Category Archives: Technology

State/OIG Issues Alert on Recurring Weaknesses of State Department’s Computer Security


– By Domani Spero

In November 2013, Inspector General Steve Linick issued a management alert memo to the State Department’s Management Control Steering Committee concerning the “significant and recurring weaknesses” of its information system security program over the past three fiscal years (2011-2013).

The recurring weaknesses identified were in six areas: Authority to Operate (ATO), Baseline Controls, Scanning and Configuration Management Controls, Access Controls, Cyber Security Management, and Risk Management and Continuous Monitoring Strategies.

A backgrounder from the OIG report:

The Department of State (Department) is entrusted to safeguard sensitive information, which is often the target of terrorist and criminal organizations. Cyber attacks against Government organizations appear to be on the rise, including state-sponsored efforts to exploit U.S. Government information security vulnerabilities. The Department is responsible for preserving and protecting classified information vital to the preservation of national security in high risk environments across the globe. The Department also undertakes significant numbers of financial and other transactions, including, for instance, the daily collection of millions of dollars in consular fees. In addition, the Department maintains records on approximately 192 million current passports, which contain such sensitive personally identifiable information (PII) as dates of birth and social security numbers. To protect this information, the Department must ensure that its Information System Security Program and management control structure are operationally effective.

Some of the examples of weaknesses cited include the following:

  • In FY 2013, OIG found another instance of access control weakness. Specifically, OIG reported that 36 employees assigned to the [Redacted] (b) (5). Pursuant to 12 FAM 232, those systems can only be accessed by individuals possessing appropriate clearances. The 36 employees did not possess such clearances.
  • On August 20, 2013, the Bureau of Information Resource Management (IRM) reported that the Department had a total of 6,369 system administrators. According to IRM officials, system administrators are given network-wide permissions to allow them to collaboratively manage and troubleshoot issues. However, such broad access by large numbers of system administrators also subjects the system to risk. The recent, highly-publicized breach of information pertaining to national security matters by Edward Snowden, a contract systems administrator, starkly illustrates the issue.
  • The Bureau of Diplomatic Security did not have the administrative credentials needed for Demilitarized Zone servers to perform periodic scanning.

State/OIG made three recommendations including directing the Office of the Chief Information Officer to employ the services of the National Security Agency (NSA) to conduct independent penetration testing to further evaluate the Information System Security Program and outline a range of technical and procedural countermeasures to reduce risks.

On December 13, 2013, James Millette, chairman of the Steering Committee and the State Department’s Comptroller, who also heads the State Department’s Bureau of the Comptroller and Global Financial Services (CGFS), sent the OIG a written response saying that they “respectfully disagree on the level of severity these weaknesses collectively represent.” Part of the response reads:

Your memo recommended that the MCSC direct IRM to employ the services of the National Security Agency (NSA) to conduct independent penetration testing. The Committee believes that DS, like the OIG, has direct lines to the Secretary and has the capability to be independent in these matters. In addition, DS assured the Committee that they have the capability and work with and have the confidence of NSA in these matters. We believe OIG would not disagree that DS has the capability to adequately perform the testing. However, we fully understand the issue of perception of independence. Therefore the MCSC is supportive of DS and IRM having further discussions with the OIG on this matter to determine the best plan of action to perform penetration testing that meets the needs of the OIG and Department management. In addition, at the meeting, we suggested that there may be other alternatives to NSA, such as using a 3rd party to review the methodology used by DS.

That’s an old timer at the State Department telling the new IG that the Committee believes Diplomatic Security (DS), like the Office of the Inspector General (OIG), has “direct lines” to the Secretary? Really! It is a fact that DS reports to “M,” the Under Secretary for Management, and not directly to the Secretary (unless the Committee thinks the OIG also reports to “M,” just like DS). OIG is one of the ten offices at State that report directly to the Secretary. If the Secretary in practice delegates that authority, he has two deputies above the under secretaries, and one of them is for management and resources.

