2017 Abstracts

Building a Civil-Military Framework for Cyber Deterrence

The Cold War was in part maintained by the clear nuclear deterrence of assured mutual annihilation among superpowers, and fear of nuclear reprisal among non-nuclear states. Some have begun to label the current age the Cyber Cold War, but the era of cyber weaponization is markedly different from the previous cold war in several ways. First, unlike nuclear warheads, cyber weapons may become obsolete before they are ever fired, as computer systems are patched and updated to plug known vulnerabilities. Second, an entire class of cyber weapons can become useless after a single deployment, as the executable code can be reverse-engineered and its exploits defended against. Finally, and perhaps most importantly, there is no longer as clear a deterrent in cyber warfare as there was in the nuclear age. There are neither stockpiles of highly visible, highly effective cyber weapons that ensure a nation’s security by their destructive capacity, nor are there guaranteed repercussions from striking a similarly armed peer.

Further, in the absence of an enemy claiming responsibility, attribution of cyber attacks is a slow and difficult process. Even when we can accurately identify the attacker, Just War Theory (JWT) does not yet consider non-kinetic cyber attacks, such as economic sabotage, as acts of war permitting proportionate retaliation. Russia has allegedly attacked Ukraine, Georgia, and other states using cyber weapons, with little to no publicly-disclosed retaliation from victim states or from the international community. Less developed nations, terrorist groups, and non-nation-state actors can disproportionately employ cyber weapons against a more developed, highly cyber-dependent adversary with little fear of retaliation. For example, if North Korean attackers were able to shut down a US stock exchange, what would be a proportionate response, as North Korea is among 20 or so nations with no stock exchange of their own

The authors propose that civil-military cooperation is crucial to establishing and maintaining both cyber deterrence and cyber defense. Just as the Reserve and National Guard components maintain a trained, ready force to respond to home-land emergencies and peacekeeping needs abroad, a new Civilian Cyber Defense Corps could serve as a kind of cyber national guard. By training qualified civilians in some of the latest defensive and offensive capabilities, we can both respond to the critical need for cybersecurity professionals in private industry and sustain a corps of well-trained cyber guardians to protect and restore critical systems at home and support both defensive and offensive operations against foreign adversaries.

Different from the existing cyber components in the National Guard and Reserve, the key to garnering broad participation would be the civilian nature of the CCDC, waiving both physical fitness and age requirements, trading boots and fatigues for t-shirts and tennis shoes. The Cyber Corps could become a vital bridge to high-paying private industry cybersecurity jobs for returning or retiring active-duty service personnel, a career-booster for underemployed but patriotic Americans coming from displaced industries, and a career-starter for the next generation of Cyber Heroes.

Return to the 2017 Symposium Page

Designing a Military Cyber Strategy for South Africa

South Africa, and indeed the African continent as a whole, experiences challenges in terms of cyber threats within the African digital space.  While South Africa leads the way in terms of legislation and the establishment of formal cyber response and coordination entities, a number of substantial challenges remain.  Foremost amongst these is the framing of a national cyber strategy and further to that, a military or cyber warfare strategy.  There are key questions which arise in the South African context around such strategies in terms of governance, policy development, doctrine and capability development, knowledge collaboration and the sharing of information and intelligence with other states.  Associated questions regarding which entity is responsible for securing South Africa’s digital landscape are equally difficult to answer.

The need to make rapid progress in both the policy and human capital environment is self-evident.  South Africa is home to the most technologically advanced economy in Africa and a service hub for the entire region as well as being an important regional power.  While South African defence planners do not easily foresee a conventional short or medium term military threat to the country the same cannot necessarily be said for a cyber and possibly a cyber/kinetic attack due to the global nature of cyber threats as well as the proliferation of possible nonstate actor adversaries.  The protection of the South African arms manufacturing industry, both from a military as well as an economic perspective, is an additional important consideration.

