Proactive Computing | Optimizing IT for usability, performance and reliability since 1997

Category: #Government (Page 1 of 3)


Stolen computers are the least of the government’s security worries


Reports that a laptop from House Speaker Nancy Pelosi’s office was stolen during the pro-Trump rioters’ sack of the Capitol building have some worried that the mob may have access to important, even classified information. Fortunately that’s not the case — even if this computer and others had any truly sensitive information, which is unlikely, like any corporate asset it can almost certainly be disabled remotely.

The cybersecurity threat in general from the riot is not as high as one might think, as we explained yesterday. Specific to stolen or otherwise compromised hardware, there are several facts to keep in mind.

In the first place, the offices of elected officials are in many ways already public spaces. These are historic buildings through which tours often go, in which meetings with foreign dignitaries and other politicians are held, and in which thousands of ordinary civil servants without any security clearance would normally be working shoulder-to-shoulder. The important work they do is largely legislative and administrative — largely public work, where the most sensitive information being exchanged is probably unannounced speeches and draft bills.

But recently, you may remember, most of these people were working from home. Of course during the major event of the joint session confirming the electors, there would be more people than normal. But this wasn’t an ordinary day at the office by a long shot — even before hundreds of radicalized partisans forcibly occupied the building. Chances are there wasn’t a lot of critical business being conducted on the desktops in these offices. Classified data lives in the access-controlled SCIF, not on random devices sitting in unsecured areas.

In fact, the laptop is reported by Reuters as having been part of a conference room’s dedicated hardware — this is the dusty old Inspiron that lives on the A/V table so you can put your PowerPoint on it, not Pelosi’s personal computer, let alone a hard line to top secret info.

Even if there was a question of unintended access, it should be noted that the federal government, as any large company might, has a normal IT department with a relatively modern provisioning structure. The Pelosi office laptop, like any other piece of hardware being used for official House and Senate business, is monitored by IT and should be able to be remotely disabled or wiped. The challenge for the department is figuring out which hardware does actually need to be handled that way — as was reported earlier, there was (understandably) no official plan for a violent takeover of the Capitol building.

In other words, it’s highly likely that the most that will result from the theft of government computers on Jan. 6 will be inconvenience or at most some embarrassment should some informal communications become public. Staffers do gossip and grouse, of course, on both back and official channels.

That said, the people who invaded these offices and stole that equipment — some on camera — are already being arrested and charged. Just because the theft doesn’t present a serious security threat doesn’t mean it wasn’t highly illegal in several different ways.

Any cybersecurity official will tell you that the greater threat by far is the extensive infiltration of government contractors and accounts through the SolarWinds breach. Those systems are packed with information that was never meant to be public and will likely provide fuel for credential-related attacks for years to come.


Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Devin Coldewey

FAA lays out its Remote ID ‘license plate for drones’ requirements

On Monday, the Federal Aviation Administration (FAA) shared its latest set of drone regulations. When the new rules go into effect early next year, they’ll allow licensed drone operators to fly their UAVs at night, provided they complete additional t…


New FAA rule requires Remote ID for drones


The FAA today announced that it will be issuing two new rules for drone pilots in the U.S. The first is the implementation of a long-awaited Remote ID. The system effectively works as a kind of digital license plate for unmanned aircraft, broadcasting identifying details, including the location of the craft.

The full text of the finalized new rule can be found here. In short, drone operators will have one of three methods for complying:

1. Operate a standard Remote ID drone that broadcasts identification and location information of the drone and control station;

2. Operate a drone with a Remote ID broadcast module (may be a separate device attached to the drone), which broadcasts identification, location, and take-off information; or

3. Operate a drone without Remote ID but at specific FAA-recognized identification areas.

While some drone operators are likely to be put off by additional regulations, their arrival is understandable given the sheer volume and speed of drone adoption. The FAA says that more than 1.7 million drones have been registered in the U.S., along with around 203,000 certifications for drone pilots. Those numbers will likely only snowball as more drones are deployed for commercial purposes.

Notably, the FAA sees the new rules as a method for accelerating drone deliveries in the U.S. “The new rules make way for the further integration of drones into our airspace by addressing safety and security concerns,” FAA Administrator Steve Dickson said in a release tied to the news. “They get us closer to the day when we will more routinely see drone operations such as the delivery of packages.”

