Category Archives: government

Should Lawmakers Be Able To Hold Hearings, Debate and Vote On Legislation Virtually From Their District Offices?

Applehu Akbar shares an old report raising a very good question for today's Congress: why not use today's videoconferencing tech to allow representatives to perform most Congressional activity from their home districts?" The ability to "work from home" would be especially beneficial during a government shutdown, like the one we're currently in, where money is tight and Congressional members are "sick and tired of Washington and don't want to show up anymore to vote." Slashdot reader Applehu Akbar writes: Because Congress people serve short terms and campaign largely on constituent service, they have to spend a large percentage of their time shuttling between home and Washington. Virtualizing most of their Washington presence would save fuel and energy while giving them more time with their constituents. In addition, there could be a long-term societal benefit in making Congress less vulnerable to lobbyist influence by keeping them out of the Beltway. Pearce told The Hill in a statement back in 2013: "Thanks to modern technology, members of Congress can debate, vote, and carry out their constitutional duties without having to leave the accountability and personal contact of their congressional districts. Keeping legislators closer to the people we represent would pull back Washington's curtain and allow constituents to see and feel, first-hand, their government at work. Corporations and government agencies use remote work technology; it's time that Congress does the same."

Read more of this story at Slashdot.

DHS Issues Emergency Directive on DNS Infrastructure Tampering

The Department of Homeland Security (DHS) has issued an emergency directive that requires federal agencies to mitigate the threat of Domain Name System (DNS) infrastructure tampering. In “Emergency Directive 19-01,” DHS explains that it’s been working with the Cybersecurity and Infrastructure Security Agency (CISA) to track a campaign of DNS infrastructure tampering. A hijack in […]… Read More

The post DHS Issues Emergency Directive on DNS Infrastructure Tampering appeared first on The State of Security.

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking, which security researchers with "

Securing Government Data with NIST 800-53

If you have ever heard of the Federal Information Security Management Act, then you are aware of the work done by the National Institute of Standards and Technology. The goal of the Act, not to  mention the subsequent documents that resulted from strategies designed around implementing it, led NIST to create works designed to bolster […]… Read More

The post Securing Government Data with NIST 800-53 appeared first on The State of Security.

How the Federal Shutdown Could Do Long-Term Digital Security Damage

Most people have at least heard of the partial shutdown plaguing the U.S. federal government. Now over three weeks old, the stoppage owes its existence to a conflict over border security funding. President Donald Trump wants $5.7 billion to build a new wall along the U.S. Mexican border, while Democrats say they will not fulfill […]… Read More

The post How the Federal Shutdown Could Do Long-Term Digital Security Damage appeared first on The State of Security.

The Government’s Secret UFO Program Funded Research on Wormholes and Extra Dimensions

Documents released by the Department of Defense reveal some of what its infamous Advanced Aerospace Threat Identification Program was working on. From a report: The Department of Defense funded research on wormholes, invisibility cloaking, and "the manipulation of extra dimensions" under its shadowy Advanced Aerospace Threat Identification Program, first described in 2017 by the New York Times and the Washington Post. On Wednesday, the Defense Intelligence Agency released a list of 38 research titles pursued by the program in response to a Freedom of Information Act (FOIA) request by Steven Aftergood, director of the Federation of American Scientists' Project on Government Secrecy. The list provides one of the best looks at the Pentagon's covert UFO operation or study of "anomalous aerospace threats." According to Aftergood's FOIA request, the document marked "For Official Use Only" was sent to Congress on January 2018. One such research topic, "Traversable Wormholes, Stargates, and Negative Energy," was led by Eric W. Davis of EarthTech International Inc, which describes itself as a facility "exploring the forefront reaches of science and engineering," with an interest in theories of spacetime, studies of the quantum vacuum, and the search for extraterrestrial intelligence.

Read more of this story at Slashdot.

Step Up on Emerging Technology, or Risk Falling Behind

Earlier last year, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) put out a call for public comment on criteria for identifying emerging technologies that could potentially be subject to future export control regulations. The tech industry responded in full force, providing recommendations for how the federal government can ensure U.S. competitiveness in the global market while supporting the development of emerging technology (read comments submitted by McAfee here).

Emerging technology poses an interesting challenge for tech companies and federal regulators alike. In many cases, technologies that BIS designates as “emerging,” such as AI and machine learning, are already in widespread use around the world. Other technologies like quantum computing are very much in the research and development phase but have the potential to alter the course of national security for decades to come. Many of these technologies are difficult to define and control, and many are software-based, which greatly complicates the development of regulation. Software technologies, by their very nature, are fundamentally different from physical items and physical process technologies. Their intangible, readily-reproducible character makes software-based technologies inherently difficult to define and control.

This task is enormous and must be handled cautiously, as history has provided countless examples of how overregulation has the capability to hamper development. A poignant example of overregulation at the cost of progress is the automobile industry. According to Deloitte, although tough restrictions on automobiles were nothing but well-intentioned in the late 1800’s, regulation greatly hampered research and advancement. The early days of the automobile industry should serve as a cautionary tale when it comes to regulating new and innovative technology.

