When it comes to protecting the federal government from cyberattacks, simplicity is not that simple.

That was the underlying message Monday during multiple panels at RSA Public Sector conference in San Francisco, where government cybersecurity experts and the federal contractors that carry out the government’s cybersecurity operations discussed why things are currently complicated and what it will take to make things easier.

The government’s ongoing embrace of the cloud is helping move things in the right direction, but because agencies often follow a hybrid cloud model, watching over a government enterprise is still a highly complex task. Kevin Cox, the program manager for the Department of Homeland Security’s Continuous Diagnostics and Monitoring program, said Monday that it’s a challenge to ascertain exactly how each agency has its enterprise configured.

“From our perspective, CDM is working with civilian agencies to have a foundation in place to have the proper visibility on [on-premise data centers]. Yet, we are looking to support the agencies beyond into the cloud,” he said. “At the end of the day, we want to make sure the agencies have a comprehensive understanding where all of their data is, what their architecture looks like and how it connects back to the users, but supports the visibility for new technologies.”

Yet that architecture is often what causes problems, according to Steve Harris, senior vice president and general manager of federal at Dell EMC. He told CyberScoop that he’s still seeing security systems bolted on top of older security systems, which are then attached to bigger IT systems, making things nearly impossible to use for agency employees. He believes a holistically different approach would help simplify the issues he sees inside the government.

“When we actually treat the infrastructure as a platform, it allows customers to greatly simplify their development and the way the build software,” Harris told CyberScoop. “When you start building software in that way, it greatly reduces bad actors’ ability to attack you. What we’re accomplishing is taking what were many silos or products, and we’re integrating them together into a platform approach, which is eminently more defendable and securable.”

Yet even if the tech is modernized, the entire employee base still must understand the cybersecurity mission. Chris Novak, global director of Verizon’s threat research advisory center, says the technical people often get caught up in their own language and don’t grasp the true implications that IT vulnerabilities present to an enterprise.

“The challenge we often see is the folks who need to hear and understand threats don’t understand the CVE numbers and what that actually means,” Novak said. “They hear about Heartbleed and WannaCry and then ask ‘Is that good or is that bad?’ Over the last couple of years, we’ve changed the way we have conversations with our customers and say ‘If you were to talk this to the C-suite or the board, they want to know what’s the risk to business.’ ”

In order to bridge the communication gap, agencies are relying more on training non-technical people on cybersecurity than training the cyber experts on how to communicate with the rest of the enterprise.

“It is much easier to take an OT expert and make them smart on cybersecurity and then bring that back to their environment, as opposed to the length of time it would take to bring someone from an IT environment and come up with highly sophisticated types of ways of looking at [how to communicate],” said Jennifer Silk, a senior adviser for cybersecurity at the Department of Energy.

Most agreed however, that one of the biggest tools in simplifying the way that agencies think about cybersecurity is the NIST cybersecurity framework, which has long been considered a watershed document when it comes to the way enterprises construct their security methods.

“I had the opportunity to visit the cyber works at the Air Force — they are really using the cybersecurity framework language to describe the work they do, all the way down to training,” said Troy Taitano, chief of the cyber modernization office at the National Reconnaissance Office, a Department of Defense agency. “To sell that to leadership in D.C. is really important.”

The post The government’s struggle to simplify its cybersecurity appeared first on FedScoop.

The Cybersecurity and Infrastructure Protection Agency Act of 2016 changes NPPD to the Cybersecurity and Information Protection Agency, run by a director of national cybersecurity who would oversee four divisions dedicated to cybersecurity and critical infrastructure protection policy and operations for the DHS.

“This measure realigns and streamlines the department’s cybersecurity and infrastructure protection missions to more effectively protect the American public against cyberattacks that could cripple the nation,” Rep. Mike McCaul, R-Texas, said during Wednesday’s markup hearing.

