Category Archives: Opinion

DoD Contractor Hit by Ransomware Infection

Electronic Warfare Associates (EWA), a well-known defense contractor in the DC area, was hit by a ransomware attack.  The tagline on the homepage of their website says that they are enabling a more secure future.

A Google search last week for the company brought up these results:

[Screenshot: ewa-ransomware.png]

The researcher who discovered the problem said it seems to have affected, at least, EWA Government Systems Inc., EWA Technologies Inc., Simplickey and Homeland Protection Institute.

EWA has not made any public announcement of the issue.  As I write this, the EWATech web site does not respond.

The current information suggests this is the Ryuk ransomware.  It is used against high-value targets and is known to exfiltrate data.  Exfiltrate is a big word for steal.  Source: ZDNet

One more thing we know.  When ZDNet called the company and spoke to their spokesperson asking for a comment on the story, he or she hung up on the reporter.

So what might we speculate?

You may remember that another Navy contractor lost over 600 gigabytes of very sensitive submarine warfare data (from project Sea Dragon) to the Chinese in 2018.  Were the Chinese looking for more EW data?  Certainly could be.  That data is very valuable in building better offensive weapons (figuring out how to defeat our weapons) and building better defensive weapons (it is cheaper to steal it than to invent it).

The Navy went crazy after the Sea Dragon breach.  This makes them look even more incompetent.

DoD contractors are required (under DFARS 252.204-7012) to report cyber incidents to the Pentagon within 72 hours of discovery.  Assuming they followed the rule, the Pentagon’s people (NSA, for example) could be all over this.

Much of the information that the government eventually classifies starts out as commercial research and isn’t classified until later.  Which COULD mean that whoever hacked them was after high value, not-yet classified information.

All of this is speculation, but reasonable speculation.

Which brings us to the Pentagon’s effort to require defense contractors to get an independent, third-party cybersecurity certification called CMMC (the Cybersecurity Maturity Model Certification).  Would a certifier have discovered the weakness that allowed this to happen?   Assuming the Pentagon is in the middle of this investigation, we may never hear.  But I bet folks are looking at the forensics right now.

But this certainly bolsters the logic behind the CMMC certification requirement.  And it is on track for starting later this year.

For those of you who sell to the government – both civilian and military, this is just one more warning to protect your ass.ets.

And more ammunition for Katie Arrington (who runs the CMMC project).

Oh.  One last thing.

The spokesperson who hung up on the media.  That is a GREAT way to get even more media attention on the worst day of your career.

There is something called an Incident Response Plan (IRP).  Part of an IRP is a Crisis Communications Plan.

Perhaps they should think about writing one.  And training people.

PS – It is probably required by CMMC.

Survey Says: Americans Concerned About Data Collection Practices

Well maybe not concerned enough to change their practices, but concerned.

When asked if their data is more secure, less secure or about the same as compared to five years ago, 70 percent said their data was less secure.  6 percent said it was more secure.

On the side of “gee, you mean I have to do something about it?”, 97 percent say they are asked to approve privacy policy notices, but only 9 percent say that they always read them and another 13 percent say they often read them.  That means that three-quarters of the users don’t read what they are agreeing to.  38 percent say they sometimes read the policies and 36 percent say they never read them.

Of those people who say that they at least sometimes read the privacy policies, only 22 percent say they read them to the end.

On top of that 63 percent said that they know very little or nothing about the privacy laws that protect them.

When it comes to being tracked, 72 percent said that all, almost all, or most of what they do on their phone is being tracked with an additional 19% saying that some of what they do is being tracked.  That leaves 9 percent who think that they are not being tracked. Hmm?

47 percent think the government is tracking them.

69 percent feel that their offline behavior including where they are and whom they are talking with – OFFLINE – is being tracked by the government.

84 percent say that they feel that they have little to no control over the information that the government collects and 81 percent feel the same way about information companies collect about them.

81 percent of the people think that the risks of companies collecting data about them outweigh the benefits, and 66 percent say the same thing about government data collection.

72 percent say they personally benefit very little or none from the collection of their data by companies and, even more surprisingly, 76 percent say that they don’t get much benefit from government data collection.

Certainly an interesting set of information, which could explain why there was so much support for privacy legislation in a variety of states.

You can find more information about the Pew report here.


The Security Implications of the Federal Shutdown

O P I N I O N

The President says that the shutdown is about security and I think he is right, but not in the way he is thinking.

We have to take this agency by agency, but just look at the numbers.  The EPA, probably no one’s favorite agency for different reasons, says it is furloughing 13,000 out of its 14,000 employees.  Is it likely that some of those employees serve cybersecurity (or even physical security) functions?  Maybe the 1,000 people are all of the folks managing cybersecurity, but I doubt it.

TSA screeners are considered essential, so they are supposed to work even though they are not being paid.  Some number of them (TSA isn’t saying how many) have been calling in sick.  Given the horrible stats regarding TSA agents detecting contraband and the fact that TSA turnover is 80% or more a year in some cities, there is no way that this is not negatively impacting your security.  It is affecting my security less because I haven’t had to fly lately, but if I did, it would affect my security too.

Even if the TSA attrition rate is not climbing during the shutdown, they are not hiring anyone right now.  That alone puts security at a disadvantage.  The TSA has 50,000 agents.  If you assume they have to replace only 25,000 every year, then a one-month shutdown, even if the attrition stats don’t go up, leaves them about 2,000 hires behind.  How easy will that be to make up, given that the government is/was shut down?  The TSA says that standards won’t suffer, but you can do your own math.

Many so-called government employees are actually contractors.  It is possible that some companies are choosing to pay their employees to work at federal jobs even though they are not and likely will not be paid (historically, federal employees got back pay after they returned to work but contractors did not), but some companies do not have the resources to do that.  Combine that with the government issuing what they call “stop work” orders to contractors and you have to believe that there is an impact.  One stat I read tonight said that 40% of the federal labor force is contractors.  Assuming that is close to true, surely some of those people are not working as a result of the shutdown and probably some of them perform security functions.

Other parts of Homeland Security include 187 departments and several hundred thousand employees.  At least some of them have been furloughed; others are working without pay, while others are looking for other jobs.

Who are the most likely to find other jobs?   Certainly it is not those with the least skills.  When it comes to cybersecurity, it is the ones with the most skills and likely, if they leave, they will get a pay raise.  And, they won’t come back.

So while the government will never admit how much the shutdown affected security, the longer it goes on, the greater the effect is.

Just my two cents.


Cybersecurity is not an IT Problem

O P I N I O N

People sometimes ask why IT can’t fix the cybersecurity problem.  The reason is pretty simple.  Cybersecurity is not an IT problem.

IT can make systems very secure.  Only problem is that employees won’t be able to get their job done.  No mobile.  No WiFi.  No personally owned computers.  Really long complex passwords.  You get the idea.

Several British companies are reportedly considering implanting a microchip in the hands of several hundred thousand employees instead of giving them a badge.

After all, what could go wrong?

Kind of like your cat.  After all, the pet door that is supposed to open with your cat’s chip always works, right?

If an employee wants to go to the bathroom, wave your hand in front of the bathroom door.  If you have already taken a bathroom break this morning maybe the door won’t open.

What happens when your “badge” stops working (I am sure that those of you who have a work badge or have gone to a hotel have never experienced that)?

Who pays for the medical bills if there are complications?

What happens when you change employers?

And, of course, you can’t turn it off on the weekends or at night.

Can you opt out?  Your cat didn’t have a choice.

Now the PR Spin.

KPMG said it was not considering microchipping its employees and would, under no circumstances, consider doing so.

So while, apparently, some employers ARE considering microchipping their employees, think about this:

  • Equifax couldn’t patch all of their servers
  • Target didn’t isolate the network access it gave a refrigeration vendor (used to find out which cooler needed repair) from its credit card systems
  • Home Depot wasn’t PCI compliant when it was hacked;  its lead security engineer was a convicted felon (Ricky Joe Mitchell was convicted of sabotaging his former employer’s network) and it has been widely reported that when the security team asked for more funding to improve security they were told that Home Depot was in the business of selling hammers – how does this help us sell more hammers?
  • It seems that every week we hear about another company that “accidentally” allows anyone on the planet to download the contents of their Amazon S3 storage buckets containing userids, passwords and all kinds of confidential information.
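The open S3 bucket in the last bullet is the kind of basic that a few lines of review catch.  The following is an added example, not code from the original post or from any of the companies named: it inspects an S3 bucket policy document offline and flags statements that grant anonymous read access.  The two policies embedded in it are constructed samples (the bucket name, account number and role name are made up), and the check deliberately covers only the policy document, not bucket ACLs or the account-level Block Public Access setting.

```python
"""Flag S3 bucket policy statements that grant anonymous ("public") read access.

Added example, not the original post's code.  Works entirely offline on a
policy document string; it never calls AWS.  Sample policies below are
constructed for illustration.
"""
import json

# Actions that let an anonymous caller read bucket contents or list keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True when the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def public_read_statements(policy_json):
    """Return (public, needs_review) lists of statement labels.

    A statement lands in `public` when it is an Allow, its principal is
    anonymous, it grants a read action and it has no Condition block.
    Statements that match but carry a Condition are not evaluated here
    (conditions like aws:SourceIp may or may not be restrictive), so they
    go in `needs_review` for a human to look at.  Labels are the Sid when
    present, otherwise the statement's index.
    """
    policy = json.loads(policy_json)
    public, needs_review = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        (needs_review if stmt.get("Condition") else public).append(label)
    return public, needs_review


# Constructed sample: the kind of policy that leaks a whole bucket.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the same bucket restricted to one IAM role.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        pub, review = public_read_statements(doc)
        print(f"{name}: public={pub} needs-review={review}")
```

Run it against the output of `aws s3api get-bucket-policy` for each bucket you own.  A policy is only one of the ways a bucket becomes public (legacy ACLs and access points are others), so treat this as a review aid; the baseline control is to turn on S3 Block Public Access at the account level and leave it on.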

If businesses cannot handle the security basics, microchipping their employees is not going to help.

99% of the time, security is about the basics.  Every now and then it requires heroic efforts, but those times are relatively few.

This issue is gonna be with us for a while.  A long while.  Anyone who is hoping for a silver bullet solution – I have a bridge in Brooklyn for sale cheap.

SORRY!

Information for this post came from Slate and The Guardian.

In Honor of Election Day

First of all, if you haven’t already voted, please vote!

Time did a nice piece on election security (see link at the end).  In a somewhat self-serving statement, Homeland Security Secretary Kirstjen Nielsen said that she FELT confident that this year’s election would be the most secure election we have ever had.  Ignoring for a moment that the paper ballots that we used for the first 150 plus years of our country are probably way more secure than what we are doing now and while I appreciate her feelings, they really don’t give me a lot of confidence.

That being said, we probably have improved the security of the election process since the last presidential election.  If she had said that we have the most secure election we have ever had since 2016, I would probably agree with her, but that would not offer a good sound bite.

Secretary Nielsen said that the alarm the U.S. Intelligence community and law enforcement officials sounded last month about ONGOING efforts by Russia, China and Iran to influence our elections is a different matter.  Her view of election security is limited to hacking of voting machines, not changing the outcome of the election.

While my rant above is possibly a bit harsh, it does point out something that is important.

We need to be concerned about changing the outcome of the election, whether that is by hacking voting machines, spreading disinformation or voting early, voting often, as it was said about Chicago under Mayor Daley.   What matters is that this is our election and not Russia’s.  Or China’s.

It is good that we haven’t seen any sustained effort by foreign powers to hack voting machines.  That, to me, is the absolute hardest way to change the election.  Maybe hacking the central tabulating system at the County or State level might make sense, but hacking individual machines – that is a lot of work.

Time says that 44 states and the District of Columbia did participate in a three day exercise this past summer to put election systems to the test.  Part of the exercise was to test the Fed’s ability to share hacking data with local election officials.  All that seems like a good thing.

Since the Feds, under President Obama, declared election systems critical infrastructure, over the objections of many local officials (fearing that the feds were saying that they were not doing a good job), the Feds created an Information Sharing and Analysis Center or ISAC for Election Infrastructure as a formal way to share information all around.  Another good idea.

1,300 of the 8,880 local election jurisdictions are participating in this system.  Why the rest are not is scary.  Maybe these should publish their membership list so the voters can vote on that!

The Feds have developed a threat detection system that they use called Einstein.  All Federal Internet connections use it and while it is not perfect, it is way better than what was being done before.  Einstein has a cousin called Albert (cute huh?) that the Feds have given (or sold, it is not clear) to 43 states to help them detect threats.  These two are similar in function but completely different implementations.  Still both achieve the same goal – look at Internet traffic and try to ferret out the bad guys.  See this article in Fedscoop for info on Albert.

The Feds also offered to conduct a penetration test of election infrastructure for the states.  Only 21 states asked for help.  While some states do their own pen tests, if you can get another one for free, exactly why wouldn’t you accept?  Unless you were worried.

DHS is also doing remote weekly scanning for 36 state and 94 local governments and providing them with vulnerability reports.

The fact that everyone has not asked for help is just an indication that, for politicians, ego often wins.

Oregon solved the problem (as does Colorado).  Oregon uses paper ballots.  Hack that from Russia! Of course there are counting machines, but hopefully they are not on the Internet.

I do believe, in spite of the above, that we have IMPROVED the security of election systems somewhat since 2016, but there is a long way still to go.  The ExpressPoll-5000 (an electronic pollbook used to check voters in) still uses a root password of “password” and a master administrator password of “pasta”.  That’s got to be pretty secure, no?

And of course, we really have not done much about the disinformation campaigns, which are way easier than hacking a voting machine and, apparently, pretty effective.

The Cybersecurity 202 newsletter talks about disinformation campaigns like Twitter “news” saying that Immigration officials will be at polling stations to check citizenship status, which might deter legal immigrants who don’t want to be hassled, or hacks of local election or news sites.  We have also seen disinformation email campaigns telling people to go to the wrong place to vote.  DHS says check your information source, but sometimes that is easier said than done.

What do you think?

Information for this post came from Time.


U.S. Election System Under Attack

O P I N I O N

Christopher Krebs, the Under Secretary for the National Protection and Programs Directorate (NPPD) of DHS, said individuals’ voting rights were safe despite persistent attacks on the voting infrastructure.

He said, that by law, if you show up to vote and there is a problem with your registration,  you have the right to request a provisional ballot.  It can take time and be disruptive, but if you are persistent, you can get a ballot.

Krebs says that they haven’t seen as persistent an effort by the Russians to compromise this year’s election as they saw in 2016 – that statement by itself seems at odds with what his boss, the President has said.

DHS is planning to launch an initiative to manage the risk.

I agree that if you are willing to create a scene, you can get a provisional ballot, but is that really where the risk is?

Certainly, it is possible that an attacker could try to delete voters from the voting rolls, but that seems like a hard way to affect the outcome of the election.  After all, how do you know how that voter will really vote?

Much more likely, and not mentioned by Krebs since DHS isn’t doing much about it, are attacks on campaign web sites and on the email of candidates and their teams.  When the President says that there is no evidence that Russian interference in 2016 changed any votes, I have no idea how he can prove that.  If what he means is that the Russians didn’t cast any fraudulent ballots one way or the other on behalf of a voter, I believe that.

If, however, he means that the relentless social media attacks for and against different candidates, illegally funded by Russian controlled front companies recently indicted by the federal government didn’t change people’s choices as to who to vote for, that is completely unprovable and likely just wrong.

For the last year and a half DHS has not processed the security clearance requests of state and local voting officials so that they can receive classified intelligence.  A few officials have gotten their clearances, but many more have not.

All in all the administration is picking and choosing their talking points to make things look better.  Overall, they have done very little to improve the situation as compared to 2016.

When Krebs said that they have not seen Russian interference at the levels of 2016 this year, he should have added the word YET.  This is still early and likely the Russians will increase their efforts in that direction.

I have no clue which side they plan to attack; but whichever side it is, it will be to further their own interests, not ours.

Stay tuned, this is far from over and we don’t have an effective strategy to counter it.

Information for this post came from FCW.