wave whacks European banksTwo major media outlets fall prey to hackers
Banks across Europe are now coping with a wave of cybercrime in which
crooks are transferring funds out of customer accounts through a scam involving
bypassing some two-factor authentication systems to steal large sums, according
to a security firm assisting in the investigation.The funds transfers are affecting 34
institutions, in a crime wave seen first in Germany during the spring, and now
across several countries, including Austria, Switzerland and Sweden. So far,
the crimes are being traced to Romania and Russia. The amount of money that’s
been fraudulently whisked out of both consumer and commercial bank accounts
appears to be running in the millions.
successfully bypass two-factor authentication at some European banks
Cybercriminals are successfully bypassing two-factor authentication systems
at some European banks and transferring funds out of victim accounts, Trend
Micro said. The sophisticated attack campaign uses malicious email attachments,
phishing sites, rogue DNS servers, fake SSL certificates, and malicious Android
apps to steal session tokens used by banks as part of the two-factor
authentication scheme. To date, 34 financial institutions have been affected
across several countries, including Germany, Austria, Japan, Switzerland, and
launches cross border cyber crime taskforce
IT News (Australia)
The European Union will commence a six-month pilot of a cyber crime unit
charged with investigating cross-border attacks perpetrated by botnets, banking
Trojans and the darknet. The Joint Cybercrime Action Taskforce (J-CAT) will be
housed at the European Cybercrime Centre (EC3) in The Hague, with its board
comprised of senior figures from EC3, the FBI, the NCA and Germany's Federal
Criminal Police Office. Cyber crime police investigators from across Europe
will reside permanently at the center and will be charged with building
criminal cases. They will co-ordinate investigations with other countries
including Australia, Canada and Columbia.
cyberweapons cross-pollinating commercial malware, analysis claims
Sophisticated code of the sort used in Russian Government cyberweapons
could be seeping into the commercial malware wielded by the country's
criminals, a security firm has suggested after analyzing the apparent
cross-pollination in a previously unknown piece of malware.
damage of Snowden leaks being felt in cyber, public trust
Federal News Radio
The National Security Agency's top lawyer said the disclosures from former
contractor Edward Snowden not only hurt U.S. intelligence gathering
capabilities, but also created a gap in the trust relationship between the
agency and Congress. NSA general
counsel Raj De said the disclosures also may have damaged the nation's ability
to move the ball forward on improving its own cybersecurity posture.
intel chief fears 'unseen war' in Gaza
Rep. Mike Rogers (R-MI) said July 27 that new cyber threats are causing
concern in the ongoing conflict in Gaza. "There is an unseen war in this
particular event and that's the new cyber front," Rogers, chairman of the
House Intelligence Committee, said on "Face the Nation."
online exchange facilitates fast acquisition
The National Geospatial-Intelligence Agency is undertaking an initiative to
expand industry partnerships and to make critical capabilities speedier to
acquire. The GEOINT Solutions Marketplace, described in an article at
defense.gov as "a newly expanding pilot" program, "operates as
an online exchange for government and vendors, commercial partners, academic
institutions and the broader geospatial intelligence community."
bills cued up for house
Three cybersecurity bills are set for House action July 28: House Homeland
Security Chairman Mike McCaul’s National Cybersecurity and Critical
Infrastructure Protection Act, Rep. Patrick Meehan’s Critical Infrastructure
Research and Development Advancement Act and Rep. Yvette Clarke’s Homeland
Security Cybersecurity Boots-on-the-Ground Act. The bills would (1) codify and
articulate the Department of Homeland Security’s role in cybersecurity,
including through the National Cybersecurity and Communications Integration
Center; (2) establish a DHS clearinghouse for critical infrastructure security
technology; and (3) require DHS to set occupation classifications for
cybersecurity and conduct a cybersecurity workforce assessment.
committee seeks EHR interoperability investigation
Members of the Senate Appropriations Committee are seeking an investigation
into whether taxpayer-supported software is preventing the free exchange of
patient records between non-partnering healthcare organizations. The senators
pointed to so-called "information blocking," and detailed steps the
Office of the National Coordinator for Health Information Technology (ONC) --
which oversees electronic health records (EHRs) -- should take to ensure the
free flow of patient data between healthcare organizations.
