In 2019, the US Department of Homeland Security issued an emergency warning about DNS infrastructure tampering. This alert, in response to a series of attacks against foreign government websites, highlighted how a sophisticated attacker could leverage access to key DNS infrastructure to then hijack traffic and harvest valid login credentials for target organizations. However, even armed with this knowledge, identifying the existence of such incidents has been almost entirely via post hoc forensic reports (i.e., after a breach was found via some other method). Indeed, such attacks are particularly challenging to detect because they can be very short lived, bypass the protections of TLS and DNSSEC, and are imperceptible to users. Identifying them retroactively is even more complicated by the lack of fine-grained Internet-scale forensic data. This paper is a first attempt to make progress at this latter goal. Combining a range of longitudinal data from Internet-wide scans, passive DNS records, and Certificate Transparency logs, we have constructed a methodology for identifying potential victims of sophisticated DNS infrastructure hijacking and have used it to identify a range of victims (primarily government agencies), both those named in prior reporting, and others previously unknown.
Should the Government Require Companies to Meet Cybersecurity Standards for Critical Infrastructure?
Major U.S. cities plunged into darkness. The financial system frozen. Transportation crippled. Drinking water in short supply. These are just a few of the ways that a successful cyberattack on critical infrastructure could wreak havoc on U.S. national security, economic stability and public health and safety. Worries that hackers are getting closer to inflicting serious damage on the U.S. were underscored in July, when the Department of Homeland Security reported that Russian agents had penetrated the control rooms of electric utilities, where they could have caused widespread blackouts. Some argue that government regulation is needed to keep critical systems safe from hackers. Others say industry can do a better job on its own. Against that backdrop, a debate is under way about what U.S. policy makers should do to keep critical systems safe.
- Award ID(s): 1753681
- PAR ID: 10110263
- Date Published:
- Journal Name: Wall Street Journal
- ISSN: 2574-9560
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- Since 2016, with a strong push from the Government of India, smartphone-based payment apps have become mainstream, with over $50 billion transacted through these apps in 2018. Many of these apps use a common infrastructure introduced by the Indian government, called the Unified Payments Interface (UPI), but there has been no security analysis of this critical piece of infrastructure that supports money transfers. This paper uses a principled methodology to do a detailed security analysis of the UPI protocol by reverse-engineering the design of this protocol through seven popular UPI apps. We discover previously-unreported multi-factor authentication design-level flaws in the UPI 1.0 specification that can lead to significant attacks when combined with an installed attacker-controlled application. In an extreme version of the attack, the flaws could allow a victim's bank account to be linked and emptied, even if a victim had never used a UPI app. The potential attacks were scalable and could be done remotely. We discuss our methodology and detail how we overcame challenges in reverse-engineering this unpublished application layer protocol, including that all UPI apps undergo a rigorous security review in India and are designed to resist analysis. The work resulted in several CVEs, and a key attack vector that we reported was later addressed in UPI 2.0.
- The purpose of this article is to introduce a risk analysis framework to enhance the cyber security of and to protect the critical infrastructure of the electric power grid of the United States. Building on the fundamental questions of risk assessment and management, this framework aims to advance the current risk analysis discussions pertaining to the electric power grid. Most of the previous risk‐related studies on the electric power grid focus mainly on the recovery of the network from hurricanes and other natural disasters. In contrast, a disproportionately small number of studies explicitly investigate the vulnerability of the electric power grid to cyber‐attack scenarios, and how they could be prevented or mitigated. Such a limited approach leaves the United States vulnerable to foreign and domestic threats (both state‐sponsored and “lone wolf”) to infiltrate a network that lacks a comprehensive security environment or coordinated government response. By conducting a review of the literature and presenting a risk‐based framework, this article underscores the need for a coordinated U.S. cyber security effort toward formulating strategies and responses conducive to protecting the nation against attacks on the electric power grid.
- We initiate the study of matching roommates and rooms wherein the preferences of agents over other agents and rooms are complementary and represented by Leontief utilities. In this setting, 2n agents must be paired up and assigned to n rooms. Each agent has cardinal valuations over the rooms as well as compatibility values over all other agents. Under Leontief preferences, an agent’s utility for a matching is the minimum of the two values. We focus on the tradeoff between maximizing utilitarian social welfare and strategyproofness. Our main result shows that—in a stark contrast to the additive case—under binary Leontief utilities, there exist strategyproof mechanisms that maximize the social welfare. We further devise a strategyproof mechanism that implements such a welfare maximizing algorithm and is parameterized by the number of agents. Along the way, we highlight several possibility and impossibility results, and give upper bounds and lower bounds for welfare with or without strategyproofness.
- Deficiencies in knowledge about water quality prevent or obscure progress on a panoply of public health problems globally. Specifically, such lack of information frustrates effective and efficient government regulation to protect the public from contaminated drinking water. In this Practical Paper, we lay out how recent scientific innovations in synthetic biology mean that rapid, at-home tests based on biosensor technology could be used to improve water quality monitoring and regulation, using the example of the U.S. Environmental Protection Agency's Lead and Copper Rule currently under revision. Biosensor tests can be used by non-scientists and the information that biosensor tests generate is relatively cheaper and faster than standard laboratory techniques. As such, they have the potential to make it possible to increase the number and frequency of samples tested. This, in turn, could facilitate more accurate compliance monitoring, justify more protective substantive standards, and more efficiently identify infrastructure priorities. Biosensors can also empower historically underrepresented communities by facilitating the visibility of inequities in lead exposure, help utilities to ensure safe water delivery, and guide policy for identifying and replacing lead-bearing water infrastructure, thereby improving public health. As the technology matures, biosensors have great potential to reveal water quality issues, thereby reducing public health burdens.

