What the Heck? Dept of Interior has Rookie IT People or What?

Is this a joke? Those computers had/have malware installed that was never detected even after that major OPM hack that forced the mainframes to communicate with Russia…..yes RUSSIA. So, here comes that Inspector General audit report. We are bleeding data, even classified data….So we have tech companies and social media operations that are not protecting or safeguarding our data, now for sure we have government that cant do it either…..

There was a hearing though…..ahem

Federal Data Breach Reveals Weaknesses Of U.S ... photo

 

In part from the audit report: This memorandum transmits the findings of our evaluation of the U.S . Department
of the Interior’ s incident response program. We found that the Office of the Chief
Information Officer had not fully implemented the capabilities recommended by
National Institute for Standards and Technology (NIST) in its incident detection
and response program.
We make 23 recommendations to help the Department improve its incident response
program , so it can promptly detect and full y contain cyber threats to maintain the
availability, confidentiality, and integrity of Department and bureau computer
systems and data.
In response to our draft report, the Department concurred with all recommendations
and provided target dates and officials responsible for implementation.
We consider all 23 recommendations resolved but not implemented.
We will forward the recommendations to the Office of Policy, Management and
Budget for tracking and implementation. We understand that some of these recommendations may require significant investment in cyber security infrastructure
as well as the recruitment of additional staff, but the intended timeframe to implement
these recommendations remains a concern.
Five recommendations will not be addressed for more than 5 years, and four recommendations will not be addressed for more than 3 years.
In the interim, the Department should consider additional temporary or partial solutions.
Specifically, we found that the Department:
• Was not fully prepared to respond to incidents
• Did not promptly detect or fully analyze security incidents
• Did not fully contain or completely eradicate active cyber threats
• Did not continuously improve its incident response capabilities by
learning from prior incidents

Three years after Chinese hackers stole security clearance files and other sensitive personal information of some 22 million U.S. federal employees, cyber-defenses at the Department of Interior, which hosted White House Office of Personnel Management (OPM) servers targeted in the theft, were still unable to detect “some of the most basic threats” inside Interior’s computer networks — including malware actively trying to make contact with Russia.

In a 16-month examination of Interior’s ability to detect and respond to cyber-threats, evaluators from the department’s Office of Inspector General (OIG) also discovered that Interior’s technicians simply did not implement a sweeping array of mandatory, government-wide defensive measures ordered up after the disastrous OPM hack, didn’t investigate blocked intrusion attempts, and left “multiple” compromised computers on their network “for months at a time,” according to a redacted OIG report issued in March.

Ultra-sensitive security clearance files have since been moved to the Defense Department, but, among other things, the OIG report noted that:

● sensitive data at Interior could be taken out of the department’s networks “without detection.”

● network logs showed that a computer at the U.S. Geological Survey, an Interior bureau, was regularly trying to communicate with computers in Russia. The messages were blocked, but “the USGS facilities staff did not analyze the alerts.”

● dangerous or inappropriate behavior by network users — including  the downloading of pornography and watching pirated videos on Russian and Ukrainian websites — was not investigated.

● computers discovered to be infected with malware were scrubbed as soon as possible and put back into use—meaning little or no effort went into examining the scope and nature of any such threats to the broader network. This happened, the OIG team noted, with one intruder they discovered themselves.

● simulated intrusions or ransomware attacks created by the examiners were carried out with increasing blatancy without a response—in the case of ransomware, for nearly a month

● After the devastating OPM hack, which was discovered in April 2015, the department didn’t even publish a lessons-learned plan for its staffers based on the disaster. The OIG inspectors reported that Interior started to draft an “incident response plan” that month to deal with future intrusions, but “did not publish it until August 2017”— two months after the OIG team had finished their lengthy fieldwork.

● Distressingly, the report also notes that the department’s cybersecurity operations team was not privy to a list of Interior’s so-called “high-value IT assets” prepared by the Chief Information Officer, “due to its sensitive nature.” More here.