Force gets a move on dynamic cyber defense
As cyber threats continue to loom for private industry and the military
alike, the Air Force is looking to improve its own defenses. In a solicitation
released July 23, the Air Force has requested white papers for the development
of a command and control capability that could orchestrate Moving Target
Defense across the entire enterprise. MTD strategies seek to move cyber
defenses from static configurations to a more dynamic, changing set of system
parameters that would make it more difficult for attackers to discover and take
advantage of vulnerabilities.
to DoD: Help private-sector innovators help you
It’s well past time for the Pentagon to revamp its acquisition processes so
the private sector can boost its role in technology development, a key Pentagon
advisory panel says. The Defense Business Board has unanimously approved
far-reaching recommendations meant to improve DoD’s business dealings with the
private sector, particularly companies that have not traditionally sought defense
contracts. The recommendations came from a report by a DBB task force set up in
the wake of much talk about the private sector’s ability to rapidly develop new
products, while the military has difficulty getting a program off the ground
before its technology is nearly obsolete.
demand evolves, Army simplifies WIN-T
C4ISR & Networks
It has been more than a decade since the Army began working on the
Warfighter Information Network-Tactical, incrementally updating and fielding
communications capabilities to deployed soldiers around the world. With the
first increment fully fielded and developments and upgrades ongoing, Army
officials now say they are focused on modernizing WIN-T, particularly on making
it easier for soldiers to use.
Army creates common technology
marketplace for communications hardware
The Army is creating a standard marketplace of tactical communications
hardware to support the Common Operating Environment initiative and deliver a
familiar and intuitive experience for Soldiers. The Common Hardware Systems, or CHS, program
office maintains a portfolio of commercial technologies that satisfy tactical
requirements including servers, clients, network routing and switching devices,
ruggedized laptops, handheld devices, operational transit cases and other
exercise tests people, partnerships
American Forces Press Service (news
Partners from across government, academia, industry and the international
coalition recently completed Cyber Guard 14-1, a two-week exercise designed to
test operational and interagency coordination as well as tactical-level
operations to protect, prevent, mitigate and recover from a domestic cyberspace
incident. Elements of the National Guard, reserves, National Security Agency
and U.S. Cyber Command exercised their support to Department of Homeland
Security and FBI responses to foreign-based attacks on simulated critical
infrastructure networks, promoting collaboration and critical information
sharing in support of a "whole-of-nation" effort.
still plugging gaps in smart card security
Personal identity verification, or PIV, smart cards allow agency employees
and contractors to access both federal facilities and agency networks and are a
key part of the 2004 Homeland Security Presidential Directive-12, which
required a common ID credential for federal personnel. Agencies have now taken
most of the big steps toward HSPD-12 implementation, but the latest audit
reveals some are still vexed by plugging all the gaps in the process, according
to security experts.
digital certs poised for growth
Secure ID News
Public Key Infrastructure is still the gold standard when it comes to
identity management and the market is poised for growth, according to the
latest report from Frost & Sullivan which finds that the market earned
revenues of $357.4 million in 2013 and estimates this to reach $532.8 million
in 2017. The government sector is expected to account for the largest share of
the total revenue owing to the implementation of several identity document
projects. This growth is due to the increased number of data breaches and
security bugs, and increasing use of mobile devices will further highlight the
need to identify people, devices, and transactions, spurring the demand for
Once again, media outlets have been targeted by attackers seeking to gain attention and disseminate false information. The Wall Street Journal's Facebook page was hacked July 20, and in a separate incident, MSNBC.com had some of its short link addresses redirected.The attacks on The Wall Street Journal and MSNBC.com show insecurity on major media platforms that can potentially be mitigated, according to security experts.
