Navy Trying to Fix Their Cybersecurity Mess and Congress is Not Helping

After a horrifying independent review of the Navy’s current cybersecurity posture, the Navy asked Congress to approve a new position of Assistant Secretary of the Navy to handle cyber.  This comes after the Navy eliminated the role of CIO last year.

Congress turned them down, so now they are going around Congress to create a Special Assistant to the Secretary for Information Management/Chief Information Officer, which does not require Congressional approval.  They are also going to assign about 15-20 people to a team to work on the task.  Since there is no new money for this, many of these people will be getting additional jobs.  That, of course, will make them less effective, but at least the Navy is trying.

The Navy will also be hiring four senior leaders to run directorates inside this new office: a chief technology officer, a chief data officer, a chief digital strategy officer and a chief information security officer.  Congress has authorized special pay in certain areas like this at the rate of 1.5 times that of the Vice President of the US or about $300,000 a year per person.  They hope to attract folks from industry with numbers like this.

Their objective is to improve security across the Defense Industrial Base in light of the threat from China (and others).  A key priority is to get second, third and fourth tier suppliers to implement strict cybersecurity regulations, specifically NIST SP 800-171.

Many contractors have ignored the requirements of 800-171, in part because of the cost and in part because the DoD has not been enforcing it.  In combination with the new proposed third party cybersecurity certification requirement (CMMC) that the DoD is talking about implementing next year, contractors who ignore these requirements may effectively eliminate themselves from getting any DoD contracts.  A good strategy would be to step up your cybersecurity program effort in advance of these new rules going into effect, because it will take a while to get your program up to speed.

Source: Federal Computer Weekly.


Number of Data Breaches Up 54% in First Half of 2019

Remember, this only counts reported breaches.  Marriott, for example, didn’t detect its breach for FOUR  YEARS.  And tens of thousands of breaches likely go both undetected and unreported.

The midyear data breach review by Risk Based Security said there were 3,816 breaches REPORTED in the first half of 2019, up 54% from the first half of 2018.

Those breaches exposed 4.1 billion records, up 52% over the same time last year.  3.2 billion of those records were related to 8 big breaches but that still doesn’t account for the uptick in the number of breaches reported.

This means a couple of things:

The hackers are still winning this war and with billions of passwords compromised, that is unlikely to get better any time soon.

It also means that as consumers, we need to be aware of these breaches and the impact that they might have on us.  That includes watching for breach announcements, changing passwords and using two factor authentication.  It also means being alert to scams and attempts to compromise your devices and your accounts.  Remember that if hackers empty your bank account or retirement account, you are unlikely to be pleased.

Finally, it means that businesses need to up their game.  Businesses are almost always the target of attackers.  Businesses of all sizes, from Equifax to a mom and pop retailer, are all potential attack targets.  This is because almost all attacks are not targeted.  The Sony attack was targeted.  Attacks on the Defense Department are targeted.  Beyond that, not much is targeted.

The challenge for small businesses (meaning a couple hundred employees or less) is that they don’t have either the technical resources to DETECT the attacks or the financial resources to deal with the attack.  Some do go out of business.

Regarding technical resources, that likely means paying outside experts.  While no one likes spending money, it is almost always less expensive to spend that money to avoid an attack rather than spending it to fight an attack.  And there is way less brand damage in preventing an attack.

If you were not successful in preventing an attack, then insurance does HELP pay to mitigate the consequences – assuming you have the right kind of insurance, and we often see that businesses do not have the correct insurance.

Bottom line here is that it is only going to get worse – kind of like traffic – so hoping that the problem will go away is likely not an effective solution.


Source: SC Magazine.


Security News for the Week Ending August 16, 2019

Unencrypted Biometric Data Database Found

A database called Biostar2, containing the fingerprints and face scans of over a million people that are used by police, defense contractors and banks, was found unencrypted and exposed on the Internet.  That was bad enough.

Then the article said that the database included user names, passwords and other personal information.  Can this get worse?

Yes.  The database was writable, so a hacker could add names to it.  How could that possibly be used for bad purposes?

The story goes downhill from there.  Source: UK Computing.


Is Your MacBook Allowed to Fly?

15 inch MacBook Pros purchased between September 2015 and February 2017 are now banned from airliners by the FAA, even in the cabin, due to the risk of catching fire.  I am not sure how the airlines plan to deal with this ban as it is basically serial number related.  In any case, if you own one, Apple will repair it for free, so you probably should do that.  Source: PCMag.


Capital One Hacker Breached Many Companies

Paige Thompson, the hacker being charged in the Capital One breach, may have hacked as many as 30 companies, although the Justice Department is not saying who.  Media reports say the companies include Vodafone, Ford, Michigan State University and the Ohio Department of Transportation, among others.  I am guessing that at some point these organizations will be forced to disclose that they were breached.  Source: Techcrunch.


Ransomware, The Next Generation

Hackers are nothing if not creative.  Combine that with businesses not paying enough attention to security and you get a mess.