The four divisions — Cybersecurity, Infrastructure Protection, Emergency Communications and Federal Protective Service — would all have their own deputy directors to oversee the programs. The director of national cybersecurity would be a new position, but the bill directs that the position can be filled by “an undersecretary responsible for overseeing critical infrastructure protection, cybersecurity and any other related program.” Suzanne Spaulding currently sits in that position as NPPD under secretary.

The bill would also codify the Office of Biometric Identity Management, which helps federal, state and local governments accurately identify people, supplies the technology for collecting and storing biometric data, and provides additional analysis.

That office was created in March 2013 from the department’s United States Visitor and Immigration Status Indicator Technology program.

FedScoop reached out to Rep. McCaul’s office as well as House leadership on the future of the bill.

You can read the full bill on the committee’s website.

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.

The post House committee passes bill to reorganize DHS cyber office appeared first on FedScoop.

The Columbia, Maryland-based company hired Darron Makrokanis, formerly a senior business development executive and program manager for Splunk, to lead its new federal sales division. Prior to Splunk, Makrokanis worked at Booz Allen Hamilton where he managed the consultancy giant’s business development efforts for various U.S. government organizations, including the departments of Homeland Security and Defense.

“Tenable is a great company with a long history providing the DoD and the full range of federal agencies with security solutions that help protect the nation’s most critical networks,” Makrokanis said in a release. “I look forward to expanding and further strengthening the relationships with our FSIs and channel partners to enable the federal community to deliver on its security promises.”

The majority of Tenable’s customers are on the commercial side, using its software to continuously monitor various access points on an enterprise’s network. It offers a dashboard that can be used with the National Institute of Standards and Technology’s cybersecurity framework, allowing security analysts to determine their level of compliance in real time.

Tenable is a subcontractor for Hewlett-Packard Enterprise on the Palo Alto, California-based company’s seven-year, $39.8 contract with the Defense Information Systems Agency’s Assured Compliance Assessment Solution, an enterprisewide compliance solution for DOD. The company’s vulnerability scanners are also listed in DHS’ catalog for phase of of its continuous diagnostics and mitigation program.

“As the U.S. federal government heightens cybersecurity efforts under the Cybersecurity National Action Plan, our federal teams will be working alongside our customers to solve some of their biggest security challenges,” Mike Kirby, Tenable’s senior vice president of worldwide sales, said in a statement. “With impressive depth and breadth of experience within the defense, intelligence and law enforcement communities, Darron will lead Tenable’s federal expansion and help our customers defend complex networks against the cyber threats of today and tomorrow.”

According to business intelligence platform Govini, Tenable’s products have been a part of 418 federal contracts since 2001, worth a total $30.5 million. The company earned nearly a quarter of that total ($7.5 million) in the last 12 months.

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.

The post Tenable Network Security expanding its reach into federal market appeared first on FedScoop.

The FBI’s Request

In a search after the shooting, the FBI discovered an iPhone used by one of the attackers. The iPhone is the property of the San Bernardino County Department of Public Health where the attacker worked and the FBI has permission to search it. However, the FBI has been unable, so far, to guess the passcode to unlock it. In iOS devices, nearly all important files are encrypted with a combination of the phone passcode and a hardware key embedded in the device at manufacture time. If the FBI cannot guess the phone passcode, then they cannot recover any of the messages or photos from the phone.

There are a number of obstacles that stand in the way of guessing the passcode to an iPhone:

• iOS may completely wipe the user’s data after too many incorrect PINs entries
• PINs must be entered by hand on the physical device, one at a time
• iOS introduces a delay after every incorrect PIN entry

As a result, the FBI has made a request for technical assistance through a court order to Apple. As one might guess, their requests target each one of the above pain points. In their request, they have asked for the following:

• “[Apple] will bypass or disable the auto-erase function whether or not it has been enabled;
• [Apple] will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE; and
• [Apple] will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.”

In plain English, the FBI wants to ensure that it can make an unlimited number of PIN guesses, that it can make them as fast as the hardware will allow, and that they won’t have to pay an intern to hunch over the phone and type PIN codes one at a time for the next 20 years — they want to guess passcodes from an external device like a laptop or other peripheral.

