Pentagon CMMC program to vet contractor cybersecurity

The U.S. Department of Defense is aiming to secure its supply chain with the cybersecurity maturity model certification, or CMMC program, which will vet potential third-party contractors.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, said at a news conference at the Pentagon that the CMMC program “will measure technical capabilities and process maturity” for organizations in the running for new defense contracts.

Although the full details of the CMMC program won’t be made public until January, Lord described it as a five-tier framework in which each level of certification is specifically designed based on how critical the work of the contractor would be. The CMMC program is scheduled to be fully implemented by June 2020.

Dan Fallon, senior director of public sector systems engineers at Nutanix, said programs like CMMC that “create or enhance standard practices and responsibilities around cybersecurity are essential to improving security posture.”

“It is great to see the DOD engaged in a strategic, comprehensive, and measured approach to ensuring the security of the products and vendors with whom they work,” Fallon told SearchSecurity. “Furthermore, the Department’s concerted effort in sourcing input from the private sector in developing these standards is a strong indication of its understanding that even with additional cybersecurity policy, overall security will always remain a shared responsibility between vendors and government agencies. After all, there is no one silver bullet to make an agency invulnerable to attack.”

Theresa Payton, president and CEO of Fortalice Solutions and former White House CIO, said the CMMC program “is a good next step to improve supply chain security for the DOD through its contractors and sub-contractors.” 

“In the wake of data breaches where the weakest link was a contractor, these are important next steps,” Payton told SearchSecurity via email. She added that if she “were to prioritize security elements for every contractor and subcontractor to meet it would be: 1. ensure that all data at rest and in transit and at points of consumption are encrypted; 2. have a regular review process of user access controls and authorizations to include third party applications and system to system interactions that are tested; 3. create kill switches that can be flipped if there is a suspected intrusion; 4. ongoing training and awareness.”

The full details of the CMMC program requirements won’t be known until next month, but Lord did promise the expectations, measurements and metrics used will be “crystal clear,” and audits of potential contractors will be done by a third party that should be chosen by next month as well.

Additionally, Lord said at the Ronald Reagan National Defense Forum in Simi Valley, Calif. earlier this week that the DOD expects the weakest links in the supply chain to be the lower tier, smaller companies that may not be able to afford to meet the requirements. As such, the DoD is planning ways to ensure smaller contractors can meet a basic level of cybersecurity via “broader certifications” that will be detailed more in the next three months.

Payton said she was “encouraged to see that the DOD specifically noted that it will help smaller contractors to meet requirements.”

“This will encourage many to embark on this endeavor,” Payton said. “A rising tide lifts all boats so if the DOD would extend free software, tools, and tips and techniques to their supply chain they will naturally lift the security of the DOD ecosystem.”

Government contractor risks

The history of cybersecurity risks and third-party contractors can be traced back years. The most famous example was whistleblower Edward Snowden, a contractor for Booz Allen, who stole and leaked information about NSA phone metadata tracking practices in 2013.

In 2015, a breach of the Office of Personnel Management affected millions and the ensuing investigation found that the threat actors gained access to systems in part by using credentials stolen from government contractors.

The DOD had two issues in 2017 linked to contractors. In August, an AWS S3 bucket containing unclassified data from the DOD was discovered to be publicly accessible due to misconfiguration by Booz Allen Hamilton. In November, another S3 bucket containing DOD data, this one built by contractor VendorX, was discovered to be exposed.

Payton said there’s a simple reason why these past issues didn’t lead to faster action by the government.

“There is a fundamental disconnect between the rate at which technology evolves and the rate at which bureaucracy reacts. What we’re dealing with here is a failure of systems,” Payton said. “It’s never too late to learn from past mistakes, but ultimately, we need real-time solutions not just to today’s obstacles and threats but to tomorrow’s as well.” 


Business and innovation tips for your Imagine Cup project

Editor’s note: This blog was contributed by the U.S. Department of Global Innovation through Science and Technology (GIST). GIST is led by the U.S. Department of State and implemented by VentureWell.

Microsoft’s Imagine Cup empowers student developers and aspiring entrepreneurs from all academic backgrounds to bring an idea to life with technology. Through competition and collaboration, it provides an opportunity to develop an application, create a business plan, and gain a keen understanding of what’s needed to bring a concept to market to make an impact. We’ve partnered with GIST to provide some top tips for turning your idea into a marketable business solution and prepare you to present it effectively on a global stage.

Key things to consider when developing a business idea

1. Assess whether your product is truly novel 

In the early development stages of a new idea, it’s important to assess whether your idea already exists in the current market and if so, what unique solution your application can provide. 

In the world of intellectual property law, “prior art” is the term used for relevant information that was publicly available before a patent claim. For example, if your company is working on a new type of football helmet, but another company has already given an interview about their own plans to invent such a helmet, that constitutes prior art – and it means your patent claim is likely to face a steep uphill battle. Start by asking yourself if your project is truly novel. What problem does your application solve? Are there similar solutions already on the market? If necessary, work with your university to establish if a patent already exists.

2. Learn to take feedback  

It’s easy to get attached to an invention. However, being too lovestruck with your technology can prevent you from absorbing vital feedback from customers, professors, mentors, even teammates. “Feedback is learning,” says Dr. Lawrence Neeley, Associate Professor of Design and Entrepreneurship at Olin College of Engineering. “Sure, feedback can hurt, but understand that you can’t improve your invention without learning what’s wrong with it. Feedback is a mechanism for growth.” In addition, don’t lose sight of the passion that originally drove you to develop a solution, as it can put you in the right mindset to listen to feedback. By keeping the core problem at the forefront, you can more effectively pivot your technology and business model to better address market demands. Read more about how to balance your passion with real-life data to make your project shine.

3. Incorporate diversity & inclusion 

Empower everyone to benefit from your solution by considering diversity and inclusion in your project early on. “When accessibility is at the heart of inclusive design, we not only make technology that is accessible for people with disabilities, we invest in the future of natural user interface design and improved usability for everyone,” says Megan Lawrence, an Accessibility Technical Evangelist at Microsoft. Check out some resources to help you build inclusion into your innovation: 

  • Use Accessibility Insights to run accessibility testing on web pages and applications. 
  • Learn how to create inclusive design through video tutorials and downloadable toolkits. 
  • Read the story of two Microsoft teams at Ability Hacks who embraced the transformative power of technology to create inclusive solutions now used by millions of people. 

Read more tips on using inclusion as a lens to drive innovation. 

4. Consider environmental responsibility 

To maximize impact from the start, it’s critical that student innovators develop an environmentally responsible mindset at the earliest stages of their innovation, business, or manufacturing process. Here are some examples from student innovators of how they integrated environmental responsibility into their business models: 

  • Use renewable energy sources where possible, such as solar power or implementing recycling processes. 
  • Incorporate sustainable processes through things like reducing packaging, limiting plastic waste, and sourcing materials that are reusable or biodegradable.  
  • Create an innovation that solves a key environmental issue or repurposes harmful by-products, such as recovering metal water contaminants or converting ocean waste.  

Read more about how they leveraged sustainability in their projects. 

Maximizing resources for your innovation 

It can be a challenge to seek support resources as a student entrepreneur. Here are some top tips for maximizing on- and off-campus benefits while you’re still in school – check out additional advice if you’re interested in learning more.

1. Take stock of university resources 

Assess what skills you may need beyond just technical and talk to faculty or administrators to develop a roadmap for your time in school. For instance, seek out seminars or courses in different departments to help sharpen writing or public speaking skills, or visit your university library to find out what resources they have to offer student entrepreneurs such as makerspaces, workshops, or guest lectures. 

2. Maximize networking opportunities 

Connect with others through LinkedIn, your university’s alumni network, classes, hackathons, and more to network with industry-specific experts. Pro-tip: Imagine Cup connects you to a global community of like-minded tech enthusiasts to collaborate and innovate together, in addition to giving you access to industry professionals. 

3. Take advantage of competitions  

Approach competitions as not just an opportunity to win, but also to further refine your project and go-to-market plan. Leverage feedback and insights from judges, mentors, and peers to continue ideating and developing a marketable solution.

Build business skills through hands-on innovation 

What better way to put these tips into practice than through bringing your own solution to life? The Imagine Cup is your opportunity to build a technology innovation from what you’re most passionate about. Regardless of where you place in the competition, you’ll have the chance to connect with like-minded tech enthusiasts across the globe, including joining a network of over two million past competitors. In addition, teams who advance to the Regional Finals will receive mentorship from industry professionals and in-person entrepreneurship workshops from GIST, led by the U.S. Department of State and implemented by VentureWell, to help elevate their solutions.

Learn by doing, code for impact, and build purpose from your passion. Register now for the 2020 competition. 

Author: Microsoft News Center

Microsoft wins $10 billion JEDI contract over AWS

Microsoft has been awarded the U.S. Department of Defense’s controversial JEDI contract over AWS in a surprise development that could be remembered as a watershed moment in the battle for market share among hyperscale cloud computing providers.

AWS had widely been expected to win the Joint Enterprise Defense Infrastructure contract, which was first announced in September 2017 and vigorously pursued by IBM, Oracle, Google and Microsoft. The DoD narrowed the field of candidates to AWS and Microsoft in April, and in July a judge tossed out a federal lawsuit brought by Oracle in protest of the process.

AWS had a perceived leg up on competitors for the JEDI contract, thanks not only to the breadth and depth of its cloud platform, but due to precedent. Several years ago, AWS landed a $600 million contract with the CIA centered on further development of the intelligence agency’s big data analytics capabilities.

Still, in May 2018, Microsoft said it had won a contract worth hundreds of millions of dollars that would see a panoply of U.S. intelligence agencies use its Azure Government service.

The DoD’s JEDI proposal, as laid out in a November 2017 memo, calls for a 10-year contract with a single provider to create a “highly available, exponentially elastic, secure, resilient cloud computing environment that seamlessly extends from the homefront to the tactical edge.”

The JEDI contract is worth up to $10 billion over the life of the agreement, but the base contract period is for just two years with $1 million guaranteed, according to the DoD. About $210 million is expected to be spent during the initial two years, but the remainder of the contract is subject to rigorous ongoing reviews, the DoD said.

AWS could not immediately be reached for comment, but in published reports, a company spokesperson expressed surprise at the result.

“AWS is the clear leader in cloud computing, and a detailed assessment purely on the comparative offerings clearly leads to a different conclusion,” the company said.

The specter of presidential politics has loomed over the JEDI contract saga, with President Donald Trump – a harsh critic of Amazon CEO Jeff Bezos – saying in July that his administration planned to scrutinize Amazon’s JEDI bid in the wake of complaints about the award process from AWS competitors.

It isn’t immediately clear whether Amazon can or will pursue additional recourse following the JEDI contract award to Microsoft.

“All offerors were treated fairly and evaluated consistently with the solicitation’s stated evaluation criteria,” the DOD said in a statement. “Prior to the award, the department conferred with the DOD Inspector General, which informed the decision to proceed.”

While the Pentagon plans to eventually move 80% of its internal systems to the platform created by JEDI, it maintains many other cloud services. It also “continues to assess and pursue various cloud contracting opportunities,” according to a statement.

The cloud infrastructure market is worth about $100 billion at present, according to new numbers from Synergy Research. AWS has about 33.5% share of that market, with Microsoft at about 16.5%, Synergy reported.

AWS may still have a healthy lead over Microsoft, but the JEDI award gives the latter not only bragging rights but also a high-profile testimony to Azure’s readiness for the world’s most critical and sensitive workloads, which could prove quite valuable in negotiating other large-scale deals.

More details of the DoD’s decision-making process could be learned in coming days. In recent months, there had been some speculation the DoD would add an additional vendor to the JEDI contract after an initial award, both to hedge its strategic bets and mollify critics.

This is a breaking news story. More details to follow.


Lazarus Group hacker charged in Wannacry, Sony attacks

The Department of Justice has officially charged one member of the North Korean Lazarus Group for his role in the Wannacry attacks, the Sony Pictures breach, theft on the SWIFT banking system and more.

Nathan Shields, special agent for the FBI, filed an affidavit of complaint against the Lazarus Group hacker, Park Jin Hyok, on June 8, 2018, but the charges were made public Sept. 6.

Park was charged with conspiring to commit “unauthorized access to computer and obtaining information, with intent to defraud, and causing damage, and extortion related to computer intrusion” and wire fraud.

“The evidence set forth herein was obtained from multiple sources, including from analyzing compromised victim systems, approximately 100 search warrants for approximately 1,000 email and social media accounts accessed internationally by the subjects of the investigation, dozens of orders issued … and approximately 85 formal requests for evidence to foreign countries and additional requests for evidence and information to foreign investigating agencies,” Shields wrote in the affidavit.

Shields wrote that the affidavit was “made in support of a criminal complaint against, and arrest warrant” for Park, but there is no indication the DoJ knows where Park is currently located. The last mention in the affidavit noted Park returned to North Korea in 2014 after spending three years working for North Korean company Chosun Expo in China.

Although Park was the lone Lazarus Group hacker named in the filing, the entire North Korean team was implicated in the 2014 Sony Pictures breach, the 2016 theft of $81 million from Bangladesh Bank via the SWIFT network, the 2017 Wannacry ransomware attack as well as “numerous other attacks or intrusions on the entertainment, financial services, defense, technology and virtual currency industries, as well as academia and electric utilities.”

“In 2016 and 2017, the conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea,” the U.S. Attorney’s Office for the Central District of California wrote in its press release. “The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.”

Confirmation of North Korean involvement

Park is the first Lazarus Group hacker named and officially charged by the U.S. government, but the Lazarus Group and North Korea have been connected to attacks before.

As far back as Dec. 2014, the FBI stated there was enough evidence to conclude that North Korea was behind the attack on Sony Pictures. And, in Dec. 2017 both the U.S. and U.K. governments blamed the Wannacry attacks on North Korea.

The affidavit detailed the use of the Brambul worm, which was malware attributed to the Lazarus Group in a US-CERT security alert issued by the FBI and Department of Homeland Security in May 2018.

However, while the confirmation of North Korean involvement was generally praised by experts, not all were happy that Park was the only Lazarus Group hacker to be named and charged.

Jake Williams, founder and CEO of Rendition Infosec, based in Atlanta, wrote on Twitter that it was a “human rights issue” to charge Park because the Lazarus Group hacker “likely had zero choice in his actions.”

DHS details electrical grid attacks by Russian agents

The Department of Homeland Security has offered more details on electrical grid attacks by Russian agents, and experts said the details show how air-gapping isn’t as secure as some may think.

In a briefing on Monday, DHS officials expanded on details of electrical grid attacks by Russian groups like Dragonfly 2.0. The briefing was the first time DHS released this amount of information in an unclassified setting, according to a report by The Wall Street Journal.

DHS said Russian hackers first targeted key industrial control vendors in order to steal credentials and access air-gapped and isolated utility networks. DHS also expanded the scope of the electrical grid attacks, saying there were “hundreds of victims,” although it is unclear if “victims” in this case refers to systems, substations, or utilities and vendors combined. Attackers reportedly stole confidential information about the utilities to learn how the industrial control systems (ICS) work and DHS said they had enough access to “throw switches.”

Ray DeMeo, COO and co-founder of Virsec, noted that “relying on air-gapping for security is a dangerous anachronism.”

“Air gaps are easily being bridged by social engineering, password theft, or, in the case of Stuxnet, a few rogue USBs left in Tehran coffee houses. With the increasing convergence of IT and OT systems, the control systems that manage critical infrastructure are increasingly networked and connected,” DeMeo wrote via email. “Plus, conventional security tools that rely on signatures must be connected in order to get the latest updates. Almost all of the recent attacks, successful attacks on power plants and other critical infrastructure have bypassed air gaps.”

Rohyt Belani, CEO and co-founder of Cofense, said that even with isolation, electrical grid attacks are still possible.

“Even though SCADA networks and other critical infrastructure may be segmented, there are always legitimate remote access systems in place from where administrators of those systems can log in and control them,” Belani wrote via email. “Attackers often gain their initial foothold in a corporate network via spear phishing and then move laterally to identify such key systems, which they then attempt to compromise to further their sphere of influence into critical systems.”

Michael Magrath, director of global regulations and standards at OneSpan Inc., said these electrical grid attacks, like other hacks “exploit the weakest link in the security chain — the people.” Magrath was also concerned about part of The Wall Street Journal report that claimed DHS was investigating if Russian hackers had ways to defeat multifactor authentication.

“To be clear, multifactor authentication is not ‘one size fits all.’ There are numerous approaches and technologies available with varying degrees of security and usability. For example, one-time passwords transmitted via SMS are very convenient and widely deployed. However, this multifactor authentication approach has been proven to be unsecure with [one-time passwords] being intercepted,” Magrath wrote via email. “Other solutions such as fingerprint biometrics, adaptive authentication, and utilizing public key cryptography techniques are far more secure and have gained widespread adoption. It remains to be seen what DHS learns.” 

DHS claimed it has been warning utilities about potential attacks since 2014. Joseph Kucic, CSO at Cavirin, said via email the utilities “have failed to implement the necessary changes so DHS went public to embarrass the utilities into taking the needed actions (timing was on the DHS side with all the Russia media attention).” 

David Vergara, head of security product marketing at OneSpan Inc., said “this is big game hunting for cybercriminals.”

“The motivation may pivot between political and monetization, but the impact to the target is the same, terror through vulnerability and exposure,” Vergara wrote via email. “It’s not difficult to extrapolate the outcome when an entire power grid goes offline during peak hours and the attack follows the weakest link, unsophisticated utility vendors or third parties.”

Potential damage of electrical grid attacks

It was unclear from the DHS report how extensive the damage from these electrical grid attacks could be.

Katherine Gronberg, vice president of government affairs at ForeScout Technologies, said in the past, electrical grid attacks were “ostensibly motivated by money, business disruption, hacktivism or espionage.”

“Now, we are facing a very real and targeted threat to U.S. national security. A successful attack on systems such as power plants, dams or the electric grid could have severe repercussions and could possibly lead to the loss of human life and disruption of society,” Gronberg wrote via email. “With so much on the line, securing critical infrastructure must be top of mind. Recent efforts by the DHS, DOE and key congressional committees suggest that it is. But we have to tackle this problem as the shared responsibility it is. It likely will entail some difficult decisions at all levels, from policymakers to power producers to consumers.”

Andrea Carcano, co-founder and CPO of Nozomi Networks, noted that since the electrical grid attacks reported by DHS didn’t result in blackouts, it raises the “question if the attackers intentionally only went so far.”

“Attacks on the grid will be difficult to control and will undoubtedly lead to lots of collateral damage. This, combined with the risk of retaliation, may be keeping attackers at bay,” Carcano wrote via email. “It is reminiscent of the mutually assured destruction model of the Cold War when restraint was used on all sides. We are likely in the midst of a Cyber Cold War with all sides holding back from enacting the destruction they are truly capable of.”

Healthcare APIs get a new trial run for Medicare claims

In the ongoing battle to make healthcare data ubiquitous, the U.S. Digital Service for the Department of Health and Human Services has developed a new API, Blue Button 2.0, aimed at sharing Medicare claims information.

Blue Button 2.0 is part of an API-first strategy within HHS’ Centers for Medicare and Medicaid Services, and it comes at a time when a number of major companies, including Apple, have embraced the potential of healthcare APIs. APIs are the building blocks of applications and make it easier for developers to create software that can easily share information in a standardized way. Like Apple’s Health Records API, Blue Button 2.0 is based on a widely accepted healthcare API standard known as Fast Healthcare Interoperability Resources, or FHIR.

Blue Button 2.0 is the API gateway to 53 million Medicare beneficiaries, including comprehensive Part A, B and D data. “We’re starting to recognize that claims data has value in understanding the places a person has been in the healthcare ecosystem,” said Shannon Sartin, executive director of the U.S. Digital Service at HHS.

“But the problem is, how do you take a document that is mostly codes with very high-level information that’s not digestible and make it useful for a nonhealth-savvy individual? You want a third-party app to add value to that information,” Sartin said.

So, her team was asked to work on this problem. And out of their work, Blue Button 2.0 was born.

More than 500 developers have signed on

To date, over 500 developers are working with the new API to develop applications that bring claims data to consumers, providers, hospitals and, ultimately, into an EHR, Sartin said. But while there is a lot of interest, Sartin said this is just the first step when it comes to healthcare APIs.

“The government does not build products super well, and it does not do the marketing engagement necessary to get someone interested in using it,” she said. “We’re taking a different approach, acting as evangelists, and we’re spending time growing the community.”

And while a large number of developers are experimenting with Blue Button 2.0, Sartin’s group will be heavily vetting to eventually get to a much smaller number that will release applications due to privacy concerns around the claims data.

Looking for a user-friendly approach

In theory, the applications will make it easier for a Medicare consumer to let third parties access their claims information and then, in turn, make that data meaningful and actionable. But Arielle Trzcinski, senior analyst serving application development and delivery at Forrester Research, said she is concerned Blue Button 2.0 isn’t pushing the efforts around healthcare APIs far enough.

“Claims information is not the full picture,” she said. “If we’re truly making EHR records portable and something the consumer can own, you have to have beneficiaries download their medical information. That’s great, but how are they going to share it? What’s interesting about the Apple effort as a consumer is that you’re able to share that information with another provider. And it’s easy, because it’s all on your phone. I haven’t seen from Medicare yet how they might do it in the same user-friendly way.”

Sartin acknowledged Blue Button 2.0 takes aim at just a part of the bigger problem.

“My team is focused just on CMS and healthcare in a very narrow way. We recognize there are broader data and healthcare issues,” she said.

But when it comes to the world of healthcare APIs, it’s important to take that first step. And it’s also important to remember the complexity of the job ahead, something Sartin said her team — top-notch developers from private industry who chose government service to help — realized after they jumped into the world of healthcare APIs.

“We have engineers who’ve not worked in healthcare who thought the FHIR standard was overly complex,” she said. “But when you start to dig into the complexity of health data, you recognize sharing health data with each doctor means something different. This is not as seamless as with banks that can standardize on numbers. There, a one is a one. But in health terminology, a one can mean 10 different things. You can’t normalize it. Having an outside perspective forces the health community to question it all.”

Russian intelligence officers indicted for DNC hack

The Department of Justice announced Friday the indictment of 12 members of Russia’s GRU intelligence agency in relation to the 2016 breaches of the Democratic National Committee and Hillary Clinton’s presidential campaign.

The grand jury indictment, which is part of Special Counsel Robert Mueller’s investigation into Russian interference with the 2016 presidential election, claimed the 12 intelligence officers were engaged in a “sustained effort” to hack into the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC) and the Clinton campaign. The DNC hack led to confidential emails becoming public via WikiLeaks, which negatively impacted the Clinton campaign and Democratic Party.

The grand jury indictment alleged the Russian intelligence officers, operating under the online personas “DCLeaks” and “Guccifer 2.0,” leaked information through another entity known as “Organization 1.” The indictment does not mention WikiLeaks by name.

The Justice Department claimed that in 2016, members of Unit 26165 in the Russian government’s Main Intelligence Directorate (GRU) began spearphishing campaign officials and volunteers for Clinton’s presidential campaign; intelligence officers were able to steal usernames and passwords and use those credentials to obtain confidential emails and compromise other systems. The threat actors used similar techniques in the DNC hack as well as the breach of the DCCC’s network.

In addition, the Justice Department claimed Unit 26165, with members of the GRU’s Unit 74455, conspired to release the stolen emails and data in order to influence the election. According to the Department of Justice, Unit 74455 also “conspired to hack into the computers of state boards of elections, secretaries of state, and US companies that supplied software and other technology related to the administration of elections to steal voter data stored on those computers.”

The indictment accused the following individuals of being part of Unit 26165 and Unit 74455, and engaging in the DNC hack and other malicious activity: Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, Aleksey Aleksandrovich Potemkin and Anatoliy Sergeyevich Kovalev.

The 12 GRU officers are accused of 11 criminal counts, including criminal conspiracy against the United States “through cyber operations by the GRU that involved the staged release of stolen documents for the purpose of interfering with the 2016 president election”; aggravated identity theft; conspiracy to launder money; and criminal conspiracy for attempting to hack into certain state boards of elections, secretaries of state, and vendors of U.S. election equipment and software.

The Justice Department emphasized there is “no allegation in the indictment that the charged conduct altered the vote count or changed the outcome of the 2016 election,” and no allegation that any American was a knowing participant in the alleged criminal activity.

DHS, SecureLogix develop TDoS attack defense

The U.S. Department of Homeland Security has partnered with security firm SecureLogix to develop technology to defend against telephony denial-of-service attacks, which remain a significant threat to emergency call centers, banks, schools and hospitals.

The DHS Science and Technology (S&T) Directorate said this week the office and SecureLogix were making “rapid progress” in developing defenses against call spoofing and robocalls — two techniques used by criminals in launching telephony denial-of-service (TDoS) attacks to extort money. Ultimately, the S&T’s goal is to “shift the advantage from TDoS attackers to network administrators.”

To that end, S&T and SecureLogix, based in San Antonio, are developing two TDoS attack defenses. First is a mechanism for identifying the voice recording used in call spoofing, followed by a means to separate legitimate emergency calls from robocalls.

“Several corporations, including many banks and DHS components, have expressed interest in this technology, and SecureLogix will release it into the market in the coming months,” William Bryan, interim undersecretary for S&T at DHS, said in a statement.

In 2017, S&T handed SecureLogix a $100,000 research award to develop anti-call-spoofing technology. The company was one of a dozen small tech firms that received similar amounts from S&T to create a variety of security applications.

Filtering out TDoS attack calls

SecureLogix’s technology analyzes and assigns a threat score to each incoming call in real time. Calls with a high score are either terminated or redirected to a lower-priority queue or a third-party call management service.

SecureLogix built its prototype on existing voice security technologies, so it can be deployed in complex voice networks, according to S&T. It also contains a business rules management system and a machine learning engine “that can be extended easily, with limited software modifications.”
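The real-time threat scoring and routing described above, as an added illustration that is not SecureLogix's or S&T's code: two signals (a burst of calls from one number, and the same recorded audio arriving from many different caller IDs, the signature of a spoofed-ID robocall) feed a score that decides whether a call is answered, deferred to a low-priority queue, or terminated. The thresholds, the record format and the sample calls are constructed assumptions.

```python
from collections import defaultdict, deque

# Hypothetical thresholds and window; real products tune these per deployment.
TERMINATE_AT, DEFER_AT = 70, 40
WINDOW_SECONDS = 60


class CallScorer:
    """Scores each incoming call as it arrives and returns a routing decision."""

    def __init__(self):
        self.by_caller = defaultdict(deque)      # caller_id -> recent arrival times
        self.by_fingerprint = defaultdict(set)   # audio fingerprint -> caller_ids using it

    def score(self, call):
        t, cid, fp = call["t"], call["caller_id"], call.get("fingerprint")
        s = 0
        q = self.by_caller[cid]
        q.append(t)
        while q and t - q[0] > WINDOW_SECONDS:   # keep only calls inside the window
            q.popleft()
        if len(q) >= 5:                          # burst from a single number
            s += 40
        elif len(q) >= 3:
            s += 20
        if fp:                                   # fingerprint of the played recording
            self.by_fingerprint[fp].add(cid)
            n = len(self.by_fingerprint[fp])
            if n >= 5:                           # same recording, many spoofed numbers
                s += 50
            elif n >= 2:
                s += 25
        return min(s, 100)

    def route(self, call):
        s = self.score(call)
        if s >= TERMINATE_AT:
            return "terminate", s
        if s >= DEFER_AT:
            return "low_priority_queue", s
        return "answer", s


# Constructed call stream: a live caller, one recording replayed from five spoofed
# numbers, then the same recording hammered from one number, then the live caller again.
SAMPLE_CALLS = (
    [{"t": 0, "caller_id": "+15550100", "fingerprint": None}]
    + [{"t": i, "caller_id": f"+1555020{i}", "fingerprint": "rec-A"} for i in range(1, 6)]
    + [{"t": i, "caller_id": "+15550299", "fingerprint": "rec-A"} for i in range(6, 11)]
    + [{"t": 11, "caller_id": "+15550100", "fingerprint": None}]
)


def run(calls):
    scorer = CallScorer()
    return [scorer.route(c) for c in calls]
```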

Over the last year, SecureLogix deployed the prototype within a customer facility, a cloud environment and a service provider network. The vendor also worked with a 911 emergency call center and large financial institutions.

In March 2013, a large-scale TDoS attack highlighted the threat against the telephone systems of public-sector agencies. An alert issued by DHS and the FBI said extortionists had launched dozens of attacks against the administrative telephone lines of air ambulance and ambulance organizations, hospitals and financial institutions.

Today, the need for TDoS protection has grown from on premises to the cloud, where an increasing number of companies and call centers are signing up for unified communications as a service. In 2017, nearly half of organizations surveyed by Nemertes Research were using or planned to use cloud-based UC.

Accused CIA leaker charged with stealing government property

The Department of Justice has formally charged the suspected CIA leaker with stealing government property and more in connection with the theft and transmission of national defense information.

The accused CIA leaker, Joshua Adam Schulte, has been in the custody of law enforcement since August 2017 when he was charged with possessing child pornography; the FBI reportedly thought it had enough evidence to charge him with stealing and leaking the Vault 7 files to WikiLeaks as early as January. Government prosecutors said in mid-May that there was a new indictment set to be filed and that superseding indictment was filed on Monday, June 18, by the U.S. Attorney’s Office for the Southern District of New York.

The new indictment lists 13 charges against Schulte, including charges of illegally gathering and transmitting national defense information, theft of government property, unauthorized access of a computer to obtain information from a government agency and obstruction of justice, in addition to three charges related to child pornography.

Manhattan U.S. Attorney Geoffrey S. Berman wrote in a public statement that the accused CIA leaker, Schulte, was a former employee of the CIA and “allegedly used his access at the agency to transmit classified material to an outside organization.”

“We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities,” Berman wrote. “Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”

The Vault 7 data provided to WikiLeaks by a CIA leaker included close to 9,000 documents, including hacking tools and zero-day exploits for iOS, Android, Windows and more. The CIA has never admitted that the Vault 7 data was its own and the indictment itself does not refer to the stolen data being from the CIA.

However, the DOJ press release did state: “On March 7, 2017, Organization-1 released on the Internet classified national defense material belonging to the CIA (the “Classified Information”). In 2016, SCHULTE, who was then employed by the CIA, stole the Classified Information from a computer network at the CIA and later transmitted it to Organization-1. SCHULTE also intentionally caused damage without authorization to a CIA computer system by granting himself unauthorized access to the system, deleting records of his activities, and denying others access to the system. SCHULTE subsequently made material false statements to FBI agents concerning his conduct at the CIA.”

FBI fights business email compromise with global crackdown

The United States Department of Justice this week announced the arrests of 74 individuals alleged to have committed fraud by participating in business-email-compromise scams.

The arrests are the result of an international enforcement effort, coordinated by the FBI, known as Operation Wire Wire, which was designed to crack down on email-account-compromise schemes targeting individuals and businesses of all sizes.

Business email compromise (BEC) is a growing problem, accounting for the highest reported losses, according to the FBI’s “2017 Internet Crime Report.” Criminal organizations use social engineering to identify employees who are authorized to make financial transactions, and then send fraudulent emails from company executives or foreign suppliers requesting wire transfers of funds.

Some schemes are directed at individuals in human resources or other departments in an effort to collect personally identifiable information, such as employee tax records. Others target individual victims, especially those involved in real estate transactions and the elderly.

In January, according to the Department of Justice, the U.S. federal agencies worked with international law enforcement on Operation Wire Wire to find and prosecute alleged fraudsters. The six-month coordinated effort involved the U.S. Department of Homeland Security, the U.S. Department of the Treasury and the U.S. Postal Inspection Service, and it resulted in 42 arrests in the United States, 29 in Nigeria and three in Canada, Mauritius and Poland. Law enforcement recovered $14 million in financial wire fraud during the operation, and they seized close to $2.4 million.

‘Nigerian princes’ turn to BEC

The techniques and tactics of Nigerian criminal organizations have become more sophisticated, according to Agari Data Inc. The email security company captured and analyzed the contents of 78 email accounts associated with 10 criminal organizations — nine in Nigeria — and reported increased BEC activities against North American companies and individuals between 2016 and 2018.

The research involved 59,692 unique messages in email communications originating from 2009 to 2017. According to the findings, business email compromise represented the largest attack vector for email fraud at 24%, even though many of these criminal groups migrated to BEC attacks, starting in 2016. Previously, these groups had focused predominantly on “romance” fraud schemes.

Business email compromise often overlaps or has similarities with cyberfraud schemes involving romance, lotteries, employment opportunities, vehicle sales and rental scams. In some cases, money mules “hired” using romance schemes or fraudulent employment opportunities may not be aware of the BEC scams. Mules receive the ill-gotten funds stateside and transfer the monies to difficult-to-trace, off-shore accounts set up by criminals.

Since January, up to $1 million in assets has been seized domestically, and 15 alleged money mules have been identified by FBI task forces and charged “for their role in defrauding victims.”

BEC schemes are hard to detect, because they do not rely on victims downloading malicious email attachments or clicking on fake URLs. Instead, this type of cyberfraud uses identity deception (82%, according to Agari), email spoofing or compromised email accounts accessed via malware or credential theft. Researchers found 3.97% of intended targets who responded to the initial emails used in business email compromise became victims.
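Because BEC mail carries no attachment or link, the defender's signal is the identity deception itself: an executive's display name on a foreign address, a lookalike sender domain, a Reply-To that silently diverts the thread, and a wire-transfer or tax-record request (the schemes described in the report above and in the FBI's description of the scam). This is an added triage example, not Agari's or the FBI's method; the executive list, owned domains, keyword list and sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed organization data: executives by lowercase display name, and owned domains.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
OWN_DOMAINS = {"example.com"}
# Requests typical of BEC and payroll-diversion lures (hypothetical keyword list).
WIRE_WORDS = re.compile(r"\b(wire transfer|wire|urgent|w-2|tax records|routing number)\b", re.I)


def lookalike(domain):
    """True if domain is an owned domain with exactly one character substituted."""
    for own in OWN_DOMAINS:
        if domain == own:
            return False
        if len(domain) == len(own) and sum(a != b for a, b in zip(domain, own)) == 1:
            return True
    return False


def assess(msg):
    """Return (indicator_count, reasons) for a message dict with from/reply_to/subject/body."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:            # executive name, outside mailbox
        reasons.append("display name impersonates an executive from a foreign address")
    if lookalike(domain):
        reasons.append("sender domain is a lookalike of an owned domain")
    if msg.get("reply_to"):                      # diverted replies, even from a real account
        _, reply = parseaddr(msg["reply_to"])
        if reply.rsplit("@", 1)[-1].lower() != domain:
            reasons.append("Reply-To domain differs from From domain")
    if WIRE_WORDS.search(msg["subject"] + " " + msg["body"]):
        reasons.append("requests a wire transfer or employee PII")
    return len(reasons), reasons


# Constructed samples: legitimate, executive spoof, lookalike supplier, compromised account.
SAMPLES = [
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Q3 planning", "body": "Agenda attached."},
    {"from": "Jane Doe <jane.doe@gmail.com>", "subject": "Urgent", "body": "Process this wire transfer today."},
    {"from": "Accounts <ap@examp1e.com>", "subject": "Invoice", "body": "Updated routing number for payment."},
    {"from": "Jane Doe <jane.doe@example.com>", "reply_to": "jane.doe.exec@mail-example.net",
     "subject": "Records", "body": "Send all W-2 records to me directly."},
]
```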