Also new is the “Operations Over People and at Night” rule, which, as the name implies, regulates both the ability to fly over people and fly at night. The rule features a number of different qualifications for compliance, including weighing less than 0.55 pounds to fly overhead.

According to the rule, “small unmanned aircraft must not cause injury to a human being that is equivalent to or greater than the severity of injury caused by a transfer of 25 foot-pounds of kinetic energy upon impact from a rigid object, does not contain any exposed rotating parts that could lacerate human skin upon impact with a human being, and does not contain any safety defects.”

In order to fly at night, drones need to sport operational anti-collision lights that can be seen for three miles. The rules are set to be officially published next month, officially becoming effective 60 days later. Drone makers will have a year-and-a-half to begin adding Remote ID to their devices. In August, the FAA granted Amazon permission for delivery trials.


The Article Was Written/Published By: Brian Heater

Nuclear weapons agency updates Congress on hacking attempt


The Department of Energy and the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, told congressional staffers in several briefings this week that there is currently no known impact to its classified systems from a massive hack that targeted its networks, according to an official with direct knowledge of the briefings.

The officials told staffers, however, that the incident has proven how difficult it is to monitor the Energy Department’s unclassified systems, and acknowledged that an issue with a network extension within the Office of Secure Transportation — which specializes in the secure transportation of nuclear weapons and materials — had been discovered.

Energy Secretary Dan Brouillette, DOE’s Chief Information Officer Rocky Campione, and NNSA CIO Wayne Jones all participated in the briefings to the relevant congressional oversight bodies.

The officials told congressional staffers that there was an attempt to breach Los Alamos National Laboratory and the nuclear administration’s field office in Nevada via the vulnerability in software developed by SolarWinds — a company whose IT management tools are used across the government. The supply-chain attack has affected dozens of federal and private sector entities, who were exploited by suspected Russian hackers as early as March of this year.

The officials said they do not consider either the lab or the field office to have been compromised, and noted that all national labs have been instructed to shut down and fully remove SolarWinds products from their systems.

Still, the department’s investigation is ongoing, the officials said, and neither DOE nor NNSA has a full picture of the impact of the hack — or what it will cost to fix it. The officials said it will probably be expensive to mitigate the damage and prevent it from happening again, but that they are still determining what kind of extra funding and resources the department will need.

The internal investigation has been complex and time-consuming because the compromised SolarWinds software was used widely throughout the nuclear security administration, officials told the staffers — including at the Los Alamos, Lawrence Livermore, and Sandia national labs; NNSA headquarters; NNSA’s Emergency Communication Network; NNSA’s Mixed Oxide Fuel Fabrication Facility, where fuel is made for reactors; the Nevada National Security Site, a disposal site; and Naval Reactors, which provides propulsion plants for nuclear powered ships.

DOE first found evidence of the hack last Monday, officials familiar with the matter said, and began coordinating notifications about the breach to their congressional oversight bodies on Thursday after being briefed by Campione, who oversees DOE’s cybersecurity. Campione told DOE officials last week that, in addition to the labs and the Office of Secure Transportation, suspicious activity had also been found in networks belonging to the Federal Energy Regulatory Commission (FERC), which stores sensitive data on the nation’s bulk electric grid.

Shaylyn Hynes, a DOE spokesperson, said in a statement last week that an ongoing investigation into the hack had found that the perpetrators did not get into critical defense systems.

“At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration,” Hynes said. “When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”

The Article Was Written/Published By: Natasha Bertrand

How U.S. agencies’ trust in untested software opened the door to hackers


The massive monthslong hack of agencies across the U.S. government succeeded, in part, because no one was looking in the right place.

The federal government conducts only cursory security inspections of the software it buys from private companies for a wide range of activities, from managing databases to operating internal chat applications. That created the blind spot that suspected Russian hackers exploited to breach the Treasury Department, the Department of Homeland Security, the National Institutes of Health and other agencies. After embedding code in widely used network management software made by a Texas company called SolarWinds, all they had to do was wait for the agencies to download routine software updates from the trusted supplier.

As investigators race to assess the damage from the hacks, experts and lawmakers are calling for increased scrutiny of the third-party code that government agencies allow on their networks and demanding a fix for a long-known weakness.