On Jan 13, 2014, the Inspector General sent another memo to the Management Control Steering Committee. The memo indicates closure of one recommendation but left the other two issues “unresolved.” This is also where the OIG patiently explains to the Committee what it means by “independence.”

OIG considers Recommendation 3, pertaining to independent penetration testing, unresolved. The MCSC indicated that it is supportive of the Bureau of Diplomatic Security (DS) and IRM having further discussions with OIG on this matter, but it further stated that “OIG would not disagree that DS has the capability to adequately perform the testing.” The issue, however, is not about DS’s “capability” but its independence and perceived independence.

According to the National Institute of Standards and Technology (NIST):

An independent assessor is any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. Impartiality implies that the assessor is free from any perceived or actual conflicts of interest with respect to the development, operation, and/or management of the information system or the determination of security control effectiveness.

Because DS is actively involved in the Department’s Information System Security Program, it cannot be considered an independent, impartial assessor. The recommendation will remain open until OIG reviews and accepts documentation showing that independent penetration testing has been implemented. The penetration testing must be performed by the National Security Agency or an equally qualified organization independent of the Department and approved by OIG.

The NSA already conducts penetration testing of critical U.S. infrastructure, among other things. Why is State considering only DS or a third party, and not NSA?

* * *

Related item:

- 01/13/14 Mgmt Alert on OIG Findings of Significant and Recurring Weaknesses in the Dept of State Info System Security Program (MA-A-0001) [6298 Kb]


Filed under Diplomatic Security, Federal Agencies, Leadership and Management, Security, State Department, Technology, Technology and Work

Telephone Scam: Infected Computer? But…But…I Live in a Tent and Don’t Have a Computer

– By Domani Spero

The Internet Crime Complaint Center (IC3®) released its 2012 report recently.  Here’s one of the scams described:

In a twist to the pop-up scareware scheme, victims began receiving telephone calls from individuals allegedly claiming to be from legitimate well-known software companies. The victims of these calls were advised malware had been detected on their computers and posed an impending threat. The fraudsters tried to instill a feeling of urgency so victims would take immediate action and log on to their computers. Once the victims logged in, the fraudsters directed them to the utility area of the computers, where they appeared to demonstrate how the computers were infected. The fraudsters offered to rid the computers of the malware for fees ranging from $49 to $450. When the victims agreed to pay the fees, they were directed to a website where they entered a code or downloaded a software program that allowed the fraudsters remote access to their computers.

These folks are actually quite persistent.  The first time I got this call, the caller spoke in heavily accented English. I told the person politely that I have difficulty understanding what he was saying. The person connected me to his supervisor who was no better at it. Finally they gave up on me since I was dumb and dumber and they had to repeat half a dozen times their explanation of what’s a malware. That was fun!

Another time, I scolded the caller for implying that my computer is some sort of ET who can call “home.” That was not even fun and a waste of time since they interrupted my favorite chore of laundry making.

Now when these folks call, I just tell them I live in a tent and do not own a computer.  You can hear their minds literally crash.  Oh, and they haven’t called since.

(^-^)V


Filed under Funnies, Hall of Shame, Scams, Technology

Take Time Today to Tell Your Senators to #StopCISPA

Via the Electronic Frontier Foundation.  Click on the image below to use EFF’s automated system to email your senators.  Sunlight Foundation shows that backers of the Cyber Intelligence Sharing and Protection Act had $605 million in lobbying expenditures from 2011 through the third quarter of last year compared to $4.3 million spent by opponents of the bill. Lopsided resources in action.

[Screenshot: EFF #StopCISPA action page, 2013-04-21]

EFF: U.S. House of Representatives Shamefully Passes CISPA; Internet Freedom Advocates Prepare for a Battle in the Senate

ACLU:  CISPA Explainer #1: What Information Can Be Shared?

ACLU: CISPA Explainer #2: With Whom Can Information Be Shared?

ACLU:  CISPA Explainer #3: What Can Be Done With Information After It Is Shared?

