Nextgov/FCW - Authors - Aliya Sternstein

Federal student loan data targeted in fraud

Aliya Sternstein, FCW — Tue, 08 Aug 2017 12:38:00 -0400

Federal prosecutors have declined to bring charges in a series of cases involving tampering with federal student loan accounts, including six instances of tampering by employees at a credit reporting firm.

Workers at that firm, then known as Kroll Factual Data, tampered with several federal student loan accounts to the point where customer service representatives at one loan provider weren't able to trust the data in their computers.

The episode came to light after a complaint from a Sallie Mae customer that the email address on his account had been changed without his permission, according to a heavily-redacted Education Department Office of Inspector General investigation report obtained through a Freedom of Information Act request.

The federal loan provider told the government that the individual who manipulated the customer's account "impaired the integrity of the data in Sallie Mae systems," and "if the email address has been changed without the knowledge of Sallie Mae or the customer, then Sallie Mae cannot trust the data in the system," according to the 2015 final report.

No one was ever prosecuted for a crime in the Kroll Factual Data case, however, or in nearly 20 other similar cases at other financial companies recounted in a September 2016 inspector general audit.

These investigations into unauthorized behavior involving online federal student loan accounts highlight the challenge of penalizing companies who fiddle with sensitive borrower data for commercial or personal gain. The 2016 report that exposes credential abuse warns that, when outside entities open accounts or change user information, the Department of Education and loan servicers may not be able to contact the borrower. Additionally, the report asserts that such activity violates federal user agreements.

Congress checks in

Some in Congress are pressing the Education Department to end the growing problem by shoring up the National Student Loan Data System, a central government database that underpins all student financial aid accounts. Online student loan deception became the focus of two House Oversight and Government Reform Committee hearings in one month this May.

Rep. Elijah Cummings, D-Md., ranking Democrat on the Oversight committee and an advocate for student aid reform, said the Kroll meddling seems similar to other exploitation the committee has reviewed.

"It is outrageous that these companies could not be prosecuted because of technicalities for conduct they must have known was wrong. We need to prevent loan servicing companies from engaging in these abuses and hold them accountable for protecting the students they are supposed to be serving," Cummings wrote in an email, referencing the Kroll case and previous probes into online student loan fraud. "These are abuses, plain and simple."

After the customer contacted Sallie Mae about the email address swap in 2013, Sallie Mae's in-house investigators checked his PIN. They determined that he had been locked out of his account, someone re-enrolled him under a new PIN account, and all the activity traced back to an IP address assigned to Kroll, according to the Department of Education inspector general's report.

New ownership at Kroll

Patricia Christel, a spokesperson for Navient, which spun off from Sallie Mae and services federal student loans, said in a July 10 email that the company didn't authorize Kroll's online activities and didn't provide Kroll with any customer federal student loan information.

"Our security program worked as designed to detect unauthorized traffic, and we followed established procedures to notify federal officials and collaboratively work with law enforcement," Christel said, adding that Navient follows industry best practices to safeguard customer privacy.

During the inspector general investigation, records showed Kroll employees even changed six usernames for Sallie Mae accounts to a fictitious name^. The credit reporting company said that it "counseled" one of the employees, according to the report, but it is unclear what this admonishment involved.

Kroll did not provide an explanation for how it obtained personal information to log into these accounts. Navient said it does not know definitively how Kroll acquired the data and does not want to speculate.

Catherine Grant, congressional and public affairs liaison for the Department of Education Office of the Inspector General, said in an email that "Kroll Factual Data did not keep detailed records" that explained the method by which employees obtained students' info.

A spokesperson for Kroll's new parent company FD Holdings, which acquired Kroll in January 2015, said in an emailed statement that the Department of Education inspector general inquired about "certain student loan information accessed by Kroll Factual Data in connection with one of its service offerings." But FD Holdings said it does not know further details about the incident, because the company didn't purchase Kroll until years after this happened.

The Department of Education presented the examination of "unauthorized Sallie Mae account tampering" to the Justice Department Computer Crimes and Intellectual Property Section for potential prosecution in 2014, but Justice declined to prosecute anyone, the report states.

One reason for not taking on the case was redacted in the final report, and another reason given was that potential remedies are available elsewhere, specifically at the Federal Trade Commission, which received the case in February 2015 and agreed to accept it.

FTC officials said, as a policy, the commission does not comment on whether it is investigating a matter.

The Kroll situation is but one example of recurrent findings by the Department of Education IG that outside vendors are misusing federal student loan credentials.

Tightening up citizen-facing tools

Many situations similar to the Kroll case pop up in the 2016 inspector general audit, Grant noted. In one investigation, an unidentified loan consolidator that promised to enroll borrowers in debt forgiveness programs -- for which they weren't necessarily eligible -- allegedly accessed the National Student Loan Data System and tampered with a borrower's PIN account. But the company had required borrowers to sign a power of attorney granting permission to view their accounts, so investigators were stymied in trying to bring charges for unauthorized access.

Other recent hacks of the system include a breach of a since-deactivated IRS tool supporting the Department of Education's online financial assistance form that may have affected up to 100,000 taxpayers.

In May, Diverse: Issues in Higher Education reported that a Louisiana private investigator allegedly tried exploiting the component, part of the Free Application for Federal Student Aid, to illegally obtain Donald Trump's tax records during last year's presidential campaign.

The tool was unplugged in March, after it became clear that bad actors were submitting Social Security numbers and other data to make the form automatically upload tax information.

Officials at Department of Education headquarters declined to comment on the Kroll breaches, but said they have been adjusting login requirements for certain financial aid websites, like FAFSA.gov and StudentLoans.gov.

In May 2015, Education rolled out "FSA ID," a credential consisting of a username and strong password. The sign on method does away with PINs and offers three options to reset accounts: enter a secure code sent by SMS message, a code sent by email, or the answers to previously chosen challenge questions.

"FSA ID uses several mechanisms to try to prevent fraud during account creation and login," Education spokeswoman Elizabeth Hill wrote in an email. Recently, "SMS was added for ID verification and account recovery," but that is optional.

The department completed a simple fix in May, when it quietly altered the terms and conditions on the National Student Loan Data System and the FSA ID website, as recommended by the inspector general. Now, the warning explicitly states that it's against the law for a third party to access the site for commercial or private financial gain, even if assisting an authorized user.

But the Education Department has yet to carry out repeated inspector general recommendations to require multi-factor authentication, which would demand users have a password or other credential plus an outside form of proof that can't be duplicated, like a one-time code from an automated voice call.

Cummings, who sits on several university boards, is working to ensure that agencies are well equipped, adequately funded, and fully staffed to protect young people from predatory lenders and cyber criminals, his aides say.

"There's something about this that just tears at my heart," the congressman said at a May 3 House hearing. "I see young people having to drop out of school because they don't have money and they are struggling. They just want to go out there and be all that God meant for them to be and not only to they have to fight people who are supposed to be helping them but then they lose the opportunity."

]]>

9 States Accept DHS' Election Security Support

Aliya Sternstein — Wed, 21 Sep 2016 17:04:50 -0400

Less than 20 percent of states have asked the Homeland Security Department for help assessing the security of machines at the polls and for scans of online voter registration databases ahead of the presidential election, a DHS official says.

DHS, the federal agency tasked with protecting U.S. networks, on Friday issued a statement reflecting a respect for the independence and reliability of state election systems but also a word of caution about the magnitude of the cyber threats menacing the 2016 race.

In the message, Homeland Security Secretary Jeh Johnson urged more states to take advantage of security protections the department makes available to outside organizations.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

As of Wednesday, "we have received requests and are currently working with nine states on scans and assessment services," DHS spokesman Scott McConnell told Nextgov. He did not disclose the names of the states.

Election officials can take advantage of a variety of DHS services, including exchanges of information about cyber incidents and on-site assessments conducted by DHS experts of network configurations and digital voting machines, McConnell explained.

The on-site risk and vulnerability assessments can take up to three weeks, Johnson said. Security researchers, for more than half a decade, have shown it doesn't require the internet or a nation-state cyber gang to manipulate the nation's outdated ballot devices.

Another option Johnson said DHS provides is “cyber hygiene scans” that run remotely on voter registration databases—like the internet systems in Arizona and Illinois allegedly compromised by Russian hackers, online election night reporting tools, and other internet-connected election management systems.

"It is important to emphasize what DHS assistance does not entail," he said. "DHS assistance is strictly voluntary and does not entail regulation, binding directives, and is not offered to supersede state and local control over the process. The DHS role is limited to support only."

Acknowledging localities have checks and balances built into electoral systems, Johnson said DHS has confidence in the overall integrity of state voting operations for the Hillary Clinton and Donald Trump contest.

But "we must be vigilant" in a country targeted by "a range of increasingly capable actors," including nation states, hacker activists and crooks, he said. "A number of states have reached out to us with questions or for assistance. We strongly encourage more state and local election officials to do so," he said.

On Thursday, the DHS cyber incident response team issued a security tipsheet for online voter registration databases.

One technique bad guys use to meddle with voter registration websites, called a SQL injection, enters commands into those online forms on a webpage that can allow the hackers entry into back-end databases, according to the U.S. Computer Emergency Readiness Team. Other assaults, like a denial-of-service attack, try to freeze voter registration websites by generating a barrage of bogus user traffic. Misconfigured servers and fraudulent emails also can let intruders grab voter information or disrupt voting operations, US-CERT said.

The DHS security tips discourage paying hackers who use "ransomware" that locks voter files until the attackers receive a bounty. Wiring the ransom "does not guarantee access will be restored to a compromised [voter registration database],” according to Homeland Security.

Amid fears of a hacked election, what really scares some state officials is that such fears will undermine trust in the democratic process.

At a Sept. 8 meeting of the federal Election Assistance Commission, West Virginia Secretary of State Natalie Tennant said her biggest concern about the November event is "that questioning and that lack of confidence that people might start perceiving."

Louisiana Secretary of State Tom Schedler told the commission the election security rhetoric in the media and in Congress should be ratcheted down.

"The last we thing we need is the creation of a new post office department or a new TSA in the area of elections in this country," he said, referring to the formation of the Transportation Security Administration under DHS. "Leave it in the states. That's what the Constitution says. Leave it there. We know what we're doing. We need your assistance. We want it. But let's everybody stay in their lanes."

]]>

NSA Dares College Students to Locate, Disarm Bombs Controlled through the Net

Aliya Sternstein — Wed, 14 Sep 2016 07:00:00 -0400

At this moment, cybersecurity students are scouring networks for a secret computer program designed to trigger a (prop) roadside bomb, in a twist on the National Security Agency's annual coed codebreaking contest, according to NSA officials.

A few days ago, the agency provided college undergraduates and graduate students with file downloads for solving the Codebreaker Challenge, which, in this case, is to locate, replicate or "reverse engineer," and neutralize an improvised explosive device.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

According to a countdown clock on the competition website, you have 109 days left to deactivate the bomb:

DISCLAIMER: The following is a FICTITIOUS story meant for providing realistic context for the Codebreaker Challenge and is not tied in any way to actual events.

Terrorists have recently developed a new type of remotely controlled Improvised Explosive Device, making it harder for the U.S. Armed Forces to detect and ultimately prevent roadside bomb attacks against troops deployed overseas. The National Security Agency, in accordance with its support to military operations mission, has been asked to develop capabilities for use against this new threat. This will consist of six tasks of increasing difficulty, with the ultimate goals of being able to disarm the IEDs remotely and permanently render them inoperable without the risk of civilian casualties.

NSA officials say they will confront young computer scientists with the kinds of threats the agency faces daily, partly as an intelligence analyst recruitment effort.

"The challenge is designed to simulate aspects of NSA's mission," agency spokeswoman Clarese Wilson told Nextgov in an email.

New for 2016, the spy agency has added "network traffic analysis" to the specialties players will have to apply during the competition.

"Software reverse engineering and network analysis are two disciplines that are critical foundations of both NSA's defensive mission and its support to offensive missions carried out by the military," Wilson said.

The tasks range from identifying IED network ports to decrypting an IED key file to permanently disabling any IED, according to a competition FAQ.

