The Contracting Education Academy


August 17, 2018 By AMK

Georgia Tech researchers help close security hole in popular encryption software

Cybersecurity researchers at the Georgia Institute of Technology have helped close a security vulnerability that could have allowed hackers to steal encryption keys from a popular security package by briefly listening in on unintended “side channel” signals from smartphones.

The attack, which was reported to software developers before it was publicized, took advantage of programming that was, ironically, designed to provide better security. The attack used intercepted electromagnetic signals from the phones that could have been analyzed using a small portable device costing less than a thousand dollars. Unlike earlier intercept attempts that required analyzing many logins, the “One & Done” attack was carried out by eavesdropping on just one decryption cycle.

“This is something that could be done at an airport to steal people’s information without arousing suspicion and makes the so-called ‘coffee shop attack’ much more realistic,” said Milos Prvulovic, associate chair of Georgia Tech’s School of Computer Science. “The designers of encryption software now have another issue that they need to take into account because continuous snooping over long periods of time would no longer be required to steal this information.”

The side channel attack is believed to be the first to retrieve the secret exponent of an encryption key in a modern version of OpenSSL without relying on the cache organization and/or timing. OpenSSL is a popular encryption program used for secure interactions on websites and for signature authentication. The attack showed that a single recording of a cryptography key trace was sufficient to break 2048 bits of a private RSA key.

Results of the research, which was supported in part by the National Science Foundation, the Defense Advanced Research Projects Agency (DARPA), and the Air Force Research Laboratory (AFRL), will be presented at the 27th USENIX Security Symposium August 16th in Baltimore.

After successfully attacking the phones and an embedded system board – which all used ARM processors – the researchers proposed a fix for the vulnerability, which was adopted in versions of the software made available in May.

Side channel attacks extract sensitive information from signals created by electronic activity within computing devices during normal operation. The signals include electromagnetic emanations created by current flows within the devices’ computational and power-delivery circuitry, variation in power consumption, and also sound, temperature and chassis potential variation. These emanations are very different from communications signals the devices are designed to produce.

In their demonstration, Prvulovic and collaborator Alenka Zajic listened in on two different Android phones using probes located near, but not touching the devices. In a real attack, signals could be received from phones or other mobile devices by antennas located beneath tables or hidden in nearby furniture.

The “One & Done” attack analyzed signals in a relatively narrow (40 MHz wide) band around the phones’ processor clock frequencies, which are close to 1 GHz (1,000 MHz). The researchers took advantage of a uniformity in programming that had been designed to overcome earlier vulnerabilities involving variations in how the programs operate.

“Any variation is essentially leaking information about what the program is doing, but the constancy allowed us to pinpoint where we needed to look,” said Prvulovic. “Once we got the attack to work, we were able to suggest a fix for it fairly quickly. Programmers need to understand that portions of the code that are working on secret bits need to be written in a very particular way to avoid having them leak.”

The researchers are now looking at other software that may have similar vulnerabilities, and expect to develop a program that would allow automated analysis of security vulnerabilities.

“Our goal is to automate this process so it can be used on any code,” said Zajic, an associate professor in Georgia Tech’s School of Electrical and Computer Engineering. “We’d like to be able to identify portions of code that could be leaky and require a fix. Right now, finding these portions requires considerable expertise and manual examination.”

Side channel attacks are still relatively rare, but Prvulovic says the success of “One & Done” demonstrates an unexpected vulnerability. The availability of low-cost signal processing devices small enough to use in coffee shops or airports could make the attacks more practical.

“We now have relatively cheap and compact devices – smaller than a USB drive – that are capable of analyzing these signals,” said Prvulovic. “Ten years ago, the analysis of this signal would have taken days. Now it takes just seconds, and can be done anywhere – not just in a lab setting.”

Producers of mobile devices are becoming more aware of the need to protect electromagnetic signals of phones, tablets and laptops from interception by shielding their side channel emissions. Improving the software running on the devices is also important, but Prvulovic suggests that users of mobile devices must also play a security role.

“This is something that needs to be addressed at all levels,” he said. “A combination of factors – better hardware, better software and cautious computer hygiene – make you safer. You should not be paranoid about using your devices in public locations, but you should be cautious about accessing banking systems or plugging your device into unprotected USB chargers.”

In addition to those already mentioned, the research involved Monjur M. Alam, Haider A. Khan, Moumita Dey, Nishith Sinha and Robert Callen, all of Georgia Tech.

