STTarx was highlighed in a military defense news periodical, Warrior Maven. Industry innovators and academia collaborate on emerging cybersecurity technology which, after millions of attempted intrusions, has not yet been hacked. Developers at Secure Transport Technology (STT) have tested a self-contained network which defied an attempted DDoS attack, stopping 2.0 Terabytes of attempted intrusions per second.

The article was orignaly published on Warrior Maven by Kris Osborn.

Warrior Maven article: Industry Tests Unhackable Network. Stops Supercomputer Denial of Service Attacks.

Alabama News Network Reporter Justin Walker spotlights STTarx in his article “Unhackable” Technology Created Could Prevent Hackers From Getting Your Information.

Sighting that "Hackers are a growing threat in the changing world. Technology companies are always looking for ways to prevent hackers from obtaining personal information. One company may have found the answer. Secure Transmission Technology, or STT, has designed a form of technology called STTarx".

STTarx was highlighed in a Fox News article, Is there new 'hackproof' cyber defense? Air Force, industry test new system, about the US Air Force working with the security industry to test emerging cybersecurity technology which has not, as of yet, been hacked.

The article was orignaly published on Warrior Maven by Kris Osborn.

Warrior Maven article: Is There New "Hackproof" Cyber Defense? Air Force, Industry Test New System.

STTarx demonstrated the uninterrupted network communications and ease of changing traditionally difficult network security policies on the fly, from security zones to dynamic Virtual Private Network (VPN) encryption ciphers rotating as fast as once per second, all while under cyber-attack. STT remains proud to have empowered the event participating first responders and Verizon's Head of Network & Security Innovation Programs, Jeff Schweitzer, in the next generation Software Defined Perimeter.

Press Release: STT Next Gen Dynamic Encryption Demonstrated at 2017 Verizon OCR.

STT LLC is proud to announce that the STTarx software product has received the DT&E designation of the Department of Homeland Security (DHS). STTarx is now certified as a QATT (Qualified Anti–Terrorism Technology).

Customers of the certified technology now have protection under the SAFETY Act from lawsuits or claims alleging failure of the technologies to prevent or mitigate an act of cyber terrorism. STT LLC is proud that it's STTarx software is the only network protection product that has been certified under the Safety Act to date.

The SAFETY Act — officially called "Support Anti–Terrorism By Fostering Effective Technologies Act of 2002" — is a DHS liability management program aimed at encouraging the development and deployment of security products and services that will enhance the protection of the United States. DHS has designated over 700 products, technologies and services since the SAFETY Act was enacted in 2002. The liability protections provided by the SAFETY Act encourage more effective security deployments by automatically limiting the types of liability claims companies using certain products may face following a terrorist event.

In December 2014 an unnamed ISP experienced a DDoS attack that peaked at a router-straining 400 gigabytes per second, easily the largest denial of service event in Internet history... (Full Article)

STTarx withstood a DDoS attack 5 times larger, 2 terabytes per second to be exact, in an open and live environment during extensive testing and evaluation performed by Troy University and the Alabama Computer Forensics Institute (ACFI) in 2014.

Summary

Troy University and the Alabama Computer Forensics Institute (ACFI) completed the task of carrying out a security assessment and subsequent penetration test of the STTarx product.

The purpose of these tests were to determine security vulnerabilities in the STTarx application in two applied environments. Server configurations and web applications running on the servers were specified as part of the scope. The tests assumed the identity of an attacker or a user with malicious intent. No due care was attempted to prevent damage to the clients and the servers — the threat assessment included thorough, rigorous efforts to compromise traffic, clients and servers, employing a wide variety of techniques.

Approach

• Controlled test environment
  • Perform broad scans to identify potential areas of exposure and services on the client and the server that may serve as entry points
  • Perform targeted scans and manual investigation to validate any observed vulnerabilities
  • Test identified components to gain access to (1) traffic, (2) client, and (3) server
  • Rank vulnerabilities based on threat level, loss potential, and likelihood of exploitation
  • Identify issues of immediate consequence and recommend solutions
• Open, live environment
  • Perform broad scans to identify potential areas of exposure and services on the client and the server that may serve as entry points
  • Perform targeted scans and manual investigation to validate any observed vulnerabilities
  • Test identified components to gain access to (1) traffic, (2) client, and (3) server
  • Rank vulnerabilities based on threat level, loss potential, and likelihood of exploitation
  • Identify issues of immediate consequence and recommend solutions

During the network security checks, for both types of tests, we tried to probe ports present-known to us and all available ports. We scanned all published services running on known ports and common operating system level services and attributes. We sought configuration issues and logical errors present with the operating system and associated services. Within the controlled test environment, both the client and server were unpatched Windows operating systems.

Scope

The scope of these tests fell into two categories. In the controlled environment, we scanned the actual devices within the development group. In the open, live environment, we scanned the entire IP subnet of the client and target server networks. The total number of IP addresses scanned for the live test was 512.

Key Findings

Troy University and ACFI did not identify any open ports, live IP addresses in either environment running the STTarx product. Troy University and ACFI did not identify any common insecure services such as VNC, Telnet, FTP, Terminal Services, MySQL, and Microsoft SQL as being externally accessible. Troy University and ACFI often finds these types of services during external penetration tests. During the course of this assessment we did not receive an Internet Control Message Protocol (ICMP) Echo Reply from any hosts. Upon additional reviews of the test and live environments with Troy University personnel and STTarx managers, Troy verified that the configuration in place was for testing purposes and the intent of the configuration was live with no additional security measures in place, which could have affected discovery.

With known knowledge of the configurations in both environments, a directed assault was launched to the IP addresses of the clients and servers. The assets did not respond to any attempt to attack the devices. Furthermore, a vast array of attacks were offered. Included among the attack types were denial of service, distributed denial of services, operating system exploitations, network payload manipulation, malware and viruses.

Once Troy University and ACFI completed its testing regime, another third-party was employed to verify test results and conduct another series of tests. The group reached identical conclusions — the STTarx protected devices could not be observed nor compromised. The tests were conducted by Troy University and ACFI eleven times. Host discovery yielded no results. Service enumeration yielded no results with known active IP addresses. Vulnerability scans of known IP addresses to purposefully exposed services yielded no results. Following the vulnerability scans, we performed manual tests. Those tests yielded no results.

Conclusion

According to our tests, and verified by independent review, the STTarx product functioned as described. In a controlled test environment where all variables were disclosed, the STTarx product performed without failure. In a live, production environment, the STTarx product performed as described. All tests to locate, infiltrate and erode the security of the STTarx solution were unsuccessful.