'History may be repeating itself' in cyberspace
Ten years after issuing a damning report on the intelligence failures leading up to the Sept. 11 terrorist attacks, the 9/11 Commission has warned of parallel U.S. vulnerabilities in cybersecurity.Cyber threats have since multiplied with advances in IT, and a comprehensive assessment of the nation’s cyber-readiness was beyond the scope of the report. The document instead touched on the growing nexus between terrorism and cybersecurity, the American public's supposed lack of awareness of cyber threats, and the need for "comprehensive" legislation from Congress.
9/11 Commission report authors warn nation of cyberattack threats
The Washington Post
The authors of the 9/11 Commission report describe the threat of a cyberattack as a significant concern, likening it to the threat of terrorism before the Sept. 11, 2001, attacks. They describe the “cyber domain as the battlefield of the future” and say the country needs to take further steps to prevent the cyber equivalent of 9/11.They urge Congress to pass cybersecurity legislation to let private companies work with the government to counter threats, despite concerns about privacy provisions.
Obama adviser on cybersecurity: Limit cyber capabilities, regulate sometimes
A new report by the left-leaning Center for New American Security says the U.S. screwed it up from the start when designing the architecture of digital computing — security just wasn’t drawn into those original blueprints -- and now we have to live with it. The report, helmed by Richard Danzig, a former Navy secretary who currently serves as a member of the Defense Policy Board and The President’s Intelligence Advisory Board, makes recommendations on how, including adopting a national security standard for cyberspace.
Modern electric grid fighting cyber vulnerabilities
Utility companies are spending millions annually in cyber security costs, and the trend will continue with investments in smart meters and other technology meant to bring the electric grid up to date.
DoD, DHS see more, earlier testing as a possible fix to troubled programs
Federal News Radio
Two of the largest agencies are looking at increasing the amount of testing and evaluating of their often-troubled acquisition programs as the panacea to systemic problems.The Defense and Homeland Security departments are pushing project managers to test technology or weapons systems earlier in the acquisition lifecycle to understand and solve potential roadblocks sooner.
Agencies move past the FedRAMP deadline
As of early June, cloud service providers that want to do business with the government should be in compliance with the Federal Risk and Authorization Management Program, an initiative to assess the security of cloud solutions and authorize them for government use. And at this point, agencies looking to realize the benefits of cloud computing should be using FedRAMP-authorized providers.
Significant deficiencies found in Treasury’s computer security
Weaknesses in Treasury Department computer systems that track federal debt are severe enough to disrupt accounting, according to a Government Accountability Office (GAO) audit. Newly discovered security vulnerabilities at the Bureau of the Fiscal Service, coupled with older unfixed problems, constitute a "significant deficiency" for financial reporting purposes, the GAO found.
GAO: Weaknesses remain in FDIC's information security
The Federal Deposit Insurance Corporation enforces banking laws and regulates financial institutions across the country, yet weaknesses in its security posture place information at unnecessary risk, according to a new Government Accountability Office report. The GAO report posits that while FDIC has “made progress in securing key financial systems” following a series of GAO audits dating back to 2011, its failure to implement specific recommendations by the watchdog agency has led to vulnerabilities in the “confidentiality, integrity and availability of financial systems and information.”
Government IT priorities: Security reigns, cloud crawls
A new survey shows that federal agencies are focusing more on security, as they should, but they're still behind the times with cloud use, data center consolidation, and overall innovation.
Agencies inch toward solutions on BYOD
The BYOD phenomenon is becoming more entrenched in government, but as with any emerging technology, the transition to this new paradigm presents a range of hurdles to IT managers trying to do what’s best for the jurisdiction while simultaneously supporting the desires of end users. Security is a primary concern, as work data increasingly commingles with private information and travels outside the office walls. But there are other sticking points, including concerns about privacy, issues of overtime and the burden on IT of having to support a broad range of devices, to name a few. Public-sector technology leaders say these challenges can be overcome, but it takes some creativity and forethought.
