Should Agency Websites Shutdown with the Rest of Government?

Some government websites were inaccessible during this week’s government shutdown. Content on other government websites was accessible, but only content published prior to the shutdown. In one instance, the National Science Foundation (NSF) suggested that maintaining its website during a government shutdown could pose cyber security risks. In contrast, the National Endowment for the Humanities (NEH) website remained opened but not updated. The NSF may run its own physical web server(s) onsite, while NEH and other agency sites that continued without interruption are hosted on the enterprise cloud. Conclusions cannot yet be drawn that government-run web servers went dark and cloud hosted sites remained up.

Could The Cloud Save Government Websites From Going Dark In The Next Shutdown?
Forbes | By Kalev Leetaru

Last April I wrote that rumors of the EPA’s open data website disappearing were merely the bureaucratic outcome of a potential government shutdown, but that perhaps the renewed attention to where the government’s scientific agencies host their data might yield changes that would make them more resilient to future government shutdown threats. Unfortunately, it appears that not all agencies learned from last year’s public outcry and earlier this week the US Government shutdown ended up turning off the lights on some US Government websites. How can it be in 2018, with the web such an important way of interacting with government agencies, that entire agency websites could simply vanish at the metaphorical stroke of midnight?
During this past weekend’s US Government shutdown, the EPA open data portal was spared, as was the USDA website, which simply added a brief message about the site not updating during the shutdown, in contrast to the 2013 shutdown, when they just removed their entire site. The data.gov portal largely shut down, though it made an archive of its metadata available via BitTorrent.
The National Science Foundation’s (NSF) website was a different matter. As with the EPA scare last year, I was first alerted to the disappearing site when I started receiving messages from colleagues looking for datasets, critical PDF documents, forms, references and other data from the now-vanished National Science Foundation’s website. Visitors to the NSF website were greeted with an homage to the simpler days of the web: a text-only one-page HTML homepage generated in Microsoft Word.
In contrast, the website of the National Endowment for the Humanities (NEH) remained completely open with the only modification being the addition of a small link to the agency’s shutdown plan. Unlike NSF, NEH’s shutdown directive provides that “public NEH websites such as http://www.neh.gov and edsitement.neh.gov will remain up, but will not be updated.” This is what one might expect from a government agency in 2018: websites simply freeze in time until the government resumes, but whatever was there prior to the shutdown remains accessible.
Similarly, websites for NIH, NASA, USGS, DOE and countless other agencies remained active.
When reached for comment, an NSF spokesperson responded that the agency had shut down its website in 2013 as well and that “The OMB memorandum [OMB-M-18-05] provides further guidance on continuity or suspension of IT operations for an agency, stating that continued access to agency websites does not warrant the retention of personnel or obligation of funds. Consistent with OMB guidance, NSF evaluated the potential operational impact and cyber security risks of maintaining agency websites, and decided it would be most prudent to suspend website operations.”
It is remarkable that NSF cited cyber security risk as a reason for shuttering its website during the shutdown. Given that many other agencies left their websites operating, does this mean they simply tolerated a higher risk of their sites being compromised? Or have they adopted a better cyber security posture that makes their sites more able to weather a shutdown without being hacked?
This also raises the question of what happens to US Government computing systems during a shutdown if they come under cyber-attack and whether website defacement and computer breaches would be detected and/or remediable during a shutdown. If NSF felt it would be unable to adequately detect or respond to a cybersecurity breach of its web site during a shutdown, does this mean that the US Government needs to develop a special cybersecurity policy to assist agencies during shutdowns?
Despite apparently feeling that the cybersecurity risks of leaving its website online during the shutdown were severe enough to warrant its deactivation, the agency did not suspend its social media accounts. When asked why it felt those accounts were not at risk from being taken over during the shutdown, the agency did not respond other than to confirm that it left its social accounts online, but did not update them.
The agency also did not respond beyond its statement above as to why it believed that it could not safely leave its website online, even while many of its peer agencies did so. When asked how “NSF determined that ‘cybersecurity risks’ warranted the deactivation of its website, while its peer agencies continued to operate their sites as normal” and whether “NSF has comment on whether its web infrastructure is notably different from its peers and thus at greater cybersecurity risk?” the agency responded “The OMB guidance stated that agencies should both evaluate potential operational impacts and cybersecurity risks of maintaining agency websites. Like in 2013, we decided it was most prudent to suspend website operations.”
