IRS warns tax preparers about a new refund scam. Only a few days into the tax-filing season, the #IRS is sounding an alarm about a new tax scam. Specifically, it’s warning #tax preparers to be on guard about the scam, which is aimed at stealing #taxpayers’ refunds by using data compromised in tax preparers’ offices.

Kathy Kristof | CBS News | MSN

The agency said it has already received a number of fake tax returns that had accurate taxpayer names, addresses, Social Security numbers and even bank account information for the victims.

In an unusual twist, some bogus refunds were actually directed to the real taxpayers’ bank accounts, the agency said. A criminal, posing as a debt collector, then contacted the taxpayers saying the refunds had been sent in error and the victims should forward the money to the crook.

Because these fake returns contained all of the taxpayer’s correct information, down to the right number of dependents, the IRS believes the scam started in tax-preparation offices. The agency assumes that the data was compromised because some preparers were taken in by phishing scams that then loaded malicious software onto their computer systems, making all the taxpayer information that was kept by these preparers vulnerable to theft.
The IRS said it’s still in preliminary stages of investigating the con and can’t quantify how many people have been affected. But because this type of scam has a way of burgeoning overnight, the agency wanted to immediately warn preparers to secure their computer systems.

“Given the history that we have seen on scams like this, when these start, they tend to proliferate quickly,” said IRS spokesman Terry Lemons. “When a scam turns out to be successful, they tend to expand. We wanted to alert tax professionals to be on the lookout.”

Unfortunately for consumers — the ultimate victims of this con — those who find themselves hit by tax fraud have a far more difficult course than consumers whose credit card accounts have been stolen. In the latter case, consumers have a number of steps they can take to deter criminals from using that stolen information to open up new accounts.

In the former case, the first inkling that a taxpayer would get that they were victimized is when their electronically filed return gets rejected as a duplicate. At that point, in addition to reporting the fraud to the credit bureaus and the Federal Trade Commission, tax fraud victims need to fill out a special IRS form, 14039. The taxpayer’s 1040 must then be filed on paper, with the fraud affidavit attached to the front.
Be prepared that this will dramatically slow your refund. Lemons said the typical tax identity fraud takes roughly four months to investigate and resolve.

Since tax ID theft peaked in 2013, the IRS has taken a host of steps, including forming a security partnership with preparers and software companies, to stamp out tax return fraud. The agency has also launched a pilot program that has added 16-digit identifiers to some employers’ W-2 information. The agency hopes this will help it spot and stop identity thieves before they take off with taxpayer refunds.

These efforts have helped cut ID theft reports nearly in half over the past year.

“We have stepped up our defenses, and the private sector tax community has worked to strengthen their security too,” Lemons said.

Still, this newly discovered fraud is ominous and suggests that individual taxpayers should also be on guard.

Make sure that you keep updated security software on your home computer and ask any tax preparer you hire how your data is protected, Lemons suggested. If any of your W-2 forms contain the new 16-digit identifiers, also make sure to include that number on your tax return. That will help the IRS know the return truly came from you, not an identity crook.

#SID2018 Is the Internet Safer? Today is the annual Safer Internet Day, an effort to promote safer and responsible use of the internet and mobile phones that is celebrated by over 120 countries. Several cyber experts and companies weigh in on the dangers that younger internet browsers face, and how government, industry, parents, and others in the community can help reduce usage risks.

#SID2018: Is the Internet Safer?

Infosecurity Magazine | By Dan Raywood | February 6, 2018

Today is the annual Safer #InternetDay, where the reality of online threats is detailed in the effort to encourage users to take better safety steps online.

According to research released by the UK Safer Internet Centre, a study of 2000 eight- to 17-year-olds found that 11% had “felt worried or anxious on the internet,” while respondents had felt inspired (74%), excited (82%) or happy (89%) as a result of their internet use in the previous week.

This year’s event is using the slogan “Create, Connect and Share Respect: A better internet starts with you” with a strong emphasis on using the internet and what makes users feel good or bad. In a time where more is being done to deliver a safe experience online – including free SSL certificates, the launch of a new version of the TLS protocol and the ability to filter out certain words on Twitter – it does seem that more is being done to provide a safer and better experience for all online.

Margot James, Minister for Digital and the Creative Industries, said that the internet does have a positive effect on young people’s lives, but we must all recognize the dangers that can be found online. “Only by working together can government, industry, parents, schools and communities harness the power of the internet for good and reduce its risks.”

