DHS Secret Databases Not Secure, Violations

In part from the report: Recognizing the importance of information security to the economic and national security interests of the United States, the Congress enacted Title III of the E-Government Act of 2002 (Public Law 107-347, Sections 301-305) to improve security within the Federal Government. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Title III of the E-Government Act, as amended, entitled Federal Information Security Management Act of 2002, provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support Federal operations and assets.

Components are not consistently following DHS’ policies and procedures to update the system inventory and plan of action and milestones in the Department’s enterprise management systems. Further, Components continue to operate systems without the proper authority. We also identified a significant deficiency in the Department’s information security program as the United States Secret Service (USSS) did not provide the Chief Information Security Officer (CISO) with the continuous monitoring data required by the Office of Management and Budget (OMB) during Fiscal Year (FY) 2014. Without this information, CISO was significantly restricted from performing continuous monitoring on the Department’s information systems, managing DHS’ information security program, or ensuring compliance with the President’s cybersecurity priorities. Subsequent to the completion of our fieldwork, USSS established an agreement with the DHS Chief Information Officer (CIO) to provide the required data beginning in FY 2015.

Evaluation of DHS Information Security Program for Fiscal Year 2015 revealed the existence of dozens of top-secret unpatched databases.
SecurityAffairs: The story I’m about to tell you is staggering: the US Department of Homeland Security is running dozens of unpatched and vulnerable databases, a number of which contain information rated as “secret” and even “top secret.”
The discovery emerged from the “Evaluation of DHS’ Information Security Program for Fiscal Year 2015” conducted on the department’s IT infrastructure by the US Government.
The audit of the DHS Information Security Program found serious security issues in the Government’s systems, including 136 systems with expired “authorities to operate,” a circumstance that implies maintenance activities have stopped. The principal problem discovered by the inspectors is that a number of systems, despite still being operational and under maintenance, lack up-to-date security patches, leaving them open to cyber attacks.


Of the 136 systems, 17 contained information classified as “secret” or “top secret.”
Looking closely at the report on the DHS Information Security Program, it is possible to note that the Coast Guard runs 26 vulnerable databases, followed by FEMA with 25, Customs and Border Protection with 14, and DHS headquarters with 11.

Although the Secret Service has only two vulnerable databases, it has missed other targets.
It implemented proper security checks for just 75 percent of its secret or top secret databases, and just 58 percent of its non-secret databases. The DHS targets are 100 percent and 75 percent respectively. The experts discovered several security issues affecting the majority of assessed systems, including PCs, databases and also browsers.
The assessments conducted to evaluate the DHS Information Security Program revealed several deficiencies in the systems analyzed, for example Windows 8.1 and Windows 7 workstations that were missing security patches for key software.
“We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations,” the department’s inspector general noted in a 66-page report. “If exploited, these vulnerabilities could allow unauthorized access to DHS data.”
The inspectors have found many other security issues in the DHS Information Security Program, including weak passwords, websites susceptible to cross-site and/or cross-frame vulnerabilities and poor security settings.
Government environments suffer bureaucratic obstacles in bug fixing and patch management; it can take more than a year to fix a flaw from the moment it is reported.


The results of the evaluation confirm that improvements have been made but there are a lot of serious issues that have to be urgently addressed.
“While improvements have been made, the Department must ensure compliance with information security requirements in other areas. For example, DHS does not include its classified system information as part of its monthly information security scorecard or its FISMA submission to OMB. In addition, USCG is not reporting its PIV data to the Department, which is a contradiction to the Under Secretary for Management’s guidance that requires Components to submit this information to the Department. In addition, we identified deficiencies with DHS’ enterprise management systems, including inaccurate or incomplete data.”
The report also provides a set of recommendations to address the security issues that emerged from the assessment.
The DHS has 90 days to fix the issues, two of which have been already solved.
Pierluigi Paganini

Drills on Homeland Have a Reason

We are always suspicious and question what law enforcement is doing and why. We ask the same when it comes to the Department of Homeland Security and we do the same regarding the military. There were huge questions and theories when Operation Jade Helm was held in 5 Southern states this past summer.

Okay, it is good that we question government; it is a duty. Yet there are reasons why events and activities occur. Here are two reasons that may help us understand the motivations for exercises and training, whether in rural or urban areas.

The fuel for a nuclear bomb is in the hands of an unknown black marketeer from Russia, U.S. officials say

The presence of identical fissile materials in three smuggling incidents indicates someone has a larger cache and is hunting for a buyer

With so many nuclear explosives held by governments around the world, US officials have long worried about the possibility of a terrorist-engineered nuclear or radiological blast within the United States. Multiple federal agencies have held almost 1,400 drills in cities around the country over the last decade to train local police and emergency personnel in how to behave after such a nightmare unfolds, according to a spokeswoman for the National Nuclear Security Administration.

CHISINAU, Moldova – The sample of highly-enriched uranium, of a type that could be used in a nuclear bomb, arrived here on a rainy summer day four years ago, in a blue shopping bag carried by a former policeman.

According to court documents, the bag quickly passed through the hands of three others on its way to a prospective buyer. It was not the first time such material had passed through this city, raising international alarms: It had happened twice before. And mysteriously, in all three cases, spanning more than a decade, the nuclear material appeared to have the same origin – a restricted military installation in Russia.

This news would quickly reach Washington. But that day, the first to pick up the blue bag was the wife of a former Russian military officer, who handed it off to a friend while she went shopping in this former Soviet city’s ragged downtown.

Not long afterward, a 57-year-old lawyer named Teodor Chetrus, from a provincial town near the Ukrainian border, retrieved it and brought it to a meeting with a man named Ruslan Andropov. According to an account by Moldovan police, the two men had, earlier in the day, visited a local bank, where Chetrus confirmed that Andropov had deposited more than $330,000 as an initial payment.

Andropov next examined the contents of the bag: a lead-lined cylinder, shaped like a thermos. It was meant to be the first of several shipments of highly-enriched uranium totaling 10 kilograms (22 lbs), a senior investigator here said. That’s about a fifth of what might be needed to fuel a Hiroshima-sized nuclear explosion — but almost enough to power a more technically-advanced “implosion-style” nuclear bomb. The full story is a MUST read in its entirety and exceptional work from Public Integrity.

*** Then last week, there was yet another event off the coast of California that forced air traffic to be halted and re-routed as well as some automobile traffic. A peculiar set of beams of light were noted in the sky. Bigger questions were asked. Some thought the U.S. military was training to bomb the homeland. Ah….not so much.

There Is a Secret U.S. Spy Plane Flying Over the Pacific

Here’s what we know … and what we don’t

In 2013, the U.S. Air Force sent a secret spy plane out over the Pacific region. The unknown aircraft – possibly a drone – flew “national collection missions” – a euphemism for strategic intelligence against states like North Korea or China.

It was one of five different types of aircraft flying these missions. The Pentagon’s top headquarters asked the flying branch to use its U-2 Dragon Ladies and RC-135V/W Rivet Joints to take high resolution pictures and scoop up radio chatter, according to an official history of the Air Force’s Intelligence, Surveillance and Reconnaissance Agency – a.k.a. AFISRA – for that year.

“Other USAF aircraft flying national collection missions included the RC-135U Combat Sent, the RC-135S Cobra Ball and the aforementioned [redacted],” the history stated.

So what is the mystery aircraft? The blacked-out portion of the document suggests the missing portion is five to seven characters long. With that in mind, the super secret RQ-170 Sentinel – a six character designation that would fit in the redacted segment – is one possibility.

Lockheed built an estimated 20 to 30 RQ-170s – also known as Wraiths – for the Air Force sometime in the early 2000s. The 30th Reconnaissance Squadron at Creech Air Force Base in Nevada owns all of these bat-winged pilotless spies.

In 2007, journalists first spotted the Wraith at Kandahar Air Field in Afghanistan, earning the nickname “the Beast of Kandahar.” On Dec. 4, 2009, the Air Force formally announced the Sentinel to the world … and little else.

That same year, the drones were flying missions in the Pacific from Andersen Air Force Base on Guam and Kunsan Air Base in South Korea, according to previous Air Force histories we obtained through FOIA. During the latter deployment, the Wraiths likely gathered information about North Korea’s nuclear, ballistic missile and space programs.

In December 2011, one RQ-170 crashed in Iran.

And as of April 2014, at least one of these stealthy flying wings was still on duty, according to an accident report in Combat Edge, Air Combat Command’s official safety magazine. ACC owns the bulk of the Air Force’s combat aircraft, including its spy planes and the RQ-170s.

If the RQ-170s are still in service, the flying branch would have every incentive to keep using them. And the Sentinels and their crews already had experience in the Asia-Pacific theater.

Of course, the censored plane could be something entirely new. For decades, the Pentagon and the CIA have repeatedly acknowledged advanced aircraft projects — after the fact — only to decline to release any significant information about them. Hat tip to War is Boring for doing the investigative work, the rest of the work is found here.

Chinatown had Ordered Murders

Raymond Chow Kwok-cheung (traditional Chinese: 周國祥; simplified Chinese: 周国祥; pinyin: Zhōu Guóxiáng; Jyutping: zau1 gwok3 coeng4; born 1960), nicknamed “Shrimp Boy”, is a Hong Kong-born ex-felon with ties to a San Francisco Chinatown street gang and an organized crime syndicate, including the American branch of the Hong Kong-based triad Wo Hop To and the Hop Sing Boys.

In 2006, Chow became the leader of the Ghee Kung Tong, a Chinese fraternal association based in San Francisco, California. In 2014, Chow, along with 28 other defendants including former California State Senator Leland Yee, was indicted for racketeering, money laundering, and a host of other alleged criminal activities. Leland Yee pled guilty to racketeering in July of 2015 for conspiring with his campaign fundraiser to defeat donation limits through money laundering. Despite initial press releases, Chow was not indicted in a racketeering conspiracy with Leland Yee. Chow was indicted in a racketeering conspiracy which alleged that he oversaw a criminal faction of the Ghee Kung Tong. Chow is the only co-defendant of 29 to publicly profess his innocence and ask for an expedited jury trial. He is scheduled for trial in November of 2015.

Prosecutor: Chinatown crime defendant ordered murder

SAN FRANCISCO (AP) — A defendant in a San Francisco crime probe ordered the murder of a rival and was at the center of a criminal organization in Chinatown that laundered money and trafficked in guns and drugs, a prosecutor said during an opening statement on Monday.

Federal prosecutor Waqar Hasib recreated the scene when Allen Leung, the head of the Chinese fraternal group, the Ghee Kung Tong, was shot in February 2006, calling the slaying a “cold-blooded, gangland-style hit” ordered by defendant Raymond “Shrimp Boy” Chow.

Chow was the focus of a lengthy organized crime investigation in Chinatown that ended up snaring a corrupt California senator and more than two dozen others. He has pleaded not guilty to murder, racketeering and money-laundering charges that could put him away for life.

Hasib said Chow was the sun at the center of a criminal universe.

Chow repeatedly accepted money from an undercover FBI agent posing as a member of the mafia despite denying he had any involvement in the agent’s money laundering and other crimes, Hasib said.

Jurors will hear a chilling recording of Chow talking to the agent about another murder Chow has been charged with and hear testimony from one of Chow’s co-defendants that Chow had ordered Leung’s murder, Hasib said.

Federal investigators say Chow took over the Ghee Kung Tong in 2006 after having Leung killed.

“This case is about this group of people engaging in this pattern of criminal activity,” Hasib said. “But most importantly, this case is about the person who is at the center of that, around whom all of that criminal activity revolved, around whom all those people revolved.”

Chow’s attorneys, led by veteran San Francisco lawyer Tony Serra, are expected to make their opening statement later Monday.

They have argued in court papers that the government’s multiyear probe was a costly fishing expedition that induced innocent people into crime.

Legal observers say the racketeering conviction of state Sen. Leland Yee in July has largely validated the government’s probe and lowered the stakes for prosecutors in Chow’s trial.

Federal agents say that one of Chow’s associates was Keith Jackson, a former San Francisco school board president and well-known political consultant who raised money for Yee’s unsuccessful mayoral run in 2011 and bid for secretary of state.

Jackson led investigators to Yee, who acknowledged as part of his plea deal that he accepted thousands of dollars in exchange for favors and discussed helping an undercover FBI agent buy automatic weapons from the Philippines.

Yee is scheduled to be sentenced in December and faces a maximum of 20 years in prison. Jackson pleaded guilty to the same racketeering charge as Yee and is also scheduled to be sentenced in December.

“The government has gotten what it wanted to get out of this investigation by already putting down Leland Yee,” said Peter Keane, a professor at Golden Gate University School of Law in San Francisco and a former public defender. “He was their trophy.”

The investigation also sent a message to other politicians and Chinatown power brokers, said Rory Little, a law professor at the University of California, Hastings and a former federal prosecutor.

“Even Chinatown can be penetrated by government investigations, so stay on the up and up,” he said. “And if you’re a state senator, don’t assume you’re safe.”

The judge overseeing Chow’s trial, Charles Breyer, said it could continue into February.

Per FBI: Foreign Telecoms Likely Hacked Hillary Emails

The Justice Department officials also used the words “reckless,” “stunning,” and “unbelievable” in discussing the controversy swirling around Clinton’s use of a private, nongovernment email account.

FBN Exclusive: DOJ Officials Fear Foreign Telecoms Hacked Clinton Emails, Server

FBN: Officials close to the matter at the Department of Justice are concerned the emails Hillary Clinton sent from her personal devices while overseas on business as U.S. Secretary of State were breached by foreign telecoms in the countries she visited—a list which includes China.

“Her emails could have easily been hacked into by telecoms in these countries. They got the emails first, and then routed them back to her home server. They could have hacked into both,” one Justice Department official close to the matter says.

Another Justice Department official adds: “Those telecommunications companies over there often have government workers in there. That telecom in that foreign country could then follow the trail of emails back to her server in the U.S. and break into the server” remotely over the Internet. At various points in this process, there were multiple entry points to hack into Clinton’s server to steal information, as well as eavesdrop, the Justice Department officials say.

This is the first indication that officials at the Justice Department are concerned that foreign telecom workers may have broken into Clinton’s emails and home server. The Federal Bureau of Investigation is currently investigating the national security issues surrounding Clinton’s emails and server.

The Justice Department officials also used the words “reckless,” “stunning,” and “unbelievable” in discussing the controversy swirling around Clinton’s use of a private, nongovernment email account, as well as her use of a personal Blackberry (BBRY), an Apple (AAPL) iPad, and home server while U.S. Secretary of State. The officials did not indicate they have any knowledge of a breach at this point.

As for the effort to designate Clinton’s emails as classified or unclassified, the Justice Department officials agreed that, as one put it: “Every email she sent is classified because she herself is classified, because she is both Secretary of State and a former first lady.”

In addition, there’s a growing belief among cyber security experts at web security firms such as Venafi and Data Clone Labs that Clinton’s emails were unprotected in the first three months of her tenure in 2009 as the nation’s top diplomat, based on Internet scans of her server that Venafi conducted at that time.

“For the first three months of Secretary Clinton’s term in office, from early January to late March, access to her home server was not encrypted or authenticated with a digital certificate,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, tells FOX Business. “That opens the risk that Clinton’s user name and password were exposed and captured, particularly in places she traveled to at this time, like China or Egypt. And that raises issues of national security,” he says, adding: “Attackers could have eavesdropped on communications, particularly in places like China, where the Internet and telecom infrastructure are built to do that.”

Digital certificates are the bedrock of Internet security. They verify the authenticity and legitimacy of an email server on the Web, and they let the recipient of an email know that an email comes from a trusted source. Essentially, digital certificates are electronic passports attached to an email that verify that the user sending it is who he or she claims to be.

Because it appears Clinton’s server did not have a digital certificate in the first three months of 2009, “a direct attack on her server was likely at this time, and the odds are fairly high it was successful,” says Ira Victor, director of the digital forensic practice at Data Clone Labs.

In and around January 13, 2009, the day of Clinton’s Senate confirmation hearings, the clintonemail.com domain name was registered. An estimated 62,320 emails were sent and received on Clinton’s private email account during her tenure as U.S. Secretary of State. Later, 31,830 emails were erased from her private server because they were deemed personal.

Although Clinton previously has argued that there was no classified material on her home server in Chappaqua, N.Y., the U.S. Department of State has deemed 403 emails as classified, with three designated “top secret” (the State Dept. itself has been the subject of cyber hacking).

Clinton has maintained her home server did have “numerous safeguards,” but it’s unclear specifically what security measures were installed, and what those layers were. In September, Clinton apologized on ABC News for using a home server to manage her U.S. Department of State electronic correspondence.

Although Clinton and her team have indicated her emails were not hacked, not knowing about a breach is different from being hacked, cyber analysts tell FOX Business. Her campaign staffers did not return calls or emails for comment. “Even the NSA, the CIA, and Fortune 500 companies know they cannot make that claim that they have not been hacked. Everyone can be hacked,” says Bocek.

FOX News recently reported that an intelligence source familiar with the FBI’s probe into Clinton’s server said that the FBI is now focused on whether there were violations of the federal Espionage Act pertaining to “gross negligence” in the safeguarding of national defense information. Sets of emails released show that Clinton and top aides continuously sent information about foreign governments and sensitive conversations with world leaders, among other things, FOX News reported.

Secure communications and devices are routine in the federal government. For example, President Barack Obama received a secure Blackberry from the National Security Agency after he was elected, a former top NSA official tells FOX Business.

“I could not recall that I ever heard that a secure Blackberry was provided to Hillary Clinton. No one else can either,” the former NSA official says, adding, “There is no way her calls were properly secured if she used her [personal] Blackberry.” Blackberry declined comment.

The former NSA official says the same issue is at play for Clinton’s iPad. “While there have been recent advances in securing iPhones and iPads, these were not available, in my opinion, when she was Secretary of State and there would have to be a record that she sought permission to use them with encryption,” the former NSA official says.

When traveling overseas, U.S. secretaries of state use secure phones that ensure end-to-end encryption and, in some cases, mutual authentication of the parties calling, the former NSA official said. Communications are conducted via secured satellite, digital networks or Internet telephony.

“I think I can say, with some confidence, that once any decent foreign intelligence service discovered she was using her personal phone and iPad, she would be targeted and it would be a high priority operation,” the former NSA official said, adding, “if the calls were unencrypted, it would be no challenge at all while she was overseas — they just have to get to the nearest cell tower.”

The first three months of her tenure as Secretary of State would have been an ideal time for hackers to break in, cyber security experts say.

Specifically, experts point to work done by cyber security experts at Venafi, which has revealed a three-month gap in security for Clinton’s home server after the Palo Alto, Calif. firm’s team had conducted routine, “non-intrusive Internet scanning” in January 2009.

Venafi’s Bocek tells FOX Business that he and his team had picked up Clinton’s domain, clintonemail.com, at that time, and found that her home server had not been issued a digital certificate. That means email traffic to and from her server was unprotected from early January to late March 2009. During that time, Clinton traveled as U.S. Secretary of State to China, Indonesia, South Korea, Japan, Egypt, Palestine, Israel, Belgium, Switzerland, and Turkey.

“It also means anyone accessing her home server, including Clinton and other people, would have unencrypted access, including from devices and via web browsers,” says Bocek. “This means that during the first three months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted.”

Digital certificates are vital to Internet security. All “online banking, shopping, and confidential government communications wouldn’t be possible without the trust established by digital certificates,” says Bocek. “Computers in airplanes, cars, smartphones, all electronic communications, indeed trade around the world depend on the security from digital certificates.”

The Office of Management and Budget has now mandated that all federal web servers must use digital certificates by the end of 2016, Bocek notes.

If cyber hackers broke into Clinton’s server, they also could have easily tricked it into handing over usernames, passwords, or other sensitive information, Bocek noted.

“The concern is that log-on credentials could have been compromised during this time, especially given travel to China and elsewhere,” Bocek says, adding that this opened the door to more lapses: “As we’ve seen with so many other breaches, to long-term, under-the-radar compromise by adversaries, hacks that Clinton and her team may not be aware of.”

Bocek adds: “Essentially, the cyber hacker would have looked to Clinton’s server like it was Secretary Clinton emailing.”

Digital forensic analyst Victor agrees. “It’s highly likely her emails sent during this time via her devices and on her server were not encrypted. More significantly, her log-on credentials, her user name and passwords, were almost certainly not encrypted,” says Victor, who has testified in cyber security cases as an expert forensic witness. “So that means emails from Clinton’s aides, like Huma Abedin, or anyone who had email accounts on her server, their communications were also likely unencrypted.”

Victor adds: “It’s highly likely all of their user names and passwords were being exposed on a regular basis to potential cyber attackers, with the high risk they were stolen by, for instance, government employees who could get the passwords for everyone Clinton was communicating with.”

Victor explains how Clinton’s emails from her devices could have been hacked, and malware could have been planted on her server. “Say Clinton emailed from her device during her Beijing trip in that 2009 period. Her emails would first get routed through the local, state-controlled Chinese telecom. The Chinese telecom captures those bits of emails that are broken up into electronic packets by the device she uses,” Victor explains.

Any device Clinton emailed from, Victor says, was constantly “polling and authenticating communications” between her device and her server. “But all of the back-and-forth communication goes through, say, the Chinese telecom. When the device is polling her server with non-secure communications, it’s giving attackers repeat opportunities to breach.”

He continues: “If the connection was not protected, a state actor at the China telecom transmitting her email back to her server in the U.S. could breach both the device and the server at that point.”

Martin C. Libicki, a senior management scientist and cyber expert at Rand Corp., says that security on Clinton’s devices could have been higher than feared. But he says that, while the Blackberry device does have strong encryption, once Clinton zoomed emails from her Blackberry through the foreign telecom networks during those first three months of her tenure, “it was much easier to hack both the device and the server then.”

Venafi’s team, which included analysts Hari Nair and Gavin Hill, found Clinton and/or her team did eventually purchase digital certificates for the server and the clintonemail.com domain name starting in March 2009.

Victor added: “But the question that needed to be asked then was, once the certificate was installed, did Clinton and her team warn anyone she had emailed during those first three months about the poor security during that time, did they warn them to reset their security passwords on all their devices?”
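The gap the experts describe above, a mail server reachable without a certificate so that clients send their logins in the clear, is exactly what a client-side pre-flight check catches. The following Python script is an added example, not code from the article, Venafi or Data Clone Labs: it connects to a host’s SMTP submission (587) and IMAP (143) ports, checks that STARTTLS is offered and that the certificate validates against the system trust store, and refuses to proceed to authentication otherwise. The host name `mail.example.test` and the sample EHLO bodies are placeholders I constructed.

```python
"""Pre-flight check: will this mail host protect a login with TLS before any credentials are sent?

Added example (not from the article or the vendors it quotes). Assumes plaintext-first ports
where STARTTLS must be negotiated before AUTH/LOGIN: SMTP submission on 587 and IMAP on 143.
"""
import imaplib
import smtplib
import ssl
from typing import Optional

MAIL_HOST = "mail.example.test"  # placeholder; replace with the host under review

# Constructed sample EHLO bodies (not captured from any real server) for an offline demonstration.
SAMPLE_EHLO_PLAINTEXT_ONLY = b"mail.example.test Hello\nAUTH PLAIN LOGIN\n8BITMIME"
SAMPLE_EHLO_WITH_STARTTLS = b"mail.example.test Hello\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME"


def parse_ehlo_extensions(ehlo_body: bytes) -> set:
    """Return the SMTP extension keywords from an EHLO response body.

    smtplib.SMTP.ehlo() returns (code, body): the greeting line followed by one extension per
    line, e.g. b"STARTTLS" or b"AUTH PLAIN LOGIN". Only the leading keyword of each line matters.
    """
    keywords = set()
    for line in ehlo_body.decode("ascii", "replace").splitlines()[1:]:
        keyword = line.strip().split(" ", 1)[0].upper()
        if keyword:
            keywords.add(keyword)
    return keywords


def parse_imap_capabilities(capability_line: bytes) -> set:
    """Return the tokens of an IMAP CAPABILITY response, e.g. b"IMAP4rev1 STARTTLS LOGINDISABLED"."""
    return {token.upper() for token in capability_line.decode("ascii", "replace").split()}


def verdict(starttls_offered: bool, error: Optional[str]) -> str:
    """Turn the findings into the decision a client should make before sending credentials."""
    if error:
        return f"REFUSE: could not establish validated TLS ({error})"
    if not starttls_offered:
        return "REFUSE: no STARTTLS offered; a login here would cross the network in the clear"
    return "OK: TLS established with a validated certificate; safe to authenticate"


def check_smtp_submission(host: str, port: int = 587, timeout: float = 10) -> dict:
    """Connect in plaintext, read EHLO, then try STARTTLS with strict validation. Sends no credentials."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check against the system trust store
    result = {"service": f"smtp/{port}", "starttls_offered": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, body = smtp.ehlo()
            result["starttls_offered"] = "STARTTLS" in parse_ehlo_extensions(body)
            if result["starttls_offered"]:
                smtp.starttls(context=ctx)  # wraps with server_hostname=host; a bad cert raises here
                smtp.ehlo()  # capabilities must be re-read after STARTTLS (RFC 3207)
    except (smtplib.SMTPException, OSError) as exc:  # ssl.SSLError is an OSError
        result["error"] = str(exc)
    result["verdict"] = verdict(result["starttls_offered"], result["error"])
    return result


def check_imap(host: str, port: int = 143, timeout: float = 10) -> dict:
    """Same check for IMAP: CAPABILITY, then STARTTLS with strict validation. Sends no credentials."""
    ctx = ssl.create_default_context()
    result = {"service": f"imap/{port}", "starttls_offered": False, "error": None}
    try:
        imap = imaplib.IMAP4(host, port, timeout=timeout)
        try:
            _typ, data = imap.capability()
            caps = parse_imap_capabilities(data[-1])
            # LOGINDISABLED before STARTTLS is the correct posture: the server itself refuses clear logins.
            result["starttls_offered"] = "STARTTLS" in caps
            if result["starttls_offered"]:
                imap.starttls(ssl_context=ctx)  # wraps with server_hostname=host
        finally:
            try:
                imap.logout()
            except (imaplib.IMAP4.error, OSError):
                pass
    except (imaplib.IMAP4.error, OSError) as exc:
        result["error"] = str(exc)
    result["verdict"] = verdict(result["starttls_offered"], result["error"])
    return result


def demo_offline() -> dict:
    """Decision for the two constructed EHLO samples, assuming the certificate would validate."""
    return {
        "plaintext_only": verdict("STARTTLS" in parse_ehlo_extensions(SAMPLE_EHLO_PLAINTEXT_ONLY), None),
        "with_starttls": verdict("STARTTLS" in parse_ehlo_extensions(SAMPLE_EHLO_WITH_STARTTLS), None),
    }


if __name__ == "__main__":
    for name, decision in demo_offline().items():
        print(f"sample {name}: {decision}")
    for report in (check_smtp_submission(MAIL_HOST), check_imap(MAIL_HOST)):
        print(report["service"], report["verdict"])
```

A server that passes both checks still only protects the hop between client and server; it says nothing about the mailbox contents at rest or about the recipient’s side.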

Govt Warns: Raise Your Shield

When one considers all the major hacking events including the Office of Personnel Management, this is truly a warning.

It sounds like they are telling us we are on our own, but the advice is good and must be heeded.

NEWS RELEASE

National Counterintelligence and Security Center
Releases Social Media Deception Awareness Videos

Videos are second in a series released in the wake of the OPM records breach
FOR IMMEDIATE RELEASE
ODNI News Release No. 21-15
October 23, 2015

Today the ODNI’s National Counterintelligence and Security Center released the second in a four-part series of videos from its “Know the Risk—Raise Your Shield” campaign.

The latest campaign videos focus on social media deception, and are intended to help build public awareness of the inherent dangers that the use of social media—Facebook, Twitter, etc.—could present when appropriate protective measures are not taken. There are two videos: a shorter attention-grabber and a second longer video which provides details about social media deception, how government officials or the public can recognize threats and what steps can be taken to minimize the risk of being deceived.

“The information the social media deception videos and overall campaign convey will increase individuals’ awareness of the dangers in cyberspace and provide common-sense tools to protect themselves from bad actors, be they criminals or foreign intelligence entities,” said NCSC Director Bill Evanina.

The NCSC launched the campaign last month in the wake of the Office of Personnel Management records breach to help those individuals, government or otherwise, whose personal information has been compromised. The launch videos focused on “Spear Phishing Attacks,” while the final sets of videos—to be released in November and December, respectively—will focus on human targeting and awareness for travelers. Each release contains a 30-45-second overview video and a more in-depth two minute video.

The NCSC provides effective leadership and support to the counterintelligence and security activities of the U.S. Intelligence Community, the U.S. government, and U.S. private sector entities who are at risk of intelligence collection or attack by foreign adversaries.