Given that NEH felt so confident in the ability of its website to function unattended during the shutdown that it actually codified in its written shutdown policy that the site would continue to be available, it raises questions of why NSF believes its own website could not safely remain available. After all, if NSF believes its site is so vulnerable that it would be at risk during a shutdown, what does that say about its security posture and safety that it believes it cannot withstand even a few days on its own? NSF did appear to concede that it might learn from its peer agencies, saying “NSF is reviewing its plans and identifying ways where we can make changes while still complying with the law.”
While the agency itself would not comment on why it was unable to leave its website functioning, one clue might be a 2016 bulletin that suggests the agency may run its own physical web server(s) on premises, rather than outsourcing its website hosting to the enterprise cloud. In contrast, websites for NEH, NIH, and NASA all continued without interruption and all resolve to IP ranges in Amazon’s AWS cloud, meaning they could rely on Amazon’s enterprise-grade infrastructure and security to continue functioning even in the absence of Government IT staff to monitor them. DOE’s website, which resolves to an IP hosted by BlackMesh hosting services, similarly remained up. At the same time, however, data.gov, which was shut down, resolves to an AWS and CloudFront IP address, while the USGS website appears to resolve to a US Government IP range and remained up.
Thus, it is not as clear cut as saying that government-run web servers went dark and cloud hosted sites remained up. If the Department of Interior and NSF both indeed operate their own web servers, why is it that the Interior was able to configure those servers to safely and securely continue to function during the shutdown, while NSF felt it was unable to continue making its websites available without placing them at an unacceptable operational and cybersecurity risk? Why did data.gov shutdown even though it is hosted in the commercial cloud, while other sites also hosted in the same cloud remained available? GSA did not respond to a request for comment as to why data.gov was disabled during the shutdown.
Clearly, agency decision making played a key role as to which agencies decided to leave their sites running and which made the decision to wipe their agency from the digital world with a single keystroke in an erasure that would make Orwell’s 1984 government proud.
Putting this all together, it is remarkable that in 2018 a government shutdown could result in entire agency websites and the open data portal of the United States going dark. Even more remarkable is that at least one agency responded that its website shutdown was due at least in part to cybersecurity concerns of running its site unattended, suggesting the US Government may need a unified cybersecurity policy to protect agencies during shutdowns. It is noteworthy that it appears that even those agencies that shuttered their websites appeared to leave their social media accounts online, instead of similarly suspending them out of fears that attackers could leverage social engineering or other approaches to take them over while they were unattended during the shutdown.
That the Government’s outsourced communications platforms on Twitter, Facebook and elsewhere largely remained online even as some websites were turned off, raises the question of whether the US Government should simply outsource the rest of its public digital presence to the firms that power the modern digital age? It appears that many federal agencies have already outsourced their web hosting and that those cloud-hosted sites from the White House (Akamai) to the Department of Energy (BlackMesh) to NEH, NIH and NASA (Amazon AWS) largely remained up during the shutdown, though with the notable exception of data.gov.
In the end, many US Government agencies that shut down in 2013 seem to have learned their lessons and remained available this time, while others chose to wipe their agencies from the digital world in lieu of 1990’s-style one-page homepages written in Microsoft Word. The trend towards outsourcing Government hosting seems to have helped, with even those agencies shuttering their websites electing to keep their cloud-hosted social media accounts running. Perhaps as the last technology holdouts finally join the modern era and as Government moves the rest of its hosting infrastructure to the cloud, the US Government will no longer go digitally dark during the next shutdown.

DHS: More Fed Cyber Services Could Be Outsourced

Barry West, the Department of Homeland Security’s senior accountable official for risk management, believes that federal agencies may pursue outsourced cyber security services from contractors more frequently, due to the ongoing global shortage of and competition for cyber talent.

Government Could Shift to Security-as-a-Service, DHS’s West Says
Fedscoop | By Carten Cordell

With cyber talent in high demand, Barry West said Thursday that the government may soon to lean more heavily on the private sector for cyber security help.

West, the Department of Homeland Security’s senior accountable official for risk management, said that an ongoing global shortage of cyber talent could soon push agencies to more frequently pursue outsourced cyber security services from contractors rather than try to compete with the private sector.