The U.S. is in a unique position to act to protect our technological interest and secure the nation’s position as a global leader. The U.S. secured a pivotal tech leadership role, having spearheaded the development of the internet in the early 1990’s. The nation has immense power and potential to take the mantle on emerging technology, and the stakes are high. Some of the country’s greatest accomplishments have stemmed from empowering the private sector and encouraging innovation. For example, tremendous strides in private sector space exploration have been made possible due to the support and administration of empowering legislation. Companies like SpaceX and Boeing are creating next generation space technology, working each day to ensure that the U.S. maintains competitiveness.

Cybersecurity is another area that requires particular attention. Given the global availability of cybersecurity tools, many of which make use of the emerging technologies under review, McAfee understands that great care needs to be taken by our government before imposing additional export controls on American cyber companies. These rules can have the unintended and harmful consequence of stunting the growth and technical capabilities of the very companies that currently protect vital U.S. critical infrastructure, including federal and state government infrastructure, from cyber-attacks. As a leading nation, it is critical to stay ahead of threats by criminal actors. This is only possible if cyber companies have the ability to access global markets to fund the research and development needed to keep pace with rapid innovation. Controls should be implemented with a great understanding of the need to stay competitive in global innovation, particularly when it comes to cybersecurity.

Overregulation could cause great harm, and the U.S. government must tread carefully in administering a carefully-crafted, targeted approach. Rather than burdening U.S. software companies with new and substantial export control compliance costs, the U.S. should seek to empower these companies. Any controls deemed essential by the government should be as narrowly tailored as possible, especially given the broad range of current and future companies and technologies. A multilateral approach to export controls on emerging technologies is vital for U.S. companies to remain innovative and competitive in the global marketplace. This cautious approach would ensure alignment between the private and public sectors, ultimately allowing for emerging technology to be front and center. Providing an ecosystem in which the technology of tomorrow can flourish is essential to the U.S. continuing to blaze the trail on emerging technologies.

The post Step Up on Emerging Technology, or Risk Falling Behind appeared first on McAfee Blogs.

Report: Iranian APT Actors Regroup After Main Security Forum Shuts Down

Iranian state-sponsored hackers are regrouping after the shutdown last year of their main security forum, migrating to other forums and making new connections for potential cyber-response against mounting political pressures from the United States and Europe, according to a new report.

The post Report: Iranian APT Actors Regroup After Main...

Read the whole entry... »

Related Stories

How the government shutdown is influencing cybersecurity jobs

As of this writing, the government shutdown of 2019 is the longest ever in America. The only good news about this situation is that, with each passing day, a new group of people in the country seems to rediscover just how essential government services are, now that they’re unavailable.

The next likely casualty is the government’s stable of cybersecurity talent. Here’s why—and what it might mean for us in the long run.

How much government talent is furloughed?

Some of us might be surprised to learn the federal government has a workforce dedicated solely to cybersecurity. Many of these completely essential institutions and teams are now reduced to skeleton crews. This has the potential for long-lasting harm when it comes to the government’s ability to retain these specialists.

At time of writing, the Department of Homeland Security has furloughed 20 percent of its staff dedicated to “main cyber operations,” as well as administrative and supporting roles. But when you look at the entire cybersecurity apparatus of the federal government, the total potential loss of talent is far greater than the DHS alone. According to a planning document, 43 percent of the entire US cybersecurity workforce is currently furloughed.

Taking the top spot, however, is the National Institute of Standards and Technology, or NIST, with 85 percent of its staff furloughed.

This represents a danger today on a number of levels. But there’s a longer-lasting kind of harm, too, that few are talking about right now.

Will federal employees flock to the private sector?

Some of the more important staff and talent initiatives taken on during the Obama administration concerned the treatment, compensation, and benefits of federal employees and contractors. The goal was to make the public sector (the government) more competitive with the private sector. That’s how corporations retain talent, and it’s how the government can do so as well.

It’s no secret that job prospects for computer scientists, and cybersecurity specialists in particular, are rather cushy right now. Software developers enjoy a median income of more than $100,000 per year.

But now that the government is shut down, Washington, D.C. (and all of our state governments) will struggle even more not only to win talent over from the private sector, but keep it. With paychecks potentially off the table for a while, it’s becoming more likely that this already fragile situation will be pushed to the breaking point.

In an interview with the Washington Post, a former DHS cyber official named Greg Garcia explained the situation: “There’s unpredictability and uncertainty and instability [for DHS cyber employees],” he said. “Add on top of all that not getting paid, and I do not envy them.”

The problem here is one of morale. We have not been trying hard enough in recent years to maintain the government’s competitiveness with industry, and now we’re paying the price.

What does the future hold for cybersecurity talent at the federal level?

The bottom line with this government shutdown, just like with any other, is that sending your employees home without pay, and without a timetable for when their jobs and offices will be back up and running, is a bad way to do business.

