White House launches ‘Write’ API for We the People platform
The “We the People” petitioning platform’s website. (Credit: The White House)
The “We the People” petition platform isn’t just for the White House’s website anymore.
Three years after the launch of the platform, which allows citizens to gather signatures on a petition for causes that range from the development of a Death Star to action on gun control, the White House announced Thursday the launch of an application programming interface called “Write” to enable petitions to be embedded on other websites.
“Starting today, people can sign ‘We the People’ petitions even when they’re not on WhiteHouse.gov,” Leigh Heyman, the White House’s director of new media technologies, said in a blog post. “Now, users can also use third-party platforms, including other petitions services, or even their own websites or blogs. All of those signatures, once validated, will count towards a petition’s objective of meeting the 100,000-signature threshold needed for an official White House response.”
Through the API, users can sign already-existing petitions on interfaces other than petitions.whitehouse.gov. According to the post from the White House, more hackathons will be held in the future to “highlight the opportunities on the platform, and to give the community the ability to collaborate around building new applications.”
“The Petitions ‘Write’ API takes a strong step toward making it easier than ever for people to petition their government,” Heyman said in the post. “At the same time, we also hope it serves as a model for a new way of delivering government services online.”
Heyman also said the API is built on an infrastructure that was created and supported by the General Services Administration’s 18F and the work of Presidential Innovation Fellows.
Developers need to request a “Write” API key to use the API. To request a key, developers must provide their names, email addresses, phone numbers and organization and accept the terms of use for the API.
Through the terms of use, developers are required to indicate that the app or website uses data pulled from the “We the People” platform but is not endorsed or certified by the White House. The document also said any data that passes through the API is subject to the Presidential Records Act and may be archived.
The newly released API comes just less than a year after the White House announced a beta version of the “Write” API. In May 2013, the “Read” API, which provided read-only access to all petitions that passed the 150 signature threshold, was launched. According to the White House, petitions that pass 150 signatures are publicly displayed on the “We the People” main page; however, a petition must receive more than 100,000 in order to receive an official response from the White House. In 2012, just a year after the platform’s launch, the White House shifted it to open source and posted the code for the platform on GitHub.
Health Data Consortium appoints new director
The Health Data Consortium, noted for throwing annual Health Datapaloozas, has appointed Chris Boone as its new executive director.
Boone, an expert in health systems design, health informatics, health IT policy and the use of health data to improve patient care, will join the consortium Nov. 3, replacing Dwayne Spradlin, who acted as interim CEO for HDC and who will continue to serve on its board of directors.
A few years in now, the consortium is at a critical point for growth, scaling and sustainability, and Boone said that will be his focus when he steps into his executive role.
“The first thing we have to do is really build a sustainable business model for the Health Data Consortium,” he said. “We’ve been operating heavily upon grants and revenues we received from the Datapalooza, but there’s an opportunity for us to do greater things by essentially building out a plan that aligns with our business model that allows for expansion.”
To be successful in the coming years, Boone said it’s imperative to focus on branding the health data movement. “It’s part of getting people to buy into what open data really means,” he said. “We’re challenged with branding the movement in a way that people are drawn to it and branding the consortium and really drawing out those distinguishing factors.”
That also includes fostering community around the consortium and encouraging collaboration to get more organizations involved.
“We’ll continue to focus on the government data and making that open, but we also ultimately would like to make this more collaborative, which includes potentially even private data being open data as well,” Boone said.
Prior to joining the Health Data Consortium, Boone was a vice president in Avalere Health’s evidence translation and implementation practice and served as the director of outpatient quality and health IT for the American Heart Association. Boone will be the third to take the chief executive position with HDC, behind the aforementioned Spradlin and health data champion Todd Park, who has since moved on to a role as chief technology officer for the federal government and now holds a position in Silicon Valley as a government liaison. Building off of their momentum will be one of Boone’s focuses.
“Dwayne [Spradlin] has been highly instrumental in where the organization is today,” Boone said. “If you think about it, Todd Park had the vision of doing Datapalooza. Dwayne was challenged with coming in and operationalizing that vision, and making and building HDC what it is today. So really what I want to do is take what Todd envisioned and Dwayne built the foundation for and build on top of those things, to really build and expand that community and foster that innovation.”