“When I look at a visionary view of cyber, I think this is really where we are headed,” he said at ATARC’s Federal CISO Summit. “This would have been far-fetched probably five years ago, saying you were going to have a private sector company perform your security.”

West pointed to research from Gartner that predicted that there would be a global cyber shortfall of 1.8 million by 2022 — with the federal government struggling to compete with the private sector for talent, it may be more beneficial for agencies to contract for it, he said.

“This isn’t to say that there’s not going to be government oversight; there’s still not going to be a [chief information security officer] in charge,” he said, “but I really think we are headed for a model where we are going to see security-as-a-service and you are going to see [security operations center, or SOCs] as a service.”

West added that DHS is already in talks to consolidate 12 to 13 “disparate SOCs” — which help monitor cyber security posture from across the agency’s networks — saying that it is a key priority for Secretary of Homeland Security Kirstjen Nielsen.

“She really wants to see that happen,” he said. “It really shows when you have a major incident — when we had the WannaCry incident last year, it became real clear some of the disorganization we had around reporting.”

Consolidation would precede SOC-as-a-service, West said, with DHS beginning to merge SOC operations in the National Capital Region.

“I think it’s the way we’re headed. I think you will hear more of the SOC consolidation at DHS next year. That’s going to be a big focus for us,” he said.

After that, West said, DHS would likely craft some prototypes to test the SOC-as-a-service model over the next three to four years.

“I think we have to start thinking about it now and planning, but I think it’s the way of the future,” he said.

Symantec, McAfee Let Russia Search Through Their Software

A Reuters investigation found that global technology providers Symantec and McAfee allowed Russian authorities to search for vulnerabilities in the source code of some of their products that are also used by the U.S. government. U.S. lawmakers and security experts believe the practice could potentially jeopardize the security of networks in at least a dozen federal agencies.

Tech Firms Let Russia Probe Software Widely Used by U.S. Government
Reuters | By Dustin Volz, Joel Schectman, Jack Stubbs

WASHINGTON/MOSCOW (Reuters) – Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O) and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

But those same products protect some of the most sensitive areas of the U.S government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.

Reuters revealed in October that Hewlett Packard Enterprise (HPE.N) software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.

Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.

McAfee, SAP, Symantec and Micro Focus (MCRO.L), the British firm that now owns ArcSight, all said that any source code reviews were conducted under the software maker’s supervision in secure facilities where the code could not be removed or altered. The process does not compromise product security, they said. Amid growing concerns over the process, Symantec and McAfee no longer allow such reviews and Micro Focus moved to sharply restrict them late last year.

The Pentagon said in a previously unreported letter to Democratic Senator Jeanne Shaheen that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”

Reuters has not found any instances where a source code review played a role in a cyber attack, and some security experts say hackers are more likely to find other ways to infiltrate network systems.

But the Pentagon is not alone in expressing concern. Private sector cyber experts, former U.S. security officials and some U.S. tech companies told Reuters that allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses.

“Even letting people look at source code for a minute is incredibly dangerous,” said Steve Quane, executive vice president for network defense at Trend Micro, which sells TippingPoint security software to the U.S. military.

Worried about those risks to the U.S. government, Trend Micro has refused to allow the Russians to conduct a source code review of TippingPoint, Quane said.

Quane said top security researchers can quickly spot exploitable vulnerabilities just by examining source code.

“We know there are people who can do that, because we have people like that who work for us,” he said.

In contrast to Russia, the U.S. government seldom requests source code reviews when buying commercially available software products, U.S. trade attorneys and security experts say.

OPENING THE DOOR

Many of the Russian reviews have occurred since 2014, when U.S.-Russia relations plunged to new lows following Moscow’s annexation of Crimea. Western nations have accused Russia of sharply escalating its use of cyber attacks during that time, an allegation Moscow denies.

Some U.S. lawmakers worry source code reviews could be yet another entry point for Moscow to wage cyberattacks.

“I fear that access to our security infrastructure – whether it be overt or covert – by adversaries may have already opened the door to harmful security vulnerabilities,” Shaheen told Reuters.

