A Spanish startup selected by the DARPA Cyber Fast Track (CFT)

The security landscape changed in August 2011 at the Black Hat conference, when Peiter "Mudge" Zatko, the legendary hacker from the L0pht, presented the new Cyber Fast Track (CFT) program (DARPA-PA-11-52) from DARPA (the Defense Advanced Research Projects Agency of the United States Department of Defense) to fund R&D projects by hackers and SMEs. Detailed information about the program was available on the DARPA CFT website (now offline).

The idea is simple: times have changed, and hackers and small businesses are the ones with the ideas and the agility to innovate, but not the resources, and that is precisely what the program provides. Many countries should take note of this innovative idea, which fosters creativity and R&D.

To ease the application process, a series of documents and guides was released. The aim was to streamline and simplify the process for people not used to dealing with government bureaucracy. No doubt a great idea and a great help.

Besides it being unusual for DARPA to fund hackers (I think it was the only program of its kind in the world), even more unusual was that the program was open to any hacker or security boutique anywhere in the world!

Through VULNEX, the company I founded last year, a startup specializing in cyber security located in Madrid, we decided to try our luck and put together an R&D proposal, which we sent in August 2012; five days later we received a call from DARPA telling us that our project had been accepted. Incredible.

The objective of the project was to improve security in the software development lifecycle. The project ran for five months, analyzing different compilers (Visual Studio, GCC and LLVM) and their versions to determine which security mitigations they offer, how effective those mitigations are, and how they affect the binaries produced.

Building on that in-depth analysis, the second and third phases of the project consisted of developing two technologies to help developers produce secure software.

One of the technologies developed is BinSecSweeper, a powerful and easy-to-use tool to analyze the security posture of a binary. The tool is open source, cross-platform and capable of analyzing different types of binaries and architectures. BinSecSweeper will be available on the VULNEX website soon.
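To make concrete what "analyzing the security posture of a binary" means in practice, here is an added example; it is not BinSecSweeper's code nor anything from VULNEX or DARPA. It reads the ELF64 program headers and dynamic section and reports the four mitigations a GCC/LLVM toolchain leaves visible marks of in the binary: NX (non-executable stack), PIE, RELRO (partial vs. full) and a stack canary. It assumes Linux-style ELF64 little-endian binaries (PE output from Visual Studio is not handled), uses only the Python standard library, and the sample image it checks is constructed inside the block rather than compiled, so it runs offline.

```python
"""Minimal ELF64 "binary security posture" checker: reports NX, PIE, RELRO
and stack-canary status from the ELF headers alone. Standard library only.
The sample image built at the bottom is constructed for demonstration and is
not real compiler output (assumption: Linux/GCC-style mitigation markers)."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551      # flags of this segment decide stack executability
PT_GNU_RELRO = 0x6474E552      # range made read-only after relocation
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return {'nx', 'pie', 'relro', 'canary'} for an ELF64 little-endian image."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    # NX: a PT_GNU_STACK segment without PF_X. If the segment is missing, the
    # loader falls back to an executable stack on most targets, so that also
    # counts as "no NX".
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)

    # PIE: position-independent executables are linked as ET_DYN (so are shared
    # libraries, which is why checksec-style tools treat this as a heuristic).
    pie = e_type == ET_DYN

    # RELRO: PT_GNU_RELRO alone is partial RELRO; full RELRO also needs BIND_NOW
    # in the dynamic section so the GOT is resolved before it is made read-only.
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off = p[2]  # p_offset of the dynamic array
        while off + DYN.size <= len(data):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
            off += DYN.size
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"

    # Stack canary: checksec-style heuristic, the __stack_chk_fail symbol name
    # is present in the dynamic string table. A raw scan of the image suffices.
    canary = b"__stack_chk_fail" in data
    return {"nx": nx, "pie": pie, "relro": relro, "canary": canary}


def build_sample(pie=True, nx=True, relro="full", canary=True) -> bytes:
    """Construct a tiny ELF64 image carrying only the headers the checker reads.
    It is not loadable; it exists so the checker can be exercised offline."""
    n_ph = 2 + (1 if relro != "none" else 0)
    dyn_off = EHDR.size + n_ph * PHDR.size
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if relro == "full" else b"") + DYN.pack(DT_NULL, 0)
    strtab = b"\0__stack_chk_fail\0" if canary else b"\0puts\0"
    phdrs = [
        PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
        PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8),
    ]
    if relro != "none":
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9   # ELF64, little-endian, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn + strtab


if __name__ == "__main__":
    samples = (("hardened", build_sample()),
               ("legacy", build_sample(pie=False, nx=False, relro="none", canary=False)))
    for label, image in samples:
        print(label, check_hardening(image))
```

Against a real binary, read the file bytes and pass them to check_hardening; `readelf -l` (program headers) and `readelf -d` (dynamic section) show the same fields and can be used to confirm the verdict. The canary check is the weakest of the four, since it only proves the binary references `__stack_chk_fail`, not that every function was compiled with `-fstack-protector`.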

It is a pity that DARPA closed the CFT program on April 1, 2013; about 500 of the more than 1,500 proposals received were funded. The selected projects have produced very interesting tools, many of which have been presented at top security conferences; I would recommend a web search to find them.

Certainly a disruptive idea that has been of great help to hackers and SMEs, and for us at VULNEX, a Spanish startup, a pleasant experience collaborating with DARPA and presenting our technology at internal events :)

From here we would like to thank Mudge, DARPA and the staff of BITSystems (responsible for CFT management), great folks!

Thank you!

Did you know about the DARPA CFT? What do you think?

— Simon Roses Femerling

Posted in Business, Pentest, Security, Technology

What’s the point of reporting 0day?

In recent weeks the news about PRISM has not stopped since it was leaked by Edward Snowden, who worked for Booz Allen Hamilton, a defense contractor for the NSA.

One interesting outcome of these leaks is the NSA's access to 0day vulnerabilities in Microsoft products, and who knows whether in other big companies' products as well (Google, Apple, Adobe, etc.), under the cooperation programs Microsoft Active Protections Program (MAPP) and the Security Cooperation Program (SCP). The first program is for security vendors and the second for government agencies (for example, the Spanish intelligence agency, CNI, is a member), so that they are informed of vulnerabilities before the security patch is released and can protect themselves and update their security products in time.

These programs were created for defensive purposes, but they raise an interesting issue: the use of that information for offensive purposes.

Finding vulnerabilities in products from large companies is increasingly expensive, so access to 0day information saves intelligence agencies time and resources. They then only have to develop exploits to attack any system; remember that the security patch has not yet been published...

Countries wishing to build offensive and defensive capabilities should create national programs that offer financial rewards (on a sliding scale) to individuals who report 0days to them.

Large software and Internet companies are mainly American, but many vulnerabilities are discovered and reported by foreign security experts. If a national vulnerability reporting program were in place, they could inform their own government first rather than the software companies.

The question is: why report vulnerabilities to software companies so that they, in turn, inform their intelligence agencies, which then carry out offensive actions against other nations?

Remember that 0day vulnerabilities and exploits have economic value today, and many public and private organizations pay good money for them.

Quite honestly, we should not be surprised by the NSA's actions, since in the end its mission is national security by all possible means (legal?), the same as many other countries' intelligence agencies.

What is clear is that the PRISM case may have more consequences for the United States than it seemed at first, and certainly many countries will change their policies on defensive and offensive cyber security.

It will certainly be interesting to see how cyber security policies evolve in countries in the coming years.

What changes do you think are necessary in cyber security policies?

— Simon Roses Femerling

Posted in Business, Microsoft, Pentest, Security, Technology

A tale of Government Trojans

Sorry, only in Spanish :)

— Simon Roses Femerling

Posted in Pentest, Privacy, Security, Technology