
Fed Employees, Contractors, and Spouses Identities Compromised

According to the U.S. Office of Personnel Management, the personal information of all current, former, and prospective Federal employees, contractors, and their spouses who have been the subject of a background investigation since 2000 has been compromised. The 21.5 million individuals affected include 19.7 million who applied for a background investigation and 1.8 million non-applicants, primarily spouses or co-habitants of applicants.

Types of information in the incident involving background investigation records:

  • Social Security Numbers
  • Residency and educational history
  • Employment history
  • Information about immediate family and personal and business acquaintances
  • Health, criminal and financial history

Some records could also include:

  • Findings from interviews conducted by background investigators
  • Fingerprints
  • Usernames and passwords used to fill out your forms


This is probably the worst possible data breach for the Federal government, and not because they're going to have to offer credit monitoring for everyone affected.

Noticeably absent from the release is any mention of "who" was responsible for this breach.
Many news sources believe the breach was the work of the Chinese government.

U.S. Senator Sasse believes the database will be used for spy recruitment, and even blackmail, according to Wired.

As a Federal contractor, I'm quite honestly terrified. While the Federal Government is offering identity theft protection, they are taking no steps to protect affected employees and contractors from blackmail attempts - and how could they? At this point, the only way to protect affected employees and contractors would be to give them, as well as their families, a completely new identity. Obviously, with 21.5 million affected individuals, this won't happen.

At the same time, I feel very betrayed, as I'm sure many Federal contractors and employees currently feel. If the Federal government did not take the protection of our personal information seriously, what's to ensure they will do so in the future? This could seriously impact the ability of the Federal government to gain new or retain existing employees or contractors - including myself.

Private sector - now's your chance! There are a lot of disgruntled Federal contractors who will probably jump at a chance to leave, and go somewhere their personal information will actually be protected. Start posting those open positions, and let the mass exodus from Federal contracting begin.

NASA Open Source - Cyber Security Applications in Space and on the Ground

This is the third article in my series on Space Security.


NASA has recently released its 2014 Software Catalog, featuring a comprehensive list of software titles available for US Government Only, as well as Public use.

Here is an overview of some of the more interesting titles available.  Note that some titles may need to be acquired by contacting NASA directly.

There are multiple publicly available applications in the list which could be tremendously helpful to public and private organizations helping to secure their networks. It is clear to me that NASA is leading the way in the public sector helping to provide resources which can help secure not only other agencies, but private industry as well.

I'd like to give a HUGE shout-out to NASA for releasing all of these great applications!

DISA Gold Disk FOIA Request Sent

UPDATE: My FOIA request was denied, and these tools will remain lost forever.  Details here.

I have sent a FOIA request to DISA for public release of the DISA FSO Gold Disk.  It is my hope that this request will be rather painless, and that DISA will release all requested materials.

If/when DISA does release the requested materials, I will establish an open source project on either SourceForge or Google Code for continued development of the Gold Disk.

My letter is below. I should receive a response within 30 days.

Hello,
I am writing to you to request public release of the following:
DISA FSO Gold Disk binaries
DISA FSO Gold Disk source code
DISA FSO Gold Disk developer documentation
DISA FSO Gold Disk user/administrator manuals

Per http://iase.disa.mil/stigs/index.html
"The DISA FSO Windows Gold disk tool provides an automated mechanism for compliance reporting and remediation to the Windows STIGs. The FSO Windows Gold Disks are an unlicensed tool developed by the FSO, the use of this tool is completely at the user's own risk. Currently, the Gold Disk supports Windows XP, Windows Vista, Windows 2003, Windows 2008 R1. There are no plans to develop Gold Disks for future technologies or products, FSO will utilize the SCAP standards for compliance reporting for Windows 7."

Since the tool is unlicensed and developed by FSO, that puts the tool in Public Domain. Furthermore, the DISA FSO Gold Disk is no longer supported for use within DoD, and development has ceased, meaning the tool is no longer in use within the DoD.

This tool could be of great use to the private sector, and would help increase the security of our nation.

I understand that the DISA Gold Disk does contain IAVM information which is still FOUO. As such, I am agreeable to this information being sanitized prior to public disclosure.

Since this is a FOIA request for public interest, I would like to request that any fees be waived.

I look forward to your response.

Thanks,
Ken Buckler
Caffeine Security

Guest Post: Hacker’s Breakfast: TrainACE and n2grate Team Up for a Free Hacking Seminar

The following is a Guest Post from TrainACE. I attended the last Hacker's Breakfast, and found it a very informative training seminar. You can read my thoughts on the last Hacker's Breakfast here.