Former Navy secretary calls for minimalist approach to IT security
Former Navy Secretary Richard Danzig has unusual advice for the U.S. government: Enhance cybersecurity by cutting back on overly complex IT systems.Eschewing a common narrative of society's inexorable march toward the Internet of Things, Danzig called on Washington to "forsake some efficiencies, speed or capabilities" in critical systems "in order to achieve greater security."
Army rolling 4G out to theater
C4ISR & Networks
The Army is pushing high-speed 4G LTE infrastructure out to the battlefield, offering deployed soldiers the ability to carry out missions and in more flexible, agile ways. The Army’s Tactical Network Transmissions (TNT) package was introduced at Network Integration Evaluation (NIE) 14.2, held in March at Fort Bliss, Texas and White Sands Missile Range, New Mexico. The TNT package offers soldiers and coalition partners access to 4G bandwidth and capabilities that allow faster access to mission-critical applications via devices such as smart phones and tablets.
Army building a marketplace for tactical comm equipment
In support of its push toward seamless frontline tactical communications, the Army is creating a one-stop shop for tactical communications hardware. The Common Hardware Systems program office will establish the technical standards—and a contract vehicle—for hardware used to support the Army’s Common Operating Environment (COE). The COE is an initiative to provide the same operational picture throughout the ranks, from headquarters to soldiers on the battlefield, incorporating everything from geospatial maps to video and other sensor data from unmanned systems to mobile devices carried by soldiers.
Ground commanders with cyber skills
Ground commanders are already learning how to counter cyber threats in the field, but the Army’s cyber boss wants them to start launching their own attacks. "The way we’re going to have to do this is stand up the capability and start experimenting with it," said Lt. Gen. Edward Cardon, commander of Army Cyber Command. "From that we will develop the commander’s guidance for cyber." Cardon said the first step in educating and empowering brigade commanders is to incorporate the offensive capabilities as part of combat training center rotations.
US government conducts largest cyber-defense exercise to protect critical infrastructure
Fierce Government IT
The U.S. government has just wrapped up one of the largest cyber exercises to date, involving more than 500 participants from the military, law enforcement, civilian agencies, academia and the commercial sector.Cyber Guard 14-1was a two-week event testing how the services and federal agencies coordinated with each other at the strategic and tactical levels to protect, prevent, mitigate and recover from a cyber attack on U.S. national cyber infrastructure. U.S. Cyber Command, or Cybercom, was the lead organization for the event, which was envisioned as a "holistic, whole-of-nation effort" that also brought in observers from academia, private industry and state utilities.
National Guard, feds double down for foreign hack against US
The federal government deployed twice as many cyber professionals this year as in 2013 during a simulated foreign-based cyberattack on U.S. soil. About 550 participants recently completed "Cyber Guard 14-1," a two-week exercise executed by the U.S. Cyber Command and hosted at the FBI's National Academy in Quantico, Virginia. The annual rehearsal tests government-wide cooperation as well as tactical-level operations, according to the Defense Department.This year, the National Guard, Reserves, National Security Agency and CYBERCOM practiced supporting civilian agency responses to attacks on model "critical infrastructure" networks.
How to talk about blowing things up in cyberspace, according to the military
The Washington Post
The precise demands of military operations require very specific definitions, particularly when it comes to cyberspace.To avoid confusion regarding how to effectively use offensive cyberweapons, the Pentagon has developed its own glossary of sorts, published in 2009 by the U.S. Strategic Command. The document is a fascinating look into the military's ever-evolving cyber doctrine.
IT departments feel the heat on mobile initiatives
Both employees and senior managers feel strongly that IT departments must help them increase existing mobile technology capabilities, according to a recent survey from Aruba Networks. Providing support and resources for an all-wireless workplace remains at the top of the must-have list for organizations. An Aruba executive said, "The workplace of the future will not only need to be right-sized to align with IT budgets, but it will also require a mobility-centric and secure wireless infrastructure—a move toward employee self-service."