A scoreboard on the contest site ranks participating students by tasks solved. So far, Georgia Tech is leading in three of the six tasks, with Carnegie Mellon University first in two activities. The most active players hail from Carnegie Mellon University Georgia Institute of Technology Dakota State University, University of Maryland, Baltimore County, North Carolina State and Johns Hopkins University.

Other resources available on the site include four online lectures about hacking techniques, including heap overflow and format string attacks.

Interested programmers must sign up through their school's .edu email accounts to compete and receive more information.

"The scenario will revolve around finding an improvised explosive device and having the students figure out how to reverse engineer and then disarm the IED," NSA officials said in a Sept. 12 announcement. "The 2016 scenario differs from previous challenges in that it provides insight into both offensive and defensive missions of the agency. Previous challenges had focused heavily on only the offensive mission."

During Operation Enduring Freedom, there have been more than 1,400 IED-related deaths since 2001, according to iCasualties.org. On Aug. 23, a U.S. service member was killed while conducting an operation with Afghan forces when their patrol triggered an IED, Military.com reports.

"Starting in 2005, we started seeing a big uptick in casualties caused by IEDs and ambushes," NSA Deputy Director Rick Ledgett told Fox News in May.

The agency then created a secretive program to deploy NSA specialists on the battlefield in order to send troops fresh intelligence so they could avoid ambushes. The program, called the Real Time Regional Gateway, created to combat the IED attacks “was really a complete change in how we provided signals intelligence support to the tactical warfighter," Ledgett told Fox.

For the first time, the student competition has added a beginner track so freshman with basic skills can compete.

As with last year's contest, NSA liaisons will be visiting some participating schools to help with the problem sets and detail job opportunities at the agency. There also we be a virtual tech talk hosted through Adobe Connect for students who have questions about the challenge.

"The challenge is entirely fictitious -- no actual military operations or use of the SIGINT system are involved in the challenge story or the files that the users download," Wilson said. "The challenge was developed entirely from scratch, but has been inspired by aspects of NSA's mission that are necessary to protect our nation."

]]>

Congressional Probe Says OPM Hackers Arrived in 2012 And We Will Never Know What They Took

Aliya Sternstein — Wed, 07 Sep 2016 11:45:01 -0400

A new congressional probe into a massive Office of Personnel Management hack reveals the first traces of adversary activity on OPM's network date back to 2012, too far back in time to know what else beyond 21.5 million background check records might have been compromised.

Today, Republicans on the House Oversight and Government Reform Committee released this discovery and other findings from a year-long investigation into the multiyear cyberspy campaign.

"Due to security gaps in OPM's network and a failure to adequately log network activity, the country will never know with complete certainty all of the documents that the attackers exfiltrated from OPM in connection with the breach," states a copy of the 241-page majority staff report Nextgov reviewed.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The congressional investigation links the breaches to the hacker groups Axiom and Deep Panda, whom security consultants like Novetta and CrowdStrike have tied to the Chinese. Speaking at the American Enterprise Institute this morning, committee chairman Jason Chaffetz didn’t connect the hackers to a specific nation but said the adversaries were outside of the U.S.

“The report doesn’t attribute or attempt to attribute exactly who these nefarious actors were; we do believe the hack came from overseas,” he said.

Only after learning that attackers grabbed security documents offering a road map to OPM's data systems did the agency, in March 2014, start logging traffic in and out of the Personnel Investigations Processing System, according to the report. That tool handles intimate secrets on national security personnel and close contacts filed by individuals who apply for clearances to access classified material.

Network logs are the equivalent of CCTV cameras, so without logs, there's no tape of what happened, explained a committee staffer who spoke on background to Nextgov.

Attackers gained access to OPM's network in July 2012, the report states. That means there is an interval of about 17 months during which the United States likely will never know what data the bad guys touched, the staffer said.

"This breach involved data that included manuals and IT system architecture information, but the full extent of exfiltrated data is unknown," staffers said in the report, also noting the names and last four digits of certain contractor Social Security numbers were stolen.

The report draws extensively on interviews with personnel from multiple agencies and IT support contractors, Homeland Security Department incident response reports and internal government documents, some of which the committee subpoenaed.

The report also colors in the chronology of four separate heists believed to be part of the cyberspy operation: Following the hack of manuals and potentially other unknown data, attackers next copied the background check records in July and August of 2014.

Third, in December 2014, hackers scurried into a connected Interior Department data center holding OPM repositories and retrieved 4.2 million federal personnel records. Finally, less than a month before OPM caught on to the game plan, adversaries sucked out 5.6 million employee fingerprints on March 26, 2015.

"The intelligence and counterintelligence value of the stolen background investigation information for a foreign nation cannot be overstated, nor will it ever be fully known," the congressional investigators said.

Security Missed the Target

Subsequent to boosting network surveillance at OPM in March 2014, visibility increased but not enough to spot an attacker drop malware two months later, in May, that would ultimately help pocket the background check records, the staffer said.

According to the report, 99 percent of people only needed a password to access OPM networks at the time. The agency was not requiring computer users to enter a password and second ID format, like a personal identity verification card, for logging into networks.

"Had OPM leaders fully implemented the PIV card requirement—or two-factor authentication—security controls when they first learned hackers were targeting background investigation data, they could have significantly delayed or mitigated the data breach discovered in 2015," congressional investigators said.

At the top of the committee's 13 recommendations for avoiding another federal mega breach is advice that agencies ensure chief information officers are empowered, accountable and competent. At the AEI event, Chaffetz highlighted how a “zero trust” policy could also prevent future breaches from occurring.

“It doesn’t sound very nice but ‘zero trust’ is something I think the private sector figured out a long time ago, and the federal government is a decade or two behind," he said. "The federal government, at least in its federal information systems, often operates without these hall passes in its crudest form,” he added, referring to hall passes implemented in schools. “Once you get on the other side of the wall, they just believe you. ‘Oh yeah, everyone here is cool.’ That’s not the way it should work.”

In addition to dissecting what happened during the assault, the report describes a history of culture and management problems at OPM dating back to 2005 that influenced events, including a poor IT security record, weaknesses in the agency's ongoing IT modernization project, and clashes between former agency CIO Donna Seymour and the OPM inspector general. Seymour “consistently failed to work with the inspector general to better secure [OPM’s] systems and at times, even was misleading and thwarting the watchdog,” Chaffetz said.

The document also delves into controversies surrounding the roles of contractors CyTech Services and Cylance in aiding incident response.

On Wednesday, OPM officials said the GOP staff report does not fully reflect the progress the agency has made to date.

For example, now users need two forms of identification, not just a password, to log onto OPM systems. The requirement "provides a powerful barrier to our networks from individuals who should not have access," OPM Director Beth Cobert said in a blog post.

Along with technological enhancements, the agency has made management adjustments to tighten information security, she said. There is a new CIO, chief information security officer and senior cybersecurity adviser, among other recent OPM IT leadership hires. Cybersecurity resources are centralized under the CISO, whose sole responsibility is to take the steps necessary to control access to sensitive information, Cobert added.

"The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization," she said. "Throughout this agency, management has embraced cybersecurity as a top priority. I am proud of the way the team at OPM rose to the challenge and appreciate the collaborative spirit with which our partners across government worked—and continue to work—side by side with us each and every day."

The top Democrat on the committee, Rep. Elijah Cummings, D-Md., told fellow minority members he could not support the Republican analysis because it assigns blame improperly.

In particular, the report downplays evidence indicating private vendors, not just OPM employees, were players in the lead up to the breaches.

"The OPM breach was achieved using credentials taken from one of OPM's contractors to disguise its initial movements" into the agency's network, Cummings pointed out in a 21-page memo to committee Democrats on Tuesday.

The report unfairly criticizes Seymour, who Chaffetz had demanded resign even before the investigation started, he added. Seymour resigned in February, after Chaffetz had called for her ouster at least five times, Cummings said.

"The Republican staff report fails to adequately address federal contractors and their role in federal cybersecurity," Cummings said. "The most significant deficiency uncovered during the committee's investigation was the finding that federal cybersecurity is intertwined with government contractors, and that cyber requirements for government contractors are inadequate."

Camille Tuutti contributed reporting.

]]>

Military Supermarket Chain's Encryption Setup is 'Unacceptable,' Commissary Says

Aliya Sternstein — Fri, 02 Sep 2016 13:10:29 -0400

The Defense Department's $6 billion supermarket chain needs tighter security for the secret keys fastening its hundreds of databases, Pentagon officials say.

Currently, those keys—lengthy, computer-generated passwords—essentially are stored underneath the doormat, beside personal and financial data, contracting documents show.

"In today’s solutions, the keys reside with the data and that is not acceptable," Defense Commissary Agency officials said in a recent request for information from vendors.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The data at stake includes encrypted payment card industry, or PCI, data and personally identifiable information, or PII, agency spokesman Kevin Robinson told Nextgov. Scrambled in code indecipherable to hackers, the records contain credit card numbers and security codes from the back of the card, he said.

The commissary agency's proposed system would make it possible, say, to deposit keys at DeCA's Fort Lee, Virginia, headquarters for locking and unlocking remote databases at a server farm "in the cloud," the contracting papers said.

The Pentagon embraces encryption while other parts of the government see it as an obstacle.

The FBI and other U.S. authorities want a copy of all keys or some other "backdoor" entry into encrypted data to intercept messages about terrorist plots and other life-or-death matters. Then, there are security experts, like technologist Bruce Schneier, who say there is no way to give the FBI that capability without weakening encryption against all adversaries.

Beyond using encryption to protect grocery store operations, the military deploys the data-scrambling feature in handheld radios, missile system data links and other communications devices to hide information from foes.

On Tuesday, FBI Director James Comey repeated a refrain from the past couple of years about encryption handicapping criminal investigations and said the bureau is collecting information about the challenge in preparation for an “adult conversation” next year.

Whatever the result of that conversation, the commissary agency's future encryption system would have to adapt its features accordingly.

"In order to keep pace with changes in encryption standards, the vendor is required to be in compliance with the encryption guidance that the National Institute of Science and Technology publishes for federal agencies," the RFI said. Computer algorithms that generate the encryption and decryption keys cannot be proprietary or "home-grown," and must be industry tested and DOD approved.

While the 250-store grocery chain has not committed to buying anything, officials Aug. 24 said there's a possibility an acquisition will take place in fiscal 2017.

The system, formally dubbed the Enterprise Encryption and Key Management Solution, would consist of commercial, currently available technology that stows encryption keys in a different location than the data in the agency's 629 database environments, officials said.

"What DeCA does today is utilize the inherent encryption capabilities of the databases it uses such as Oracle and Microsoft SQL Server," the contracting papers said. "The fundamental problem with this approach is not necessarily in the encryption but in the keys that enable the unencrypting of the data."

Early last month, Oracle informed customers of a data breach in a corporate unit that runs MICROS retail payment terminals, which experts say could explain a rash of recent cashier data breaches at many hotels, shops and other bricks-and-mortar outlets, Fortune reported. Oracle said the hack did not affect its cloud services.

The future defense agency arrangement would "enable the keys to be maintained external to the data that has been encrypted" and support various cloud databases, the contracting papers said.

Commissaries at military bases offer defense personnel and their families discounts, equal to the actual cost of a product plus 5 percent, that could cut customer expenses by thousands of dollars a year, according to the agency.

The new system should allow a way for "securing of encryption keys generated by DeCA database platforms that natively encrypt PCI and PII data," Robinson said in an email. "Additionally, the solution should provide alternatives to the local database native encryption features for PCI and PII data."

]]>

At Least One State Declines Offer for DHS Voting Security

Aliya Sternstein — Thu, 25 Aug 2016 12:52:41 -0400

At least one state has declined an offer from the Homeland Security Department to scan its voting systems for hackers ahead of the presidential elections.

As suspected Russian-sponsored attackers compromise Democratic Party and other U.S. political data allegedly to sway voter opinion, some security experts say it wouldn't even take the resources of a foreign nation to manipulate actual votes using this country's antiquated tallying systems.

Against this backdrop, Homeland Security Secretary Jeh Johnson during an Aug. 15 call with state election officials, offered states DHS services that can inspect voting systems for bugs and other hacker entryways. Earlier in the month, he also suggested the federal government label election systems as official U.S. critical infrastructure, like the power grid.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

But one battleground state, Georgia, intends to rely on its own security crew to maintain the integrity of voter data.

