Tag Archives: CISA

Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam, do not pay the extortion and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT program would provide grants for utilities to improve their security.  Given that a carefully distributed government report says that the Russians (and not the Chinese) have already compromised a number of US utilities, improving security is probably a smart idea. The nice part is that it is a grant.  The important part is that the money would be spread out over 5 years, so in reality we are talking about spending $50 million a year.  It also seems to be focused on electric utilities and doesn’t seem to consider water or other utilities.  There are around 3,300 electric utilities alone in the US.  If we ignore everything but electric and spread the money equally (which of course they won’t), every utility would get $15,000.  That will definitely get the job done.  NOT!  Source: Nextgov

Smith & Wesson’s Online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware.  They join the likes of British Airways (183 million Euro fine) and thousands of others.  Abrams did not hear back from them by publication time.  Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs, was hit by a ransomware attack which affected some of their customers.  As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), that it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customers’ servers), and that they are investigating.

This is just one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked.  Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so let’s hope they are able to fix it.  Source: Reuters

Newsbites: GoToMyPC, Carbonite, DHS and CISA and the FBI

Carbonite: Carbonite sent out an email to all customers to reset their passwords.  They claim that they have not been hacked but that they are seeing a large number of attempts to log in by third parties.

They say that based on their security review, they have no evidence that they have been hacked.

If none of these attempts to get in was successful, then why force millions of people to change their password?  Likely, at least some of these attempts were successful.

Source: Carbonite web site.

GoToMyPC:  GoToMyPC, a division of Citrix that allows users to remotely access their PCs, is also forcing all of their users to change their passwords.

Apparently so many users decided to do this at the same time that Carbonite had effectively performed a denial of service attack on their own web site.

Citrix provided little additional information about the situation.

Source: BBC News.

Both of these events point to the fact that as hundreds of millions of passwords are compromised every year, users are being forced to up their game.  Some recommendations are:

  1. Use a password manager so that you don’t have to remember all those passwords.  Many of them, such as LastPass, will automatically log you in, making the password step easier.  While this is a security risk in itself, it is likely less of a risk than using simple passwords.
  2. DO NOT reuse passwords across important sites like online backups, banking, email and remote access.  Unique passwords combined with a password manager are not just a best practice, they are a survival tip.
  3. For any important web site, such as banking, Amazon and others, use two factor authentication.  I know it adds an extra step to the login process, but it makes stealing passwords much less useful.

DHS and CISA:  DHS released the final rules for the data sharing rules of engagement that were part of the CISA bill that was sneaked into the Defense appropriations bill last year.  The bill created a voluntary system trying to encourage businesses to share threat data with the government.  The system has two automated tools, STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information), to scrub and categorize the data.  Out of the 30 million or so businesses in the United States, so far 30 are using it.  That would be .0001 percent.  I think it is going to need some more users to be effective.  To be fair, it is, pretty much, a new thing and around 70 more companies are planning to participate.

Source: IAPP.

FBI:  The FBI, by way of those super secret National Security Letters or NSLs, has been asking for the kitchen sink and leaving it up to companies to tell them no.  Big companies with lots of expert attorneys such as Microsoft, Google, Apple and Yahoo, have told them to have a nice day, but small tech companies don’t have an army of lawyers and likely have given the government whatever they asked for.

Michael German, of the Brennan Center said “there’s a behind the curtains push” to get information from “groups who either don’t want to fight or are otherwise inclined to help the FBI get the records they want.  And it’s all happening in secret.”

The FBI also keeps data that it is not legally permitted to ask for, if an uninformed company hands it over.  The DoJ Inspector General said that at least one company turned over email messages including images, which is expressly prohibited in the statute.

Now they (the FBI) are going to have to pick a fight in Congress to get the law changed if they want to get more data from companies and Congress-critters are unlikely to approve that in an election year.

Source: IAPP

Office Of Personnel Management Breach and CISA

Congress has been trying to pass some sort of cyber security bill for 3 or 4 years now, but up until last December, was never able to pass one.  Part of the reason is that knowledgeable people understand that this information sharing will likely not help you or me at all.

Last December, Congress quietly placed what was the CISA bill (S.754) inside the federal budget bill that was passed quickly so as to avoid shutting down the government.  There was very little debate – there was no time – and the intelligence community was able to negotiate the weakening of language that required companies that share information with the government – in exchange for which they get immunity in case anyone sues them for doing that – to make sure that no personally identifiable information is being shared.  While some people read the law as protecting privacy, others read it in the opposite manner.

The weakened privacy protections say that a company cannot share information that they KNOW to be personally identifiable and KNOW that is irrelevant to cyber security.  That seems like a pretty big loophole to share almost anything.  The good news is that many companies will try to avoid sharing any information with the government because of the negative business PR when they get outed as sharing data with the government. See Wikipedia for more information.

What we don’t know is how the government might use this law to “encourage” companies to share information if they want, say, government help or government contracts.

One note.  The law requires DHS and ODNI to provide procedures for sharing information within 60 days of enactment of the law.  If enactment, in this case, means when the President signed it, that means the procedures must be sent to Congress this week, so stay tuned.

So how does this relate to OPM?

Whether the data provided by private industry directly contains your PII or not, it is likely that the data may be sensitive to the company sharing it.  As a result, those companies are counting on the government to protect that information.

Almost a year ago the U.S. Office of Personnel Management acknowledged the fact that hackers made off with information on around 20-25 million Americans – many in positions of trust and who have access to sensitive classified information.

Based on my background, I assumed I was one of those people.

So, I waited for a letter to arrive.  By October I still had not received a letter, which I thought odd.

So I went to the OPM web site and there is a process, they say, that will tell you whether OR NOT your information was breached.  No response.

So I called the OPM call center and asked them to resubmit my request.  And, still, no letter.

Remember, in both of these cases I should have received a letter either way – whether my information was compromised or not.

So I wrote to my Senators and asked for their help.  One did not respond to my letter;  the other talked to the OPM, who said, go to their web site.

So I did, again.

Finally, today, about 10 months after the breach was announced, I got a letter.  Yes, I was included.

What was taken?  Name, address, social security number, date and place of birth, where I have lived, education including dates and degrees, employment history, personal foreign travel history, immediate family members (and actually I would call that extended family – it includes brothers and sisters, their spouses and their children),  business acquaintances and personal acquaintances.

Oh yeah, also all 10 of my fingerprints. OPM says they are not sure how an attacker would misuse them, but they are pondering the question.

Based on that, here are my – and a lot of other people’s – thoughts on CISA.

If the government cannot keep information such as the list above out of the hands of hackers, how likely is it that they can keep safe and secure the information that I share with them regarding threats – which certainly could include enough information for another hacker to figure out how the original hacker planned to attack me, or other sensitive information, including an attack vector that might still be valid?

Especially since once I share it with Homeland Security they can share it with a whole raft of other agencies.  So not only do we have to worry about whether DHS is keeping the information secure, but we also have to worry about the other agencies that get that information from DHS keeping it secure.

It will be interesting to see what the procedures say when they come out – maybe this week.

Addendum:  BestVPN reported that there was a private, invitation only meeting between the government and the CIOs of the largest companies where DHS tried to convince the CIOs that they were from the government and were here to help them.  As Ronald Reagan said, those are the most terrifying words in the English language (see the clip on YouTube).

Curiously, only 58% of the CIOs in attendance think that CISA will increase corporate cooperation with the government.  Because the government, they say, is useless at cyber security.  The FBI even admitted it, the article says, after the OPM breach.

As part of the roll out, DHS and/or NSA has created at least two new systems: TAXII, a messaging system to exchange information, and STIX, a threat parsing system.
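For the STIX/TAXII exchange mentioned here and in the DHS-and-CISA newsbite above, here is an added example (not the blog’s or DHS’s own code) that builds STIX 2.1 indicator objects, holds back any whose free-text fields carry obvious PII, and wraps the rest in the envelope a TAXII 2.1 server accepts.  Field names follow the public STIX 2.1 / TAXII 2.1 specifications (the 2015-era STIX 1.x was XML); every sample value is constructed.

```python
"""Added example (not the blog's or DHS's code): build STIX 2.1 indicators,
hold back any whose free-text fields carry obvious PII, and wrap the rest in
the envelope a TAXII 2.1 server accepts. Field names follow the public STIX
2.1 / TAXII 2.1 specifications; every sample value is constructed."""
import re
import uuid
from datetime import datetime, timezone

# Data that never belongs in a shared indicator. The blog's complaint is that
# the law only makes a company strip data it KNOWS is personal and irrelevant;
# a mechanical pre-share check removes the need to "know".
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "us_phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}
FREE_TEXT_FIELDS = ("name", "description")  # where analysts paste things

def stix_timestamp(dt=None):
    """STIX wants RFC 3339 UTC with millisecond precision and a trailing Z."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def make_indicator(pattern, name, description="", created=None):
    """One STIX 2.1 Indicator SDO describing a malicious observable."""
    ts = stix_timestamp(created)
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts, "modified": ts, "valid_from": ts,
        "name": name, "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix",
    }

def find_pii(obj):
    """(field, kind, match) for every PII hit in the free-text fields. The
    STIX pattern is deliberately not scanned: an attacker's sender address in
    [email-message:sender_ref.value = '...'] is the indicator, not PII."""
    hits = []
    for field in FREE_TEXT_FIELDS:
        text = obj.get(field) or ""
        for kind, rx in PII_PATTERNS.items():
            hits.extend((field, kind, m) for m in rx.findall(text))
    return hits

def scrub_for_sharing(objects):
    """Split objects into a TAXII 2.1 envelope of shareable objects and a
    list of (object id, hits) an analyst must clean up before they go out."""
    envelope, held_back = {"objects": []}, []
    for obj in objects:
        hits = find_pii(obj)
        if hits:
            held_back.append((obj["id"], hits))
        else:
            envelope["objects"].append(obj)
    return envelope, held_back

def taxii_post_headers():
    """Headers for POST /{api-root}/collections/{id}/objects/ on TAXII 2.1."""
    return {"Content-Type": "application/taxii+json;version=2.1",
            "Accept": "application/taxii+json;version=2.1"}

if __name__ == "__main__":  # constructed sample: one clean, one with PII
    clean = make_indicator("[ipv4-addr:value = '203.0.113.7']", "Scanner host",
                           "Seen probing utility web front ends")
    dirty = make_indicator("[domain-name:value = 'lure.example']", "Phish lure",
                           "Reported by jane.doe@example.org, SSN 123-45-6789")
    env, held = scrub_for_sharing([clean, dirty])
    print(len(env["objects"]), "shareable;", held)
```

The envelope is what gets POSTed to a TAXII collection; the held-back list is the analyst’s to-do before anything touches a government feed.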

DHS says that they will start this program – maybe already done – with a few select companies.  Who might those be?  They have not said and I bet those companies are not going to tout that they are participating.

Information for this post came from BestVPN and other news.

E.U. Safe Harbor Deadline Nears – What Will Happen?

As the self-imposed (by the E.U.) deadline of January 31st (for coming up with a replacement for Safe Harbor) looms near, we don’t really know what is going to happen.  My guess is not much, but stay tuned.

The background is that when the European Court Of Justice struck down Safe Harbor last year, Working Party 29, the group responsible for cleaning up the mess in the aftermath of the ruling, created a deadline of January 31 of this year for a new agreement to be in place or else.  Or else what?  Not really clear.  What could happen is ALL that data transfer which was done under the old Safe Harbor agreement stops.  I don’t believe that will happen.

There are a lot of negotiations happening behind the scenes.

One critical piece, a U.S. law that gives E.U. residents the right to sue for redress in U.S. court for privacy violations – a right that they do not have today and a right which the E.U. said was critical to not shutting down data transfer – passed a vote in a Senate committee.  Typically, there is a long and winding path between a committee vote and the President signing a bill into law, but still, this is a move in the right direction.  Do I think this will get signed by January 31?  No.

On the other side of the coin are the data sharing provisions (what used to be called CISA) in the recent budget bill.  Since the Senate took out many of the privacy provisions, some say that even if an agreement is signed, the ECJ might say that CISA is a huge hole in E.U. citizens’ privacy rights, since the law says that you can’t sue companies if they share your private data with the NSA.  Oh, wait, companies share it with Homeland Security.  Who is free to share it with NSA, FBI, DoJ and a whole raft of three letter agencies.

The E.U. has basically approved the new data protection agreement for Europe called the General Data Protection Regulation or GDPR.  It is actually much stricter in terms of provisions than the old law.

I think February could be very interesting.

Information for this post came from The Register and Dark Reading.

The Law Of Expected Consequences – China Reacts To CISA

In the last weeks of the year, Congress did what Congress does and took a controversial bill, CISA, which experts say expands government spying on citizens in the name of protecting them, and stuck it inside a must pass bill – in this case the omnibus spending bill – at the last minute.

Since Congress has been unable to muster the votes to pass this bill as a standalone bill for several years, this seemed like an expedient way for Congress to get it passed.  And, while it worked, as many people predicted, it has already had unintended consequences.

China has announced that since it is now OK for the U.S. government to increase the level of spying on Internet traffic, China will do the same.

The draft legislation would require companies to install “back doors” or hand over encryption keys to the Chinese government.  Not only that, but they would be required to hand over user information to the Chinese government as well.  In the name of countering terrorism.

This includes financial institutions and manufacturing companies.

China actually said that they looked at U.S. law, along with other countries, when drafting this legislation.

Of course the recent announcement that the NSA may have been bugging Juniper routers for years likely did not make the Chinese any happier.

Apparently, things move a little quicker in China than in the U.S. – China, on the same day that the draft legislation was proposed, passed that legislation into law.  Among other things, that law requires that ISPs and telecom providers “shall provide technical interfaces, decryption and other technical support and assistance to public security and state security agencies”.

Now we have to see what China actually demands.

The challenge is that for many companies, China is a significant market and walking away from China will cost them money.  On the other hand, if they do not turn over their encryption keys, they could see their sites blocked by The Great Firewall.

It looks like the Cold War is heating up – this time in cyber space.  Other countries, such as France and England, are considering similar laws.  Will every country now demand the encryption keys from every company?

If so, I give it about a week before those keys are leaked to the hacker community.

Companies will be forced to make hard decisions.  Do we allow governments across the globe to paw through our users’ traffic or do we stop doing business in certain countries.

And, from the user’s standpoint, they now have total plausible deniability for any cyber crime that they are charged with.  “Your Honor, as you already know, the French, English, Chinese, U.S. and other governments all have my encryption keys.  Given that,  and the fact that, at least, the U.S. Government has a bad track record for keeping keys secret – after all, we just have to look as far as the TSA and OPM to see that – it is likely that hackers have my keys as well.  Since I have no ability to control who has my keys, it is just as likely that a hacker in China committed this crime.  While I don’t have the resources to prove this, you cannot deny this is possible.  I submit that the government cannot, beyond a reasonable doubt, prove that it was me who did this.  I request that the charges against me be dropped.”  This may seem far fetched, but it isn’t.

This has certainly NOT played out yet – stay tuned.

Information for this post came from SC Magazine.

There is another article in SC Magazine with an update.

Senate Passes Information Sharing Bill

The Senate, on Tuesday, passed their version of CISA, the Cybersecurity Information Sharing Act.  The House passed their own version of it months ago.

The stated purpose of the act is to allow private companies to share “threat” information with the government and have immunity from being sued by their users for doing this.

Because of the poorly defined terms – like what threat information is – and the broad array of government agencies that the information can be shared with – like the FBI and NSA – along with the pretty weak protections against using this information against American citizens, many cyber security experts are calling this bill an intelligence gathering bill disguised as a bill to improve security.

In reality, this bill, in whatever form the House-Senate conference committee gives it, will do almost nothing to improve either the average citizen’s security or the government’s security.  It would, for example, have done nothing to stop the OPM breach because that was a unique attack – there were no indicators of that attack in the wild because the only place it existed was at OPM.  Same for Anthem.  Same for Home Depot.

Ignoring that, post Snowden, tech companies are extremely wary of sharing anything with the government – it is, to be honest, not good for business.  To be seen as voluntarily sharing your and my data with the government is the kiss of death from a reputation standpoint.

In fact, Microsoft and the Justice Department are locked in mortal combat.  The FBI wants Microsoft to bring data from Ireland back to the United States and give it to them.  Microsoft says that doing that, absent an Irish court order would subject them to criminal charges in Ireland, so if you want the data, get an Irish court to tell us to do so.  In Ireland.  They have been fighting over this for almost two years (see article).   Microsoft is fighting this because (a) it is good for PR and (b) they do not want to set a precedent that would likely get them sued in Europe.  And, given the sentiment inside the EU after the Max Schrems/ECJ Safe Harbor decision, I don’t blame Microsoft.

More importantly, this will do little to nothing to improve security.

There has been an FBI-private industry relationship for over 10 years now called FBI-Infragard.  This is a very simple way to share information with the government.  Sharing data is not a problem.

There are dozens of ISACs or Information Sharing and Analysis Centers and ISAOs or Information Sharing and Analysis Organizations (there really isn’t much difference between the two.  ISACs were originally focused on critical infrastructure, but many of them allow anyone in their particular vertical, like finance, to join).  Companies that want to share data with their ISAC or ISAO can already do that.

At least for industry leaders, they are already sharing all the data they need.  Sometimes informally, sometimes formally.  They do not need CISA to do that because threat indicators rarely require the sharing of personally identifiable information.

So why is Congress pushing so hard for this new law?

Two reasons, in my opinion – other people may not want to be quite as cynical as me – but they might be.

Voter approval of Congress is in the single digits.  It is worse than the approval rating of used car salespeople or debt collectors.  With a Presidential, House and Senate election coming up next year, incumbents want to be able to pretend that they did something useful to reduce the number of cyber breaches when they go out and campaign.  They are counting on people being too ill-informed to know that this law is next to useless.

More useful would be to provide oversight (which is their job) and provide funding.  Just this week Congress refused to give OPM $38 million to deal with their hundreds of millions of dollars in budget shortfall to improve their computer systems security.  This is the agency that is still running at least one core system built in the 1960s.

The people who built that system likely have all died of old age by now, but the system is still running.  Do you think that some threat information shared by, say, Facebook (which appears to be the only tech company in favor of CISA – unlike Google, Microsoft and others, Facebook refuses to say that it opposes CISA, even though that is political suicide) will help OPM protect a mainframe based, COBOL system written in the 1960s?  I didn’t think so.

Will sharing threat information solve the problem of tech executives who say that they won’t spend $10 million to avoid a possible $1 million loss – I will accept the risk (that would be Jason Spaltro, SVP of Information Security at Sony)?  Sony accepted the risk and look what happened to them.  The problem of course is that while you may guess that the $10 million number is right, you have no idea if the $1 million number is correct or is really $100 million, as Sony found out.

Will sharing some threat information stop 25% of a government agency’s employees from clicking on phishing emails, with almost none of them reporting it to their security team – 7% reported it?  (That would be the USPS, by the way.)  I don’t think so.

So, as is often the case, Congress is taking the easy way out with CISA, rather than actually dealing with the real problem inside government – which is their responsibility to fix.  Private industry is way ahead of the government, for the most part, even though private industry knows that they have a lot more work to do.

Sorry, I know this is mostly a rant, but it is important for people to understand that CISA will not make a difference no matter what some politician tells you in a sound bite.

Read the article below for more experts’ takes on the issue.

Information for this post came from Net-Security.