
“Do as I say, Not as I do”…General Services Administration (GSA) Exposes Personal Data March 16, 2013

Posted by Chris Mark in Uncategorized.

The infamous GSA, which in 2012 was identified for gross fraud, waste, and abuse, sent an email today disclosing to me, and every other company that has participated in Government contracting, that the System for Award Management (SAM) system had a vulnerability that exposed sensitive data. Here is a copy of the email I received today (bold is my emphasis). Before I go into more detail, I would personally like to thank the GSA for exposing my bank account data and SS# through their blind incompetence. At least they “apologized” in their email.

Dear SAM user

The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA.  Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.

Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure.  As a precaution, GSA is taking proactive steps to protect and inform SAM users.

The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.

Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.

In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at www.gsa.gov/samsecurity.  If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.

We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.

Interestingly, the FAQ posted on their website does not indicate how long the data was exposed.  Since SAM went into effect over a year ago, I am guessing that the vulnerability  had been in place for at least a year. 

Maybe, just maybe, instead of sending GSA employees to ‘cooking class’, and funding parties in Hawaii, the Federal Government should focus on protecting the data to which it is entrusted.  The Federal Government recently passed a CyberSecurity directive…again, maybe they should focus on cleaning their own house.

“Pleased to meet you…hope you guessed my name…” – Sophisticated CyberAttack hits US Dept of Energy February 4, 2013

Posted by Chris Mark in Uncategorized.

UPDATE: A newly released report shows that the Chinese military is involved in cyberattacks. Read the full story here and download the report.

Foxnews released an article today that outlines a sophisticated cyberattack targeting the US Dept of Energy. Surprisingly, the suspect is China. According to the story, the attack compromised the information of several hundred employees, with the expected goal of compromising more information. According to the article:

“It’s a continuing story of negligence,” former Energy Department security official Ed McCallum told the Free Beacon, explaining that the department continues to have security problems despite controlling some of the most “sophisticated military and intelligence technology the country owns.” 

He said China, as well as Iran, have been after Energy Department secrets. Several groups and agencies have warned about stepped-up cyber activities out of China. 

“China continues to develop its capabilities in the cyber arena,” the U.S. China Economic and Security Review Commission said in a November 2012 report to Congress. “U.S. industry and a range of government and military targets face repeated exploitation attempts by Chinese hackers as do international organizations and nongovernmental groups including Chinese dissident groups, activists, religious organizations, rights groups, and media institutions.” 

Read more: http://www.foxnews.com/politics/2013/02/04/sophisticated-cyber-attack-hits-energy-department-china-possible-suspect/#ixzz2Jwn0Yycu

Chris Mark & Heather Mark in Feb 2013 TransactionWorld February 1, 2013

Posted by Chris Mark in Uncategorized.

February’s edition of TransactionWorld was released today and both Chris and Heather have articles in the issue. Chris (that is me) wrote “Security in Dangerous Waters; Pirates & CyberCrime” while Heather wrote “Shifting Targets; Dealing with Regulatory Shifts in Data Security & Privacy”. Please be sure to check out the articles.

Chris Mark’s Article in “The Counter Terrorist Magazine” January 28, 2013

Posted by Chris Mark in cyberespionage, cybersecurity.

I received my copy of February/March 2013 International edition of The Counter Terrorist Magazine and imagine my surprise when I am the cover article! I have written for a number of publications but I have to say my favorite is The Counter Terrorist. It is a great periodical for anyone interested in World affairs, Terrorism, and Counter Terrorism. My article is titled “World Cyber War”. In the article I talk about the differences in the perspectives of war between the East and the West, as well as provide examples of how cyber operations have already been used to further national interests. China is highlighted for their interpretations of war and warfare in “Unlimited War”, as well as Russia, and a few others. Overall, I think it is one of my better articles. To read The Counter Terrorist, you must subscribe either online or in print. Check out…The Counter Terrorist Magazine.

Offensive Cyber Attacks – A Dangerous Proposition December 8, 2012

Posted by Chris Mark in Uncategorized.

Let me preface this by saying I have been outspoken about passive cyber defensive strategies and their failure. You can read my paper: “Failed State of Security” to learn more. On that note, Foxnews had a story today that had me scratching my head. The recommendations were pedestrian at best, and dangerous in the most severe cases. In short the article suggests that companies should take a more ‘offensive approach’ to preventing cyber attacks. Some of the recommendations include:

“Misinformation campaigns” such as planting fake documents and data for criminals to steal. As stated in the article: “One such strategy involves creating a disinformation campaign by distributing fake documents throughout a company’s own network to confuse and potentially misguide potential adversaries.” Companies today have a difficult time managing their own ‘real’ documents. This approach is inefficient, and bound to cause confusion among employees. How do you differentiate between the “real” and the “fake” internally?

Jim Cilluffo, Director of George Washington University’s Homeland Security Policy Institute, stated in front of Congress: “We should provide opportunities and responsibilities to the private sector to hack back.” REALLY? Vigilante justice is being proposed by a Director of a major university’s homeland security institute? We are going to trust commercial entities to use the authority to ‘hack back’ judiciously? What about when they hack into a competitor and claim they were being hacked? What if a company hacks into a personal computer and the person decides to exact revenge on their employees for the act by escalating the issue to violence? Many of these ‘cyber criminals’ are associated with organized crime. These are not the types of groups you generally want to attack. This ‘mall cop’ mentality has no place in corporate America.

More disturbing is the correlation between vigilante justice and bank robberies. “If someone were to rob a bank today, doesn’t the bank have a responsibility to protect its customers and employees from someone armed? They don’t simply wait until someone shoots innocent victims,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute. The difference is stark. A person walking into a bank with a weapon is a ‘clear and present danger’ to people’s safety. A company being hacked may be angry, offended, insulted, etc. but the hacker is not endangering a person’s safety in the same way a person with a gun would be.

While an executive order from the White House could be forthcoming, Cilluffo said legislation from Congress would be far more helpful and could even indemnify companies from lawsuits.

“We need to have these conversations because the current approach is doomed for failure. We’re losing too much,” said Cilluffo.