"The question remains whether the federal government will subvert the Constitution to achieve the goal of federalizing elections under the guise of security," Georgia Secretary of State Brian Kemp told Nextgov in an email. "Designating voting systems or any other election system as critical infrastructure would be a vast federal overreach, the cost of which would not equally improve the security of elections in the United States."

Georgia, where some projections show presidential contenders Hillary Clinton and Donald Trump neck and neck, reportedly could use a vote machine reboot.

"Georgia, which is running electronic-only machines—there's no paper trail. ... And the machines they're using are more than a decade old, so the hardware is falling apart. And the operating system they're using is Windows 2000, which hasn't been updated for security for years, which means it's a sitting duck," Zeynep Tufekci, a University of North Carolina information and library science professor, told NPR on Saturday.

There is no evidence ballot manipulation has ever occurred in the United States, and, per Johnson, DHS is not aware of any credible cyberthreats related to 2016 general election systems.

All the same, vote machine hacks are all the rage among researchers at Las Vegas hacker confabs.

Even top White House tech privacy adviser Ed Felten helped demonstrate the weaknesses of digital voting booths in his previous life as a Princeton University academic.

In a 2009 paper Felten co-authored, researchers commanded an AVC Advantage voting machine—the kind still deployed in Pennsylvania and other states—to steal votes. No internet required. They altered a pretend election by inserting a malicious memory cartridge the size of a paperback book that would typically be used for recording votes. The tainted device combined snippets of authorized code inside the system to cause the unauthorized behavior.

"An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes or changes votes as the attacker wishes," Felten and colleagues from Princeton, University of California at San Diego and the University of Michigan wrote in "Proceedings of the 2009 Electronic Voting Technology Workshop."

No Recounts

Because of hacking concerns, many states are keeping a paper trail to audit the vote count, but not all.

In addition to Georgia, parts of Pennsylvania, another tossup state, do not maintain paper backups in the event of a hack, Tufekci said.

Pennsylvania officials say cybersecurity experts from the commonwealth's IT shop work closely with the state elections team to secure voting-related infrastructure.

"Pennsylvania has implemented policies, technologies, best practices and procedures around the safeguarding of data and the protection of our applications, systems and resources," Pennsylvania Department of State spokeswoman Wanda Murren said. "We constantly monitor our data and systems for vulnerabilities and attempted attacks in order to keep pace with the rapidly evolving threat landscape."

She declined to go into specifics as a matter of policy.

Update: On Aug. 30, Pennsylvania Deputy Secretary of Elections and Administration Marian K. Schneider said in a statement that Department of State had been in touch with DHS officials about how they could be of assistance in Pennsylvania.

A Homeland Security spokesman told Nextgov on background "several states" currently use DHS hygiene scans and assessment services for voting systems. He would not disclose the names of any jurisdictions.

Florida, where Trump has been down nine points, declined to say whether it will ask DHS to scan local voting machines but did participate in the national teleconference with Johnson.

The Florida secretary of State Department "is engaged with DHS, in addition to all of our other state and federal stakeholders, on an ongoing basis to help ensure the security and integrity of Florida elections," department spokeswoman Meredith M. Beatrice said.

Ohio, where Clinton has a narrow advantage over Trump, appears to be taking advantage of some DHS support for election cybersecurity.

"The Ohio Department of Homeland Security is working with their federal counterparts, so we are working through them to perform the needed scans," Ohio secretary of state spokesman Joshua Eck told Nextgov in an email.

Richard Clarke, a former National Security Council adviser under presidents Bill Clinton and both of the George Bushes, cautions it could be hard to detect a slight manipulation of voter data in some swing precincts.

"Smart malware can be programmed to switch only a small percentage of votes from what the voters intended. That may be all that is needed," Clarke, now an ABC News consultant, commented last week.

Correction: The original version of this article indicated that Pennsylvania had declined an offer from the Homeland Security Department for help in protecting its voting systems from hackers. While Pennsylvania officials indicated they had their own cybersecurity experts working on the issue, they also have had discussions with DHS about what kind of help the department could provide. The headline and the article have been updated.

Sept. 6 update: Georgia officials now say they are awaiting direction on what DHS plans to offer and how it plans to offer such assistance to state election officials.

]]>

VA's Latest Benefit: On-Demand Cyber Training

Aliya Sternstein — Fri, 19 Aug 2016 14:47:01 -0400

Your hacked credit card account could be the ultimate beneficiary of a relatively new perk the Homeland Security Department is offering former service members.

A DHS online school is providing vets classes in malware analysis, mobile security and ethical hacking, among other subjects, as the number of open cyber jobs and jobless veterans grows. The lessons are available on demand, so veterans can progress through the training at their own pace.

The need for cybersecurity experts is increasing 12 times faster than the current U.S. job market, according to a Veterans Affairs Department blog post advertising the courses.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Through the DHS Federal Virtual Training Environment, veterans also can take preparatory classes for professional certification tests administered by ISACA, (ISC)2 and CompTIA.

Cyber pros typically can command six-figure salaries.

"Veterans can sign up for an account through the Hire Our Heroes website and follow instructions through ID.me to verify veteran status and register for a FedVTE account," VA officials said in the post.

The cyber skills e-learning program is co-sponsored by Hire Our Heroes, a nonprofit, veteran-run organization that aims to employ the country's millions of out-of-work vets and service members close to retirement.

The DHS school is not the only no-cost information security training program targeted at vets. For example, VetSuccess, run by the privately operated SANS Institute, promotes itself as a hands-on academy that supplies the technical skills required to land current openings.

"One of the veterans in the first cohort had offers for $30,000-$40,000 help desk jobs," SANS Institute Research Director Alan Paller told Nextgov in an email Friday. "He applied for VetSuccess, got in and did well in the training and certification exams. Now, he is choosing among three offers in the $70,000 to $100,000 range."

Earlier this year, internet security firm Solutionary partnered with SANS on a six-week training program for qualified veterans who promise to work for the company at least two years.

Classmates in Solutionary's customized sessions "are ready to perform effectively on day one," Paller said. "They need intrusion detection skills as well as knowledge on exploits and how to find them and eliminate the attackers."

]]>

Privacy Guidebook for Eavesdropping on Americans Draws Flack

Aliya Sternstein — Thu, 18 Aug 2016 07:00:00 -0400

A privacy update to 1982 Defense Department rules for conducting surveillance on Americans contains a loophole that lets the National Security Agency continue eavesdropping on a wide swath of online conversations, critics say.

"DOD Manual 5240.01: Procedures Governing the Conduct of DOD Intelligence Activities" was last issued when all email addresses could fit in a Parent Teacher Association-sized directory.

The new rules reflect a shift in intelligence gathering from bugging an individual’s phone to netting communications in bulk from the global internet. The revision aims to address the reality that many, many conversations now occur online and should be shielded from government surveillance, intelligence and civil liberties experts agree.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

But the document creates a carveout that does not respect the privacy of data ferried along international communications wires, according to the New America Foundation's Open Technology Institute.

The new manual is "making kosher the kind of upstream collection that allows for really widescale incidental collection, even if very time-limited collection, of Americans' information," said Robyn Greene, the institute's policy counsel.

Unlike in the 1980s when transatlantic talk was cost-prohibitive (a 3-minute call between America and Western Europe cost up to $12.60), now the equivalent of several hundred Libraries of Congress worth of chatter traverses undersea cables everyday at a rate of a few cents per YouTube download.

So, the word "collection" takes on new meaning in the policy to try ensure personal data is handled with discretion. In the past, information was considered captured only when officially accepted for use by an analyst. Now, information is considered captured "when it is received," according to the revised manual.

"The clock starts to run as soon as information is collected, meaning that collected information must be promptly evaluated to determine the proper retention period," Cody Poplin, a former Brookings Institution researcher, commented in a Lawfare blog post.

However, privacy advocates say the timer to preserve confidentiality starts too late.

The new procedures do not consider short-term files like email contents and metadata swept up from the internet as "collections" that merit protection. The manual states: "Collected information does not include: Information that only momentarily passes through a computer system; information on the internet or in an electronic forum or repository outside the component that is simply viewed or accessed by a component employee but is not copied, saved supplemented or used."

"It's great" that more stored communications will enjoy privacy protections, but the document "fails to address the core concerns that we have about bulk collection and the impact that has on Americans' privacy and on nontargeted foreigners' privacy," Greene said.

Can't Touch This

It remains to be seen, or unseen, how U.S. spies are following the new data-handling guidelines in practice when scanning networks.

On Wednesday, Defense officials declined to comment on internet cable-tapping.

In response to the concerns raised, Pentagon spokesman Lt. Col. Eric Badger said in an email to Nextgov the "provision defining collection in the new manual, including the exclusions, does not diminish the protections that existed under the previous" guidelines.

He also said there is an existing classified annex containing "civil liberties and privacy protections for U.S. persons when conducting signals intelligence" that remains in effect until an update is issued.

“As to the hypothetical, we cannot comment,” Badger said.

The Aug. 8 rules apply to the entire Pentagon, including NSA.Defense Secretary Ash Carter and Justice Department head Loretta Lynch signed off on the manual, after consulting with Director of National Intelligence James Clapper.

One intelligence community contractor says the policy reboot does a much better job at spelling out the dos and don'ts of siphoning Americans' data from the internet.

The manual helps “clarify how that data could be used, how it’s going to be handled, how it’s going to be safeguarded, etc." said Justin Fier, director for cyber intelligence and analysis at Darktrace, where many on staff formerly served British and U.S. spy agencies.

"It allows Americans to feel OK with the fact that they can use the internet and the internet might be a collection platform," he said.

Five years is the cap for keeping data on Americans intentionally captured, as well as data "incidentally collected" while targeting a specific person in the United States, the manual says. Collateral data can be retained for up to 25 years if the target of the sweep is reasonably believed to be outside the United States, according to the policy.

"The procedures require that, at the end of the maximum evaluation period" data on Americans "is deleted from intelligence databases unless affirmatively determined to meet the criteria for permanent retention," an accompanying Pentagon fact sheet reads.

Civil liberties groups contend much of that data should not be retained to begin with, but reversing course would take changes to presidential policy. The manual is still undergirded by a Reagan-era executive order (E.O. 12333) that allows the government to Hoover up data on Americans from outside the United States, without the restrictions that limit stateside searches.

"These new privacy protections don't narrow the scope of collection authorized under E.O. 12333 to prohibit the mass surveillance that the NSA currently engages in," Greene said. Until the order "is amended to address that problem, the NSA will still be able to use that authority to scoop up the communications of millions of innocent people."

This week, NSA is dealing with an apparent counterespionage attack that perhaps leaked pieces of the spy agency’s hacking tool arsenal. Ex-intelligence contractor Edward Snowden, who exposed the bulk data interception at issue here, has suggested the Russian government spilled NSA’s malicious codes as part of an ongoing plot to tamper with the U.S. presidential elections.

]]>

DOD IG to Probe Security of Army Patient Records

Aliya Sternstein — Thu, 04 Aug 2016 15:31:21 -0400

The Pentagon inspector general on Thursday announced plans to audit, starting this month, the security of Army digital patient files.

The probe comes at a time when government and private hospitals are up against employees who inadvertently compromise health care records and bad guys who extort money in exchange for leaving health data unharmed, among other computer threats.

"Our objective is to determine whether the Army designed and implemented effective security protocols to protect electronic health records and individually identifiable health information from unauthorized access and disclosure," Carol Gorman, assistant inspector general for readiness and cyber operations, said in a memo.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

This inspection will be the first in a series of reviews of security controls for military electronic patient records and personal health information, she says.

Computer systems will be reviewed at the U.S. Army Medical Command; the enhanced Multi-Service Market led by the Army in the Puget Sound region; the Army medical center at Joint Base Lewis-McChord, Washington; and one Army hospital and clinic each at Fort Carson, Colorado.

During the audit, examiners may identify other locations they want to review, Gorman said.

Military health care IT is a high-risk, high-reward industry in a field where lives are at stake, according to recent developments.