The Security Skeptic:  What you (still) need to know about CISPA

– DS


Filed under Congress, Current Stuff, Privacy, Technology, Uncategorized

Mubarak Govt shuts down Internet, Egypt is now in an undisclosed location online

Via Renesys CTO, James Cowie:

Confirming what a few have reported this evening: in an action unprecedented in Internet history, the Egyptian government appears to have ordered service providers to shut down all international connections to the Internet. Critical European-Asian fiber-optic routes through Egypt appear to be unaffected for now. But every Egyptian provider, every business, bank, Internet cafe, website, school, embassy, and government office that relied on the big four Egyptian ISPs for their Internet connectivity is now cut off from the rest of the world. Link Egypt, Vodafone/Raya, Telecom Egypt, Etisalat Misr, and all their customers and partners are, for the moment, off the air.

At 22:34 UTC (00:34am local time), Renesys observed the virtually simultaneous withdrawal of all routes to Egyptian networks in the Internet’s global routing table. Approximately 3,500 individual BGP routes were withdrawn, leaving no valid paths by which the rest of the world could continue to exchange Internet traffic with Egypt’s service providers. Virtually all of Egypt’s Internet addresses are now unreachable, worldwide.

Read the whole thing here.

This may turn out to be a dumb and dumber move. Roll back the tape to 1986 and the people power in the Philippines. That was before Google, Facebook and Twitter. One dictator, family and best friends booted out of that country after years of plunder. Before ISPs.


Filed under Countries 'n Regions, Current Stuff, Dissent, Foreign Affairs, Technology, US Embassy Egypt

Which part of the US has been googling WikiLeaks the most?

Here’s a clue – 10% of all U.S. federal procurement money is spent in this state. 

Clue #2, this state hosts several federal agencies which include  the Central Intelligence Agency, the Department of Defense, the National Geospatial-Intelligence Agency (NGA) and others.

Ta-dah!

What’s in Virginia? Besides the headquarters of several federal agencies? About 263,552 federal employees and retirees according to 2008 stats, not to mention a host of defense contractors that call the state home. And within Virginia, the most googlers come from Sterling.

What’s in Sterling, Virginia?

Screen capture above from Google Insights for Search which “analyzes a portion of worldwide Google web searches from all Google domains to compute how many searches have been done for the terms you’ve entered, relative to the total number of searches done on Google over time.” The snapshots change according to search parameters.

Probably just interesting to nerdy cats like us …


Filed under Federal Agencies, Google Stuff, Leaks|Controversies, Technology

New FS Blog: Former FS Brat writes about FS Brat 2.0

Four Globetrotters is “the (most likely) incoherent ramblings of a sleep-deprived single mother living overseas with her trio of kiddos.” The blog is by a Foreign Service Officer with almost 10 years at State who writes that she “currently live[s] overseas in a country which for now shall remain unnamed.” She also has the distinction of being a former FS brat (brat used in a good way) or third culture kid, now looking at FS kids growing up in the white glare of the web 2.0 galaxy. Excerpt below:

Foreign Service Brats — That Was Then, This Is Now

I’m an old school Foreign Service brat.

In some of the places where I grew up we only got mail every couple months.  We didn’t have a telephone.  We didn’t have cable.  We didn’t have internet.

Our social lives consisted of other families at post and our classmates at school.  If we wanted to talk to each other we’d use our radio and everyone and their mother would listen in (“Gunsmoke Alpha, this is Cherry Bravo.  Would you like to come over for a Sierra Lima Echo Echo Papa Oscar Victor Echo Romeo, over?”).
[...]
When I was a kid, you left post and you knew that was it.  You said your goodbyes, you grieved, and you moved on and focused on your next post, your next school, your next set of friends.  Now with the Internet, Skype, Vonage, Facebook, Twitter, APO/DPO, etc making it much easier to stay connected, you can maintain a virtual presence pretty much anywhere in the world.
[...]
What I’m seeing around me, both with my own children and the children of some of my colleagues, are much longer “transition periods”.  Thanks to Facebook and Skype primarily, the FS Brat 2.0 clings to his or her past and refuses to see the possibilities in front of them.  They’re bogged down in an information overload, emotions pulled between the past and the present — loyalties are questioned.  Are you betraying your friends at post X by going out and building a life in post Y?

