via superlative reportage from DJ Pangburn, we now learn of the ineptitude of US governmental oversight officials (and the Agencies, Bureaus, Departments, and Branches of Federal Government they service) tasked with protecting gathered and stored biometric data (amongst other things). Simply astounding.
Astounding flaws, reported by both Symantec and Ars Technica... What happened to OpSec? As importantly: The true ramifications for our country are yet unknown... Unless of course, this and other 'leaks' of the same or similar ilk - are, in fact - structured information operations of the highest caliber. Crafted to ensnare the miscreant espionage bounders wandering amongst us... You be the judge.
- The Buckeye attack group was using Equation Group tools to gain persistent access to target organizations at least a year prior to the Shadow Brokers leak.
- Variants of Equation Group tools used by Buckeye appear to be different from those released by Shadow Brokers, potentially indicating that they didn't originate from that leak.
- Buckeye's use of Equation Group tools also involved the exploit of a previously unknown Windows zero-day vulnerability. This zero day was reported by Symantec to Microsoft in September 2018 and patched in March 2019.
- While Buckeye appeared to cease operations in mid-2017, the Equation Group tools it used continued to be used in attacks until late 2018. It is unknown who continued to use the tools. They may have been passed to another group or Buckeye may have continued operating longer than supposed. - via Symantec Corporation's Threat Intelligence Blog
Meanwhile, in Governance By Imbeciles news, a troubling story, via Betsy Woodruff, writing at The Daily Beast, targeting the shuttering of an intelligence analysis group (ostensibly focused on domestic terrorism) at the United States Department of Homeland Security, monikered the 'Office of Intelligence and Analysis (I&A)'. Also, claims by David Glawe (the new Trump Administration appointee) that the group's closing makes for enhanced output, yet simultaneously, California's Los Angeles County Sheriff’s Department reports work product from DHS (regarding actionable domestic terrorism intelligence) is slowing to a trickle. Read it all in Ms. Woodruff's well crafted reportage, and try not to weep for our Law Enforcement Agencies at both the Federal and Local levels. Today's Must Read.
"Aaron Peskin, a member of the city’s Board of Supervisors, proposed the ban Tuesday as part of a suite of rules to enhance surveillance oversight. In addition to the ban on facial recognition technology, the ordinance would require city agencies to gain the board’s approval before buying new surveillance technology, putting the burden on city agencies to publicly explain why they want the tools as well as the potential harms." - via Gregory Barber, writing at Wired regarding the proposed ban
via Nikhil Pahwa, reporting for Wired UK, comes a glimpse into an Indian version of Big Brother, in this case, a database monikered Aadhaar, in which is contained the apparently problematically managed biometric identity data of over 1.2 Billion Indian Citizens. I fear for the freedom of the justly proud and wonderful people of India with the existence of this system. Nice logo though, eh?
"The Aadhaar number is a 12 digit identity code, based on a person's biometric and demographic information, that has been made mandatory for a large number of government welfare and private services in India: at present you need one to open a bank account, get a mobile phone, pay taxes, or even get an ambulance. It is the largest biometric identity project in the world and has enrolled more than 1.22 billion people. Russia, Algeria, Morocco and Tunisia are interested in adopting similar systems." - via Nikhil Pahwa, reporting for Wired UK
Department of Homeland Security to Begin Creating Lists of Bloggers and Journalists... Oh good, I like lists, don't you? Remember the DHS - TSA No-Fly List? That went well, didn't it... Meanwhile, in other news - George Washington and Thomas Jefferson have been observed spinning in their graves (the former - the first President of the United States, and the latter - the third President of the United States). And, of course, there's this...
News - via Rick Falkvinge, writing at Privacy News Online Blog (a blog run by Virtual Private Network company Private Internet Access), regales us with the sorry tale of the Kingdom of Sweden's government-data-gone-wild, in this case, the wild is the IBM Cloud infrastructure.
Take heed, my friends in the 'digital transformation' world, do not weep for the Swedish Government and IBM (by the way - as of this writing, while the issues still exist, there is a way out for future efforts, and possibly the noted debacle):
For without the crucial components of attention to detail and truly effective security automation - coupled with meticulous security architecture and the all-important expert execution by competent security professionals, you might as well be hosting your data in the open for all to see - Just Like The Swedes. Simply Astounding. H/T
"At present, these databases are known to have been exposed, by moving them to “The Cloud” as if it were just a random buzzword: The weight capacity of all roads and bridges (which is crucial for warfare, and says a lot about what roads are intended to be used as wartime airfields); Names, photos, and home addresses of fighter pilots in the Air Force; Names, photos, and home addresses of everybody and anybody in a police register, all of which are classified; Names, photos, and home addresses of all operators in the military’s most secret units – equivalent to the SAS or SEAL teams; Names, photos, and home addresses of everybody in a witness relocation program or who has been given protected identity for other reasons; Type, model, weight, and any defects of any and all government and military vehicles, including their operator, which says a ton about the structure of military support units;" via Rick Falkvinge, writing at Privacy News Online Blog
via Gizmodo investigative reporter Dell Cameron, comes the astounding news of the systemic incompetence in properly handling secret documents and other artifacts stored within the cloud (in this case, AWS S3 Buckets) by a well-established contractor to the National Geospatial-Intelligence Agency (NGA). Certainly, a first-rate example of an Expanding Cloud of Lethal Stupidity (ECOLS).
