SoylentNews is people
SoylentNews
Submission Preview
Analysis | the Cybersecurity 202: DARPA Wants Hackers to Try to Crack its New Generation of Super-se
████ # This file was generated bot-o-matically! Edit at your own risk. ████
Analysis | The Cybersecurity 202: DARPA wants hackers to try to crack its new generation of super-secure hardware [washingtonpost.com]:
with Tonya Riley
The Pentagon’s top research agency thinks it has developed a new generation of technology that will make voting machines, medical databases and other critical digital systems far more secure against hackers.
Now, the Defense Advanced Research Projects Agency, which helped invent GPS and the Internet, is launching a contest for ethical hackers to try to break into that technology before it goes public. DARPA is offering the hackers cash prizes for any flaws they find using a program called a “bug bounty.”
The new technology is based on re-engineering hardware [washingtonpost.com], such as computer chips and circuits, so that the typical methods hackers use to undermine the software that runs on them become impossible. That’s far different from the standard approach to cybersecurity, in which tech companies release a never-ending stream of software patches every time bad guys discover a new bug.
If industry widely adopts the new systems, DARPA researchers believe they can finally shift the tide in a battle that has favored hackers over defenders basically since the birth of the Internet.
“It [would have] a huge, huge impact,” DARPA Microsystems Technology Office Program Manager Keith Rebello, who’s running the program, told me. “About 70 percent of all cyberattacks are due to hardware vulnerabilities. If we can fix those permanently, we can take a large portion of the attack surface away.”
DARPA has built model versions of several different computerized systems that use the new hardware and that cybersecurity pros will try to break into.
The agency purposefully chose some of those models to demonstrate the dangers of the current generation of poorly secured hardware and to show how much safer the world could be with more secure versions, Rebello told me.
The biggest ticket item is a voter registration database. State and federal election officials have identified [washingtonpost.com] such systems as one of the greatest vulnerabilities if hackers from Russia or elsewhere try to undermine the 2020 election. Kremlin-linked hackers successfully broke into voter databases in Illinois [washingtonpost.com] and Florida [washingtonpost.com] in 2016, though there’s no evidence they changed any votes.
If DARPA can prove its version of the database is far tougher to hack, that could be a game-changer, allowing officials to be far more confident about election security.
Another model for the bug bounty is a medical database containing research into the novel coronavirus — information that FBI and Department of Homeland Security officials say is being targeted by Chinese hackers [washingtonpost.com].
“We wanted to use demonstrations that are relevant to show the impact that we can have with this technology,” Rebello told me.
The program, which is officially called System Security Integration Through Hardware and Firmware, or SSITH, started in 2017 and will run for another year. So there will be time to make fixes based on problems the cybersecurity pros uncover.
The secure hardware itself is funded by DARPA but is being built by researchers and academics at places like Lockheed Martin, the University of Michigan and the Massachusetts Institute of Technology.
This is the first bug bounty for the DARPA hardware program, but such programs have become increasingly popular in government in recent years.
DARPA is working with the Defense Digital Service, a technology tiger team inside the Pentagon that has managed bug bounties for the Army, Navy and Air Force and recently helped find hackable bugs [washingtonpost.com] in systems on a U.S. fighter jet.
The project is also being managed by the cybersecurity company Synack, which specializes in running bug bounties and has worked with the Defense Digital Service on some of its earlier projects.
The largest share of the hacking will be done by cybersecurity pros who work regularly with Synack and have expertise in a number of specialized areas, including hacking hardware. There will also be a broader part of the program that’s basically open to anyone with hacking experience who isn’t barred from working with the government, such as people on terrorist watch lists.
“This is a wide pool of people with different skill sets that we might not always find in government,” Rebello said. “We’ll have three months for the hacker community to experiment and take things apart, and try and reverse-engineer our hardware to see if they can break it.”