It’s like pulling a bandaid off s-l-o-w-l-y and suffering the pain over a longer period of time.  Or to be even more dramatic, it’s like dating again after your spouse has died.  Are you betraying your spouses’ memory by going out and continuing to live your life?  Except in the case of the poor FS Brat 2.0 their “spouse” never dies; he or she just lingers on life support forever.
[...]
My heart really goes out to this new generation.  At least when I was a kid the bandaid was yanked off as soon as the plane went wheels up.

Radio? what’s a radio?  She’s a fun read.  See the whole thing here.

And while you’re visiting her blog, do not/not miss reading her story on why you must be kind to your OMS.


Filed under Foreign Service, FS Blogs, FSOs, Realities of the FS, Technology

Want an iPod Touch? Get Touched by TSA on 11/24

Why TSA did not think of this first baffles my brain. An iPad would be nice, too. Or anything that’s in short supply this holiday season would probably do the trick (jobs are in short supply, of course, but that may be too tricky for giveaways). Want a turkey? Get touched by TSA (just make sure it’s not a frozen turkey). Want a tussle? Get touched by TSA. But absolutely no biting! Oh, my – one can go on and on with this with a beginning rhymes dictionary.

Via Loopt.com:

National Opt-Out Day – the day before Thanksgiving – is the busiest travel day of the year. In light of recent controversy, many plan to refuse a backscatter scan at airport security, and instead choose a (fairly invasive) pat-down. Either way, people can count on longer-than-usual airport lines.

As a slight gift to opt-outers out there, Loopt is giving away 10 iPod Touches for TSA touching. Just check into your airport on Loopt* on Wednesday, November 24 (with iPhone, iPod Touch or Android), share a bit about your experience, push it to Twitter with the hashtag #touchedbyTSA, and you can win an iPod Touch. That simple.

The company Loopt was formed in 2006 “to build mobile applications that use location to help you enjoy the friends, places, and events around you right now.” Loopt offers a suite of mobile applications that run on over 100 different phones and are enjoyed by more than 4 million people.


Filed under Current Stuff, Federal Agencies, Huh? News, Technology

Quickie: Biometric bureaucracy swaps sanity for safety in Turkey


Işıl Eğrikavuk has a first person account in Turkey’s Hürriyet Daily News about the country’s new biometric passports:

The biometric passports, or e-passports, introduced June 1 in Turkey are supposed to make travel easier and reduce the amount of time spent at borders and customs checkpoints.
[...]
These features give e-passports a higher level of security and make it easier to verify a traveler’s identity, hence preventing identity theft and document forgery. Officials say they also represent an important phase in Turkey’s EU harmonization process.
[...]
On June 9, I went to the Eyüp police station, right at the appointed time, and with all my papers ready. I was still confident that I could apply for a passport, but as I moved through the bureau, the cold truth hit me. “We can’t see the online appointments, you have to come here at 6 a.m. and put your name on the list,” an officer said. He was not joking. My eyes started to well up with tears.

For the third time, I had been turned away, and I had a valid passport in my hand. What could I say? I had even received a text message the day before reminding me about my appointment. I tried explaining this, but they repeated the same words: “We cannot see the online appointments. You have to come here early.”

The next day I woke up at 5 a.m. and went to Eyüp. I was in front of the police station at 6 a.m., yet I was already the 26th person on the list. A police officer told me that people had started to show up at 3 a.m. “We started writing their names at 5:30 a.m.,” he said. “You are lucky to have put your name down, because they only take 40 people a day.”
[...]
I waited for six long hours at the police station. At a quarter to noon, my name was called. I was fingerprinted and joined the line to present my papers.

“I cannot see your passport registration in the archives,” the officer said. “You need to either go to the police office where you first got your passport, or you need to apply for a new one. But if you apply for a new one, we can’t transfer your valid dates into your new passport. You have to pay to extend your new passport’s date.”