TrainACE and their cyber security training extension, Advanced Security, are announcing another installation in their series of free hacking seminars, dubbed Hacker’s Breakfast. Having previously planned an event with FireEye, they have teamed up with n2grate Government Technology Solutions this time around to host the latest installation, featuring multiple speakers and training demonstrations. Blue Coat and Solera Networks will have Subject Matter Expert technicians talk about mission assurance technologies and web-based security.

A difference between this Hacker’s Breakfast and the previous event in the series is the inclusion of live demonstrations. The session for product demonstrations will feature kiosks related to advanced threat protection from Blue Coat, Netronome, and Packet Shaper. Event sponsor Solera Networks will have an exhibit for big data security intelligence and analytics.

The seminar itself will start off with a presentation on web-based security and its significance to mobile workers, social networking, and threat protection. The speakers will address web-based security on a number of devices, covering users who own desktops, laptops, and mobile platforms. Next up on the itinerary will be the kiosk break. For the rest of the seminar, a session will cover how the Department of Defense and other federal agencies should handle mission-critical program security. The seminar will close with another period allotted to additional product and training demonstrations.

However, the opportunity is only available to Government and Department of Defense employees and the event is capped at 70 registrants. Sign up immediately in order to reserve a place at this leading edge event!

Hacker’s Breakfast will be held at TrainACE in Ashburn, VA on July 24, 2013. The event opens with registration and breakfast at 8:00AM and will finish at 12:30PM.


Learn more and register online here: Hacker’s Breakfast – The FREE Hacking Training Seminar Series by TrainACE.

@USNISTGOV CVE Alerts Now On @CaffSec Twitter

Thanks to the folks at NIST for providing an RSS feed of new CVEs, I have incorporated CVEs into my automated #exploitAlert feed on Twitter.

In addition to CVE content, the #exploitAlert feed provides information on new vulnerabilities/exploits found on PasteBin and similar sites.

If you're interested in how the CVE feed works, I have made the feed available on my IFTTT profile.

The NSA's Guide to Internet Research

The NSA recently released on their Declassification and Transparency page "Untangling The Web - A Guide to Internet Research".

This 642-page document contains search techniques and tips for everything from basic search fundamentals to "Google Hacking" and even how to find information on the "Invisible" internet.

OpUSA Updated Target List Posted

I've managed to get a copy of the OpUSA target list.  If you're at one of these organizations, be extra vigilant.


Additional targets are listed in the updated Threat Watch brief.

OpUSA to Strike US Government and Banking Infrastructure May 7

Anonymous and several other hacking groups are planning to attack the US Government and Banking Infrastructure on May 7, 2013.

I added a threat briefing on OpUSA, what's being targeted, and by whom, to my Threat Watch site.

Currently, the only named targets of this attack are Whitehouse.gov, FBI, and Bank of America.  However, I'm sure other targets will be included.

If you work for a government agency, or in the banking industry, be vigilant, and be on the lookout for highly targeted phishing attacks.

You can read the full briefing at my Threat Watch site.

White House to Issue Cyber Security Executive Order

According to TheHill.com, the White House will release an executive order this week to address cyber security and critical infrastructure.

I'd like to share with everyone a letter I wrote in January 2012 as part of an application to the White House Fellowship program (my application was turned down).


FDA Fails to Properly Evaluate Medical Device Security per U.S. GAO Report

Warning: The contents of this blog post could (literally) give you a heart attack.

The U.S. Government Accountability Office website has published an interesting report on Information Security and Medical Devices.  Unfortunately this report has probably been missed amid all the U.S. elections news.

The 62 page report calls out the FDA on their 2001 and 2006 premarket review of two medical devices with known vulnerabilities and states that "FDA considered information security risks from unintentional threats, but not risks from intentional threats".  While it is comforting to know that the FDA is looking at issues such as accidental electromagnetic interference, it worries me that the FDA is not considering more serious threats, such as intentional malicious interference with a device.

Specifically, FDA considered risks from unintentional threats for four of the eight information security control areas GAO selected for its evaluation—software testing, verification, and validation; risk assessments; access control; and contingency planning. However, the agency did not consider risks from intentional threats for these areas, nor did the agency provide evidence of its review for risks from either unintentional or intentional threats for the remaining four information security control areas—risk management, patch and vulnerability management, technical audit and accountability, and security-incident-response activities. According to FDA, it did not consider information security risks from intentional threats as a realistic possibility until recently. In commenting on a draft of this report, FDA said it intends to reassess its approach for evaluating software used in medical devices, including an assessment of information security risks.

This report is definitely an eye-opening read, and also shows that the Federal Government is starting to think outside the box when it comes to Information Security.

Report:
Highlights - FDA Should Expand Its Consideration of Information Security for Certain Types of Devices
Download Full Report (PDF)