At the recent White Hat Ball, it was revealed that in 2017, there were over 12,000 counselling sessions in which children spoke to Childline about experiences of online sexual abuse, bullying and safety.

Will Gardner, a director of the UK Safer Internet Centre and CEO of Childnet, said: “Safer Internet Day gives us the unique opportunity to collectively promote respect and empathy online, inspire young people to harness their enthusiasm and creativity, and support them to build positive online experiences for everyone. It is #inspirational to see so many different organizations and individuals come together today to build a better internet.”

After all, a #safer #internet means more young people are encouraged to learn more about the internet and its workings, and therefore see the benefits of a career in cybersecurity.

Raj Samani, chief scientist and fellow at McAfee, said the reality is that we need to continue raising awareness for codes of best practice online. “Cyber-criminals are constantly on the lookout for slip ups and mistakes which allow them to access lucrative private data – from bank account details to medical history: consumers must be aware of the threats online – not least because the blurring of work life boundaries today means bad habits online can quickly slip into the office.”

As a result, Samani recommended that businesses should offer staff training to build up a strong security culture across their entire organization.

He added: “Implementing the right technology is vital but, at the end of the day, it’s about looking for a blended approach which suits your specific organization. This means finding the right combination of people, process and technology to effectively protect the organization’s data, detect any threats and, when targeted, rapidly correct systems.

“Safer Internet Day acts as a timely reminder for organizations to ensure the correct training is in place so staff can remain cyber-savvy online.”

To tie in with the day, ENISA published the Cybersecurity Culture in Organizations report, in order to promote both the understanding and uptake of cybersecurity culture programs within organizations. ENISA said that a decent culture is achieved by:

• Setting #cybersecurity as a standing agenda item at board meetings to underline the importance of a robust cybersecurity culture

• Ensuring that employees are consulted and their concerns regarding cybersecurity practices are being considered by the cybersecurity culture working group

• Ensuring that business processes/strategies and cybersecurity processes/strategies are fully aligned

“While many organizations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life,” ENISA’s announcement said.

Part of this was to appreciate that “cyber threat awareness campaigns alone do not provide sufficient #protection against ever evolving cyber-attacks,” that technical cybersecurity measures need to be in accordance with other business processes, and that employees need to act as a strong human firewall against cyber-attacks.

A safer internet is better for all, although a cynic of such awareness days would suggest that there should be year-round awareness of the issues and part of developing a culture is the constant awareness. Regardless, some action is better than none and it is reassuring to see such positivity about internet usage in 2018.

Army to Modernize Tracking System for Cyber Attacks

The U.S. Army is preparing to modernize Blue Force Tracking, its friendly forces tracking system, to ensure continued operability in the event of cyber and electronic warfare attacks.

The Army Wants to be Able to Track Friendly Forces During a Cyber Attack
C4ISRNET | By Daniel Cebul

Washington — The U.S. Army is preparing to modernize its friendly forces tracking system so that it will continue to operate through cyber and electronic warfare attacks.

The service’s situational awareness network, known as Blue Force Tracking, already receives periodic updates, but a more significant upgrade is needed if troops are to be adequately equipped for future warfare. “This capability improvement is necessary as the United States faces increased cyber and electronic warfare threats from near-peer adversaries,” Lt. Col. Shane Sims said in an Army press release.

Defense News reported in November 2017 that Russia’s Zapad exercise took place in a largely EW-hostile environment. Because Russia proved it can jam its own forces relatively easily, military officials are concerned about how well NATO forces are prepared to operate in GPS- and communication-denied environments.

To address these issues, the program office partnered with the Army’s Communications-Electronics Research, Development and Engineering Center, or CERDEC, and ran concurrent studies that examined the capabilities and limitations of current blue force tracking technology.

The work included:

• A traffic study that explored how the current blue force tracking system generates and receives data, as well as the requirements of moving data digitally to identify any network vulnerabilities.

• A cyber and electronic warfare study that aimed to identify what emerging technologies need to be developed to stay ahead of adversaries. The Army announcement notes, “assured positioning, navigation and timing, known as PNT, for soldiers in GPS-denied environments was the primary goal in this study.”

• A network study that examined how to communicate future data more efficiently within the network.

• A transport study that identified the physical infrastructure — radios, satellites and antennas — needed to move larger quantities of information. Part of the solution is to build redundancies into the network to use different radios and different frequency bands.

This might entail deploying satellites of higher technological quality in larger quantities. A new satellite infrastructure that could handle more data and transmit information faster was credited with the improvements soldiers observed the last time the BFT system was upgraded in 2011.

“The goal of the next-generation BFTs is to reduce the cognitive burden on soldiers by creating a simple and intuitive network,” Sims said.

The Army issued a request for information on the system this month, and CERDEC is set to meet with Army leaders to discuss an acquisition strategy in February.

The Army hopes to issue a request for proposals from industry in early 2020, and could begin fielding the new BFT by 2025, the release said.

The Risk of Insider Threat

Research demonstrates that most fraud risk is attributed to insider threat. In a study almost one third of all cyber attacks were committed by ex-employees.

It’s Not Just Cybercriminals: Insider Threats Still a Top Cyber Risk for Corporations
Property Casualty 360° | By Rhys Dipshan

As cyber espionage and ransomware attacks wreak increasing damage on the world economy, it makes sense that many companies think their biggest threat comes from external actors.
But most risk still emanates from inside the organization, according to Kroll’s Global Fraud & Risk Report.
The report was based on a survey conducted among 540 senior executives across six continents and found that a significant amount of companies’ fraud, cybersecurity and security incidents were caused by current or former employees.
Risks from current & former employees
Ex-employees, for example, were key perpetrators in 37% of security incidents that happened outside the cyber realm. What’s more, 25% of security incidents were caused by middle- or senior-level employees, while 26% were by junior employees.
Junior employees were also the most likely to cause fraud incidents, followed by ex-employees.
And while most cybersecurity incidents were caused by random cyberattackers, at 34%, ex-employees still accounted for 28% of all attacks, while senior or middle management employees accounted for 19%, and junior employees 16%.
Alan Brill, senior managing director with Kroll’s cyber security and investigations practice, noted that oftentimes, organizations will concentrate too much on high-tech cybersecurity needs, such as protecting their networks, and miss the fact that their biggest “risk factor comes from those who have access to sensitive information.”
Ensure former employees don’t have access
One major shortcoming among organizations is not properly ensuring former employees do not have access to enterprise systems. “You need to be able to not just plan the steps the company is going to take [when an employee leaves], but you have to have a way of knowing that the steps are actually being done. I think in many cases, there is a disconnect from what managers believe is being done and what is happening on the ground,” Brill said.
Brill also advised organizations to ensure that “the right agreements are [in] place” to limit employees’ and contractors’ access to sensitive information, and train employees on the appropriate data handling procedures.
Most companies surveyed took measures to mitigate the risk of insider threats. Over 80% restricted employees from installing software on company devices and had employee training programs. Over 75% had internal cybersecurity policies and procedures.
But Brill noted that it’s not enough to just have security programs and policies without constantly reviewing their usefulness. He said that many companies need to use “metrics to understand if what they’re doing is effective,” and build their security programs around tested results.
Fraud, information theft
Such proven programs are becoming increasingly necessary given the wide range of fraud and cybersecurity incidents that organizations face in the current economy. The survey found, for example, that 29% of respondent companies suffered fraud, which resulted in information theft, loss or attack, while 27% had theft of physical assets or stock, and 26% uncovered a conflict of interest.
Information theft and conflict of interest incidents were experienced by 5% more companies in 2017 than in 2016, the biggest increase among all types of fraud incidents.
Brill noted that such conflict of interest incidents are becoming more common as enterprises rely on more vendors in their supply chain and as compliance offices become “more able to detect conflicts of interest” through the use of better compliance technology.
More vulnerable to all types of threats in 2018
With regard to cyber incidents, the survey found the number of companies attacked by malicious viruses rose 3% to 36% in 2017, while those suffering email phishing attacks rose 7% to 33%, which Brill attributed to such scams becoming more sophisticated.
When compared with the 2015 survey results, respondents believed they’re more vulnerable to all types of threats in 2017 than they were two years prior, with the exception of theft of physical assets or stock. Areas where respondents believe their vulnerability had increased the most since 2015 included IP theft, management of conflicts of interest, and market collusion.

Should Agency Websites Shut Down with the Rest of Government?

Some government websites were inaccessible during this week’s government shutdown. Content on other government websites was accessible, but only content published prior to the shutdown. In one instance, the National Science Foundation (NSF) suggested that maintaining its website during a government shutdown could pose cyber security risks. In contrast, the National Endowment for the Humanities (NEH) website remained open but was not updated. The NSF may run its own physical web server(s) onsite, while NEH and other agency sites that continued without interruption are hosted on the enterprise cloud. Conclusions cannot yet be drawn that government-run web servers went dark and cloud-hosted sites remained up.

Could The Cloud Save Government Websites From Going Dark In The Next Shutdown?
Forbes | By Kalev Leetaru

Last April I wrote that rumors of the EPA’s open data website disappearing were merely the bureaucratic outcome of a potential government shutdown, but that perhaps the renewed attention to where the government’s scientific agencies host their data might yield changes that would make them more resilient to future government shutdown threats. Unfortunately, it appears that not all agencies learned from last year’s public outcry and earlier this week the US Government shutdown ended up turning off the lights on some US Government websites. How can it be in 2018, with the web such an important way of interacting with government agencies, that entire agency websites could simply vanish at the metaphorical stroke of midnight?
During this past weekend’s US Government shutdown, the EPA open data portal was spared, as was the USDA website, which simply added a brief message about the site not updating during the shutdown, in contrast to the 2013 shutdown, when they just removed their entire site. The data.gov portal largely shut down, though it made an archive of its metadata available via BitTorrent.
The National Science Foundation’s (NSF) website was a different matter. As with the EPA scare last year, I was first alerted to the disappearing site when I started receiving messages from colleagues looking for datasets, critical PDF documents, forms, references and other data from the now-vanished National Science Foundation’s website. Visitors to the NSF website were greeted with an homage to the simpler days of the web: a text-only one-page HTML homepage generated in Microsoft Word.
In contrast, the website of the National Endowment for the Humanities (NEH) remained completely open with the only modification being the addition of a small link to the agency’s shutdown plan. Unlike NSF, NEH’s shutdown directive provides that “public NEH websites such as http://www.neh.gov and edsitement.neh.gov will remain up, but will not be updated.” This is what one might expect from a government agency in 2018: websites simply freeze in time until the government resumes, but whatever was there prior to the shutdown remains accessible.
Similarly, websites for NIH, NASA, USGS, DOE and countless other agencies remained active.
When reached for comment, an NSF spokesperson responded that the agency had shut down its website in 2013 as well and that “The OMB memorandum [OMB-M-18-05] provides further guidance on continuity or suspension of IT operations for an agency, stating that continued access to agency websites does not warrant the retention of personnel or obligation of funds. Consistent with OMB guidance, NSF evaluated the potential operational impact and cyber security risks of maintaining agency websites, and decided it would be most prudent to suspend website operations.”
It is remarkable that NSF cited cyber security risk as a reason for shuttering its website during the shutdown. Given that many other agencies left their websites operating, does this mean they simply tolerated a higher risk of their sites being compromised? Or have they adopted a better cyber security posture that makes their sites more able to weather a shutdown without being hacked?
This also raises the question of what happens to US Government computing systems during a shutdown if they come under cyber-attack and whether website defacement and computer breaches would be detected and/or remediable during a shutdown. If NSF felt it would be unable to adequately detect or respond to a cybersecurity breach of its web site during a shutdown, does this mean that the US Government needs to develop a special cybersecurity policy to assist agencies during shutdowns?
Despite apparently feeling that the cybersecurity risks of leaving its website online during the shutdown were severe enough to warrant its deactivation, the agency did not suspend its social media accounts. When asked why it felt those accounts were not at risk from being taken over during the shutdown, the agency did not respond other than to confirm that it left its social accounts online, but did not update them.
The agency also did not respond beyond its statement above as to why it believed that it could not safely leave its website online, even while many of its peer agencies did so. When asked how “NSF determined that ‘cybersecurity risks’ warranted the deactivation of its website, while its peer agencies continued to operate their sites as normal” and whether “NSF has comment on whether its web infrastructure is notably different from its peers and thus at greater cybersecurity risk?” the agency responded “The OMB guidance stated that agencies should both evaluate potential operational impacts and cybersecurity risks of maintaining agency websites. Like in 2013, we decided it was most prudent to suspend website operations.”
Given that NEH felt so confident in the ability of its website to function unattended during the shutdown that it actually codified in its written shutdown policy that the site would continue to be available, it raises questions of why NSF believes its own website could not safely remain available. After all, if NSF believes its site is so vulnerable that it would be at risk during a shutdown, what does that say about its security posture and safety that it believes it cannot withstand even a few days on its own? NSF did appear to concede that it might learn from its peer agencies, saying “NSF is reviewing its plans and identifying ways where we can make changes while still complying with the law.”
While the agency itself would not comment on why it was unable to leave its website functioning, one clue might be a 2016 bulletin that suggests the agency may run its own physical web server(s) on premises, rather than outsourcing its website hosting to the enterprise cloud. In contrast, websites for NEH, NIH, and NASA all continued without interruption and all resolve to IP ranges in Amazon’s AWS cloud, meaning they could rely on Amazon’s enterprise-grade infrastructure and security to continue functioning even in the absence of Government IT staff to monitor them. DOE’s website, which resolves to an IP hosted by BlackMesh hosting services, similarly remained up. At the same time, however, data.gov, which was shut down, resolves to an AWS and CloudFront IP address, while the USGS website appears to resolve to a US Government IP range and remained up.
Thus, it is not as clear-cut as saying that government-run web servers went dark and cloud-hosted sites remained up. If the Department of Interior and NSF both indeed operate their own web servers, why is it that the Interior was able to configure those servers to safely and securely continue to function during the shutdown, while NSF felt it was unable to continue making its websites available without placing them at an unacceptable operational and cybersecurity risk? Why did data.gov shut down even though it is hosted in the commercial cloud, while other sites also hosted in the same cloud remained available? GSA did not respond to a request for comment as to why data.gov was disabled during the shutdown.
Clearly, agency decision making played a key role as to which agencies decided to leave their sites running and which made the decision to wipe their agency from the digital world with a single keystroke in an erasure that would make Orwell’s 1984 government proud.
Putting this all together, it is remarkable that in 2018 a government shutdown could result in entire agency websites and the open data portal of the United States going dark. Even more remarkable is that at least one agency responded that its website shutdown was due at least in part to cybersecurity concerns of running its site unattended, suggesting the US Government may need a unified cybersecurity policy to protect agencies during shutdowns. It is noteworthy that it appears that even those agencies that shuttered their websites appeared to leave their social media accounts online, instead of similarly suspending them out of fears that attackers could leverage social engineering or other approaches to take them over while they were unattended during the shutdown.
That the Government’s outsourced communications platforms on Twitter, Facebook and elsewhere largely remained online even as some websites were turned off, raises the question of whether the US Government should simply outsource the rest of its public digital presence to the firms that power the modern digital age? It appears that many federal agencies have already outsourced their web hosting and that those cloud-hosted sites from the White House (Akamai) to the Department of Energy (BlackMesh) to NEH, NIH and NASA (Amazon AWS) largely remained up during the shutdown, though with the notable exception of data.gov.
In the end, many US Government agencies that shut down in 2013 seem to have learned their lessons and remained available this time, while others chose to wipe their agencies from the digital world in lieu of 1990’s-style one-page homepages written in Microsoft Word. The trend towards outsourcing Government hosting seems to have helped, with even those agencies shuttering their websites electing to keep their cloud-hosted social media accounts running. Perhaps as the last technology holdouts finally join the modern era and as Government moves the rest of its hosting infrastructure to the cloud, the US Government will no longer go digitally dark during the next shutdown.

DHS: More Fed Cyber Services Could Be Outsourced

Barry West, the Department of Homeland Security’s senior accountable official for risk management, believes that federal agencies may pursue outsourced cyber security services from contractors more frequently, due to the ongoing global shortage of and competition for cyber talent.

Government Could Shift to Security-as-a-Service, DHS’s West Says
Fedscoop | By Carten Cordell

With cyber talent in high demand, Barry West said Thursday that the government may soon lean more heavily on the private sector for cyber security help.

West, the Department of Homeland Security’s senior accountable official for risk management, said that an ongoing global shortage of cyber talent could soon push agencies to more frequently pursue outsourced cyber security services from contractors rather than try to compete with the private sector.

“When I look at a visionary view of cyber, I think this is really where we are headed,” he said at ATARC’s Federal CISO Summit. “This would have been far-fetched probably five years ago, saying you were going to have a private sector company perform your security.”

West pointed to research from Gartner that predicted that there would be a global cyber shortfall of 1.8 million by 2022 — with the federal government struggling to compete with the private sector for talent, it may be more beneficial for agencies to contract for it, he said.

“This isn’t to say that there’s not going to be government oversight; there’s still not going to be a [chief information security officer] in charge,” he said, “but I really think we are headed for a model where we are going to see security-as-a-service and you are going to see [security operations center, or SOCs] as a service.”

West added that DHS is already in talks to consolidate 12 to 13 “disparate SOCs” — which help monitor cyber security posture from across the agency’s networks — saying that it is a key priority for Secretary of Homeland Security Kirstjen Nielsen.

“She really wants to see that happen,” he said. “It really shows when you have a major incident — when we had the WannaCry incident last year, it became real clear some of the disorganization we had around reporting.”

Consolidation would precede SOC-as-a-service, West said, with DHS beginning to merge SOC operations in the National Capital Region.

“I think it’s the way we’re headed. I think you will hear more of the SOC consolidation at DHS next year. That’s going to be a big focus for us,” he said.

After that, West said, DHS would likely craft some prototypes to test the SOC-as-a-service model over the next three to four years.

“I think we have to start thinking about it now and planning, but I think it’s the way of the future,” he said.

Symantec, McAfee Let Russia Search Through Their Software

A Reuters investigation found that global technology providers Symantec and McAfee allowed Russian authorities to search for vulnerabilities in the source code of some of their products that are also used by the U.S. government. U.S. lawmakers and security experts believe the practice could potentially jeopardize the security of networks in at least a dozen federal agencies.

Tech Firms Let Russia Probe Software Widely Used by U.S. Government
Reuters | By Dustin Volz, Joel Schectman, Jack Stubbs

WASHINGTON/MOSCOW (Reuters) – Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O) and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

But those same products protect some of the most sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.

Reuters revealed in October that Hewlett Packard Enterprise (HPE.N) software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.

Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.

McAfee, SAP, Symantec and Micro Focus (MCRO.L), the British firm that now owns ArcSight, all said that any source code reviews were conducted under the software maker’s supervision in secure facilities where the code could not be removed or altered. The process does not compromise product security, they said. Amid growing concerns over the process, Symantec and McAfee no longer allow such reviews and Micro Focus moved to sharply restrict them late last year.

The Pentagon said in a previously unreported letter to Democratic Senator Jeanne Shaheen that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”

Reuters has not found any instances where a source code review played a role in a cyber attack, and some security experts say hackers are more likely to find other ways to infiltrate network systems.

But the Pentagon is not alone in expressing concern. Private sector cyber experts, former U.S. security officials and some U.S. tech companies told Reuters that allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses.

“Even letting people look at source code for a minute is incredibly dangerous,” said Steve Quane, executive vice president for network defense at Trend Micro, which sells TippingPoint security software to the U.S. military.

Worried about those risks to the U.S. government, Trend Micro has refused to allow the Russians to conduct a source code review of TippingPoint, Quane said.

Quane said top security researchers can quickly spot exploitable vulnerabilities just by examining source code.

“We know there are people who can do that, because we have people like that who work for us,” he said.

In contrast to Russia, the U.S. government seldom requests source code reviews when buying commercially available software products, U.S. trade attorneys and security experts say.

OPENING THE DOOR

Many of the Russian reviews have occurred since 2014, when U.S.-Russia relations plunged to new lows following Moscow’s annexation of Crimea. Western nations have accused Russia of sharply escalating its use of cyber attacks during that time, an allegation Moscow denies.

Some U.S. lawmakers worry source code reviews could be yet another entry point for Moscow to wage cyberattacks.

“I fear that access to our security infrastructure – whether it be overt or covert – by adversaries may have already opened the door to harmful security vulnerabilities,” Shaheen told Reuters.

In its Dec. 7 letter to Shaheen, the Pentagon said it was “exploring the feasibility” of requiring vendors to disclose when they have allowed foreign governments to access source code. Shaheen had questioned the Pentagon about the practice following the Reuters report on ArcSight, which also prompted Micro Focus to say it would restrict government source code reviews in the future. HPE said none of its current products have undergone Russian source code review.

Lamar Smith, the Republican chairman of the House Science, Space and Technology Committee, said legislation to better secure the federal cyber security supply chain was clearly needed.

Most U.S. government agencies declined to comment when asked whether they were aware technology installed within their networks had been inspected by Russian military contractors. Others said security was of paramount concern but that they could not comment on the use of specific software.

A Pentagon spokeswoman said it continually monitors the commercial technology it uses for security weaknesses.

NO PENCILS ALLOWED

Tech companies wanting to access Russia’s large market are often required to seek certification for their products from Russian agencies, including the FSB security service and Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.

FSTEC declined to comment and the FSB did not respond to requests for comment. The Kremlin referred all questions to the FSB and FSTEC.

FSTEC often requires companies to permit a Russian government contractor to test the software’s source code.

SAP HANA, a database system, underwent a source code review in order to obtain certification in 2016, according to Russian regulatory records. The software stores and analyzes information for the State Department, Internal Revenue Service, NASA and the Army.

An SAP spokeswoman said any source code reviews were conducted in a secure, company-supervised facility where recording devices or even pencils “are strictly forbidden.”

“All governments and governmental organizations are treated the same with no exceptions,” the spokeswoman said.

While some companies have since stopped allowing Russia to review source code in their products, the same products often remain embedded in the U.S. government, which can take decades to upgrade technology.

Security concerns caused Symantec to halt all government source code reviews in 2016, the company’s chief executive told Reuters in October. But Symantec Endpoint Protection antivirus software, which was reviewed by Russia in 2012, remains in use by the Pentagon, the FBI, and the Social Security Administration, among other agencies, according to federal contracting records reviewed by Reuters.

In a statement, a Symantec spokeswoman said the newest version of Endpoint Protection, released in late 2016, never underwent a source code review and that the earlier version has received numerous updates since being tested by Russia. The California-based company said it had no reason to believe earlier reviews had compromised product security. Symantec continued to sell the older version through 2017 and will provide updates through 2019.

McAfee also announced last year that it would no longer allow government-mandated source code reviews.

The cyber firm’s Security Information and Event Management (SIEM) software was reviewed in 2015 by a Moscow-based government contractor, Echelon, on behalf of FSTEC, according to Russian regulatory documents. McAfee confirmed this.

The Treasury Department and Defense Security Service, a Pentagon agency tasked with guarding the military’s classified information, continue to rely on the product to protect their networks, contracting records show.

McAfee declined to comment, citing customer confidentiality agreements, but it has previously said the Russian reviews are conducted at company-owned premises in the United States.

‘YOU CAN’T TRUST ANYONE’

On its website, Echelon describes itself as an official laboratory of the FSB, FSTEC, and Russia’s defense ministry. Alexey Markov, the president of Echelon, which also inspected the source code for ArcSight, said U.S. companies often initially expressed concerns about the certification process.

“Did they have any? Absolutely!!” Markov wrote in an email.

“The less the person making the decision understands about programming, the more paranoia they have. However, in the process of clarifying the details of performing the certification procedure, the dangers and risks are smoothed out.”

Markov said his team always informs tech companies before handing over any discovered vulnerabilities to Russian authorities, allowing the firms to fix the detected flaw. The source code reviews of products “significantly improves their safety,” he said.

Chris Inglis, the former deputy director of the National Security Agency, the United States’ premier electronic spy agency, disagrees.

“When you’re sitting at the table with card sharks, you can’t trust anyone,” he said. “I wouldn’t show anybody the code.”

Third Largest County in U.S. Almost Lost $888K in Phishing Attack

Back in September 2017, a cybercriminal exploited Hurricane Harvey repair and rebuild efforts in the Houston area to dupe Harris County, the third largest county in the U.S., into releasing $888,000. While the county managed to recoup the payment, they plan on hiring a cyber security firm to review their internal policies and security controls, as increasingly sophisticated attacks from all over continue to target local governments.

Phishing Attackers Almost Steal $888K from Harris County, Texas, Prompting Cyber security Review
Government Technology | By Mihir Zaveri

On Sept. 21, not three weeks after Houston was ravaged by Hurricane Harvey, the Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc.

The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.

“If we can get the form and voided check back to you today would it be updated in time for our payment?” read a Sept. 25 email from Chambers.

On Oct. 12, Harris County sent the money out. The next day, the county quietly was scrambling to get it back, after being alerted that the account did not belong to D&W, that Chambers did not exist and that county employees had been duped by a fraudster.

The county recouped the payment, but the ongoing investigation into who tried to take the county’s money and nearly got away with it has ignited a debate over the financial security and cyber security of the third-largest county in America. That debate comes as experts point to a growing number of increasingly sophisticated attackers from around the world, homing in on untrained employees or system vulnerabilities.

The incident now has become wrapped into an FBI investigation into a group that has attempted to extort local governments around the world, law enforcement officials said.

Meanwhile, some officials are moving to revamp their practices as others say further scrutiny of county defenses is necessary.

“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you,” Harris County Judge Ed Emmett said. “I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money.”

The investigation into the incident comes as the cyber security of local governments has received increased scrutiny after reports in 2016 of Russian-sponsored attempts to hack campaign finance databases and software used by poll workers.

Harris County information technology officials last year acknowledged a “spike” in attempts to hack servers from outside of America’s borders, but, citing concerns over emboldening the hackers, they declined to say how big of a surge in hacking attempts the county was experiencing, whether it was election-related or which systems had been targeted.