Researchers discovered an unprotected database with over 5 million client records belonging to Choice Hotels.

The hotel says there is good news.  Only 700,000 of those records were from real customers.  Doesn’t that make you feel better already?

However, that good news is limited.  The researchers were not the first ones there.  They found a ransom note in the database.  It appears that the bad guys copied the data and tried to delete it, but something went wrong.  They wanted 0.4 Bitcoin or about $4,000 for the data.  Given the company and the data, they must have been hoping for an easy payday because that much data should be worth a lot more.

That is the next generation of ransomware.  COPY the data, then encrypt it or DELETE IT.  Then demand a ransom to get it back.  If you don’t pay the ransom, they RELEASE the data.  Or SELL it.  For this generation of ransomware, backups do not help.  The only thing that helps is keeping the bad guys out.  Call it ransomware 2.0.  Luckily, in this case, the bad guys were incompetent.  Maybe not the next time.

The database was set up for or by a vendor.  The hotel says that as a result of the breach, they won’t be working with that vendor any more.

The hotel did not initially launch an investigation, but eventually did.

So what is the message here?

Just because you are working with a vendor does not let you off the hook.

What was the hotel thinking giving a vendor live data to test with?  What might the consequences be if the data was released publicly?

How much due diligence did the hotel do on the vendor’s cybersecurity program before they gave them the data?  Under some state laws (like Colorado’s), the hotel would be responsible for ensuring that the vendor had the ability to protect the data BEFORE they handed the data over.

Now the hotel chain will have to face the regulators and the lawsuits and the fines. 

All of this should be part of a company’s vendor cyber risk management program.  Maybe Choice Hotels needs to rethink its vendor cyber risk management program.  I can think of about 700,000 reasons why.  Source: ZDNet.

What Does Foreign Influence in Elections Look Like?

The issue of foreign influence in US Presidential elections has been and continues to be a hot button.

Sometimes the focus on election hacking is on hacking the ballot box, but while this is possible, it would be very hard to do that on a national scale, so it is unlikely that this is the tactic that they would take.  However, since we know that Russia attempted to penetrate election systems in all 50 states during the 2016 elections, we should not rule this out completely.

Whether the foreign powers want to help or hurt a particular candidate (and there are likely some of each), there are many things they could do.

Obviously, they could hack the emails and other systems of candidates and release embarrassing emails.  They could also hack candidates’ personal phones and computers in addition to the campaign’s systems.

More likely, these powers will launch disinformation campaigns.  The number of emails that I get on a daily basis that are designed to inflame or contain outright lies is amazing and will only increase as we get closer to the election.  Same thing with social media.  Whether people will disregard these campaigns is not clear.  It seems that people tend to accept spam that they agree with and reject spam that they disagree with, as opposed to treating it all with a whole lot of skepticism.

While it is illegal, foreign governments have been injecting money into campaigns of candidates that they like.  This is done via proxies who can contribute, so figuring out who is a shill for, say, China, might be hard.

Remember also that hacking elections is a time honored tradition.  While the techniques have gotten better, hacking elections is not new.  One source says that the US interfered with 81 foreign elections (that we know about) since 1946.

The bigger issue is that people THINK that the elections are rigged and do not vote at all.  If this happens, the bad guys win. 

Voters need to be on the alert for all kinds of tricks that a foreign OR DOMESTIC actor might try.  Smart voters will reduce the impact of the bad actor’s work.  And you must vote.

Sources: Nextgov and The Washington Post.

The Challenge of Privacy

Everyone has heard about the Federal Trade Commission fining (tentatively) Facebook $5 billion for sharing your data – with Cambridge Analytica  – without your permission.

The FBI has sought proposals for third parties to hoover up everything that is visible on social media and build a database so the FBI can search it for information on activities that you do that they think is sketchy.

The FBI wants to search your stuff by location (neighborhood), keywords and other functions.

Which seems to me to be precisely what Facebook was fined $5 billion for allowing Cambridge Analytica to do.

Except the FBI wants to do this not just with Facebook, but with all social media platforms combined.

Not to worry.  I am sure that it will be secure.  And not abused.  And not used for political purposes.  After all, we are from the government and…..

The FBI wants to capture your photos as well.

Of course, doing so would violate the terms of service of every social media platform, so unless they do it secretly or Congress passes a law nullifying the social media terms of service, it is likely that social media platforms will terminate the accounts if they detect it.  *IF* they detect it.  Given the relationship between social media and DC, they may be motivated to stop it.

However, it is already being done by private companies, in spite of the prohibition, to sell to marketers, so who knows.

Facebook and Instagram actually have a ban on using the platform for surveillance purposes.

From a user perspective, there is likely nothing that you can do other than stop using social media.  It is POSSIBLE that if you stop making posts public (and instead only make them visible to your friends), that MIGHT stop them from being hoovered up.

If you stop using the platforms, that will make Facebook, Twitter and other platforms sad.

Smart terrorists will shift to covert platforms to make detection harder.

The good news is that there are not very many smart terrorists.

Source: ZDNet