The Pentagon last summer awarded Leidos and partners a $9 billion contract to build a next-generation electronic health records system. The setup was expected to be running at initial operating capability by December, but the DOD inspector general this spring signaled the system might miss that deadline.

More recently, on July 14, the Defense Health Agency awarded EHR Total Solutions a potential $70 million contract for workflow assistance at military treatment facilities that use "tri-service" electronic health record systems. The five-year deal would support the Army, Navy and Air Force.

Now, hackers are even trying to make money off patient file systems, by freezing the computer tools until the medical provider pays a ransom. Earlier this year, crooks reportedly held electronic records at Hollywood Presbyterian Hospital hostage for two weeks, before the health care center surrendered $17,000 in bitcoin, a digital currency.

So far, the Homeland Security Department isn't aware of any situations where federal agencies paid hackers to remove ransomware from a government system.

Hardly a week goes by without news of a patient data breach, according to updates on Databreaches.net. For instance, a former Veterans Affairs Department nurse in Florida was sentenced to five years in prison for manipulating a veteran's health care records to cover up deficient care, U.S. officials announced in March.

An internal investigation at the VA Medical Center Miami revealed Enrique Martinez Mathews altered the data while the patient recovered in a surgical intensive care unit.

"The defendant’s actions caused appropriate medical treatment to be withheld from the veteran, who later passed away," Justice Department officials said in a statement. The ex-VA nurse was convicted of causing damage to the computer system, among other things.

]]>

Hackers Pocket Credit Cards While Processing USPS Mail, Snap Selfies with Dying Patients and Leak DNC Donor Voicemails

Aliya Sternstein — Mon, 01 Aug 2016 05:00:00 -0400

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Former USPS Worker Allegedly Ripped Credit Cards from Envelopes to Buy Designer Handbags, Cars

An ex-U.S. Postal Service processing clerk has been charged with stealing credit cards from undelivered mail while working at a USPS center in California.

Chinh Vuong, 48, allegedly made at least $6,000 a month by selling the credit cards. He is accused of then spending the money on luxury items including designer handbags, boots and cars.

It’s unclear how long he had been illegally opening mail to pocket payment cards and sell the data. But during at least one year, he allegedly stole 6,240 credit cards by stuffing them into his waistband and then carrying them out to his car on his break.

Vuong had worked as a mail clerk since 1989.

As part of the scheme, he would steal cards issued to customers of Chase Bank and American Express and then sell 11 cards for $500, or 132 cards for $5,000, court documents say.

Beginning in June 2015, he allegedly sold hundreds of cards to two people whom he thought were customers but actually worked as law enforcement informants.

Last October, authorities searched his home and seized 199 stolen credit cards and luxury items bought using money from the scam, including two BMWs and about two dozen handbags made by brands including Prada, Louis Vuitton and Gucci, prosecutors said.

Paramedics Snapped Selfies with Unconscious Patients inside Ambulances

A pair of Emergency Medical Services personnel in Florida allegedly used their cellphones to take selfies and videos with patients inside ambulances, over an 8-month period.

Former Okaloosa County, Florida, paramedic Kayla Renee Dubois, 24, was arrested July 21, while the other suspect, Christopher Wimmer, 33, turned himself in to police that afternoon.

In one instance, Wimmer allegedly held open the eyelid of a sedated patient for a selfie. Investigators say he also posed with an elderly woman with her breast exposed.

Two of the patients pictured have died and three photos appear consensual. Of the remaining patients, 19 are female, 17 are male. Five of the individuals are homeless.

A 2-month long investigation was launched May 13, 2016, after a public safety official in Okaloosa County learned of the allegations from three other Emergency Medical Services employees a week earlier. A criminal investigation revealed "the defendants exchanged texts challenging each other to produce more selfies and to 'step up' their game."

"The patients were intubated sedated and otherwise unconscious," Okaloosa County Sheriff Larry Ashley said. "It was a sick juvenile game, I don't know any other way to describe it ... It was a game of who can be the most vile, who can I get a picture with, it's humiliating."

"This has more to do with an invasion of privacy and respect than anything," he added.

Selfies were shared with three other paramedics involved and possibly millions more on social media.

One of the victims was an Okaloosa County Sheriff's Deputy.

Officials said most of the victims have been notified and it was a complete violation of the Health Insurance Portability and Accountability Act.

County officials say all personal cellphones have now been banned from ambulances. Each EMT is provided a work cellphone. On those devices, the option to record video and take pictures is disabled.

U.S. Citibank Employee Erases Company's Servers, Crippling 110 Branches

The now former worker has been sentenced to nearly two years in jail after pleading guilty to issuing commands that wiped the configuration files on 10 core routers on the financial institution’s internal network.

The hack Lennon Ray Brown, 38, executed in December 2013 affected data network and phone access at branches nationwide – about 90 percent of all Citibank branch offices.

Brown's actions came after he had been reprimanded for poor performance by a manager.

He uploaded a series of commands to Citibank's Global Control Center routers, deleting the config files for nine of the routers and causing traffic to be re-routed through a set of backup routers. While there was not a complete outage, the re-routing led to "congestion" on the network and at branch offices, according to court records.

Brown said the following in a text message to a coworker shortly after the incident:

They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team.

Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.

WikiLeaks Uploads DNC Voicemails from Annoyed Donors

In one of the 29 hacked Democratic National Committee audio messages released, a funder complained the party was pandering to then-presidential nominee Bernie Sanders.

The series of voicemails show funders “plying top-level officials for favors,” CNN reports.

For example, a woman supporting Democratic presidential nominee Hillary Clinton phoned the party’s finance director and said she was angry the party was letting liberal activist and prominent Sanders surrogate Cornel West have a seat on the party's platform-writing panel.

"I'm furious about what you are doing for Bernie Sanders, he's getting way too much influence. I'm on a fixed income, I spent over $300, donated to Hillary, what I see is the DNC bending over backwards for Bernie and Bernie is the worst person in the world to even be running in the Democratic Party, because he's not a Democrat," said the unidentified woman in a voicemail sent to the director’s DNC email account.

The voicemails are related to the 20,000-some hacked DNC emails that WikiLeaks published earlier this week, which indicated elements within the supposedly neutral DNC were working to help Clinton clinch the nomination.

Most of the released voicemails amount to innocuous messages from one person trying to reach someone else.

]]>

Should Secret Service Protect Emails of Future Presidents?

Aliya Sternstein — Wed, 27 Jul 2016 17:56:02 -0400

Maybe it's time the Secret Service starts cracking down on the computer security of presidential candidates, in addition to their physical security, some private cyber investigators say, after a leak of Democratic party files right before the nomination of Hillary Clinton for president.

On Wednesday, President Barack Obama intimated Russians hacked into the Democratic National Committee’s correspondence to influence the political process.

"When you are running for president up and through [Republican National Committee] and DNC conventions, there are a lot of physical protections put in place for the potential president, however, on the cyber side we have not caught up in that world yet," Tony Cole, global government chief technology officer for cyber forensics firm FireEye, told Nextgov.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Last month, FireEye corroborated a report by DNC contractor CrowdStrike that Russian intelligence groups cracked the DNC network. Cole said could not comment on whether FireEye is assisting in the investigation or its clients.

The major threat actors this election, however, definitely are nation states with political agendas, Cole said.

"With world events taking place today, I would say probably Russia is the biggest concern in that area, in my opinion," he said. "We are not aware that North Korea is a player in this area, trying to impact policy." Cole also said some Middle Eastern countries and China also would have the capabilities to spy on politically sensitive data.

Potentially, attackers can manipulate data in a way that can physically hurt a candidate, Cole said.

Maybe a hacker "actually goes after a candidate, whoever their doctor is and changes their blood type" in the patient records system, he said.

Right now, until there is some type of specific intrusion, like the alleged DNC hack, there is not much the government specifically does to help prevent hack attacks against presidential nominees, Cole said.

The Secret Service, in most situations, "does not secure the computer systems" of political organizations, nor does it "secure the computer systems of individuals, to include protectees," like major presidential candidates, according to a legal summary the Secret Service provided Nextgov.

That said, Secret Service spokeswoman Nicole Mainor relayed in an email that the agency "plays a significant law enforcement role in ensuring that candidates are aware of a range of vulnerabilities – ranging from physical protection to cybersecurity."

She added, "The Secret Service continues to work vigorously with our local, state and federal partners to prevent and detect cyberthreats against the homeland, to include those against presidential candidates and their campaigns.”

The laws and policies for safeguarding presidential nominees have not kept pace with the internet age Americans live in, Cole said.

One of the gravest security breaches for prospective presidents, in the cyber realm, would be a compromise of correspondence about intelligence briefings the nominees are or soon will be receiving, he said.

"Being able to steal their email is a critical concern, and obviously, the DNC hack that took place, if valid, that is a major concern," Cole added.

The Secret Service backed by the National Security Agency should be charged with the digital protection of presidential nominees, he said.

The FBI has issued a statement on the Democratic party cyber incident, stating, "The FBI is investigating a cyber intrusion involving the DNC and is working to determine the nature and scope of the matter."

This is not the first time hackers have messed with electronic communications of major political candidates.

A college student in 2008 hijacked then-vice presidential candidate Sarah Palin's personal Yahoo mailbox reportedly to find content that could undermine her campaign. According to federal prosecutors, David C. Kernell reset Palin's account password by accurately guessing the answers to her security questions, read her messages and then posted online screenshots of the emails.

Republican National Committee Chairman Reince Priebus told MSNBC on Monday perhaps the RNC is better at securing its email and data than the opposition.

“We haven't been hacked," he said. "And we don't expect to be. And we're monitoring it every day."

Meantime, GOP presidential nominee Donald Trump seems all for Russia continuing to disclose the confidential messages of his rival Clinton, the former secretary of state.

“Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing, I think you will probably be rewarded mightily by our press,” Trump said during a press conference Wednesday, referencing missing emails Clinton had been storing on a private server while in office.

]]>

Obama Establishes Cyberattack Response Chain of Command

Aliya Sternstein — Tue, 26 Jul 2016 14:34:45 -0400

The White House has placed the Justice Department squarely in charge of responding to cyberthreats against the United States, under a presidential directive issued Tuesday.

At the same time, the Homeland Security Department will immediately help agencies and companies, if requested, stanch the bleeding from a hacker assault on networks, or "assets,” President Barack Obama said.

For years, there has been confusion in the private sector and internally among agencies about who's in charge when hackers hit the homeland.

Justice will take the lead in "threat response" or investigating a system attack on site, identifying the perpetrator and breaking up attack operations because foreign adversaries often are involved.

"In view of the fact that significant cyberincidents will often involve at least the possibility of a nation-state actor or have some other national security nexus, the Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, shall be the federal lead agency for threat response activities," the directive states.

The latest data breach pinned on a foreign country, this time Russia, leaked Democratic National Committee emails in what some foreign policy experts say was a ploy to influence the presidential elections or the next administration's policies.

"This presidential policy directive sets forth principles governing the federal government’s response to any cyber incident, whether involving government or private sector entities," Obama says in the rules signed July 26.

In a Tuesday statement, DHS Secretary Jeh Johnson acknowledged: "I am often asked 'who’s responsible within the federal government for cybersecurity? Who in the government do I contact in the event of a cyberincident?'”

Now, the so-called U.S. Cyber Incident Coordination presidential directive "clarifies the answer to these questions,” Johnson added.

DHS’ role is providing technological help and figuring out what other organizations might be at risk, among other things.

Johnson explained asset response "involves helping the victim find the bad actor on its system, repair its system, patching the vulnerability, reducing the risks of future incidents, and preventing the incident from spreading to others."

In addition, DHS and Justice will produce "a fact sheet" with instructions on how private individuals and organizations can contact relevant agencies about a hack attack.

The director of national intelligence's job will be to assist in aggregating analysis of threat trends, along with helping "to degrade or mitigate adversary threat capabilities."

The military will be responsible for dealing with threats against its own Department of Defense Information Network. Likewise, the DNI will handle incidents that impact the intelligence community IT environment.

First Things First

Whichever federal agency first learns of a cyberincident "will rapidly notify other relevant federal agencies in order to facilitate a unified federal response and ensure that the right combination of agencies responds to a particular incident," the directive says.