So this was my choice: Go to another station and wait for another six hours, or pay 754 liras to get a new passport valid for five years. I was out of time, strength and patience. I paid the money.
[...]
Getting an e-passport costs 71 euros in Belgium and 28 euros in Estonia (both valid for five years.) In Italy, the cost is 44 euros and the passport is valid for 10 years. In Russia, a passport valid for 10 years costs the equivalent of 66 euros.

Mine cost me the equivalent of 394 euros.

At prices like that, Turkey surely has the world’s most expensive passport.
[...]
If the e-passports really make Turkey more prestigious, give me humble and simple any day.

Read the whole thing here.


Filed under Consular Work, Countries 'n Regions, Technology, Technology and Work

Video of the Week: Jonathan Zittrain on the Web as random acts of kindness

Feeling like the world is becoming less friendly? Social theorist Jonathan Zittrain begs to differ. The Internet, he suggests, is made up of millions of disinterested acts of kindness, curiosity and trust.

From ted.com:


The increasing proliferation of “tethered” devices, from iPhones to Xboxes, is only one of countless threats to the freewheeling Internet as we know it. There’s also spam, malware, misguided legislation and a drift away from what Internet law expert Jonathan Zittrain calls “generativity” — a system’s receptivity to unanticipated (and innovative) change instigated by myriad users.

Harvard law professor Zittrain, as an investigator for the OpenNet initiative and co-founder of Harvard’s Berkman Center for Internet and Society, has long studied the legal, technological and world-shaking aspects of quickly morphing virtual terrains. He performed the first large-scale tests of Internet filtering in China and Saudi Arabia in 2002. His initiatives include projects to fight malware (StopBadware) and ChillingEffects, a site designed to support open content by tracking legal threats to individual users.

“Zittrain’s book, The Future of the Internet and How to Stop It, sounds … a klaxon calling to arms everyone who believes that platforms open to user innovation should rule the world, not tethered, sterile appliances that are controlled only by their designers.” – ArsTechnica


Filed under Technology, TED, Video of the Week

MAPLight.org shines bright lights on politics, money and influence


This being a big weekend for health care vote on the Hill, I thought I’d post something about a group that’s doing a lot to shine some bright lights on politics, money and influence in Washington, D.C. 

MAPLight.org, a groundbreaking public database, with offices located in Berkeley, California, illuminates the connection between campaign donations and legislative votes in unprecedented ways. Elected United States officials collect large sums of money to run their campaigns, and they often pay back campaign contributors with special access and favorable laws.

This common practice is contrary to the public interest, yet legal. MAPLight.org makes money/vote connections transparent, to help citizens hold their legislators accountable.

Last week, during Sunshine Week, the group launched an all-new version of its website shining a light on money and influence in Congress. The new site here includes new tools to analyze (filter) legislator money/votes by:

  • Political party
  • State
  • Committee membership
  • How they voted
  • Voted with or against their donors
  • Any ad-hoc/custom group of legislators

Each amendment and each bill text now has its own support and opposition interests. This important change reflects that amendments often have different supporting and opposing interests than the bill being amended. This improvement will help surface more interesting findings with more specific connections between money, votes and policy outcomes. This change required extensive research and programming work including:

  • Created new internal data model to track any vote, not just “on-passage” final votes on bills—including amendment votes and voice votes.
  • Created information design and user interface to support working with this new data model.
  • Revised scripts to import Congressional legislative data from GovTrack.us.

MAPLight.org combines three data sets:

  • Bill texts and legislative voting records
  • Supporting and opposing interests for each bill
  • Campaign contribution data from the Center for Responsive Politics and the National Institute on Money in State Politics

MAPLight.org, a 501(c)(3) nonprofit organization, is nonpartisan. Contributions to MAPLight.org are tax-deductible as provided by law.

Click here to see a video tour.

Below is a brief newsclip about MAPLight.org’s project for my video of the week.


Filed under Congress, Politics, Technology, Transparency, Video of the Week