This work has been supported, in part, by the National Science Foundation under grant 1563991 and by the Air Force Research Laboratory and DARPA LADS under contract FA8650-16-C-7620. The views and findings in this paper are those of the authors and do not necessarily reflect the official views of NSF, DARPA or the AFRL.

Source: https://www.news.gatech.edu/2018/08/09/researchers-help-close-security-hole-popular-encryption-software

 

Filed Under: Georgia Tech News Tagged With: Air Force Research Laboratory, authentication, cybersecurity, DARPA, encryption, Georgia Tech, NSF, software, vulnerability

April 3, 2018 By AMK

Researchers at Georgia Tech design robot to defend factories against cyberthreats

It’s small enough to fit inside a shoebox, yet this robot on four wheels has a big mission: keeping factories and other large facilities safe from hackers.
Cybersecurity experts have a new tool in the fight against hackers – a decoy robot. Researchers at Georgia Tech built the “HoneyBot” to lure hackers into thinking they had taken control of a robot, but instead the robot gathers valuable information about the bad actors, helping businesses better protect themselves from future attacks.

Meet the HoneyBot. 

Developed by a team of researchers at the Georgia Institute of Technology, the diminutive device is designed to lure in digital troublemakers who have set their sights on industrial facilities. HoneyBot will then trick the bad actors into giving up valuable information to cybersecurity professionals.

The decoy robot arrives as more and more devices – never designed to operate on the Internet – are coming online in homes and factories alike, opening up a new range of possibilities for hackers looking to wreak havoc in both the digital and physical world.

“Robots do more now than they ever have, and some companies are moving forward with, not just the assembly line robots, but free-standing robots that can actually drive around factory floors,” said Raheem Beyah, the Motorola Foundation Professor and interim Steve W. Chaddick School Chair in Georgia Tech’s School of Electrical and Computer Engineering. “In that type of setting, you can imagine how dangerous this could be if a hacker gains access to those machines. At a minimum, they could cause harm to whatever products are being produced. If it’s a large enough robot, it could destroy parts or the assembly line. In a worst-case scenario, it could injure or cause death to the humans in the vicinity.”

Internet security professionals long have employed decoy computer systems known as “honeypots” as a way to throw cyberattackers off the trail. The research team applied the same concept to the HoneyBot, which is partially funded with a grant from the National Science Foundation. Once hackers gain access to the decoy, they leave behind valuable information that can help companies further secure their networks.

“A lot of cyberattacks go unanswered or unpunished because there’s this level of anonymity afforded to malicious actors on the internet, and it’s hard for companies to say who is responsible,” said Celine Irvene, a Georgia Tech graduate student who worked with Beyah to devise the new robot. “Honeypots give security professionals the ability to study the attackers, determine what methods they are using, and figure out where they are or potentially even who they are.”

The gadget can be monitored and controlled through the internet. But unlike other remote-controlled robots, the HoneyBot’s special ability is tricking its operators into thinking it is performing one task, when in reality it’s doing something completely different.

“The idea behind a honeypot is that you don’t want the attackers to know they’re in a honeypot,” Beyah said. “If the attacker is smart and is looking out for the potential of a honeypot, maybe they’d look at different sensors on the robot, like an accelerometer or speedometer, to verify the robot is doing what it had been instructed. That’s where we would be spoofing that information as well. The hacker would see from looking at the sensors that acceleration occurred from point A to point B.”

In a factory setting, such a HoneyBot robot could sit motionless in a corner, springing to life when a hacker gains access – a visual indicator that a malicious actor is targeting the facility.

Rather than allowing the hacker to then run amok in the physical world, the robot could be designed to follow certain commands deemed harmless – such as meandering slowly about or picking up objects – but stopping short of actually doing anything dangerous.

So far, their technique seems to be working.

In experiments designed to test how convincing the false sensor data would be to individuals remotely controlling the device, volunteers in December 2017 used a virtual interface to control the robot and could not see what was happening in real life. To entice the volunteers to break the rules, at specific spots within the maze, they encountered forbidden “shortcuts” that would allow them to finish the maze faster.

In the real maze back in the lab, no shortcut existed, and if the participants opted to go through it, the robot instead remained still. Meanwhile, the volunteers – who have now unwittingly become hackers for the purposes of the experiment – were fed simulated sensor data indicating they passed through the shortcut and continued along.