As a remedy, the FBI has asked for Apple to perform the following actions on their behalf:

“[Provide] the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File (SIF) that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory (RAM) and will not modify the iOS on the actual phone, the user data partition or system partition on the device’s flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade (DFU) mode, recovery mode, or other applicable mode available to the FBI. Once active on the SUBJECT DEVICE, the SIF will accomplish the three functions specified in paragraph 2. The SIF will be loaded on the SUBJECT DEVICE at either a government facility, or alternatively, at an Apple facility; if the latter, Apple shall provide the government with remote access to the SUBJECT DEVICE through a computer allowed the government to conduct passcode recovery analysis.”

Again in plain English, the FBI wants Apple to create a special version of iOS that only works on the one iPhone they have recovered. This customized version of iOS (*ahem* FBiOS) will ignore passcode entry delays, will not erase the device after any number of incorrect attempts, and will allow the FBI to hook up an external device to facilitate guessing the passcode. The FBI will send Apple the recovered iPhone so that this customized version of iOS never physically leaves the Apple campus.

As many jailbreakers know, firmware can be loaded via Device Firmware Upgrade (DFU) Mode.

Once an iPhone enters DFU mode, it will accept a new firmware image over a USB cable. Before any firmware image is loaded by an iPhone, the device first checks whether the firmware has a valid signature from Apple. This signature check is why the FBI cannot load new software onto an iPhone on their own — the FBI does not have the secret keys that Apple uses to sign firmware.

Enter the Secure Enclave

Even with a customized version of iOS, the FBI has another obstacle in their path: the Secure Enclave (SE). The Secure Enclave is a separate computer inside the iPhone that brokers access to encryption keys for services like the Data Protection API (aka file encryption), Apple Pay, Keychain Services, and our Tidas authentication product. All devices with TouchID (or any devices with A7 or later A-series processors) have a Secure Enclave.When you enter a passcode on your iOS device, this passcode is “tangled” with a key embedded in the SE to unlock the phone. Think of this like the 2-key system used to launch a nuclear weapon: the passcode alone gets you nowhere. Therefore, you must cooperate with the SE to break the encryption. The SE keeps its own counter of incorrect passcode attempts and gets slower and slower at responding with each failed attempt, all the way up to 1 hour between requests. There is nothing that iOS can do about the SE: it is a separate computer outside of the iOS operating system that shares the same hardware enclosure as your phone.

The Hardware Key is stored in the Secure Enclave in A7 and newer devices. (Apple)

As a result, even a customized version of iOS cannot influence the behavior of the Secure Enclave. It will delay passcode attempts whether or not that feature is turned on in iOS. Private keys cannot be read out of the Secure Enclave, ever, so the only choice you have is to play by its rules.

Passcode delays are enforced by the Secure Enclave in A7 and newer devices. (Apple)

At this point you might ask, “Why not simply update the firmware of the Secure Enclave too? That way, Apple could disable the protections in iOS and the Secure Enclave at the same time.”Although it is not described in Apple iOS Security Guide, it is believed that updates to the Secure Enclave wipe all existing keys stored within it. An update to the Secure Enclave is therefore equivalent to erasing the device. I initially speculated that the private data stored within the SE was erased on update but I now believe this is not true. After all, Apple has updated the SE with increased delays between passcode attempts and no phones were wiped. In all honesty, only Apple knows the exact details.

Apple has gone to great lengths to ensure the integrity of the Secure Enclave. Many consumers are familiar with some of these efforts after 3rd party replacement or tampering with the TouchID sensor produces an “Error 53.” Whether or not the Secure Enclave wipes its keys after an upgrade, the presence of one vastly complicates passcode recovery.

For more information about the Secure Enclave and Passcodes, see pages 7 and 12 of the iOS Security Guide.

The Devil is in the Details

At this point it is very important to mention that the recovered iPhone is a 5C. The 5C model iPhone lacks TouchID and, therefore, lacks the single most important security feature produced by Apple: the Secure Enclave.