What we’re likely to see is a “chilling effect” on the next generation or two of potential government employees. Holding these positions hostage in budget negotiations, positions for which applicants earned degrees and accreditation, is the equivalent of telling them the government isn’t an honorable employer and their talent isn’t valued—and that we don’t care if they take it elsewhere.

And there’s plenty of “elsewhere” for them out there, it turns out. In 2017, there were nearly 300,000 jobs available in the “cyber sciences.” That sounds like a lot of opportunities—but it will actually blossom into a full-blown talent shortage of 1.8 million jobs by 2022.

We don’t really want to be turning people off from this line of work—especially not when the stakes are so high. Moreover, it’s clear the government can’t afford to lose the talent it’s already brought together. There’s not going to be enough of it to go around before too long—and the priorities, arguably, should rest with national security.

Remembering the stakes

Barely a day goes by where we’re not reminded that, just as it has brought us closer together, Internet connectivity has also provided new tools for potential disruptive influences.

Reports are available now detailing the degree to which critical national infrastructure—such as our nuclear and other power plants, water treatment facilities, and electrical grids—are surprisingly vulnerable to domestic as well as foreign hacking attempts. This is a bright and wonderful age, but it’s clear that many of the systems we rely on for civilized living aren’t as safe as they’re supposed to be.

We should remember that even our voting machines are outdated and stand a good chance of being hacked or otherwise tampered with. But while public awareness of these issues has increased, furloughing and devaluing cyber talent at the federal and state levels is not a good way to drum up attention and support for such important issues.

Are there any foreseeable solutions to this problem?

The first solution involves remembering that the US Defense Department, even before the government was shut down, was already losing some 4,000 employees to the private sector every year, a sign that our government was already a dissatisfactory place to work. In point of fact, “dissatisfied” or “very dissatisfied” was how 20 percent of DHS employees described their jobs in a survey that made the rounds in 2018.

Even some of the most critical resources on the Internet have been taken offline by this shutdown. NIST maintains catalogs of government cybersecurity standards that are essential for maintaining webpage uptime and HTTPS certificates. With 85 percent of their staff sitting at home, security certificates will expire and websites will be taken down.

When resources like these are unavailable, the Internet becomes a manifestly less safe place to spend time. And that’s the last thing we want.

The post How the government shutdown is influencing cybersecurity jobs appeared first on Malwarebytes Labs.

Authorities Can’t Force Suspects to Unlock Phones with Biometrics, Rules California Court

A California court has ruled that government agencies can’t compel suspects to unlock their smart devices with biometric authentication because it violates the self-incrimination clause in the Fifth Amendment, writes Forbes. This applies even if a warrant has been granted to search the person’s residence.

The decision was made after law enforcement filed for a search warrant while investigating two suspects in Oakland, California, allegedly involved in a Facebook extortion case. The men were accused of using Facebook Messenger to harass and threaten another man with publishing a humiliating video online.

While searching the suspects’ house, federal authorities wanted to also investigate the contents of all mobile devices on premises but, to be unlocked, the individuals would have to use biometric features such as fingerprint of facial recognition to unlock them. Their warrant request was denied.

“The Government cannot be permitted to search and seize a mobile phone or other device that is on a non-suspect’s person simply because they are present during an otherwise lawful search,” reads the ruling.

Courts in the US earlier ruled that “a passcode cannot be compelled under the Fifth Amendment, because the act of communicating the passcode is testimonial,” but didn’t include biometrics. Judge Kandis Westmore now ruled that biometric features are innovative passcodes and should benefit from the same protection, so police can no longer force suspects to unlock their devices.

“While the judge agreed that investigators had shown probable cause to search the property, they didn’t have the right to open all devices inside by forcing unlocks with biometric features,” says Forbes.

“If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device,” the judge wrote.

“The undersigned finds that a biometric feature is analogous to the 20 nonverbal, physiological responses elicited during a polygraph test, which are used to determine guilt or innocence, and are considered testimonial.”

Government shutdown impacts .gov websites, puts Americans in danger

If you are in the United States, then you likely already know that we are on our 24th day of a government shutdown. While it is considered a “partial” shutdown, there are still plenty of government workers who are furloughed, which impacts the services they run—both online and off.

Last week, TechCrunch posted a concerning story about the shutdown, which covered the findings of NetCraft, a UK Internet service company, who discovered that numerous US government websites are now inaccessible due to expired security certificates.

This is a quick post to explain what happened, and more importantly, how cybercriminals will use this situation to their advantage.

Security certificates

We aren’t going to dig deep into how security certificates work for websites, but the gist is that every vendor or organization that uses a website requires a security certificate for users to access their site with trust. Today, a few browsers, like Chrome, require these certificates before they even let users access the websites. You can recognize when a website uses a valid security certificate, usually indicated by a green lock on the URL bar.

The certificate confirms that the identity of the website that you are communicating with is legitimate. In addition, these certificates make it possible for users to establish a secure connection with the web server hosting the site, which is incredibly important when sending financial or personal information over the Internet.

