Cybersecurity

ARCHIVES

How Cyber Scary Is It Outside Today?

By Aliya Sternstein // July 16, 2014

We have shrunk ThreatWatch, Nextgov's online rundown of the latest reported breaches, into an iPhone app that offers more news and numbers. 

You'll still find depictions of hacks hitting agencies, retailers and every sector daily, but now there also are threat-level scores and story feeds from around the globe.

This infotainment tool – “NG Cybersecurity” -- is designed to raise cybersecurity awareness among the uninitiated and keep experts up to date. 

For instance, today's government sector score is 29, on a 100-point scale, according to data analytics company HackSurfer. The health care industry is on the lower end of the spectrum, at 5. Recent agency-related hacks include allegations a Chinese entrepreneur stole data about a U.S. military cargo plane. In the health world, a plastic surgeon provided a female's before-and-after photos to a television station for a public broadcast. 

You'll see tech security stories from the Guardian, Wired and other reputable publications streamed constantly, along with commentary from cyber firms, such as Sophos and Malwarebytes. Nextgov's award-winning reporting is also in the mix.

The app is free and available for download at the iTunes App Store

Senate Defense Bill Unearths NSA ‘Sharkseer’ Program

By Aliya Sternstein // May 28, 2014

m00osfoto/Shutterstock.com

Highlights from the Senate Armed Services Committee's new defense policy bill show lawmakers would like to drop $30 million on an obscure National Security Agency cybersecurity program called Sharkseer. 

There is little official, public information on the program. Based on a job posting for a contractor position, its sounds like an automated network-surveillance system -- just for military networks -- fueled by intelligence on potential hazards. Hazards like the leaks on domestic spying by ex-NSA contractor Edward Snowden? Unclear. 

All we officially know about the program, from committee spokeswoman Tara Andringa, is that the Senate’s 2015 National Defense Authorization Act would authorize money for NSA to use technology available in the marketplace for detecting suspicious communications and blocking them before they can do damage.

“Defense needs to explore a wide range of approaches to address the ever-increasing cyber threat,” she told Nextgov on Wednesday afternoon. “Taking advantage of creative solutions developed in the private sector is a path that we can't afford to neglect.”

A September 2013 job opening at Leidos, a spinoff of defense contractor SAIC, provides a few more details, including that Sharkseer will combine the company's CloudShield hardware with "vendor software such as McAfee, FireEye ...

HHS, DHS and EPA Don’t Need to Dole Out New Cyber Rules

By Aliya Sternstein // May 22, 2014

White House Cybersecurity Coordinator Michael Daniel
White House Cybersecurity Coordinator Michael Daniel // Ann Heisenfelt/AP

White House officials on Thursday announced that the departments of Homeland Security and Health and Human Services, along with the Environmental Protection Agency, do not need to impose new regulations to defend industry against hacks, because voluntary measures will suffice.

Obama administration officials stopped short of saying whether independent regulatory agencies should prescribe new cyber rules for the energy, financial and other critical sectors. 

A February 2013 presidential executive order required agencies to determine whether current rules are sufficient to carry out forthcoming industry cyber standards. The standards, which came out in February and presently are voluntary, instruct organizations on how to identify, respond and recover from network disruptions. 

"The major outcome is that the administration’s analysis supports our current voluntary approach to address cyber risk," White House Cybersecurity Coordinator Michael Daniel said in a blog post. "The administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information."

Much of the nation's critical infrastructure is governed by independent regulators, which were not required to do an analysis, he noted. 

"The analysis conducted pursuant to [the order] represents a limited subset of critical infrastructure ...

USPS Employees Get Fake USPS Phishing Emails, Too

By Aliya Sternstein // May 21, 2014

Paul Sakuma/AP file photo

Postal Service personnel, who, like all of us, receive bogus emails claiming to be from the USPS, have a few ways of dealing with the threats that are sometimes part of mass spam campaigns and occasionally hack attempts targeted at feds.

An exchange of emails among users of the U.S. government's Web content managers listserv highlights the desire to keep tabs on the motives in play. 

A couple of years ago, listerv users, including "From: @USPSOIG.GOV,” wrote about receiving malicious Postal Service emails. The Postal Service IG recipient asked other government Web managers to send similar emails for record-keeping purposes. In reply, listserv user "From: @US.ARMY.MIL" forwarded one such bogus message that he or she received.

The government provided Nextgov with the listserv messages in response to an open records request, after redacting the individuals’ names.

The exchange transpires as follows:

From: @USPSOIG.GOV>

Date: Friday, May 18, 2012 11:00

Subject: Re: [CONTENT-MANAGERS-L] Any USPS members on the list?

To: CONTENT-MANAGERS-L@LISTSERV.GSA.GOV

Hi -

I'm with USPS-OIG.

 

There are a series of malicious spam, phishing scheme and/or virus

emails going around masked as coming from USPS. I actually

received some myself ...

Lawmakers Say Favored NSA Reform Bill Doesn’t Go Far Enough

By Frank Konkel // May 15, 2014

Patrick Semansky/AP file photo

A group of lawmakers concerned about weaknesses in the most popular surveillance reform bill circulating on Capitol Hill wants to insert an amendment that would bar the National Security Agency from weakening encryption standards or exploiting large-scale internet security vulnerabilities.

According to a report in the Guardian newspaper, Rep. Zoe Lofgren, D-Calif., and other House members want to stop the NSA from “utilizing discovered zero-day flaws,” like the Heartbleed flaw made public in April that compromised countless online systems. The proposed amendment, the report claims, would also not allow the NSA “to create them, nor to prolong the threat to the Internet” by failing to warn against vulnerabilities.

The NSA came under fire when reports surfaced last month that the agency knew about -- and exploited -- the Heartbleed bug, adding fuel to the fire of privacy advocates who were outraged to learn the NSA had also deliberately subverted encryption standards adopted and promulgated by the National Institute of Standards and Technology. NIST recently removed a cryptographic algorithm from its draft guidance on random number generators following extensive public feedback and its own tests following the revelations, which came from documents leaked by former NSA contractor Edward Snowden.

Lofgren told the Guardian ...