There are also a number of vexatious foreign policy challenges for South Africa in terms of cyber cooperation as the country is a member of a number of international organizations from the UN, the AU, SADC, BRICS and the Commonwealth.  This is set against a backdrop of the African continent which as a whole faces many security challenges combined with outdated resource challenges in the ITC sector.  Despite this Africa’s number of internet users is exploding as the Continent’s physical cable connectivity to the rest of the world grows at a rapid pace.  It is therefore perhaps fair to assume that the African threat landscape is large and somewhat exposed.  South Africa is dependent on the continued growth and development of the Africa continent as a whole and therefore needs to play a leading role in shaping cyber policy and capacity within the region.  The strategic and economic importance of Africa is reflected by the presence of major world powers such as the United States, Russia and China.  From a South African perspective this presents a complex backdrop against which cyber strategies must be framed.

This paper aims to explore some of these challenges and propose a number of ideas and considerations in terms of the formulation of a military cyber strategy for South Africa.

Return to the 2017 Symposium Page

Cyber Security as a Horizontal Issue in Public Service

Cybersecurity is a major national security issues for all countries. Hungary is also struggling with this problem. Criminal activities in cyberspace has reached the point where national interests need to be represented EU and NATO-wide in cybersecurity related discussions. Governmental IT systems should be protected from criminals and foreign intelligence services, just to name a few challenges. Moreover, Hungary borders the Ukraine where Russia employs hybrid warfare at the highest level, including cyber activities. Meanwhile, Hungary is preparing for the next parliamentary election in 2018, a high-risk endeavor in every European country these days. These elements require a new approach to cyberdefense.

The National University of Public Service (NUPS) in Hungary is responsible for educating military, intelligence and law enforcement officers, public servants, disaster management experts, diplomats and water supply engineers. Cybersecurity is one of the topics that is vital for all students to understand as they must deal with the negative effects of IT related issues on a daily basis in their career. The NUPS Cybersecurity Academy was established in 2017 to support all educational and research activities, meanwhile collect requirements from the affected parties. As a trusted party, it is also responsible for sharing independent information with the public and promoting cybersecurity as a career option inside and outside the university for youngsters. As a research pillar, the Cybersecurity Research Team was established and began a joint research project on some missing fields of the above-mentioned professions, such as security awareness, the security questions of smart cities, the risks of social media, cybercrime investigations, cyberstrategy, international relations in cyberspace and security operation centers.

As a prominent military and civil cooperative effort in the field of cybersecurity, this educational project can be used as a best practice worldwide, therefore our aim is to share our initial experiences. We highlight the legal and institutional background that governs Hungary’s cyberdefense. We also speak about the major challenges and potential answers from the Academia. Moreover, we intend to share the first results of Cybersecurity Research Team.

Return to the 2017 Symposium Page

Cyber-Resilience Strategies for Small Countries

Mass use of the Internet destroyed the Westphalian state system (named after the 1648 Peace of Westphalia treaty). In that system each country has a territory (and people, economy and society), shared (in principle) with no other country, and – usually, and desirably – a government. Within very broad limits, each country is ‘sovereign’: it can make laws that apply within its territory, and it can deal with other countries on the basis of a presumption of equality. Other countries don’t claim to be able to interfere in each other’s internal affairs (with known exceptions).

Nowadays, almost any individual, organization, or state with enough information technology knowledge may easily intervene in the affairs of a country. Mass media almost every day report on such activities. Slowly, kinetic wars are enhanced, or replaced by cyber wars. At present, the major players in cyber attacks are organizations sponsored by state government of various countries: from major players like USA, China or Russia, to minor, like Israel or North Korea. The main objective of all these players is to learn as much as possible of the other countries military and civil activities, and, if desired, disturb these activities.

The issues, which we would like to address, are: In which way small countries may increase their resistance against such cyber-attacks? How big players could support building of these defensive capabilities.

Building resistance against cyber-attacks requires investigation of many quite different problems, including:

  • Information technology itself
  • Education
  • The law
  • International relations
  • Possible cyber-attacks formats
  • National polices related to cyber conflicts and defenses

Investigation of all these problems is costly. And there is an obvious question: Where to find funds covering studies of these problems?