Since some of the most popular browsers won’t even let users visit a website if it doesn’t have a valid certificate, we now have a lot of users who can’t access government websites because the certificates have expired.

Why did they expire?

If a security certificate lasted forever, what would be the assurance that it hasn’t been stolen by criminals who could then use it on their own malicious websites? Because of this, the organization that owns the website must purchase and deploy a new certificate each year. Think of it as a yearly registration fee, not unlike renewing your car tags.

The reason these certificates were allowed to lapse is because no one’s at work renewing them. Apparently, most US government websites maintain their own certificates. This is why not all US .gov websites are down—just a few of them (at least for now). With the partial shutdown, the people in charge of making sure citizens can access their websites by keeping these certificates up-to-date are unable to do their jobs, which eventually leads to users being unable to access these sites at all.

What’s the problem?

Obviously, not being able to access some government websites is a pain, but is it dangerous? The answer is: yes, because you can bet that cybercriminals are going to take advantage of the situation.

That is why we want to share some vital warnings about how this shutdown may help cybercriminals. Please, share this with everyone you know, at least until the shutdown is over.

Cybercriminals frequently use real-world events to trick users into clicking on a link or opening an attachment. You can look back at a couple of instances where events in Syria directly influenced the actions of cybercriminals, be it state sponsored or otherwise. In another case, the Boston bombing was used to try and scam people. From terrorist attacks to natural disasters, threat actors jump on the chance to exploit episodes of fear and uncertainty.

Fake YouTube page set up to infect Syrian rebels

You can expect that users who are looking for government websites, especially if they offer a service or require personal information or a login to access, are going to find copies of these sites presented as an alternative to access the same website.

Fake Singapore government website. Photo credit: Gov.SG

Users who rely on social services—typically older folks, veterans, or the disabled—will be looking for a way to access the government sites they frequent. When they search for the site, their first link might take them to a dead end, since the security certificate has expired. However, the second or third link might work and take the user to a page that looks exactly like where they want to go.

Classic phishing attack.

What to do about it

The best thing to do right now is share this information with those closest to you so they don’t make a mistake and give away valuable personal info just because the government has issues keeping itself open. Also, be vigilant moving forward, not just in this case but anytime there is sensational news. Don’t just accept what the Internet tells you. Investigate. Think twice. And please, please, when in doubt, do not submit your personal information online.

The bad guys know human behavior, and they know that people can’t help clicking on links that are either convenient or scandalous and sensational. Prove them wrong.

Stay safe out there!

The post Government shutdown impacts .gov websites, puts Americans in danger appeared first on Malwarebytes Labs.

The Dark Overlord Claims to Have Stolen Secrets of 9/11 Attacks in Law Firm Data Breach

The threat group known as The Dark Overlord has claimed responsibility for a law firm data breach involving files allegedly related to the 9/11 terrorist attacks.

The Dark Overlord first announced on New Year’s Eve that it had stolen files belonging to Llyod’s of London, Silverstein Properties and Hiscox Syndicates Ltd., according to Motherboard. Although the group’s announcement on the Pastebin messaging service has been deleted, Motherboard confirmed the hack with Hiscox.

The stolen information reportedly includes email and voicemail messages as well as legal files such as non-disclosure strategies and expert witness testimonies.

9/11 Data Held for Ransom

In a Dec. 31 tweet, The Dark Overlord claimed it had managed to steal more than 18,000 secret documents that would provide answers about 9/11 conspiracy theories. Twitter has since suspended the group’s account.

SC Magazine reported that the law firm paid an initial ransom, but then violated terms of agreement by reporting the incident to law enforcement. The threat group is now demanding a second ransom be paid in bitcoin and said it will also sell information obtained in the breach to interested third parties on the dark web.

According to a post on Engadget, The Dark Overlord also attempted to prove it had committed the data breach by publishing nonsensitive material from other law firms as well as organizations such as the U.S. Transportation Security Administration (TSA) and Federal Aviation Authority (FAA).

How to Limit the Threat of Groups Like The Dark Overlord

This latest attack from The Dark Overlord is further proof that data breaches can not only create a PR nightmare, but also put organizations’ survival and, in some cases, national security at risk.

Unfortunately, the exact details around how The Dark Overload accessed the law firm’s network are unknown. Security experts recommend conducting a short but comprehensive 15-minute self-assessment to gauge the organization’s IT security strengths and weaknesses. The results can be benchmarked against similar firms, and security leaders can gain access to the expertise they need to keep groups like The Dark Overlord away from their data.

The post The Dark Overlord Claims to Have Stolen Secrets of 9/11 Attacks in Law Firm Data Breach appeared first on Security Intelligence.

Sensor-y Overload: Cyber Risk and the Merrimack Valley Gas Explosions

Let's be clear: the natural gas explosions that rocked the Merrimack Valley north of Boston in September weren't the result of a cyber attack. Unfortunately: well known vulnerabilities affecting the security of remote sensors and industrial control system software mean they easily could have been. 

