‘Hack DHS’ Bug Bounty Program to Begin Second Phase with New Contract Request


The Department of Homeland Security has issued a solicitation for companies to provide crowdsourced vulnerability assessment services—including for competitions and live events—for phase two of the agency’s “Hack DHS” bug bounty program. 

The request for proposals says that the contract “will be used to conduct crowdsourced vulnerability discovery and disclosure activities across the full range of networks, systems and information, including web applications, software, source code, software-embedded devices and other technologies as solicited across the whole Department of Homeland Security, or other assets as deemed appropriate by the program office.”

DHS established the “Hack DHS” bug bounty program following passage of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, or the SECURE Technology Act, in 2018. Under the law, DHS is required to establish a multi-year bug bounty program allowing eligible individuals, organizations and companies to receive compensation for identifying and reporting vulnerabilities in the agency’s systems. 

The agency announced in April that it had completed the first phase of its bug bounty program, in which 450 vetted security researchers identified 122 vulnerabilities in “select external DHS systems.” DHS rated 27 of these vulnerabilities as “critical.” Researchers and ethical hackers who participated in the first phase of the program had the opportunity to receive up to $5,000 for identifying verified vulnerabilities, and DHS reported that it awarded a total of $125,600 to participants.

Under the second phase of the program, researchers and ethical hackers will participate in live hacking events, while the third and final phase will allow DHS to identify and review the lessons learned from the program, as well as plan for additional bug bounty initiatives. 

The RFP calls for six time-boxed challenges and two continuous challenges during the first year of the contract, and then up to 12 time-boxed and five continuous challenges in the optional contract years. The contractors are also expected to conduct live, U.S.-based events with between 15 to 50 researchers, as…

Source…

Hackers Can Hack US Emergency Alert System, DHS Warns

The U.S. Department of Homeland Security (DHS) warned that hackers could exploit critical security vulnerabilities in Emergency Alert System (EAS) encoder/decoder devices that are not updated to issue fake warnings over TV, radio, and cable networks.

For the unversed, EAS is a national warning system in the United States designed to allow authorized officials to broadcast emergency alerts and warning messages to the public via cable, satellite, or broadcast television, and both AM/FM and satellite radio.

“We recently became aware of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to most recent software versions, could allow an actor to issue EAS alerts over the host infrastructure (TV, radio, cable network),” the DHS’s Federal Emergency Management Agency (FEMA) said in an advisory delivered through the Integrated Public Alert and Warning System (IPAWS).

“This exploit was successfully demonstrated by Ken Pyle, a security researcher at CYBIR.com, and may be presented as a proof of concept at the upcoming DEFCON 2022 conference in Las Vegas, August 11-14.

“In short, the vulnerability is public knowledge and will be demonstrated to a large audience in the coming weeks.”

To safeguard against such exploits, FEMA has strongly encouraged its EAS participants to ensure that:

  • EAS devices and supporting systems are up to date with the most recent software versions and security patches;
  • EAS devices are protected by a firewall;
  • EAS devices and supporting systems are monitored and audit logs are regularly reviewed looking for unauthorized access.

Ken Pyle, the cybersecurity researcher who discovered the issue, told Bleeping Computer that the vulnerabilities lie in the Monroe Electronics R189 One-Net DASDEC EAS, an EAS encoder and decoder device used by TV and radio stations to broadcast emergency alerts.

According to the researcher, the issue has now ballooned into a huge flaw because multiple vulnerabilities and issues (confirmed by other researchers) have not been patched for several years.

When asked what can be done after successful exploitation, Pyle said: “I can easily obtain access to the credentials, certs, devices,…

Source…

DHS Warns of Heightened Terrorism Risk over the Summer – National Review

Source…

DHS and 5G security. US State Department’s first cyber ambassador. China’s cybersecurity regulations.


At a glance.

  • DHS and 5G security.
  • US State Department’s first cyber ambassador.
  • China’s cybersecurity regulations.

US Department of Homeland Security’s quest to secure 5G tech.

SIGNAL Magazine offers a look at the US Department of Homeland Security’s (DHS) progress in filling security gaps in 5G technology identified by the Cybersecurity and Infrastructure Security Agency (CISA). 5G has become increasingly critical to DHS’s goals, and its Science and Technology Directorate leads the Secure and Resilient Mobile Network Infrastructure program (SRMNI) and its sister program, Emergency Communications Research and Development. Brent Talbot, a program manager within the Science and Technology Directorate’s Office of Mission Capability and Support, explains, “CISA is our customer, and they are looking to get some research and development performed to fill some cybersecurity gaps in the mobile 5G infrastructure. They’re looking to secure those venues for not only the general public but for the government, for the nation. We’re trying to push the boundaries of what is known, and we’re looking to protect those communications venues, especially for our frontline workers, the emergency responders.” SRMNI’s goal is to provide solutions and knowledge that help officials make risk- and cost-informed decisions regarding capability gaps, threat identification, architectural frameworks and potential mitigations. Already, 4K Solutions LLC has developed GovSecure, a protected domain name system available on the Google Play store and the Apple App Store that allows secure, untraceable communications for sensitive but unclassified messages.

US State Department names its inaugural cyber ambassador. 

CyberScoop reports that the US State Department has selected Nathaniel Fick as its first Ambassador-at-Large for Cyberspace and Digital Policy, pending confirmation from the US Senate. Launched in April, the Bureau of Cyberspace and Digital Policy is focused on supporting the White House’s effort to provide digital aid to allies and US leaders as they set global cyber standards. Currently the general manager of information security for internet search company Elastic, Fick…

Source…