The answer seems to be quite simple, but extremely difficult to apply:

At present, significant majority of governments spend between 1% and 2% of their budget on national defenses. These are substantial money. These funds all invested mostly in the “traditional” military hardware. Almost every week mass media reports about multibillion dollars prototypes of new aircraft carriers, planes, tanks etc.

The basic cost of a new German’s Leopard2 tank with the A7+ upgrades is reported to be about US$10 million. This is only a tank cost and related infrastructure costs much more than that. One such a tank would not be enough to defend a country. So, it could be affordable for big powers like USA or China and not for small countries. For example, at present, Poland has 128 Leopards tanks with the next 123 on order. In neighboring Germany, the number of Leopards tanks is measured in thousands. Due to overwhelming “traditional” military power of super countries small countries do not have any chance to survive attacks launched by major world power. However, they should have enough military hardware to effectively resist attacks from the neighboring countries (if they are not superpowers!). Some investments in the traditional hardware are dubious. For example, a decade ago New Zealand (country surrounded by ocean) bought over 100 of Light Armored Vehicles, of which significant part never left the garage. But one or two of these expensive tanks could be replaced by increased investment in cyber-war studies.

USA government should encourage their partnering countries to shift traditional military spending to cyber defenses. This talk will consider how such policy could look.

Return to the 2017 Symposium Page

A Taxonomy of National Challenges in Cyber Defense

Many countries all over the world are finding themselves trying to figure out how best to tackle cyber defense challenges that continue to be on the rise. This has led to country specific initiatives, regional alliance initiatives and new relationships being formed. The purpose of the paper is to taxonomize the national challenges facing South Africa’s attempts at establishing an effective cyber defense policy. This will be achieved by looking at the current (South African) National Cybersecurity Policy Framework and comparing it with those of other countries that are classified as similar to South Africa.

The research of course shows that every country has its own unique challenges that have to be properly analyzed before attempts to implement policies are put in place. The taxonomy adds value by indicating the magnitude of the challenges and how they differ from other countries. In South Africa’s case, one factor that stands out is the fact that South Africa is a fairly new democracy that has gone through a couple of metamorphoses – including the fusion of armed disparate armed forces – which have significant impact on the path forward.

What our research will show is the dependencies between the solutions that the first world countries come up with and the problems that are faced by the second world countries. If a first world country is struggling to find solutions or decide on what needs to be done within the cyber defense environment, this automatically mean those countries that  depend on the first world country stand to suffer the most. Because of the technological dependencies the second world countries such as South Africa find themselves having to find solutions outside of the  normal status quo as provided by those who may have been in the lead.

Return to the 2017 Symposium Page

Classification of Web Service-based Attacks and Mitigation Techniques

Web services are being widely used for business integration. Understanding what these web services are and how they work is important. Attacks on these web services are a major concern and can expose an organization’s valuable resources. This paper performs a survey describing web service attacks. We provide a taxonomy of web service vulnerabilities and explain how they can be exploited. This paper discusses some of the approaches that make up best practices and some that are in the development phase. We also discuss some common approaches to address the vulnerabilities. This paper discusses some of the approaches to be used in planning and securing web services. Securing web services is a very important part of a Cybersecurity plan.

Web services (also called application services) are defined as being “A standardized way of integrating Web-based applications using the XML, SOAP, WSDL, and UDDI open standards over an Internet protocol backbone”. WSDL is the Web Service Description Language. It is a XML-based interface definition language that describes the functionality offered by a web service. UDDI is Universal Description, Discovery and Integration. It is platform independent protocol that uses a XML-based registry that worldwide businesses can list themselves.

Web services are increasingly becoming a strategic vehicle for the exchange of data and content distribution for companies and corporations (large and small). It is a vital component of online stores. Within web services, the Simple Object Access Protocol (SOAP) XML-based messages are used to transmit data between the consumer and the provider over the network. This is done using the http or https protocols. These interactions take place when the consumer (client) sends a SOAP message request to the provider (server).

There are many existing attacks on web services and many mitigation approaches. However, there is little effort in providing a taxonomy of attack types and mitigation approaches. In this paper, we do an extensive survey of web service-based attacks and mitigation approaches. We discuss various types of attacks such as SOAP Action Overriding attacks, Privilege Escalation Attacks, Disclosure and Denial of Service attacks. For each of these attacks we provide some best practices and mitigation approaches.

