40 year impact from OPM breach

OPM Breach

Source: FedScoop

Interesting article that states the impact of the OPM breach could cause an impact for the next 40 years.

I’m just going to say, after some conversations I’ve had with some people over this past weekend, I think the breach could last a whole lot longer than 40 years. In fact, I would go so far as saying that the damage caused by the breach will never be repaired. Think of the long-lasting impact this will have on family members of those affected by the breach. If someone was able to pull up all the information on, say, your Grandpa, and was able to give you any/all information you could ever want to know about him, wouldn’t that affect your trust with that person, and wouldn’t you be slightly more likely to release other information to him, as you see they already have a bunch of information? From an intelligence-gathering perspective, the amount of information contained in the SF-86 form is crazy; there is so much information in the SF-86 that it literally took me 3 days to fill out that form.

From the Article at FedScoop:

The theft of background investigation data on millions of federal employees and contractors has created a massive threat to U.S. national security that will last for decades and cost billions of dollars to monitor, current and former intelligence officials said.

The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency’s background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.

But while the focus continues to be on OPM’s efforts to fix vulnerabilities in the system used to manage background investigation data, known as Electronic Questionnaires for Investigations Processing (e-QIP), as well as the 30 day cybersecurity sprint ordered by the Office of Management and Budget, intelligence experts say there is little the agency can do to reverse the damage that has already been done.

Report: U.S. did carry out cyber attack against North Korea

Source: Yonhap News Agency

According to this report by the Yonhap News Agency, the U.S. did conduct a cyber operation against North Korea, in retaliation for their alleged attack against Sony.

From the article:

North Korea’s Internet connections suffered outages for days in late December after U.S. President Barack Obama blamed the communist nation for the massive hack on Sony and promised a “proportional response.”

If this is true, it is actually quite a scary situation for everyone involved. If you consider that a U.S. company, like Sony, has the U.S. Government to do its bidding for it, it really makes you think. I’m not concerned that the U.S. has a cyber operations center; we’ve known about it for quite some time. What we haven’t known is how, when, or why it would lead an attack against a nation. Now we know: all your nation-state has to do is attack a very large corporation in the U.S. and it will draw the eye of U.S. cyber operations.

What do you think? Do you think the U.S. should launch a full-scale cyber assault on a nation because it was behind a supposed “attack” on a large corporation? What is the precedent being set here? If my small business gets attacked by a group in North Korea, will the U.S. launch a full-scale attack against them? What size does my business need to be before the U.S. government will carry out a full-scale cyber attack against North Korea to defend my business?

Civilian Considerations on Getting Government Security Clearance

Source: Rapid7 – Security Street

I read this post on Rapid7’s Security Street today, and it made me think about all the hardships and difficulty I’ve had working with clearances in the past. Not to mention the contractor -> civilian -> contractor -> civilian -> contractor messes I’ve seen in regards to clearances.

This article covers the very tip-top of issues associated with getting a US Government security clearance, and doesn’t dive much deeper than the wading pool of issues associated with getting a government security clearance.

So, with my past experience with government security clearances, here are my issues with them, in no particular order; these are all associated with either me or close friends of mine.

1. Lack of reciprocity between clearances. For this example, I bring up something similar to the Department of Energy (DOE) Q clearance vs. the Department of Defense (DoD) Top Secret (TS) clearance. On paper, and in responsibilities, there are many similarities between the two; many say they are 100% reciprocal with one another. However, that is not the case. Many security officers in the DoD are completely unfamiliar with what a Q clearance is, and are completely unaware of any reciprocity that exists between the two clearances. But the big question is, why are there two different clearance systems associated with the U.S. government? Why is there not a single standard (I’m guessing, since the Top Secret clearance in the DoD is much more well-known, that it would be the predominant one)?

Many might say the access I have with a DOE Q is different than what I have with a DoD TS, which is true; however, there are many different categorizations within each of these individual clearances that a person must get cleared for as well (you can read more about SCI here).

Not only do you have the differences between the DOE Q vs. DoD TS, but you have differences between TS clearances. Completely theoretical here, but if you have a TS clearance that you received as a DoD contractor and then you were to go work for the FBI with your TS clearance, they would need to start the entire process over again to get you vetted for your FBI TS clearance. I’m not even talking about any of the SCI programs here, just clearances in general.

So, specifically relating to the article at Rapid7: if a person has their Q clearance (because their primary business role is associated with the DOE), and the FBI wants to talk to them about a sensitive subject that requires a TS, they would be unable to due to differences in clearances. The same could also apply for a DoD contractor speaking with the FBI or the CIA.

2. Time to get clearances. When I originally got my clearance, it took well over 18 months for them to process the paperwork, do the background checks, and everything else associated with my clearance. Why would it take so long? At some point, you are going to blame government bureaucracy, and you’d probably be right.

