GSA Proposing Changes To Fed Contracting CyberSec Rules

Defense contractors are wrestling with new contracting rules that went into place, sort of, as of December 31, 2017: the DFARS deadline for being in compliance with NIST SP 800-171.

NIST SP 800-171 defines 110 cyber security requirements (grouped into 14 families) that defense contractors and sub-contractors must comply with.  Prime contractors must ensure that their subs are in compliance, and both primes and subs can be barred from government contracts if they fail to comply or misrepresent their compliance status.

For those familiar with the government contracting rules, this was implemented by adding a new clause to the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012).  NARA, the National Archives and Records Administration, said last year that it planned to create the equivalent for the civilian government, a clause in the Federal Acquisition Regulation (FAR), and now the process has begun.

The GSA has published a notice that they intend to create a set of contractor cyber security rules, similar to NIST SP 800-171.

Part of what GSA is doing is codifying existing rules to ensure that they are mandatory in the contracting process, but that is only part of it.  These rules call for protecting the confidentiality, integrity and availability of government information and also set reporting requirements for cyber incidents.  The reporting time frame for incidents for defense contractors is now 72 hours, far stricter than any state breach notification law.

Once this process is complete, which will happen toward the end of this year, these requirements will become mandatory for all GSA contracts.

Last year defense contractors started worrying about implementing good cyber security practices; this year it is the civilian government contractors that need to pay attention.  Smart contractors will begin enhancing their cyber security program based on the controls in NIST SP 800-171 in order to get a head start on the requirements.

Information for this post came from Fedscoop.


Google Creates New Security Center for G-Suite Enterprise Customers

Google is trying to keep up with the Joneses (AKA Microsoft) and is building some security tools for its enterprise customers.  Microsoft is well ahead in this area, and if Google wants to compete in the enterprise space it needs to offer enterprise-class tools.

First of all, this is only available to G Suite Enterprise customers.  Most Google users use the free version.  Above that is Basic at $5 per user per month, then Business at $10 and finally Enterprise at $25.  So this capability is only available to a small percentage of Google customers.

Still, those customers are the ones with the best revenue per customer and Google is losing some of them back to Microsoft.

For enterprise customers, this is a great addition.

For some customers, this may be motivation to upgrade to the next level of pricing plan.

The first piece of the security center is a dashboard that gives admins a view of their overall security posture across products like Gmail, Google Drive and others: for example, how much inbound mail was flagged as spam, malware or phishing, and how files are being shared outside the domain.

The second feature, the security health check, reviews the company's G Suite security settings and makes recommendations for improving them.

Google’s plan is to continue to enhance the dashboard so that it will have more features and functionality.

This is a smart move on Google's part.  Hopefully, they will give Business-tier users access to this.  It may be that they are testing it on Enterprise customers to tune it, or maybe they will create a stripped-down version for Business customers.  Clearly, this is a useful tool.

If you are a Google Enterprise customer, you should check this out.


Information for this post came from Techcrunch.


Senators, Staffers Next on Russia’s Cyber Hit List

According to the cyber security firm Trend Micro, the members of the U.S. Senate and their staff could be the next target of the Russian hacking group Fancy Bear, the same group linked to the DNC hack and to election meddling across the Middle East and Europe.

Trend says that digital breadcrumbs found so far in spear phishing campaigns link back to the Russian hacking group.

And, in a way, it makes perfect sense.  If Russia's objective is to meddle in elections across the globe, then the U.S. mid-term elections later this year would be a perfect target.  Spear phishing emails are pretty low tech, but they lead to compromised user IDs and passwords (and were pretty lethal during the 2016 elections).  Also consider that politicians and bureaucrats are addicted to email.  That makes them a perfect target.

Some of the emails pretend to be Microsoft Exchange messages warning of expired passwords and point the reader at a lookalike login page.  Low tech, but pretty effective, unfortunately.
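A password-expiry lure like the one described above has a recognizable shape: urgency about a password or account, a sender that claims to be IT or Microsoft, and a link that leads off the organization's domain.  The following is an added example (not from the original post and not Trend Micro's tooling) of a small mail-gateway check that scores messages on those three signals.  The organization domain, the lure phrases and the two sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organization; everything here is an assumption to adapt locally.
ORG_DOMAINS = {"senate.example"}
LURE_PATTERNS = [
    r"password\b.{0,30}\bexpir",
    r"\bexpired\b.{0,30}\bpassword",
    r"\baccount\b.{0,30}\b(suspend|lock|deactivat)",
    r"\b(verify|validate|confirm)\b.{0,30}\b(account|mailbox|credentials)",
]
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
CLAIMED_IT = re.compile(
    r"\b(microsoft|exchange|outlook|it help ?desk|it support|admin)\b", re.IGNORECASE
)


def _in_org(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def _message_text(msg):
    """Concatenate every text/plain and text/html part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def score_message(raw):
    """Return the lure signals for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "") or ""
    text = _message_text(msg)
    haystack = subject + "\n" + text

    lure = any(re.search(p, haystack, re.IGNORECASE) for p in LURE_PATTERNS)

    display_name, address = parseaddr(msg.get("From", "") or "")
    sender_external = not _in_org(address.rpartition("@")[2])
    impersonates_it = bool(CLAIMED_IT.search(display_name))

    # Hosts of every link that does not stay inside the organization.
    link_hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    external_links = sorted(h for h in link_hosts if h and not _in_org(h))

    # A credential lure is suspicious if it sends the reader off-org, or if an
    # outside sender claims to be IT / Microsoft.
    suspicious = lure and (bool(external_links) or (sender_external and impersonates_it))
    return {
        "lure": lure,
        "sender_external": sender_external,
        "impersonates_it": impersonates_it,
        "external_links": external_links,
        "suspicious": suspicious,
    }


# Constructed sample messages (not real mail).
LURE_EMAIL = """\
From: "Microsoft Exchange Admin" <noreply@senate-exchange.example>
To: staffer@senate.example
Subject: Action required: your password expires today
Content-Type: text/plain; charset="utf-8"

Your Exchange password has expired. Renew it within 24 hours at
http://senate-exchange.example/owa/renew or your mailbox will be suspended.
"""

LEGIT_EMAIL = """\
From: "IT Help Desk" <helpdesk@senate.example>
To: staffer@senate.example
Subject: Mail maintenance window this Saturday
Content-Type: text/plain; charset="utf-8"

Mail will be unavailable Saturday 02:00-04:00 ET. Details at
https://intranet.senate.example/maintenance. No action is required.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, score_message(raw))
```

The check deliberately does not try to decide on lure wording alone: a real password-expiry notice from the help desk that links to an internal page scores as clean, while the same wording with a link to senate-exchange.example (a lookalike, not a subdomain of the organization) is flagged.  In production the allow-list would also cover legitimate third-party hosts such as the identity provider.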

The researchers said that these spear phishing attacks looked a lot like the attacks in the run-up to last year's French elections.

If it ain't broke, don't fix it.  If it worked against the DNC and it worked against the French, it is well-known art, and it may well work against the Senate.

Senator Sasse (R-Neb) said that he thinks Putin is very happy that Washington is obsessed with partisan politics and is ignoring 2018 and 2020.  He is likely right.  To really fix things will require a lot of work and at least some money, something Washington doesn't seem to be concerned about.  And it is a very distributed problem.  There are 50 states, more than 3,000 counties, the feds, government organizations, social media: a lot of targets of opportunity.

Which is not terribly surprising given that, before last year's election, there were only five people across both houses of Congress with a computer science degree (I don't know how the election changed things, but it likely didn't change much).

Given all of the events coming up in the next year, including the Olympics and elections worldwide, and the apparent lack of interest in doing anything about it, we should assume that Russia will continue to be successful in its efforts to influence politics, conspiracies or not.

Information for this post came from FCW.


It’s Back – The Mirai Botnet

A little over a year ago, the Mirai botnet launched a sustained attack on the servers of the DNS provider Dyn, taking it offline and thereby knocking its customers, including Twitter, the Guardian, Netflix, Reddit, CNN and others, offline.  The Mirai botnet was simple: scan the Internet for Internet of Things (IoT) devices that still had their factory-default telnet passwords, log in with a short built-in list of those credentials, and take them over.  Then use those IoT devices to launch an attack at your target.  At its peak, Mirai controlled about 600,000 devices.  The Dyn attack was estimated at between 500 Gbps and roughly 1 Tbps of traffic, the largest attack seen at the time.

Well it’s back and it has a new plan.

Rather than taking over webcams and DVRs, this time it plans to take over light bulbs and other low-end devices, and there are far more light bulbs than cameras.  Since the attack itself is very simple, it does not require a powerful device to run it.  Just a lot of them.

And just to dispel any myths, Mirai was not a nation state attack.  It was the brainchild of a few college-age kids who wanted to knock their competitors' Minecraft servers offline.  The FBI caught them and they pleaded guilty.

In this case, the target is the ARC processor family, licensed embedded cores that ship in over a billion units a year.  Very simple processor.  Used everywhere.

Do the math.  If 600,000 devices or fewer could take down Twitter, Netflix and a host of other sites, what damage could a billion devices do?

Of course we can’t assume all of those devices could be compromised, but 1% of those devices is a million and that is almost double the size of the original Mirai at its peak.

How many people change the password for their light bulb?

This variant is called Mirai Okiru, and a number of anti-virus products detect it.  The only problem is that people don't run A-V on their light bulbs.
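Since nothing runs on the light bulb itself, the practical place to catch a Mirai-style takeover is the network: the bot announces itself by walking a fixed list of factory credentials against telnet.  The following is an added example (not from the original post) of that detection run over constructed telnet login records, such as a honeypot or an edge device with telnet logging might produce.  The log line format and the sample addresses are assumptions; the credential pairs are a subset of the list hard-coded in the leaked Mirai source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the username/password pairs hard-coded in the leaked Mirai source.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", "root"),
    ("admin", "password"), ("root", "12345"), ("user", "user"), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"), ("root", "666666"),
    ("root", "password"), ("root", "1234"), ("root", "klv123"), ("root", "7ujMko0vizxv"),
    ("root", "7ujMko0admin"), ("root", "hi3518"), ("root", "Zte521"), ("ubnt", "ubnt"),
    ("guest", "guest"), ("guest", "12345"), ("service", "service"), ("supervisor", "supervisor"),
}

# Assumed log format: "<ISO timestamp> telnet-login src=<ip> user=<u> pass=<p> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnet-login src=(?P<src>[\d.]+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, (user, password), succeeded) or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    cred = (m.group("user"), m.group("pw"))
    return ts, m.group("src"), cred, m.group("result") == "success"


def _max_distinct_in_window(events, window):
    """Largest set of distinct credentials one source tried inside any `window`."""
    best = set()
    for i, (t0, _) in enumerate(events):          # events are sorted by time
        current = {cred for t, cred in events[i:] if t - t0 <= window}
        if len(current) > len(best):
            best = current
    return best


def find_mirai_scanners(lines, window=timedelta(seconds=60), threshold=3):
    """Flag sources that cycle Mirai default credentials quickly, or log in with one.

    Returns {src: {"default_pairs": [...], "succeeded": [...]}}.
    """
    attempts = defaultdict(list)   # src -> [(ts, cred)] using Mirai defaults only
    successes = defaultdict(list)  # src -> creds that actually logged in
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, cred, ok = parsed
        if cred in MIRAI_DEFAULTS:
            attempts[src].append((ts, cred))
            if ok:
                successes[src].append(cred)

    hits = {}
    for src, events in attempts.items():
        events.sort()
        burst = _max_distinct_in_window(events, window)
        # A single successful default login is a compromise regardless of rate.
        if len(burst) >= threshold or successes[src]:
            hits[src] = {
                "default_pairs": sorted({cred for _, cred in events}),
                "succeeded": successes[src],
            }
    return hits


# Constructed sample log: one Mirai-style scanner, one human, one slow outlier.
SAMPLE_LOG = """\
2018-01-14T03:12:01Z telnet-login src=203.0.113.7 user=root pass=xc3511 result=fail
2018-01-14T03:12:02Z telnet-login src=203.0.113.7 user=root pass=vizxv result=fail
2018-01-14T03:12:02Z telnet-login src=203.0.113.7 user=admin pass=admin result=fail
2018-01-14T03:12:03Z telnet-login src=203.0.113.7 user=root pass=888888 result=success
2018-01-14T03:15:40Z telnet-login src=198.51.100.23 user=jsmith pass=******** result=fail
2018-01-14T03:16:10Z telnet-login src=198.51.100.23 user=jsmith pass=******** result=success
2018-01-14T04:01:00Z telnet-login src=192.0.2.9 user=root pass=admin result=fail
2018-01-14T05:30:00Z telnet-login src=192.0.2.9 user=root pass=root result=fail
""".splitlines()

if __name__ == "__main__":
    for src, info in find_mirai_scanners(SAMPLE_LOG).items():
        print(src, info)
```

Two design points worth noting.  The rate check uses distinct credential pairs rather than raw attempt counts, so a user fat-fingering the same password is not flagged, while a bot walking its list is.  And a successful login with any Mirai default is reported on its own, because at that point rate no longer matters: the device is owned.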

Many people have been saying for a long time that the security of the IoT is a joke, about as useful as a screen door on a submarine.  IF this botnet takes hold, we may see how useful that screen door is.  IF it takes hold.  Maybe we caught this in time, but I am not holding my breath.

Information for this post came from The Inquirer.


Not A Great Month for Intel

As if it wasn’t already a bad enough month for Intel, it just got a bit worse.

This is not related to Spectre or Meltdown;  this is an entirely new problem.

Many Intel business-class PCs include a remote management feature called Active Management Technology (AMT), which runs on the Management Engine, a separate processor inside the chipset that works independently of the operating system.  AMT allows corporate administrators to remotely take over those computers to manage them, even when the OS is off or unbootable.

If the person "taking over" the computer is a good guy, then people don't consider it a problem; if it is an attacker "taking over" the computer, then it is a serious problem.

There are around 100 million computers that have been built in the last decade that have Intel’s Active Management Technology installed.

Last May Intel patched some bugs in AMT (INTEL-SA-00075); then last November it rushed out more patches (INTEL-SA-00086) fixing Management Engine vulnerabilities that had been around since 2015.  Now there is a new issue.

Except in this case, Intel is saying it is a feature.

This feature-bug was discovered last July by F-Secure and kept quiet until now.

The good news is that it does require physical access to the computer, but only for a minute or two.

All the attacker has to do is reboot the computer and press Ctrl+P during boot to enter the Intel Management Engine BIOS Extension (MEBx), a configuration menu separate from the normal BIOS setup.

The attacker gets the MEBx login prompt, logs in with the default password, and can then set their own.

Once they have done that, the attacker never has to get past the BIOS password, the BitLocker PIN or the TPM PIN, because AMT sits below all of them.

One more time, Intel and PC manufacturers configured MEBx with a single, stupid default password: admin (lower case).  Who would ever guess that?

This is one more example of SECURITY or CONVENIENCE, pick one.  Setting the password to admin is easier than making it unique to each machine or forcing people to change it the first time they power on the computer.

From MEBx the attacker can enable AMT, set the user opt-in setting to none so the victim never sees a consent prompt, and then take over the computer from any network that can reach it, typically the same LAN or wherever the laptop is later connected.

Of course, if the vendor or company changed the default password then this trick won’t work.

AND,  it would not have been a problem if Intel didn’t choose a stupid default password.

Intel tried to shift the blame on this one.  They said that they told OEMs in 2015 and again in 2017 to change the default password and improve security.

So if they thought this was a problem, why didn't INTEL change that default password?  Nice try blaming others, but it won't work.

Also, this particular attack only works one computer at a time, so it would be used for targeted attacks.  Given that Intel has been telling OEMs about this since 2015, you have to assume that the bad guys understand how to exploit it.

There is some good news, however: you can change the MEBx password yourself (or disable AMT entirely if you don't use it) and stop this attack cold.  Corporate IT should also check whether any machines are already provisioned for AMT that they never provisioned.
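The last point, finding machines that are already provisioned for AMT, can be checked from the network: a provisioned AMT system answers on TCP 16992 (HTTP) and 16993 (HTTPS) with a Server header identifying Intel Active Management Technology, whatever the host OS is doing.  The following is an added example (not from the original post, not Intel's or F-Secure's tooling) of a small probe for that banner.  Because a real AMT system is not available offline, the block also includes a constructed stand-in server that sends the same header; only the banner string it emits is modeled on real AMT, everything else about it is made up for the demo.

```python
import http.client
import http.server
import ssl
import threading

AMT_SIGNATURE = "Active Management Technology"
# AMT's built-in web server: 16992 is plain HTTP, 16993 is TLS.
AMT_PORTS = ((16992, False), (16993, True))


def fetch_server_header(host, port, use_tls=False, timeout=3.0):
    """GET / on host:port and return the Server header, or None if nothing answers."""
    try:
        if use_tls:
            # AMT's certificate is usually self-signed; we only want the banner.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        header = resp.getheader("Server") or ""
        conn.close()
        return header
    except (OSError, http.client.HTTPException):
        return None


def is_amt_banner(header):
    return bool(header) and AMT_SIGNATURE in header


def scan_hosts(hosts, ports=AMT_PORTS):
    """Return {host: [(port, banner), ...]} for hosts answering with an AMT banner."""
    hits = {}
    for host in hosts:
        for port, use_tls in ports:
            banner = fetch_server_header(host, port, use_tls)
            if is_amt_banner(banner):
                hits.setdefault(host, []).append((port, banner))
    return hits


class _FakeAmtHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in that mimics only the Server header real AMT firmware sends."""

    def version_string(self):
        return "Intel(R) Active Management Technology 11.8.50"

    def do_GET(self):
        body = b"<html><body>Intel(R) Active Management Technology</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_fake_amt(port=0):
    """Start the stand-in on 127.0.0.1 (port 0 = pick a free one); returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", port), _FakeAmtHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Demo against the stand-in; on a real network call scan_hosts(["10.0.0.5", ...]).
    server, port = start_fake_amt()
    print(scan_hosts(["127.0.0.1"], ports=((port, False),)))
    server.shutdown()
    server.server_close()
```

A hit means the machine is provisioned and reachable; it does not by itself say whether the MEBx password is still the default, which you verify at the console.  Any hit on a machine your IT group never provisioned is the finding to chase.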

Information for this post came from Ars Technica.


Faxes are Secure, Right?

It is hard to believe that, in this day and age, people are still using faxes, but they are surprisingly popular, still, in businesses.

And extremely error prone.  A fax machine confirms that some fax machine answered the number you dialed, not that it was the right one.

You type in a number, stick the pages in and they are transmitted to the other end.  Wherever or whoever that might be.

Sometimes, if the other end is not where you were expecting, it is not a problem.  Maybe they throw the faxes in the trash.  Maybe they shred them.  Maybe, if you are lucky, they call the sender and say that the faxes did not reach the intended recipient.

But what if you are a health authority and the information is confidential patient information?  And the actual recipient is a computer shop, not anywhere the patient is being treated?

This was reported in Canada this week.  The Saskatchewan Health Authority sent confidential patient information to a local computer shop.  The store owner said that his fax machine received a 21-page fax from a local hospital destined for a local doctor.

The hospital has a solution to the problem – the computer shop should change its fax number (and somehow notify its customers of this).  Wonderful solution.  The shop owner was actually pretty accommodating about that.  Pay for the costs of the change and he would do that.

The computer shop says that it has received numerous faxes from the Health Authority over the last year.

We hear about this often.  Lawyers, and even the courts, accidentally fax information to opposing counsel or to unrelated third parties.  In situations like that, a simple mistake can result in a waiver of attorney-client privilege.  That can get very messy.

In the cases where the party sending the fax is typing in the number directly, mistyping a digit will send the fax to the wrong place.

In some cases, the fax number is stored in the fax machine’s address book, but was entered incorrectly.

In a few cases, we have even heard of situations where the recipient phone number has been forwarded to another number, accidentally.

Given all these opportunities for error, why do companies continue to use fax machines, especially for sensitive information?

The simplest answer is that fax machines are universal.  Doctors and others have been using them for 50 years and don’t like to change.  Fax machines – at least simple ones – are pretty cheap and the training process is pretty simple.

But another reason is the perception that faxes are secure.  They are not.  There are a few really high-end fax machines that encrypt faxes, but they are probably one in 100,000, and the users have to know how to use that feature.

Mostly it is because people don’t like change.

We use encrypted email all the time.  But it is a bit of a hassle. We use different encrypted email products with different clients.    You have to look at multiple email apps to make sure that you haven’t missed any emails.

So people, always looking for the easiest, least hassle solution, resort to faxes.

In the case of faxing medical records to the wrong person, even accidentally, it is likely a violation of privacy laws.

In this case, the computer shop owner notified the sender multiple times (remember the sender suggested that the shop owner change his phone number) and the sender refused to do anything.

Well, now the computer shop owner has notified the Saskatchewan information and privacy commissioner.  I don't know what the penalties are going to be, but perhaps now, given a combination of bad PR and fines, the hospital will come up with a better solution.  Those are not very hard to find.

Are you still using fax machines to send sensitive information?

Information for this post came from CBC.
