Information Security Archives

A Rail Attack, or a Communications Problem?


Who knows what really happened to a railway in the Pacific Northwest last month? Nobody who's willing to say, apparently. Nextgov's reporting on a Transportation Security Administration memo that stated unequivocally hackers executed a "targeted attack" on a railroad and disrupted signals leaves a lot of unanswered questions. For starters:

  • According to the handout, which summarized a transportation working group's Dec. 20 meeting on the crisis, TSA provided the transit sector with live updates to explain the source of the intrusion. This week, rail industry representatives refuted the accuracy of its contents, saying no targeted attack occurred. Why was an inaccurate TSA memo that asserted a targeted cyberattack on a rail distributed?
  • If there wasn't a railway cyber strike, why wasn't a subsequent corrected memo issued?
  • What actually caused the signal interference?
  • Why didn't the memo carry a "For Official Use Only" stamp or some other confidential label, if the notes were not for public consumption?
  • Is it TSA or the rail company that gets to decide the cause of a malfunction?
  • Will this mess frighten industry away from asking the government for help in the event of a real cyber emergency?

The irony here is that the memo praised the government-industry collaboration in responding to this breach. But maybe that too was inaccurate. So much for effective outreach.

Real Federal Cyber Squad Warns of Sham Federal Cyber Squad's Emails


Hackers posing as members of the U.S. Computer Emergency Readiness Team are emailing feds using the bogus sender address SOC@US-CERT.GOV, according to federal officials.

The real U.S. CERT -- we think -- issued an alert saying that today it began receiving reports of a phishing campaign that uses spoofed US-CERT email addresses to apparently target federal, state, and local governments, as well as many private sector organizations. The fake messages contain an attachment, but the alert does not say whether the file is malicious or what it does to a person's computer. Phishing emails typically install viruses when opened or they direct users to enter personal information for a seemingly legitimate, but actually fraudulent, purpose.

According to the real US-CERT officials, the subject of this message is "Phishing incident report call number: PH000000XXXXXXX." The name of the attachment is "US-CERT Operation Center Report XXXXXXX.zip," with the "X" possibly indicating a random value or string. The attachment executes a file with the name "US-CERT Operation CENTER Reports.eml.exe."

The instigators also are using other invalid email addresses, according to officials.

The alert advises that computer users immediately delete the email without opening the message or any of its attachments.
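As an added illustration, not code from the alert or from the article, the following Python check flags incoming messages that match the indicators quoted above: the spoofed sender, the subject template, the archive name template, and a double-extension executable inside the archive. The message field names, the sample messages and the trusted-relay suffix are constructed assumptions.

```python
import re

# Indicators taken from the US-CERT alert quoted above; "\d+" and "\w+" stand in
# for the "X" placeholders in the published subject and attachment names.
SPOOFED_SENDERS = {"soc@us-cert.gov"}
SUBJECT_RE = re.compile(r"^Phishing incident report call number: PH\d+$", re.I)
ATTACHMENT_RE = re.compile(r"^US-CERT Operation Center Report \w+\.zip$", re.I)
# A document-looking extension immediately followed by an executable one.
DOUBLE_EXT_RE = re.compile(r"\.(eml|pdf|doc|docx|txt)\.(exe|scr|com|bat|js)$", re.I)
# Assumption: genuine us-cert.gov mail arrives via a relay under this suffix.
TRUSTED_RELAY_SUFFIX = ".us-cert.gov"


def flag_message(msg):
    """Return the reasons a parsed message matches the spoofed US-CERT campaign."""
    reasons = []
    sender = msg.get("from", "").lower()
    if sender in SPOOFED_SENDERS:
        reasons.append("sender is the spoofed address named in the alert")
    # A us-cert.gov sender handed off by an unrelated relay is a forged header.
    if sender.endswith("@us-cert.gov") and not msg.get("relay", "").lower().endswith(TRUSTED_RELAY_SUFFIX):
        reasons.append("us-cert.gov sender relayed from an untrusted host")
    if SUBJECT_RE.match(msg.get("subject", "")):
        reasons.append("subject matches the campaign template")
    for name in msg.get("attachments", []):
        if ATTACHMENT_RE.match(name):
            reasons.append(f"attachment name matches the campaign template: {name}")
    for name in msg.get("archive_contents", []):
        if DOUBLE_EXT_RE.search(name):
            reasons.append(f"double-extension executable inside archive: {name}")
    return reasons


def scan(messages):
    """Map each message index to its reasons, keeping only messages that trigger."""
    hits = {}
    for i, msg in enumerate(messages):
        reasons = flag_message(msg)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample messages (not real captures); fields mimic parsed mail headers.
SAMPLE_MESSAGES = [
    {"from": "SOC@US-CERT.GOV", "relay": "mail.example-spoofer.net",
     "subject": "Phishing incident report call number: PH000000123456",
     "attachments": ["US-CERT Operation Center Report 123456.zip"],
     "archive_contents": ["US-CERT Operation CENTER Reports.eml.exe"]},
    {"from": "alerts@example.org", "relay": "mx.example.org",
     "subject": "Weekly status", "attachments": ["status.pdf"], "archive_contents": []},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_MESSAGES).items():
        print(f"message {idx}: " + "; ".join(reasons))
```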

Criminals and U.S. adversaries are usually blamed for such attacks. Last week, an Internet security researcher reported that China-based attackers have been sending federal agencies and contractors infected emails about drones apparently to spy on U.S. intelligence matters. That phishing campaign used email addresses from military and other government organizations, said AlienVault Labs manager Jaime Blasco, who was not at liberty to specify the addresses.

DHS to Holiday Shoppers: Beware of Cyber Crooks


Information technology managers and federal employees should be on high alert for e-mail scams and malicious software this holiday shopping season, Homeland Security Department officials warn.

The U.S. Computer Emergency Readiness Team, part of DHS, has reissued a cyber activity notice from last year, reminding computer users there is a higher incidence around gift-giving time of reported "phishing" schemes that steal banking passwords and other credentials. The specific gambits users should be wary of include requests for donations from shady charitable organizations, credit card applications targeting holiday shoppers and infected e-greeting cards.

The activity report urged system administrators and users to update antivirus software as well as verify the authenticity of charities by calling the phone number listed for the organization on the Better Business Bureau national charity report index.

Senate Punts Cybersecurity to 2012


The Senate plans to hold a vote on comprehensive cybersecurity reforms during the first work period of 2012, according to senators on the committee with jurisdiction over federal computer protections.

In a letter sent late Wednesday, Majority Leader Harry Reid, D-Nev., informed Senate Republicans of his decision to bring legislation to the floor early next year, according to members of the Homeland Security and Governmental Affairs Committee. Reid's bill is expected to include measures proposed by the committee that would automate federal information security practices and charge the Homeland Security Department with regulating safeguards for civilian public and private networks.

Efforts to pass broad legislation this year fell victim to job creation and deficit reduction priorities. Most computer privacy and security laws were enacted before social media and smartphones increased the country's reliance on the Internet.

"Hackers, criminals, and antagonistic foreign powers are maliciously probing our cyber defenses every day on an unprecedented scale, and it is no secret they have found our defenses to be vulnerable," Committee Chairman Sen. Joe Lieberman, I-Conn., Ranking Member Sen. Susan Collins, R-Maine, and Federal Financial Management Subcommittee Chairman Sen. Tom Carper, D-Del., said in a joint statement. "Defense Secretary Leon Panetta has warned that the next Pearl Harbor 'could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.' For that reason, we are grateful Majority Leader Reid has scheduled debate on this important national and economic security legislation shortly after Congress reconvenes next year."

While breaches have been common for years, more companies and governments are publicly speaking about them to put an end to the economically costly invasions, experts say.

"There is no such thing as 100 percent security, on or offline, but we must take action to strengthen our defenses against those who are constantly working to do us harm," the lawmakers added.

Corporate IT Pros are Skeptical of the Cloud, but Feds March On


While the Obama administration hurries to save billions of dollars by moving federal computing online, a new study shows that few information technology managers at leading-edge companies believe Internet "cloud" storage is as secure as in-house data centers.

One third of private-sector IT practitioners questioned by the Ponemon Institute believe so-called infrastructure-as-a-service providers protect e-mail, documents and other business data as well as on-site data centers. The administration aims to wind down many of the government's more than 2,000 computer warehouses to save $5 billion, largely by outsourcing the computer processing to Web services providers, like Amazon.

Interestingly, in the business survey, a larger percentage, 50 percent, of the folks paid to worry about security and privacy safeguards -- compliance officers -- believe the cloud offers equivalent protections.

The independent survey of 1,018 professionals, including about 600 IT managers and 400 compliance supervisors, was sponsored by data security firm Vormetric. All respondents were familiar with the principles of cloud computing.

"The findings reveal the gulf between those working in IT and those in compliance about service provider controls, top security measures and roles and responsibilities," the report states. "The study's goal is to learn how organizations resolve (or fail to resolve) the tradeoff between cloud efficiencies and IT security."

A new roadmap from the National Institute of Standards and Technology, highly anticipated within Washington contracting circles, defines IaaS as an online product that provides the customer with a complete computer processing environment. The cloud standards, which were released on Tuesday, explain that the consumer does not have the power to control the underlying networks, but can manage operating systems, storage and software programs.

$2 Million Tab for DoE Computer Break-Ins


The Energy Department paid more than $2 million to recover from several recent cyberattacks, according to agency auditors.

An annual review of Energy's unclassified cybersecurity found that network weaknesses increased 60 percent between fiscal 2010 and fiscal 2011, the department's inspector general reports. The security holes include weak access controls, software flaws and poor employee training, among other deficiencies.

"As noted by recent successful attacks at four department locations, exploitation of vulnerabilities can cause significant disruption to operations and/or increases the risk of modification or destruction of sensitive data or programs," writes Energy IG Gregory H. Friedman in an Oct. 20 evaluation. "The estimated cost to the department for the recent cyberattacks at three of the four sites was over $2 million."

Tests at 25 facilities, including headquarters, revealed 32 previously unidentified vulnerabilities plus an additional 24 left unresolved from the prior year, Friedman notes.

Citing security concerns, the report does not say where the four breaches occurred or name the specific weaknesses discovered elsewhere.

Friedman attributes the problems, in part, to management's failure to monitor the performance of security safeguards.

For example, the agency neglected to block unauthorized users from accessing or modifying data on Web programs. "At least 32 web applications, used to support functions such as procurement and safety, did not perform validation procedures," he writes. "Such procedures ensure that changes made to information and programs are only allowed in a specified and authorized manner and that the system's operation is not impaired by deliberate or inadvertent unauthorized manipulation, such as through software flaws and malicious code."

Agency Buy-In Is Key to Obama's Anti-WikiLeaks Order


The government office charged with declassifying confidential information cheered President Obama's new directions to agencies on thwarting insiders who feed websites like WikiLeaks with secret files before their classification time is up.

On Friday, Obama issued a long-awaited executive order in response to the scandal surrounding a soldier accused of extracting a boatload of files from a classified military system to share with the anti-secrets site.

"This executive order recognizes that the primary responsibility lies with departments and agencies to carry out this initiative, while it also reinforces the responsibilities of individuals entrusted with access to classified information," John Fitzpatrick, director of the Information Security Oversight Office, said in a statement.

The order aims to hold agency heads accountable for preventing insider threats and safeguarding classified information on computers. At the same time, the directive tries to strike a balance between blocking unauthorized users and expediting authorized disclosures.

"Strengthening standards and practices of protection will lead to greater trust and cooperation and increased information sharing," Fitzpatrick said.

According to ISOO's mission statement, the office's goal is to "provide for an informed American public" by limiting the amount of information kept classified and declassifying files as soon as they are safe to release.

Materials are supposed to be automatically released 25 years after they are classified if not earlier, according to previous executive orders. Authorities can keep files under wraps longer if they can show that disclosure would expose an intelligence source, code-making data, directions for building weapons of mass destruction, or certain other extraordinarily sensitive information.

But researchers say that department heads often disregard declassification instructions.

"Presidents Clinton, Bush and Obama each ordered that all 25 year old classified records, unless they were specifically exempted, 'shall be automatically declassified whether or not the records have been reviewed.' But agencies have refused to implement this provision or to permit automatic declassification without review, thereby crippling the presidential initiative for streamlining the declassification process," Steven Aftergood, director of the project on government secrecy at the Federation of American Scientists, wrote in March.

Aftergood, an open government proponent whom WikiLeaks once contacted for advice, has criticized the site for practicing reckless disclosure.

OnStar, Supreme Court Weigh Practicality of GPS Spying


Navigation service OnStar has scrubbed a planned policy that would have kept tabs on drivers after they canceled their subscriptions, amid a backlash from customers and privacy activists.

A recently proposed change to the General Motors subsidiary's terms and conditions stated that starting in December it would continue to collect data from vehicles whose owners dropped the service, unless those individuals opted out. On Tuesday, OnStar officials scratched the plan and said any future offers to preserve two-way communications will require that customers opt in with preferences on how their data is to be used.

"We realize that our proposed amendments did not satisfy our subscribers," OnStar President Linda Marshall said in a statement. "This is why we are leaving the decision in our customers' hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers."

Civil liberties advocates are pressing for stronger limits on the use of GPS-location information in the public and private sectors. This coming Supreme Court term, justices will take up a controversial case filed by the Obama administration that will decide whether government authorities violated a suspect's 4th Amendment rights by slipping a mobile-tracking device onto his Jeep without a warrant.

On Wednesday, the American Civil Liberties Union and the conservative Heritage Foundation will host separate events previewing the high court's next session, including the GPS surveillance case.

OnStar's now-scrapped plan to track ex-customers would have allowed the firm to provide them with emergency information about natural disasters and vehicle recalls, OnStar officials said. The data also would have helped the company plan future offerings, they said.

New Disk Allows Military Computers To Start Up Faster and Safer


The Pentagon expects to release by the first quarter of 2012 a single disk containing licensed, standard security settings that all troops can pop into desktops to quickly access the information they need during battle without messing with configurations, Defense Department officials said on Thursday.

The effort is an offshoot of several existing so-called golden masters, typically code stored on a DVD, that are in use servicewide within the Army, at U.S. Central Command and several other Defense agencies. Golden masters are replicas of operating systems and security settings required to run a computer safely.

"The unified master gold disk: that's an important disk to remember because there are a lot of gold disks around," Jim Clausen, co-chair of the Defense Enterprise Software Initiative working group, said at an event hosted by the SANS Institute, a security research center, and Government Executive Media Group, which includes Nextgov. This one will be issued by a central Defense office for use on military PCs departmentwide.

Pentagon officials plan to issue updates every six months but will leave it to each component to apply its own patches or bug fixes that protect against newly discovered software vulnerabilities.

In the future, the department may require that contractors integrate the new standard disk into all computers, Clausen said.

"It will in time" be mobile-ready too, added David DeVries, deputy Defense chief information officer for information management, integration and technology. "We take out of the equation the many different certification processes -- that gives time back to the warfighter."

New FISMA Regs Roll Back Three-Year Reauthorizations


The Obama administration has rescinded a much-maligned, paper-intensive requirement that agencies test the security controls on computer systems every three years or when upgraded.

This year, the annual instructions for complying with the 2002 Federal Information Security Act, or FISMA, say that new governmentwide procedures for automatically testing and tracking security, called continuous monitoring, fulfill the antiquated three-year reauthorization policy. So chief information officers can skip that lengthy, expensive step this fall when they report to Congress on fiscal 2011 cyber incidents.

Here's a snippet from the Sept. 14 FAQ:

"Is a security reauthorization still required every 3 years or when an information system has undergone significant change as stated in OMB Circular A-130? No.

Rather than enforcing a static, three-year reauthorization process, agencies are expected to conduct ongoing authorizations of information systems through the implementation of continuous monitoring programs. Continuous monitoring programs thus fulfill the three year security reauthorization requirement, so a separate re-authorization process is not necessary."

CIOs, you may rejoice.

All you have to do is install software and sensors that can execute the following:

"Continuous monitoring programs and strategies should address: (i) the effectiveness of deployed security controls; (ii) changes to information systems and the environments in which those systems operate; and (iii) compliance to federal legislation, directives, policies, standards, and guidance with regard to information security and risk management. Agencies will be required to report the security state of their information systems and results of their ongoing authorizations through [the data collection application] CyberScope in accordance with the data feeds defined by DHS."