In April, we reported on an emerging access control protocol from the Cloud Security Alliance, which offered a $10,000 prize to anyone who could crack former CIA spook Bob Flores’ account — and even provided his username and password.
The protocol, known as software-defined perimeter (SDP) or “Black Cloud,” withstood tens of thousands of attacks to remain undefeated in the third annual Hackathon, according to contest data provided exclusively to SDxCentral by Vidder, which provides a commercial implementation of the open source security standard.
Some of the attacks were incredibly sophisticated, indicating nation-state backing, Vidder founder and CTO Junaid Islam tells us. In addition to Flores’ login credentials, hackathon organizers published a packet capture of his login transaction with the target server, which some would-be attackers were able to perfectly replicate using sophisticated packet manipulation tools.
Still, nobody was able to breach the server, in part because SDP uses a unique cryptographic token for each login. The protocol combines a number of other security features, including binding credentials to devices and single-packet authentication that ignores any connection request that doesn’t include correct credentials in the first packet.
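The single-use token and first-packet check described above can be sketched as follows. This is an added example, not code from the SDP specification or Vidder's implementation. The packet layout, the HMAC-plus-counter token, and all names (`build_spa_packet`, `Gateway`, the sample key) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def build_spa_packet(client_id: bytes, device_key: bytes, counter: int) -> bytes:
    """Client side: one self-contained packet carrying a single-use token."""
    body = struct.pack("!H", len(client_id)) + client_id + struct.pack("!Q", counter)
    return body + hmac.new(device_key, body, hashlib.sha256).digest()


class Gateway:
    """Server side (hypothetical): accepts a packet only if its token is valid and unused."""
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # client_id -> key provisioned to one device
        self.last_counter = {}          # client_id -> highest counter accepted so far

    def handle_first_packet(self, packet: bytes):
        """Return the client id on success; return None (send no reply) otherwise."""
        if len(packet) < 2 + 8 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        (id_len,) = struct.unpack("!H", body[:2])
        if len(body) != 2 + id_len + 8:
            return None
        client_id = body[2:2 + id_len]
        (counter,) = struct.unpack("!Q", body[2 + id_len:])
        key = self.device_keys.get(client_id)
        if key is None:
            return None
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None
        if counter <= self.last_counter.get(client_id, -1):
            return None  # token already used: a byte-identical copy of an old packet
        self.last_counter[client_id] = counter
        return client_id


def demo():
    key = b"constructed-device-key-0123456789"  # constructed sample key
    gw = Gateway({b"bob": key})
    captured = build_spa_packet(b"bob", key, counter=1)
    first = gw.handle_first_packet(captured)    # legitimate login
    replay = gw.handle_first_packet(captured)   # replay of the captured packet
    forged = gw.handle_first_packet(build_spa_packet(b"bob", b"wrong-key", 2))
    nxt = gw.handle_first_packet(build_spa_packet(b"bob", key, counter=2))
    return first, replay, forged, nxt
```

Here the replayed packet fails even though it is a perfect copy, because the counter it carries has already been consumed, and a packet built without the device-held key never verifies.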
China generated the most breach attempts in the recent contest, followed by the United States and, somewhat surprisingly, Poland (see chart below).
Mazda and Coca-Cola have both shown interest in SDP and have tested it to secure their fleet-management networks. But as the breaches continue to mount, Vidder’s Islam is surprised that the open source approach hasn’t caught on faster.
“You have all these people saying ‘There’s nothing we can do.’ I just don’t believe that — there is something very simple we can do,” he says.
“I don’t know how to make it more clear to people that we don’t have to be vulnerable to these kinds of cyberattacks.”
Photo: Vidder CTO Junaid Islam demonstrating SDP. (Keith Griffith/SDxCentral)