This paper will be organized as follows: Section 2 discusses SOAP and RESTFul web services. Section 3 describes a number of common attacks on web services. Section 4 discusses common tools and approaches from the literature that mitigate web service attacks. Section 5 discusses best practices to mitigate against web service attacks. Section 6 highlights the limitation of the approaches. Finally, Section 7 concludes the paper.

There are many types of attacks that attackers/criminal can use against a computer system. This research was focused on web services SOAP and RESTFul, and the attacks that can be used against them. Knowing the vulnerabilities and exploits that web services are susceptible to is important to finding the best practice for the mitigation of the attacks that can be used against web services.

Return to the 2017 Symposium Page

Hybrid Wars:  The 21st-Century’s New Threats to Global Peace and Security

This article discusses a new form of war, ‘Hybrid War’, under inclusion of aspects of ‘cyber-terrorism’ and ‘cyber-war’ before the backdrop of Russia’s ‘Ukrainian Spring’ and the continuing threat posed by radical Islamist groups in Africa and the Middle East. It discusses the findings of an on-going Hybrid Threat project by the Swedish National Defence College. This interdisciplinary article predicts that military doctrines, traditional approaches to war and peace and its perceptions will have to change in the future.

Return to the 2017 Symposium Page

Is Cyber Shape Shifting?

Neal Kushwaha
Impendo Inc.
neal@impendo.com

Bruce Watson
IP Blox
bruce@ip-blox.com

Abstract: Technologies have evolved so rapidly that companies and governments seem to be regularly trying to catch up to new capabilities and thereby sometimes making quick decisions that have the potential to set precedents and apply international challenges.[1]

With the opportunity to a take step away from the technical aspects of cyber and consider the taxonomy, this paper explores the domain of cyber by structuring the conceptual problems and by putting the individual small solutions into their respective places within a conceptual framework.

The paper breaks cyber into seven (7) concepts and discusses each of them:

  1. knowledge trajectory – aligning cyber to knowledge economies;
  2. discrimination – categorizing various cyber weapons;
  3. recombinant and mutable – discussing how cyber weapons can be easily modified when compared to traditional kinetic weapons;
  4. model/object dichotomy collapse and free replication – discussing how in cyber, the code is the object, making it easy to duplicate the weapon and how traditional methods of sanctions may no longer be suitable;
  5. speed of light – the challenge of detecting cyber weapons and the ease with which they can be shared;
  6. dynamic multidimensional space – discussing the change in theatre of operations and how collateral damage is an expected outcome; and
  7. scope of impact – discussing the true impact of cyber weapons and their behaviour.

The paper challenges the reader further by proposing the possibility that cyber is not a Domain of Warfare and that the term “cyber attack” may likely benefit from an alternate label such as “cyber espionage”. We discuss how cyber is impaired by:

  1. attribution, making it difficult to identify the source;
  2. scope of impact resulting in manipulation, interruption/disruption, and bullying; and
  3. highly dependent on the target’s cyber hygiene and IT business processes.

Because of these challenges, we propose cyber is rather simply a tool or tradecraft for the purpose of espionage or sabotage.

Keywords: knowledge economies, knowledge trajectory, capability and maturity model integration, cyber weapons, weapons of mass manipulation, weapons of mass interruption, cyber hygiene, tradecraft, espionage

[1] Clapper, et al., Joint Statement Record, p5 paragraph 1, “…countries do not widely agree on how such principles of international law as proportionality of response or even the application of sovereignty apply in cyberspace.”

Poster Abstracts

Civil-military cooperation and international collaboration in cyber operations

The paper addresses cyber-attacks in the context of civil-military cooperation. The role of international collaboration in Georgia’s  cyber defence is also highlighted.

Cyber threats and attacks have become a common phenomenon, turning more sophisticated and damaging. The world is faced with an evolving complex threat environment. State and non-state actors can use cyber-attacks in the context of military operations. Considering hardly controllable nature of cyber-attacks, it is difficult to bring out a rule of thumb.