Obama expects DHS to write, within the first month of the next administration, what he is calling a "National Cyber Incident Response Plan" that addresses attacks against private-sector networks.

Within 180 days, Homeland Security must submit the critical infrastructure risk plan to the president, which at that point would be either GOP nominee Donald Trump or presumptive Democratic nominee Hillary Clinton.

Tuesday's directive follows Obama's grand Cybersecurity National Action Plan, a strategy released in February along with a congressional request for $19 billion in information security funding.

The new dictate does not override current agency cyber laws, like the Federal Information Security Modernization Act, according to an accompanying annex.

If an incident equates to a "major incident" under FISMA, it counts as a "significant cyberincident" in the language of the new directive and would be managed accordingly. (A significant cyberincident is an episode likely to harm national security, foreign relations or the U.S. economy, or endanger Americans' public confidence, civil liberties or safety.)

In the final months of the administration, federal agencies will have to develop a series of new policies for executing Tuesday’s directive.

Within 180 days, DHS and Justice must finish a concept of operations for a rapid response team, or what the administration terms a "Cyber Unified Coordination Group."

During an incident, the group will act as "the primary method for coordinating between and among federal agencies in response to a significant cyberincident," as well as for looping in the private sector as appropriate, the directive says.

A cyber group will be propped up when hackers hit critical infrastructure operators so hard the effects could be catastrophic, according to the policy.

Earlier today, Lisa Monaco, assistant to the president for homeland security and counterterrorism, explained how the amount of government aid supplied to industry will be based on the risks posed by the hacker threat.

"For instance, what is the impact? How might it affect our national security or economy? Does it threaten the life or liberties of the American people? It also says that the government will appropriately safeguard the privacy, civil liberties, and information of those affected. It commits to unifying the government’s response across agencies. And it emphasizes that our response will be focused on helping victims of cyber incidents recover quickly," she said at the International Conference on Cybersecurity in New York.

]]>

Hackers Grab Illinois Voter Records and Dump ISIS Propagandist’s Internal Data; Glassdoor Accidentally Outs Users

Aliya Sternstein — Mon, 25 Jul 2016 05:00:00 -0400

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Voter Records Copied Off Compromised Illinois Voter Registry

The Illinois State Board of Elections online voter registration has been hacked.

“The attackers took advantage of a programming flaw in the website’s database," The Hill explains. The attack, known as a ‘SQL injection,’ occurs in databases using the SQL programming language."

Unless properly configured, SQL databases can be tricked into running commands entered by any website visitor.

The attack on the statewide Illinois Voter Registration System occurred July 12, and the system was shut off July 13 as a precaution once the board realized the severity of the attack.

The registration database is a frequent target of cyberattacks, said Ken Menzel, the board’s general counsel, but “this is the first time that we’re aware of that anybody’s gotten into anything -- not for lack of trying.”

A statement from Kyle Thomas, director of the board’s voting and registration systems division, says the board believes the attack was the work of foreign hackers.

Board officials are in the process of determining the number of records exposed and the names of all the individuals affected.

Officials have no evidence the attackers added, changed or deleted any information in the database. Efforts to extract voter signature images and voter histories were not successful.

Incident cleanup has caused online voting outages for about a week.

Admin of ISIS Propaganda Website Hacked

The correspondence of a programmer for a top-tier ISIS web forum has been compromised.

On July 17, an independent researcher known as “Switched” tweeted content from a data dump that allegedly contained messages belonging to Abu Alaaina Khorasani, who is an administrator of the “Shumukh al Islam” website. Shumukh al Islam, or “Glory of Islam,” regularly hosts official ISIS propaganda.

The hacker apparently broke into the account to prove his worth to the administrators. Before the leak, he had asked for a position in the forum as its “tech guy.”

“He posted as the admin that he was one of the brothers, 'but if you don't do as I say, I'll dump the [database],’” Switched told Motherboard.

It’s not totally clear how the account was hacked. Switched tweeted message screenshots that suggest part of the gambit involved a phishing email attempt.

Laith Alkhouri, the director of research and analysis for the Middle East and North Africa at security firm Flashpoint, said Khorasani has been an administrator on the forum since around 2009 or 2010.

The breach "shows that the myth of a highly secure jihadi underground, is exactly that: It's a myth,” he said.

Alkhouri said he was able to authenticate some of the names dumped, and said they all appear to be members of Shumukh al Islam. The messages deal with the conflict between ISIS and al-Quaida supporters, the procedures around obtaining new members for the forum and other correspondence with current members.

Motherboard notes, "A small number of messages also appear to have been encrypted with Asrar al-Mujahideen, a custom jihadi encryption program similar to PGP."

Immediately after the leak became public, the forum went down, “under repair,” Alkhouri noted.

Glassdoor Accidentally Blasts out Email Addresses of 600K+ Users

The workplace ratings website sent out an email announcing it had changed its terms of service, but instead of blindly copying recipients, Glassdoor pasted their addresses in the clear.

The error was inadvertent and because of a technical glitch, company spokeswoman Samantha Zupan said. She declined to elaborate further.

Each recipient was able to see the email addresses of 999 other Glassdoor users.

The company sent out the message to multiple sets of users, 1,000 at a time, Zupan said. Ultimately, the messages exposed the addresses of more than 2 percent of the company’s users, she said.

Last month, the company said it had some 30 million monthly active users, meaning more than 600,000 were affected by the exposure.

“Among those affected by the gaffe was Larry Karson, an assistant professor of criminal justice at the University of Houston-Downtown. Karson, who’s used Glassdoor for about 18 months, was outraged his and other email addresses were exposed. But he was even more upset that when he tried to contact the company about the problem, no one picked up the phone or quickly responded to his message,” Silicon Beat reports.

2M Email Addresses Compromised in UbuntuForums Hack

The breach was disclosed after someone claimed to have a copy of the database behind UbuntuForums.org, a discussion group for users of the popular Linux distribution.

An investigation revealed an attacker indeed did obtain access to the website’s user records through a software flaw.

The SQL injection flaw was located in the Forum Runner add-on for vBulletin, widely used web forum software that powers more than 100,000 community websites on the internet. The vulnerability was known and publicized, but the company that builds Ubuntu, Canonical, had failed to apply the patch.

“The attacker had the ability to inject certain formatted SQL to the Forums database on the Forums database servers,” Canonical's security team said in a blog post. “This gave them the ability to read from any table, but we believe they only ever read from the ‘user’ table.”

The user table contained usernames, email addresses and internet protocol addresses for 2 million users.

Although the community relied on Ubuntu's single sign-on service, the passwords were hashed and salted. The encryption technique turned them into randomized strings of data. But the company's disclosure notice did not say which hashing algorithm was used -- some algorithms, like MD5, can be easily cracked.

The company announced the security incident on its website July 15.

"While there is no immediate danger to Ubuntu Forums accounts, users should be wary of potential spam and phishing emails that might attempt to distribute malware," PCWorld reports. "Attackers typically launch such attacks following large data breaches, since they can take advantage of known relationships between users and the compromised websites."

]]>

House Committee Chair Opens Inquiry Into Foreigners’ Access to OPM Data

Aliya Sternstein — Tue, 19 Jul 2016 17:29:06 -0400

The House Science, Space and Technology Committee is questioning whether foreign nationals may have had direct access to sensitive Office of Personnel Management data before a historic OPM hack attack was disclosed last summer.

The agency recently told federal auditors that nation state-sponsored cyberattacks are the gravest and most common threat to its IT security.

"In other words, an agency that identifies foreign nations as the source of the most serious and frequently occurring threat either failed to realize that foreign nationals had access to its database, or knew it and failed to correct the situation,” committee Chairman Rep. Lamar Smith, R-Texas, said in a July 19 letter to the administration.

Last July, OPM announced adversaries had copied national security background checks and personnel records containing 21.5 million people's Social Security numbers and other private data. Security researchers and U.S. intelligence officials have said the theft likely was a Chinese spy operation.

Smith has requested documents and information pertaining to foreigners' potential access to OPM data.

He says that, reportedly, some OPM contractors may have handed "foreign governments direct access to data long before the recent reported breaches."

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Allegedly, an administrator for a project was in Argentina, while his co-worker was physically located in China, Smith says. Both individuals had sweeping "root" access to every row of data in every database, he continues.

Separately, there were reports that two employees with passports from China led a team working on the database, Smith says.

The backdrop for the lawmaker’s inquiry is a Government Accountability Office report released in June that found OPM and other agencies that run "high-impact" systems, which, if disrupted, could cause catastrophic harm, still do not always use effective access controls.

The most severe and most frequent avenues of attack against high-impact systems were through email, the web, or an employee's improper use of technology, the auditors said.

Smith is directly asking the administration whether OPM or any OPM contractor ever allowed foreign nationals entry into systems that would provide access to sensitive data or personal information. He also wants to know how many foreigners work for OPM and its contractors, as well as the extent of their access to that agency's IT systems.

During the GAO review, auditors reported pushback from OPM staff on some recommendations made at the time, Smith notes. OPM said it ensures vendor-operated systems are secure through "contractor oversight," but GAO said each agency is responsible for seeing to it that those systems are secure.

"It is OPM's responsibility to ensure that all contractors have in place the appropriate security controls to protect its information and information systems," Smith says.

In response to an earlier draft of the report, OPM argued the auditors did not supply the agency with enough details to cross-check the weaknesses categorized as "boundary protection" and "authorization” vulnerabilities.

The agency also contended GAO did not fully describe the nature of the vulnerabilities until a week before a response to the draft was due May 2. GAO said, to the contrary, it was back on March 9 the auditors briefed OPM on technical findings. Last month, OPM officials told Nextgov they continue to dispute the final audit report.

"While OPM and GAO are in agreement on most of their recommendations, we continue to disagree with GAO’s security control assessments recommendation as written because it does not address the issues identified within the technical assessment, and suggests another cause for which no analysis was conducted and/or provided to OPM for review,” OPM spokesman Sam Schumach told Nextgov in an email in June.

Smith sent letters to OPM and the White House Office of Management and Budget, which promulgates policies for federal agency IT security.

On Tuesday afternoon, Schumach said in an email to Nextgov, "OPM will be responding to the congressional inquiry in a timely fashion."

]]>

Defense Intelligence Agency Is Scoping Out Social Media Background Checkers

Aliya Sternstein — Mon, 18 Jul 2016 16:25:03 -0400

The Pentagon is conducting market research for a planned 12-month "social media checks" pilot that would analyze public posts to help determine an employee's suitability for Defense Intelligence Agency classified work.

The effort is part of a shift away from screening intelligence and military staff every five years, as is current practice. The program is meant to support “continuous evaluation” through automated searches of various data sources, including social media posts, DIA says.

The scope of this particular trial run would involve generating "social media reports" that provide "comprehensive and objective data" and expertise to carry out a "whole of person review," in line with Office of Director of National Intelligence guidelines, states a newly released January draft statement of work.

In May, DNI chief James Clapper issued a directive approving the use of social media in the public domain to vet personnel.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

If DIA goes through with a contract, "at a minimum, the service would have to analyze foreign comments and postings, foreign contacts and any information regarding: allegiance to the United States, foreign influence and/or preference, sexual behavior, personal conduct, financial, alcohol, legal and/or illegal drug involvement, psychological conditions and criminal conduct," the work statement says.

A DIA official told Nextgov there is no guarantee the agency will solicit any vendor; rather, DIA is figuring out what features companies might be able to offer.

The social media reports would help out that agency's existing Personnel Security, Insider Threat, Continuous Evaluation, Counterintelligence and Investigation program, DIA spokesman James Kudla said.

"This is part of the larger government effort" for "continuous evaluation monitoring," Kudla said in a brief interview. It's not restricted to the intelligence community; "it’s really part of the Department of Defense program as well."

"Social media reports are required to identify national security concerns on individuals who are required to obtain and retain a national security clearance" for handling sensitive material, states a July 14 sources sought notice accompanying the work description.

The reports should include checks of "all publicly available social media sites," the work statement says.

DIA does not specify particular websites, like Facebook, Twitter or other online networks.

The analyses also would cross-check an individual's various online personas through "social media profile comparisons," the work statement adds.