Where does the organization in question fall within the Noel Burch Hierarchy of Competence model? Should the culprits in this scenario be prosecuted? You be the judge. Truly astounding, indeed.
"A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors. What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance." - via Gizmodo reporter Dell Cameron
Yes, you read it correctly, at least 70% of the District of Columbia's Police surveillance cameras were infected with ransomware immediately prior to the 2017 Inauguration of the President and Vice President of the United States.
The singularly astonishing aspect of this debacle was the Department still managed to keep the streets of Washington, D.C. safe for the throngs of visitors at the 2017 Inauguration. Quite simply, testimony to the hard work of the Department's Officers and Staff.
DRAFT (Inclusive of errors, et cetera - Editor) HatTip
Executive Order - Strengthening U.S. Cyber Security and Capabilities
STRENGTHENING U.S. CYBER SECURITY AND CAPABILITIES
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:
Section 1. Policy.
It is the policy of the United States to defend and enhance the security of the Nation’s cyber infrastructure and capabilities. Free and secure use of cyberspace is essential to advancing U.S. national interests. The Internet is a vital national resource. Cyberspace must be an environment that fosters efficiency, innovation, communication, and economic prosperity without disruption, fraud, theft, or invasion of privacy. The United States is committed to: ensuring the long-term strength of the Nation in cyberspace; preserving the ability of the United States to decisively shape cyberspace relative to other international, state, and non-state actors; employing the full spectrum of our capabilities to defend U.S. interests in cyberspace; and identifying, disrupting, and defeating malicious cyber actors.
Sec. 3. Findings.
America’s civilian government institutions and critical infrastructure are currently vulnerable to attacks from both state and non-state actors. Criminals, terrorists, and state and non-state actors are engaging in continuous operations that impose significant costs on the U.S. economy and significantly harm vital national interests. These operations may disrupt or disable the functioning of important economic institutions and critical infrastructure, and may potentially cause physical effects that could result in significant property damage and loss of life.
The cyber realm is undergoing constant, rapid change as a result of the pace of technological innovation, the explosive global growth in Internet use, the increasing interdependencies between the networks and the operations of infrastructure and key economic institutions, and the continuously evolving nature of cyberattacks and attackers.
As a result of these changes, cyberspace has emerged as a new domain of engagement, comparable in significance to land, sea, air, and space, and its significance will increase in the years ahead.
The Federal Government has a responsibility to defend America from cyberattacks that could threaten U.S. national interests or cause significant damage to Americans’ personal or economic security. That responsibility extends to protecting both privately and publicly operated critical networks and infrastructure. At the same time, the need for dynamism, flexibility, and innovation in cyber security demands that government exercise its responsibility in close cooperation with private sector entities.
The executive departments and agencies (agencies) tasked with protecting civilian government networks and critical infrastructure are not currently organized to act collectively/collaboratively, tasked, or resourced, or provided with legal authority adequate to succeed in their missions.
Sec. Definitions. As used in this order:
The term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
The term “national security system” means any telecommunications or information system operated by the Federal Government or any contractor on its behalf, the function, operation, or use of which:
(i) involves intelligence activities;
(ii) involves activities related to national security;
(iii) involves command and control of military forces;
(iv) involves equipment that is an integral part of a weapon or weapons system; or
(v) is critical to the direct fulfillment of military or intelligence missions (but does not include a system used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications).
Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned in this order shall be provided through the interagency process established in National Security Presidential Directive of January 21, 2017 (Organization of the National Security Council and the Homeland Security Council), or any successor.
Sec. 5. Review of Cyber Vulnerabilities. (a) Scope and Timing.
(i) A review of the most critical U.S. cyber vulnerabilities (Vulnerabilities Review) shall commence immediately.
(ii) Within 60 days of the date of this order, initial recommendations for the protection of U.S. national security systems shall be submitted to the President through the Secretary of Defense.
(iii) Within 60 days of the date of this order, initial recommendations for the enhanced protection of the most critical civilian Federal Government, public, and private sector infrastructure, other than U.S. national security systems, shall be submitted to the President through the Secretary of Homeland Security.
(iv) The recommendations shall include steps to ensure that the responsible agencies are appropriately organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions.
(b) Review Participants. The Secretary of Defense shall co-chair the Vulnerabilities Review with the Secretary of Homeland Security, the Director of National Intelligence, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism.
(c) Operation of the Vulnerabilities Review. The Co-Chairs of the Vulnerabilities Review shall assemble all information in the possession of the Federal Government that pertains to the most urgent vulnerabilities to national security systems, the most urgent vulnerabilities to civilian Federal Government networks, and the most critical private sector infrastructure. All agencies shall comply with any request of the Co-Chairs to provide information in their possession or control pertaining to U.S. cyber vulnerabilities. The Secretary of Defense, the Secretary of Homeland Security, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism may seek further information relevant to the Vulnerabilities Review from any appropriate source.