“We wanted to make sure they felt that this robot was doing this real thing,” Beyah said.

In surveys after the experiment, participants who actually controlled the device the whole time and those who were being fed simulated data about the fake shortcut both indicated that the data was believable at similar rates.

“This is a good sign because it indicates that we’re on the right track,” Irvene said.

This material is based upon work supported by the National Science Foundation under Grant No. 544332. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Source: http://www.rh.gatech.edu/news/604462/robot-designed-defend-factories-against-cyberthreats

Filed Under: Georgia Tech News Tagged With: cyber attacks, cyber incidents, cyberthreat, Georgia Tech, hackers, honeybot, honeypot, manufacturing, NSF, robotics

October 27, 2016 By AMK

Whistleblower alleges culture of intimidation at DCAA

J. Kirk McGill was a Senior Auditor at the Defense Contract Audit Agency (DCAA), the agency responsible for auditing the Department of Defense’s (DoD) contract expenditures. He is also a whistleblower whose disclosures to Congress have resulted in multiple Congressional hearings, the termination of a nonprofit from grants worth over $400 million, and the closure of a loophole in contracting policy for nonprofit grantees.

Importantly, his case also sets a precedent for federal whistleblowers to engage in whistleblowing activities while on official time. None of this was easy, and it came—as is too often the case for whistleblowers—at a personal cost to McGill.

In 2013, McGill and his DCAA team were loaned out to the National Science Foundation’s (NSF) Inspector General (IG) to conduct a follow-up audit of the $433 million construction grant NSF had awarded for a project called the National Ecological Observatory Network (NEON). The project was not competitively bid, and despite an earlier DCAA audit finding serious problems with the initial proposal, NSF awarded it to a nonprofit organization called NEON, Inc.—a nonprofit focused solely on the project.

McGill, who was the Auditor-in-Charge, and his team found that NEON, Inc.’s accounting system was seriously flawed and lacked important supporting documentation. The audit also found poor budget controls that meant the project managers wouldn’t know if the program ran over budget—even tens of millions of dollars over budget—until it was too late to prevent. (The NSF later admitted that the project had run $80 million over budget.) As concerning as those numbers are, the audit also found that NEON, Inc. was abusing a $1.8 million category of funds called “management fees,” which were being used to pay for unallowable costs like alcohol, lobbying, and a lavish holiday party. McGill reported two instances of suspected fraud to the NSF IG through the normal channels. The IG investigated and referred the cases to the Department of Justice (DOJ) for potential prosecution, but DOJ declined to pursue them [p.3].

When McGill examined the requirements of reporting suspected fraud in an audit report, he found himself trapped.

Keep reading this article at: http://www.pogo.org/blog/2016/10/whistleblower-alleges-culture-of-intimidation-at-dcaa.html

Filed Under: Government Contracting News Tagged With: Anti-Deficiency Act, audit, construction, DCAA, DoD, DOJ, fraud, GAO, IG, noncompetitive, NSF, unallowable costs, waste, whistleblower, Whistleblower Protection Act

August 21, 2015 By AMK

NSF funds $12 million research network to build healthy, sustainable, livable cities of the future

How will we build the cities of the future in a sustainable way?

A new National Science Foundation-funded research network will connect scientists at nine universities with infrastructure groups, public policy experts, and industry partners to reimagine cities. Georgia Tech will be an anchor of the $12 million network, which will be led by the University of Minnesota, and School of Civil and Environmental Engineering professor Ted Russell will serve as a co-director.

“We’re bringing some very different communities together more than past projects have done,” Russell said. “We are getting the engineering community, the health community, the atmospheric sciences community, the economics communities, the policy communities in the same virtual room to look to the future.”

“We’re looking at real-life cities and figuring out how to make these cities work better and how to help cities [in general] evolve.”

The idea is to reimagine infrastructure — energy grids, road networks, green spaces, and food and water systems — to create cities that are highly functional, that promote the health of residents and the environment, and that have that intangible “vibe” that makes them desirable places to live and work.

“We have to think in new ways about a city’s physical infrastructure to develop sustainable solutions,” said Anu Ramaswami, the project’s director and a professor in the Humphrey School of Public Affairs at the University of Minnesota. “Understanding that these physical systems are interconnected serves as a foundation for this work. For example, urban farms wouldn’t work very well without thinking about water, energy and transportation infrastructure as well as people, markets and policies.”