Foreign Espionage Spying on Cell Phones in Washington DC

There was an investigation and the report is complete…but who has it, where is it? Between the FBI, Secret Service, DHS, Capitol Police as well as other agencies…why the suspense? Why is it still going on?

Mysterious unidentified spying cell towers found across ...

In related reading, this site published in November of 2017: Surveillance: China’s Big Brother, America’s Also?

U.S. Suspects Cellphone Spying Devices in Washington

(AP) — For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages.

The use of what are known as cellphone-site simulators by foreign powers has long been a concern, but American intelligence and law enforcement agencies — which use such eavesdropping equipment themselves — have been silent on the issue until now.

In a March 26 letter to Oregon Sen. Ron Wyden, the Department of Homeland Security acknowledged that last year it identified suspected unauthorized cell-site simulators in the nation’s capital. The agency said it had not determined the type of devices in use or who might have been operating them. Nor did it say how many it detected or where.

The agency’s response, obtained by The Associated Press from Wyden’s office, suggests little has been done about such equipment, known popularly as Stingrays after a brand common among U.S. police departments. The Federal Communications Commission, which regulates the nation’s airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly.

The devices work by tricking mobile devices into locking onto them instead of legitimate cell towers, revealing the exact location of a particular cellphone. More sophisticated versions can eavesdrop on calls by forcing phones to step down to older, unencrypted 2G wireless technology. Some attempt to plant malware.

They can cost anywhere from $1,000 to about $200,000. They are commonly the size of a briefcase; some are as small as a cellphone. They can be placed in a car next to a government building. The most powerful can be deployed in low-flying aircraft.

Thousands of members of the military, the NSA, the CIA, the FBI and the rest of the national-security apparatus live and work in the Washington area. The surveillance-savvy among them encrypt their phone and data communications and employ electronic countermeasures. But unsuspecting citizens could fall prey.

Wyden, a Democrat, wrote DHS in November requesting information about unauthorized use of the cell-site simulators.

The reply from DHS official Christopher Krebs noted that DHS had observed “anomalous activity” consistent with Stingrays in the Washington area. A DHS official who spoke on condition of anonymity because the letter has not been publicly released added that the devices were detected in a 90-day trial that began in January 2017 with equipment from a Las Vegas-based DHS contractor, ESD America .

Krebs, the top official in the department’s National Protection and Programs Directorate, noted in the letter that DHS lacks the equipment and funding to detect Stingrays even though their use by foreign governments “may threaten U.S. national and economic security.” The department did report its findings to “federal partners” Krebs did not name. That presumably includes the FBI.

The CEO of ESD America, Les Goldsmith, said his company has a relationship with DHS but would not comment further.

Legislators have been raising alarms about the use of Stingrays in the capital since at least 2014, when Goldsmith and other security-company researchers conducted public sweeps that located suspected unauthorized devices near the White House, the Supreme Court, the Commerce Department and the Pentagon, among other locations.

The executive branch, however, has shied away from even discussing the subject.

Aaron Turner, president of the mobile security consultancy Integricell, was among the experts who conducted the 2014 sweeps, in part to try to drum up business. Little has changed since, he said.

Like other major world capitals, he said, Washington is awash in unauthorized interception devices. Foreign embassies have free rein because they are on sovereign soil.

Every embassy “worth their salt” has a cell tower simulator installed, Turner said. They use them “to track interesting people that come toward their embassies.” The Russians’ equipment is so powerful it can track targets a mile away, he said.

Shutting down rogue Stingrays is an expensive proposition that would require wireless network upgrades the industry has been loath to pay for, security experts say. It could also lead to conflict with U.S. intelligence and law enforcement.

In addition to federal agencies, police departments use them in at least 25 states and the District of Columbia, according to the American Civil Liberties Union.

Wyden said in a statement Tuesday that “leaving security to the phone companies has proven to be disastrous.” He added that the FCC has refused to hold the industry accountable “despite repeated warnings and clear evidence that our phone networks are being exploited by foreign governments and hackers.”

