Tag Archives: NDAA

Security News for the Week Ending August 21, 2020

August 13th, a Day That Will Live in Confusion

August 13th is the day that Part B of Section 889 of the 2019 National Defense Authorization Act went into effect. It bans the use of equipment and services tied to certain Chinese companies that have been deemed security threats by the United States. Companies that have this equipment won’t be able to sell to the federal government without a waiver. Contractors have 24 hours to report if they discover, after August 13th, that they are breaking the law. But contractors are allowed to self-certify. While the ban went into effect on August 13th, the GSA training session for contractors has been delayed until mid-September – because they weren’t ready to coherently explain the rules. Ellen Lord, chief of the Pentagon’s acquisition branch, asks contractors to take notes on how this is screwing up their business so that, maybe, they can get Congress to change the law. By the way, this is not a contract flow-down clause, so primes are responsible for what their subs do, I guess. Sorry contractors. Credit: Federal Computer Weekly

Senators Say WikiLeaks Likely Knew It Was Helping Russia

The US Senate Select Committee on Intelligence says, in a report, that Vladimir Putin personally ordered the hacking of the DNC and WikiLeaks likely knew that it was helping Russia. The Senate report says WikiLeaks received internal DNC memos FROM Russian hackers. Senators wrote that Trump’s campaign staff sought advance notice of WikiLeaks releases. Paul Manafort is named as the person who was the link between the campaign and Russia. It seems odd that this Republican controlled committee would release this report days before the Republican National Convention’s nomination of Trump for President. Credit: The Register

Hide Your Breach – Go to Jail

The Feds have charged Uber’s Chief Security Officer with hiding information about the breaches they had in 2014 and 2016 and about payments they made to the hackers to keep the breach quiet. He is being charged with obstruction of justice and misprision of a felony (i.e. hiding it). He faces up to 8 years in prison if convicted. Credit: DoJ

Ever Wonder What Happens to All That Location Data that Apps Collect?

Well, the answer to that is, it depends. This week we found out one thing that happens to that data. The U.S. Secret Service buys it and uses it instead of having to get a warrant to get that same information from the phone company. Nothing illegal about it. Obviously, the Secret Service is not using it to market any products. Curiously, the company that they bought it from does not advertise that they sell your data to the police. In fact, their agreement, similar to the agreement that the Stingray provider makes the police sign, says that they are forbidden from mentioning it in legal proceedings at all. When this has been an issue with Stingrays, the police have dropped charges rather than break the agreement. Credit: Hackread

Securus Sued For Recording Attorney-Client Jail Calls and Providing to Police

Securus provides pay phone services in prisons at what most people say are exorbitant prices. Sometimes they charge 100 times the going price outside. According to theory (and law), Securus is not supposed to listen to or record phone calls between inmates and their lawyers. The only reason they were caught was that a detective was listening to recordings provided to him by Securus and recognized the attorney’s voice. He then reported Securus to the Attorney General. The attorney who was illegally recorded is now suing Securus. The interesting thing is that Securus just settled a similar case in another state. You would think they would learn. Credit: The Register

OPM Breach, USA Freedom Act, Net Neutrality and Other Items

Several short items – The battle over NSA spying is not over, the OPM breach is better or worse than we thought, the first ruling on net neutrality is here, and Senator McConnell is trying to insert the cyber protection bill CISA inside the defense appropriations bill in a way that does not allow for debate. Crazy Thursday.

First, the House voted today to defund two NSA backdoor spying programs that Rep. Thomas Massie (R-KY) said are worse than the NSA bulk data collection. The NSA admitted that it sometimes spies on Americans’ communications under an authority that was intended to apply only to foreigners. The amendment would require the NSA to get a warrant first. The other amendment would block funds for NSA projects to build vulnerabilities INTO security products (see article). These amendments to the NDAA are far from certain as there is a lot of mischief going on in the Capitol over the NDAA.

The OPM is now saying that people’s SF-86 security questionnaires were not compromised in the breach. However, AFGE union head David Cox wrote to the OPM saying that based on sketchy information released by the OPM, the target of the hackers was the central personnel repository database, which contains information on every federal employee, retiree and a million former employees. Cox said that the data that the hackers stole included Social Security numbers, birthdays, addresses, military records, job and pay histories, and various insurance information, in addition to age, gender, and race data. Since the OPM is being pretty quiet, we do not yet know the truth (see article).

The U.S. Court of Appeals for the D.C. Circuit has ruled against the telecom and cable companies’ request to block the FCC plan to regulate Internet providers like other telecom carriers (the so-called Title II classification). The court did grant the request from both sides to expedite the hearing on the merits, but in the meantime, the rules go into effect on Friday, barring a ruling to the contrary from a higher court (see article).

Sen. Mitch McConnell is at it again. This time he is trying to insert the long-delayed cyber security bill known as CISA into the National Defense Authorization Act in a way that does not allow for debate or amendment. The NDAA is a must-pass bill, but President Obama has already said he may veto it for other reasons. Adding other, totally unrelated bills into that bill will not improve its chances for passing. McConnell says that because of the OPM breach, he is resorting to this strange approach. The fact that CISA only applies to private companies, which does not include the OPM, seems to make this argument misplaced (see article). There are a number of Senators who are not happy with McConnell right now, so stay tuned.

ICANN, the organization that currently manages Internet names and numbers, has been talking about giving up control, which currently rests with the Department of Commerce, to an independent international organization. Some folks do not like the U.S. giving up the power that it has over the Internet, while others think it is a good idea. In any case, ICANN said that there is no way it will be ready to do this by the September 30th target date. September 30th is the end of the current contract between DoC and ICANN. ICANN won’t even submit a proposal to the government on how this might work until mid-October, and who knows how long the evaluation process might take (see article).