The post Sensor-y Overload: Cyber Risk and the...

Read the whole entry... »

Related Stories

New DHS Agency Will Provide Needed Emphasis on Cybersecurity

Cybersecurity is playing an increasingly greater role in our government and economy. As our world becomes more interconnected, the cyberthreat landscape is growing and rapidly evolving. To address both physical threats and cyberthreats, the leading federal agency must have the flexibility and resources to quickly mitigate any potential interruptions or harm.

Last week, a critical step was taken in how the Department of Homeland Security (DHS) manages cybersecurity. The long-awaited Cybersecurity and Infrastructure Security Agency (CISA) Act was signed into law by the president, reorganizing the former National Protection and Programs Directorate (NPPD) into CISA. The permanent establishment of a stand-alone federal agency equipped to deal with cyberthreats is long overdue and welcome among the cybersecurity community.

CISA will be its own department within DHS, similar to the Transportation Security Administration (TSA), and will be led by cybersecurity expert, NPPD Under Secretary Christopher C. Krebs, who has had a distinguished career in both the public and private sectors. Establishing CISA as a stand-alone agency within DHS elevates both the mission of cybersecurity in the federal government and cybersecurity’s importance and solidifies the position of cybersecurity in our economy.

This is a smart decision on the part of Congress and the White House. It will help the newly created agency outline its priorities, advocate for a separate budget, and further develop recruitment efforts. CISA’s leaders will have the ability to continue to drive a culture of cybersecurity within our federal agencies and workforce while enhancing their capabilities to partner with the private sector to address our nation’s most critical cybersecurity threats.

McAfee looks forward to continuing to work with Christopher C. Krebs and his able team, led by CISA Assistant Director for Cybersecurity Jeanette Manfra.

 

The post New DHS Agency Will Provide Needed Emphasis on Cybersecurity appeared first on McAfee Blogs.

NIST’s Creation of a Privacy Framework

On Tuesday, Oct. 16, the National Institute of Standards and Technology (NIST) held its “Kicking off the NIST Privacy Framework: Workshop #1” in Austin, Texas. I was honored to be asked to participate. This was the first in a series of public workshops focusing on the development of a useful and voluntary Privacy Framework, like the NIST Cybersecurity Framework (CSF).

Event participation was outstanding. NIST’s initial registration for the event was filled in less than 90 minutes. Realizing they needed a bigger room, NIST moved to a space that nearly doubled the potential attendance. When the reopening of the registration was announced, it was filled in less than an hour. Many well-known names in the privacy field attended, with the audience primarily consisting of privacy consultants, lawyers, and other professionals trying to figure out how the Privacy Framework fits into their future.

NIST previously brought together both public and private sector individuals interested in solving problems that face us all. The CSF was a highly successful effort to develop a lightweight, valuable, and adoptable framework focused on improving the “security programs” of organizations. While initially developed in response to presidential executive order 13636, the CSF was never meant to be a government document. Speaking to critical infrastructure and cybersecurity organization representatives at the first Cybersecurity Framework meeting, previous NIST director Dr. Pat Gallagher said, “This is not NIST’s framework, this is yours.” He was absolutely right.

Over the next year, more than 3,000 professionals participated in CSF workshops, responded to requests for information, and provided comments on work-in-progress drafts. The result was something that achieved the CSF’s initial goals: It’s beneficial to all sectors and is usable by a range of organizations from small businesses to some of the largest corporations on the planet. The CSF is having a positive global influence with its adoption by various countries. It’s also assisting in the global alignment of cybersecurity languages and practices.

NIST has established many of the same goals for the Privacy Framework. These goals include:

  1. Developing the Privacy Framework through a consensus-driven, open, and highly transparent process
  2. Establishing a common language, providing for a consistent means to facilitate communication across all aspects of an organization
  3. Ensuring it is adaptable and scalable to many differing types of organizations, technologies, lifecycle phases, sectors, and uses
  4. Developing a voluntary, risk-based, outcome-based, and non-prescriptive privacy framework
  5. Ensuring it is usable as part of any organization’s broader corporate risk management strategy and processes
  6. Taking advantage of and incorporating existing privacy standards, methodologies, and guidance
  7. Establishing it as a living document that is updated as technology and approaches to privacy change and as stakeholders learn from implementations

During the Privacy Framework Kickoff, I was pleased to hear questions that were similar to what I heard during the initial CSF Kickoff. There was real tension in the room during the CSF Kickoff—a sense of not knowing how it was going to impact organizations’ cybersecurity-related responsibilities. The same tension was present during the Privacy Framework Kickoff conversations. We are just beginning to try to understand a solution that doesn’t yet exist.

It’s hard to see the result of a Privacy Framework from where we sit today. How can we develop and position a framework like this to be valuable for both U.S. and global businesses? What is intended for this effort? What are potential definition needs? What is harm? What new technology could influence this? How do we position this for the next 25 years of privacy, not just the past five?