If the San Bernardino gunmen had used an iPhone with the Secure Enclave, then there is little to nothing that Apple or the FBI could have done to guess the passcode. However, since the iPhone 5C lacks a Secure Enclave, nearly all of the passcode protections are implemented in software by the iOS operating system and, therefore, replaceable by a firmware update.

In these older devices, there are still caveats and a customized version of iOS will not immediately yield access to the phone passcode. Devices with A6 processors, such as the iPhone 5C, also contain a hardware key that cannot ever be read and also “tangle” this hardware key with the phone passcode. However, there is nothing stopping iOS from querying this hardware key as fast as it can. Without the Secure Enclave to play gatekeeper, this means iOS can guess one passcode every 80ms.

Even though this 80ms limit is not ideal, it is a massive improvement from guessing only one passcode per hour with the Secure Enclave. If the recovered iPhone has a 4-digit PIN, this speedup will result in recovery of the PIN within a half hour. If the recovered iPhone has an alphanumeric password, then it is unlikely this speedup will be enough for the FBI to correctly guess it. It has not been reported whether the recovered iPhone uses a 4-digit PIN or a longer, more complicated alphanumeric passcode.

Festina Lente (More haste, less speed)

Apple has allegedly cooperated with law enforcement in the past by using a custom firmware image that bypassed the passcode lock screen. This simple UI hack was sufficient in earlier versions of iOS since most files were unencrypted. However, since iOS 8, it has become the default for nearly all applications to encrypt their data with a combination of the phone passcode and the hardware key. This change necessitates guessing the passcode and has led directly to this request for technical assistance from the FBI.

I believe it is technically feasible for Apple to comply with all of the FBI’s requests in this case. On the iPhone 5C, the passcode delay and device erasure are implemented in software and Apple can add support for peripheral devices that facilitate PIN code entry. In order to limit the risk of abuse, Apple can lock the customized version of iOS to only work on the specific recovered iPhone and perform all recovery on their own, without sharing the firmware image with the FBI.

Update: Apple has issued a public response to the court order.

Dan Guido leads the strategic vision for Trail of Bits products and services and manages its day-to-day operations. In addition to his professional work, Dan is a Hacker in Residence at NYU-Poly where he oversees student research and teaches classes in Application Security and Vulnerability Analysis.

The post How Apple can help the FBI appeared first on FedScoop.

A blog post from Finland-based cybersecurity firm F-Secure shows how some unidentified group is sending out LinkedIn invitations to infosec professionals. After a number of researchers at F-Secure received requests, they decided to investigate.

Yonathan Klijnsma, a researcher at Netherlands-based Fox-IT, also received messages from the group and chronicled them in a number of tweets.

F-Secure found that the images used by the group on LinkedIn were taken from other LinkedIn profiles or Instagram accounts. The “company” also uses a logo that was stolen from a different site.

The researchers haven’t found any sort of malicious activity tied to the group, but the information they did uncover was enough to raise a few red flags.

Read F-Secure’s blog for more.

The post Shady LinkedIn group targeting infosec professionals appeared first on FedScoop.

Content delivery network company Akamai issued a warning Wednesday that it had been monitoring an attack on one of its customers on May 16. Hackers used Routing Information Protocol version one, known as RIPv1, to launch a DDoS reflection attack. RIPv1, published in 1988, offers a way of transferring data inside small networks based on how servers talk to one another.

In an email to FedScoop, Jose Arteaga, senior security researcher for Akamai’s Prolexic Security Engineering and Research team, explained how this attack works:

“It would be like sending a letter to someone that they must respond to, but instead of using your own address as the return, you put someone else’s,” he wrote. “So imagine the letter is sent to thousands of different people, but the return address is always the same person. The thousands of people receiving the letter are like the RIPv1 reflector being abused, the person in the return address would be the target of the attack.”

Internet service providers are still deploying outdated equipment that use the old protocol, exposing vulnerabilities that malicious actors can exploit.

According to Akamai, the attack peaked at 12.8 gigabits per second at 3.2 million packets per second, which is a lower-sized attack. However, Arteaga said any organization or residence can be targeted by this attack as long as the protocol vulnerability remains open.