The first step to falling for any cyber-attack is to believe that you will not be attacked. Tasks of collective defence, crisis management and cooperative security is crucial. NATO needs to be prepared to defend its networks and operations against the growing sophistication of the cyber threats it faces.

The Government of Georgia has acknowledged the challenge in its first Cyber Security Strategy. Large-scale cyber-attacks launched by Russia against Georgia in August 2008 have clearly demonstrated that the national security of Georgia cannot be achieved without ensuring security of its cyberspace. In the course of the Russian-Georgian war, Russian Federation engaged in targeted and massive cyber-attacks against Georgia alongside land, aerial and naval assault.

According to the National Security Concept of Georgia, Russia poses the most vivid threat not only militarily but also in terms of direct cyber threats both to state and non-state sectors of Georgia. As the document determines cyber security as one of the main directions of its security policy, Georgia tries to create new system of cyber security that will facilitate resilience of cyber infrastructure against cyber threat and also, will represent extra factor in country’s economic growth and social development. Accordingly, it is necessary to adhere to the following rules of cooperation: public-private partnership (PPP) and enhanced international cooperation. Development of mechanisms for cooperation between governmental agencies as well as boosting public-private partnership is essential for ensuring cyber security. Part of critical information system of Georgia is owned by private companies. It is important to develop cooperation modalities that would facilitate proper operation of critical information systems and would also offer additional factors for economic growth.

For successful elimination of cyber threats, first of all, it is omnipotent to consider international experience of civil-military cooperation. Some further recommendations can be considered for the commitment of Georgian cyber security. Furthermore, academic research centers of excellence in the cyber field must be established. It is also essential to promote cooperation between private and governmental sectors.

Finally, it is necessary to develop a national cyber defensive perimeter – automatic computerized system and human systems, which, together, would provide defence for predefined computer systems. Besides, there is a need to develop solutions for local defence as well as to increase the level of cyber security awareness.  

Return to the 2017 Symposium Page

Advantages and Disadvantages of Civil-Military Partnerships in Cyber Operations

Let me analyze this agenda in 3 different perspective: personnel, money and material. In this presentation, personnel mean human resources, money means sources of funding, and material means technology. We have some critical issues to solve especially in personnel and money. In material, however, there are edges.

Issues in Personnel

Different career path; specialist vs generalist

The biggest problem of personnel system in Japan is that technicians don’t have revolving doors. Most of them work at the same institutions till he retires. Outside the country, however, they come and go very flexibly.

What makes this difference?

I suppose that strict bureaucracy is the reason. In Japan, it’s hard for them to be hired as an individual by the government. They have to be public employee. In foreign countries, however, headhunt from military or from civils is not rare option.  Lacking of flexibility personnel system is one of the challenges against the goal.

Issues in money

Allergic to military research

It is world trend to try to invest in cyber space.

Issues in Money

In Japan, however, many people have allergic to military research. For example, Science Council of Japan addressed that they are on negative position against studies which may lead to military technology, though Ministry of Defense is trying to increase investment in these kinds of studies. Thus may be hard for us to build up civil-military partnership.

Issues in materials

Technology to be our edge

So far, I’ve been mentioned challenges against the goal.

However, there are some outstanding points in material field.

For example, one of Japanese institution (NICT) developed brand new technology.-quantum communication. This technology is expected to significantly improve security of communication.

This technology is important because today’s whole military systems are based on communication techniques like CPU and satellites.

Conclusion

Future perspective

I’ve been briefly pointed out what are challenges and advantages of our strategy.

We need to work on the challenges quickly. We hope 2020 Olympic will accelerate this movement because cyber accident will be the worst accident for the national event.

