The US and China tensions continue as the Department of Homeland Security (DHS) seek to tighten their national security against
Two U.S. Senators expressed their concern that federal government employees could be undermining the United States’ national security by using VPNs made by foreign companies. In a letter dated 7 February 2019, U.S. Senators Marco Rubio (R-FL) and Ron Wyden (D-OR) brought up the issue of VPN usage in the federal government to Christopher Krebs, […]… Read More
The post U.S. Senators Concerned by Government Employees’ Use of Foreign VPNs appeared first on The State of Security.
Naked Security - Sophos
As part of an emergency directive, the Department of Homeland Security (DHS) ordered federal government agencies to carry out audits
DHS has issued a notice of a CISA emergency directive urging federal agencies of improving the security of government-managed domains (i.e. .gov) to prevent DNS hijacking attacks.
The notice was issued by the DHS and links the emergency directive
Emergency Directive 19-01 titled “Mitigate DNS Infrastructure Tampering.”
“In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is
“To address the significant and imminent risks to agency information and information systems presented
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
The emergency directive requests federal agencies to check public DNS records for all .gov and other domains they manage to ensure that they have not been tampered with. The check must be completed in 10 days and includes Address (A), Mail Exchanger (MX), and Name Server (NS) records.
Within 10 business days, agencies will have to change the passwords for their DNS account and enable multifactor authentication where available, but CISA warns risks for SMS-based MFA.
DHS also instructed federal agencies to monitor Certificate Transparency logs for any abuse related to fraudulently issued certificates.
The overall process and signs of progress will be monitored by the DHS, the agencies must submit a status report by January 25 and a final report for all the
“Beginning February 6, 2019, the CISA Director will engage Chief Information Officers (CIO) and/or Senior Agency Officials for Risk Management (
“By February 8, 2019, CISA will provide a report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) identifying agency status and outstanding issues.”
The emergency directive is probably related to a recently disclosed campaign of DNS hijacking attacks uncovered by FireEye.
The DNS hijacking campaign targeted government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America
FireEye researchers tracked access from Iranian IPs to machines used to intercept, record and forward network traffic. The same IPs were previously associated with cyber attacks conducted by Iranian cyberspies.
The attackers are not financially motivated and targeted several Middle Eastern governments whose data would be of interest to Iran.
It is interesting to note that FireEye confirmed that this campaign is different from other operations carried out by Iranian APT groups due to the use of DNS hijacking at scale. Attackers used three different ways to manipulate DNS records to enable victim compromises.
After the FireEye’s report, the US-CERT published an alert on January 10 to warn organizations of DNS hijacking campaigns.
(SecurityAffairs – DHS, DNS hijacking attacks)
The post DHS issues emergency Directive to prevent DNS hijacking attacks appeared first on Security Affairs.
The Department of Homeland Security (DHS) has issued an emergency directive that requires federal agencies to mitigate the threat of Domain Name System (DNS) infrastructure tampering. In “Emergency Directive 19-01,” DHS explains that it’s been working with the Cybersecurity and Infrastructure Security Agency (CISA) to track a campaign of DNS infrastructure tampering. A hijack in […]… Read More
The post DHS Issues Emergency Directive on DNS Infrastructure Tampering appeared first on The State of Security.
As of this writing, the government shutdown of 2019 is the longest ever in America. The only good news about this situation is that, with each passing day, a new group of people in the country seems to rediscover just how essential government services are, now that they’re unavailable.
The next likely casualty is the government’s stable of cybersecurity talent. Here’s why—and what it might mean for us in the long run.
How much government talent is furloughed?
Some of us might be surprised to learn the federal government has a workforce dedicated solely to cybersecurity. Many of these completely essential institutions and teams are now reduced to skeleton crews. This has the potential for long-lasting harm when it comes to the government’s ability to retain these specialists.
At time of writing, the Department of Homeland Security has furloughed 20 percent of its staff dedicated to “main cyber operations,” as well as administrative and supporting roles. But when you look at the entire cybersecurity apparatus of the federal government, the total potential loss of talent is far greater than the DHS alone. According to a planning document, 43 percent of the entire US cybersecurity workforce is currently furloughed.
Taking the top spot, however, is the National Institute of Standards and Technology, or NIST, with 85 percent of its staff furloughed.
This represents a danger today on a number of levels. But there’s a longer-lasting kind of harm, too, that few are talking about right now.
Will federal employees flock to the private sector?