In its Dec. 7 letter to Shaheen, the Pentagon said it was “exploring the feasibility” of requiring vendors to disclose when they have allowed foreign governments to access source code. Shaheen had questioned the Pentagon about the practice following the Reuters report on ArcSight, which also prompted Micro Focus to say it would restrict government source code reviews in the future. HPE said none of its current products have undergone Russian source code review.

Lamar Smith, the Republican chairman of the House Science, Space and Technology Committee, said legislation to better secure the federal cyber security supply chain was clearly needed.

Most U.S. government agencies declined to comment when asked whether they were aware technology installed within their networks had been inspected by Russian military contractors. Others said security was of paramount concern but that they could not comment on the use of specific software.

A Pentagon spokeswoman said it continually monitors the commercial technology it uses for security weaknesses.

NO PENCILS ALLOWED

Tech companies wanting to access Russia’s large market are often required to seek certification for their products from Russian agencies, including the FSB security service and Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.

FSTEC declined to comment and the FSB did not respond to requests for comment. The Kremlin referred all questions to the FSB and FSTEC.

FSTEC often requires companies to permit a Russian government contractor to test the software’s source code.

SAP HANA, a database system, underwent a source code review in order to obtain certification in 2016, according to Russian regulatory records. The software stores and analyzes information for the State Department, Internal Revenue Service, NASA and the Army.

An SAP spokeswoman said any source code reviews were conducted in a secure, company-supervised facility where recording devices or even pencils “are strictly forbidden.”

“All governments and governmental organizations are treated the same with no exceptions,” the spokeswoman said.

While some companies have since stopped allowing Russia to review source code in their products, the same products often remain embedded in the U.S. government, which can take decades to upgrade technology.

Security concerns caused Symantec to halt all government source code reviews in 2016, the company’s chief executive told Reuters in October. But Symantec Endpoint Protection antivirus software, which was reviewed by Russia in 2012, remains in use by the Pentagon, the FBI, and the Social Security Administration, among other agencies, according to federal contracting records reviewed by Reuters.

In a statement, a Symantec spokeswoman said the newest version of Endpoint Protection, released in late 2016, never underwent a source code review and that the earlier version has received numerous updates since being tested by Russia. The California-based company said it had no reason to believe earlier reviews had compromised product security. Symantec continued to sell the older version through 2017 and will provide updates through 2019.

McAfee also announced last year that it would no longer allow government-mandated source code reviews.

The cyber firm’s Security Information and Event Management (SIEM) software was reviewed in 2015 by a Moscow-based government contractor, Echelon, on behalf of FSTEC, according to Russian regulatory documents. McAfee confirmed this.

The Treasury Department and Defense Security Service, a Pentagon agency tasked with guarding the military’s classified information, continue to rely on the product to protect their networks, contracting records show.

McAfee declined to comment, citing customer confidentiality agreements, but it has previously said the Russian reviews are conducted at company-owned premises in the United States.

‘YOU CAN‘T TRUST ANYONE’

On its website, Echelon describes itself as an official laboratory of the FSB, FSTEC, and Russia’s defense ministry. Alexey Markov, the president of Echelon, which also inspected the source code for ArcSight, said U.S. companies often initially expressed concerns about the certification process.

“Did they have any? Absolutely!!” Markov wrote in an email.

”The less the person making the decision understands about programming, the more paranoia they have. However, in the process of clarifying the details of performing the certification procedure, the dangers and risks are smoothed out.”

Markov said his team always informs tech companies before handing over any discovered vulnerabilities to Russian authorities, allowing the firms to fix the detected flaw. The source code reviews of products “significantly improves their safety,” he said.

Chris Inglis, the former deputy director of the National Security Agency, the United States’ premier electronic spy agency, disagrees.

“When you’re sitting at the table with card sharks, you can’t trust anyone,” he said. “I wouldn’t show anybody the code.”

Third Largest County in U.S. Almost Lost $888K in Phishing Attack

Back in September 2017, a cybercriminal exploited Hurricane Harvey repair and rebuild efforts in the Houston area to dupe Harris County, the third largest county in the U.S., into releasing $888,000. While the county managed to recoup the payment, they plan on hiring a cyber security firm to review their internal policies and security controls, as increasingly sophisticated attacks from all over continue to target local governments.

