DARPA’s quest for the (almost) unhackable

Illustration: Si Weon Kim

Welcome to Changelog by README! I’m your host, Blake Sobczak. Every Sunday, I’ll deliver cybersecurity news and analysis to your inbox, provided the internet hasn’t gone down in flames. Think of me as your guide through a thicket of vulnerabilities, cyberthreats and all the ups and downs of our hackable world. As managing editor of README, published by Synack, I’ll bring you fresh, diverse perspectives from across the global hacking community.

The payload 

Could we ever build an unhackable computer? Probably not. But what about one with hardware systems that are immune to common memory or cryptographic errors? We’d all be a lot safer, right? If fundamental hardware like my laptop processor was impervious to software-based cyberattacks, it could upend the endless cycle of breach, patch, repeat.

That’s the kind of moonshot goal that gets the attention of researchers at DARPA, the Pentagon offshoot best known for inventing the precursor to the modern internet. So, in keeping with its tradition of taking on hard problems, it launched an initiative five years ago aimed at designing secure computing architecture capable of wiping out entire categories of software vulnerabilities. The program drew the likes of Lockheed Martin, MIT, the University of Cambridge and the University of Michigan, among others.

These R&D heavyweights developed prototypes with solid-sounding names like “Sanctum,” “Morpheus,” and “HARD.” Hacking into them would be, well, hard. But in July 2020, DARPA invited about 580 cybersecurity experts to do just that, including Malcolm Stagg, a Texas-based security researcher with a taste for taking on tough DARPA challenges.

Now, for the first time, Stagg reveals how he owned two secure hardware setups as part of a DARPA bug bounty program to test the limits of the secure prototypes. For README, he details that adventure in hacking. Even though he and other researchers found some problems with the prototypes, the idea is to make the next iterations more robust and hardened against attacks. And who knows — maybe we’ll get closer to that mythic unhackable computer.

The week, compiled 

It was a busy week for cyber policy, with the Biden administration releasing a long-awaited federal memo on zero-trust architecture and separately unveiling a 100-day action plan to shore up water utilities’ defenses.

The water sector cybersecurity initiative comes less than a year after a malicious hacker unsuccessfully tried to poison a Florida town’s water supply, and follows similar White House efforts focused on the electric and pipeline industries. I’m not convinced it will keep water and wastewater companies out of hacking hot water: A 2018 pipeline security initiative drew in the Cybersecurity and Infrastructure Security Agency, the Department of Energy and the Transportation Security Administration — but it didn’t stop Colonial Pipeline from crashing into a ransomware crisis less than three years later. Of course, there will be cyber laggards and overachievers in any industry. But breaches hit different when they disrupt water, electricity or fuel supplies, so the stakes are high for the latest White House push. We’ll have to wait and see how far EPA, CISA and private water utilities can go in 100 days.

Here’s what we’re reading:

The New York Times Magazine: The FBI paid Israel-based spyware developer NSO Group about $5 million for access to its notorious Pegasus phone hacking system and shopped around for another sketchy NSO offering called Phantom. The law enforcement agency opted against using NSO’s spying tools.

American University data scientists say they are developing a new, more trustworthy AI tool to weed out misinformation. A protester is shown waving a flag with the logo of conspiracy theory site InfoWars. Anthony Crider/Flickr

README: American University researchers are turning to old-school statistics to scrub misinformation from social media platforms, leaving behind the “black box” baggage that comes with complex machine learning tools whose inner workings can’t be explained.

Wired: Hackers in Belarus announced last week that they breached the authoritarian country’s railway system in what may mark the first case of ransomware used in a politically motivated cyberattack. There’s a big asterisk, though: Genuine as the pro-democracy Belarusian Cyber-Partisans may seem, some cybersecurity researchers have pointed out that “hacktivist” operations have a history of turning out to be state-sponsored. With Russia amassing troops along Ukraine’s border with Belarus, there’s no shortage of nation-state suspects.

The Register: The UK government is moving toward creating a registry of cybersecurity professionals, forcing them to meet baseline “competence and ethical requirements” or risk being B listed for job opportunities. It’s all part of a new UK National Cyber Strategy.

Zero Day: The destructive WhisperGate malware discovered targeting Ukrainian government agencies this month recycled code from the WhiteBlackCrypt “fake ransomware” strain that struck Russian victims last year. The overlap may have been a convoluted attempt to pin the WhisperGate attacks on Ukraine.

Flash memory

Eight years ago, retail giant Target Corp. disclosed that hackers compromised a third-party vendor to steal debit and credit card information from tens of millions of U.S. shoppers. (The breach itself took place in December 2013.) Cybersecurity journalist Brian Krebs first reported the name of the, ahem, targeted company: Fazio Mechanical Services, a small Pennsylvania HVAC contractor that suddenly found itself at the center of one of the biggest hacks in U.S. history. The case offered a harbinger of supply chain cybersecurity woes to come. Hackers have since made a habit of using less-secure contractors and vendors as a means to an end, compromising everything from managed service providers in 2014 to SolarWinds’ widely used Orion software platform in 2020. But we have Target to thank for making “supply chain security” a cyber buzzword.

Local files 

NBC News: Ransomware attackers who targeted a school in the Dallas suburbs sent threatening emails directly to victim families, marking an escalation in aggressive tactics.

AP: Florida State Sen. Lauren Book (D) is pushing to enact legislation to bolster the Sunshine State’s revenge porn laws after nude images were stolen from her and distributed online.

WLKY: A regional hospital in Kentucky said last Monday that its computer systems and phone lines were down as it investigated a “cybersecurity incident.”

Off-script

Self-described Dutch “geo-geeks” put together a real-time map of the world’s lighthouses, including their true colors. It’s a European project, though, so alas, it’s missing my hometown Sanibel Island lighthouse. Still, the map is almost as mesmerizing as a “pew-pew” cyberattack simulation.

Credit: Geodienst, OpenStreetMap contributors, CartoDB

That’s all for this week. Tips, feedback and hacker film recommendations are all welcome: bsobczak@synack.com. Thanks for reading!