DARPA couldn’t say how much money it expects to pay out to hackers who find bugs. Synack said its payouts “typically range from hundreds to tens of thousands of dollars for very severe vulnerabilities.”
The new secure hardware won’t be commercially available in time for the election in November or probably to protect research for a coronavirus vaccine.
But Rebello is hopeful it will start being integrated into some commercially available computer chips in the next two to four years, he told me.
A handful of companies have already expressed interest in piloting some version of the system, including the British firm Arm Holdings, he said.
The rush is on because cybersecurity is going to grow far more important during the next decade.
That’s partly because critical business sectors will be doing far more of their work using online systems, such as manufacturing, medicine, transportation, energy and agriculture. The Internet will also begin connecting to a slew of new devices that weren’t networked before, such as driverless cars, thermostats and home security systems, creating far more opportunities for hackers.
“The attack surface is going to explode, so we really need to start thinking about how we can rein that in,” Rebello said. “And having secure hardware, I think, is one very important key to solving that puzzle.”
Welcome to The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
The keys Democrats want to ensure federal agencies aren’t conducting improper surveillance on protests against police brutality.
Sen. Kamala D. Harris (Calif.) and Reps. Mary Gay Scanlon (Pa.) and Juan Vargas (Calif.) led 97 colleagues [senate.gov] in a letter to Customs and Border Protection and Immigration and Customs Enforcement officials demanding answers about what surveillance tools the agencies have used, how they shared surveillance footage and whether their staffs have been trained to comply with privacy laws.
In a separate letter [house.gov], Democrats on the House Oversight Committee, including Rep. Alexandria Ocasio Cortez (D-N.Y.) demanded a full account of DHS's role in surveillance of protesters in Minneapolis where George Floyd was killed in police custody and where the protest movement began.
The letter slammed [house.gov] the agency's use of a military drone for surveillance as a "gross abuse of authority."
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) has also demanded answers [washingtonpost.com] about the agencies’ surveillance. So far DHS has not scheduled a briefing or answered Thompson’s letter, according to a committee representative.
Drug Enforcement Administration agents have also reportedly conducted surveillance [washingtonpost.com] of the protests. Rep. Ted Lieu (D-Calif.) announced on Twitter that he's working on a bill that would ban agencies from using powerful “Stingray” technology that spoofs cellphone towers to collect cellular messages and data from protesters.
I am working on legislation to ban the use of Dirtboxes, Stingrays and other powerful cell site simulators on protestors. Warrantless surveillance of #BlackLivesMattters [twitter.com] activists and protestors by @TheJusticeDept [twitter.com] is unAmerican and unconstitutional. https://t.co/4Y6iWJzALk [t.co]
— Ted Lieu (@tedlieu) June 6, 2020 [twitter.com]
It's unclear if the DEA actually used the technology, which could ensnare the communications of thousands of bystanders.
Google and Apple are struggling to ban coronavirus contact tracing apps that violate privacy rules.
Some of the suspect apps aren't clear about users' privacy protections while others don't have privacy policies at all, Khadeeja Safdar and Kevin Poulsen at the Wall Street Journal report [wsj.com]. Researchers at the International Digital Accountability Council also found apps that failed to safeguard users’ location and other sensitive data, potentially exposing it to hackers.
Lawmakers recently introduced legislation that would limit data coronavirus-tracing apps can collect and potentially ban them from using it for commercial purposes.
Until those laws are passed, however, it's mostly up to Apple and Google to decide which apps to allow in their stores. And changing guidelines have led to confusion for some developers.
Google removed one contact tracing app that included paid ads allegedly profiting off the pandemic. Apple forced the company to stop taking money for ads on its version of the app.
A major British bank fears it will face economic reprisals from China if the United Kingdom bans Huawei from its 5G network.
The chairman of HSBC privately urged Prime Minister Boris Johnson not to go through with banning Huawei, the Telegraph reports [telegraph.co.uk]. British lawmakers could reach a decision as soon as this month over whether to ban Huawei from its 5G network. The lawmakers previously approved a limited role for the company but have reconsidered the decision in light of a U.S. decision to ban Huawei from using chips made with U.S. technology.