Clapper's policy states that security clearance investigators cannot create shadow accounts to "follow" or "friend" an employee under review. In addition, social media content about other people inadvertently collected during a check cannot be retained unless the information is relevant to the review of the employee, the directive says.

Other intelligence agencies have experimented with social media monitoring to aid the background investigation process.

The National Security Agency, for example, says it performed a successful social media test that tracked 175 NSA employees on their online networks.

About 45 percent of the searches returned information that aligned with criteria NSA currently uses to judge candidates -- "some of which we didn’t know before," Kemp Ensor, NSA director of security, said in April at an Intelligence and National Security Alliance symposium in Chantilly, Virginia.

The DIA market research notice says the agency would like social media reports for routine investigations turned around within five days and two-day delivery for most "expedited" social media reports.

The agency is looking for prospective vendors that would be able to use a secure, encrypted internet website or document transfer tool to furnish the social media reports, the work statement says.

Defense writ large is building a massive information-sharing system that can profile security clearance-holders, to flag who among them might become traitors or other "insider threats."

The DOD Component Insider Threat Records System is part of the governmentwide reaction to the 2010 sharing of classified diplomatic cables with WikiLeaks by former Pfc. Chelsea Manning.

]]>

Hackers Target Sports Training Clinic, N.C. State; Alabama and Oklahoma Accidentally Leak Security-Sensitive Data

Aliya Sternstein — Mon, 18 Jul 2016 05:00:00 -0400

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Sports Clinic Owner Alleges MLB Hacked His Social Media Presence

DNA Sports Labs, a training and sports science lab in Florida, relied on social media, including YouTube and Facebook for advertising, and depended on PayPal for sales transactions.

The lab’s owner Neiman Nix now alleges in a lawsuit filed in federal court July 14 that Major League Baseball attacked him online over a belief that he was “selling illegal substances to MLB players” and in so doing, ruined his business.

A computer expert Nix hired traced attacks on his YouTube page and his Facebook page to an IP address in New York "where MLB is located," Nix’s suit states.

Nix also claims Neil Boland — currently the league’s vice president of information security — personally directed the hack attack.

MLB released a statement saying, in part, “the allegations in this lawsuit, including the allegations relating to the hacking of DNA Sport Lab’s social media accounts, to be sanctionable under New York law.”

Improperly Set Up Database Exposed Oklahoma Police, Bank to Physical Intruders

The goof was discovered by security researcher Chris Vickery.

But not before the leaky database potentially compromised the physical security of multiple Oklahoma Department of Public Safety facilities and at least one Oklahoma bank, the Daily Dot reports.

Vickery said he discovered the flawed system one day before the July 7 Dallas police shooting, which claimed the lives of five officers. He initially was concerned about publicly disclosing a vulnerability that could affect law enforcement.

“I was very cautious at first about it,” he said, “but I decided the risk of doing harm with the information I was putting out there wasn’t that great.”

Vickery provided the Daily Dot with images from the database, which were accessible without a username or password. The photos show various doors, locks, RFID access panels and the controller board of an alarm system -- a device typically obscured for security purposes.

The database also contained “details on the make, model, location, warranty coverage and even whether or not the unit was still functional,” Vickery said.

The security risk persisted for at least a week. Vickery said he notified an executive at the company that manages the database, Automation Integrated, on July 9. Reached July 12, however, an Automation Integrated employee said “no one” in the office was aware of the problem.

The Daily Dot contacted Oklahoma’s statewide law enforcement agency, the Oklahoma Highway Patrol, to give notice of the breach, which specifically affected the building housing Troop A.

"An official became hostile with the reporter during the call, responding with disbelief and insisting that the reporter did not know what he was talking about," according to the Daily Dot.

MidFirst Bank of Oklahoma City also was affected. “I was even able to get images from within the bank's safe deposit box vault,” Vickery said.

Hack Impacted 38,000 Current, Former N.C. State Students

North Carolina State University says tens of thousands of past and present students may have had some of their personal information compromised.

A hacker breached a university email account using a "sophisticated phishing scam,” N.C. State says.

Inside the account, the attacker found a 2013 file that included names, mailing addresses, university ID numbers and Social Security numbers.

University officials say they learned of the hack June 3 and took steps to identify and notify potentially affected students.

Officials say there is no evidence any of the personal information has been retrieved or misused yet.

Government Accidentally Leaves Alabama State Retirees at Risk of ID Theft

A flawed website for the Public Education Employees Health Insurance Plan publicly displayed the personal information of plan members.

A Mobile, Alabama, woman who was helping her parents with their insurance coverage saw names, dependent's names, dates of birth and Social Security numbers of other members on the site.

Amanda Murdick called a Teachers Retirement System counselor, who told her the website was undergoing maintenance and that the agency was aware of problems.

The counselor told Murdick she would report her concerns to the IT department.

By July 11, the problem was fixed, according to Murdick. Leura Canary, general counsel for the Retirement Systems of Alabama, said the agency still is trying to find out exactly what happened.

]]>

An Inside Look At a CYBERCOM Dress Rehearsal

Aliya Sternstein — Fri, 15 Jul 2016 09:06:55 -0400

During a recent hack attack drill, Cyber Command troops botched an attempt to stop compromised energy machinery from leaking oil -- and that was the intention, the Pentagon says.

"We do that because at the point of failure, that's where learning will occur," Rear Adm. Kevin Lunday, CYBERCOM director of exercises and training, told a small group of reporters.

Last month, in Suffolk, Virginia, Lunday supported the annual "Cyber Guard" practice session with civilians and an all-military "Cyber Flag" session.

Key to both exercises is the nascent "persistent training environment," or PTE, a closed network with a so-called transport layer that connects players at various locations.

Between June 21 and June 29, CYBERCOM troops in Fort Meade, Maryland, San Antonio, Texas, and overseas locations, among other places, participated in Cyber Flag. In all, 800 U.S. military members and allied partners deployed to the cyber range, organizers said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

During the previous two weeks, service members had partnered with other U.S. government personnel and industry for Cyber Guard, which is co-sponsored by the Homeland Security Department and FBI.

"We actually had one of the National Laboratories bring in the actual industrial control systems – that were networked, and we brought it through the transport layer into the actual exercise environment," Lunday said. CYBERCOM members had to defend the machinery from a pretend, live opposing force.

CYBERCOM, when called on by DHS, helps repel incoming cyberattacks of catastrophic consequence.

“Now, this control system could have opened an access gate to a port facility,” while another “operated a machine control for the oil and gas plant, which resulted in the spillage in the scenario,” Lunday said.

Paul Nakasone, commander of the CYBERCOM Cyber National Mission Force, added: "If you’re there, it’s fascinating because you can actually see when it goes offline. I mean, it’s pretty powerful, right? 'Hey, you guys just failed," said Nakasone, whose division is responsible for aiding domestic network defense.

‘We Cannot Afford Failure’

While the fossil fuel spill perhaps was anticipated, it was not preplanned, a CYBERCOM official told Nextgov on background.

Having cyberwarriors watch the network go down speaks to Lunday’s earlier point: "We can afford to learn and fail in an environment like Cyber Flag, where in an actual operation we cannot afford failure.”

Members of the 6-year-old CYBERCOM now are starting to maneuver as teams, Nakasone said, but they need this kind of shakedown year-round and it’s not fully operational.

The persistent training environment is designed to run scenarios for trainees, with colleagues role-playing adversaries and assessors watching. Aside from supporting DHS, CYBERCOM also defends military networks and supports overseas joint force commander objectives.

"But we don’t yet have a PTE where we can do this training on a continuous basis," Lunday said.

One CYBERCOM National Mission Force team member who participated in the drill said on background the virtual firing range "is necessary for us to grow and mature."

A 2017 House defense authorization bill proposes mandatory, specialized training for opposition troops who perform the role of Iran, China and other adversaries in the environment. The legislation stresses the importance of being able to tell the difference between actual and fictional network threats during practices.

Congress “recognizes that special arrangements will be needed to deconflict training from real-world activities that may happen on mission networks,” the legislation states. The Defense Department is urged to “address these kinds of issues in developing agreements with the combatant commands to integrate cyber opposition force training into continuous and ongoing training activities.”

All the same, the simulated cyberattacks are supposed to feel authentic.

"They say the finest steel is tempered in the hottest furnace," Lunday said. "That’s what we’re trying to get after in Cyber Flag."

The critical infrastructure perils CYBERCOM confronted in Cyber Guard continued into Cyber Flag, where key military allies – Australia, Canada, United Kingdom and New Zealand – joined in.

Lunday continued, the point is "to create that crucible of a training environment, so that the lieutenant and the people he serves with are put under that pressure, so that when they get into an actual contact in cyberspace in DOD networks or off DOD networks, as the mission demands, that they are the best prepared and that what they find is actually not as hard as what they encountered in Cyber Flag.”

]]>

It’ll Be Brains vs. Bots in Vegas Cyberwar Sponsored by the Pentagon

Aliya Sternstein — Wed, 13 Jul 2016 17:33:42 -0400

The Pentagon agency that brought you robotic cars will bring robotic hackers to a Vegas resort next month.

The $2 million Cyber Grand Challenge, sponsored by the Defense Advanced Research Projects Agency, will pit machines against insecure software to pierce the holes -- and fix 'em.

The entire event will be shown on screens in the Paris Las Vegas Hotel’s 5,000-person auditorium while sportscasters narrate the competition, according to DARPA organizers. The tournament will run in conjunction with an annual Vegas hacker conference called DEFCON.

The hope is that computers will be able to discover and patch bugs, like the Heartbleed vulnerability, in any commercial software, including the variety that goes into the F-35, organizers say.

The top seven teams from a 2-year-long contest will let their computers run wild at a daylong Capture the Flag-style tournament of code Aug. 4. Competitors range from Raytheon contractors to former University of California, Santa Barbara students now flung all over the world.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Today, it can take about 312 days to discover a vulnerability in software already out on the market, according to the Pentagon.

The aim of the competition is to "bring that entire discovery-comprehension-patch-response timeline down from a year to minutes or seconds," said Mike Walker, DARPA program manager for the challenge.

Admittedly, the nature of automated cybersecurity does not lend itself to the visual spectacle of robocar "Stanley" navigating the Mojave Desert with no one behind the steering wheel during a 2005 DARPA self-driving car challenge.

"Autonomy in the domain of vehicles is easy to see and grasp," Walker told reporters on Wednesday. "Bringing autonomy to the cyber domain is harder to see because it happens inside the logic and memory of networked computers, and it's an adversarial pursuit."

Killer Robot Hackers?

The results of the coding experiment might be more tangible, if one considers that more than an estimated 20 billion objects containing software will be hooked to the internet by 2020.

“When you buy something that is part of the internet of things on the shelf today, when you look on the back, what you don't have is a sticker that tells you what machine investigated its security and what machine will guard its security in the future," Walker said. "That’s something we could [have] as part of an open technology revolution in computer security automation."

By an open technology revolution, in this case, he means every piece of software the rival machines write will be placed on a public server in perpetuity.

What are the odds that one of these robotic hackers could be repurposed for malicious use by a foreign intelligence agent or cybercrook?

"We believe that all computer security tools are dual use," meaning the systems can be used for commercial or military purposes, Walker said. "They become defensive through openness."

He continued, "If we have an open technology revolution, where the availability of the software is democratized, then we don’t believe that the nefarious misuse will be feasible because the bugs that could be found will already have been patched."

It is unclear how many years it'll be before robots can beat humans at breaking into networks.

"The answer is, ‘I don’t know,’” Walker said. “We are actually trying to prove autonomy before we can say it exists and start speculating about its future development path."

Another test for the concept of robot hackers might come as early as the next day. DEFCON, which every year hosts a human capture the flag game among programmers, has invited the winning automaton to vie against fingers and brains Aug. 5. Walker said he does not expect any machine to win against humans at DEFCON.

"Stanley was a remarkable vehicle that earned its place in the Smithsonian, but it does not belong on an F1 Course," he said.

]]>

Federal Government Expects to Bring on 3,500 More Cyber Pros by 2017

Aliya Sternstein — Tue, 12 Jul 2016 12:48:06 -0400

The White House on Tuesday unveiled a recruitment agenda that envisions a tour of duty fighting hackers for the U.S. government as part of any private cyber pro's career.