Some of the more important staff and talent initiatives taken on during the Obama administration concerned the treatment, compensation, and benefits of federal employees and contractors. The goal was to make the public sector (the government) more competitive with the private sector. That’s how corporations retain talent, and it’s how the government can do so as well.
It’s no secret that job prospects for computer scientists, and cybersecurity specialists in particular, are rather cushy right now. Software developers enjoy a median income of more than $100,000 per year.
But now that the government is shut down, Washington, D.C. (and all of our state governments) will struggle even more not only to win talent over from the private sector, but keep it. With paychecks potentially off the table for a while, it’s becoming more likely that this already fragile situation will be pushed to the breaking point.
In an interview with the Washington Post, a former DHS cyber official named Greg Garcia explained the situation: “There’s unpredictability and uncertainty and instability [for DHS cyber employees],” he said. “Add on top of all that not getting paid, and I do not envy them.”
The problem here is one of morale. We have not been trying hard enough in recent years to maintain the government’s competitiveness with industry, and now we’re paying the price.
What does the future hold for cybersecurity talent at the federal level?
The bottom line with this government shutdown, just like with any other, is that sending your employees home without pay, and without a timetable for when their jobs and offices will be back up and running, is a bad way to do business.
What we’re likely to see is a “chilling effect” on the next generation or two of potential government employees. Holding these positions hostage in budget negotiations, positions for which applicants earned degrees and accreditation, is the equivalent of telling them the government isn’t an honorable employer and their talent isn’t valued—and that we don’t care if they take it elsewhere.
And there’s plenty of “elsewhere” for them out there, it turns out. In 2017, there were nearly 300,000 jobs available in the “cyber sciences.” That sounds like a lot of opportunities—but it will actually blossom into a full-blown talent shortage of 1.8 million jobs by 2022.
We don’t really want to be turning people off from this line of work—especially not when the stakes are so high. Moreover, it’s clear the government can’t afford to lose the talent it’s already brought together. There’s not going to be enough of it to go around before too long—and the priorities, arguably, should rest with national security.
Remembering the stakes
Barely a day goes by where we’re not reminded that, just as it has brought us closer together, Internet connectivity has also provided new tools for potential disruptive influences.
Reports are available now detailing the degree to which critical national infrastructure—such as our nuclear and other power plants, water treatment facilities, and electrical grids—are surprisingly vulnerable to domestic as well as foreign hacking attempts. This is a bright and wonderful age, but it’s clear that many of the systems we rely on for civilized living aren’t as safe as they’re supposed to be.
We should remember that even our voting machines are outdated and stand a good chance of being hacked or otherwise tampered with. But while public awareness of these issues has increased, furloughing and devaluing cyber talent at the federal and state levels is not a good way to drum up attention and support for such important issues.
Are there any foreseeable solutions to this problem?
The first solution involves remembering that the US Defense Department, even before the government was shut down, was already losing some 4,000 employees to the private sector every year, a sign that our government was already a dissatisfactory place to work. In point of fact, “dissatisfied” or “very dissatisfied” was how 20 percent of DHS employees described their jobs in a survey that made the rounds in 2018.
Even some of the most critical resources on the Internet have been taken offline by this shutdown. NIST maintains catalogs of government cybersecurity standards that are essential for maintaining webpage uptime and HTTPS certificates. With 85 percent of their staff sitting at home, security certificates will expire and websites will be taken down.
When resources like these are unavailable, the Internet becomes a manifestly less safe place to spend time. And that’s the last thing we want.
The post How the government shutdown is influencing cybersecurity jobs appeared first on Malwarebytes Labs.
The Vote Hacking Village at Defcon 26 in Las Vegas was an overwhelming jumble of activity — a mock vote manipulated, children hacking election results websites, machines being disassembled — and among it all were representatives from local and federal government, learning and sharing information and in the case of Jeanette Manfra, assistant secretary for the office of cybersecurity and communications in the Department of Homeland Security (DHS), deflecting the reality of the situation.
In her DEF CON keynote address, Manfra discussed government cybersecurity in general as well as the ways election security could be improved, but she contradicted herself by refusing to acknowledge the value of the work done by DEF CON and deflecting actions to bring about real change.
The old standby arguments
“The way the government runs, naturally it’s somewhat more complicated. We don’t do IT [in] government particularly well,” Manfra said as an explanation of the DHS’ role. She said DHS was responsible for the cybersecurity of 99 different federal agencies, which have traditionally been isolated in terms of managing security. “We’re trying to get to think about enterprise risk and think about the government as a whole.”