Akamai suggests switching to RIPv2 or using an access control list to restrict source port 520 from connecting to the Internet to avoid being used in further attacks.

Read Akamai’s full threat advisory, which provides the technical details, below.

The post Akamai: Old routing protocol being exploited for DDoS attacks appeared first on FedScoop.

Join Judson Walker, Brocade’s systems engineering director, and other senior agency officials and IT innovators on June 17 in Washington, D.C., as they share insights on top IT priorities.

The post Brocade’s Judson Walker on the Federal Forum’s Tech Track appeared first on FedScoop.

Join Anthony Robbins, Brocade’s federal vice president, and other senior agency officials and IT innovators on June 17 in Washington, D.C., as they share insights on top IT priorities.

The post Brocade’s Anthony Robbins on the ‘New IP’ appeared first on FedScoop.

Join Tony Celeste, Brocade’s director of federal sales, and other senior agency officials and IT innovators on June 17 in Washington, D.C., as they share insights on top IT priorities.

The post Brocade’s Tony Celeste on network innovation appeared first on FedScoop.

The Energy Department announced a $200 million contract Thursday to fund the world’s most powerful supercomputer to date.

Under the department’s Collaboration of Oak Ridge, Argonne and Lawrence Livermore National Laboratories, or CORAL, Intel Corp. will build a next-generation supercomputer, known as Aurora, that will be 18 times faster than its predecessor.

Aurora will be located at Argonne National Laboratory outside Chicago and commissioned in 2018. The Energy Department expects the supercomputer, which will operate at a peak of 180 petaflops (1 petaflop equals 1 quadrillion floating point operations per second), will help with research dedicated to materials science, transportation efficiency and renewable energy.

“Argonne National Laboratory’s announcement of the Aurora supercomputer will advance low-carbon energy technologies and our fundamental understanding of the universe, while maintaining United States’ global leadership in high performance computing,” Energy Department Undersecretary for Science and Energy Lynn Orr said in a press release. “This machine – part of the Department of Energy’s CORAL initiative – will put the United States one step closer to exascale computing.”

Under CORAL, the Energy Department has spent $525 million on next-gen supercomputers. In November, the department announced new supercomputers would be built at its Oak Ridge and Lawrence Livermore national laboratories.

Intel has hired Cray Inc. as a subcontractor for the project to build Aurora on its next-generation Shasta computer. The Shasta system architecture will support multiple infrastructures and software environments, allowing for broad configuration options and future iterations of Intel processors and high-speed interconnection technology.

A comparison of specifications between the Energy Department’s Mira supercomputer and the forthcoming Aurora supercomputer. (Intel)

Intel and Cray will also deliver a second system in 2016 called Theta that will serve as a transition system between Argonne’s current system, Mira, and Aurora’s launch in 2018. Theta will provide performance of 8.5 petaflops while requiring only 1.7 megawatts of power.

“We take great pride in building powerful supercomputers for advancing scientific discovery, and through our collaboration with Intel and Argonne, we expect the Aurora system will provide the DOE user community with the most powerful supercomputer we will have ever built,” said Peter Ungaro, president and CEO of Cray, in a release.

While Aurora may lead the world in supercomputing power once it goes live, the Energy Department is not resting on its laurels. It was also announced Thursday that $10 million has been awarded to four companies — AMD, Cray, IBM and Intel — through the department’s high-performance computing research and develop program, DesignForward. While the machines coming out of the CORAL program will be five to seven times more powerful than their predecessors, Orr said the companies involved with DesignForward are being tasked with finding ways to make supercomputers 20 to 40 times more powerful than what is currently available.

“These investments are really important because the applications for high-performance computing are extremely important to the nation’s goals of scientific discovery and national security and positioning the nation for sustained technical leadership,” Orr said.

To find out more about Aurora, check out the interactive graphic below or visit Argonne National Laboratory’s website.

The post Meet Aurora: The most powerful supercomputer appeared first on FedScoop.