"The supply of cybersecurity talent to meet the increasing demand of the federal government is simply not sufficient," officials from the White House and Office of Personnel Management said in a government blog post. "This shortfall affects not only the federal government, but the private sector as well."

The newly released Federal Cybersecurity Workforce Strategy was characterized as a first step toward building a sustainable pipeline of government and industry data security talent that will last well into the future. It also "sets forth a vision where private sector cybersecurity leaders would see a tour of duty in federal service as an essential stop in their career arc," according to the post.

One of the short-term actions calls for agencies to hire 3,500 more people to fill "critical cybersecurity and IT positions" by January 2017.

The administration says it will find ways under existing law and current hiring authorities to expedite recruiting.

For example, the administration will consider establishing "a cybersecurity cadre" within the Presidential Management Fellows program. The cadre would be patterned off existing efforts to lure bright techies into federal agencies, specifically, the Presidential Innovation Fellows program and “other dynamic approaches for bringing top technologists and innovators into government service."

Congress has recently criticized the management of two such rotational programs: U.S. Digital Service, an IT troubleshooting team originated by some of the Silicon Valley tech experts working to salvage HealthCare.gov, and 18F, a tech consultancy guiding other agencies in projects such as agile software development.

There will also be an orientation program for new cybersecurity professionals entering the government. The aim there would be to improve information sharing and employees’ knowledge of upcoming developmental and training opportunities.

The White House says the government onboarded 3,000 new cyber and IT pros in the first six months of the fiscal year, which started October 2015.

In addition, the administration plans to explore opportunities to expand the use of new or revised pay authorities, as well as work to retain talent who give public service a try and like it. This will involve the Office of Personnel Management coordinating with agencies to develop cybersecurity career paths, badging and credentialing programs, and rotational assignments, so employees can become subject matter experts in their field.

The White House is asking agencies to identify the types of security pros in most need by consulting a cybersecurity workforce framework organized by the National Initiative for Cybersecurity Education.

The workforce strategy builds off goals outlined in February by President Barack Obama inside a $19 billion cybersecurity budget and accompanying Cybersecurity National Action Plan.

According to the White House, the strategy supports the plan’s proposed $62 million investment in expanding higher education opportunities for promising cyber students. The fund will help cover scholarships and full tuition for college and university students through the CyberCorps: Scholarship for Service program. The pool of money also will go toward "program development grants" that would allow universities, among other things, to hire or retain professors and stand up a cybersecurity core curriculum.

The Cybersecurity National Action Plan followed a major theft of data at OPM, in which suspected Chinese hackers copied the Social Security numbers and other private details on 21.5 million national security workers and contacts.

"Every day, federal departments and agencies face sophisticated and persistent cyberthreats that pose strategic, economic and security challenges to our nation," the officials said Tuesday. "Addressing these cyberthreats has required a bold reassessment of the way we approach security in the digital age and a significant investment in critical security tools and our cybersecurity workforce."

]]>

Treasury Says It Needs Some New Security Features for Next-Gen Money

Aliya Sternstein — Mon, 11 Jul 2016 16:26:41 -0400

Now's the chance to make your mark on the next series of U.S. dollar bills. The Bureau of Engraving and Printing later this month is expected to start competing a contract for the creation of features -- like special fibers and optical tricks -- to prevent forgery.

The anti-counterfeit markers will be visible to the naked eye and detectable by special tools, according to a pre-solicitation notice.

The plan is to issue a solicitation around July 28 "for the research and development of a new overt and device-assisted security features," the bureau says.

It would be preferable that the protections incorporate "intaglio print" with a raised feel, and "optical waveguide" technology, according to the notice.

The maximum 4-year contract could go to one or multiple companies.

The bureau does not say when the next-gen money will go into circulation.

In April, Treasury Secretary Jack Lew announced new bills with some different historical faces will enter circulation in 2020.

Slave owner Andrew Jackson will be replaced by abolitionist and one-time slave Harriet Tubman on the $20 bill.

The back of a new $5 bill will depict the 1939 performance at the Lincoln Memorial of African-American singer Marian Anderson. She had not been allowed to sing at the nearby, segregated Constitution Hall. Also on that side, there will be pictures of Eleanor Roosevelt, who arranged the special concert and Martin Luther King Jr., who orated his “I Have a Dream” speech on the monument's steps.

The safeguards for "the next generation of United States Federal Reserve Notes" partly are intended to help consumers see the difference between fake and real dollars, according to the notice.

They will offer "a user-friendly feature to quickly and confidently validate notes passed in common, everyday transactions," the bureau says.

There already are some intricate anti-fraud elements embedded into today's dollars.

The $10 bill glows orange under UV light. When held up to a normal light, a portrait of Alexander Hamilton can be seen from both sides of the note. And there's a color-changing number 10 in the lower right-hand corner.

The $20 currency contains fibers that glow green when illuminated by UV light. An image of Jackson is visible on both sides, and a color-shifting number 20 is at the bottom, on the right.

]]>

Hackers Post Police Records after Sterling Shooting, Show NATO Gen. Plotted Against Obama, and Broach NASA Twitter Account

Aliya Sternstein — Mon, 11 Jul 2016 05:00:00 -0400

In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:

Activist Leaks Law Enforcement Database after Louisiana Police Shooting

Days after the killing of a black man by Baton Rouge officers prompted global outrage, an individual posted online 50,000 poached city police records.

The cache, which was confirmed as legitimate, contained names, addresses, emails and phone numbers.

The administrators of the website apparently had failed to implement proper security measures.

The "breach"—for lack of a better term—appears to have been a case of unauthorized access using discovered login credentials rather than any kind of technical attack.

A hacker named @0x2Taylor claimed responsibility for accessing the database, but it is unclear whether @0x2Taylor obtained the data or was given it by a third party and took credit.

"The website had its permissions set wrong and shouldn't have been left open for the public to see this data," explained Jamie-Luke Woodruff, a security intelligence analyst who works at Patch Penguin, a British cybersecurity firm. "They seem to have obtained credentials to the Oracle server in which they extracted the database information. But they didn't set out to get the data that they obtained it was just random that the credentials was found."

Eric Romero, who runs information services for Baton Rouge, said he heard "rumors of a breach" but was unable to confirm it had occurred.

Baton Rouge police officers shot Alton Sterling, 37, after a confrontation in front of a convenience store in response to reports of an armed man.

Multiple cellphone videos of the shooting, captured by bystanders and released online, call into question some police claims that Sterling, who faced multiple criminal prosecutions in the past, was holding a gun when he was shot.

When @0x2Taylor first announced the hack, he accompanied the tweet with three hashtags suggesting the motivation behind the leak: #AltonSterling, #Hacked, and#BlackLivesMatters.

"The reason i did it is because of what that officer did to alton sterling," @0x2Taylor told the Daily Dot in a private Twitter message. "i'm sick of seeing police abuse their power and all the killings."

Hacked Emails Suggest Former NATO Commander Plotted Against Obama during Ukraine Conflict

Leaked emails from the Gmail account of retired Gen. Philip Breedlove, the recent supreme commander of allied forces of NATO, reveal he privately plotted against President Barack Obama's wishes during the Russian-Ukrainian conflict.

A new website called DCLeaks posted the hacked messages.

Phillip Karber, an academic who corresponded regularly with Breedlove, verified the authenticity of several of the emails. He also told The Intercept that Breedlove confirmed to him that his Gmail account was hacked and that the incident had been reported to the government.

Citing his own leaked emails, Karber said: “I turned this over to the U.S. government and asked them to investigate. No one has given me any answer.”

Breedlove, while briefing Congress in 2014, disagreed with the Obama administration about the situation in Ukraine. (Obama was reluctant to provide lethal assistance to the Ukrainian government, fearing that doing so would increase the bloodshed and provide Russian President Putin the justification for deeper incursions into the country.)

In a series of 2014 messages to Colin Powell, Breedlove sought meetings with the former secretary of state for advice on pressuring the administration to take a more hawkish posture toward Russia.

Powell responded by accepting an invitation to meet and discuss the dilemma.

DCLeaks is a database run by self-described “hacktivists” who collect the communications of high-profile influencers such as political parties, politicians, political campaigns and the military. The website currently also has documents revealing some internal communications from the Hillary Clinton presidential campaign and George Soros’ Open Society Foundation.

NASA Kepler Spacecraft Tweets Image of Woman's Derriere

A photograph of a woman's face and red panty-clad bottom briefly appeared on the official Twitter account for NASA's Kepler, a mission surveying parts of the Milky Way Galaxy for hospitable planets.

The defacement was visible the morning of July 6. It is unclear how the hacker broached NASA's social media account.

"Unfortunately for NASA, the tweet also shows up in the mission website," Gizmodo reported.

Around 10 a.m. Wednesday, the unauthorized user, who changed Kepler's name on Twitter to r4die2oz, posted the butt photo with the caption "waiting for ya: <3," followed by a link to a porn site, localsex2.com, according to Motherboard.

The account was restored around 10:45 a.m. Eastern the same day.

"As you may have seen, we recovered the account and are back in business," NASA's social media manager John Yembrick said in an email to Motherboard. "We’re investigating the cause of this incident with Twitter. We have hundreds of official NASA Twitter accounts, and this is a very rare occurrence. We work to safeguard our accounts as much as possible. Although we monitor all of our accounts closely, we want to thank our followers for flagging the incident for us."

Signs of Ransomware Pop Up At Colorado Allergy Clinic

A Glenwood Springs, Colorado, medical office has sent out cautionary notices after a discovery a month ago of possible ransomware on its computer system.

Kari Hershey, an attorney for Allergy, Asthma & Immunology of the Rockies, P.C., said the problem became apparent when staff had trouble accessing a few documents on its system.

Because the system holds protected health information, such as test results and Social Security numbers, the clinic immediately shut down the server and contacted a forensic IT company to troubleshoot the disturbance.

The ransomware was still in its early stages when detected. There is no evidence any of the information on the system has been copied or used in any way, although it did pass through a password protected firewall.

“They weren’t able to track exactly what the hackers did, but what they did find was a draft of the ransom letter on the system,” Hershey said. “The way it was explained to me is that it essentially looked like the hackers were still testing out the ransomware.”

She said by this point in the investigation, it likely would be known if sensitive information had been harvested.

The Glenwood Springs Police Department says the case is currently closed and inactive because the IP address of the attacker was traced back to Russia, far beyond the department’s jurisdiction. The rest of the investigation likely will be handed over to the FBI.

]]>

House Committee OKs Bill Letting the FBI Use Rapid DNA Profiling

Aliya Sternstein — Fri, 08 Jul 2016 11:34:09 -0400

A DNA evidence bill that would let police in the field, not just technicians in an accredited lab, quickly test the genetic material of suspects has advanced to the House floor.

The measure centers around a relatively new screening instrument the size of a printer, called Rapid DNA.

The idea behind the technology is to swiftly clear innocents, detain criminals and free up technicians to clear rape kit backlogs, among other things, say Judiciary Committee members who crafted the bill.

Currently, only DNA swabs analyzed in a crime lab, a process that can take many weeks, are permitted to be run against the FBI's central DNA database for matches.

The bipartisan House Rapid DNA Act, which the Senate unanimously approved in June, would authorize a cheek swab processed by the automated tool to be uploaded into the database, named CODIS.

Rapid DNA analysis would have "profound implications" for criminal justice, said Rep. James Sensenbrenner, R-Wisc., who co-sponsored the measure.

"Arrestees may be exonerated in crimes in two hours rather than waiting for up to 72 hours for release or months for more standard DNA testing," he said before Thursday's voice vote of approval.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The measure is not expected to come up for a floor vote until the panel wraps up a package of related criminal justice reforms, a Judiciary Committee aide told Nextgov on background.

Committee ranking Democrat Rep. John Conyers, D-Mich., said the bill will have "real-world consequences" in places like his district, where there is a backlog of DNA evidence from sexual assaults.

While Rapid DNA is not suited to handle rape kits and other forensic evidence, use of the instrument to identify booked offenders could make more technicians available for backlog processing.