Phishing Attackers Almost Steal $888K from Harris County, Texas, Prompting Cyber security Review
Government Technology | By Mihir Zaveri

On Sept. 21, not three weeks after Houston was ravaged by Hurricane Harvey, the Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc.

The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.

“If we can get the form and voided check back to you today would it be updated in time for our payment?” read a Sept. 25 email from Chambers.

On Oct. 12, Harris County sent the money out. The next day, the county quietly was scrambling to get it back, after being alerted that the account did not belong to D&W, that Chambers did not exist and that county employees had been duped by a fraudster.

The county recouped the payment, but the ongoing investigation into who tried to take the county’s money and nearly got away with it has ignited a debate over the financial security and cyber security of the third-largest county in America. That debate comes as experts point to a growing number of increasingly sophisticated attackers from around the world, homing in on untrained employees or system vulnerabilities.

The incident now has become wrapped into an FBI investigation into a group that has attempted to extort local governments around the world, law enforcement officials said.

Meanwhile, some officials are moving to revamp their practices as others say further scrutiny of county defenses is necessary.

“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you,” Harris County Judge Ed Emmett said. “I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money.”

The investigation into the incident comes as the cyber security of local governments has received increased scrutiny after reports in 2016 of Russian-sponsored attempts to hack campaign finance databases and software used by poll workers.

Harris County information technology officials last year acknowledged a “spike” in attempts to hack servers from outside of America’s borders, but, citing concerns over emboldening the hackers, they declined to say how big of a surge in hacking attempts the county was experiencing, whether it was election-related or which systems had been targeted.

Alan Shark, executive director and CEO of the Washington, D.C.-based Public Technology Institute, which partners with the National Association of Counties, said the attempt to steal money from Harris County was not typical, but local governments increasingly are becoming targets for hackers or other cyber criminals.

Shark said statistics to illustrate the trends specific to governments are hard to find, though he said they “mirror” those of the private sector. One firm estimates that by 2021, cybercrime will cost the world $6 trillion each year, up from $3 trillion in 2015.

“This is not somebody sitting in a college dorm somewhere, dreaming this up,” Shark said. “In most cases these are very sophisticated, more often happening from another nation or another country.”

Shark said local governments are particularly vulnerable after disasters.

Harris County Precinct 1 Constable Alan Rosen said his office has “worked the case as far as you can go,” and said that no county employee had been implicated.

“We’re working with the FBI because there have been multiple attempts by this group throughout the United States and abroad to phish in county governments, city governments, things like that,” Rosen said. “We’re working very closely with them.”

He declined to provide more information about the group being investigated, referring questions to the FBI office in Los Angeles.

An FBI spokeswoman said Wednesday she could not confirm or deny the investigation.

Rosen said he had never investigated such an incident before.

“But that doesn’t mean it hasn’t happened,” he said. “I just have not heard of it.”

The county makes nearly 10,000 payments to vendors each month totaling about $141 million, about a third of those in the form of electronic transfers like that set up in September to send out the $888,000.

Harris County Auditor Michael Post said he had never seen an attempt like the one from the fraudulent D&W contractor.

“I’m calling it a near miss,” Post said. “It was (nearly) $900,000. Oh my God, that happened. We did not want this to ever happen.”

He said while he cannot say for sure that it has not happened in the past, it likely would have been caught when whoever was supposed to receive the money did not.

Post said in the days after the incident, he created a five-person team that would begin reviewing every outgoing payment and double-checking that recipients are, in fact, who they say they are by calling and asking for verifying information. That team includes one individual certified by the Association of Certified Fraud Examiners.

Earlier this month, the auditor’s office staff went through training on how to review for fraudulent requests for payment.

Some say the changes so far do not go far enough.

Orlando Sanchez, the Harris County treasurer, who writes the actual checks for the county, said he would like to see a more comprehensive analysis of the county’s vulnerabilities. He said he has to write checks that are directed by the county auditor’s office, and he would like to see an outside agency or another county department audit the county’s payments.

On Jan. 9, Sanchez sought to hire an outside forensic financial investigation firm Briggs and Veselka to “review the county’s payment processes and controls” but a vote on the proposal was postponed by Harris County Commissioners Court after the county attorney’s office said it objected to some technical terms of the proposed contract.

Commissioners Court is expected to consider at its Jan. 30 meeting a proposal to hire a firm to look over the county’s internal policies and cyber security controls when it comes to the payment process.

