Uh-oh! @StateDept’s Travel Provider Gets Hacked, Pays $4.5M in Bitcoin


Reuters reported last week that CWT (formerly Carlson Wagonlit Travel) was hit with a strain of ransomware called Ragnar Locker, which encrypts computer files and renders them unusable until the victim pays for access to be restored. Reuters described the attackers as “hackers who stole reams of sensitive corporate files and said they had knocked 30,000 computers offline.”
Elsewhere it is reported that the hackers “may have stolen 2 terabytes of data, allegedly including thousands of global executives’ credentials. This is particularly worrisome given CWT provides travel services to as much as 33% of the Fortune 500.”
ITNews notes that “CWT, which posted revenues of US$1.5 billion last year and says it represents more than a third of companies on the S&P 500 US stock index, confirmed the attack but declined to comment on the details of what it said was an ongoing investigation.”
The news mainly talks about the 2 terabytes of sensitive files exfiltrated, which supposedly include global executive credentials, but a CWT division, CWTSatoTravel, is one of two contractors awarded a master contract by GSA “responsible for soliciting and managing travel for the U.S. military and government clients.” Government clients include the State Department, where Carlson Wagonlit manages its travel management center.
According to GSA, the U.S. Federal Government is the largest consumer of travel services in the world. ETS2, the government’s current Travel & Expense management solution, serves an active user base of over 1 million Civilian Government employees, and was used for 86 percent of all civilian agency travel in 2017.

ETS2 is a competitively bid master contract with two vendors providing agencies travel and expense software, hosting, and support services based on fixed-price transaction fees, which is a unique program within the Federal Acquisition Service (FAS).

Competitively bid ETS2 contracts were awarded to:

• Concur Technologies, Inc., of Redmond, WA, in June 2012; and
• CWTSatoTravel, of Arlington, VA, in September 2013.

CWTSatoTravel is the division of Carlson Wagonlit Travel (CWT) responsible for soliciting and managing travel for the U.S. military and government clients. CWT is a global leader specialized in managing business travel and meetings and events.

The 2019 DOS Financial Report describes its Travel Systems Program:

In 2016, the Department successfully transitioned to the next generation of the E-Government Travel Services (ETS2) contract with Carlson Wagonlit Travel. In 2016, the Department also implemented the Local Travel module allowing for the submission of local travel claims for expenses incurred in and around the vicinity of a duty station. The Department expanded the use of the Local Travel feature to also accommodate non-travel employee claims previously submitted through an OF-1164. In the Local Travel module, approvers will electronically approve claims and provide reimbursement to the employee’s bank account via EFT. The Department has completed this implementation for 118 posts overseas.

The Department continues to work with our bureaus and posts to identify improvements that can be made to the travel system. The Department also participates with other agencies to prioritize travel system enhancements across the Federal Government landscape. The Department worked with Carlson Wagonlit Travel to enhance the functionality of the Local Travel feature to more closely align with the temporary duty travel functionality for foreign currency and approver expense reduction options. The Department continues to work with Carlson Wagonlit Travel on enhancements to support integration improvements with our financial systems. The Department continues to work with Carlson Wagonlit Travel on enhancements to support the implementation of the Local Payments module domestically and has initiated work to implement mobile capabilities for approvals and reservations.

Somebody asked if anyone has publicly acknowledged that the initial hack may imply a massive potential personally identifiable information (PII) leak on the scale of the eQIP compromise.
The company released a statement to The Register saying “we have no indication that PII/customer and traveller information has been affected.”
Has Foggy Bottom said anything?


OPM Hack Victims Must Re-Enroll Starting December 1 to Keep Monitoring Services

Posted: 12:37 am ET

Some former and current federal employees whose personal data was compromised in the OPM data breach will have to re-enroll starting December 1 to continue receiving monitoring protection from a USG contractor. OPM doesn’t say what will happen to the data that feds and former feds have already submitted to CSID, but folks who have enrolled in that service will no longer have access to their CSID account when that contract expires on December 1. Government Executive is reporting that as many as 600,000 individuals impacted by the initial hack will need to re-enroll to continue monitoring services through ID Experts. How is it that CSID is not able to port data over to ID Experts? Below from OPM:

OPM is announcing a change to the credit monitoring and identity protection service provider that will affect a subset of individuals impacted by the personnel records cyber incident announced in the summer of 2015. Most impacted individuals will not experience any change to their current coverage, and do not need to take any action, but a subset of individuals will need to re-enroll to continue coverage.

OPM currently uses two different companies to provide credit monitoring and identity protection services free of charge to impacted individuals. Winvale/CSID covers the 4.2 million individuals impacted by the personnel records cyber incident and ID Experts (MyIDCare) covers the 21.5 million individuals impacted by the background investigations cyber incident. As of December 1, coverage under Winvale/CSID will expire.

Credit monitoring and identity protection services from Winvale/CSID expire on December 1, 2016. Once services with Winvale/CSID expire, you will no longer have access to information in your Winvale/CSID account. If you wish to review or print your credit reports or other monitoring information from your Winvale/CSID account, please log in to your account prior to December 1.

As of December 2, 2016 all individuals impacted by either incident will be eligible for coverage through ID Experts (MyIDCare).