It's another example of the wide-reaching economic repercussions of the feud between the Chinese telecom giant and the United States.
The United States has long accused Huawei of providing a possible backdoor for Chinese spying, allegations that the company has denied.
The Wall Street Journal's Dan Strumpf has a detailed behind-the-scenes account [wsj.com] of Huawei's efforts to combat U.S. claims.
Securing the ballot An online voting platform that’s been used by voters in several states can be manipulated to alter votes, a new study finds.
That manipulation might not be detected by voters or election officials, according to the study [mit.edu] from researchers at the University of Michigan and M.I.T. The platform, called OmniBallot, was offered to voters with disabilities in Delaware’s primary last week and in local elections in New Jersey and it’s been used elsewhere by voters with disabilities.
The new report follows a warning from DHS and the FBI last month [washingtonpost.com] discouraging states from using “electronic ballot return technologies.”
The paper also says the company that runs OmniBallot, Democracy Live, fails to protect voters from potential ad targeting based on their voter data.
Democracy Live Chief Executive Bryan Finney defended the platform in a New York Times interview, saying online voting options are necessary to make sure people aren’t blocked from voting. “No technology is bulletproof,” he said [nytimes.com]. “But we need to be able to enfranchise the disenfranchised. ”
Chat room
Here are recommendations for how election officials can use OmniBallot's technology while mitigating risk from one of the report's lead authors, University of Michigan professor Alex Halderman:
15/ (a) Discontinue online voting. No readily available defense can adequately mitigate the risks of OmniBallot's electronic return mechanism.
— J. Alex Halderman (@jhalderm) June 8, 2020 [twitter.com]
17/ To reduce security and privacy risks for voters who do need online marking, ballots should be generated locally in the browser, using client-side code. Democracy Live already offers this option in California and some other localities.
— J. Alex Halderman (@jhalderm) June 8, 2020 [twitter.com]
20/ (e) States should also require public, independent security analysis before considering online voting systems. Without such analysis, voters and officials will be unable to accurately weigh the tradeoffs between risk and access.
— J. Alex Halderman (@jhalderm) June 8, 2020 [twitter.com]
22/ Bottom line: OmniBallot's ballot delivery and marking can be valuable tools for helping voters participate *if* officials take precautions we suggest. Online voting, however, is a severe danger to election integrity and privacy, and we urge jurisdictions not to deploy it.
— J. Alex Halderman (@jhalderm) June 8, 2020 [twitter.com]
Cyber insecurity Hackers targeted more than 100 high-ranking executives helping the German government procure protective equipment during the coronavirus pandemic.
It's unclear how many of the phishing attacks were successful, IBM X-Force researchers say [securityintelligence.com].
The ongoing campaign highlights how a scramble for supplies to battle a second wave of coronavirus could create new hacking threats, they say.
More in cyberattacks and disruptions:
Bail organizations, thrust into the national spotlight, are targeted by online trolls [nbcnews.com] The network protection firm Cloudflare wrote in a blog post this week that attacks on advocacy sites have experienced a 1,120 percent increase from the month prior. NBC NewsDaybook
- The president of Estonia, Kersti Kaljulaid, [proofpoint.com] will be participating in a webinar, “Deciding on the Rules of the Road for Cyberspace: The Who, What, Where, When, How,” [proofpoint.com] presented by the Institute for International Cyber Stability at 10 a.m. Tuesday.
- The House Administration Committee will hold a hearing [house.gov] on the impact of covid-19 on voting rights and election administration Thursday at 1 p.m.
- The House Financial Services committee will host a hearing [house.gov] on how cybercriminals are exploiting the covid-19 pandemic on June 16 and 12 p.m.
Secure log off
Footage from The Post of the Black Lives Matter protests in Washington:
