Federal Times Blogs

How hackers infiltrated federal agency

In addition to the standard two forms of identification, offer letter and contact information, new hires at the U.S. Department of Education are required to bring along a certificate of completion for a cybersecurity training course.

A recent internal investigation shows why that training is probably a pretty good idea.

According to a previously undisclosed probe into a 2011 “spear phishing” campaign, hackers targeted senior staff and managed to break through the department’s security protections to steal data.

Much about the incident, which was described in documents released through a Freedom of Information Act request by Federal Times, remains classified, including how much data and what sort of information hackers took.

One of the hackers used an email address, arne.duncan[at]ymail.com, to infiltrate the department’s security protections.

You can read for yourself the summary of the investigation by the technology crimes division of the department’s Inspector General, which passed along its findings to the FBI. That memo can be found here.

Federal Times recently reported on the incident, but the Education Department declined to comment. Still, there’s a lesson in all of this. Even if the name on an email address seems familiar, government employees ought to make sure the sender’s address is legitimate.

And call the IT department if you’re unsure.

Anonymous says it hacked Booz Allen Hamilton network

Hackers operating under the name Anonymous said Monday that they infiltrated a server on Booz Allen Hamilton’s network, swiping some 90,000 military email addresses.

“We infiltrated a server on their network that basically had no security measures in place,” the group posted on the website PirateBay. “We were able to run our own application, which turned out to be a shell.”

Titled “Military Meltdown Monday,” the post said the group gained access to about 90,000 military emails and password hashes and alluded to having other sensitive information.

On its Twitter account, Booz Allen Hamilton said as part of the company’s security policy, “we generally do not comment on specific threats or actions taken against our systems.”



Cybersecurity legislation could hit snag

Providing limited liability protection to private companies could be a sticking point for lawmakers working to pass cybersecurity legislation.

Rep. John Tierney, D-Mass., ranking member of the national security, homeland defense and foreign operations subcommittee, questioned whether companies that adhere to federal cybersecurity policies should not be held liable for the impact of a breach.

Tierney also raised concerns that government agencies like the Department of Homeland Security are conducting risk assessments for companies that should be responsible for doing them.

“I don’t know why we have to give you incentives,” said Tierney, in response to TechAmerica President Phil Bond’s remarks about providing incentives for businesses that adhere to government standards. “I don’t understand the shifting of responsibility and obligation.”

In contrast, Sen. Susan Collins, R-Maine, suggested the White House add such protections in its cybersecurity legislation proposal. At a Senate committee hearing Tuesday, Collins referenced legislation she co-authored that would provide companies limited protection for taking preventative measures.

Sen. Joe Lieberman, I-Conn., said the issue of liability protection could be a “real obstacle” to passage of cybersecurity legislation.

Some FBI cyber agents lack adequate skills, report finds

A review of the FBI’s efforts to mitigate national security cyber incidents found that some field agents tasked with investigating these cases lack the technical skills and expertise to effectively do their jobs.

The redacted version of the report, released Wednesday by the Justice Department’s Office of the Inspector General, examined the ability of the FBI-led National Cyber Investigative Joint Task Force to defend against attacks on U.S. computer networks and efforts by the FBI field offices to investigate these attacks.

Of the 36 agents interviewed in 10 of the FBI’s field offices, 13 said they do not have the technical skills required by the agency’s Cyber Division to investigate national security cases. In addition, 5 of the 36 agents said they didn’t think they were “able or qualified to investigate national security intrusions effectively,” the report said.

Only 18 of the 36 agents had prior experience in computer networking, and some had never heard of the National Cyber Investigative Joint Task Force, which serves as the headquarters for the FBI’s cyber intrusions operations.

In nearly half of the 10 offices reviewed, agents said they were assigned to cases that “exceeded their technical abilities.”

A policy that requires field agents to rotate every three years to gain experience often puts inexperienced workers on cases left behind by skilled agents.

FBI agreed with the IG recommendations to address these issues. The agency has written draft information sharing protocols and will review the rotation policy, among other things.

Cybersecurity bill prohibits Internet “kill switch”

Sens. Susan Collins, R-Maine, Joe Lieberman, ID-Conn., and Tom Carper, D-Del., introduced a cybersecurity bill Thursday that would prevent the president or any federal employee from shutting down the Internet.

The 2011 Cybersecurity and Internet Freedom Act would amend the 2002 Federal Information Security Act and set limits on what the government can do to protect information infrastructure.

“Our bill contains additional protections to explicitly prevent the president from shutting down the Internet,” Collins said in a released statement. “While experts question whether anyone can technically ‘shut down’ the Internet in the United States, our bill has specific language making it crystal clear that such actions are expressly prohibited.”

Among the other key provisions, it would create a national center to “prevent and respond to cyber attacks,” require critical infrastructure owners to shore up cyber vulnerabilities, and establish a strategy to secure the federal IT supply chain, Lieberman said.

View the updated legislation.

Looking for a few honest cyber professionals

John Berry

If you plan on landing a cybersecurity job with the federal government, above all, you’d better be honest, a good learner and resilient.

Oh yeah, make sure you can read and write. 

That’s according to most government cybersecurity workers and managers who participated in the Office of Personnel Management’s cybersecurity survey last fall.

OPM reached out to 50,000 feds for their thoughts about the most critical tasks and competencies required to be an effective cyber worker. Their responses were used to create a so-called cybersecurity competency model for information technology management, electronics engineering, computer engineering and telecommunications job series.

Participants ranked technical and general competencies in order of importance from one to 34.

Here are the top 10:

[Table of the top 10 competencies, with columns “Current Importance” and “Future Importance.” Surviving entries: Computer Skills; Technical Competence; Attention to Detail; Interpersonal Skills; Communications Security Management; Customer Service.]

Security and computer network defense didn’t stand a chance against learning and resilience, which took the #15 and #18 spots. 

In a Feb. 16 memo, OPM director Jerry Berry encouraged chief human capital officers to use the list of competencies in “workforce planning, training and development, performance management, recruitment and selection.”

And in case agencies forgot…

“When used for selection, the competencies must be used in conjunction with the appropriate qualification standard,” Berry said.

Apparently, the cybersecurity survey is only a fraction of what’s to come. OPM is heading the federal workforce track of a larger initiative to support the president’s cybersecurity, education and innovation goals.

TechAmerica calls on lame-duck Congress to tackle R&D tax credit, cybersecurity

An extension of the federal research and development tax credits and passage of a comprehensive cybersecurity bill top the list of priorities that trade group TechAmerica is calling on Congress to take up during the lame-duck session.

TechAmerica president Phil Bond said he is hopeful the tax credit will see some action given that the White House has been supportive of a strengthened and permanent measure. Bond said the credit “needs to go, and it needs to stand on its own.” “It’s overdue and, again, it’s jobs for today and competitive edge for tomorrow.”

Officially known as the research and experimentation tax credit, the credit rewards companies that invest in the development or improvement of products in the United States. Since its creation in 1981, the credit has expired and been extended several times until the current Congress allowed it to expire in December 2009.

TechAmerica estimates this has put more than 100,000 jobs at risk, up from 83,000 jobs in September. The bulk of research and development investments, or 75 percent, is spent on employment.

Bond called the lame-duck session a window to pass consensus items that have been vetted such as a national data breach policy, a cybersecurity bill and legislation to reform the 2002 Federal Information Security Management Act.

A security and data breach bill introduced by Rep. Bobby Rush, D-Ill., passed the House, and a bill by Sen. Mark Pryor, D-Ark., closely aligns with the House version and could “move very rapidly” in the lame-duck session, said Liesyl Franz, TechAmerica’s vice president for information security and global public policy.

“We are holding out some hope because these are priorities that have been voiced and supported by leadership on all sides,” Bond said.

Last week, the trade association joined a list of 112 members of the Government Withholding Relief Coalition in a letter urging Congress to delay the 3 percent tax withholding for government contractors until the “ramifications can be better understood,” said TechAmerica spokesperson Charlie Greenwald.  

The law, which will take effect in January 2012, requires federal, state, and local governments to withhold 3 percent of nearly all contract, Medicare and farm payments, the letter said. Greenwald called the tax an “onerous” and “unnecessary burden” on companies and agencies.

193 policies for securing DoD’s networks

Good luck trying to decipher the Defense Department’s color-coded chart of policies it uses to “build, operate and secure” its networks.

The two-foot-long IA policy chart outlines 193 documents (including directives, strategies, policies, memos, regulations, white papers and instructions) that many information assurance professionals “may not be aware of,” Noah Shachtman points out on his Danger Room blog.

Designed by the Deputy Assistant Secretary of Defense for Cyber Identity & Information Assurance, the chart is supposed to help these workers familiarize themselves with the policies that govern how they do their job. I guess the legend may be a good place to start, but even that could change as the chart is updated.

Here’s what the Information Assurance Technology Analysis Center said about the chart on its website:

“Because IA Policy development is a wide-ranging and ongoing process, we ask for input from all who download this chart, advising us of any policies that may have been overlooked, but should be included. In addition, we ask for any policy updates that may not be properly reflected on the IA Policy Chart or any suggestions to improve the chart.”

Flash drive cause of 2008 military breach

The Washington Post is reporting that a flash drive containing malicious code was the source behind a major breach of U.S. military computers in 2008. The drive was “inserted into a U.S. military laptop on a post in the Middle East,” according to the article.

Revelations of the breach’s root cause further underscore the challenges facing the federal government to identify vulnerabilities and defend against cyberattacks.

On November 3-5, experts from government, industry and academia are set to discuss these issues, and more, during the 2010 Cyber Security Readiness Summit.

Attendees will learn best practices for:

  • Cultivating a complete approach to government cyber security readiness: people, culture, language, governance, policy
  • Using the most economical, efficient and reliable means for developing an information security infrastructure and protecting critical networks and systems
  • Developing cyber talent including best practices for identifying, attracting and retaining the cyber workforce
  • Enhancing information sharing and developing the foundation for cooperation
  • Ensuring proper training of all personnel to improve compliance
  • Overcoming siloed systems
  • Discovering the costs and benefits of available tools and technologies


DHS gets federal cybersecurity portfolio

The Office of Management and Budget has officially tabbed the Homeland Security Department to oversee cybersecurity in the executive branch, as OMB indicated would be the case in April.

A memo this week from OMB Director Peter Orszag and federal cybersecurity coordinator Howard Schmidt gives DHS responsibility for:

• overseeing the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance;
• overseeing and assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;
• overseeing the agencies’ compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report;
• overseeing the agencies’ cybersecurity operations and incident response and providing appropriate assistance; and
• annually reviewing the agencies’ cybersecurity programs.