After the 2014 news reports about Stingrays in Washington, Rep. Alan Grayson, D-Fla, wrote the FCC in alarm. In a reply, then-FCC chairman Tom Wheeler said the agency had created a task force to combat illicit and unauthorized use of the devices. In that letter, the FCC did not say it had identified such use itself, but cited media reports of the security sweeps.

That task force appears to have accomplished little. A former adviser to Wheeler, Gigi Sohn, said there was no political will to tackle the issue against opposition from the intelligence community and local police forces that were using the devices “willy-nilly.”

“To the extent that there is a major problem here, it’s largely due to the FCC not doing its job,” said Laura Moy of the Center on Privacy and Technology at Georgetown University. The agency, she said, should be requiring wireless carriers to protect their networks from such security threats and “ensuring that anyone transmitting over licensed spectrum actually has a license to do it.”

FCC spokesman Neil Grace, however, said the agency’s only role is “certifying” such devices to ensure they don’t interfere with other wireless communications, much the way it does with phones and Wi-Fi routers.

___

Links:

DHS letter to Sen. Ron Wyden: http://apne.ws/eJ7JipM

DHS enclosure in letter to Sen. Ron Wyden: http://apne.ws/dBMPqWw

 

Cyberwar: The new Forever Battle, Indicators of Compromise

The United States is in the midst of the most resounding policy shift on cyber conflict, one with profound implications for national security and the future of the internet. The just-released U.S. Cyber Command “vision” accurately diagnoses the current state of cyber conflict and outlines an appropriate new operational model for the command: since cyber forces are in “persistent engagement” with one another, U.S. Cyber Command must dive into the fight, actively contesting adversaries farther forward and with more agility and operational partnerships.

The vision, however, ignores many of the risks and how to best address them. Most importantly, the vision does not even recognize the risk that more active defense – in systems and networks in other, potentially friendly nations – persistently, year after year, might not work and significantly increases the chances and consequences of miscalculations and mistakes. Even if they are stabilizing, such actions may be incompatible with the larger U.S. goals of an open and free Internet. More here including the critique of the report.

US Cyber Command gets unified military command status ...

*** Meanwhile we know all too well about Russia and China’s cyber espionage, yet when proof surfaces by hacking into their documents for evidence….both countries begin another denial session. And Trump invited Putin to a bi-lateral meeting at the White House? Any bi-lateral meeting should take place outside the United States in a neutral location like Vanuatu or the Canary Islands….

TheTimes: Russian attempts to fuel dissent and spread disinformation have been exposed by a cache of leaked documents that show what the Kremlin is prepared to pay for hacking, propaganda and rent-a-mob rallies.

Hacked emails sent by Moscow-linked figures outline a dirty-tricks campaign in Ukraine, which was invaded on the orders of President Putin in 2014. Experts said that they exposed the dangers faced by Britain and its allies because Russia used the same weapons of disinformation, bribery and distortion to attack the West.

Bob Seely, a Tory MP and expert on Russian warfare, said his analysis of the leaks, which comprise thousands of emails and a password-protected document related to the conflict in Ukraine, revealed a “shopping list of subversion”.

“There is overwhelming evidence that the tools and techniques of Russian covert conflict are being used in and against the UK, the US and the EU,” he added. “In the wake of the Skripal poisoning it’s more important than ever that we understand these methods.”

The cost and extent of tactics were disclosed in a third tranche of the so-called Surkov leaks, named after Vladislav Surkov, a Kremlin spin-master said by some to be Mr Putin’s Rasputin.

Two previous tranches, published online by Ukrainian Cyber Alliance, a hacker activist collective, were said to include emails from an account linked to Mr Surkov. He has been closely involved with the management of Donetsk and Luhansk People’s Republics, two Russian-controlled “statelets” in Ukraine established by pro-Moscow separatists.

The latest publication appears to contain emails found in accounts linked to Inal Ardzinba, Mr Surkov’s first deputy, and to a Ukrainian Communist party leader. They suggest that the Kremlin paid local groups and individuals in Ukraine that were willing to advance its aim to fracture the country.

