Saturday, August 28, 2010

Pentagon seeks anti-WikiLeaks technology

John Cook 

Evidently stung by the massive WikiLeaks dump of classified data about the Afghan war via a renegade Army intelligence analyst, the Pentagon is turning to its Top Secret "skunkworks" operation for a tech workaround. The Defense Advanced Research Projects Agency (DARPA) this week announced a new initiative to develop software that would identify and root out "insiders" stealing secrets from classified networks. The Cyber Insider Threat program, or CINDER for short, would "increase the accuracy, rate and speed with which insider threats are detected and impede the ability of adversaries to operate undetected within government and military interest networks," according to DARPA's request for proposals.

While the announcement makes no mention of WikiLeaks per se, it's clear that whatever technology the program comes up with would, ideally, have nabbed intelligence analyst Bradley Manning before he could transfer more than 90,000 Secret Army documents — and perhaps as many as 250,000 classified State Department cables — to WikiLeaks.

As the announcement makes clear, it's extremely hard to monitor networks for suspicious activities carried out by the people who are authorized to use them: "Insiders are a dangerous threat to our network systems because insiders operate from within our networks; and easily evade existing security measures ... us[ing] legitimate accesses in support of their operations." Indeed, absent the proper software to root them out, "insider threats have been largely identified due only to incompetence on the part of the perpetrator or by accident." That's another way of saying that pretty much the only way to catch insiders determined to leak information is if they confess their conduct via IM chat to complete strangers — as Manning famously did.

1 comment:

rojelio said...

This will be difficult, because the internet still widely uses the IPv4 protocol. IPv4's only method of authentication is via IP address and MAC, both of which are spoofable. This being the case, any attacker spoofing his IP and MAC has an increased ability of anonymity and leaves the security team hunting through MAC and ARP tables. Further compounding the issue is the fact that many networks are still using WEP wireless encryption, and WPA and WPA2 are penetrable given a captured "handshake" and a lot of time (days if you're cluster computing). As far as internal protection goes: full separation from the world wide web, and compartmentalization at the user level, a separation of powers so to speak. Everything comes down to the lack of security at layer 2 and layer 3 (transport layer and network layer of the OSI model). IPsec and ssh will encrypt the payload of IP packets but not IP or MAC. MPLS/VPLS can provide some obfuscation with tagging at different layers but is still susceptible to a label attack.