“We are a big operation,” Emmett said. “Harris County has got more people than 26 states. We’re well into the billions of dollars on an annual budget. I think the more eyes the better.”

Strava Reviewing Features After Heat Map Exposes Military Locations

The App That Exposed the Location of Military Bases With a Heat Map is Reviewing Its Features
CNBC | By Ryan Browne

Strava, the fitness app that exposed the locations and activities of soldiers at U.S. military bases, is reviewing its features to prevent them from being compromised for malicious purposes.

The app, which calls itself a “social network for athletes,” lets users connect a GPS device to the service so that they can upload their workout logs online. This, in turn, revealed the movements of service personnel using the app and additional information about how frequently they were moving.

Strava Chief Executive James Quarles said that the company was “committed to working with military and government officials to address potentially sensitive data.” He added that Strava’s engineering and user experience teams were “simplifying” its privacy and safety features to inform users about how they can control their data.

“Many team members at Strava and in our community, including me, have family members in the armed forces,” Quarles said in an open letter Monday.

“Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.”

Quarles also emphasized that users could find existing details on how to manage their privacy on Strava’s website.

A U.S. military spokesperson told the Washington Post on Monday that it was revising its guidelines on the use of wireless devices on military facilities.

Vickvapor

I can’t believe how long it took for me to find a mentol in my local pharmacy.background

Vickvapor is excellent for the flue season. It’s strong smell helps you breath better and definitely help with congestion. So next time you feel a little congested or unable to breath try mentol or vickvapor. Hopefully it will take you less time to find it !

Homeland Security: Data Breach in 2014, Over 240K Workers Affected

The Inspector General for Homeland Security found that the personal information of more than 247,000 employees and others connected with the agency was compromised in 2014.

Data Breach Affected More Than 240,000 Homeland Security Workers, IG Confirms
Nextgov | By Joseph Marks |

Personal information about more than 247,000 Homeland Security Department employees and other people connected with the agency was compromised in 2014, the department’s internal auditor said Wednesday.

In May, the Homeland Security inspector general’s office found a copy of its investigative case management system—and the reams of personal information it contained—in the possession of a former inspector general’s office employee, according to a department statement.

Inspectors found the case management system as part of a criminal investigation but did not say if the former employee is the target of that investigation.

The statement also did not provide details about how the system ended up in the former employee’s possession except to say that it was not the result of a third-party cyberattack and that other employees’ personal information was not the target of the “unauthorized exfiltration.”

USA Today described the breach in November based on leaked documents but Homeland Security did not confirm the breach at that time.

The case management system contained personal information on 247,167 Homeland Security employees who worked for the department when the information was removed in 2014, the department said.

It also contained information about non-employees who were subjects, witnesses or complainants in inspector general investigations between 2002 and 2014, the department said. The statement does not say how many non-employees were in that group.

The department is “implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns” in the future, according to the statement.

The statement did not describe what personal information was compromised. Personal information can range from less sensitive information, such as names and phone numbers, to highly sensitive information, such as Social Security numbers and financial data.

The department is offering free credit monitoring to employees and other people whose information was compromised. Employees were informed about the breach in a Wednesday letter, but the department won’t directly notify non-employees because of “technological limitations.”

The notice includes a contact number for non-employees who were associated with Homeland Security inspector general investigations to request credit monitoring.

Security experts have often said credit monitoring is less effective at preventing criminals from profiting off your leaked information than other steps such as freezing your credit.

“The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information [with] which they are entrusted,” the notice states.

New Bill to Give Government Power to Penalize Companies Who Suffer Data Breach

In efforts to motivate entities to protect their stores of sensitive consumer data, lawmakers want to penalize organizations who suffer major cyber-attacks.  The proposed bill would grant the Federal Trade Commission clearer authority to fine credit-reporting agencies.  The fines incurred by the companies would be paid to the millions of Americans affected by the breach.

Equifax could face a massive fine for another security breach — if two top Senate Democrats get their way

Redcode| By Tony Romm| January 10, 2018

Two top Senate Democrats are seeking broad new powers for the U.S. government to slap Equifax and its peers with massive fines if they suffer major cyber attacks — money that would then be returned to the millions of Americans affected by such a breach.