Return to the 2017 Symposium Page

Use of force in cyberspace under Article 2(4) of the UN Charter: an analysis of stuxnet virus based on “Schmitt Criteria” in cyber-attacks

A cyber-attack could be defined as some action directed to networks or any other means of communication and information considering state actors and non-state actors. However, whether this should be seen as use of force is still undetermined. This poster's objective is to analyze the use of force in cyber-attacks. Taking into account the "Schmitt Criteria" for analysis, it aims at checking if the stuxnet virus attack could be classified as it. The hypothesis is that cyber-attacks can be considered according to the UN Charter due to its characteristics. The analysis indicated that it would be important to expand the scope of the Article 2(4) UN Charter, which presents a strict view of what may be considered use of force. Especially when we take into account the cyberspace, where a simple and low cost action can have a great power of destruction. Although “Schmitt Criteria” proved to be an important tool to analyze the use of force in cyber-attacks, issues such as the origin of the attack, the measurement of the kinetic effects and severity of the action were difficult to determine. Mainly because sometimes a cyber-attack do not destroy but only disable or steal information from the target, and the effects of it may be even worse than the destruction. The hypothesis that the cyber-attacks could be considered use of force was partially confirmed, because of the difficulties in qualifying the context of the attack as use of force, due to the many variables involved in it.

Return to the 2017 Symposium Page

 

At War with TOR

How anonymization technologies, OPSEC procedures and malware obfuscation are changing cyberwarfare.

My paper is focused on explaining the effects that anonymization networks, the spreading of OPSEC Tactics, Techniques and Procedures and obfuscation technologies have on operations, both military and criminal.
I will start by introducing in a not-too-technical manner what The Onion Router (a.k.a. TOR) is, how it works and how it can be (and actually is) used effectively by attackers worldwide to avoid identification and prosecution. With TOR will also be rapidly covered the so called Deep Web: how and why it is tightly related to TOR and what it truly is.
I will then move on to explain what OPSEC, short for Operations Security, is, where it originates and how the TTPs have evolved to adapt to the cyber space. When discussing OPSEC I will explain how it integrates with TOR and TOR-like technologies and how it can make it really difficult to uncover the true identity of who is behind a cyber attack or a cyber crime.
Last but not least I will talk about malware obfuscation and how these techniques can trick victims of an attack into thinking the attacker is not who he really is and allow effective and dangerous false flag attacks.
In conclusion I will then proceed to discuss some real world examples of what we have seen so far, making it clear how, even though quite some time has passed since some of these examples happened, we are not still completely sure of who was behind certain events and how researchers proved many attack signatures can be forged, making it almost impossible to discern the real enemy from a fake one.

Return to the 2017 Symposium Page

Cyber Mercenaries: Private Entities’ Offensive Intrusions and Militaristic Surveillance Capabilities

The exponential growth of civil-military cyber operations in regards to monitoring, intercepting and digitally-penetrating known criminal’s communications and digital activities has instigated the creation private entities that specialize in this field. Companies like Hacking Team, DigiTask, FinFisher and Trovicor have taken the cyber-espionage field to the store front, selling monitoring devices and exploitation programs to any country or highest bidder. Numerous companies in this private sector have become the target of information leaks and hack attacks by citizen watch-dog groups and lone hackers, and the revelations from these attacks proved that several prominent organizations, including Hacking Team, sold spyware, keystroke loggers and digital audio recorders to multiple authoritarian regimes in Africa, including the Ethiopian government.[1] But with the rise of end-to-end encryption becoming more prominent among popular communication tools used by the hostile and covert organizations, the creation, selling and distribution of offensive measures by the private companies to military and law enforcement agencies develops into a essential part of maintaining homeland security. By selling these tools as necessary utensils in preserving civil peace, these private companies protect and defend innocent lives across the globe, while maintaining great digital and financial success. In the proposed poster or paper, the ethical repercussions and direct results of these private entities will be defined and discussed. Whether the fiscal market can become a strong instigator for more advanced surveillance and penetration tools, or whether these private entities are over-stepping their civil boundaries selling these tools to multiple purchasing militaries in multiple countries.

[1] The Intercept article

Return to the 2017 Symposium Page

Applying the Cyber Kill-Chain Model on an Attack against Military Networks

As far as we know, nowadays the technology has evolved very much, so we know that our information has become more vulnerable; globally the cyber-attacks have developed. About this topic I have thought to explain a model of a cyber-attack from the point of view of the adversaries and from the network defender.