Time becomes a very critical issue when you’re dealing with computer threats, and if you need to wait any significant amount of time in order to get vetted for what the government is going to tell you, then it’s already taken far too long.

3. How about all the issues needed to get a clearance in the first place. How easy is it for a “regular” non-governmental business (or its employees) to get clearances? I’m going to go out on a limb here and guess extremely difficult. I found it hard enough to get clearances when working for a contractor that required clearances, let alone a business that doesn’t specifically require clearances. I can only imagine the entire vetting process for a business like this to get clearances would be pretty extreme.

4. After the Snowden revelations, the government began to cut back on the number of clearances they issue. How does this affect “regular” businesses attempting to get clearances? You’ve begun restricting clearances to those people that need them through their direct work with the DoD or the DOE, and now you want to offer them to general businesses that may or may not have direct ties to any government agency?

5. What are the actual requirements to get a clearance anyways? Who knows all the guidelines? If you want to see the official cases on why people are denied or granted clearances, you can check out this website: Industrial Security Clearance Decisions

Are these reasons for people not getting clearances acceptable in your mind, or are they too stringent? That’s not for me to decide, but it should be something you think about when applying for a clearance.

Malware Investigator released

As of today, the FBI/U.S. Government’s own Malware Investigator tool has been released to a wider audience of people. I believe this includes all members of Infragard, along with the select few people who were offered it before this wider release.

I’m going to be loading it up with some samples that I have, testing out the tool, and determining if it can assist with gathering details about malware.

I will update the blog in the next couple of days and provide details of my experience using the Malware Investigator tool.

Report: NSA Hacked North Korea Before Sony Breach

Source: PCMag

More details are being released in regards to North Korea, and the breach that occurred at Sony.

What is now being reported is that the NSA has had access to North Korea’s computers (read: hacked) since 2010. Some are now reporting that the hack at Sony was in retaliation for the hacking that the NSA had done against North Korea.

I’m still very hesitant to call the Sony breach a hack perpetrated by North Korea, even with the additional evidence/details about the NSA being inside North Korea’s computers.

From the article:

As it turns out, the U.S. had some inside information. According to reports from Der Spiegel and The New York Times, the U.S. knew that North Korea hacked Sony because the U.S. had hacked North Korea.

The National Security Agency (NSA), in fact, has had access to North Korean networks and computers since 2010, the Times said. Officials wanted to keep tabs on the country’s nuclear program, its high-ranking officials, and any plans to attack South Korea, according to a document published by Der Spiegel.

North Korea did attack South Korea in 2013, crippling several of the nation’s leading financial and media organizations. At one point, however, the hackers revealed their IP addresses – the same IP addresses that popped up again in the Sony hack.

US Centcom’s Twitter account hacked

Sources: Way too many to name them all. . . ComputerWorld, SecurityAffairs, Defense One, and the list continues about where this was reported. . .

So, being reported on like crazy right now are the details about the hacking of the U.S. Centcom Twitter account.

More details to follow soon. . .

Americans Say They’ve Lost Control of Their Privacy — Again

Source: Re/Code

Interesting new research out by the Pew Research Center suggesting that Americans feel they are no longer in control of their privacy. All this is probably based upon certain NSA disclosures about how it is targeting Americans.

Quote from the article:

A significant majority of Americans say that they feel they have lost control over the personal information that is collected by companies, and worry about sharing personal information on social media sites and messaging services and in email and text messages.

The findings come from the Pew Research Center, which conducted a survey of 607 American adults. The survey demonstrates in pretty stark terms how concerned people have become in the last year amid disclosures about spying programs by the National Security Agency and repeated breaches of corporate computer systems that store payment and other personal data.

Among the findings is a significant lack of confidence for several everyday communications tools used to convey personal information: 81 percent say they feel “not very” or “not at all secure” in using a social media site like Facebook to share personal information with a trusted person or organization. But those numbers shrink correspondingly with the age of the technology in question. For instance, 68 percent of people felt the same way about chat and instant messaging while 57 percent worried about using email. Only about a third — 31 percent — worried they couldn’t trust a land-line telephone.
Read more at Re/Code

US Government Probes Medical Devices for Possible Cyber Flaws

Source: Re/Code

So, the US Government is now concerned about flaws with medical devices. I feel that if they were really concerned, the FDA would implement policies requiring that devices be built securely.

From my experience in the medical world, I can tell you that medical devices are currently far, very far from being secure. In fact, I have specific security experience with the Hospira infusion pumps being insecure.

The U.S. Department of Homeland Security is investigating about two dozen cases of suspected cyber security flaws in medical devices and hospital equipment that officials fear could be exploited by hackers, a senior official at the agency told Reuters.