One set of correspondence from October 2014, which appears to have been sent by a Russian politician to Mr Ardzinba, contained proposals to fund cyberoperations, including hacking email accounts for between $100 and $300. A wider plan to “troll opponents”, “demotivate enemies” on social media, and amass the personal data of targeted individuals in Ukraine’s second largest city, Kharkiv, was priced at $130,500.

The Russian foreign ministry has denied in the past that Mr Ardzinba has had anything to do with propaganda in Ukraine. According to Mr Seely, the leaks appear to reveal plans to plant new historical and philosophical ideas. The emails also include an event and two books that would claim that an area of Ukraine had Russian heritage.

Other proposals included the orchestration of anti-Ukraine, pro-Russia rallies. These involved the transport of “sportsmen” trained in martial arts to agitate at the rallies, bribes to local media to feature the protests and bribes to police to turn a blind eye. A month of rallies in Kharkiv was priced at $19,200. It included 100 participants, three organisers and two lawyers. It is unclear if the rallies took place, though others orchestrated by the Kremlin did happen, the research said. Moves to get 30 ex-communist figures elected to local government were floated in June 2015, at $120,460, the leaks said.

The Kremlin has claimed in the past that the Surkov leaks are fabricated and in the information war between Ukraine and Russia falsehoods may have been planted. However, the authors of correspondence in the first two tranches confirmed their authenticity. They were supported by the Atlantic Council, an international affairs think tank, after an analysis of metadata.

In their analysis of the third tranche, Mr Seely and his co-researcher Alya Shandra, managing editor of an English-language Ukrainian news website, say the leaks are “very likely to be authentic”. Ms Shandra and Mr Seely plan to publish their report with the Royal United Services Institute.

Peter Quentin, a research fellow at the Royal United Services Institute, said: “There is no reason to believe these leaks are any less credible than the previous tranches. This third tranche certainly seems to fit with the trend of well-documented subversion by Russian activists in the region.”

China and Russia Military Collaboration Against the West

Imagine the conversations in meetings between respective military officers of these two countries. As the United States has very little in the way of remote espionage in China and due to the expulsion of U.S. diplomatic personnel from Russia, the U.S. has even less intelligence officers in and around Russia….so, what could be coming that we may soon miss?
CHINA’S EVOLVING OVERSEAS ACCESS
China is expanding its access to foreign ports to pre-position the necessary logistics support to regularize and sustain deployments in the “far seas,” waters as distant as the Indian Ocean, Mediterranean Sea, and Atlantic Ocean. In late November, China publicly confirmed its intention to build military supporting facilities in Djibouti “to help the navy and army further participate in United Nations peacekeeping operations (PKO), carry out escort missions in the waters near Somalia and the Gulf of Aden, and provide humanitarian assistance.” This Chinese initiative both reflects and amplifies China’s growing geopolitical clout, extending the reach of its influence and armed forces.
China’s expanding international economic interests are increasing demands for the PLAN to operate
in more distant seas to protect Chinese citizens, investments, and critical sea lines of communication
(SLOC).
China most likely will seek to establish additional naval logistics hubs in countries with which it has a
longstanding friendly relationship and similar strategic interests, such as Pakistan, and a precedent for hosting foreign militaries. China’s overseas naval logistics aspiration may be constrained
by the willingness of countries to support a PLAN presence in one of their ports.
So far, China has not constructed U.S. – style overseas military bases in the Indian Ocean. China’s leaders may judge instead that a mixture of preferred access to overseas commercial ports and a limited number of exclusive PLAN logistic facilities—probably collocated with commercial ports—
most closely aligns with China’s future overseas logistics needs to support its evolving naval requirements.
Preferred access would give the PLAN favored status in using a commercial port for resupply,
replenishment, and maintenance purposes. A logistics facility would represent an arrangement in
which China leases out portions of a commercial port solely for PLAN logistics operations.
Such a logistics presence may support both civilian and military operations. China’s current naval logistics footprint in the Indian Ocean is unable to support major combat operations in South Asia. A greater overseas naval logistics footprint would better position the PLAN to expand its participation in non-war military missions, such as non-combatant evacuation operations (NEO), search-and-rescue (SAR), humanitarian assistance/disaster relief (HA/DR), and sea lines of communication (SLOC) security. To some extent, a more robust overseas logistics presence may also enable China to expand its support to PKO, force protection missions, and counterterrorism initiatives.
For example, in 2015, the PLAN’s naval escort task forces performing counterpiracy escort duties in the Gulf of Aden were able to utilize Djibouti and Oman for basic resupply and replenishment. The 156 page report is here.
*** http://www.combataircraft.net/wp-content/uploads/sites/5/2016/03/CA-Mar-12-Pic-12-1.jpgElectronic attack J-16
A dedicated electronic warfare (EW) version of the Shenyang J-16 fighter completed its maiden flight on December 18 last year. The first images of the aircraft — sometimes described as the J-16D or even J-16G — reveal several changes compared to the standard J-16 fighter-bomber: most obviously, two large EW pods on the wingtips that are very similar in appearance to the AN/ALQ-218 tactical jamming receivers used by the Boeing EA-18G Growler. The aircraft also features a new, shorter radome and the standard 30mm cannon and the optical sensor in front of the starboard side of the windshield have been removed. In addition, several conformal dielectric EW arrays can be seen around the fuselage, front section (behind the radome), and intakes. Photo
In the wake of Russia’s demonstrations of advanced electromagnetic spectrum and communications jamming capabilities, most recently displayed in their incursion into Ukraine, China also is upping its game in this space, demonstrating similar capabilities in the Pacific.