Alan Shark, executive director and CEO of the Washington, D.C.-based Public Technology Institute, which partners with the National Association of Counties, said the attempt to steal money from Harris County was not typical, but local governments increasingly are becoming targets for hackers or other cyber criminals.

Shark said statistics to illustrate the trends specific to governments are hard to find, though he said they “mirror” those of the private sector. One firm estimates that by 2021, cybercrime will cost the world $6 trillion each year, up from $3 trillion in 2015.

“This is not somebody sitting in a college dorm somewhere, dreaming this up,” Shark said. “In most cases these are very sophisticated, more often happening from another nation or another country.”

Shark said local governments are particularly vulnerable after disasters.

Harris County Precinct 1 Constable Alan Rosen said his office has “worked the case as far as you can go,” and said that no county employee had been implicated.

“We’re working with the FBI because there have been multiple attempts by this group throughout the United States and abroad to phish in county governments, city governments, things like that,” Rosen said. “We’re working very closely with them.”

He declined to provide more information about the group being investigated, referring questions to the FBI office in Los Angeles.

An FBI spokeswoman said Wednesday she could not confirm or deny the investigation.

Rosen said he had never investigated such an incident before.

“But that doesn’t mean it hasn’t happened,” he said. “I just have not heard of it.”

The county makes nearly 10,000 payments to vendors each month totaling about $141 million, about a third of those in the form of electronic transfers like that set up in September to send out the $888,000.

Harris County Auditor Michael Post said he had never seen an attempt like the one from the fraudulent D&W contractor.

“I’m calling it a near miss,” Post said. “It was (nearly) $900,000. Oh my God, that happened. We did not want this to ever happen.”

He said while he cannot say for sure that it has not happened in the past, it likely would have been caught when whoever was supposed to receive the money did not.

Post said in the days after the incident, he created a five-person team that would begin reviewing every outgoing payment and double-checking that recipients are, in fact, who they say they are by calling and asking for verifying information. That team includes one individual certified by the Association of Certified Fraud Examiners.

Earlier this month, the auditor’s office staff went through training on how to review for fraudulent requests for payment.

Some say the changes so far do not go far enough.

Orlando Sanchez, the Harris County treasurer, who writes the actual checks for the county, said he would like to see a more comprehensive analysis of the county’s vulnerabilities. He said he has to write checks that are directed by the county auditor’s office, and he would like to see an outside agency or another county department audit the county’s payments.

On Jan. 9, Sanchez sought to hire an outside forensic financial investigation firm, Briggs and Veselka, to “review the county’s payment processes and controls,” but a vote on the proposal was postponed by Harris County Commissioners Court after the county attorney’s office said it objected to some technical terms of the proposed contract.

Commissioners Court is expected to consider at its Jan. 30 meeting a proposal to hire a firm to look over the county’s internal policies and cyber security controls when it comes to the payment process.

“We are a big operation,” Emmett said. “Harris County has got more people than 26 states. We’re well into the billions of dollars on an annual budget. I think the more eyes the better.”

Strava Reviewing Features After Heat Map Exposes Military Locations

The App That Exposed the Location of Military Bases With a Heat Map is Reviewing Its Features
CNBC | By Ryan Browne

Strava, the fitness app that exposed the locations and activities of soldiers at U.S. military bases, is reviewing its features to prevent them from being compromised for malicious purposes.

The app, which calls itself a “social network for athletes,” lets users connect a GPS device to the service so that they can upload their workout logs online. This, in turn, revealed the movements of service personnel using the app and additional information about how frequently they were moving.

Strava Chief Executive James Quarles said that the company was “committed to working with military and government officials to address potentially sensitive data.” He added that Strava’s engineering and user experience teams were “simplifying” its privacy and safety features to inform users about how they can control their data.

“Many team members at Strava and in our community, including me, have family members in the armed forces,” Quarles said in an open letter Monday.

“Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.”

Quarles also emphasized that users could find existing details on how to manage their privacy on Strava’s website.

A U.S. military spokesperson told the Washington Post on Monday that it was revising its guidelines on the use of wireless devices on military facilities.

Vickvapor

I can’t believe how long it took for me to find a menthol in my local pharmacy.

Vickvapor is excellent for the flu season. Its strong smell helps you breathe better and definitely helps with congestion. So next time you feel a little congested or unable to breathe, try menthol or Vickvapor. Hopefully it will take you less time to find it!