DHS Offers $40M For Top Cybersecurity Research
Trailrunner7 writes "The US Department of Homeland Security issued a call for proposals this week in a $40m program to encourage research and development in a wide range of topics related to cybersecurity: from designing more resilient software, to alternatives to passwords and CAPTCHA technology to prevent automated attacks. DHS laid out its areas of interest in a Broad Agency Announcement dated January 26. In it, the domestic security agency said it was soliciting papers and proposals centered on 14 different topic areas. At stake is $40m in federal funding for research and development, with individual grants ranging up to $3 million. DHS's areas of interest include software assurance, enterprise security metrics, usable security, as well as the challenges posed by insider threats."
[From the summary] DHS's areas of interest include software assurance, enterprise security metrics, usable security, as well as the challenges posed by insider threats.
Call me naive, but it sounds to me like DHS wants to stick around a while. Or am I still too new here?
What made you think the DHS was ever designed to be a temporary agency? It's a permanent restructuring of the government. Looks to me like they want to expand their scope--that's the "new" part.
Battlemaster--Game with friends in medieval realms
hey look over there! see that nice distraction we set up for you?
yes. it should be that obvious we are being played by our own gov. the ever-expanding powers - "but it's for your own good!"
do not ever believe a word this kind of organization says. all things must be assumed to be lies unless you know, for sure, otherwise.
governments have completely lost all our trust. we should know better (but we seem not to).
--
"It is now safe to switch off your computer."
Some more elaboration on that:
1: Technology for low-level read-only abilities, code to redirect writes somewhere else, and the ability for a device to periodically shut down, completely wipe itself and go back to factory standards.
2: If possible, flashing of a device can only be allowed physically. You stick an SD card in the device with the signed image, start the flashing process, and then press a button inside the machine to confirm this. The old ROM is saved off to a secure location, the new one is copied and verified, and only then is the new ROM flashed. As always, there is a mechanism to go back to a "1.0" ROM which is burned into the machine, if all else fails.
3: Segment and conquer. If some embedded devices need to talk to a log gathering server, put those machines on their own subnet physically separate from the Internet. Then have the logs pushed to another machine via a direct network connection over a crossover cable, or even a serial connection. This way, a blackhat is not going to be able to jump through a getty-less serial connection to do much other than look at logs.
4: Backups, backups, backups.
5: Defense in depth. A lot of companies rely on their network to provide security. However, what happens if a router blows a gasket and decides to fail to an "allow all" mode? Hosts need to have IP protection too.
6: Don't just test machines. Run social engineering pen tests. Call up people in the CEO's name and ask for enable passwords.
7: Be good at IPv6. If misconfigured, an attacker can easily grab the whole network topology of an IPv6 network (due to no need for NAT).
8: Encryption is useful, but key management is just as important.
9: Keep logs, and preferably on a server pair (where one of the servers only gets logs via a serial port, and has no network connections otherwise). Then back up logs to WORM media such as special tapes, or DVD-Rs.
10: Work on a ZTIC-like keyfob to allow for "trusted" confirmation to remote hosts. This way, even if the Web browser on a box is so hacked that it is changing data before it is displayed, there is still a secure channel. The ZTIC is secure because it is simple and hardened. Ideally combine it and the CAC.
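The update flow in item 2 above, modelled as an added example in Python (it is not code from the comment above or from any real device): a signed image arrives on the SD card, nothing happens without the physical button, the running ROM is saved before anything is written, the staged copy is verified, and a failed flash rolls back to the saved ROM or, failing that, to the burned-in factory ROM. The `Device` class, the `VENDOR_KEY` value and the `copy_fn`/`flash_ok` hooks are constructed for the demonstration; a real device would verify an asymmetric signature against a public key it holds, and the HMAC-SHA256 check here stands in for that only so the block runs on the standard library.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's signing key. A real device verifies an
# asymmetric signature with a stored public key; HMAC is used here only so the
# example runs on the standard library (assumption, not a real device design).
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_image(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce the 'signature' the SD card carries next to the image."""
    return hmac.new(key, image, hashlib.sha256).digest()


class Device:
    """Toy model of the physically confirmed, verified-then-flashed update."""

    FACTORY_ROM = b"factory-rom-1.0"  # burned in; never overwritten

    def __init__(self) -> None:
        self.active_rom = self.FACTORY_ROM
        self.saved_rom = None  # "secure location" for the previous ROM
        self.log = []

    def rollback(self) -> None:
        """Return to the saved ROM, or the factory ROM if none was saved."""
        self.active_rom = self.saved_rom if self.saved_rom is not None else self.FACTORY_ROM
        self.log.append("rolled back to %r" % self.active_rom)

    def update(self, sd_image: bytes, sd_signature: bytes, button_pressed: bool,
               copy_fn=bytes, flash_ok: bool = True) -> bool:
        # Step 1: no physical confirmation, no flashing at all.
        if not button_pressed:
            self.log.append("refused: no physical confirmation")
            return False
        # Step 2: verify the image before touching anything. compare_digest
        # avoids a timing side channel on the comparison.
        if not hmac.compare_digest(sign_image(sd_image), sd_signature):
            self.log.append("refused: signature mismatch")
            return False
        # Step 3: save the old ROM off before any write.
        self.saved_rom = self.active_rom
        # Step 4: copy to the staging area and verify the copy is intact.
        staged = copy_fn(sd_image)
        if hashlib.sha256(staged).digest() != hashlib.sha256(sd_image).digest():
            self.log.append("refused: staged copy does not match image")
            return False
        # Step 5: flash; on failure fall back to the saved ROM.
        if not flash_ok:  # simulated write error
            self.log.append("flash failed")
            self.rollback()
            return False
        self.active_rom = staged
        self.log.append("flashed %r" % staged)
        return True


def run_demo() -> list:
    """Walk one device through the refusal, success and rollback cases."""
    dev = Device()
    image = b"rom-2.0"
    sig = sign_image(image)
    dev.update(image, sig, button_pressed=False)          # refused
    dev.update(image + b"x", sig, button_pressed=True)    # tampered image
    dev.update(image, sig, button_pressed=True)           # flashed
    dev.update(b"rom-3.0", sign_image(b"rom-3.0"), True,
               copy_fn=lambda b: b[:-1])                  # corrupt copy
    dev.update(b"rom-3.0", sign_image(b"rom-3.0"), True,
               flash_ok=False)                            # rolled back to 2.0
    return dev.log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The order of the checks is the point: the signature is checked before the old ROM is saved and before anything is staged, so a bad image never costs the device a write, and the rollback target is always the ROM that was running when the update began.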
The biggest vulnerability facing modern society is the cooperation of corporation and government. Entry points include the system of lobbying and the highly paid private consultant who used to work with and can whisper the right words to people in government.
I anticipate that tackling this problem will return approx. $1 trillion over the next decade. I believe my advice is worth at least $40 million, which I am willing to share with the first 39 people to reply to this post.
Particularly since their goal is flawed to begin with.
It's not "To keep information secure from unauthorized access."
It's "To keep information secure from unauthorized access except from them."
Sleep your way to a whiter smile...date a dentist!