The U.S. Department of Defense, in an annual report to Congress on China’s military and security developments, assessed that the country is placing greater importance upon EW, on par with traditional domains of warfare such as air, ground and maritime.

“The [People’s Liberation Army] sees EW as an important force multiplier, and would likely employ it in support of all combat arms and services during a conflict,” the 2016 report asserts. “The PLA’s EW units have conducted jamming and anti-jamming operations, testing the military’s understanding of EW weapons, equipment, and performance. This helped improve the military’s confidence in conducting force-on-force, real-equipment confrontation operations in simulated EW environments.”

According to the report, China’s EW weapons include “jamming equipment against multiple communication and radar systems and GPS satellite systems. EW systems are also being deployed with other sea- and air-based platforms intended for both offensive and defensive operations.”More here.

***
Collaboration on Satellites
….uh huh…. Joint military operation locations:
Before Russia and China began their recent series of bilateral exercises, the key tie between Moscow and Beijing was arms sales and military technology cooperation — totaling about $26 billion from 1992 to 2006 — according to estimates cited in the report.

Moscow sold Beijing, “export versions of the Su-27 and Su-30 fighter, the S-300 SAM defense system, Sovermennyy-class guided missile destroyer, and Kilo-class diesel-electric submarine,” the report said, citing data from the Stockholm International Peace Research Institute.
Fears of China copying Russian systems led to a drop off in arms sales between the two countries – especially higher end weapon systems. Chinese arms manufactures are notorious for taking, modifying and reproducing weapon designsMore here.

Russia and China are planning to merge their satellite tracking systems, RT.com is reporting.

The giant system will be able to cover most of an area including China, Kazakhstan, Kyrgyzstan, Russia, Tajikistan, Uzbekistan, India and Pakistan. according to RT, the Russian-funded news outlet.

The two nations will reportedly negotiate terms of the merger in May during a conference in China.

Russia and China will be able to share data on positions of navigation satellite groups and to improve efficiency in a real-time environment, RT reported.

The merger was initiated by Chinese officials.

“If the project is implemented, it will allow for an improvement in accuracy for both systems,” a spokesman for the Russian Federal Space Agency, Roscosmos was quoted.

Japan and India are getting set for their own regional navigation satellite systems, RT reported. The system is expected to be operational by the end of the year.

