Cybercrime

https://sm.asisonline.org/Pages/When-The-Money’s-Gone.aspx
When The Money’s Gone
Cybersecurity | 2019-04-01 | By Megan Gates (https://adminsm.asisonline.org/pages/megan-gates.aspx)

It could not have come at a worse time. In the middle of the longest partial U.S. government shutdown in history, the National Cybersecurity and Communications Integration Center (NCCIC) issued an alert that it was aware of a global Domain Name System (DNS) infrastructure hijacking campaign affecting government, telecommunications, and Internet entities.

“Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve,” the alert from NCCIC said. “This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.”

Twelve days after the alert was issued, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said that the campaign had affected multiple executive branch agency domains and notified the agencies that maintain them.

CISA then ordered all .gov and other agency-managed domains to audit public DNS records to verify that they were going to the intended location. CISA also mandated that all passwords for accounts on systems that manage agencies’ DNS records be changed and that multifactor authentication be implemented.

To mitigate the campaign, the NCCIC recommended that organizations implement multifactor authentication on domain registrar accounts used to modify DNS records; verify that their DNS infrastructure directs to the proper Internet Protocol addresses or hostnames; search for encryption certificates related to their domains, revoking fraudulent certificates; and monitor their certificate transparency logs.

CISA said it would provide technical assistance to agencies, along with additional guidance through emergency directive calls, to accomplish this work.

However, government agencies faced significant challenges in carrying out CISA’s mandate because of the government shutdown: many federal workers and contractors were furloughed or reporting for work without pay. For instance, 43 percent of CISA’s own workforce was furloughed during the shutdown.

This was in addition to the immense pressure these employees face on a day-to-day basis, says Suzanne Spaulding, former undersecretary for the National Protection and Programs Directorate at DHS (later known as CISA).

“My experience at DHS is these are people that are already completely overwhelmed with all the things they have to do—even when they are at full strength,” explains Spaulding, now senior advisor for homeland security at the Center for Strategic and International Studies (CSIS). “They can never get to things as quickly as they would like, or as you would like them to. There aren’t enough of those professionals and the amount of work they have to do to keep those systems in compliance with cybersecurity requirements, or bring systems into compliance with cybersecurity requirements, is massive.”

Shortly after CISA’s mandate went out, U.S. President Donald Trump signed a continuing resolution to fund the rest of the government for three more weeks to give Congress an opportunity to pass a budget for the rest of the fiscal year.

However, concerns remain about the impact that the partial government shutdown had on the nation’s cybersecurity. Critical functions of the government were still operational, but other functions—such as routine maintenance of government websites and networks—ceased during the shutdown.

For instance, one of the most visible signs that the cyber workforce was not on the job was the expiration of roughly 130 federal government websites’ encryption certificates. When visitors went to those sites, they likely received warnings from their Internet browsers that the websites were unsafe—or inaccessible.

“These security certificates, which expired absent manual renewal during the shutdown, render a number of these government sites unreachable to the public, as popular browsers treat the expired certificates as a security risk,” wrote U.S. Senator Mark Warner (D-VA), vice chairman of the Senate Select Committee on Intelligence, in a letter to DHS Secretary Kirstjen Nielsen. “Long term, the effect is an undermining of public trust in the competence and security of federal websites and Web-based government services.”

The shutdown also meant that international dialogues about cybersecurity were not happening, casting doubt on the U.S. government’s ability to be an effective partner, Spaulding says.

“We don’t have specifics, but if there were international meetings happening to talk about and continue to improve the ways in which we can work together to reduce risk and respond more effectively to attacks like WannaCry and NotPetya, it’s very likely that our folks are not able to go to those meetings,” she explains. “And that’s a big problem.”

The shutdown also likely stalled outreach to U.S. state and local partners to enhance election security following the 2018 midterm elections and ahead of the 2020 U.S. presidential election.

“We are already behind schedule—even before the shutdown started—it was going to be hard for states to do all the things that they should do to secure elections for 2020, and a number of them—including Virginia—have elections in 2019,” Spaulding says. “Losing four weeks in that effort is problematic.”

U.S. lawmakers, including Warner, have voiced concerns about the shutdown’s impact on the nation’s cybersecurity. In his letter to Secretary Nielsen, Warner explained that after the last extended government shutdown in October 2013, forensic investigators discovered the first breach of the Office of Personnel Management (OPM). Additional breaches later compromised more than 21 million current and former federal workers’ personal data.

“It’s my sincere hope that we will not come to learn that malicious actors opportunely chose to exploit our defenses while hundreds of thousands of government employees were needlessly pulled away from their jobs,” Warner wrote.

He asked that Nielsen provide him with information about the federal government’s cybersecurity, including whether DHS noticed an uptick in attempted attacks during the shutdown; what percentage of DHS’s overall workforce—including contractors—was furloughed; the length of time it will take cybersecurity-related contracts that were suspended during the shutdown to resume; and the effect that the shutdown has on retention and morale of the federal workforce, which missed two paychecks during the lapse in appropriations.

FBI agents, many of whom work to investigate cybercrime, are considered essential personnel and were required to work without pay during the shutdown. The FBI Agents Association spoke to agents about the effect this had on their morale and commitment to the Bureau and shared their views anonymously in a report released to officials and the public.

“I’ve been an agent for more than four years and have a degree in computer science and work computer intrusions,” said one agent from the Washington, D.C., region. “Putting up with lower pay than the private sector only makes sense when you actually get paid.”

Another agent echoed those sentiments, adding, “I can’t imagine attracting new, qualified applicants to the FBI as a result of this shutdown—those folks will go elsewhere too, and we will get stuck with subpar applicants.”

Spaulding agrees and says that she is concerned that the United States will see an exodus of its “best and brightest” following the shutdown.

“Inertia will keep some people who are frustrated from leaving,” she adds. “But certainly, people who have not yet committed to coming in are going to think twice about whether they really want to come into an environment where this kind of thing happens. I think it makes recruiting that much harder; and yes, I think we need to be prepared for a lot more openings.”

The shutdown can also have ramifications for the ability of workers who remain to obtain or continue to hold a security clearance, which is often necessary for those who work in cybersecurity.

Danel A. Dufresne, senior counsel at Tully Rinckey PLLC who works in the firm’s Security Clearance Practice Group, says that one of the main reasons individuals lose their clearance is financial concerns.

For instance, a federal employee who holds a security clearance misses a few paychecks due to a government shutdown and racks up a large credit card bill, or personal loans, to cover his or her expenses until receiving back pay. This puts the employee in a financially tenuous position, which could be a security risk.

“The reason is it’s the basis for coercion,” he explains. “If you owe $10,000 to Citibank, you might be desperate for money to pay that off. If you haven’t told your employer, I could threaten to tell them and blackmail you.”

The FBI Association warned of this exact scenario in its report (https://www.gao.gov/assets/700/696229.pdf) issued during the shutdown.

“FBI Special Agents are subject to high security standards that include rigorous and routine financial background checks,” the association said. “Missing payments on debts could create delays in securing or renewing security clearances and could even disqualify agents from continuing to serve in some cases.”

Warner had asked that Nielsen provide the requested information by mid-February. As of Security Management’s press time, and prior to another potential government shutdown, DHS had not responded to his request.
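The NCCIC mitigations quoted above (verify that DNS records still point where they should, and watch certificate transparency for certificates nobody in the organization issued) come down to two comparisons against a trusted baseline. The following is an added example, not code from the article or from NCCIC or CISA, showing both checks offline: the domains, addresses, name servers and certificate fingerprints are constructed sample data, and the `BASELINE`, `OBSERVED`, `CT_ENTRIES`, `audit_dns`, `in_zone` and `review_ct_entries` names are this example's own. A live audit would fill `OBSERVED` from resolver queries and `CT_ENTRIES` from a CT monitor; the comparison logic stays the same.

```python
# Added example (not code from the article, NCCIC, or CISA): an offline
# audit of public DNS records against an expected baseline, plus a review
# of certificate transparency (CT) entries, mirroring two of the mitigations
# the NCCIC alert recommends.  All domains, addresses and fingerprints are
# constructed sample data; a live audit would populate OBSERVED from a
# resolver query and CT_ENTRIES from a CT monitor.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str         # "A", "NS", "MX", ...
    kind: str          # "unexpected_value" | "missing_value" | "unexpected_record"
    values: frozenset  # the offending record values


# Baseline: what the records are supposed to say (kept under change control).
BASELINE = {
    "agency.example": {
        "NS": {"ns1.agency.example.", "ns2.agency.example."},
        "MX": {"10 mail.agency.example."},
    },
    "www.agency.example": {"A": {"198.51.100.10"}},
    "mail.agency.example": {"A": {"198.51.100.25"}},
}

# Observed: what public resolvers answer today (constructed).  It simulates the
# kind of change the alert describes: the mail host now resolves elsewhere,
# one name server has been swapped, and a record nobody asked for has appeared.
OBSERVED = {
    "agency.example": {
        "NS": {"ns1.agency.example.", "ns2.elsewhere.example."},
        "MX": {"10 mail.agency.example."},
    },
    "www.agency.example": {"A": {"198.51.100.10"}},
    "mail.agency.example": {"A": {"203.0.113.77"}},
    "vpn.agency.example": {"A": {"203.0.113.78"}},
}


def audit_dns(baseline, observed):
    """Return every deviation between the baseline and the observed records.

    Both arguments map domain -> record type -> set of record values.
    Values present in the answer but not in the baseline are unexpected,
    baseline values absent from the answer are missing, and a record type
    the baseline never defined is reported as an unexpected record, since a
    hijack may add names rather than only change existing ones.
    """
    findings = []
    for domain, rrsets in baseline.items():
        for rtype, expected in rrsets.items():
            seen = observed.get(domain, {}).get(rtype, set())
            extra, missing = seen - expected, expected - seen
            if extra:
                findings.append(Finding(domain, rtype, "unexpected_value", frozenset(extra)))
            if missing:
                findings.append(Finding(domain, rtype, "missing_value", frozenset(missing)))
    for domain, rrsets in observed.items():
        for rtype, seen in rrsets.items():
            if rtype not in baseline.get(domain, {}):
                findings.append(Finding(domain, rtype, "unexpected_record", frozenset(seen)))
    return findings


# CT review: certificates logged for names under our domain (constructed).
# "fingerprint" stands in for the SHA-256 of the leaf certificate; the known
# set is what our own PKI process issued.
KNOWN_CERT_FINGERPRINTS = {"fp-known-1", "fp-known-2"}
CT_ENTRIES = [
    {"name": "www.agency.example", "issuer": "Example CA", "fingerprint": "fp-known-1"},
    {"name": "mail.agency.example", "issuer": "Example CA", "fingerprint": "fp-known-2"},
    {"name": "mail.agency.example", "issuer": "Other CA", "fingerprint": "fp-unknown-9"},
    {"name": "agency.example.evil.test", "issuer": "Other CA", "fingerprint": "fp-unknown-3"},
]


def in_zone(name, zone):
    """True for the zone apex and any name below it, not for look-alike names."""
    return name == zone or name.endswith("." + zone)


def review_ct_entries(known_fingerprints, entries, zone):
    """Return CT entries for names in our zone whose certificate we did not issue.

    These are the candidates for revocation that the alert talks about.
    """
    return [e for e in entries
            if in_zone(e["name"], zone) and e["fingerprint"] not in known_fingerprints]


if __name__ == "__main__":
    for f in audit_dns(BASELINE, OBSERVED):
        print(f"DNS  {f.kind:17} {f.domain} {f.rtype} {sorted(f.values)}")
    for e in review_ct_entries(KNOWN_CERT_FINGERPRINTS, CT_ENTRIES, "agency.example"):
        print(f"CERT unknown issuance for {e['name']} by {e['issuer']} ({e['fingerprint']})")
```

Run as a script, the sample data produces five DNS findings (the changed mail address and name server, each reported once as unexpected and once as missing, plus the unrequested `vpn` record) and one certificate to investigate; the look-alike name outside the zone is deliberately ignored so that CT noise for other people's domains does not page anyone.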

Cybercrime
2019-03-01  Book Review: Hacking for Dummies  https://sm.asisonline.org/Pages/Book-Review-Hacking-for-Dummies.aspx
2019-03-01  A Warm-Up Election  https://sm.asisonline.org/Pages/A-Warm-Up-Election.aspx
2019-02-01  The Cost of a Connection  https://sm.asisonline.org/Pages/The-Cost-of-a-Connection.aspx
2019-02-01  Book Review: Digital Investigations  https://sm.asisonline.org/Pages/Book-Review-Digital-investigations.aspx
2019-01-01  Book Review: One False Click  https://sm.asisonline.org/Pages/Book-Review-One-False-Click.aspx
2018-12-01  Avoiding Breaches  https://sm.asisonline.org/Pages/Avoiding-Breaches.aspx
2018-12-01  Book Review: IT Policies  https://sm.asisonline.org/Pages/Book-Review-IT-Policies.aspx
2018-12-01  Cyberthreats, Innovation, and the Future of AI  https://sm.asisonline.org/Pages/Cyberthreats-Innovation-and-the-Future-of-AI.aspx
2018-12-01  Top Five Challenges for Managing Cybersecurity Risk  https://sm.asisonline.org/Pages/Top-Five-Challenges-for-Managing-Cybersecurity-Risk.aspx
2018-11-01  Release the Robots  https://sm.asisonline.org/Pages/Release-the-Robots.aspx
2018-07-01  Book Review: Credit Card Fraud  https://sm.asisonline.org/Pages/Book-Review---Credit-Card-Fraud.aspx
2018-06-01  Artificial Adversaries  https://sm.asisonline.org/Pages/Artificial-Adversaries.aspx
2018-05-01  Cyber as Statecraft  https://sm.asisonline.org/Pages/Cyber-as-Statecraft.aspx
2018-04-01  The Problem with Bots  https://sm.asisonline.org/Pages/The-Problem-with-Bots.aspx
2018-01-01  Global Cyber Awareness  https://sm.asisonline.org/Pages/Global-Cyber-Awareness.aspx
2017-12-01  Held Hostage  https://sm.asisonline.org/Pages/Held-Hostage-.aspx
2017-12-01  An Identity Crisis  https://sm.asisonline.org/Pages/An-Identity-Crisis.aspx
2017-12-01  Cutting-Edge Criminals  https://sm.asisonline.org/Pages/Cutting-Edge-Criminals.aspx
2017-10-01  Driving the Business  https://sm.asisonline.org/Pages/Driving-the-Business.aspx
2017-09-27  Klososky Opines on the Future of Technology  https://sm.asisonline.org/Pages/Klososky-Opines-on-the-Future-of-Technology.aspx

You May Also Like...
https://sm.asisonline.org/Pages/Book-Review---Emergency-Planning-for-Nuclear-Power-Plants-.aspx
Book Review: Emergency Planning for Nuclear Power Plants
National Security

Published by Routledge; crcpress.com; 362 pages; $105.

Starting with a sound historical platform, Emergency Planning for Nuclear Power Plants prepares the reader to understand the complex nature and evolution of emergency preparedness requirements for nuclear power plants. The author focuses on the technical basis for nuclear emergency planning and provides the reader with a good understanding of issues and risks from a radiological dose perspective. He also leaves room to apply emergency management principles, such as fire and security, that also play a role in response planning.

The book explains how certain directions taken by the U.S. Nuclear Regulatory Commission have helped shape the industry abroad. A key example is a discussion on reactor consequence analysis and the probabilistic risk assessment that is used widely across the industry. The author's focus is on U.S. regulations, although one could argue that the difference in regulation today across countries is not significant, thus increasing the relevance of the book to industry emergency managers around the world.

The discussion centers on emergency planning considerations that address the issues associated with two reactor types—pressurized water reactors and boiling water reactors—that are prevalent in the United States. Some risks attributed to other reactor types are not fully addressed in the book.

By effectively deploying mitigation strategies developed since the Fukushima nuclear accident in 2011, the expected radiological dose from large-scale nuclear accidents can be significantly reduced. The author provides good explanations of all aspects of emergency planning. However, too much detail in some sections might confuse the reader. Still, this book is a must-read for all nuclear industry emergency planning managers.

Reviewer: Dan McArthur has more than 30 years of experience in the nuclear industry and now serves as senior strategist at Bruce Power, where he focuses on regulatory and government affairs pertaining to emergency management policy. He is a member of the Canadian Standards Association, providing technical input and guidance on emergency preparedness requirements for nuclear power plants in Canada.
https://sm.asisonline.org/Pages/Space-Jam.aspx
Space Jam
National Security

Much of the western United States was put on notice earlier this year when the U.S. Air Force announced that it would be blocking GPS signals on its base south of Las Vegas, Nevada. The tactic—which occurred during an annual month-long military training exercise—could cause air traffic disruption and potentially require flight rerouting due to inconsistent GPS, the notice stated. While the Air Force would not confirm that the GPS disruption was a part of its yearly exercises, experts believe that the military is training its pilots to fly in conditions where GPS signals are inaccurate or nonexistent—a scenario that has become increasingly common.

Thirty-one satellites currently orbiting the Earth transmit signals to civilian and military terrestrial receivers, essentially using time signals to run location-based devices and activities and to sync networks around the world. The satellites—called the GPS constellation—are owned by the United States and operated by the Air Force. Since 1978, the satellites have provided location, navigation, and timing capabilities to the military, and an unencrypted version became available for public use in the 1980s. Over the years, the signals from the GPS constellation have become critical for a variety of applications, including communications, precise time measurements, and critical infrastructure technologies—in addition to military uses such as navigation, target tracking, and missile guidance.

However, the signal—which is inherently weak—is susceptible to outside interference. Anything from space weather to malfunctioning machinery to malicious actors can cause problems with GPS, including blocking the signal—called jamming—and sending false signals, known as spoofing. Even small interferences can cause big headaches.

[Chart: /ASIS SM Callout Images/0518 NS Chart.jpg]

For example, a man who drove a company car purchased a GPS jammer to keep his boss from knowing his whereabouts, but when he passed near Newark airport in New Jersey, the jammer blocked signals from reaching the air traffic controller system. Although the sale and use of jammers is illegal in the United States, they can be purchased online for less than $50 and can successfully hide a vehicle's location.

In January 2016, a routine equipment switch caused a series of 13-microsecond timing errors in half of the GPS constellation satellites, which triggered about 12 hours of confusion for computers, networks, and timing devices around the world.

The U.S. government has referred to GPS as a single point of failure for critical infrastructure and, in 2004, called for the U.S. Department of Transportation to acquire a backup capability for GPS. However, an alternative has never come to fruition.

U.S. President Donald Trump reemphasized the need for redundancy by including a section in the 2018 National Defense Authorization Act that requires the U.S. Departments of Defense, Transportation, and Homeland Security to demonstrate a GPS backup capability within the next 18 months.

"We were concerned that the federal government was not doing all of the things it said it would do in order to protect GPS signals, which are being interfered with on a regular basis," says Dana Goward, the president of the Resilient Navigation and Timing Foundation (RNTF). He established the nonprofit in 2013 to protect, toughen, and augment GPS signals. "Since we started, over the last five years, GPS has been interfered with more and more," he notes.

Goward and other members of RNTF are also members of the National Space-Based Positioning, Navigation, and Timing (PNT) Advisory Board, which has existed since the call for a GPS backup capability was issued in 2004.

It's hard to tell exactly how big an impact a widespread GPS outage would have on critical infrastructure sectors around the world, but Goward notes that glitches such as the January 2016 blip can foreshadow what systems might be affected. "The implementation and use of GPS signals is so widely spread for so many different things it was never intended to be used for that it's really impossible to outline all the bad things that would happen and the sequence in which they would occur," he says. "But there are some things we do know."

Say a terrorist plants a high-powered GPS jammer hidden in a suitcase in the middle of a city. Transportation will probably be the first system visibly affected, which could quickly impact an entire metropolitan area, Goward says. Traffic lights will become desynchronized and GPS-based apps will no longer function, creating distracted and dangerous driving conditions. Airplanes and other forms of mass transportation will have to slow down or alter routes to stay in contact with people who can keep them on course. Package delivery routes as well as land, sea, and air-based supply chain operations will be disrupted. "All forms of transportation will be forced to carry less capacity in the area," Goward notes.

Countless systems that rely on GPS's perfectly synchronized timing—including data networks, financial activities, the electric grid, and other utilities—will slowly become out of sync, causing system failures.

"When the networks start to fall apart, it's hard to tell how much of a cascading failure you're going to see," Goward notes. "Networks depend on each other. It's really such a vast and hypercomplex system, the structures of which are not known and may not be knowable."

Preventing GPS glitches is a multifaceted challenge. The GPS satellites themselves are fairly resilient—they are replaced on a rotating basis depending on their estimated operational life. Still, mechanical glitches like the one that caused the January 2016 blip are possible. The signals transmitted from the satellites are even weaker than cosmic background noise, and Goward notes that even upgraded equipment won't substantially change the strength.

"The basic problem is fundamental physics," Goward says. "Satellites are 12,500 miles up in space and powered by solar panels and transmitting all the time—unlike other satellites that can store up their solar power, GPS satellites have to transmit all the time. They will always be really weak and easy to interfere with."

An inherent area of weakness is the equipment used to receive the GPS signal sent by the satellites—anything from cell phones to networks to military ground stations that encrypt the signal.

"Most GPS receivers in use right now are very vulnerable to jamming and spoofing," Goward notes. "The technology in terms of antennas and software is available to make them much less susceptible to jamming and spoofing, but it costs a little extra and users don't feel motivated to incorporate anti-jamming and spoofing technology into their receivers and systems, even when they involve and support critical infrastructure like phone and IT networks."

RNTF is working with the government to establish guidance or best practices to improve GPS receiver security. While a fix is relatively simple, Goward says he doubts most companies will make the upgrade unless they are told to do so or they experience a GPS-induced crisis. "We think that for critical infrastructure applications there's a government role there to advocate for, encourage, and perhaps require users to have the latest anti-jamming and spoofing technology."

Military-level encrypted GPS signals aren't exempt from jamming or spoofing, either. While the use of a secured ground system to control the broadcast of an encrypted signal, along with military-grade receivers, provides an inherent level of protection, it's not foolproof—and it only works when it's used properly.

"Because of the encryption, that makes military receivers as a practical matter more difficult to use, so we had seen any number of photographs of military folks in the field with GPS receivers they bought at Walmart strapped to their arms and using them instead of military receivers," Goward notes. Encrypted equipment tends to be stored under lock and key—and is usually unwieldy—making it more cumbersome to use.

It's suspected that the infamous straying of a U.S. naval ship into Iranian waters in 2016 was a result of the sailors using unencrypted receivers that allowed Iran to spoof the signal and direct them into the country's territory. And headlines were made when the movements of U.S. military personnel at several overseas bases could be tracked via a GPS-based fitness app—no jamming or spoofing required.

The U.S. Department of Defense (DoD) is in the middle of upgrading the military ground systems and replacing the current GPS constellation—which is near the end of its intended operational life—but the efforts have faced a series of setbacks. The new generation of satellites, called GPS III, is expected to provide a stronger signal that is more resistant to spoofing and jamming and will permit interoperability with other global navigation systems. But, according to the U.S. Government Accountability Office (GAO), the acquisition and timeline of deploying the new satellites has run into several roadblocks, delaying the launch of the new equipment.

For example, the first GPS III satellite built, which is slated to become operational in 2019, includes energy storage devices that had not been appropriately tested by the subcontractor. When the Air Force discovered the failure to test the equipment, it made the subcontractor remove the devices from the second and third satellites currently being built, but "decided to accept the first satellite and launch it 'as is' with the questionable capacitors installed," the GAO reports. The rest of the GPS III satellites are expected to be launched and operational—replacing the current devices—by 2021.

Three components of the upgrade—the new ground control systems, GPS III satellites, and contingency operations programs—are expected to face "numerous challenges" over the next 18 months, GAO notes. "If any of the three programs cannot resolve their challenges, the operation of the first GPS III satellite—and constellation sustainment—may be delayed."

Meanwhile, Goward and the RNTF are continuing to encourage the government to promote more secure GPS receiver technology and build a backup capability for when—not if—the GPS signal fails.

"We are concerned that the federal government does not have a central point of accountability for protecting GPS," Goward explains. "It's possible that this lack of responsibility and governance will mean that nothing is going to happen until the nation has suffered substantial damage because of the failure to protect, toughen, and augment GPS."
https://sm.asisonline.org/Pages/Hacked-Again.aspx
Book Review: Hacked Again
Cybersecurity

ScottSchober.com Publishing; ScottSchober.com; 202 pages; $34.95.

If you are seeking useful security advice on how to mitigate or prevent cybersecurity breaches, Hacked Again is a good resource to have in your library.

Author Scott Schober, a business owner and wireless technology expert, discusses pitfalls that all businesses face and the strategies used to mitigate cyberattacks. He discusses malware, email scams, identity theft, social engineering, passwords, and the Dark Web.

Another important concept is having systems in place to enable information access both as a data breach is occurring and afterwards. Most companies’ IT departments will have an incident response team; however, the individual user needs to know what to do when breached. Schober offers advice for that.

The abundance of personal information on social media is another concern of the author’s. He states that we are twice as likely to be victims of identity theft from these sites. He also reminds us that no matter how we try to eliminate risk, we’re never completely protected from a cyberattack.

Many cybersecurity books are more advanced, but Schober’s style is easy to follow, and he explains concepts and theories without confusing the reader. When concepts become overly technical, he incorporates scenarios to explain what these technical terms mean. Students, IT professionals, and novices would benefit from this book. They will learn that everyone must be aware of cybersecurity and stay on top of evolving trends.

--

Reviewer: Kevin Cassidy is a professor in the security, fire, and emergency management department at John Jay College of Criminal Justice. He is a member of ASIS.