“The government desperately needs to set minimum security requirements for software and services, and refuse to buy anything that doesn’t meet those standards,” said Sen. Ron Wyden (D-Ore.). “It is incredibly self-defeating for federal agencies to spend billions on security and then give government contracts to companies with insecure products.”

Over the past week, agencies rushed to scrub the malicious code from their networks while senior officials huddled in emergency meetings — all amid reports of more victims in the federal government, state governments and private industry. As the extent of the attack became clearer, cyber experts warned that cleaning up the mess could take months or years.

SolarWinds, whose 330,000 customers include key federal agencies, major telecommunications firms, every branch of the military and four-fifths of the Fortune 500, is one of the most extreme examples of the dysfunction that made this hack possible, but it is far from the only poorly guarded vendor with hooks into the most important computer networks in the world.

The U.S. government relies on private vendors of all sizes to supply its agencies with software. Some have expert security teams, such as Amazon, which provides cloud hosting services, and SAP, whose software helps agencies process large quantities of data. But others, both large and small, have less rigorous security testing procedures and are more vulnerable to this kind of compromise, cyber analysts say.

On Thursday, federal investigators said SolarWinds’ Orion software was not the only way the hackers had invaded their targets, warning of “additional initial access vectors and tactics, techniques, and procedures … that have not yet been discovered.”

And now that the hackers have had months to establish a foothold in the federal networks, the Cybersecurity and Infrastructure Security Agency warned, removing them “will be highly complex and challenging.”

Building better software

The SolarWinds hack — which officials have linked to Russia’s foreign intelligence service, the SVR, and which Secretary of State Mike Pompeo late Friday publicly pinned on Russia — reflects a level of sophistication that may be impossible to completely block, but technical professionals and policymakers say new approaches to software development and procurement could at least give defenders a fighting chance.

Attacks on vendors in the software supply chain represent a known issue that needs to be prioritized, said Rep. Jim Langevin (D-R.I.), the co-founder of the Congressional Cybersecurity Caucus.

“The SolarWinds incident … underscores that supply chain security is a topic that needs to be front and center,” Langevin said.

He said Congress needs to “incentivize” the companies to make their software more secure, which could require expensive changes.

Some others are calling for regulation.

“Absolutely there needs to be more oversight of these kinds of companies,” said Emile Monette, the former chief of CISA’s supply chain risk management program. He said the government should require contractors to certify their software is free of even “moderate-impact bugs.” Typically, vendors assure only that their software is free of particularly dangerous vulnerabilities, labeled as “critical” or “high impact.”

Private companies regularly deploy software with undiscovered bugs because developers lack the time, skill or incentive to fully inspect them.

Monette said agencies must “be prepared to pay for increased security” in their purchases and encouraged the government to “double down on investments” in areas such as software security.

Buyer beware

It can be hard, however, for federal agencies and Fortune 500 companies to identify weaknesses when they don’t understand the complexity of what they’re buying or the ways in which it could be defective.

“Security is not a significant consideration or even well understood,” said Bryan Ware, CISA’s former assistant director for cybersecurity. “Plenty of sophisticated [chief information officers] bought and deployed [SolarWinds’ software], so it’s not just the vendor I’m questioning.”

There is no central inventory of which government agencies use which software in which offices, which is part of why it has taken agencies so long to determine if they have been hacked.

“The first-order problem is still trying to get our arms around all of the applications and software that reside on the 101 civilian executive branch networks,” said former CISA Deputy Director Matthew Travis.

Travis bemoaned the decentralized approach and encouraged Congress to authorize CISA and OMB “to re-architect the archaic federal enterprise” and push more applications to the cloud.

The automated gatekeepers that do exist — two CISA-run network security programs — also weren’t equipped to identify the SolarWinds intrusion, much less stop it.

One program, dubbed “Einstein,” is supposed to stop threats from crossing the threshold into federal civilian agencies’ networks, but can only spot malicious activity that it has seen before, a shortcoming that the hackers carefully exploited by using servers not previously flagged as malicious.

The other, Continuous Diagnostics and Mitigation, brings together scanning and monitoring services that are supposed to spot and block suspicious behavior on those networks. But CDM’s understanding of what should generate a red flag is limited to clearly suspicious activity, such as offsite transfers of massive encrypted files — which didn’t occur with the infected SolarWinds updates.

