recommended reading

ARCHIVES

HHS, DHS and EPA Don’t Need to Dole Out New Cyber Rules

By Aliya Sternstein // May 22, 2014

White House Cybersecurity Coordinator Michael Daniel
White House Cybersecurity Coordinator Michael Daniel // Ann Heisenfelt/AP

White House officials on Thursday announced that the departments of Homeland Security and Health and Human Services, along with the Environmental Protection Agency, do not need to impose new regulations to defend industry against hacks, because voluntary measures will suffice.

Obama administration officials stopped short of saying whether independent regulatory agencies should prescribe new cyber rules for the energy, financial and other critical sectors. 

A February 2013 presidential executive order required agencies to determine whether current rules are sufficient to carry out forthcoming industry cyber standards. The standards, which came out in February and presently are voluntary, instruct organizations on how to identify, respond and recover from network disruptions. 

"The major outcome is that the administration’s analysis supports our current voluntary approach to address cyber risk," White House Cybersecurity Coordinator Michael Daniel said in a blog post. "The administration has determined that existing regulatory requirements, when complemented with strong voluntary partnerships, are capable of mitigating cyber risks to our critical systems and information."

Much of the nation's critical infrastructure is governed by independent regulators, which were not required to do an analysis, he noted. 

"The analysis conducted pursuant to [the order] represents a limited subset of critical infrastructure...

USPS Employees Get Fake USPS Phishing Emails, Too

By Aliya Sternstein // May 21, 2014

Paul Sakuma/AP file photo

Postal Service personnel, who, like all of us, receive bogus emails claiming to be from the USPS, have a few ways of dealing with the threats that are sometimes part of mass spam campaigns and occasionally hack attempts targeted at feds.

An exchange of emails among users of the U.S. government's Web content managers listserv highlights the desire to keep tabs on the motives in play. 

A couple of years ago, listerv users, including "From: @USPSOIG.GOV,” wrote about receiving malicious Postal Service emails. The Postal Service IG recipient asked other government Web managers to send similar emails for record-keeping purposes. In reply, listserv user "From: @US.ARMY.MIL" forwarded one such bogus message that he or she received.

The government provided Nextgov with the listserv messages in response to an open records request, after redacting the individuals’ names.

The exchange transpires as follows:

From: @USPSOIG.GOV>

Date: Friday, May 18, 2012 11:00

Subject: Re: [CONTENT-MANAGERS-L] Any USPS members on the list?

To: CONTENT-MANAGERS-L@LISTSERV.GSA.GOV

Hi -

I'm with USPS-OIG.

 

There are a series of malicious spam, phishing scheme and/or virus

emails going around masked as coming from USPS. I actually

received some myself...

Lawmakers Say Favored NSA Reform Bill Doesn’t Go Far Enough

By Frank Konkel // May 15, 2014

Patrick Semansky/AP file photo

A group of lawmakers concerned about weaknesses in the most popular surveillance reform bill circulating on Capitol Hill wants to insert an amendment that would bar the National Security Agency from weakening encryption standards or exploiting large-scale internet security vulnerabilities.

According to a report in the Guardian newspaper, Rep. Zoe Lofgren, D-Calif., and other House members want to stop the NSA from “utilizing discovered zero-day flaws,” like the Heartbleed flaw made public in April that compromised countless online systems. The proposed amendment, the report claims, would also not allow the NSA “to create them, nor to prolong the threat to the Internet” by failing to warn against vulnerabilities.

The NSA came under fire when reports surfaced last month that the agency knew about -- and exploited -- the Heartbleed bug, adding fuel to the fire of privacy advocates who were outraged to learn the NSA had also deliberately subverted encryption standards adopted and promulgated by the National Institute of Standards and Technology. NIST recently removed a cryptographic algorithm from its draft guidance on random number generators following extensive public feedback and its own tests following the revelations, which came from documents leaked by former NSA contractor Edward Snowden.

Lofgren told the Guardian...

FCC Employees, Is Your Internet Running Sluggish Today?

By Aliya Sternstein // May 14, 2014

Members of US advocacy groups camp outside FCC headquarters in Washington, DC, on Jan. 30, 2014
Members of US advocacy groups camp outside FCC headquarters in Washington, DC, on Jan. 30, 2014 // Kevin Wolf/AP

Some website operators are slowing down Federal Communications Commission employees' access to their sites in protest of potential paid Internet fast lane regulations. On Thursday, FCC Chairman Tom Wheeler is expected to release a proposal that would let broadband providers charge sites for bandwidth-heavy content. 

The hacktivist collective Anonymous is circulating through Twitter a file -- dubbed "How to throttle the FCC to dial up modem speeds on your site" -- that makes a specific site load at a turtle's pace for anyone using an IP address belonging to the FCC. 

For example, if Nextgov.com used the configuration, then readers of Nextgov at the FCC would have trouble accessing our stories. The instructions provide actual FCC IP ranges. (Note to FCC readers: We don’t plan to do this.)

Affiliates of Anonymous and security researchers alike call the gambit hilarious. 

The virtual sit-in at government websites is nothing new. In 2012, Anonymous wielded a similar tactic against Justice.gov to successfully kill anti-piracy legislation it condemned as censorship. That time, opponents of the Cyber Intelligence Sharing and Protection Act, or CISPA, waged a distributed denial of service, or DDoS, attack that silenced Justice's site with bogus Web traffic. 

The...

Feds: You Need to Fix Your TSP Passwords This Weekend

By Aliya Sternstein // May 7, 2014

Bruce Rolff/Shutterstock.com

The website of the Thrift Savings Plan, the retirement program for 4.6 million federal employees and retirees, gives identity thieves clues about how to crack users passwords, some security analysts say. As it happens, TSP plans to change its password policy this coming weekend to eliminate those clues, a spokeswoman told Nextgov when asked about it this week.    

Security has been a sensitive issue for TSP administrators after hackers in 2011 penetrated a contractor’s computer exposing the Social Security numbers of 125,000 plan participants.

The problem with the TSP website, one expert said, is that crooks can use details about creating logins to compose a convincing phishing email: 

“The fact that they publish that it's an eight digit password length for changing your online contribution is unbelievable," NSS Labs Chief Technology Officer John Pirc says.

Worse yet, they aren't following U.S. Government Configuration Baseline guidelines that recommend agencies use passwords longer than eight characters, ideally at least 12 characters, he says. Based on recent tests, figuring out an eight character password takes about 24 hours, Pirc says.  

TSP should rethink the use of eight-character passwords and change the language on its website, which “provides...