different conferences — large and small — across several different sites simultaneously. REDCOM’s Conference Manager offers a variety of capabilities to manage and control not only the conferences as a whole, but individual attendees as well. Additionally, the REDCOM Conference Manager is endpoint-agnostic and will work with any device including smartphones, desk phones, softphones, and even radios.

Secure Conferencing Controls. The Conference Manager was built with secure communications in mind and supports multiple levels of access security, flexible conferee screening, and voice encryption to protect confidential discussions and avoid corporate espionage. Additional security features include secure voice between any endpoint via TLS/SRTP, robust access control by user ID, ANI, PIN code or clearance level, security level knockdown, and more.

Full Conference Control. The REDCOM Conference Manager gives admins robust control over all aspects of multiple conferences in real-time. Conference managers can quickly access contacts through a built-in phone book, initiate a conference, and add/drop attendees with the click of a button. Additionally, managers can combine separate conferences into a single larger conference, split a single conference into multiple smaller conferences, create a sidebar conference for select attendees, as well as move attendees between conferences.

Attendee visibility. With the REDCOM Conference Manager, operators have detailed visibility of all conference participants. They can instantly see a user’s security clearance level, talking status, and even tell if that user’s talk path is secure.


Secure Conferencing with REDCOM Conference Manager and SIGMA

The REDCOM Conference Manager is the perfect solution for government agencies, military organizations, and enterprises that need to be able to bring multiple attendees together quickly, securely, and reliably. Indeed, REDCOM’s solution is already in use at multiple government agencies and has reduced the complexity and enhanced flexibility and responsiveness for its users.


Learn more about the REDCOM Conference Manager

REDCOM featured in April 2020 issue of Army Magazine

The April 2020 issue of Army magazine just ran a full-page feature on REDCOM. We’re a national partner with the Association of the United States Army (AUSA), and we’re proud to build the technology that enables our armed forces to communicate and stay alive on the battlefield.

Click the image preview below to download a PDF of the article, which outlines REDCOM’s cutting-edge solutions for tactical edge communications.

REDCOM Army Magazine April 2020 Profile

Mitigation of Insider Threat Begins and Ends with Security Culture


The most egregious security breaches in recent United States history were the direct result of the actions of individuals with both insider access and malicious intent. Some of these breaches, namely the Manning and Snowden incidents, caused damage that the United States is still recovering from. Though devastating, these attacks were not executed by individuals with profound technological ability or intellectual prowess, but by individuals with an aptitude for technology, network access that spanned far beyond the scope of their job requirements, and a sour attitude toward the United States and its operations.

Investigation of these incidents revealed ample evidence of the actors’ negative sentiments toward the United States – information that was known and in some cases, broadcasted publicly long before the insider attacks occurred. Records have also shown that, for both Chelsea Manning and Edward Snowden, questions of mental fortitude and disregard for proper operating procedures and the chain of command have been present throughout their professional careers.

Analyses of these attacks and statements made by their perpetrators have revealed that their success did not come from meticulous planning or novel methods of exfiltration but from the victims’ failure to adhere to fundamental principles of cybersecurity, a generally loose culture surrounding security, and a lack of tools to monitor internal network traffic. Improving upon these three concepts would have prevented these detrimental insider attacks and can prevent similar breaches from occurring in the future.


The Manning incident involved the unauthorized release of sensitive information pertinent to the wars in Iraq and Afghanistan and a host of international diplomatic relationships. Found guilty of multiple violations of the Espionage Act in 2013, Private Chelsea (formerly Bradley) Manning collected troves of sensitive data, personnel lists, and diplomatic cables for the benefit of and, in some cases, at the behest of WikiLeaks. At the beginning of her military career, Manning recounted to known hacker Adrian Lamo her hardships in finding commonality between herself and other service members, her overall failure to assimilate into the Army culture, and her sympathies for terrorist actors. Manning also reportedly “lashed out at fellow soldiers” soon after basic training, and her direct supervisors voiced concerns about whether she would be able to handle the mental stress of combat deployment. However, these concerns did not prevent Manning from having access to sensitive networks and using that access to carry out her now infamous data exfiltration campaign.

The prevailing factor in the success of Manning’s exfiltration tactics was the loose security culture surrounding the sensitive networks and their resources. In the presence of other network operators, Manning was able to download “thousands of classified significant activities (SIGACTS)” pertaining to Iraq and Afghanistan to a CD. Her ability to collect this data on a physical medium prompted more exfiltrations in a similar fashion, sometimes for the benefit of Julian Assange and WikiLeaks. In fact, Manning found the security culture to be so relaxed that she created a tasker on her DoD workstation that reminded her to acquire the Global Address List from the United States Forces-Iraq Microsoft/Outlook Server (USF-GAL), a trove of 74,000 email addresses. As a further testament to the loose security culture in Manning’s operating environment, she told Lamo that transferring data to unmarked CDs was actually quite common within the workspace, claiming “we transferred so much data” and that “everyone did” participate in data transfer this way.

Manning has actually credited this loose culture with providing her the opportunity to perform this massive amount of data extraction, as other network operators were often preoccupied with their own precipitous activities in the workspace. Manning has cited “weak servers, weak logging, weak physical security, weak counter-intelligence, [and] inattentive signal analysis” as the main contributors, the “perfect storm” to the success of her attack. The lack of both proper access controls and an internal traffic monitoring system also aided Manning in this campaign of information leakage.

For example, Manning often reached data that existed outside the scope of her operations using her credentials alone. Manning was also able to introduce third-party software called “wget” to her workstation, which she used to download hundreds of thousands of diplomatic cables, some of which eventually fell into the hands of WikiLeaks operatives. Had any sort of traffic monitoring system been in place, this anomalous insider behavior, including the introduction of outside software and unusual download patterns, would have been easily detected.


When considering the circumstances of the Snowden attack, many parallels can be drawn to the Manning situation. Leading up to Edward Snowden’s infamous data exfiltration campaign against the NSA, Snowden experienced clashes with direct supervisors and repeated failures to assimilate with his coworkers, similar to Manning’s struggles in the Army. While Snowden was working for the CIA in 2007, Snowden’s immediate supervisor recounted his unwillingness to “recognize the chain of command” and inability to “embrace the CIA culture.” While this alone may not have provided sufficient cause for concern about Snowden, current evidence suggests that Snowden fabricated portions of his education and work experience. This information was not revealed when he was employed by a major defense contractor for the NSA, as Snowden’s background investigation was “incomplete.” This unfinished background check failed to verify a self-reported “past security violation” and was unable to develop sufficient character witnesses. Had this investigation into Snowden’s history been completed, his consistent problems with leadership, failure to adopt the working cultures of U.S. agencies, and untrustworthy character would have been revealed, possibly preventing him from receiving the clearances that proved integral to his attack.

In addition to this undiscovered information about his past, Snowden’s job position provided him with top-secret clearance and wide-reaching access within NSA networks – access privileges which already far exceeded the requirements for him to fulfill his job responsibilities. Snowden eventually went on to employ social engineering tactics to persuade other employees to provide him with their credentials, allowing him access to previously unavailable data and projects. Snowden utilized this all-encompassing, unmonitored network access to download data en masse. From secret NSA project files to data within the personal storage drives of other NSA employees, Snowden performed actions that should have been leagues beyond his access capabilities.

Not only were Snowden’s privileges too extensive, but there were also no mechanisms in place to monitor unusual traffic, such as mass downloads of unrelated files or access to the personal data storage of others, despite former NSA technical director Bill Binney asserting that such technology could have been in place long before Snowden worked there. Beyond these oversights pertaining specifically to the network, Snowden lived mostly in Honolulu at the time and found his physical location to be an advantage. He often accessed the NSA network remotely, via a “thin-on-thick” machine, during hours in which on-site NSA employees had already finished work for the day. An individual operating within the NSA network from outside the building, with near-unlimited access, no oversight, and no other employees to interact with, underscores the necessity of an in-house traffic monitoring system. But, according to Binney, this is unlikely to happen because of the security culture within the NSA. “Spies don’t want to be spied on,” Binney affirmed in a 2014 NPR interview, also suggesting the NSA has no plans to practice in-house traffic monitoring in the future.

Although these incidents were unrelated, they succeeded by exploiting the same weaknesses. Security culture, that is, the attitude toward the security of data and assets among its day-to-day operators, was the weakness Manning exploited most. Manning leveraged a relaxed security culture to copy data from sensitive networks onto CDs. Manning then uploaded this data to her own personal computer before handing it over to WikiLeaks. Despite exfiltrating this data during the day and in plain sight, not one question was raised about Manning’s actions.

Both Manning and Snowden found success in the lack of thorough investigation of their personal histories. Concerns of Manning’s mental fortitude, inability to assimilate with other service members, and regular conflicts with other soldiers were hardly considered before access to sensitive networks was given to her. Likewise, Snowden’s own problematic history was not analyzed before his attainment of top-secret security clearance and unfettered access to the NSA internal network. Snowden’s general disrespect for authority, history of support for actors like Manning, previous security incidents, and untrustworthy character were nonfactors in the decision to allow Snowden unmonitored access to the internal network of the NSA.

Manning and Snowden both benefitted from the lack of a monitoring system, which enabled them to collect colossal amounts of data in short periods of time. The lack of monitoring also enabled them to reach data that did not pertain to their day-to-day operations and, in the case of Manning, to install an unauthorized application that allowed WikiLeaks operatives access to information within SIPRNet. Snowden benefitted most from the oversight that left him with access privileges which “far exceeded the access required to do his job,” and from coworkers who were vulnerable to his social engineering efforts. This, coupled with the lack of internal monitoring and Snowden’s regular network access outside of normal working hours, allowed his exfiltration campaign to be carried out flawlessly. The factors that contributed to the successes of both Manning and Snowden stem from systemic problems within the current culture surrounding our security.
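An added Go example, not from the essay or from any agency’s tooling, of the internal traffic monitoring the essay says was missing in both cases: it runs the four checks named above (access outside a user’s job scope, unapproved software such as wget, off-hours activity, and mass downloads) over constructed access-log records. The log schema, the policy fields, and the thresholds are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one constructed access-log record; the schema is an assumption for this example.
type Event struct {
	User, Action, Target string // Action is "download" (Target is a path) or "exec" (Target is a program)
	Hour                 int    // local hour of day, 0-23
	Bytes                int64  // bytes transferred by a download
}

// Policy is the per-user baseline a monitoring system would be configured with.
type Policy struct {
	Scope              map[string]string // the one path prefix each user's job actually requires
	Approved           map[string]bool   // programs approved for the workstation
	DailyBytes         int64             // daily download volume above which a user is anomalous
	WorkStart, WorkEnd int               // normal working hours, [WorkStart, WorkEnd)
}

// Detect returns findings per user for the gaps the essay names: out-of-scope access,
// unapproved software, off-hours activity and mass downloads.
func Detect(p Policy, events []Event) map[string][]string {
	findings, volume := map[string][]string{}, map[string]int64{}
	add := func(user, rule, detail string) { findings[user] = append(findings[user], rule+": "+detail) }
	for _, e := range events {
		if e.Action == "download" {
			volume[e.User] += e.Bytes
			if pfx, ok := p.Scope[e.User]; !ok || !strings.HasPrefix(e.Target, pfx) {
				add(e.User, "out-of-scope", e.Target)
			}
		} else if e.Action == "exec" && !p.Approved[e.Target] {
			add(e.User, "unapproved-tool", e.Target)
		}
		if e.Hour < p.WorkStart || e.Hour >= p.WorkEnd {
			add(e.User, "off-hours", fmt.Sprintf("%s %s at %02d:00", e.Action, e.Target, e.Hour))
		}
	}
	for user, b := range volume {
		if b > p.DailyBytes {
			add(user, "mass-download", fmt.Sprintf("%d bytes in one day", b))
		}
	}
	return findings
}

// SamplePolicy and SampleEvents are constructed data for the demonstration.
func SamplePolicy() Policy {
	return Policy{
		Scope:      map[string]string{"analyst": "/sigacts/iraq/", "admin": "/infra/"},
		Approved:   map[string]bool{"outlook.exe": true},
		DailyBytes: 1 << 30, WorkStart: 8, WorkEnd: 18,
	}
}

func SampleEvents() []Event {
	return []Event{
		{User: "analyst", Action: "download", Target: "/sigacts/iraq/2009.csv", Hour: 10, Bytes: 300 << 20},
		{User: "analyst", Action: "download", Target: "/cables/state/all.zip", Hour: 11, Bytes: 900 << 20},
		{User: "analyst", Action: "exec", Target: "wget", Hour: 11},
		{User: "admin", Action: "download", Target: "/infra/config.tgz", Hour: 23, Bytes: 5 << 20},
		{User: "clerk", Action: "exec", Target: "outlook.exe", Hour: 9},
	}
}
```

With the sample data, Detect(SamplePolicy(), SampleEvents()) flags the analyst for out-of-scope access, an unapproved tool and a mass download, flags the admin for off-hours activity only, and reports nothing for the clerk.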


In the aftermath of these incidents, analyses have revealed the lack of technical complexity and the relatively straightforward attack methods. These attacks succeeded by exploiting weaknesses in the practice of fundamental principles of cybersecurity. Cutting-edge data analytics or a top-notch AI solution will have no chance of stopping the next Manning or Snowden if they have already been given the access needed to haul the servers out of the building. The next major insider breach will be stopped by individuals and community – individuals who practice security and a community that promotes and discusses the importance of it. Becoming brilliant in the basics of security, promoting a healthier security culture, and engaging the community will counter insider threat before it has a chance to begin.