We have started down a path that will likely take more than a year to complete. I envision the emerging Privacy Framework as addressing best practices in privacy while being compatible with and supporting an organization’s ability to operate under the various domestic and international legal or regulatory regimes. The Privacy Framework should not be focused on the legal aspects of privacy, but rather on what organizations need to consider in their own privacy programs. This is a journey just begun. From my perspective, the workshop on Oct. 16 was an outstanding start to the development of a consensus-driven Privacy Framework. I look forward to the active discussions and work ahead.

The post NIST’s Creation of a Privacy Framework appeared first on McAfee Blogs.

State County Authorities Fail at Midterm Election Internet Security

One of the things we at McAfee have been looking at this midterm election season is the security of election infrastructure at the individual county and state levels.  A lot of media and cybersecurity research focus has been placed on whether a major national attack could disrupt the entire U.S. voting infrastructure. Headlines and security conferences focus on the elaborate “Hollywood-esque” scenarios where tampering with physical voting machines allows them to be hacked in 45 seconds, and the entire election system falls apart via a well-orchestrated nation state attack.  The reality is, information tampering and select county targeting is a more realistic scenario that requires greater levels of attention.

A realistic attack wouldn’t require mass voting manipulation or the hacking of physical machines. Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels. Attackers will generally choose the simplest and most effective techniques to achieve their goal, and there are certain targets that have been overlooked which could prove to be the most practical avenues an attacker could take if their objective was to influence the outcome of an election cycle.

A well-crafted campaign could focus on specific states or congressional districts where a close race is forecasted. An attacker would then examine which counties would have a substantive impact if barriers were introduced to reduce voter turnout, either in total, or a specific subset (such as those in rural or urban parts of a district which generally have a strong correlation to conservative and liberal voting tendencies respectively).

Actors could use something as simple as a classic bulk email campaign to distribute links to fraudulent election websites that give voters false information about when, where and how to vote.  Given the fact that voter data can be purchased or even freely obtained from numerous recent breaches, a very specific and targeted campaign would be trivial.  As we will see – there are multiple challenges for a typical voter to identify legitimate from fraudulent sites, and the legitimate sites are often lacking the most basic security hygiene.

With this in mind we looked at how constituents get information from their election boards at the county level. County websites are typically the first place a citizen would go to look up information on the upcoming local elections.  Such information might include voter eligibility requirements, early voting schedules, deadlines to register, voting hours and other critical information.

McAfee ATR researchers surveyed the security measures of county websites in 20 states and found that the majority of these sites are sorely lacking in basic cybersecurity measures that could help protect voters from election misinformation campaigns.

What’s in a Website Name?

Our first disturbing revelation was that there’s no consistency as to how counties validate that their websites are legitimate sites belonging to genuine county officials.

I stumbled upon this initially because I live in Denton County Texas, where the voter information site is votedenton.com. When I saw that, I was a little perplexed because the county actually uses a website address with a .com top level domain (TLD) name rather than a .gov TLD in the name.

Domain names using .gov must pass a U.S. federal government validation process to confirm that the website in question truly belongs to the official government entity. The use of .com raised the question of whether such a naming process is common or not across county websites in Texas and in other states.

This is important, because unlike .gov sites where there is a thorough vetting process and background checks (including government officials as references), anyone can buy a .com domain.

We found that large majorities of county websites use top level domain names such as .com, .net and .us rather than the government validated .gov in their web addresses. Our findings essentially revealed that there is no official U.S. governing body validating whether the majority of county websites are legitimately owned by actual legitimate county entities.

Our study focused primarily on the swing states, or the states that were most influential in the election process, and thus the most compelling targets for threat actors.  Minnesota and Texas had the largest percentage of non-.gov domain names with 95.4% and 95% respectively. They were followed by Michigan (91.2%), New Hampshire (90%), Mississippi (86.6%) and Ohio (85.9%).

McAfee researchers found that Arizona had the largest percentage of .gov domain names, but even this state could only confirm 66.7% of county sites as using the validated addresses.

The other thing that was very concerning was that significant majorities of county sites did not enforce the use of SSL, or Secure Sockets Layer certificates. These digital certificates protect a website visitor’s web sessions, encrypting any personal information voters might share and ensuring that bad actors can’t redirect site visitors to fraudulent sites that might give them false election information.

SSL is one of the most basic forms of cyber hygiene, and something we expect all sites requiring confidentiality or data integrity to have at a minimum.  The fact that these websites are lacking in the absolute basics of cyber hygiene is troubling.

Maine had the highest number of county websites protected by SSL with 56.2%, but the state was something of an outlier. West Virginia had the greatest number of websites lacking in SSL security with 92.6% unprotected, followed by Texas (91%), Montana (90%), Mississippi (85.1%) and New Jersey (81%).

Above all, there was no consistency within states, let alone across the nation, in website naming or in how effectively SSL was applied to protect voters.

