Slashdot Mirror


DHS Offers $40M For Top Cybersecurity Research

Trailrunner7 writes "The US Department of Homeland Security issued a call for proposals this week in a $40m program to encourage research and development in a wide range of topics related to cybersecurity: from designing more resilient software, to alternatives to passwords and CAPTCHA technology to prevent automated attacks. DHS laid out its areas of interest in a Broad Agency Announcement dated January 26. In it, the domestic security agency said it was soliciting papers and proposals centered on 14 different topic areas. At stake is $40m in federal funding for research and development, with individual grants ranging up to $3 million. DHS's areas of interest include software assurance, enterprise security metrics, usable security, as well as the challenges posed by insider threats."

33 comments

  1. Setting an anchor? by glueball · · Score: 1

    [From the summary] DHS's areas of interest include software assurance, enterprise security metrics, usable security, as well as the challenges posed by insider threats

    Call me naive but it sounds to me like DHS wants to stick around a while. Or am I still too new here?

    1. Re:Setting an anchor? by egamma · · Score: 3, Informative

      [From the summary] DHS's areas of interest include software assurance, enterprise security metrics, usable security, as well as the challenges posed by insider threats

      Call me naive but it sounds to me like DHS wants to stick around a while. Or am I still too new here?

      What made you think the DHS was ever designed to be a temporary agency? It's a permanent restructuring of the government. Looks to me like they want to expand their scope--that's the "new" part.

    2. Re:Setting an anchor? by chemicaldave · · Score: 1

      Call me naive but it sounds to me like DHS wants to stick around a while. Or am I still too new here?

      You're being naive. Considering that the only US Cabinet level department to be dropped was the Post Office, I'd say that DHS is here to stay. Then again, their goals for information security are a bit naive as well. I doubt they'll be able to hire 1000 security experts as they're trying to do.

    3. Re:Setting an anchor? by AB3A · · Score: 1

      Even if they could hire them, I'd be even more concerned with retaining them. From everything I've seen with DHS, it's not a good place to get anything done. The last thing anyone wants to do is to get on a hamster wheel.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
    4. Re:Setting an anchor? by davester666 · · Score: 2

      Particularly since their goal is flawed to begin with.

      It's not "To keep information secure from unauthorized access."

      It's "To keep information secure from unauthorized access except from them."

      --
      Sleep your way to a whiter smile...date a dentist!
    5. Re:Setting an anchor? by egcagrac0 · · Score: 1

      What, good security types don't work for $40k?

  2. more resilient software by doperative · · Score: 1

    "The U.S. Department of Homeland Security issued a call for proposals this week in a $40m program to encourage research and development in a wide range of topics related to cyber security: from designing more resilient software, to alternatives to passwords and CAPTCHA technology to prevent automated attacks"

    Run your software from read-only hardware and don't allow execution of downloaded code, the exception being scripts that run in the browser context. This is run from RAM and gets flushed at reboot. Devise an automated one-time pseudo password system for identity management. This will defeat key loggers and identity theft.

    1. Re:more resilient software by angelwolf71885 · · Score: 0

      that will be 3 million dollars please uncle SAM

    2. Re:more resilient software by mlts · · Score: 2

      Some more elaboration on that:

      1: Technology for low level read-only abilities, code to redirect writes somewhere else, and the ability for a device to periodically shut down, completely wipe itself and go back to factory standards.

      2: If possible, flashing of a device can only be allowed physically. You stick a SD card in the device with the signed image, start the flashing process, and then press a button inside the machine to confirm this. The old ROM is saved off to a secure location, the new one is copied and verified, and only then is the new ROM flashed. As always, there is a mechanism to go back to a "1.0" ROM which is burned into the machine, if all else fails.

      3: Segment and conquer. If some embedded devices need to talk to a log gathering server, put those machines on their own subnet physically separate from the Internet. Then have the logs pushed to another machine via a direct network connection over a crossover cable, or even a serial connection. This way, a blackhat is not going to be able to jump through a getty-less serial connection to do much other than look at logs.

      4: Backups, backups, backups.

      5: Defense in depth. A lot of companies rely on their network to provide security. However, what happens if a router blows a gasket and decides to fail to an "allow all" mode? Hosts need to have IP protection too.

      6: Don't just test machines. Run social engineering pen tests. Call up people in the CEO's name and ask for enable passwords.

      7: Be good at IPv6. If misconfigured, an attacker can easily grab the whole network topology of an IPv6 network (due to no need for NAT).

      8: Encryption is useful, but key management is just as important.

      9: Keep logs, and preferably on a server pair (where one of the servers only gets logs via a serial port, and no network connections otherwise.) Then back up logs to WORM media such as special tapes, or DVD-Rs.

      10: Work on a ZTIC-like keyfob to allow for "trusted" confirmation to remote hosts. This way, even if the Web browser on a box is so hacked that it is changing data before it is displayed, there is still a secure channel. The ZTIC is secure because it is simple and hardened. Ideally combine it and the CAC.

    3. Re:more resilient software by rtb61 · · Score: 1

      You missed the most important one. Parallel networks, an inside secured hard wired network and an external at risk network.

      The internal secured network does not connect to the internet; any external connections are hard wired and all portable data device transfers are only done at secured monitored locations (upload or download).

      The external network that provides access to the internet simply should not have access to any secured data, just regular communications. Transfer of data from internal to external should require manual intervention and only be done at secured and monitored locations.

      The big driver in the digital age for security, oddly enough is to slow down the illicit transfer of data. Sure they can print out a hard copy, but they can't readily print out and walk off with 250,000 documents without getting caught.

      If it is meant to be secure, and it absolutely positively doesn't need to be connected to the internet, then don't connect it to the internet. So that is another big step in security: auditing security and kicking every desk, every work station, every server, off the internet if it shouldn't be on it. It is stupid to save a thousand dollars a year by connecting a device to the internet only to spend a thousand dollars a year trying to secure it and risking a million dollars when security eventually fails.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:more resilient software by mlts · · Score: 1

      Bingo. Essentially private companies need a "BIPRnet", similar to NIPRnet or SIPRnet. This would be for B2B communications (bank to credit card company, business to bank.)

      There are ways to make data accessible, but without allowing it to sit on a remote device. Heck, it could be a front-end that uses a serial protocol. The security engineering would be between the application and the server, showing a view of the data, but not allowing it to remain on a device, and this can get hairy, especially with the ease of keeping screenshots and movies (FRAPS-like utilities.)

      It might take a complete re-engineering from the ground up of devices with a hypervisor... this way, the "normal" OS and apps sit in a VM, while the "trusted" part (which is essentially a graphical dumb terminal) would set up connections using preshared secrets [1], then allow the user to log in.

      There is a balance between keeping everything on the mainframe and using 3270 terminals versus having it replaced to every smartphone in a company. Air-gapping is a viable security solution, and it would be nice if OS makers would make it easier to do this. This way, a machine can be configured as "no, it won't have an Internet connection, ever", and it would provide an alternate mechanism for updates (ISO images).

      [1]: I'd propose the same Diffie-Hellman exchange as in SSL, except the session key would be combined with a stored secret key (XOR works, perhaps encrypting the session key with the secret key, perhaps SHA-256-ing both keys joined together, etc.) This way, even if RSA encryption is completely broken, the preshared secret keeps the communications secure. If the preshared key is divulged (endpoint is compromised), the RSA key exchange keeps the session key from being gleaned, assuming a cryptographically secure PRNG.
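The key-combination scheme sketched in note [1] (an ephemeral Diffie-Hellman secret folded together with a stored preshared secret so that neither a broken key exchange nor a leaked PSK alone exposes the session key) is illustrated below. This is an added example written for this page, not code from the commenter or any project. It uses a toy finite-field group (the Mersenne prime 2**521 - 1 with generator 5, constructed here for illustration rather than a standardised group), a constructed PSK, and takes the comment's "SHA-256 both keys joined together" option in the form of an HMAC-SHA256 keyed by the PSK; binding the handshake transcript into the derivation is an addition beyond the comment.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example only:
# P is the Mersenne prime 2**521 - 1 and G = 5. A real deployment would use
# a standardised finite-field group or an elliptic-curve exchange instead.
P = 2**521 - 1
G = 5
P_BYTES = (P.bit_length() + 7) // 8

# Preshared secret, constructed for the example. In practice it is provisioned
# out of band and kept in tamper-resistant storage on each endpoint.
PSK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def dh_keypair():
    """Ephemeral DH key pair: a fresh private exponent and its public value."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P - 2
    return priv, pow(G, priv, P)


def encode(n):
    """Fixed-width big-endian encoding so both peers hash identical bytes."""
    return n.to_bytes(P_BYTES, "big")


def dh_shared(priv, peer_pub):
    """Raw DH shared secret g^(ab) mod p, as bytes."""
    return encode(pow(peer_pub, priv, P))


def combine_keys(dh_secret, psk, transcript):
    """Session key = HMAC-SHA256(psk, label || dh_secret || transcript).

    The PSK is the HMAC key and the DH secret is part of the message, so an
    attacker needs both inputs to reproduce the output. The transcript (both
    public values) ties the key to this particular exchange.
    """
    msg = b"psk-dh-session-key" + dh_secret + transcript
    return hmac.new(psk, msg, hashlib.sha256).digest()


def handshake(psk_a, psk_b):
    """Run one exchange and return (key derived by A, key derived by B).

    The two keys match only when both peers hold the same PSK.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    transcript = encode(a_pub) + encode(b_pub)
    key_a = combine_keys(dh_shared(a_priv, b_pub), psk_a, transcript)
    key_b = combine_keys(dh_shared(b_priv, a_pub), psk_b, transcript)
    return key_a, key_b


def attacker_can_derive(real_key, dh_secret, psk, transcript):
    """True if the supplied pieces reproduce the real session key.

    Used to check the two failure modes from the comment: an attacker who
    recovered the DH secret but lacks the PSK, and one who stole the PSK
    but not the DH secret, should both fail.
    """
    guess = combine_keys(dh_secret, psk, transcript)
    return hmac.compare_digest(guess, real_key)


if __name__ == "__main__":
    k_a, k_b = handshake(PSK, PSK)
    print("peers agree:", k_a == k_b)
    print("session key:", k_a.hex())
```

The comment also offers plain XOR of the two secrets; that is sound only when both inputs are uniformly random and of equal length, conditions a raw DH value (a number mod p, not a uniform byte string) does not meet. A keyed hash has no such requirement and gives a fixed-length key regardless of the group size.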

    5. Re:more resilient software by Anonymous Coward · · Score: 0

      "Run your software from read-only hardware..."

      Only problem is you then have to replace your hardware every time you want to fix a bug.

      "and don't allow execution of downloaded code"

      Your system is still vulnerable to attacks from other sources -- insider, network attacks, etc.

      These are useful ideas that can be applied in certain cases, but a real solution will be far more complicated. DHS is trying to improve security for a very broad group of devices, users, and environments, so they'll have many different things to work on.

    6. Re:more resilient software by rtb61 · · Score: 1

      Simpler to provide 2 (technically 3 including smartphone) computers at each desk: a smart terminal and a netbook. Netbooks are getting cheaper all the time and a 12-inch screen will do most 'communication' apps really well.

      Let the employees 'play' (it's inevitable) without any harm to the secured system, and even allow the communications network to be a provision of service to the employee as part of conditions of employment rather than a company communications channel, shifting all legal liability for communications back to the employee.

      Still need to scan the netbook whilst connected for illicit company data or unsafe applications etc., but games and other crap would be OK (give the employees some space to improve employee well-being).

      --
      Chaos - everything, everywhere, everywhen
  3. Nothing about developing "better" wiretapping tech by Fibe-Piper · · Score: 1

    Everything in the article points to a responsible DHS and not a power hungry paranoia machine.

    What gives?

    --
    I went to battle M.C. Escher, but drew a blank.
  4. Re:Nothing about developing "better" wiretapping t by TheGratefulNet · · Score: 3, Interesting

    hey look over there! see that nice distraction we set up for you?

    yes. it should be that obvious we are being played by our own gov. the ever expanding powers - "but it's for your own good!"

    do not ever believe a word this kind of organization says. all things must be assumed to be lies unless you know, for sure, otherwise.

    governments have completely lost all our trust. we should know better (but we seem not to).

    --
    "It is now safe to switch off your computer."
  5. Greater security and shorter lines at the airport by Anonymous Coward · · Score: 0

    How about this?

    Each time I log into southwest.com, someone from DHS comes to my house and gives me the hand job right then and there? Greater security and shorter lines at the airport.

    Where do I collect my $40 million?

  6. Re:Nothing about developing "better" wiretapping t by jank1887 · · Score: 1

    "oh, look, a decoy!"

  7. Re:Nothing about developing "better" wiretapping t by ThatOtherGuy435 · · Score: 1

    Decoy, whatever. They need kittens. That'd distract me.

  8. another smartass response by FuckingNickName · · Score: 3, Insightful

    The biggest vulnerability facing modern society is the cooperation of corporation and government. Entry points include the system of lobbying and the highly paid private consultant who used to work with and can whisper the right words to people in government.

    I anticipate that tackling this problem will return approx. $1 trillion over the next decade. I believe my advice is worth at least $40 million, which I am willing to share with the first 39 people to reply to this post.

    1. Re:another smartass response by royallthefourth · · Score: 1

      Entry points include the system of lobbying and the highly paid private consultant who used to work with and can whisper the right words to people in government.

      One of the most important entry points is right in the summary: the DHS is hiring big contracting companies to do this job instead of hiring some people and carrying it out themselves. Not at all unusual, but quite poisonous in my opinion.

    2. Re:another smartass response by nog_lorp · · Score: 1

      HR is in the stone ages, so they can't figure out how to hire good people.

    3. Re:another smartass response by Anonymous Coward · · Score: 0

      Maybe they don't want to hire individual people at all?

  9. Re:Nothing about developing "better" wiretapping t by Fibe-Piper · · Score: 1

    Great idea you gave me there.

    I'm off to pitch the Cheezeburger Network on a new app for the DHS

    http://icanhascheezburger.com

    --
    I went to battle M.C. Escher, but drew a blank.
  10. I for one... by Anonymous Coward · · Score: 0

    I for one am looking forward to a well researched, viable alternative to Captcha (as an example). I'd also like to see a more hardened version of Windows (as another). If I get all this at the American taxpayer's expense instead of my own, ever more burdening taxes, well then all the better. If it all happens at the expense of US society, well, that's collateral damage and we'll weigh that up as we go.

  11. Call in TSA by qbast · · Score: 1

    Every packet should be fondled by a TSA agent. Also disallow carrying any sharp or explosive bits in the payload. The Internet will finally be safe!

    1. Re:Call in TSA by Anonymous Coward · · Score: 0

      They already fondle our packages; why not packets too?

  12. Re:Nothing about developing "better" wiretapping t by RazzleFrog · · Score: 1

    When was a government ever trustworthy? I'm pretty sure it's a built-in quality. The thing is to hope that yours is less corrupt than others.

  13. How about changing default SCADA system passwords? by Anonymous Coward · · Score: 0

    Seriously, many SCADA systems make it extremely difficult if not downright impossible to change default passwords. So you end up with a hard (hopefully) exterior that is firewalled/etc. and a soft chewy center (which can often be reached due to unauthorized dial up ports, sending a malicious email to someone that reads email from an internal workstation improperly (assuming this has even been restricted), etc.).

  14. Got to be kidding me. by Anonymous Coward · · Score: 0

    What's wrong, DHS can't do a proper job? Need to offer a prize, so someone else can do your job for you? Tax dollars [not] at work.

    1. Re:Got to be kidding me. by Beezlebub33 · · Score: 1

      That doesn't make any sense. Government is not designed to ramp up a large number of workers in a technical area, especially if you want them to be leading edge or research positions. The government is better equipped to evaluate proposals and give contracts to contractors to do the real work. It's been that way for a while and it's a good thing. Government people are next to impossible to get rid of; contractors can be fired, or if that's too hard, you don't renew their contract.

      A major problem is the overly cozy relationship between the very large contractors and the government people handling the contracts. But, it works pretty well when the contracts go to small to medium size, aggressive companies.

      --
      The more people I meet, the better I like my dog.
  15. DHS RFP for cybersecurity by Anonymous Coward · · Score: 0

    Undoubtedly, and I am willing to bet, this RFP will be awarded to one of the giant defense contractors (Lockheed-Martin, IBM, etc.) where DHS (read: we taxpayers) will receive very little value and outdated results. The talent instead resides in the Open Source independent thinkers "outside the box" who will never be associated with a dinosaur corporation. I have seen this pattern over and over again in RFPs of the Dept of Defense, etc.
    DHS, think outside the box or request help from DARPA!

  16. Fuuuuu... by nog_lorp · · Score: 1

    40Mil? Chump change relative to the importance of the issues at hand. We can spend a billion dollars a year buying Egypt tear gas to use on its citizens and shit.

  17. Publicity stunt. by Anonymous Coward · · Score: 0

    I've tried to contact various government agencies over the years about "cyber" security jobs. I have yet to get a clear answer from them on who to talk to, the exact requirements, pay, etc. How can I take them seriously when they're claiming to be on the cutting edge of security but can't even manage to get a working public-facing website and personnel to answer e-mail efficiently and timely?

    So of course they're going to hire a contract house to do it... because they can't figure out how to organize themselves. If you want my advice -- it doesn't matter who you hire if your chain of command is f---ed because you won't be able to respond to a threat in a timely fashion and nobody will want to take responsibility or their own initiative because it's not just toes getting stepped on if they do, but jail time (unlike in the private sector, where you might get either dinner from your boss, or a written warning, depending on who finds out and when).