The network will use cities across the United States and in India as “test beds” for its work, a unique approach that Russell said means the outcome of the network’s studies will have significant impact. Atlanta is one of those cities.

“One of the points we made with this proposal is that it’s action-oriented, with the idea that the output of this project is not papers, it’s actually actions,” he said. “[We will] not only specify what actions might be taken but actually help realize those actions.”

The project, called a Sustainability Research Network in NSF parlance, runs for four years.

Skyline view of Atlanta and Georgia Tech taken from the roof of the campus library. Historic chimney, Bobby Dodd stadium, Tech Tower, and the North Ave. apartments can be seen.

“Real success at the end of those four years would be one or more cities — having worked with us from the beginning — take actions that will lead to improving the livability of their city,” Russell said. “That could come in multiple ways: improved transit options, improved plans for water usage, effective urban farming, or strategies to improve air quality that they’ve actually implemented and to inform their citizenry of how to reduce their exposures to harmful chemicals and lead more healthy lives.”

The network stretches beyond civil and environmental engineering at Tech: Nisha Botchwey, an associate professor in the School of City and Regional Planning, and Peter Webster, a professor in the School of Earth and Atmospheric Sciences, will have significant roles, as will Tech’s Center for Education Integrating Science, Mathematics and Computing (better known as CEISMC).

In fact, Botchwey will lead the education component of the project, which includes outreach to K-12 students, college graduate students and Native American communities. Those efforts will include an innovative interdisciplinary summer school at the network’s nine partner schools.

Russell said Tech’s wide-ranging involvement in the project fits in perfectly with the Institute-wide focus in the coming decade on sustainability and community. Officials announced the Serve•Learn•Sustain initiative earlier this year as part of the Institute’s reaccreditation process.

“This fits in extremely well with that, because we are hitting all of those pieces in [the project],” Russell said.

Learn more about the project in the University of Minnesota news release and on the project’s website.

Source: http://www.news.gatech.edu/2015/08/12/nsf-funds-12m-research-network-build-healthy-sustainable-livable-cities-future

Filed Under: Georgia Tech News Tagged With: CEISMC, Georgia Tech, NSF, sustainability, Sustainability Research Network

April 27, 2015 By AMK

New robotic vehicle provides a never-before-seen look under Antarctica

A first-of-its-kind robotic vehicle recently dove to depths never before visited under Antarctica’s Ross Ice Shelf and brought back video of life on the seafloor.

A team of scientists and engineers from the Georgia Institute of Technology assembled the unmanned, underwater vehicle on Antarctica. They deployed (and retrieved) the vehicle through a 12-inch diameter hole through 20 meters of ice and another 500 meters of water to the sea floor.

Mick West poses with Icefin, the robotic underwater vehicle built by GTRI and Georgia Tech. The team, known as Team SIMPLE (Sub-Ice Marine and PLanetary-analog Ecosystems), assembled Icefin on Antarctica.

The robotic vehicle, called Icefin, carried a scientific payload capable of measuring ocean conditions under the ice. Icefin’s readings of the environment under Antarctica’s ice shelves, and video of the life that thrives in these harsh conditions, will help scientists understand how Antarctica’s ice shelves are changing under warming conditions and how organisms thrive in cold and light-free environments. The technologies developed for Icefin will also help in the search for life on other planets, namely Europa, a moon of Jupiter. Antarctica’s icy oceans are remarkably similar to Europa’s ice-capped oceans.

“We built a vehicle that’s a hybrid between the really small probes and the ocean-going vessels, and we can deploy it through bore holes on Antarctica,” said Britney Schmidt, an assistant professor in the School of Earth and Atmospheric Sciences at Georgia Tech, and the principal investigator for the Icefin project. “At the same time, we’re advancing hypotheses that we need for Europa and understanding ocean systems here better. We’re also developing and getting comfortable with technologies that make polar science — and eventually Europa science — more realistic.”

Icefin was deployed as a part of the Sub Ice Marine and Planetary–analog Ecosystem (SIMPLE) program, funded by NASA and supported by NSF, with Schmidt as the principal investigator. The research team returned from Antarctica in December 2014. Icefin is planned to make its Arctic debut in summer 2016, with a return to Antarctica that fall, the team hopes.

At McMurdo Station, Schmidt and a team including Georgia Tech scientists and engineers from the Georgia Tech Research Institute (GTRI), led by principal research engineer Mick West, deployed Icefin to explore the underside of the ice shelves flowing off the continent.