The following Orange County site protects user information with SSL at the voter registration section of the site, but not at the main home page, meaning an attacker could manipulate the content of the top-level site and replace the legitimate registration link with a fraudulent one. Those accessing the site would subsequently never be able to navigate to the legitimate protected site.

Florida’s Broward County became famous (perhaps infamous) during the 2000 presidential election as one of the state’s counties for which then-Vice President Al Gore requested a vote recount. Today, the site is not protected by SSL and has a .org address that is not distinguishable from a fake .org domain.  The browser itself actual calls out “Not Secure” when you go to the site.

Even sites that report election results are utilizing non-.gov domains, such as the Glades County site below.

This following site from Scioto County in Ohio uses an unvalidated .NET top level domain and doesn’t protect site visitors with SSL.

The Fulton County Ohio site uses an unofficial .com top level domain and is also missing enforced SSL support.

The following site from New York’s Albany County uses an unvalidated .com TLD. It also fails to use SSL protection on the site’s critical voter information pages.

Lacking Basic Protection

Because SSL protection is a very well understood website security practice, the lack of it does not instill confidence that other systems managed at local levels are adequately secured.

Given how important the democratic process of voting is to our society and way of life, we must work to better secure these critical information systems.

If you think about a close election race with rural or urban district elements to it, a malicious actor could simply send emails to hundreds of thousands of voters in rural or urban parts of the municipality and direct voters to the wrong voting locations. Such an actor would essentially be disrupting, misdirecting and perhaps even suppressing voter turnout through misinformation.  No systems would be taken off line, no physical harm done, and likely no one would even notice until election day when angry voters showed up to the wrong sites.

We developed the following phishing email message to provide an educational example of what such an election campaign message might look like (we did NOT uncover it as a part of a real phishing campaign currently in progress):

To avoid early detection, it is most likely that a coordinated attack would take place just hours, perhaps a few days before a critical vote; the threat actors would want to provide enough time to reach a critical mass for election disruption, but little enough time to avoid detection and remediation.  At that point what could you even do?

Influencing the electorate through false communications is more practical, efficient and simpler than attempting to successfully hack into hundreds of thousands of voting machines. Such a scenario is much easier to execute than tampering with voting machines themselves, and it scales to achieve the broad election objective any malicious actor might desire.

What Must Be Done Nationally

Regardless of whether central regulation or best practice publication are the best approaches to election security, we need better security standardization for all of the supporting systems that deal with elections.

While it might be difficult to pass a federal law that would mandate things like .gov naming standardization or utilizing SSL protection, an organization like the U.S. Department of Homeland Security could take a leading role by recommending these best practices.

How Voters Can Protect Themselves Locally

First, regarding SSL protection, anyone can always determine whether or not their communication with a website is protected by SSL by looking for an “HTTPS” in a site’s website address in the address bar of their browser. Some browsers also show a key or lock icon to make SSL protection easier for users to spot before they share street addresses, dates of birth, Social Security Numbers, credit card numbers or other sensitive personal information.  

As for the validity of election websites, McAfee encourages voters across the country to rely on state voter registration and election sites.  Such sites have a better track record of utilizing .gov TLDs and generally enforce SSL to protect integrity and confidentiality.   These sites may navigate voters to their local sites which may suffer from the security issues described in this blog, but utilizing a state secured .gov site as a starting point is better than a search engine.

State voter registration websites:

  1. Alabama
  2. Alaska
  3. Arizona
  4. Arkansas
  5. California
  6. Colorado
  7. Connecticut
  8. DC
  9. Delaware
  10. Florida
  11. Georgia
  12. Hawaii
  13. Idaho
  14. Illinois
  15. Indiana
  16. Iowa
  17. Kansas
  18. Kentucky
  19. Louisiana
  20. Maine
  21. Maryland
  22. Massachusetts
  23. Michigan
  24. Minnesota
  25. Missouri
  26. Montana
  27. Nebraska
  28. Nevada
  29. New Hampshire
  30. New Jersey
  31. New Mexico
  32. New York
  33. North Carolina
  34. North Dakota
  35. Ohio
  36. Oklahoma
  37. Oregon
  38. Pennsylvania
  39. Rhode Island
  40. South Carolina
  41. South Dakota
  42. Tennessee
  43. Texas
  44. Utah
  45. Vermont
  46. Virginia
  47. Washington
  48. West Virginia
  49. Wisconsin
  50. Wyoming

Finally, state governments provide information phone numbers allowing voters to confirm election information. McAfee encourages voters to call these official phone numbers to confirm any seemingly contradictory information sent to them, particularly if voters received any email or other online messages regarding changes to planned election processes (time, location, ballots, etc.).

Our country’s democracy is worth a phone call.

 

For more perspectives on U.S. election security, please read here on the topic.

The post State County Authorities Fail at Midterm Election Internet Security appeared first on McAfee Blogs.