According to OPM, individuals currently covered by ID Experts (MyIDCare) will not experience a change in their coverage or service at this time and do not need to take any action. More:

Starting December 1, individuals previously covered by Winvale/CSID will be offered services through ID Experts (MyIDCare). Impacted individuals will also still be automatically covered by identity restoration and identity theft insurance, but you will need to re-enroll with ID Experts (MyIDCare) if you would like to continue to receive monitoring services.

Most of the individuals covered by Winvale/CSID were also impacted by the background investigation records cyber incident. These individuals should already have received a letter from OPM inviting them to enroll in services with ID Experts (MyIDCare) and providing them with a 25-digit PIN code.

If you previously received a notification letter in connection with the background investigation records incident and wish to enroll with ID Experts (MyIDCare) now, you will need to use the 25-digit PIN code provided in this letter. Click here if you have your 25-digit PIN code and wish to enroll now.

If you believe you previously received a notification letter in connection with the background investigation records incident, but no longer have your original notice, you can visit the Verification Center to obtain a duplicate copy by U.S. Postal Service.

If you are in the subset of individuals who were not impacted by the background investigations incident, you will be receiving a new notification letter from OPM via the U.S. Postal service with a 25-digit PIN that you can use to enroll with ID Experts (MyIDCare). We expect to mail the majority of these notifications in November 2016.

Note that OPM makes clear that ID Experts cannot enroll victims without the 25-digit PIN code and cannot provide former/current employees with a PIN code over the phone.

Read more here: https://www.opm.gov/cybersecurity/ and https://www.opm.gov/cybersecurity/personnel-records/.

And while you’re reading how to re-enroll, you might want to read about grafted fingerprints and hackers’ long-term intentions, because why not? If the data has not surfaced for sale, we have to wonder what that hack was about.


#


State/OIG Reviews @StateDept Policies and Controls Protecting PII and National Security Data

Posted: 2:03 am ET

State/OIG recently posted online its review of the State Department’s policies and controls protecting personally identifiable information (PII) data and national security data. Below is an excerpt:

The Consolidated Appropriations Act, 2016, Section 406, Federal Computer Security, requires the Inspector General of each covered agency to submit a report that contains a description of controls utilized by covered agencies to protect sensitive information maintained, processed, and transmitted by a covered system. Specifically, the Consolidated Appropriations Act requires a description of controls utilized by covered agencies to protect two types of data contained within covered systems: personally identifiable information (PII) data and national security data. Information related to national security data is covered in a classified annex to this information report.
[…]
Specifically, Williams Adley selected and reviewed 4 systems from a Department-provided listing of 216 systems (Electronic Medical Records System (eMED), Integrated Personnel Management System (IPMS), Consular Consolidated Database (CCD), and Consular Lookout and Support System (CLASS)) that provide access to PII. In addition, Williams Adley reviewed 2 National Security Systems (NSS) from a Department-provided listing of 60 systems (Chief of Mission and Special Embassy Programs Database (NSDD 38), and Principal Officers Executive Management System (POEMS)).

This report describes the policies and controls used by the Department for five specific topics identified in the Act:

(1) logical access policies and practices;

The review found only two of the six systems reviewed (eMED and IPMS) had system-specific logical access control policies.

(2) logical access controls and multi-factor authentication used;

With respect to access and multi-factor authentication, Williams Adley found the Department has not fully implemented multi-factor authentication at the entity level; however, it had implemented other logical access compensating controls to govern privileged user access. Four of the six systems reviewed (eMED, CCD, CLASS, and one NSS) had either fully or partially implemented multi-factor authentication to govern system-level privileged user logical access. The two systems that did not utilize multi-factor authentication to govern logical access of privileged users (IPMS and one NSS) relied on username and password combinations. Nevertheless, all six systems had some type of logical access controls in place.

(3) the reasons logical access controls or multi-factor authentication have not been used;

With respect to why logical access controls or multi-factor authentication are not being used, according to Department officials, two of the six systems (IPMS and one NSS) did not implement multi-factor authentication to govern system-level privileged user access because functional capabilities are not available. According to Department officials, IPMS is currently planning multi-factor implementation, while the one NSS is waiting for the Department to provide the functional capabilities necessary to implement multi-factor authentication to govern privileged user logical access.

(4) information security management practices used for covered systems;

With respect to information security management practices used for covered systems, Williams Adley found the Department uses a federated model to manage software inventory. In addition, the Department has implemented a defense-in-depth information system program. Further, the Department monitors network traffic, detects and responds to incidents, and scans for security compliance and vulnerabilities. However, the Department has only partially implemented a data loss prevention system and has not implemented digital rights management technology.

(5) policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors.

With respect to policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors, Williams Adley found the Department has a number of policies related to this topic. The relevant Department policies and procedures are established within the Department’s Foreign Affairs Manual (FAM).

The report notes that the Bureau of Information Resource Management, the Executive Secretariat’s Office of Information Resource Management, and the Bureau of Diplomatic Security provided comments to a draft of the report. Because the comments were marked sensitive, the comments have been reprinted, in their entirety, in the classified annex of the report (AUD-IT-16-45A).

The publicly available report is available here: https://oig.state.gov/system/files/aud-it-16-45.pdf

#