Calls for action on the Hill

Some in Congress are ready to act. In a statement, Rep. Ted Lieu (D-Calif.) said he was “working on legislation to ensure that vendors doing business with the United States government maintain a vulnerability disclosure policy.”

But new regulations might not solve the problem, technical specialists said.

“Government-mandated security requirements are probably more likely to HARM security than to HELP it,” Andy Keiser, a former top House Intelligence Committee aide and Trump transition national security adviser, wrote in an email. “The standards would be slow, outdated, cumbersome [and] pick incorrect winners and losers.”

Congress should “carefully explore penalties for negligence” in software design, Ware said, but only in a limited way, “because it could lead to negative unintended consequences.”

The government already runs security certification programs for cloud platforms and defense industrial base contractors. Congress could examine and modify them, Ware said, to confront this new challenge.

Regardless of who controls the Senate in the 117th Congress, the Democratic-led House will likely be more open to new federal mandates. A House Homeland Security Committee aide, who requested anonymity to discuss internal planning, said that it was too early to discuss regulation but added, “I’m sure we will have hearings on [SolarWinds] in the new year.”

Getting under the hood

Rather than imposing new security requirements on vendors, some experts say agencies should pay more attention to the software they buy and routinely test it for flaws.

James Lewis, a cyber expert at the Center for Strategic and International Studies, floated the idea of an executive order instructing agencies “to monitor and better manage their use of these kinds of platforms,” and requiring sector-specific regulators to demand the same of companies in critical industries, such as electricity and health care.

“Require something similar to what Apple does on the App Store,” Lewis said, noting that the tech giant reviews every submitted app and only approves those it certifies to be secure.

Some private companies do monitor third-party software in this way, but routine software auditing would likely be a massive burden on federal agencies, few of which have enough security personnel to handle this work on top of their existing tasks.

One approach would be to centralize software testing at one agency. The most natural fit might be CISA, which in April became the operator of a central marketplace for government cybersecurity services.

Ware said this could prevent a situation where one agency discovered a problem in software used across the government but failed to report it to those other customers.

Not everyone is convinced that this centralization would work.

“Talent is in short supply everywhere, no one [is] going to volunteer people for transfer, and DHS doesn’t have the clout to steal from the agencies with talent — the [intelligence community], DoD and FBI,” Lewis said. He suggested instead that the software security oversight start at OMB, whose authority to issue edicts to other agencies is more established.

Nascent efforts

Some parts of the government are already working to encourage better coding practices, though it’s slow going.

For more than two years, one federal agency has been convening meetings of outside experts to discuss the creation of a kind of ingredient label for software, a “bill of materials” that would provide transparency about the code used in each program. While this software bill of materials wouldn’t completely solve the problem that led to the SolarWinds crisis, Ware and other cyber experts say it would encourage more careful coding by making an application’s digital contents more transparent.

The agency behind this effort is the Commerce Department’s National Telecommunications and Information Administration, one of the first agencies to discover that it had been hacked as part of the SolarWinds campaign.

Martin Matishak contributed to this report.

The Article Was Written/Published By: Eric Geller

Foreign state hackers reportedly breached the US Treasury

Foreign hackers may be running rampant in the US government. Reuters sources said a group backed by a foreign government stole data from the Treasury Department and the internet policy-focused NTIA. While details are still limited, it was reportedly…


FBI, Homeland Security detail how Iranian hackers stole US voter data

US officials are shedding more light on how Iran-linked hackers stole voter info to send intimidating emails to Democrat voters. The FBI and Homeland Security’s CISA have issued an advisory (via Bleeping Computer) explaining the campaign, which ran f…


Minecraft Mock Poll Aims To Educate Kids About Voting


The voting simulation is hosted by Rock The Vote and aims to demystify the voting process by allowing kids to cast mock ballots on a number of issues. The results will be released before Election Day.



The Article Was Written/Published By: Reese Oxner

Why the Internet Should Be a Public Utility


The internet is here, it’s just not evenly distributed. While some people have access to high-speed fiber-optic cable running to their house or phones ready to connect to 5G, there are also swaths of broadband deserts where people can’t access internet at reliable speeds.


The Article Was Written/Published By: Brian Kahn and Alex Cranz