Therefore, I imagined that an unknown organization wants to steel classified information from an air-gap military type network. Based on the cyber kill-chain model theorized by Lockheed Martin, I will try to present the actions made by the adversaries and by the network defenders. As it is known, the model is made of seven stages. Shortly, I will try to explain every step. The first stage is called reconnaissance: in this time the adversaries gather information on the target. The network defender performs actions like: firewall protection, public data protection. Weaponization is the second stage of the model and it refers to developing the attack methods against to the network. The opponent makes actions like: malware development, antivirus evasion testing and the defender will action similarly like in the first stage. The third stage is called delivery, in which the adversary will transmit the malware to the target. The fourth stage is exploitation and it refers to the network’s infection and getting the information. The fifth stage is called installation. The sixth stage is command and control, in which the adversaries establish C2 between air-gap and internet connected network using the USB drive. The last stage is called action on objectives where the information is extracted from.

Return to the 2017 Symposium Page

VMI Cyber Club

The VMI cyber club poster proposal will illustrate how a Senior Military College cyber club engages potential cyber professionals in their freshman year who will either serve in the military or private sector. We will begin with discussing professional speakers who currently serve as cyber professionals and mentors who have served or taught in the realm of cyber security that come to speak to our young future professionals. Currently our club meets on Thursday evenings and we conduct exercises in a computer lab including instruction on how to hack into websites, data forensics, and stenography – which is hiding images and files inside of other images and files. On Mondays we also meet for practical exercises on how to hack into drone video feeds, directional controls, or cut off the flight controls. The most current item on our agenda is teaching our club members how to conduct a successful SQL injection which is used to exploit server vulnerabilities. During a cyber club member’s college experience, they will attend a major cybersecurity symposium or conference. The VMI cyber club is currently part of a Bug Bounty program run by Hackerone. This program allows the VMI cyber club to ethically hack companies that have signed up to expose any vulnerabilities they may have. This will enable them to secure those vulnerabilities with no damage being done. All of these activities are examples of goals and tasks that a Senior Military College cyber club should achieve in order to achieve the C1 additional skill identifier (ASI) for the US Army.

Return to the 2017 Symposium Page

On the Viability of Open Source in Cyber Security

Threats in cyberspace continue to outpace the development of patches that resolve them; though, one development model may allow for a better method for dealing with this conundrum: open-source, and its idea that collaboration causes clarification. As the innumerable vulnerabilities continue to grow, perpetuated by the increasing number of connectable devices – like desktops, laptops, smartphones, and the every-growing Internet of Things (IoT) – the problem swells in size. Combined with the manufacturer’s preference for reducing costs at the expense of security, these loopholes will eventually overwhelm cybersecurity personnel, as the situation currently stands. Without solutions being communicated, the deployed repair could already be outdated, or at worst, destructive. This research analyzes the modern lapses in security and the causes, as well as the likelihood for the trend towards open-source resulting in a Cyber Security enlightenment.

Return to the 2017 Symposium Page

Abstract by Marek Olsan

There are several types of browsers which are used and each of them has a specific system to handle with certificates, for example focus on the Chrome web browser made by Google, whose core are also used as Chromium browser and various other clones. We should aim to find out how it handles with certificates depending on the operating system. How certificates are stored and in what kind of format. The outcome should be an application able to compare it with the latest obtained data created some time ago or online database and compare the changes between them. I would like to create a tool which can handle this. This tool should become a simple and user-friendly way to verify the certificates and certificate authorities used in browsers. Certificate verification should be carried out by verifying the digital fingerprint of the generated hash function whether the family SHA-1, SHA-2, or SHA-256. But the problem comes with a database of digital fingerprints certificates, no one exists – so that is step two. For the fingerprint authentication in future I would like to create free accessible internet database, which allow to be a digital fingerprint checks more transparent. This application should provide a way for everybody to check their certificates. It would be released as open source software. The main reason for this work is the fact that in recent years has no change occurred in this aspect from the developers of web browsers such as Mozilla Firefox, Internet Explorer or Google Chrome etc.

Return to the 2017 Symposium Page