Army Eyes Monitoring Tools To Stop WikiLeaks Repeat

Keystroke monitoring may be just a start as Army seeks ways to sift through soldiers' website visits, search queries, and other work, watching for abnormal behavior and trying to stop inside attacks.

The Army is looking for a few good tools to help it spot and block insider attacks.

Maj. Gen. Steven Smith, who heads the Army Cyber Directorate, said that putting such software in place is now one of his main priorities, the Army Times recently reported.

Such software would create benchmarks of normal behavior, then watch for any activity that looked abnormal. "So I'm on the South American desk, doing intelligence work, and all of a sudden I start going around to China, let's say," said Smith. "That might be an anomaly, it might be justified, but I would sure like to know that and let someone make a decision, almost at the speed of thought." He said his desired system would record downloads, Web search queries, and complete keystrokes.
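The baseline-then-anomaly idea Smith describes, as an added illustration that is not Army or vendor code: per-user access shares by region are learned from a constructed training window, and a new access is flagged when the region is unseen or rarer than a tunable threshold (the knob that trades false positives against false negatives).

```python
"""Toy user-behaviour baseline for desk-based insider monitoring.
Added example; all log records below are constructed, not real data.
Each record is (user, region_of_material_accessed)."""
from collections import Counter, defaultdict

# Constructed training window: analyst1 works the South American desk.
TRAINING = [
    ("analyst1", "south_america"), ("analyst1", "south_america"),
    ("analyst1", "south_america"), ("analyst1", "central_america"),
    ("analyst1", "south_america"), ("analyst1", "south_america"),
    ("analyst2", "europe"), ("analyst2", "europe"), ("analyst2", "russia"),
]

def build_baseline(records):
    """Per-user relative frequency of accesses by region."""
    counts = defaultdict(Counter)
    for user, region in records:
        counts[user][region] += 1
    baseline = {}
    for user, c in counts.items():
        total = sum(c.values())
        baseline[user] = {r: n / total for r, n in c.items()}
    return baseline

def score_event(baseline, user, region, threshold=0.1):
    """Return (anomalous, reason). A lower threshold means fewer alerts
    on rare-but-legitimate work, at the cost of missing more real cases."""
    profile = baseline.get(user)
    if profile is None:
        return True, "no baseline for user"
    share = profile.get(region, 0.0)
    if share == 0.0:
        return True, f"region {region} never seen for {user}"
    if share < threshold:
        return True, f"region {region} is rare for {user} ({share:.0%})"
    return False, "within baseline"

def flag_events(baseline, events, threshold=0.1):
    """Return only the events a human should review, with reasons."""
    hits = []
    for user, region in events:
        anomalous, reason = score_event(baseline, user, region, threshold)
        if anomalous:
            hits.append((user, region, reason))
    return hits

if __name__ == "__main__":
    bl = build_baseline(TRAINING)
    for hit in flag_events(bl, [("analyst1", "south_america"), ("analyst1", "china")]):
        print(hit)
```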

Information security experts said that what the Army is proposing is likely possible. "We're verging on the capability of being able to handle, from a technological basis, that quantity of data," said Scott Crawford, managing research director for Enterprise Management Associates, via phone. "But can you really automate the process without being overwhelmed by false positives, or stumped by false negatives?"


The Army's search for new monitoring tools is part of a broader Pentagon push to help detect when any bad actors--domestic or foreign--are accessing military or government networks. But the impetus for this particular wave of improvements can be traced directly to Army private Bradley Manning, the former intelligence analyst who's accused of copying sensitive State Department cables and almost 500,000 battlefield reports from Afghanistan and Iraq onto a recordable CD, then releasing them to WikiLeaks. He's likewise accused of leaking U.S. helicopter gunship footage, which WikiLeaks released under the banner of "Collateral Murder."

Obviously, the stolen data didn't make the State Department or Army look good. Likewise, WikiLeaks ultimately released the cables in unredacted form, which the U.S. government said put at least 100 confidential diplomatic sources at risk.

But questions remain about whether the Army's plan to analyze keystrokes to spot malicious insiders would be affordable, feasible, or even help prevent the next big breach. As an anonymous information assurance engineer posted to a related DataBreaches.net discussion, technology is only a first step. Someone still has to investigate potentially malicious behavior, and that requires substantial time and effort. "I see a large stream of data and an overwhelmed staff who eventually cannot keep up. Heck, just look at most places that can't even keep up to look at event logs. Now an additional layer of burden is brought upon an already overworked staff," said the engineer.

Indeed, security experts have suggested that the Army's plan "is going to take an army of people to run this stuff, deploy it, analyze the data, and act on it effectively," said Crawford at Enterprise Management Associates. "And that's true, to a point. But big data platforms are designed to handle this--though the analytic techniques may still be playing catch-up."

To be clear, he said that the analytic techniques are good enough, but using them in the big data way that the Army is proposing will require advancing the state of the art. Still, when it comes to crunching big data sets, "these are things that the Hadoop file system and MapReduce are specifically designed for," Crawford said. "They may be able to analyze this in hours instead of days. But is that fast enough?"

MyW0r1d, User Rank: Apprentice, 5/10/2012 | 11:26:08 PM
re: Army Eyes Monitoring Tools To Stop WikiLeaks Repeat
I believe stealing is in fact the correct word according to the definition of Merriam Webster Online.

-- a: to take or appropriate without right or leave and with intent to keep or make use of wrongfully
-- c. to take surreptitiously or without permission

The Private, like anyone with a security clearance, was subject to the legitimate use rule. In other words, your access is authorized only for legitimate DoD use and only to the extent necessary to meet the "government's" objective, not the private's. Copying, subtracting, or any other use is not considered legitimate and is thereby stealing according to the common definitions above. If any of the 500,000 reports transferred contained information which revealed methods, sources, or other details of the operations, then the value of those methods, sources, and processes is compromised.

I doubt if a bank (or anyone) loaned me $1000 and they knew I gained $1000 from using it during the period that they would be content just getting their 1000 back, they will want interest (although we can agree this would not constitute stealing only lack of ethical value system).

Finally to the substance of the article, wow keystroke monitoring on that scale is mind boggling. The algorithm to sift, compare, and come up with "possible" cases of questionable use on a dataset, that gives new meaning to the phrase Big Data. The general had to have been watching an episode of a TV program called Person of Interest.
Mathew, User Rank: Apprentice, 5/10/2012 | 2:26:53 PM
re: Army Eyes Monitoring Tools To Stop WikiLeaks Repeat
That's a very good point about how the concept of "stealing" squares with data. Great food for thought; promise to be more considered in the use of "stealing," especially as pertains to data.
Mathew, User Rank: Apprentice, 5/10/2012 | 2:01:14 PM
re: Army Eyes Monitoring Tools To Stop WikiLeaks Repeat
That's a very good point. Many Washington watchers point to the problem of "clearance creep" -- everyone in D.C. seems to have clearance -- as well as the habit of government and military employees classifying information "just in case." Of course, that makes it tough to tell what's really important, or not important, and adds the expense of having to restrict access to said info.
tedrey, User Rank: Apprentice, 5/10/2012 | 1:53:19 PM
re: Army Eyes Monitoring Tools To Stop WikiLeaks Repeat
You're right, Matthew, we should synchronize our semantics. I would suggest that "stolen" is not the correct word in this case. Basic to the concept of stealing is the loss of the "item" to the original possessor. In some cases, one wouldn't mind someone else gaining $1000 dollars, as long as one still retained the use of one's own $1000. In other cases, it would be extremely unpleasant to have the item copied, due to decrease in its value, increased likelihood of prosecution, etc., etc. We can try to agree on what word to use here, but "stealing" is the wrong one.
Mathew, User Rank: Apprentice, 5/10/2012 | 12:31:09 PM
re: Army Eyes Monitoring Tools To Stop WikiLeaks Repeat
Thanks for the comments, Austin. Though you're tiptoeing around semantics here. If I take a copy of your written address book, and photocopy it without your knowledge or permission, haven't I just stolen a copy of the data set?
Austin Hook, User Rank: Apprentice, 5/9/2012 | 7:44:01 PM
re: Army Eyes Monitoring Tools To Stop WikiLeaks Repeat
No such thing as "stolen" data. You can destroy an only copy, which is not a friendly thing to do, or you can copy data if you are authorized to access it, and these days, to even look at data is necessarily making a copy of it, if only for purposes of displaying it on your screen. So the mere copying is not to "steal" it. What may be illegal is to share data with an unauthorized third party. So instead of talking about "stolen" data, can we please talk about unauthorized sharing of data, if that's what we mean?

BTW, Wikileaks was not the originator of making the unredacted data public. It was the Guardian newspaper that released the hints about the encryption password to the encrypted but unredacted data. Wikileaks merely stopped hiding it at that point. I think that avoiding misleading statements matters. Maybe I'm the only one?
tedrey, User Rank: Apprentice, 5/9/2012 | 4:11:46 PM
re: Army Eyes Monitoring Tools To Stop WikiLeaks Repeat
But is any effort at all being put into assuring that security classifications are not used to conceal irregularities, incompetency, and illegalities? It would do a great deal to prevent leaks if things that any sane person realizes SHOULD be public were not classified in the first place.