The idea is the centerpiece of the so-called Data Breach Prevention and Compensation Act, a bill to be introduced on Wednesday by Democratic Sens. Elizabeth Warren and Mark Warner. Cyber attacks may be inevitable, but the lawmakers feel that the federal government for too long has lacked the power to penalize entities that fail to protect their stores of sensitive consumer data.

Specifically, the bill would grant the Federal Trade Commission — an arm of the government that oversees companies’ security practices — clearer authority to fine credit-reporting agencies. That category includes TransUnion, Experian and Equifax, the latter of which was subject to a breach last year compromising the names, Social Security numbers and other sensitive information of more than 145 million Americans.

If the Democrats’ measure had been law at the time of the incident, Equifax would have been forced to fork over $1.5 billion to the feds, the lawmakers estimate. That’s because their measure would allow the FTC to fine credit-reporting agencies $100 for each consumer whose personal information was stolen by a hacker — and an another $50 for each additional piece of personal information compromised per individual. Total fines would be capped based on a credit-reporting agency’s revenue, but could increase further if the likes of Equifax failed to follow basic cybersecurity practices.

The bill by Warren and Warner would further ensure that half of the money paid to the U.S. government would ultimately be returned to affected consumers. Meanwhile, the Democratic duo would empower the FTC to probe and regulate the data security practices of credit-reporting agencies.

“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into peoples’ pockets and help stop these kinds of breaches from happening again,” Warren said in a statement.

For Warren and Warner, their proposal originates out of a broader frustration about the power and reach of credit-reporting agencies. These entities aren’t widely known, but they amass virtual warehouses of information about all Americans. The credit scores they compute affect consumers’ ability to purchase cars, rent apartments, obtain loans and more — but the watchdog FTC is limited in its oversight of the industry.

Yet even these powerful Democrats still face a daunting challenge in advancing their legislation to a vote on the Senate floor.

Lawmakers convened months of hearings in the aftermath of the Equifax breach, repeatedly grilling its top executives for their misdeeds. Disgust and outrage transcended party lines, leading Democrats and Republicans to expand their inquiries to include other major breaches, including a 2013 incident at Yahoo that affected three billion users.

Somehow, though, their intense, widespread criticism failed to translate into any new, meaningful movement on a slew of bills that might have addressed the problem. Congress couldn’t even advance basic legislation that aimed to refund consumers who had to purchase credit freezes from the very credit-reporting agencies, like Equifax, that had been hacked. Warren, in fact, had been a key driver of that idea.

Nor was it the first time that lawmakers failed to translate their outage into action: Similar breaches affecting Sony, Home Depot, Target and scores of other major companies in recent years have failed to convince Congress to adopt new federal rules governing how and when companies inform customers of a data breach. Many states have their own rules, which one major company — Uber — may have flouted in its handling of a 2016 security incident.

For now, though, Senate Democrats stressed that their new bill is necessary to fix the “out of whack” economics of cybersecurity, as Warren explained — the reality that there’s currently very little the FTC can do, even in the wake of a cyber attack that affected 40 percent of the U.S.

“In today’s information economy, data is an enormous asset,” added Warner in a statement. “But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”

Border Agents are Searching Through More Travelers’ Devices Than Ever

Nextgov | By Jack Corrigan |

Customs and Border Protection released fresh guidelines on Friday detailing how and when border officials can examine information on electronic devices of travelers entering and leaving the country.

The new directive keeps intact most of the broad authorities given to federal officials at the border while putting some limits on how extensively they can search personal electronic devices. CBP dug through the electronic devices of 30,200 people entering and leaving the country in fiscal 2017, up from 19,051 the previous year.

The order comes as the Trump administration looks to tighten border security and travelers enter the U.S. with record numbers of phones, laptops and tablets in tote.

The policy replaces the previous directive issued in 2009, adapting and providing more thorough instructions on how officials should handle encryption and other advanced technologies.

“In this digital age, border searches of electronic devices are essential to enforcing the law at the U.S. border and to protecting the American people,” said CBP Deputy Executive Assistant Commissioner John Wagner in a statement. “CBP’s authority for the border search of electronic devices is and will continue to be exercised judiciously, responsibly, and consistent with the public trust.”