Treasury Secretary warns of cyber threats to financial sector
Treasury Secretary Jacob Lew warned of the dangers of cyberattacks on the financial sector in a July 16 speech in New York City, calling the cyber defense of businesses and government "a central test for all of us going forward."Lew beseeched financial services firms and vendors that serve them to use the Obama administration’s framework document for managing cyber risk for critical infrastructure, and joined other administration officials calling on Congress to pass a cybersecurity bill to bolster public-private information sharing of threats and to protect firms from liability for sharing such information.
Lew says financial industry could do more to prevent cyberattacks
The Washington Post
Treasury Secretary Jack Lew said July 16 that banks and credit unions have faced 250 distributed denial-of-service attacks since 2011 — a type of cyberassault that officials believe could disrupt the U.S. financial system.Lew said the Treasury Department will launch the Financial Sector Cyber Intelligence Group to circulate warnings about cyber threats and thwart electronic incursions.
Feds declare big win over Cryptolocker ransomware
Even as security researchers reported that the hacker gang responsible for the Gameover Zeus botnet had begun distributing new malware, U.S. government officials claimed victory over the original and said that the Cryptolocker ransomware that the botnet had been pushing has been knocked out.
A new age in cyber security: Public cyberhealth
Dark Reading (commentary)
Managing mass cyber infections is challenging. Our adversaries are well funded, agile, and adaptive. They are also constantly seeking the next weakness to exploit. Clean-up operations require broad global cooperation from law enforcement, domain registrars, security vendors, sinkhole operators, and most importantly, victims -- who must largely "opt-in." The recent Justice Department DOJ effort aimed at disrupting several mass cyber infections was one of the first and largest experiments of its kind in cyberhealth notification and inoculation, and is a blueprint for good public cyberhealth.
Report: Administration, Congress, others must better shield electricity grid vs. cyber attack
A high-level report on the security of the electricity grid is complimentary of the Obama administration’s efforts to protect it and faults Congress for not doing enough. Yet protecting the grid — "the most critical of critical infrastructure" and "the backbone of our modern society" — requires more action from everyone, from the executive branch to the Hill to industry, the report for concludes. It
details the nature of the threat, from which countries it emanates, what has been done about it and should be done about it in all branches of government, from the state regulatory level to within the private sector.
Chinese hackers extending reach to smaller U.S. agencies, officials say
The New York Times
After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies. Law enforcement and cybersecurity analysts in March detected intrusions on the computer networks of the Government Printing Office and the Government Accountability Office.
Tech decisions driving Michigan's public safety expansion
In the last decade, the state of Michigan has achieved near blanket coverage of its Public Safety Communications System (MPSCS), a digital voice IP network of federal, state, tribal and private public safety agencies and police departments across the state.Today, 1,460 agencies are knitted together via the network, an order of magnitude more than the 152 linked in 2002. The growth is attributed to three primary factors: economies of scale, increased equipment interoperability and resiliency in the network.
How to approach declining federal IT spending
More efficient federal information technology systems will require fewer dollars, according to a new report from Deltek that predicts agency IT spending will fall from $101 billion to $94 billion in five years. Deltek factors in IT spending that often is left out of the overarching budget numbers, such as technology for the judicial and legislative branches and the intelligence community, as well as IT embedded in large defense systems.
How to spot opportunities in VA's health record quest
The story of federal electronic health records (EHRs) has taken another turn, with solicitations released by of the Defense and Veterans Affairs departments.. The VA thinks its Veterans Health Information Systems and Technology Architecture (VistA) Evolution Program could be the standardized EHR format across VA and the DOD – and they aim to prove it by pursuing DOD’s Department Healthcare Management Systems Modernization (DHMSM) contract, now in its third revision.
DeSalvo: Time for the heavy lifting on health record interoperability
The federal government is fleshing out the details of a 10-year plan to put in place interoperability standards for electronic health records. The Office of the National Coordinator for Health IT recently outlined basic policy building blocks in a vision paper.Six months into her tenure, ONC head Dr. Karen DeSalvo is now leading the charge to get comments from vendors, clinicians and other stakeholders to develop technical standards, certification for EHR systems, and privacy and security protections for health records, while also guaranteeing consumer access to individual records.