 

4 Days of Food Left…Panic? National Grid Hacked

If there is no transportation, there is no food, medicine or basic supplies….what country is ready to deal with this?

British cities would be uninhabitable within days and the country is only a few meals from anarchy if the National Grid was taken down in a cyber attack or solar storm, disaster and security experts have warned.

Modern life is so reliant on electricity that a prolonged blackout would quickly lead to a loss of water, fuel, banking, transport and communications that would leave the country “in the Stone Age”.

Russia plot to cut off UK with hackers taking down ... photo

The warning comes weeks after the Defence Secretary, Gavin Williamson, said Russia had been spying on the UK’s energy infrastructure and could cause “thousands and thousands and thousands” of deaths if it crippled the power supply.

***

The U.S. government has just released an important cybersecurity alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors in the United States.

While there has recently been a significant rise in cyberattacks in these industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case the threat actor and their strategic intent has been clearly confirmed, something the U.S. government rarely does publicly.

In addition, the US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IOCs), and a long list of detection and prevention measures. Many of the attack tactics are like Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly. The Nozomi Networks solution ships today with an analysis toolkit that identifies the presence of Dragonfly 2.0 IOCs.

This article is intended to help you gain perspective on this recent alert, provide additional guidance on what security measures to take, and describe how the Nozomi Networks solution can help.

Russian-Cyberattacks-on-Infrastructure

U.S. energy facilities, like this one, are one of the critical infrastructure targets of the Russian cyberattacks.

Multi-Stage Campaigns Provide Opportunities for Early Detection

The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign where Russian cyber actors conducted spear phishing and gained remote access into targeted industrial networks. After obtaining access, the threat vectors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

This pattern of behavior is typical of APTs (Advanced Persistent Threats). APTs occur over an extended period, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for them to go unobserved before their final attack.

In this case the Russian cyberattacks started by infecting staging targets, which are peripheral organizations, such as trusted third-party suppliers, as pivot points for attacking the final intended targets.

The attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets. Examples include:

  • Altering trade publication websites
  • Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
  • Analyzing publicly available photos that inadvertently contained information about industrial systems

The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.

The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was described for the Dragonfly 2.0 attacks.This is a distinctive tactic. SMB is usually only used to communicate within LANs, not for outbound communications. Now that this is known, asset owners should ensure their firewalls are locked down for outbound service restrictions.

The credentials of the intended targets were used to access victim’s networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The goals ranged from creation of additional accounts to cleanup activity. For the report, click here.

***

What Is Known

Forensic analysis shows that the threat actors sought information on network and organizational design and control system capabilities within the organization. In one instance, the report says, the threat actors downloaded a small photo from a publicly accessible human resource page, which, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background. The threat actors also compromised third-party suppliers to download source code for several intended targets’ websites. They also attempted to remotely access corporate web-based email and virtual private network (VPN) connections.

Once inside the intended target’s network, the threat actors used privileged credentials to access domain controllers via remote desktop protocols (RDP) and then used the batch scripts to enumerate hosts and users, as well as to capture screenshots of systems across the network.

The threat is inside. US-CERT on March 15 warned that threat actors associated with the Russian government had infiltrated ICS and SCADA systems at power plants using a variety of tactics. This image is a DHS reconstruction of a screenshot fragment of a human machine interface (HMI) that the threat actors accessed. Source: US-CERT

The threat is inside. US-CERT on March 15 warned that threat actors associated with the Russian government had infiltrated ICS and SCADA systems at power plants using a variety of tactics. This image is a DHS reconstruction of a screenshot fragment of a human machine interface (HMI) that the threat actors accessed. Source: US-CERT

Along with publishing an extensive list of indicators of compromise, the DHS and FBI recommended that network administrators review IP addresses, domain names, file hashes, network signatures, and a consolidated set of YARA rules for malware associated with the intrusion authored by the National Cybersecurity and Communications Integration Center. YARA is an open-source and multiplatform tool that provides a mechanism to exploit code similarities between malware samples within a family.