Sec. 6. Review of Cyber Adversaries. (a) Scope and Timing.
(i) A review of the principal U.S. cyber adversaries (Adversaries Review) shall commence immediately.
(ii) Within 60 days of the date of this order, a first report on the identities, capabilities, and vulnerabilities of the principal U.S. cyber adversaries shall be submitted to the President through the Director of National Intelligence.
(b) Review Participants. The Director of National Intelligence shall co-chair the Adversaries Review with the Secretary of Homeland Security, the Secretary of Defense, the Assistant to the President for National Security Affairs, and the Assistant to the President for Homeland Security and Counterterrorism.
(c) Operation of the Adversaries Review. The Co-Chairs of the Adversaries Review shall assemble all information in the possession of the Federal Government that pertains to the identities, capabilities, and vulnerabilities of U.S. cyber adversaries. All agencies shall comply with any request of the Co-Chairs to provide information in their possession or control pertaining to U.S. cyber adversaries. The Co-Chairs may seek further information relevant to the Adversaries Review from any appropriate source.
Sec. U.S. Cyber Capabilities Review. (a) Scope and Timing.
(i) Based on the results of sections 5 and 6 of this order, a review of the relevant cyber capabilities of the Department of Defense, the Department of Homeland Security, and the National Security Agency (Capabilities Review) shall identify an initial set of capabilities needing improvement to adequately protect U.S. critical infrastructure.
(ii) The Capabilities Review’s recommendations shall include steps to ensure that the responsible agencies are appropriately organized, tasked, and resourced, and provided with adequate legal authority necessary to fulfill their missions.
(b) Participants. The Secretary of Defense shall co-chair the Capabilities Review, with the Secretary of Homeland Security and the Director of the National Security Agency.
(c) Operation of Capabilities Review. The Co-Chairs of the Capabilities Review shall assemble all information in the possession of the Federal Government that pertains to relevant cyber capabilities of the Department of Defense, the Department of Homeland Security, and the National Security Agency. All agencies shall comply with any request of the Co-Chairs to provide information in their possession or control pertaining to U.S. cyber capabilities. The Secretary of Defense, the Secretary of Homeland Security, and the Director of the National Security Agency may seek further information relevant to the Capabilities Review from any appropriate source.
(d) Workforce Development Review. In order to ensure that the United States has a long-term cyber capability advantage, the Secretary of Defense and Secretary of Homeland Security shall also gather and review information from the Department of Education regarding computer science, mathematics, and cyber security education from primary through higher education to understand the full scope of U.S. efforts to educate and train the workforce of the future. The Secretary of Defense shall make recommendations as he sees fit in order to best position the U.S. educational system to maintain its competitive advantage into the future.
Sec. Private Sector Infrastructure Incentives Report. (a) Scope and Timing.
(i) Preparation of a Report on options to incentivize private sector adoption of effective cyber security measures (Report) shall commence immediately.
(ii) Within 100 days of the date of this order, the Report recommending options shall be submitted to the President through the Secretary of Commerce.
(b) Participants. The Secretary of Commerce shall co-chair the group preparing the Report, with the Secretary of the Treasury, the Secretary of Homeland Security, and the Assistant to the President for Economic Affairs. The Secretary of Commerce may also invite the Chair of the Securities and Exchange Commission and the Chair of the Federal Trade Commission to participate.
(c) Operation of Report. The Co-Chairs of the group that prepared the Report shall review and expand on existing reports on economic and other incentives to: induce private sector owners and operators of the Nation’s critical infrastructure to maximize protective measures; invest in cyber enterprise risk management tools and services; and adopt best practices with respect to processes and technologies necessary for the increased sharing of and response to real-time cyber threat information. All agencies shall comply with any request of the Co-Chairs to identify those economic policies and incentives capable of accelerating investments in cyber security tools, services, and software. The Secretary of the Treasury, the Secretary of Commerce, the Secretary of Homeland Security, and the Assistant to the President for Economic Affairs may seek further information relevant to the Report from any appropriate source.
Sec. 2. General Provisions.
(a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
(b) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or any head thereof; or
(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.
(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.
(d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
Apparently, the United States Supreme Court has been asked (via Petition) to weigh in on the Department of Homeland Security's Standard Operating Procedure 303, originally developed by the National Security Telecommunications Advisory Committee. My take on it - Not Going To Happen.
via journalist Malena Carollo reporting for the eponymous Christian Science Monitor, comes an astonishing news item of what is perhaps the single most egregious failure in federal information security this century (so far...).
"Moving forward, Archuleta assured the committee that OPM would continue to improve their cybersecurity efforts and work on the recommendations given by the Inspector General "to the best of our ability." "That’s what frightens me, Mrs. Archuleta," said Rep. Mick Mulvaney (R) of South Carolina, "that this is the best of your ability." - via Malena Carollo reporting at the Christian Science Monitor