Securing the Social Security Number to Protect U.S. Citizens

With cyber criminals having more flexibility in funding and operations than ever before, U.S. citizens are vulnerable not only to breaches of security but also of privacy. In the United States, no article of personal information is meant to be more private or secure than the Social Security Number (SSN). This is for good reason. The SSN has become a common identifier in the U.S. and is now integrated into many identification processes across different institutions.

The SSN is also the gateway to all sorts of other personal information – health records, financial positions, employment records, and a host of other purposes for which the SSN was never designed but has come to fulfill. What do all these pieces of information have in common? They are meant to be private.

Unfortunately, the unforeseen overreliance on the SSN as an identifier has left citizens’ identities vulnerable. The reality is that the SSN can easily be stolen and misused. It is a low-risk, high-reward target for cybercriminals that is used for fraudulent activities and also sold in bulk on the cybercrime black market. This has resulted in major privacy and security vulnerabilities for Americans, with some estimates saying that between 60 percent and 80 percent of all SSNs have been stolen. For example, Equifax and OPM breaches exposed probably millions of SSNs.

This is not a new problem.

Twenty-five years ago, computer scientists voiced concerns about sharing a single piece of permanent information as a means of proving a person’s identity. The issue has only recently gained national attention due to major breaches where cyber criminals were able to access millions of consumers’ personal online information. So, why hasn’t there been any significant measure put in place to safeguard digital identities?

A major reason for a lack of action on this issue has been a lack of incentives or forcing functions to change the way identity transactions work. But it’s time for policymakers to modernize the systems and methods that identify citizens and enable citizens to prove their identity with minimal risk of impersonation and without overtly compromising privacy.

The good news is that the U.S. has the technology pieces to put in place a high-quality and high security identity solution for U.S. citizens.

There are reasonable and near-term steps we can take to modernize and protect the Social Security Number to create better privacy and security in identification practices. McAfee and The Center for Strategic and International Studies (CSIS) recently released a study on Modernizing the Social Security Number with the aim of turning the Social Security Number into a secure and private foundation for digital credentials. The report’s ultimate recommendation is to replace the traditional paper Social Security card with a smart card — a plastic card with an embedded chip, like the credit cards that most people now carry. Having a smart card rather than a paper issued SSN would make the SSN less vulnerable to misuse.

A smart card is a viable solution that already has the infrastructure in place to support it. However, there are other potential solutions that must not be overlooked, such as biometrics. Biometrics measure personal features such as voice, fingerprint, iris and hand motions. Integrating biometrics into a system that relies on two-factor authentication would provide a security and privacy threshold that would make it very difficult for cybercriminals to replicate.

What is most critical, however, is that action is taken. This is an issue that deserves immediate attention and action. Every day this matter remains unresolved is another day cyber criminals continue their efforts to compromise consumer data in order to impersonate those whose data has been breached.

With the Social Security Number serving as the ultimate identifier, isn’t it time that we modernize it to address today’s evolving privacy vulnerabilities? Modernizing the SSN will help with authentication, will provide more security, and will help safeguard individual privacy. Modernizing the SSN must be a high priority for our policymakers.

The post Securing the Social Security Number to Protect U.S. Citizens appeared first on McAfee Blogs.

QOTD – SEC Chair Clayton on Need for Cooperation

Cybersecurity must be more than a firm-by-firm or agency-by-agency effort. Active and open communication between and among regulators and the private sector also is critical to ensuring the nation’s financial system is robust and effectively protected. Information sharing and coordination are essential for regulators to anticipate potential cyber threats and respond to a major cyberattack, should one arise.
-- Jay Clayton, SEC Chair 

Src: Written Remarks before the Committee on Banking, Housing and Urban Development United States Senate, September 26, 2017

QOTD – SEC Chair Clayton on Cyber Risk Disclosures

[W]e are continuing to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and we will investigate issuers that mislead investors about material cybersecurity risks or data breaches.
-- Jay Clayton, SEC Chair 

Src: Written Remarks before the Committee on Banking, Housing and Urban Development United States Senate, September 26, 2017

QOTD – Raskin on Cybersecurity as Shared Responsibility

Understanding and dealing with the cyber threat has, due to your efforts, seeped from the IT shop and into the CEO shop.  Responsibility is now shared. In fact, this new shared responsibility, among IT experts, the CEO, and the board of directors, has been the most noticeable trend in governance from my time in the industry, in state government, and in the federal government.  Bankers rarely used to talk to me much about cybersecurity.  Now, this is one topic that comes up every day.
-- Treasury Deputy Secretary Sarah Bloom Raskin

Src: Remarks of Deputy Secretary Raskin at The Texas Bankers’ Association Executive Leadership Cybersecurity Conference

QOTD – Admiral Rogers on Cyber War

Cyber war is not some future concept or cinematic spectacle, it is real and here to stay.
[...]
Conflict in the cyber domain is not simply a continuation of kinetic operations by digital means, nor is it some Science Fiction clash of robot armies.

-- Admiral Michael Rogers, Commander of US Cyber Command,
Testimony before US House Committee on Armed Service (May 2017)

Src: Docs.House.Gov