This is a good example of the tone Manfra tried to establish: self-deprecating, but honest about the situation, even if she omitted key pieces of information — such as the challenge of having a holistic view of federal cybersecurity when so many infosec leadership roles in government remain empty — which would contradict the point she made.
Manfra continued to bring up the fact that we live in confusing times in terms of cybersecurity, especially because “the internet has challenged everything when it comes to how we think about the role of government in defending and securing its citizens and its infrastructure.”
“For the first time in a national security space, the government is not on the front lines. Our companies are on the front lines; our citizens are on the front lines; all of you are on the front lines,” Manfra said and concluded this means everyone — government, the intelligence community and the private sector — needs to think differently about their roles in cybersecurity and how to work together. “Our adversaries have been taking advantage of us for a long time. They’ve been taking advantage of our traditional principles for a really long time. And, we’ve got to come up with a way to turn it back on them.”
The idea that the roles of government and the private sector are in flux because of changes in technology is arguably accurate, but the situation is more complex than Manfra portrays. One could just as easily point to the privatization of critical infrastructure and lack of regulations surrounding necessary security and system upgrades in that infrastructure as contributing risk factors.
Manfra’s call for more cooperation between the public and private sectors in terms of security has been a common theme from the government for the past few years. However, the government’s appeal to the private sector to cooperate out of the pride of helping the country has largely fallen on deaf ears, because as was true with Manfra’s speech, the government often fails to make a compelling case.
The government wants to share, but the private sector has little incentive to do so, and experts have said the private sector doesn’t necessarily trust it would benefit from such cooperation, nor that security would improve. Despite the continued reluctance from the private sector and the lack of specifics from the government about what such cooperation would look like, the government seems ready to continue pushing the idea.
Election deflection and contradictions
Once Manfra got to the topic of election security, she began to combine omissions of information with statements that contradicted and attempts to deflect suggestions to make meaningful improvements to security.
“Elections are more than just the voting machines … The complexity is actually a benefit,” Manfra said. “Going back to 2016 when we first started to understand that the Russians were attempting to undermine and sow chaos and discord and undermine our democracy in general — which by the way, they’ve been trying to do for decades, it’s just the technology has allowed them to do it at a better scale.”
Despite acknowledging that attempts to undermine our democracy have been happening “for decades,” Manfra failed to explain why efforts to investigate risk factors and offer aid to improve security did not begin until 2016.
Manfra went on to claim the research the government has done led to the conclusion that it is “really really difficult to try to manipulate the actual vote count itself.” She said there were a lot of reasons for this, including that election machines are “physically secured.” This claim garnered chuckles from the DEF CON crowd, who have little respect for things like padlocks.
Manfra said that while misinformation on social media was an issue, DHS was focused on manipulation of voter rolls and the systems that tally the votes. She gave an example of voters becoming disenfranchised with the system because their names weren’t on the rolls at their polling places. She admitted the local officials running these systems are often under-resourced and need help because they could be using old systems.
“They’re trying to undermine our democratic process and confidence that we have in the democratic process,” Manfra said. “There’s a lot of ways to do that without actually manipulating the vote. We’re very much focused on the state and local process that you and I all participate in — I hope — all the time.”
Manfra explicitly mentioned the effect in undermining the trust in the election that could occur if an adversary were to manipulate the unofficial tally being reported by states. However, Manfra contradicted herself by discounting the efforts by DEF CON — where an 11 year old girl hacked into a mock reporting website in 10 minutes and changed the results — telling reporters after the keynote, “If all you’re saying is ‘Look, even a kid can hack into this.’ You’re not getting the full story which could have the impact of the average voter not understanding.”
Manfra admitted the DHS has begun researching more experimental security technologies, like blockchain, to see what their effects could be on election security. But, it’s unclear how serious the DHS is about making changes that would improve security because she also shied away from mandating proven election security measures such as risk-limiting audits.
“I’m not there yet in terms of mandatory requirements,” Manfra told reporters. “I think mandatory requirements could chill, so then people are only about the compliance with the requirement and not the intent.”
Ultimately, it’s unclear if the DHS has real, actionable plans to improve election security beyond the nebulous idea of helping local officials — assuming those officials ask for help in the first place. DEF CON showed vulnerable areas (reporting websites) and ways to improve security (paper trails and risk-limiting audits), but DHS seemed more interested in waiting and watching than learning from the event.
The post DHS cybersecurity rhetoric offers contradictions at DEF CON appeared first on Security Bytes.