The products under review by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, include an infusion pump from Hospira and implantable heart devices from Medtronic and St. Jude Medical, according to other people familiar with the cases, who asked not to be identified because the probes are confidential.

Silk Road Lawyers Poke Holes in the FBI’s Story

Source: Slashdot and Krebs on Security

From Brian Krebs about the court proceedings against Ross Ulbricht for his involvement in Silk Road, the online drug marketplace that was shut down (at least temporarily) by law enforcement last year. Ulbricht’s lawyers have demanded information from the FBI in the course of discovery, and the documents provided by the government don’t seem to confirm the FBI’s story.

For starters, the defense asked the government for the name of the software that FBI agents used to record evidence of the CAPTCHA traffic that allegedly leaked from the Silk Road servers. The government essentially responded (PDF) that it could not comply with that request because the FBI maintained no records of its own access, meaning that the only record of their activity is in the logs of the seized Silk Road servers. …

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story. …

“What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

The Government Attack on the Internet

Source: Re/Code

Former FCC Commissioner Robert McDowell recently wrote that “the Internet is the greatest deregulatory success story of all time.” It has remained free of intrusive government controls, facilitating the rapid development of entrepreneurial and innovative companies. Many of these firms started small before generating massive valuations, such as the likes of Facebook, Twitter, and recently BuzzFeed. These are some of the big names, but there are tens of thousands of others, like our members’ startups and firms, who have used the Internet to innovate, grow, compete and transform their industries.

However, the Internet is under attack by government. This unjustified regulation would cause irreversible damage to investment and U.S. leadership on innovation.

Small businesses and entrepreneurs routinely harness the power of the Internet to successfully run their operations — from connecting to consumers and suppliers; to mobile apps and cloud software that help them manage their finances and workforce; to accessing capital through lending and investment platforms. The Internet has fostered a collaborative and dynamic environment, and more people have the opportunity to become successful entrepreneurs because of the tools and opportunity it provides.

If the Federal Communications Commission (FCC) succumbs to the small but vocal few calling for utility-style regulation of broadband networks, much of what we are experiencing today will dramatically change, and not for the better. The FCC is considering wrapping archaic telephone rules around high-speed broadband. These rules are designed for the long-gone domestic telephone oligopoly of the 1930s. In regulatory speak, broadband may be reclassified as a Title II telecommunications service, which means that onerous rules and red tape would interfere with existing competition among high-speed broadband providers.

Under these rules, the government could micromanage common business decisions of companies large and small, like managing Internet traffic or determining the various prices for speeds and services consumers could choose from. Imagine how quickly the dynamism of the Internet would disintegrate if Washington bureaucrats were allowed to intrude in these technically complex and market-driven areas.

Internet service providers (ISPs) have invested more than a trillion dollars into maintaining the privately owned networks that serve as the central infrastructure of the Internet. But with unwarranted government interference potentially coming into play, these businesses will have significantly less incentive to make large-scale investments. In Europe, for example, where utility-style regulation of the Internet has been in place for decades, investment per household is $300 less than in the U.S.

At the local level, regional and medium-sized ISPs have invested in rural areas and small towns to extend access to remote communities — a critical undertaking for economic development and job creation in these areas. Perhaps that is why even the smaller ISPs engaged in rural expansion have expressed grave concerns about the FCC’s upcoming regulatory decision. These ISPs assert that a heavy-handed regulatory approach is unnecessary, and could add additional costs and burden to their operations. For smaller ISPs, their survival is at stake.

The online marketplace has grown organically, and has prospered without government interference. The marketplace is competitive, meaning consumers unhappy with the actions of one company can move to another. A competitive broadband market ensures that customers can access the content they desire at the speed and price that is right for them. That will remain the case as long as the FCC maintains a “light-touch” regulatory framework. This cautious approach to regulation has been in place since President Bill Clinton’s FCC argued that “classifying Internet access services as telecommunications services could have significant consequences for the global development of the Internet.” This remains true today.

A survey for the Small Business & Entrepreneurship Council’s Center for Regulatory Solutions found that the public is overwhelmingly concerned about intrusive government regulation. For example, 70 percent believe that regulation “mostly hurts” the economy, with 84 percent saying that “too many special interests” drive a process that is out of touch, and does not consider real-world impact. Clearly, without any market failure to point to as rationalization to regulate the Internet, the FCC feels the need to act at the behest of a vocal minority. Too much is at stake to let agitators ruin the Internet for everyone else.

Especially now, government policies must protect the investment and innovation that have been vital to the Internet’s development, which remains vital to the modern entrepreneurial ecosystem. With the economy still in a weak state, small businesses and entrepreneurs need a cautious government, not an activist one. The FCC can take heed by rejecting Title II regulations.

Karen Kerrigan is the president and CEO of the Small Business & Entrepreneurship Council (SBE Council). Reach her @KarenKerrigan.