Electronic device searches help combat terrorism and other illegal activity like child pornography and visa fraud, according to CBP. Despite the nearly 60 percent increase in searches, only about one in every 13,600 international travelers has their devices searched.

Officials still can check local data, but under the new guidance they cannot conduct a more thorough search unless they have reasonable suspicion that the person broke the law or presents “a national security concern.” The order maintains that “many factors” can cause suspicion and justify an “advanced search,” which uses external equipment to review, copy and analyze the contents of a device.

Federal agents also have the power to access encrypted or password-protected information stored on personal electronics. If individuals don’t cooperate in unlocking an inaccessible device, CBP can seize and open it with technical assistance.

The guidance also details the conditions under which CBP can store and share information gathered from personal devices and how agents should deal with sensitive information like medical records and attorney-client communication. Officials also shouldn’t detain devices for more than five days without extenuating circumstances, according to the order.

While the policy change marks a shift away from the more ambiguous, wide-ranging authority given to border officials under the Obama administration, some civil liberty advocates don’t think it goes far enough.

“It is positive that CBP’s policy would at least require officers to have some level of suspicion before copying and using electronic methods to search a traveler’s electronic device,” said Neema Singh Guliani, legislative counsel at the American Civil Liberties Union, in a statement. “However, this policy still falls far short of what the Constitution requires: a search warrant based on probable cause.”

Guliani reiterated travelers should not be obligated to give officials access to their private information and called on Congress to push CBP to further change its policy.

#1 Password Found in Data Dumps for 2017: “123456”

Splash Data, a password management utilities provider, compiled a list of five million user credentials leaked this year and found the most commonly used password to be 123456. Attackers use these leaked records to build similar lists of leaked passwords, which are assembled as “dictionaries” for carrying out account brute-force attacks.

“123456” Remains Most Common Password Found in Data Dumps in 2017

Bleeping Computer | By Catalin Cimpanu |
For the second year in a row, “123456” remained the top password among the millions of cleartext passwords exposed online thanks to data breach incidents at various providers.

While having “123456” as your password is quite bad, the other terms found on a list of  Top 100 Worst Passwords of 2017 are just as distressing and regretful.

Some of these include an extensive collection of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley), and various expressions (iloveyou, letmein, whatever, blahblah).

But, by far, the list was dominated by names, with the likes of Robert (#31), Matthew (#32), Jordan (#33), Daniel (#35), Andrew (#36), Andrea (#38), Joshua (#40), George (#48), Nicole (#53), Hunter (#54), Chelsea (#62), Phoenix (#66), Amanda (#67), Ashley (#69), Jessica (#74), Jennifer (#76), Michelle (#81), William (#86), Maggie (#92), Charlie (#95), and Martin (#96), showing up on the list.

List compiled from five million leaked credentials

The list was put together by SplashData, a company that provides various password management utilities such as TeamsID and Gpass. The company said it compiled the list by analyzing over five million user records leaked online in 2017 and that also contained password information.

“Use of any of the passwords on this list would put users at grave risk for identity theft,” said a SplashData spokesperson in a press release that accompanied a two-page PDF document containing a list of the most encountered passwords.

This is because attackers use these same leaked records to build similar lists of leaked passwords, which they then assemble as “dictionaries” for carrying out account brute-force attacks.

Attackers will use the leaked terms, but they’ll also create common variations on these words using simple algorithms. This means that by adding “1” or any other character combinations at the start or end of basic terms, users aren’t improving the security of their password.

Advising users on best password policies is a doctoral paper in its own right, but for the time being, users should look into using unique passwords per account, possibly employing a password manager, using more complex passwords, and above all, staying away from the terms below.

1 – 123456 (rank unchanged since 2016 list)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (Up 2)
5 – 12345 (Down 2)
6 – 123456789 (New)
7 – letmein (New)
8 – 1234567 (Unchanged)
9 – football (Down 4)
10 – iloveyou (New)
11 – admin (Up 4)
12 – welcome (Unchanged)
13 – monkey (New)
14 – login (Down 3)
15 – abc123 (Down 1)
16 – starwars (New)
17 – 123123 (New)
18 – dragon (Up 1)
19 – passw0rd (Down 1)
20 – master (Up 1)
21 – hello (New)
22 – freedom (New)
23 – whatever (New)
24 – qazwsx (New)
25 – trustno1 (New)