USAID establishes its first open data policy
The U.S. Agency for International Development jumped on the open data wave last week, announcing its first-ever policy to share its data sets and tools with the public on a central repository.
Referred to as Automated Directives System 579, the open data policy is a hat tip to President Barack Obama’s directive on transparency and open government five years ago and comes after the agency’s Frontiers in Development Forum in September addressing pathways for innovation for its mission to provide support to impoverished countries. With the new policy, USAID will provide a framework to open its agency-funded data to the public and publish it in a central location, making it easy to consume and use.
“USAID has long been a data-driven and evidence-based Agency, but never has the need been greater to share our data with a diverse set of partners—including the general public—to improve development outcomes,” wrote Angelique Crumbly, USAID’s performance improvement officer, and Brandon Pustejovsky, chief data officer for USAID, in a blog post. “For the first time in history, we have the tools, technologies and approaches to end extreme poverty within two decades. And while many of these new innovations were featured at our recent Frontiers in Development Forum, we also recognize that they largely rely on an ongoing stream of data (and new insights generated by that data) to ensure their appropriate application.”
With the overarching policy governing USAID’s publication of data throughout its many bureaus internationally, ADS 579 also introduces its Data Development Library, the hub in which USAID will present the sets of data it opens to the public in machine-readable formats. The policy is broad in the data it requests, but it specifically includes performance-monitoring data, survey results, research data, USAID information system data, supporting documentation and metadata.
According to ADS 579, “USAID staff, as well as contractors and recipients of USAID assistance awards (e.g. grants and cooperative agreements), must submit any Dataset created or collected with USAID funding to the DDL in accordance with the terms and conditions of their awards.” Likewise, the data is open to the public for use.
Finally, ADS 579 establishes several positions, what it refers to as “data stewards,” responsible for overseeing the policy and the handling of USAID’s data. Within that will be a new Information Governance Committee that reports to USAID’s Management Operations Council.
USAID’s DDL and open data will be hosted on the USAID website, where there’s already a long list of databases hosted. USAID also started a GitHub page for any feedback on the data.
USAID did not comment by publication.
The war on botnets evolves
A carefully orchestrated campaign led by the FBI to dismantle the most damaging botnets on the Internet continues to register notable successes in the effort to put an end to a cybercrime problem that drains $113 billion a year from economies around the world.
Code-named Operation Clean Slate, the FBI-led initiative involves nearly a dozen federal agencies and departments, private Internet service providers, technology companies and law enforcement agencies around the world. The goal is to prioritize and take down the biggest botnets — armies of compromised computers infected with malware and under the control of cybercriminals who use the systems to spread spam, conduct distributed denial of service attacks and carry out identity theft on a massive scale. It is estimated that 378 million computers — about 12 systems per second — are compromised and become unsuspecting participants in botnets every year.
But the FBI’s war on botnets and the cybercriminals behind them is beginning to show signs of sustained progress. More important, anti-botnet operations increasingly involve a combination of law enforcement arrests and large-scale cooperation on the technical aspects of stopping botnet activity among a variety of government and private sector organizations, said FBI Supervisory Special Agent Thomas Grasso, who briefed industry representatives Monday during an event hosted by the Financial Services Roundtable in Washington, D.C.
Grasso is part of a 10-member FBI team at the National Cyber-Forensics & Training Alliance, a nonprofit organization that also includes agents from the Secret Service and experts from Fortune 500 companies. It is a critical component of Operation Clean Slate.
“The initiative is really about focusing resources and focusing firepower on the botnet problem,” Grasso said. But the three most important parts of the initiative stem from how the FBI is reducing the botnet threat, he said. “Our viewpoint is there are three ways that we can go after this. One is to arrest people. And I think that’s a very effective way to reduce the threat,” he said. The other ways the operation is helping to reduce the threat include taking the botnet down. “We can attack the botnet … and put the botnet in jail, so to speak,” Grasso said. “And the other thing that we can do is share mitigation information with the private sector.”
One of the earliest cases to target botnet operators was Operation Trident Breach in 2010. A group of five Ukrainian cybercriminals targeted small and medium-sized businesses using a custom variant of the Zeus botnet. The malware captured passwords, account numbers, and other data used to log into online banking accounts. Losses in the U.S. alone totaled $70 million.
The case involved “one of the first pieces of malware that was able to get around two-factor authentication,” according to Grasso. But the arrest of the suspects led to the disappearance of the custom variant of Zeus.