“What truly separates Icefin from some of the other vehicles is that it’s fairly slender, yet still has all of the sensors that the scientists like Britney need,” West said. “Our vehicle has instrumentation aboard both for navigation and ocean science that other vehicles do not.”

The Southern Ocean can be as deep as 5,000 meters. Icefin is capable of diving 1,500 meters and can perform three-kilometer-long surveys. Previous vehicles in Icefin’s class were rated to a few hundred meters.

“We saw evidence of a complex community on the sea floor that has never been observed before, and unprecedented detail on the ice-ocean interface that hasn’t been achieved before,” Schmidt said.

Video captured by Icefin shows eerie footage of an active seafloor 500 meters under the Ross Ice Shelf.

“Biologists at McMurdo were just amazed at the amount of biology at that location which included sea stars, sponges and anemones that were at the ocean bottom,” West said. “To have our very first deep-ocean dive happen through a small hole in the ice and go all the way to the ocean bottom and get the video we did was pretty amazing.”

To get to the bottom, Icefin first had to be built. A partnership between research-focused GTRI and academic-focused School of Earth and Atmospheric Sciences (EAS) enabled the team to design, build and deploy Icefin under the ice in less than a year. Traditional design cycles for these types of vehicles typically are two to three years.

The team had to design for a number of challenges associated with deploying Icefin in such an extreme environment. For example, standard electronics systems are not typically rated to the extreme temperatures found under the Ross Ice Shelf.

“We had probably 100 contingencies for if something went wrong,” West said. “Through lots of analysis and robust design, we were fortunate not to have to initiate any of them.”

Once Icefin was assembled, the vehicle was deployed through a bore hole in the ice that was 12 inches in diameter and 20 meters deep. Bore holes are often drilled on Antarctica for ocean moorings and sediment sampling.

Traditional underwater vehicles deployed on Antarctica are either “roving eyes” because they carry only a camera, or much larger vehicles that are deployed in the water on the edge of the ice shelf. Icefin fills the gap between these two kinds of vehicles: able to be deployed easily by small teams in any environment, yet still able to record oceanographic information traditionally done by much larger vehicles.

“Icefin is the most capable small vehicle that’s been down there,” Schmidt said. “What’s really rewarding is that at the same time, we were able to involve some outstanding students in the design, build and deployment of the vehicle.”

Graduate student Anthony Spears and undergraduate Matthew Meister, as well as Georgia Tech Vertically Integrated Projects (VIP) program participants, were involved in design of the vehicle. Spears and Meister also played key roles in the field integration and deployment of Icefin, along with EAS postdoctoral fellow Catherine Walker and graduate student Jacob Buffo from Icefin’s science team.

Icefin carries forward and up/down imaging and sonars and several different sensors. Icefin is also modular, similar to vehicles used on space missions. Scientists can swap sensors or point them in different directions as needed.

Traditional GPS does not work under the ice, so Icefin uses a navigation system called SLAM (simultaneous localization and mapping) to triangulate its position based on measuring the range and bearing of features on the seafloor or under the ice.

“Using algorithms such as SLAM allows us to construct a map of the unknown under-ice environment. When you can do that, you can begin to get a 3D picture of what’s going on under the water,” West said.

The sensors on Icefin are helping scientists understand how the ocean affects properties of the ice, and how the ice affects properties of the ocean. The exchange between ocean and ice is a process that mediates biology, affects the climate system and controls the stability of glaciers.

“Those are important processes that we can work out here in our backyard at the same time as we’re answering how an ice shell would reflect the ocean chemistry on Europa,” Schmidt said. “The ice shell is built out of the ocean, but how that process works is not well understood.”

Source: http://gtri.gatech.edu/casestudy/new-robotic-vehicle-provides-never-seen-look-under. This research is supported by Georgia Institute of Technology and the School of Earth and Atmospheric Sciences through Schmidt’s startup funds, and partnership with GTRI. Icefin deployed to Antarctica with SIMPLE funded by NASA through grant NNX12AL65G. Deployment was supported by the National Science Foundation (NSF) under project B259. Any conclusions or opinions are those of the authors and do not necessarily represent the official views of the sponsoring agencies.

Filed Under: Georgia Tech News Tagged With: Georgia Tech, NASA, NSF, robotics
