Generic

Cybersecurity News

 

DHS puts critical infrastructure on 'Heartbleed Bug' alert
SC Magazine
04/11/14

Critical infrastructure operators are now being alerted to the far-reaching impact of a critical OpenSSL flaw, dubbed the "Heartbleed Bug." On April 11, the Department of Homeland Security warned of attackers potentially exploiting critical, unpatched systems affected by the vulnerability. DHS' Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reached out to vendors and asset owners to determine which of the computer systems that run essential services, including critical infrastructure, user-facing and financial systems, are exposed.


DHS alert: Heartbleed may have been used against industrial control systems
The Christian Science Monitor
04/11/14

The threat from the Heartbleed cyber vulnerability could reach into the industrial systems that power the US economy, apparently including those used to operate the power grid. Unconfirmed reports that Heartbleed has already been used to attack the encrypted communications systems of US industrial control systems are being investigated, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced in an alert April 11.


Federal websites avoid Heartbleed risks, DHS says
Next Gov
04/11/14

The government's main public websites are not at risk from the security vulnerability Heartbleed, the Homeland Security Department said April 11, although many of the sites -- including HealthCare.gov -- were built on systems that were susceptible. Officials declined to say how sites hosted on vulnerable systems were shielded from attacks exploiting the Heartbleed bug.


Govs run the Heartbleed bug test
Government Technology
04/10/14

Governments at all levels in the U.S. are not immune from the Heartbleed bug's impact, and public sector agencies that host sites containing citizen data are absolutely worried about the newly discovered vulnerability. One state security official said "public agencies are scrambling to test their sites, and if they determine they are vulnerable, they are working to immediately put in place compensating controls and ultimately fix the problem."


NSA reportedly exploited Heartbleed for spying—But strongly denies the allegation
National Journal
04/11/14

The National Security Agency reportedly knew of and exploited the massive Internet bug recently revealed to the public and now known as "Heartbleed" in order to gather intelligence on targets. Instead of trying to repair the flaw, which has potentially affected countless people, the NSA reportedly exploited it in secret. In a statement April 11, the NSA denied the report.


Website admins will be busy dealing with Heartbleed
Computer World
04/10/14

Website and server administrators will have to spend considerable time, effort and money to mitigate all the security risks associated with the Heartbleed vulnerability. The flaw is not the result of a cryptographic weakness in the widely used TLS (Transport Layer Security) or SSL (Secure Sockets Layer) communication protocols, but stems from a rather mundane programming error in OpenSSL, used by various operating systems, Web server software, browsers, mobile applications and even hardware appliances and embedded systems.
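As an added illustration of the "mundane programming error" the article refers to (this is demonstration code written for this page, not code from the article or from OpenSSL), the C below shows the shape of the bug: the TLS heartbeat handler read a 16-bit payload length from the peer's message and copied that many bytes out of the received record without checking that the record was actually that long, so a short request with a large claimed length echoed back whatever sat next to it in memory. The record layout is the real heartbeat format (type, two-byte length, payload, at least 16 bytes of padding); the 64-byte simulated heap, the two-byte payload and the "S3CRET" marker are constructed for the demo, and the length check in heartbeat_fixed is the one the OpenSSL patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1          /* heartbeat_request message type */
#define HB_PADDING 16         /* minimum padding the heartbeat format requires */
#define HEAP_SIZE  64

/* Simulated process memory. The heartbeat record is placed at offset 0 and
 * unrelated data (a constructed marker standing in for keys, cookies or
 * passwords) is placed right after it, which is exactly what the over-read
 * exposes. Constructed sample data, not captured from any real system. */
unsigned char heap[HEAP_SIZE];

/* Lay out one heartbeat record in the arena:
 *   type (1) | payload_len (2, big-endian) | payload | 16 bytes of padding
 * claimed_len is what the peer says, actual_len is what it really sent.
 * Returns the number of record bytes that actually arrived. */
size_t build_record(uint16_t claimed_len, const char *payload, size_t actual_len,
                    const char *secret)
{
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(heap + rec_len, secret, strlen(secret)); /* neighbouring memory */
    return rec_len;
}

/* Pre-fix behaviour: the length is read from the record and used as-is.
 * Nothing ties it to the bytes received, so a 2-byte payload with a claimed
 * length of 40 copies 38 bytes of whatever follows the record. (Bounded here
 * only by the demo arena; in a real process this reads past the allocation.) */
int heartbeat_vulnerable(const unsigned char *rec, unsigned char *out)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Post-fix behaviour: discard any record whose claimed payload plus header
 * and padding does not fit in the bytes actually received. Returns the
 * echoed payload length, or -1 when the record is rejected. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                                  /* no room for header + padding */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;                                  /* claimed length exceeds the record */
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Does the echoed buffer contain the neighbouring marker? */
int leaks_marker(const unsigned char *buf, int n, const char *marker)
{
    size_t m = strlen(marker);
    for (int i = 0; i + (int)m <= n; i++)
        if (memcmp(buf + i, marker, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[HEAP_SIZE];
    size_t rec_len = build_record(40, "hi", 2, "S3CRET");

    int n = heartbeat_vulnerable(heap, out);
    printf("vulnerable: echoed %d bytes, marker leaked: %s\n",
           n, leaks_marker(out, n, "S3CRET") ? "yes" : "no");

    n = heartbeat_fixed(heap, rec_len, out, sizeof out);
    printf("fixed: %s\n", n < 0 ? "record rejected" : "echoed payload");
    return 0;
}
```

The point for operators is in the fixed function: the check compares the peer-supplied length against the length of the record that was actually received, which is why the flaw is a memory-safety bug in one implementation rather than a weakness in TLS itself, and why patching OpenSSL (and then rotating keys and credentials that may already have been read) is the remediation rather than any change to the protocol.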


HHS CISO on healthcare cybersecurity
Gov Info Security
04/10/14

Many healthcare organizations need to improve their basic cybersecurity "blocking and tackling," and most also need to improve their willingness to share cybersecurity information, says Kevin Charest, chief information security officer at the U.S. Department of Health and Human Services. In this interview, Charest also discusses emerging cybersecurity threats facing the healthcare sector and ongoing security efforts for HealthCare.gov.


Iranian-based cyberattack activity on the rise, Mandiant report says
Dark Reading
04/11/14

The worlds of politics and business often intersect, in the physical world and in cyberspace, and 2013 saw a number of politically motivated attacks against companies across the world. In a new report from Mandiant, now part of FireEye, researchers describe a threat landscape where political conflicts have spurred hackers into action against the private sector. While much attention has focused on Chinese cyberespionage, increased activity by attackers with suspected links to Iran and Syria is catching the attention of security experts.


Could Russia use cyberwarfare to further destabilize Ukraine?
Mashable
04/14/14

Eastern Ukraine is full of rioters ready to separate from their nation's government in Kiev — at least, that's the message the Russian government may want to project to the world. The Kremlin is pushing the idea that there is a widespread separatist movement in the eastern part of Ukraine that the government in Kiev cannot control, and analysts believe the Russian government could use cyberattacks as a subtle way to create more chaos and support its objectives.


Malware found on computers of Germany's space center, evidence points to China
Softpedia
04/14/14

The German Aerospace Center (DLR), the country's national center for aerospace, energy and transportation research, has been reportedly targeted in a cyberattack apparently launched by a Chinese intelligence agency. According to Der Spiegel, computers used by administrators and scientists have been found to be infected with Trojans and spyware, and the cyberattacks appear to be sophisticated. The attacks are said to impact all operating systems used by the DLR.


Wearables sales tripled in a year—and will grow 500 percent by 2018, study says
PC World
04/10/14

Research firm IDC says sales of wearables have more than tripled in one year's time, and will grow about 500 percent in the next four years. In its just-released forecast analysis, IDC reports that total global wearables sales will exceed 19 million units this year and will hit 111.9 million units in 2018, a compound annual growth rate of 78.4 percent and a total sales increase of just under 500 percent.


Wearables market to take off, hit 112M devices in 2018
Computer World
04/10/14

Wearable computers "took a huge step forward" in the last year and shipments of smartwatches and related devices will grow by 78% a year until 2018, IDC said in a report issued April 10. IDC for the first time issued a wearables forecast that divides the market into three categories ranging from low-cost, simple devices to higher-cost products with expanded capabilities. The three categories are dubbed complex accessories, smart accessories and smart wearables.


Feds are OK with cyberthreat info sharing, say it's not an antitrust violation
Computer World
04/10/14

U.S. businesses can share most cyberthreat information with competitors without facing antitrust enforcement action, two U.S. enforcement agencies said April 10. The policy statement came from the Department of Justice and the Federal Trade Commission. White House cybersecurity coordinator Michael Daniel added that the U.S. government wants companies to share threat information with each other and with government agencies focused on cybersecurity.


US says cybersecurity sharing not an antitrust issue
Security Week
04/10/14

Amid heightened concerns about data breaches and malware that can foil online encryption to allow hackers to steal passwords or other personal data, US officials announced April 10 that companies sharing information about cybersecurity would not face prosecution on antitrust grounds. The Justice Department and Federal Trade Commission said they have issued formal guidance telling companies that there would be no antitrust issues from the sharing of technical information about cyberattacks, malware or similar threats.


U.S. rallied 120 nations in response to 2012 cyberattack on American banks
The Washington Post
04/11/14

In 2012, some of the largest U.S. banks were under cyberattack, with hackers commandeering servers around the world to direct a barrage of Internet traffic toward the banks' Web sites and bringing the sites down for hours at a time. Wary of provoking even more intense attacks, the Obama administration rejected an option to hack into the adversary's network in Iran and squelch the problem at its source, and instead appealed to more than 100 countries to choke off the debilitating computer traffic at nodes around the world.


Obama lets N.S.A. exploit some Internet flaws, officials say
The New York Times
04/12/14

President Obama decided in January that when the NSA discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks. But he carved a broad exception for "a clear national security or law enforcement need," a loophole that is likely to allow the NSA to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.


Obama backs disclosure of most software flaws
Computer World
04/14/14

According to the Office of the Director of National Intelligence, the Obama administration favors disclosing to the public vulnerabilities in commercial and open source software in the national interest, unless there is a national security or law enforcement need. This statement also denied a report that said the NSA knew about the recently identified Heartbleed vulnerability for at least two years and had used it for surveillance purposes.


DoD to scrutinize GSA prices
Federal Times
04/11/14

The GSA promotes its supply schedules as offering agencies the lowest prices for commercial products and services, but the Defense Department believes it doesn't always get the best deals on GSA schedules. A DoD class deviation policy dated March 13 requires contracting officers to determine whether GSA's prices are in fact fair and reasonable, and a Pentagon official said DoD is working to address the variable pricing on its schedules and has taken several steps to lower prices.


Marines test mobile tablets
C4ISR & Networks
04/11/14

The Marine Corps is testing hand-held tablet computers designed to give ground troops real-time target intelligence, and officials say this technological development will change how the service carries out crisis-response missions in hostile parts of the world.


Army intelligence system gets new geospatial tools
Defense Systems
04/09/14

As an improvement for the Army's Distributed Common Ground System-Army (DCGS-A), the service's common system for gathering, analyzing and sharing intelligence information across echelons, Esri has provided a revised set of customized templates that include maps, analytic capabilities and other visualization tools. DCGS-A provides planning and direction, collection, processing/exploitation, analysis, prediction and production, battlespace awareness data dissemination, and relay capabilities.


Navy struggles to streamline IT
C4ISR & Networks
04/11/14

Across the Defense Department, IT consolidation serves as a prime way to achieve cost efficiencies in the search for savings. Indeed, data center consolidation is a high priority across the government, not just for DoD. But just because it's widespread doesn't mean it's easy. The Navy has been on a multi-year mission to pare down its duplicative networks, data centers and business systems, achieving savings along the way, but the process remains difficult and rife with challenges, according to officials.


DOD expands use of IT Dashboard
FCW
04/11/14

In its fiscal 2015 submission to the federal IT Dashboard, the Defense Department has reported more than $2.5 billion in ongoing IT projects that were not listed last year, raising the number of DoD IT projects from 93 to 118.
Those are not new projects, but rather an update that reflects the increasing pressure to get DoD to comply with OMB's IT reporting requirements. Congress hopes uniform reporting will give a more accurate picture of the department's $31 billion worth of non-classified IT spending.

Deltek suffers cyber attack putting 80,000 employees of vendors at risk
Federal News Radio
04/09/14

About 80,000 employees of federal contractors are at risk of identity theft after a hacker broke into business research firm Deltek's GovWin IQ system.  In an email to vendors, Deltek said it discovered on March 13 it had suffered a cyber attack where a hacker obtained GovWin IQ usernames and passwords, and potentially the credit card information of about 25,000 of those 80,000 customers. Deltek said the widespread cyber attack also affected a number of federal agencies and other companies.


State, local governments turn attention to cybersecurity capabilities
The Washington Post - Capital Business
04/06/14

A growing concern over cybersecurity is permeating federal, state and local governments. A confluence of factors — evolving technologies, the rise of state-sponsored corporate espionage and a talent drain of valuable public-sector IT personnel — has created an environment in which state governments (and the valuable personal data they store about their citizens) are under constant threat from millions of cyberattacks and intrusion attempts every day.


Public or private cloud? The decision comes down to risk, DISA CIO says
Next Gov
04/08/14

When federal agencies decide whether information, data or applications belong in a public cloud, a private government cloud, or a hybrid combination of the two, myriad factors play into the decision, including projected cost savings, information sensitivity and availability. But according to U.S. Defense Information Systems Agency CIO David Bennett, the single most important element continues to be risk.


Interior trusts other agencies' cloud security judgments
Next Gov
04/08/14

The Interior Department is among the few agencies operating in the commercial cloud without testing for security holes. Interior is throwing its trust behind the Federal Risk and Authorization Management Program (FedRAMP), a cloud evaluation program that offers agencies documentation showing that a vendor's storage, streaming video or other online service meets basic safeguards, including data backups. Among the perceived negatives is reliance on another agency's due diligence.


GAO sees opportunity for IT savings in duplication report
FCW
04/08/14

The annual report of the Government Accountability Office sees a number of potential IT savings. GAO wants stronger oversight from OMB in the PortfolioStat reviews, especially with regard to data quality on commodity IT investments. GAO sees opportunities to strengthen agency-level CIO authorities under existing law to give more visibility into troubled IT projects, and it hopes to realize significant savings from the use of reverse auctions in acquisitions, including for IT products.


CDM, before and after
FCW
04/08/14

The agency charged with tracking down cybercriminals is looking forward to the progression of continuous diagnostics and mitigation (CDM) into federal networks, even though on-the-ground cyberforensics experience with the technologies is still hypothetical. CDM will allow agencies to have a clearer view of vulnerabilities in their networks, and could enrich the forensic path for cybercrime investigators. Agency- and federal-level dashboards associated with CDM will serve as a starting point for cyber-intrusion investigations.


OMB seeks more money to tackle IT effectiveness
FCW
04/09/14

OMB has identified three management issues that need to be fixed to help IT procurement: 1) putting in place stronger connections between business owners and IT specialists; 2) shifting from a waterfall approach to development to a more iterative process; and 3) improving end-to-end accountability on projects.  OMB also wants to focus on attracting more highly skilled IT developers and managers and more agile vendors, and improving best practices for procurement and project management.


Edging toward government mobile management
Federal Times
04/04/14

As the demand for mobile devices on the job in federal agencies grows, corresponding management policies for secure mobility are taking off in government offices across the country. The policies are in various stages of development. Some organizations are leading the charge, providing services for other offices, while others struggle to balance the pressing information-sharing needs both spurred and solved by mobility and its inherent security concerns.


DHS seeks next-gen security operations center
Federal Times
04/07/14

The Homeland Security Department is laying the foundation for a next-generation security operations center, one with more sophisticated technologies for thwarting cyberattacks. The Next Generation Enterprise Security Operations Center (NextGen ESOC) would revamp DHS' current security operations center, which today provides 24/7 continuous monitoring, analysis and reporting of DHS security events as well as other services, according to a request for information to industry.


Justice cancels 7 IT procurements over China links
FCW
04/08/14

The Justice Department has canceled seven federal IT procurements, due to a 2013 law requiring a cybersecurity review of procurements by the departments of Justice and Commerce, NASA, and the National Science Foundation for vendors that had links to the Chinese government or military. The rule seeks to eliminate IT gear from firms known to be responsible for cyberattacks on U.S. companies or to have links to the Chinese military.


DoD plots third chapter in Better Buying Power initiative
Federal News Radio
04/09/14

DoD says it is in the very early stages of creating a "3.0" version of its ongoing Better Buying Power initiative, which will focus on making sure the military doesn't fall behind in technological superiority even though research dollars are shrinking. Undersecretary for acquisition, technology and logistics Frank Kendall said that Better Buying Power 3.0, the next edition of the Pentagon's effort to improve its acquisition system, will zero in on the need to continue to support technology advances. 


Defense IT: Past lessons, future evolution
C4ISR & Networks
04/08/14

Past defense information technology reform efforts, such as data center consolidation, and present challenges like big data show where the department can learn and improve. Emerging technologies will continue to chart a course for network modernization intended to save more than $5 billion over the next five years.


Cyber warfare research institute to open at West Point
Army Times
04/07/14

The U.S. Military Academy has established a cyber warfare research institute at West Point to groom elite cyber troops and solve thorny problems for the Army and the nation in this new warfighting domain. The Army Cyber Institute, which aims to take on national policy questions and develop a bench of top-tier experts for the Pentagon, will be defining how cyber warfare is waged, to steer and inform the direction of the Army.


Navy accelerates NGEN completion
C4ISR & Networks
04/08/14

After a contract-protest delay of more than three months temporarily halted progress on its Next Generation Enterprise Network, the Navy is declaring full speed ahead on the migration process that originally was slated to end this month. The target deadline for transitioning from the Navy-Marine Corps Intranet to NGEN is the end of this calendar year, but officials are shooting for a September end date and could even finish up initial phases as early as June.


Navy to finish moving IT network to NGEN contract by September
Federal News Radio
04/07/14

Following a long series of delays, the Navy says it intends to fully migrate its massive, one million user enterprise IT network onto a new contract structure known as NGEN by the end of September. The Navy and its prime contractor, HP, are racing to move NMCI to NGEN's government-owned, contractor-supported model by the end of this fiscal year, which will mean shaving about three months off of the $3.5 billion contract's original transition schedule.


JIE may enable faster mobile app deployment
Signal Online
04/07/14

Once the Joint Information Environment (JIE) is in place, the U.S. Defense Department may be able to deploy secure mobile apps much more quickly than it can with today's cumbersome process, according to Teri Takai, Defense Department chief information officer. Currently, mobile devices require access to encryption through the user's common access card (CAC), but department officials are seeking a solution for encrypting communications without the need for a second device.


Lightening the workload for Cyber Command
Signal Online
04/03/14

The U.S. military is moving to the Joint Information Environment (JIE) in part because the current architecture is too complex to be easily defended, according to Teri Takai, Defense Department CIO. The end state of JIE is a secure, joint information environment comprising shared infrastructure, enterprise services and a single security architecture. It will enable full-spectrum superiority, improve mission effectiveness, increase security and realize technology efficiencies.


One third of phishing attacks aimed at stealing money
Help Net Security
04/08/14

According to data collected as part of Kaspersky Lab's 'Financial cyber threats in 2013' study, cybercriminals are trying harder than ever to acquire confidential user information and steal money from bank accounts by creating fake sites mimicking financial organizations. In 2013, 31.45 per cent of phishing attacks were trading on the names of leading banks, online stores and online payment systems - an increase of 8.5 percentage points from the previous year.


DISA tests a move away from CAC
C4ISR & Networks
04/09/14

DISA is taking a first step away from the Defense Department's longtime security backbone, the common access card (CAC), with a small, early pilot exploring derived credentials, which store security certificates directly on a device instead of on a separate card. DISA appears to be the first defense agency, if not the first government agency, to begin testing derived credentials. So far the pilot program, in its earliest stages, is very small and is limited to unclassified data.


State pilots test ID management for online services
GCN
04/08/14

Establishing the identity of online users is a big issue for electronic delivery of government services. Identity proofing ensures the right person receives services, but can be burdensome to both citizens and the state, while more user-friendly techniques can open programs up to fraud. To address this, NIST has awarded $2.4 million to Michigan and Pennsylvania to test innovative tools and techniques for identity proofing and enable use of secure credentials across departmental boundaries.


5 biometric alternatives to the password
CNN
04/04/14

The password has had its moment, but those hard-to-remember strings of numbers and letters are increasingly insecure and clumsy to manage. The next wave in computer security will be biometric authentication, the futuristic practice of using unique behavioral and biological traits such as fingerprints, gait and yes, even ear shape to confirm your identity. Here are five biometrics that are part of the next wave of identification technologies.


The cyberwarfare market worth $15.9bn in 2012
ASD News
04/06/14

Analysis done for ASD's Cyberwarfare Market 2012-2022 indicates that the global cyberwarfare market will have reached a value of $15.9 billion in 2012, as governments continue to invest in a range of cyberwarfare systems and solutions despite massive cuts in other defense sectors in a number of countries. The cyberwarfare market is likely to be driven by increasingly networked systems requiring increasing levels of protection from a continuing, persistent threat.


U.S. tries candor to assure China on cyberattacks
The New York Times
04/06/14

The Obama administration has quietly briefed Chinese military leadership on DoD's emerging doctrine for defending against cyberattacks against the U.S. and for using its cybertechnology against adversaries, including the Chinese. The hope was to prompt the Chinese to give Washington a similar briefing about the many People's Liberation Army units believed to be behind escalating attacks on American corporations and government networks, but so far, the Chinese have not reciprocated.


Russia vs. Ukraine: The cyber front unfolds
Atlantic Council
04/02/14

Russia's battle with Ukraine is being fought partly in cyberspace, where it may have greater room for escalation as nations increasingly accept covert cyber attack as a valid form of international pressure when more traditional options are too violent or visible. Unlike past Russian cyber conflicts with Estonia and Georgia, this appears so far to be pitting strong hacker communities in each nation against each other in hundreds of attacks that have disrupted websites or e-mail systems.


New federal rule requires banks to fight DDoS attacks
Network World
04/04/14

In a ground-breaking regulation, the Federal Financial Institutions Examination Council (FFIEC) has issued a notice defining six steps it wants banks and other financial institutions to follow, including first setting up a program to assess risk to IT systems, then monitoring Internet traffic to the institution's website to detect distributed denial-of-service (DDoS) attacks, and being prepared to activate incident response plans with ISPs.


Version 2 of cloud cybersecurity standards coming soon
Federal News Radio
04/02/14

As agencies face an impending deadline to implement the current set of cloud security standards, the next version is already under development. GSA and the Defense and Homeland Security departments are kicking off Federal Risk and Authorization Management Program (FedRAMP) 2.0 by incorporating new cyber requirements from NIST Special Publication 800-53, Rev. 4. NIST released that latest version of its privacy and computer security controls for federal information systems in April 2013.


State and local government cybersecurity
The White House (blog)
04/02/14

White House Cybersecurity Coordinator Michael Daniel writes that state, local, tribal, and territorial government stakeholders are critical partners in the overall drive to improve cybersecurity protections for the nation's critical infrastructure via the Cybersecurity Framework developed by NIST. A recent meeting of a broad array of stakeholders held a discussion of how to support Framework implementation and cybersecurity improvements for local governments.


Data breach response leaves something to be desired
FCW
04/03/14

The number of government data breaches involving personally identifiable information has more than doubled since 2009, and the Government Accountability Office wants federal agencies to adhere more closely to existing security protocols to better protect people's data. GAO found that many agencies have struggled to address the eight required components of an information security program, specifically in implementing security controls.


DHS prepares overhaul of internal security operations
Next Gov
04/04/14

The Homeland Security Department is planning to overhaul an organization that defends DHS' own internal networks with a counter-hack mechanism called the intrusion defense chain, or "kill chain," expected to drive the revamp. A kill chain predicts an intruder's attack plan and breaks it down into steps that must be taken to achieve the hack, and operators then devise a countermeasure for each action that, if applied at any point in the chain, will thwart the criminal's plan.


How to find cyber security opportunities in the fiscal 2015 budget
Baltimore Business Journal
04/02/14

As the federal information technology industry digs deeper into the fiscal 2015 budget request, the interesting story lies in how the administration will devote dollars to cybersecurity initiatives. DoD's cyber spending is pegged at $5 billion and DHS' proposed cyber budget is almost doubling to $1.3 billion. The government has developed a kind of architecture that can help suppliers take advantage of this growth in spending across several areas of the cyber business.


House lawmakers lose patience with VA, introduce prescriptive cyber bill
Federal News Radio
04/03/14

Members of the House Veterans Affairs Committee are no longer waiting for the Veterans Affairs Department to fix what lawmakers and outside auditors believe are systemic cybersecurity problems, and have introduced legislation to explicitly require VA to take specified steps to repair operational and procedure holes in its network and computer security processes. A hearing was held on the legislation March 25.


DoD adopts NIST security standards
C4ISR & Networks
04/02/14

DoD recently officially adopted NIST's government-wide IT security standards to make compliance simpler, abandoning the longstanding, military-specific DoD Information Assurance Certification and Accreditation Process (DIACAP) in favor of NIST's Risk Management Framework. The move includes the Pentagon's republishing and reissue of its 8500 and 8510 instructions for IT security standards to reflect the changes. DoD CIO Teri Takai discussed the move April 2.


Pentagon gives weight to electronic warfare
Defense Systems
04/02/14

The Defense Dept. has refined its plan for electronic warfare as "a cross-cutting capability" of joint operations with components sharing tactics, techniques and technologies. A new directive updates DoD's electronic warfare policy, setting out goals and assigning responsibilities for tasks such as acquisition, development, validation and oversight. Among the goals is integration of electronic warfare into the full range of military operations, including conventional, space and cyberspace operations.


Rogers takes over top NSA, Cyber Command posts
American Forces Press Service
04/03/14

Navy Adm. Michael S. Rogers assumed command of U.S. Cyber Command and became director of the National Security Agency and the Central Security Service during a ceremony at Fort Meade, Md. on April 3. He succeeds Army Gen. Keith B. Alexander, who retired the previous week, in all three posts. Previously, Rogers was commander of the Navy's 10th Fleet, the service's cyber arm. He had already been confirmed by the Senate.


Identity, visitor management solutions come of age
Security Info Watch
04/04/14

Recognizing that no organization is immune to risk, there has been an increased emphasis within both the private and public sector about insider threats and the potential for security breaches. With the emergence of solutions in physical identity and access management (PIAM) and visitor management, it's now possible to track and audit someone's physical and logical access patterns, which could be the data an organization or federal agency needs to prevent Snowden-style leaks.


Facebook's new face recognition knows you from the side
CNN Money
04/04/14

Facebook researchers published a paper last month in which they detailed the capabilities of a new artificial intelligence system known as "DeepFace." Most current facial-recognition software struggles with images that don't include clear, frontal views of their subjects. That's not the case with DeepFace, which creates 3-D models of the faces in photos and then analyzes them using artificial-intelligence technology known as "deep learning."