A year later, the FBI made a daring move to actually take over a massive botnet known as Coreflood that had infected more than 2 million computers around the world. Because the 13 suspects were located overseas in a region that made it unlikely the FBI would be able to apprehend them, the decision was made to actually take down the botnet.
“This was a watershed event for the U.S. government because this was the first time the U.S. government got involved in the business of taking over a botnet,” Grasso said.
Dell SecureWorks detailed an expert to the FBI who was able to reverse engineer the malware and develop a way to take it down. Likewise, Microsoft Corp. developed an update to its malicious software removal tool and pushed the update out on the same day the FBI took down the botnet.
The coordinated effort with industry reduced the number of infected computers within six months from more than 800,000 to about 2,000, according to Grasso.
A two-year FBI investigation code-named Operation Ghost Click resulted in the arrest of six Estonian hackers who had compromised millions of systems with malware called DNSChanger. But critical intelligence on the activities of the criminals was provided to the FBI over the course of five years by a host of private sector companies, including SpamHaus, PayPal, Trend Micro, and various U.S. and Canadian ISPs.
“We developed this great play where we were going to go out and arrest these guys and seize all of their servers,” Grasso said. But as the FBI was going through its checklists to make sure it had all of the evidence for a successful prosecution, agents realized there were still four million victims using the compromised Domain Name System (DNS) servers.
So the bureau took over the DNS servers and ran them for about eight months and relied on the private sector to help remove the malware. The result was a 75 percent reduction in infections in the U.S. and a 66 percent reduction globally, according to Grasso.
“By taking over this botnet … we were able to avert what could have been a disastrous situation on the Internet,” he said.
Earlier this year, the FBI launched Operation Tovar to disrupt two cybercrime schemes responsible for more than $100 million in losses to businesses and consumers around the world.
Working with European law enforcement agencies, including Europol, the Justice Department authorized the FBI to seize control of servers that ran the GameOver Zeus botnet. Predominantly spread through spam email or phishing messages, the GameOver Zeus malware used stolen credentials to initiate or redirect wire transfers to accounts overseas controlled by the criminals.
GameOver Zeus was generating more than 1,000 domains every day and was “designed to be impervious to any law enforcement actions,” Grasso said. But the domain registrars helped the FBI seize the domains, and a dozen ISPs in the U.S. and around the world helped with the technical take-down of the botnet.
“We’ve seen about a 50 percent reduction in the botnet globally … with 30 to 40 percent remaining in the U.S.,” Grasso said. “There’s still a lot of remediation work that needs to be done.”
USDA announces more funding for rural broadband in states, territories
More than $190 million for advanced communication infrastructure, including broadband, is headed to several states and territories, the Agriculture Department announced Wednesday.
The funding comes through the USDA’s Community Connect Grant program, the Public Television Digital Transition Grant program and the Telecommunications Infrastructure Loan program.
In all, the latest round of funding includes provisions for 25 projects and 19 states, plus Puerto Rico and the U.S. Virgin Islands. However, according to the release, the funding to different projects is “contingent upon the recipients meeting the terms of their grant or loan agreements.”
A USDA document with the funding information says the most funding to a single state went to establish a fiber-to-the-premises network in Tennessee for more than $29 million. Washington state also received more than $24 million to establish a similar network, as did South Carolina, which received more than $23 million.
In Arkansas, 4,000 customers are slated to receive access to voice, broadband and Internet television through a more than $24 million Telecommunications Infrastructure Loan that will establish a fiber-to-the-home network.
In the Virgin Islands, a $750,000 grant will work to replace analog facilities with high-definition digital equipment through a public television grant. Puerto Rico will also receive more than $450,000 to replace analog microwave radio transmitters with a digital alternative.
“Modern telecommunications and broadband access is now as essential to the businesses and residents of rural America as electricity was in the 1930s,” Secretary of Agriculture Tom Vilsack said in the release.
Agriculture Secretary Tom Vilsack (Credit: Wikimedia)
The latest round of grants comes almost two months after the department awarded a round of loans to rural Midwest areas to increase broadband service in three states on the heels of President Barack Obama’s 2012 executive order establishing the White House Rural Council, which provided a venue for a multibillion-dollar funding program for rural development.
