The Contracting Education Academy


June 20, 2018 By AMK

New federal contracting rule cuts off Kaspersky

The government is seeking to eliminate all traces of the cybersecurity firm Kaspersky Lab from federal systems, issuing a new interim rule in the June 15 Federal Register that extends the governmentwide ban to contractors.

The rule, issued jointly by the General Services Administration, the Department of Defense and the National Aeronautics and Space Administration, amends the Federal Acquisition Regulation to require that all contracts and solicitations finalized after July 16, 2018, include language prohibiting hardware, software or services developed or provided by Kaspersky Lab.

The rule applies not just to ordinary federal contracts but also to micro-purchases and to purchases of commercial off-the-shelf (COTS) items, both of which are often exempt from many contracting regulations. The notice states that the interim rule was issued without prior opportunity for public comment due to "urgent and compelling reasons."

Keep reading this article at: https://fcw.com/articles/2018/06/15/kaspersky-rule-contractors.aspx

Filed Under: Government Contracting News Tagged With: ban, espionage, FAR, hardware, interim rule, malicious software, malware, risk, Russia, software

June 18, 2018 By AMK

FBI: Reset your router or face Russian malware

It’s not every day that the Federal Bureau of Investigation gives you an order.

On May 25, 2018, the FBI asked members of the public to turn off and turn back on their routers because of the spread of malware called "VPNFilter," created and distributed by the Russian state-linked hacking group known as Sofacy (also tracked as APT28 or Fancy Bear).

Georgia Tech Senior Research Scientist Charles “Chaz” Lever explained the damage this malware can do:

“This malware will affect the average user by using one of the capabilities in the malware to passively collect traffic. This can be used to harvest banking credentials or other sensitive password information that is going over the home network. Additionally, your home network could be hijacked to be part of an attack on a remote entity, masking the identity of the original user and potentially putting you in the crosshairs of law enforcement.”

In addition to a simple reboot, Lever recommended following the manufacturer's instructions for resetting the software built into the device, known as "firmware." The distinction matters: a reboot clears the non-persistent later stages of VPNFilter but not its first stage, which is written to survive a reboot, so a reset to factory settings followed by a firmware update is the fuller remedy.

Source: http://www.news.gatech.edu/2018/06/06/fbi-reset-your-router-or-face-russian-malware

Learn more about cybersecurity research at Georgia Tech by visiting the Institute for Information Security and Privacy.

Georgia Tech also published a YouTube video on the subject, described as follows:

Recently the Federal Bureau of Investigation (FBI) issued a critical warning for all Americans to reset their home and small-business routers in an effort to disrupt a potential cyber attack. We sat down with Georgia Tech's senior research scientist, Charles "Chaz" Lever, to find out just what this threat involves and how serious it can potentially be.

Filed Under: Georgia Tech News Tagged With: cybersecurity, FBI, Georgia Tech, IoT, malware

August 10, 2016 By AMK

Georgia Tech pursues new technique for wireless malware monitoring of Internet devices

A $9.4 million grant from the Defense Advanced Research Projects Agency (DARPA) could lead to development of a new technique for wirelessly monitoring Internet of Things (IoT) devices for malicious software – without affecting the operation of the ubiquitous but low-power equipment.

The technique will rely on receiving and analyzing side-channel signals, electromagnetic emissions that are produced unintentionally by electronic devices as they execute programs. These signals are produced by semiconductors, capacitors, power supplies and other components, and can currently be measured up to a half-meter away from operating IoT devices.

By comparing these unintended side-channel emissions to a database of what the devices should be doing when they are operating normally, researchers can tell if malicious software has been installed.

“We will be looking at how the program is changing its behavior,” explained Alenka Zajic, the project’s principal investigator and an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “If an Internet of Things device is attacked, the insertion of malware will affect the program that is running, and we can detect that remotely.”

The four-year project will also include two faculty members from Georgia Tech's School of Computer Science: Professors Milos Prvulovic and Alessandro Orso. Also part of the project will be a research team from Northrop Grumman, headed by Matthew Welborn. Details of an early prototype of the side-channel technique, called "Zero-Overhead Profiling" because the monitoring doesn't affect the system being observed, were presented July 20 at the International Symposium on Software Testing and Analysis (ISSTA).

Within the next four years, an estimated 30 billion IoT devices will be in operation, doing everything from controlling home heating and air conditioning to sensing and managing critical infrastructure. The devices are usually small, with limited processor power and memory. Their limited computing capabilities mean they can't run the kinds of malware protection software found on laptop computers, and they cannot use virtualization and other technology to protect the system software even when an application is taken over by an attacker. This means that once attackers compromise the internet-connected application, they typically "own" the entire IoT device and can even make it falsely respond to traditional queries about its own security status.

"The main challenge from a security perspective is to make these devices secure so somebody can't take them over," explained Zajic. "There will be a lot of processing power out there that needs to be monitored, but you can't just put traditional security software on that processor because it doesn't have enough power for both the security software and the tasks the device is supposed to be doing."

Zajic and Prvulovic pioneered research on measuring side-channel signals emitted from devices. These emissions differ from the signals the devices were intended to produce for communicating information across the Internet to other devices. The researchers have already shown that they can pick up the signals close to the devices using specially designed antennas, and one project goal is to extend the range to as much as three meters.

“When a processor executes instructions, values are represented as ones and zeroes, which creates a fluctuation in the current,” Zajic said. “That creates changes in the electromagnetic field we are measuring, providing a pattern for what each part of the program looks like on a spectrum analyzer.”

Key to detecting changes in the signals is getting a “before” recording of what these signals should look like to draw a comparison with an “after” set of signals for each combination of device and software. The researchers plan to evaluate each IoT device, sampling and recording its typical operation to create a database. To avoid recording overwhelming amounts of data, the system will take periodic samples from different stages of program loops.

“If somebody inserts something into the program loop, the peaks in the spectrum will shift and we can detect that,” Zajic said. “This is something that we can monitor in real time using advanced pattern-matching technology that uses machine learning to improve its performance.”

Detecting malware, however, is more of a challenge.

“The technique is currently 95 percent accurate at profiling – pinpointing the exact point in the IoT program code that is currently executing,” explained Prvulovic. “However, detection of malware is a much more difficult problem. Profiling is about identifying which part of the program is the best match for the signal, whereas malware detection is about detecting, with sufficient confidence, that the signal does not match any part of the original program, even when the malware is designed to resemble the original code of the application.”
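The profiling-versus-detection distinction Prvulovic draws can be seen in a small simulation. What follows is an added example, not CAMELIA code or data: a loop body is modelled as a repeating per-instruction current-draw pattern, the emission as that pattern plus Gaussian noise, and the analyser compares the unit-norm magnitude spectrum of a window of samples against a "before" database built from clean runs. Malware that adds three instructions to a loop lengthens the loop period and so shifts the spectral peaks, which is the effect Zajic describes. The loop names, per-instruction weights, window length, noise level and threshold margin are all assumptions made for the example.

```python
"""Side-channel program profiling and anomaly detection on a simulated EM trace.

Constructed illustration (not the CAMELIA project's code): a loop body is a
repeating per-instruction 'current draw' pattern, the emission is that pattern
plus Gaussian noise, and the analyser works on the magnitude spectrum of a window.
"""
import cmath
import math
import random

# Per-instruction current-draw weights for each loop of the benign program.
# Constructed values; a real trace comes from an antenna next to the board.
PROGRAM = {
    "sensor_read_loop": [0.2, 0.9, 0.4, 1.0, 0.1, 0.7, 0.3, 0.8],                        # 8 instructions
    "tx_encode_loop": [0.5, 0.5, 0.9, 0.2, 0.6, 0.3, 0.8, 0.1, 0.4, 0.7, 0.2, 0.9],      # 12 instructions
}
WINDOW = 264       # samples per window; divisible by 8, 11 and 12 so loop peaks land on exact bins
NOISE_STD = 0.05   # assumed measurement noise relative to the weights above


def simulate_emission(loop_body, n=WINDOW, seed=0):
    """n samples of a loop executing repeatedly: the per-instruction pattern plus noise."""
    rng = random.Random(seed)
    period = len(loop_body)
    return [loop_body[i % period] + rng.gauss(0.0, NOISE_STD) for i in range(n)]


def power_spectrum(samples):
    """Unit-norm magnitude spectrum of a window, DC removed; direct DFT so no numpy is needed."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    mags = []
    for k in range(1, n // 2 + 1):                    # skip bin 0 (DC), keep up to Nyquist
        acc = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        mags.append(abs(acc))
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]


def distance(a, b):
    """Euclidean distance between two normalised spectra."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def build_reference(program, runs=4):
    """The 'before' recording: average spectrum of several clean runs of each loop."""
    ref = {}
    for name, body in program.items():
        specs = [power_spectrum(simulate_emission(body, seed=s)) for s in range(runs)]
        ref[name] = [sum(col) / runs for col in zip(*specs)]
    return ref


def calibrate_threshold(program, reference, runs=4, margin=3.0):
    """Largest clean-run distance to its own reference, times a safety margin (assumed 3x)."""
    worst = 0.0
    for name, body in program.items():
        for s in range(100, 100 + runs):              # seeds disjoint from the reference runs
            d = distance(power_spectrum(simulate_emission(body, seed=s)), reference[name])
            worst = max(worst, d)
    return margin * worst


def profile(trace, reference):
    """Profiling: which part of the program is the best match for this window?"""
    spec = power_spectrum(trace)
    return min(((name, distance(spec, r)) for name, r in reference.items()), key=lambda t: t[1])


def detect(trace, reference, threshold):
    """Detection: the matched phase, or None when nothing in the original program fits."""
    name, d = profile(trace, reference)
    return name if d <= threshold else None


# Malware inserted into the sensor loop: three extra instructions per iteration.
# The loop period moves from 8 to 11 samples, so the peaks move to different bins.
INFECTED_LOOP = PROGRAM["sensor_read_loop"][:4] + [0.5, 0.6, 0.95] + PROGRAM["sensor_read_loop"][4:]


def demo():
    """Clean window is recognised; infected window matches nothing well enough."""
    reference = build_reference(PROGRAM)
    threshold = calibrate_threshold(PROGRAM, reference)
    clean = detect(simulate_emission(PROGRAM["sensor_read_loop"], seed=7), reference, threshold)
    infected = detect(simulate_emission(INFECTED_LOOP, seed=7), reference, threshold)
    return clean, infected


if __name__ == "__main__":
    print(demo())
```

Profiling always returns a best match, even for the infected window; detection is the extra check that the best match is close enough. The threshold is calibrated from clean runs only, which is the realistic situation since malware samples are not available in advance, and the margin trades false alarms against sensitivity. A real deployment also has to handle the case Prvulovic mentions of malware written to resemble the original code, where the spectral shift is far smaller than the change of loop period simulated here.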

Zajic and Prvulovic have been studying a wide range of devices to determine the emissions produced.

“We have more than one source on a circuit board, so we have been trying to localize the sources so we can build an antenna to give us the best possible signal,” said Zajic. “There are multiple places on the board where you connect to the same information, though it may be modulated at different frequencies.”

Ultimately, researchers expect the project – dubbed Computational Activity Monitoring by Externally Leveraging Involuntary Analog Signals (CAMELIA) – to be capable of monitoring several IoT devices simultaneously. That will require development of advanced processing techniques able to differentiate signals from each device, and new antennas able to pick up the signals from a greater distance.

CAMELIA is part of a DARPA program called Leveraging the Analog Domain for Security (LADS), which is investing in six different initiatives to address IoT security. The Georgia Tech-Northrop Grumman project is the only one of the projects led by an academic institution.

The research is supported by the DARPA LADS program under contract FA8650-16-C-7620. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsoring agency.

Source: http://www.news.gatech.edu/2016/07/31/monitoring-side-channel-signals-could-detect-malicious-software-iot-devices

Filed Under: Georgia Tech News Tagged With: computer science, DARPA, Georgia Tech, Internet of Things, IoT, malicious software, malware, monitoring, Northrop Grumman

March 2, 2016 By AMK

Defense Dept. awards Georgia Tech contract to support cyber security information systems

The Defense Technical Information Center (DTIC) awarded the Georgia Tech Applied Research Corp. (GTARC), the contracting arm of the Georgia Tech Research Institute (GTRI), a prime contract to support its Cyber Security and Information Systems Technical Area Task (CS TAT) program.

This CS TAT award is an indefinite delivery/indefinite quantity (ID/IQ) contract with a ceiling value of $5 billion and a period of performance of five years.

“GTRI’s experience as the prime contractor on DTIC’s Military Sensing Information Analysis Center (SENSIAC) program, the deep bench of our large CS TAT team and GTRI’s strong and relevant past performance were key winning themes,” said GTRI’s CS TAT program manager Stephen Moulton. “GTRI leveraged several of its flagship programs to secure this award.”

Some of these programs include:

  • GTRI-developed Air Force Access Database System (AFADS): the authoritative source of personnel access information for special security;
  • Framework for Assessing Cost and Technology (FACT): an open architecture Web services-based environment that enables the interconnecting of models to provide rapid exploration of the design trade space in support of systems engineering analysis;
  • Apiary Malware Analysis Platform: this has analyzed more than 170 million unique samples of malicious binary files and executables and has generated over one billion analytical records to date;
  • Prime support of Deployable Joint Command and Control (DJC2): a Secretary of Defense and Chairman, Joint Chiefs of Staff, priority transformation initiative that provides a standardized, integrated, rapidly deployable, modular, scalable, and reconfigurable Joint C2 Combat Operations Center to designated Geographic Combatant Commands;
  • GTRI’s support for the National Information Exchange Model (NIEM): A primary information sharing data layer supported by the Department of Justice, Homeland Security and the Department of Defense.

“All of these GTRI-led programs and many others mentioned in the proposal made this award a very easy decision for selecting Team GTRI for a prime contractor spot on CS TAT,” Moulton said.

GTRI assembled a very strong research and development team of 10 academic institutions, 4 non-profit research institutes, and 23 small and large business industry partners that work or perform research in all of the CS TAT technical focus areas, which include the following:

  • Software Data and Analysis
  • Cyber Security
  • Modeling and Simulation
  • Knowledge Management and Information Sharing

GTRI initiated the CS TAT capture process in July 2014 through the team of Chad Garber (capture lead), Trina Brennan, Jerry Lett, Roberta Burke, Steve Heighton, Jim Hilliard, Amy Paronto, Chris Smoak, Steve “Flash” Gordon, Frank Klucznik, Ryan Spanier, Ben Medlin, Margaret Loper, Chuck Turnista, Mark Kindl, Tommer Ender, Steve Reeder, Tim Boone, Bill Underwood, Terry Ragan, Ben Lowers, Valerie Taylor, Michael Farrell and Matt Guinn, as well as many others across GTRI.

GTRI’s expertise in basic and applied research, advanced technology development, advanced components and prototypes, system development and demonstration, research development test and evaluation (RDT&E) support, and operational system development, in addition to its frequent collaborations with Georgia Tech faculty, multiple facility locations, open-source software capabilities and a large body of cleared personnel contributed to the award.

"This was a total team effort across GTRI and our teammates," said Steve Moulton, Director of Strategic Program Development, Information & Cyber Sciences Directorate (ICSD). "Thanks to all of the hard work of our CS TAT capture team and to GTRI's SENSIAC and Defense Systems TAT (DS TAT) teams that went before us, whose groundwork greatly added to our success and our ability to efficiently capture this CS TAT award," added Moulton.

DTIC, which reports to the Assistant Secretary of Defense for Research and Engineering (ASD(R&E)), awarded CS TAT, effective Dec. 1, 2015. The vehicle is a multiple-award, ID/IQ contract for research and development (R&D), as well as for advisory and assistance services related to R&D efforts.

In addition to GTRI, contracts were awarded to nine other large businesses and six small businesses. Small businesses are not allowed to compete within the large business (full and open) pool. Task order-level contracts (TATs) range in value, but GTRI will regularly compete for TATs with values up to $50M and higher if sponsors require more ceiling. CS TAT, like DS TAT, is now a primary and very viable contract vehicle option for GTRI and our DoD and federal government sponsors.

For more information, please contact the CS TAT Program Management Office (PMO) at cstat@gtri.gatech.edu.

Source: http://gtri.gatech.edu/news/gtri-awarded-position-cs-tat-contract-vehicle

Filed Under: Georgia Tech News Tagged With: advanced components and prototypes, advanced technology development, AFADS, applied research, CS TAT, cyber, cybersecurity, DJC2, DoD, DS TAT, DTIC, FACT, Georgia Tech, GTARC, GTRI, information technology, malware, NIEM, operational system development, RDT&E, research development test and evaluation, SENSIAC, system development and demonstration

September 11, 2014 By AMK

GTRI’s open source intelligence gathering system aggregates threat information to warn of possible cyber attacks

Coordinating distributed denial-of-service attacks, displaying new malware code, offering advice about network break-ins and posting stolen information – these are just a few of the online activities of cyber-criminals. Fortunately, activities like these can provide cyber-security specialists with advance warning of pending attacks and information about what hackers and other bad actors are planning.

Gathering and understanding this cyber-intelligence is the work of BlackForest, a new open source intelligence gathering system developed by information security specialists at the Georgia Tech Research Institute (GTRI). By using such information to create a threat picture, BlackForest complements other GTRI systems designed to help corporations, government agencies and nonprofit organizations battle increasingly sophisticated threats to their networks.

"BlackForest is on the cutting edge of anticipating attacks that may be coming," said Christopher Smoak, a research scientist in GTRI's Emerging Threats and Countermeasures Division. "We gather and connect information collected from a variety of sources to draw conclusions on how people are interacting. This can drive development of a threat picture that may provide pre-attack information to organizations that may not even know they are being targeted."

The system collects information from the public Internet, including hacker forums and other sites where malware authors and others gather. Connecting the information and relating it to past activities can let organizations know they are being targeted and help them understand the nature of the threat, allowing them to prepare for specific types of attacks. Once attacks have taken place, BlackForest can help organizations identify the source and mechanism so they can beef up their security.

Organizing distributed denial-of-service (DDoS) attacks is a good example of how the system can be helpful, Smoak noted. Crowd-sourced DDoS attacks typically involve thousands of participants running the same tool to flood corporate websites with so much traffic that customers can't get through. The attacks hurt business, harm the organization's reputation, bring down servers, and can serve as a diversion for other types of nefarious activity.

But they have to be coordinated using social media and other means to enlist supporters. BlackForest can tap into that information to provide a warning that may allow an organization to, for example, ramp up its ability to handle large volumes of traffic.

“We want to provide something that is predictive for organizations,” said Ryan Spanier, head of GTRI’s Threat Intelligence Branch. “They will know that if they see certain things happening, they may need to take action to protect their networks.”

Malware authors often post new code to advertise its availability, seek feedback from other writers and mentor others. Analyzing that code can provide advance warning of malware innovations that will need to be addressed in the future.

“If we see a tool pop up written by a person who has been an important figure in the malware community, that lets us know to begin working to mitigate the new malware that may appear down the road,” Smoak said.

Organizations also need to track what’s being made available in certain forums and websites. When a company’s intellectual property starts showing up online, that may be the first sign that a network has been compromised. Large numbers of credit card numbers, or logins and passwords, can show that a website or computer system of a retail organization has been breached.

“You have to monitor what’s out in the wild that your company or organization owns,” said Spanier. “If you have something of value, you will be attacked. Not all attacks are successful, but nearly all companies have some computers that have been compromised in one way or another. You want to find out about these as soon as possible.”
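The signals described in the preceding paragraphs (DDoS recruitment naming a target, a notable author announcing a tool, an organization's credentials or addresses appearing in a paste) can be reduced to watch-list rules run over crawled text. The following is an added example, not GTRI's BlackForest code or data: the organization, its domain and netblock, the author handles and every post in the feed are constructed for the example, and the rules are deliberately simple keyword and regular-expression checks, where a real system would crawl live sources and weigh authors and venues over time.

```python
"""Watch-list correlation over crawled forum posts and pastes.

Added illustration of the signals an open source intelligence system looks for
(credential dumps, DDoS recruitment, exposed assets, new tooling, attacker
chatter about an organisation's defences). Not GTRI's BlackForest code: the
organisation, domain, netblock, handles and posts are all constructed.
"""
import ipaddress
import re
from collections import Counter

WATCHLIST = {
    "org": "acme widgets",                                     # constructed organisation, lower-cased
    "domains": {"acme-widgets.test"},                          # constructed; .test is a reserved TLD
    "netblocks": [ipaddress.ip_network("198.51.100.0/24")],    # RFC 5737 documentation range
    "notable_authors": {"m4lw4re_dev"},                        # handles whose new tools merit early analysis
}

CRED_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+):\S{4,}")   # user@domain:password dump lines
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DDOS_WORDS = ("ddos", "loic", "flood", "take down", "stresser")   # recruitment vocabulary (assumed)
NEW_TOOL_WORDS = ("new tool", "release", "builder", "crypter")
REPUTATION_WORDS = ("hardened", "skip them", "waste of time")

# Constructed sample feed standing in for crawled posts.
FEED = [
    {"source": "paste", "author": "anon", "text":
        "dump acme-widgets.test\n"
        "alice@acme-widgets.test:Summer2014!\nbob@acme-widgets.test:hunter22\n"
        "carol@acme-widgets.test:Passw0rd\ndave@acme-widgets.test:qwerty123"},
    {"source": "forum", "author": "lulz", "text":
        "OP Widgets kicks off friday 20:00 UTC, LOIC target acme-widgets.test, spread the word"},
    {"source": "forum", "author": "m4lw4re_dev", "text":
        "new tool release: stage-2 loader builder, evades current AV, dm me for samples"},
    {"source": "forum", "author": "scan_guy", "text":
        "found an old admin panel on 198.51.100.27, default creds still work lol"},
    {"source": "forum", "author": "rando", "text":
        "anyone got a working exploit for the bigcorp.test vpn? acme widgets guys are too hardened, skip them"},
]


def in_netblocks(ip, netblocks):
    """True if the dotted quad parses and falls inside one of the watched ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in netblocks)


def assess_post(post, watch, min_creds=3):
    """Apply each rule to one post; return a list of (category, severity, detail)."""
    text, low = post["text"], post["text"].lower()
    alerts = []

    # Leaked logins for a watched domain: several together point to a breach, not a typo.
    org_creds = [m for m in CRED_RE.finditer(text) if m.group(1).lower() in watch["domains"]]
    if len(org_creds) >= min_creds:
        alerts.append(("credential_leak", "high",
                       f"{len(org_creds)} {watch['org']} logins in a {post['source']}"))

    # DDoS recruitment that names a watched domain as the target.
    if any(d in low for d in watch["domains"]) and any(w in low for w in DDOS_WORDS):
        alerts.append(("ddos_coordination", "high", f"{post['author']} recruiting against {watch['org']}"))

    # Addresses from a watched netblock being discussed, e.g. a forgotten admin panel.
    exposed = sorted(ip for ip in set(IPV4_RE.findall(text)) if in_netblocks(ip, watch["netblocks"]))
    if exposed:
        alerts.append(("asset_exposure", "medium", "watched address(es) discussed: " + ", ".join(exposed)))

    # A known malware author advertising new code: start analysis before it is used.
    if post["author"] in watch["notable_authors"] and any(w in low for w in NEW_TOOL_WORDS):
        alerts.append(("new_tool", "medium", f"{post['author']} announced: {text[:40]}"))

    # Attackers advising each other to avoid the organisation: a reputation signal.
    if watch["org"] in low and any(w in low for w in REPUTATION_WORDS):
        alerts.append(("reputation_signal", "info", f"{post['author']} advises avoiding {watch['org']}"))
    return alerts


def threat_picture(feed, watch):
    """Run every post through the rules and summarise alert counts by category."""
    alerts = [a for post in feed for a in assess_post(post, watch)]
    return {"alerts": alerts, "by_category": dict(Counter(a[0] for a in alerts))}


if __name__ == "__main__":
    for category, severity, detail in threat_picture(FEED, WATCHLIST)["alerts"]:
        print(f"[{severity:6}] {category}: {detail}")
```

The credential rule deliberately requires several leaked logins before alerting, since a single address and password turns up constantly in unrelated dumps; the netblock check uses the ipaddress module rather than string prefixes so that a range boundary is respected exactly. The last post produces only an informational alert: chatter that an organization is "too hardened" is the kind of security-reputation signal Spanier describes, and it is worth recording without paging anyone.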

Monitoring comments on websites can also reveal what kinds of security reputations organizations may have. If the advice is to avoid a particular organization because previous attacks have failed, that can give an organization a sense that its security is good. Attackers often seek the easiest targets, Spanier noted.

Individual organizations could gather the kinds of information monitored by BlackForest, but few organizations have the resources to connect the information. GTRI customizes the system to gather information specific to each user and their industry segment.

“The average organization doesn’t have the means to crawl all of this data and put together the complex algorithms needed to identify the useful information,” Smoak explained. “Because we have the environment and the connectivity, we have what we need to obtain this information.”

By automating much of the work involved in gathering and monitoring information, BlackForest can allow human resources to be used for more challenging information security activities.

“Our goal is to have tools that will help focus the resources so that the most valuable resources are used for the more difficult issues,” said Smoak. “Right now, we tend to find all kinds of security fires the same. This will help us focus on the most important threats.”

BlackForest joins two other GTRI cyber-security systems already available. Apiary is a malware intelligence system that helps corporate and government security officials share information about the attacks they are fighting. Phalanx helps fight the spear phishing attacks that are carried out by tricking email recipients to open malware-infected attachments or follow malicious web links.

Source: http://gtri.gatech.edu/casestudy/blackforest-gtri-aggregates-cyber-threat-informati

Filed Under: Georgia Tech News Tagged With: cybersecurity, denial-of-service, Georgia Tech, GTRI, information security, intelligence gathering, malware, open source, security


Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute