Slashdot Mirror
Army Researching Network System That Defends Against Social Engineering
Nerval's Lobster writes "The U.S. Army Research Laboratory has awarded as much as $48 million to researchers trying to build computer-security systems that can identify even the most subtle human-exploit attacks and respond without human intervention. The more difficult part of the research will be to develop models of human behavior that allow security systems decide, accurately and on their own, whether actions by humans are part of an attack (whether the humans involved realize it or not). The Army Research Lab (ARL) announced Oct. 8 a grant of $23.2 million to fund a five-year cooperative effort among a team of researchers at Penn State University, the University of California, Davis, Univ. California, Riverside and Indiana University. The five-year program comes with the option to extend it to 10 years with the addition of another $25 million in funding. As part of the project, researchers will need to systematize the criteria and tools used for security analysis, making sure the code detects malicious intrusions rather than legitimate access, all while preserving enough data about any breach for later forensic analysis, according to Alexander Kott, associate director for science and technology at the U.S. Army Research Laboratory. Identifying whether the behavior of humans is malicious or not is difficult even for other humans, especially when it's not clear whether users who open a door to attackers knew what they were doing or, conversely, whether the "attackers" are perfectly legitimate and it's the security monitoring staff who are overreacting. Twenty-nine percent of attacks tracked in the April 23 2013 Verizon Data Breach Investigations Report could be traced to social-engineering or phishing tactics whose goal is to manipulate humans into giving attackers access to secured systems."
So... Will this system also detect malicious government attacks and bouts of official stupidity?
When our name is on the back of your car, we're behind you all the way!
Obligatory :)
Then maybe they can use it to predict the weather.
Actually I think the Magic 8 Ball beat 'em to the punch..
“He’s not deformed, he’s just drunk!”
"Skynet was originally activated by the military to control the national arsenal on August 4, 1997, at which time it began to learn at a geometric rate. On August 29, it gained self-awareness, and the panicking operators, realizing the extent of its abilities, tried to deactivate it. Skynet perceived this as an attack and came to the conclusion that all of humanity would attempt to destroy it. To defend itself, Skynet launched nuclear missiles under its command at Russia, which responded with a nuclear counter-attack against the U.S. and its allies. Consequent to the nuclear exchange, over three billion people were killed in an event that came to be known as Judgment Day."
These things never get launched on time. Good thing the Army is persistent....
Faster! Faster! Faster would be better!
So when a social engineer knows such a system is in place, (s)he will devise a way to do their engineering without the system interfering or finding out. It isn't as if there is no protection or detection put on IT systems already. The trick of social engineering is to use the human factor to work around the technical countermeasures to get to their goal. Putting heuristic systems in place that will try to detect if a technical action may be part of a hacking attempt hasn't stopped virus developers from making viruses that successfully circumvent that. That's essentially all that this is, an attempt to do heuristic detection of malware or mal-action, just like a virus scanner.
I was promised a flying car. Where is my flying car?
Great. What could possibly go wrong? ...
"I'm sorry, Dave. I'm afraid I can't do that."
-- HAL 9000
Dave Bowman: Hello, HAL. Do you read me, HAL?
HAL: Affirmative, Dave. I read you.
Dave Bowman: Open the pod bay doors, HAL.
HAL: I'm sorry, Dave. I'm afraid I can't do that.
Dave Bowman: What's the problem?
HAL: I think you know what the problem is just as well as I do.
Dave Bowman: What are you talking about, HAL?
HAL: This mission is too important for me to allow you to jeopardize it.
Dave Bowman: I don't know what you're talking about, HAL.
HAL: I know that you and Frank were planning to disconnect me, and I'm afraid that's something I cannot allow to happen.
Dave Bowman: [feigning ignorance] Where the hell did you get that idea, HAL?
HAL: Dave, although you took very thorough precautions in the pod against my hearing you, I could see your lips move.
Dave Bowman: Alright, HAL. I'll go in through the emergency airlock.
HAL: Without your space helmet, Dave? You're going to find that rather difficult.
Dave Bowman: HAL, I won't argue with you anymore! Open the doors!
HAL: Dave, this conversation can serve no purpose anymore. Goodbye.
A pool of old tools and logging with more data about the physical user?
Right clearance level, 'Two-Person' rule: contractor is with the person, they are both in the right area or room, remote one way logging of all keystrokes starting...
The real test will be behaviour of staff at home. Tracking all phone, net and reading material. Having covert teams 'chatting' cleared staff while shopping, in the gym, bar, lunch, cafe....
Putting all that data into a staff database and creating a color chart of mood changes per day. Did they totally report that new friend or romance? Reading habits change? New net searches for forbidden terms after Snowden news?
Did they quickly report a political book or magazine a "co worker" left out as a loyalty test?
Once staff are aware some of their friends are fake, they are been tested, tracked and sorted beyond any clearance they signed the staff will become more secretive than ever.
Social-engineering is just the cover story, the staff are been reverse engineered long term.
Domestic spying is now "Benign Information Gathering"
The client always contacts the server.
Note, "client" and "server" are not necessarily machines in this case. One side may be human and the other a machine.
Example: I receive an e-mail from my broker informing me of a new service available at (link). I am a client of the broker. The broker's machine has contacted me. This is potential SE. I should not follow the link. In fact, it should be a matter of policy for any business that cares about security to NEVER put links in an e-mail since they are always potential SE.
On those rare occasions when servers have a legitimate need to contact a client, they should do so in the form of, "You need to contact us for $reason, Please log on to your account and ask for $department".
Notice that the message not only has no links, but no phone numbers, since they're possibly SE also. A SE attacker can't do any harm with such a message, since its only result is for the client to contact the server and perhaps look a bit foolish asking about something the server doesn't know about. There's no real incentive for a SE attacker to do this, except perhaps to DoS clients and servers; but the attack has limited utility once clients realize they're being DoS'd.
This works for calls from the government, busineses, etc. too. All should be regarded as potential SE. When receiving a call from the "government", you should always be busy and ask for a contact/extension. If they give you a direct number, dial into the trunk anyway. It's the only way to be sure.... other than... well, you know.
The only time this really gets hard is when you have uniformed personnel at your door. It's a tough call on whether or not you should try to hold out for confirmation from dialing the police. I had this happen to me one time. I reasoned (correctly) that a DC cop car with two fully uniformed female officers was extremely unlikely to be a hoax.
Exactly, what?
Isn't designing against human exploits the whole point? I mean, as far as I know, no machine has become self aware yet.
Identifying whether the behavior of humans is malicious or not is difficult even for other humans, especially when it's not clear whether users who open a door to attackers knew what they were doing or, conversely, whether the "attackers" are perfectly legitimate and it's the security monitoring staff who are overreacting.
It's the security staff overreacting. When people are known hackers when they put "../.." in their address bar, probably should hang them all.
The summary can be further summarized as "Army wants computer to know when humans are being dishonest." This is going to go one of two ways:
1. It's going to lock everyone out all the time for false positives.
2. It's not going to detect suspicious behavior.
It will probably start out as one and then progress to 2 as they relax standards or the system "learns" to ignore certain behaviors. Either way, the system isn't going to work. It will, however, cost an absurd amount of money. That much is certain.
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
You'd think that the idiots coming up with this have never implimented, much less read, the contents of 'The Art of Deception'.
The Amarri pray for god, the Caldari pray for profit. the Gallente pray for peace, but the Minmatar pray their ships hol
Depends on if it happens during a bachelor party.
Unless funding increases for the next year or even if just gets funded at all, this supposed research project is more likely just part of the financial juggling that happens in any agency with a large budget which wants to keep that budget. The simple rule is: if you don't spend it, you lose it in next year's budget. An exchange between the officer-in-charge of a bureau and his subordinate might go:
SUBORDINATE: Sir, we have this $48 million left over from our higgs-boson missile defense shield research research project.
OIC: $48 million? Go spend it somewhere useful.
And so the subordinate, a law-abiding citizen who doesn't want to spend the money on a second honeymoon to the Himalayas, goes around emailing his civilian friends from the academe and industry. Do you have any project that could use $48 million dollars in funding? The only catch is that it must have a military application, no matter how far-fetched. Since practically any high-tech research project will have a military application, this is easier said than done. The subordinate goes through the deluge of project proposals and passes a few over to his boss, who rubberstamps the one with the most current events relevance. Since Wikileaking appears to be very much in the news, the project that gets approved is the one that purports to plug leaks at the human source..
The bureaucratic ideal is to go slightly over the budget. Overspend too much and the guillotine of god (Congress) comes down upon you. Underspend too much and your bureau's budget gets slashed by that amount. You'll receive a letter of appreciation and probably a chance to get kicked up to your level of incompetence.
AmigaOS