As of March, Detroit technicians had tested about 10,000 backlogged rape kits, resulting in the identification of 753 potential serial rapists and 36 convictions, Conyers said.

Genetic Analysis on the Fly Could Lead to Abuse, Say Critics

But some civil liberties advocates are concerned the ease with which nonscientists can instantly process DNA samples might increase domestic surveillance. Long before Congress took action, the FBI had been planning to incorporate Rapid DNA results into its massive Next Generation Identification biometric system, the successor to the FBI's old Automated Fingerprint Identification System.

"Police officers are already using mobile tools to collect other biometrics like fingerprints and face recognition when they detain people on the street, and there have been cases where officers have collected DNA on the street as well — even from kids they have detained," said Jennifer Lynch, senior staff attorney at the Electronic Frontier Foundation.

At a June 2015 Judiciary subcommittee hearing, FBI Executive Assistant Director Amy Hess, testified that the bureau is working "to determine the interfaces necessary for the integration of the Rapid DNA components into the criminal history record and booking station infrastructure originally established for the Automated Fingerprint Identification System.”

FBI Director James Comey, in addressing privacy concerns, has said people need to understand that Rapid DNA is not about collecting genetic material from more people.

"It's about the DNA that's collected when someone is arrested being able to be analyzed much more quickly," he said, testifying at a December Senate Judiciary Committee hearing. "That can show us in some cases this is the wrong person or can show us in some cases this is someone we have to be very worried about."

Could 'Change the World'

Comey said authorizing Rapid DNA technology to hook up with the FBI DNA database would "change the world."

The legislative proposal would allow authorities, "in booking stations around the country, if someone's arrested, to know instantly -- or near-instantly -- whether that person is the rapist who's been on the loose in a particular community before they're released on bail and get away, or to clear somebody, to show that they're not the person," he said. "We are very grateful that we're going to have the statutory authorization if that passes to connect those rapid DNA technologies to the national DNA database."

Lynch said the intent of the bill and the outcome of the bill’s passing may be very different.

"Despite Comey’s statements, this bill will likely result in DNA collection from more people," she said. "Allowing Rapid DNA to be entered into CODIS will incentivize more law enforcement agencies to purchase and use Rapid DNA technology."

The Homeland Security Department, which is testing the technology to verify relationships among immigrants, estimates the price per profile is about $235 with the machine, versus $500 with a lab technician.

"Like all law enforcement technologies, once agencies have already invested money, they will try to use that technology in as many contexts as they can—in the case of Rapid DNA, there is nothing in the bill to stop agencies from using it to collect DNA from people stopped on the street," Lynch said. “The technology is portable, and, apparently not difficult to use, so there’s nothing to prevent an officer from using the machine right out of the trunk of a squad car.”

Responding to civil liberties concerns, the Judiciary aide pointed to a 2013 Supreme Court decision that ruled the warrantless collection of DNA from those arrested for a serious crime does not violate the Fourth Amendment prohibition against unreasonable search and seizure.

]]>

Bill Banning Porn, Personal Email on Agency Computers Under Fire on Unrelated Grounds

Aliya Sternstein — Wed, 06 Jul 2016 17:42:26 -0400

As the House moved to take up legislation that would prevent employees from accessing personal email and pornography on government computers, the White House threatened to veto the measure because of objections to civil service provisions included in the legislative package.

House Republicans have positioned the package as a piece of government reform legislation. But the broader package contains several other workforce provisions that the Obama administration and many Democrats find unpalatable. These include expedited firing procedures for senior federal executives and additional reporting requirements about labor union activities in federal agencies.

In a statement on the legislation issued Tuesday evening, the White House called these provisions “misguided.”

The bill, known as the Federal Information Systems Safeguards Act, also would allow agencies to block access to personal webmail without consulting unions, and mandate that the White House create guidelines that prohibit access to porn or explicit websites on government computers.

"It's embarrassing and hard to believe that this committee and the Congress actually has to firm up this law, but the committee has heard numerous examples of federal employees spending significant amount of time viewing explicit materials on their federal computer during federal workforce hours and being paid by federal taxpayers," Oversight Chairman Rep. Jason Chaffetz, R-Utah, said at Rules Committee meeting Tuesday evening.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Some of the more high-profile episodes of porn viewing were recounted in audits of the Interior Department, the National Science Foundation, the Securities and Exchange Commission and the Environmental Protection Agency.

But Democrats take issue with other pieces of the government accountability package. For instance, the broad brush nature of the email use crackdown could violate other federal laws, according to Democratic members of the Oversight and Government Reform Committee.

The measure allows an agency to "take any action" it determines is needed to reduce security weaknesses.

On Tuesday, Chaffetz described the package of measures as a "good government" bill, while Rep. Gerry Connolly, D-Md., called it an "anti-federal employee" measure.

The Obama administration agrees with the Democrats, for the most part.

The White House statement said the bill "would set policy that would undermine existing governmentwide cybersecurity and records management policies."

The email safeguards measure stems from recent incidents at the Homeland Security Department and the Office of Personnel Management, where labor groups fought efforts there to shut off personal email access.

The American Federation of Government Employees filed a grievance against DHS’ Immigration and Customs Enforcement bureau in 2014 for blocking webmail, and the Federal Labor Relations Agency sided with the union. When OPM last July locked employees out of Gmail, Facebook and other social networks after a massive background check hack, the union threatened to sue.

The legislative proposal, which the committee approved by a nearly party line vote in March, is designed to overturn the 2014 FLRA decision.

It is "not clear that blocking personal email is necessary," Committee Ranking Member Rep. Elijah Cummings, D-Md., said in written minority viewpoints. "The committee has not held a single hearing on this bill to explore the potential impact it might have on security, human rights, privacy, contracting, or transparency protections."

Committee Republicans argued rules protecting federal unions increase the likelihood of data breaches.

“If agency directors are obstructed from taking immediate action to protect employees’ information without first going through collective bargaining, federal agencies are more vulnerable to attack,” Chaffetz and bill sponsor Rep. Gary Palmer, R-Ala., said in a Feb. 24 Washington Times op-ed. “Putting collective bargaining rights above security is preposterous.”

]]>

DHS: Security Holes in All Symantec Programs a ‘Very Serious Event’

Aliya Sternstein — Tue, 05 Jul 2016 18:06:15 -0400

On Tuesday, the Homeland Security Department warned of severe security holes in all Symantec and Norton antivirus programs, including those widely used throughout the government.

Late last year, Congress granted DHS new powers to scan agency networks for intruders using a federal firewall called EINSTEIN.

DHS spokesman Scott McConnell said in an email Tuesday that the department “provides a common baseline of security across the civilian government and helps agencies manage their cyber risk,” and "each federal agency is responsible for its cybersecurity."

As for its own internal response, the DHS Enterprise Security Operations Center is tracking patches of the Symantec vulnerabilities across the department, a Homeland Security official told Nextgov on background.

The weaknesses impact 24 security products, including Symantec Endpoint Protection, Symantec Email Security, Norton Security and Symantec Protection for SharePoint Servers.

"Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system," DHS officials said in an alert published through the National Cyber Awareness System.

The federal government has awarded Symantec contracts worth $63 million since 2008, according to USASpending.gov.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Homeland Security also provides a link to a Google researcher's depiction of the situation.

"These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," Tavis Ormandy, of Google's Project Zero team, wrote in a company blog post June 28.

The DHS U.S. Computer Emergency Readiness Team recommends users and system administrators fix their Symantec programs immediately.

But some of the products cannot be automatically updated, requiring administrators to take manual action on their networks.

Google’s Ormandy reported the security flaws to Symantec and helped devise fixes, according to the antivirus company.

Symantec's official advisory regarding the security issue is here.

The large number of vulnerable products -- across Apple, Windows and Linux operating systems -- "and the severity of these vulnerabilities ... make this a very serious event," Homeland Security officials said.

While U.S. CERT does not have evidence indicating hackers have exploited the holes, the ubiquity of the products and gravity of the security problem essentially make Symantec software a bull's eye, or, as the department terms it, "a popular target."

]]>

Justice Wants Drones to Try Reconstructing Car Crashes

Aliya Sternstein — Tue, 05 Jul 2016 17:00:22 -0400

The Justice Department plans to run drone tests to measure how well unmanned aircraft systems can help reconstruct automobile crashes.

Trials are expected to take place in various jurisdictions across the country.

The National Criminal Justice Research, Test and Evaluation Center on Thursday is scheduled to begin seeking interest from police departments that currently investigate accident scenes using drones.

"The center has identified a number of agencies that have operational UAS capabilities configured to support law enforcement. The center is now seeking to partner with those or other interested agencies in order to complete the operational evaluation," National Institute of Justice Director Nancy Rodriguez said in a pre-publication request for information.

The research likely will start in 2017 and continue until there have been enough motor vehicle accidents to draw data from, an Office of Justice Programs official told Nextgov on background.

Police departments in Florida, Kansas and Texas are just a few of the local agencies nationwide authorized to patrol the skies, in certain situations, for public safety.

There are some concerns that data captured remotely by, essentially flying video cameras, might compromise the privacy of citizens and data reliability.

Among other things, Justice wants to hear about procedures cops have in place for "preserving the integrity of collected data for use as evidence."

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

In March, a security researcher demonstrated the ease of hacking a high-end drone thought to be deployed by police departments. The unidentified aircraft model used weak Wi-Fi encryption and an insecure radio connection, according to Wired.

When police use drones, it is key they follow chain of custody rules for evidence, said Jeramie Scott, director of the Electronic Privacy Information Center’s Domestic Surveillance Project.

While the focus of the study is on crash reconstruction, the government also is interested in "information on alternative uses of UAS in law enforcement,” Rodriguez said.

In this case, Scott said it is imperative that police protect against mission creep. There should be public, transparent policies spelling out specific use cases to “ensure law enforcement drones acquired for one purpose,” like crash scene reconstruction, “are not then used for secondary purposes that undermine privacy and civil liberties,” like mass surveillance of the public, he said.

The Justice evaluation also aims to assess potential future applications of unpiloted aircraft systems, Rodriguez said.

Some municipalities, here and abroad, plan on or already are using the unmanned flight systems for search and rescue.

Earlier this year, officers in Warwickshire, England, reportedly spotted a missing person using a drone during the first week of a trial run with the aircraft.

Other jurisdictions have begun authorizing police to use weaponized drones.

In North Dakota, a 2015 bill allowed for nonlethal drone use (i.e. using rubber bullets, tear gas and pepper spray), notes TechRepublic.

The crash reconstruction testing will occur during normal operations or scheduled exercises, depending on the preference of the partnering agency.

Justice also wants input on metrics for gauging the performance of drones used for law enforcement purposes.

Follow-up discussions will take place between department officials and select police forces that respond to the survey.

Other information Justice is seeking: the “number of crash scene reconstructions in the past year using UAS only" and "types of data currently stored in reconstruction records database."

In addition, Justice is interested in the make of the drone each agency is using. The survey asks about the types of UAS sensors available, extra accessories, prices and types of real-time monitoring features.

Comments are due to Justice by Aug. 31.

The American Civil Liberties Union’s stance is that police should not be flying drones until agencies establish a formal privacy policy.

"We don’t have a problem with police use of drones for accident or crime scene photography," said Jay Stanley, ACLU senior policy analyst.

However, he added, “no police use of drones should take place until a department has in place a good overall policy for their use . . . covering, for example, the handling of incidentally collected sensitive data," such as, "where a drone captures people on private property adjacent to an accident scene.”

National Institute of Justice spokesman Chuck Wagner said in an email to Nextgov law enforcement departments already have regulations, and in some cases, there are state laws, which mandate how recorded video and audio is handled.

Newton, Kansas, police reportedly need a search warrant to capture surveillance imagery, unless there is an emergency, like a train derailment involving hazardous materials.

“Video, whether it comes from an in-car camera system, pole camera, body-worn camera … or in this case a UAS, is still treated the same (video is video),” Wagner said.

An ACLU report listing recommendations for government use of drones stresses it is important rules are "not made on the fly by police departments simply by virtue of federal grants."

Justice has tapped the Johns Hopkins University Applied Physics Laboratory to run the crash project and will not provide funding to law enforcement agencies for operating the unmanned aircraft, the official said.

]]>