As cyber attackers get more sophisticated, so must agencies' protections
Federal News Radio
At a recent panel discussion, federal agency and private sector information security experts examined cyber prevention tactics and warned cyber criminals are stepping up their game with no signs of stopping. This includes launching more sophisticated attacks, yet on the opposite end, skewing simple in hacking tactics too.
Why a detection-centric approach to cybersecurity is the wrong path for federal
Next Gov (op-ed)
Surely, detection is a key component of any security program. But should our government be spending more time on detection than prevention? The answer is no. Here's what’s wrong with a detection-centric approach, how to build prevention into systems and ways to strike an appropriate balance between prevention and detection.
Teaming up to train, recruit cyber specialists
Two of the Department of Energy's advanced research laboratories are joining with Bechtel to recruit and train cybersecurity specialists to protect critical infrastructure.Lawrence Livermore National Laboratory said in a July 15 statement that it was joining Bechtel BNI and Los Alamos National Laboratory in a program aimed at training a new class of cyber defense professionals. Bechtel co-manages both labs with the University of California and other partners.
Senate hearing calls for changes to cybercrime law
In the wake of Microsoft's seizure of No-IP servers and domains, private and public sector representatives met to discuss what can be done to address the problem of botnetsk with panelists at a Senate Judiciary Committee hearing calling for changes to the Computer Fraud and Abuse Act (CFAA) and other legislation that addresses cybercrime.
Northern Command nominee: U.S. behind in cyber defense
A Navy admiral nominated to head the joint command responsible for defending the U.S. homeland and aerospace acknowledged in his confirmation hearing that the country is lagging in its cyber-defense of critical infrastructure.Adm. William Gortney, who has been tapped to head the U.S. Northern Command and the North American Aerospace Defense Command, also told the Senate Armed Services Committee on July 10 that he was unaware of a formal coordinating mechanism between Northern Command and the Department of Homeland Security for responding to cyberattacks.
DISA shutters Alabama DECC
C4ISR & Networks
The Defense Information Systems Agency is moving forward with plans to centralize IT operations, closing a defense enterprise computing center (DECC) in Huntsville, Alabama. The latest closure is expected to save the Defense Department $3.2 million per year. DISA now has 10 DECCs, a decrease from 18 in 2008. Overall the closures—part of the broader Federal Data Center Consolidation Initiative, and also in line with the department’s transition to the Joint Information Environment (JIE)—are expected to save DoD $17 million per year.
Army moving enterprise apps to core data centers
In line with its data center consolidation plan started three years ago, the Army has begun moving its enterprise systems and applications to designated core data centers.The migration represents the first step in establishing policies and procedures for the centralization of data hosting, according to an Army release. The entire migration is slated to be completed by the end of fiscal 2018.
Senate would trim president's defense IT budget by $500M
The Senate Appropriations Defense Subcommittee approved a bill July 15 that would provide $500 million less for defense IT than President Barack Obama’s budget requested.A bill summary provided by the subcommittee justified the lower figure -- which it said was 3 percent below the president’s request -- by saying, :trimming IT funding will help prioritize and better target non-cybersecurity IT investments in an era of fiscal constraint."
Senate bill proposes $61.6M in cuts to Pentagon IT programs
C4ISR & Networks
The Obama administration requested about $11 billion for all Defense Department information technology activities next year. However, in a report accompanying its 2015 military spending bill, the Senate Appropriations Defense subcommittee proposes several sizable cuts, and is calling on DoD to trim duplicative programs.
Identity management will get a mobile makeover by 2017
Information Week - Bank Systems & Technology
The proliferation of mobile devices has led to a new consumer paradigm -- many consumers think and act in a “mobile-first” way. In financial services, devices are moving from simple information servicesto transaction providersor more complex solutions, with adoption growing. A key building block to this trend is a high-quality method of determining identity. In the first of a two-part series, how mobile will change user authentication and risk management in financial services is explored.