In addition to the Telecommunications Infrastructure Loan program, the Community Connect Grant program focuses on boosting economic growth through establishing broadband service. The public television grants are designed to help refresh rural public television stations with digital broadcasting technology and were congressionally authorized under the 2014 Farm Bill.
“USDA is committed to ensuring that rural Americans have robust broadband and telecommunications systems,” Vilsack said in the release. “The investments we are announcing today will provide broadband in areas that lack it, help rural-serving public television stations begin using digital broadcasts and support other telecommunications infrastructure improvements.”
‘Over capacity’ FedRAMP refines goals in new two-year roadmap
FedRAMP Director Matt Goodrich says the program is refining its goals, even as his team works beyond its capacity.
Matt Goodrich, the acting director of the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP), says his team will continue to refine ways for federal agencies to adopt cloud computing even as the majority of agencies have failed to adhere to the mandatory June compliance date.
Goodrich outlined the recent past and future of FedRAMP Wednesday at the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board open meeting. He estimated that of all federal agencies using cloud, only 25 to 40 percent of those cloud service providers are FedRAMP compliant. All federal agencies were supposed to have FedRAMP-compliant cloud by June 5.
When someone from the advisory board pressed Goodrich on why more agencies weren’t closer to meeting the deadline, he said that with the way the system is set up, his team can only do so much.
“As with any new IT initiative, no one is going to be 100 percent compliant the second there is a mandatory date,” Goodrich said. “There is not enough funding to meet every single IT policy that is out there for agencies to meet.”
With that in mind, Goodrich highlighted a new two-year roadmap for FedRAMP that will focus on three core efforts: increasing cloud adoption and compliance, improving efficiencies in the approval system and continuing to adapt to changing technology.
A key part of the changing technology is a focus on open source solutions. Goodrich says open source gives agencies a chance to adopt cloud much more quickly than before since security implementations and details aren’t proprietary.
“There’s obviously a big push within the administration to start using open source code and not having to pay for everything we do,” Goodrich said. “Open source code really has some great things that agencies can leverage.”
Agencies that do decide on open source could be giving FedRAMP some breathing room. Goodrich said that his Program Management Office’s and Joint Authorization Board’s workload is “50 percent over capacity,” currently working with 10 to 12 cloud service providers so they can earn Authority to Operate (ATO).
Another program Goodrich highlighted was FedRAMP Ready, which according to the cloud.cio.gov website “will allow potential agency customers and authorizing officials a starting point to initiate an authorization.”
Goodrich says FedRAMP has already been working on FedRAMP Ready with a number of CSPs, including Dell Inc., International Business Machines Corp., Microsoft Corp. and Oracle Corp.
“What we were trying to demonstrate was providers had given us documentation that they were ready to initiate the assessment authorization, but no one has initiated that assessment with them,” Goodrich said Wednesday.
FedRAMP Ready is just one way Goodrich wants to speed up the process. According to him, it currently takes between 8 and 12 months for a CSP to earn a Joint Authorization Board provisional ATO.
Goodrich’s remarks build on what former FedRAMP Director Maria Roat highlighted during a cloud computing convention earlier this year. Roat said FedRAMP would have “eight or nine initiatives over the next two years, including raising the security control baseline within the program.”
“Now that the acceptance of the cloud has been happening [and] more and more agencies are embracing the cloud as a solution, I think the timing is right to really get that high baseline out there,” Roat said in July.
OIG report highlights concerns with FDA’s computer network
An audit of the FDA’s computer network immediately after a cybersecurity breach last year detected vulnerabilities in the agency’s system.
The report, released Tuesday by the Department of Health and Human Services’ Office of Inspector General, said investigators weren’t able to gain unauthorized access to the FDA network. However, they found problems that could allow unauthorized users to view or change FDA data and cause key FDA systems to go unavailable.
“In general, we recommended that FDA fix the Web vulnerabilities identified, implement more effective procedures to protect its computer systems from cyber attacks, and periodically assess the security of all of its Internet-facing systems,” the report said.
The report comes after a major cybersecurity breach last October in the Center for Biologics Evaluation and Research’s system that exposed sensitive information from 14,000 user accounts.
For the review, investigators conducted a penetration test of the agency’s network and information systems from Oct. 21 to Nov. 10, 2013. Investigators received permission from FDA officials to conduct the test; however, they requested that staff not be notified.
Investigators uncovered external FDA systems that did not enforce an automatic lockout after a certain number of consecutive invalid login attempts, as required by the National Institute of Standards and Technology. They also identified FDA Web pages that did not execute adequate input validation on data entered by the user. OIG officials told FedScoop, “An example could be the submission of malicious code as input to the vulnerable website, which then gets executed on the server or within a user’s browser.”
At the same time, they said they could not conduct tests on seven external systems because officials said they were mission critical and couldn’t risk going offline. Only one of those systems had previously undergone a security assessment – and only within a preproduction environment, the report said.
The OIG report said it made seven recommendations to FDA, but it did not list them “because of the sensitive nature of the information.”
When asked whether FDA had taken steps to put the OIG’s recommendations into place, Jeff Ventura, a spokesman for the FDA, said via email: “We worked with the IG back in 2013 to perform this assessment. As we informed the IG, we resolved the issues identified in this report expeditiously.”
Two months after the FDA breach incident, Republican leaders of the House Energy & Commerce Committee sent a letter to FDA Commissioner Dr. Margaret Hamburg requesting a third-party audit “to assess and ensure the adequacy of FDA’s corrective actions taken in response to this incident.” They also called on the Government Accountability Office to launch a review of cybersecurity protections in place at critical HHS agencies.
“To restore public confidence in the FDA’s information security, we request that you immediately obtain a third-party audit from a qualified expert to assess and ensure the adequacy of FDA’s corrective actions taken in response to this incident,” lawmakers wrote to Hamburg at the time.
FTC hires new CTO with deep links to Snowden documents
The Federal Trade Commission has hired privacy and technology expert Ashkan Soltani to serve as the commission’s chief technology officer. But security experts and former senior U.S. intelligence officials are questioning the FTC’s decision, given Soltani’s very public role as a consultant for The Washington Post, where he co-authored multiple articles based on classified documents stolen from the National Security Agency by former contractor Edward Snowden.
The FTC said in a press release that Soltani will join FTC in November and will replace Latanya Sweeney, who is returning to Harvard University, where she founded and directs the school’s Data Privacy Lab. His job will be to advise the commission on evolving technology and policy issues, a role similar to one he held previously at the FTC before leaving government to become an independent consultant.
But some experts are raising serious questions about the FTC’s hiring process and how somebody with such high-profile involvement in media stories that deliberately exposed classified government information could be appointed to a senior federal technology position. Soltani served as an in-house technology consultant to The Washington Post since 2013, working on the series of Pulitzer Prize-winning stories on the leaked NSA documents. He’s also been an outspoken proponent of privacy who, at times, has taken an adversarial approach to the government’s role in cyberspace.
“I’m not trying to demonize this fella, but he’s been working through criminally exposed documents and making decisions about making those documents public,” said Michael Hayden, a former NSA director who also served as CIA director from 2006 to 2009. In a telephone interview with FedScoop, Hayden said he wasn’t surprised by the lack of concern about Soltani’s participation in the Post’s Snowden stories. “I have no good answer for that.”
The FTC declined to comment, as did the NSA. The White House Office of Personnel Management, which has come under increased scrutiny since it was forced to cut ties with its main security clearance contractor after the company suffered a major cyberattack that exposed information on more than 25,000 federal employees, did not respond to FedScoop’s repeated requests for information on the FTC’s ability to hire Soltani given his role in consulting with the Post as it disclosed the Snowden documents.
Stewart Baker, a former NSA general counsel, said, while he’s not familiar with the role Soltani would play at the FTC, there are still problems with his appointment. “I don’t think anyone who justified or exploited Snowden’s breach of confidentiality obligations should be trusted to serve in government,” Baker said.
Bruce Rosen, a lawyer with the New Jersey-based law firm McCusker, Anselmi, Rosen & Carvelli P.C. who specializes in media law and First Amendment issues, said Soltani’s work with the Post is considered protected speech under the Constitution. “Although I understand why people may look askance at the arrangement with the Post vis-a-vis his return to government, his activities with the media were always constitutionally protected,” Rosen said. “He is not accused of stealing anything or aiding and abetting Snowden. He assisted a media entity in its analysis of the Snowden documents; there [is] case after case from the U.S. Supreme Court that puts that into an entirely different category.”
Soltani describes his research into the NSA’s surveillance programs on his website. “The documents leaked by Edward Snowden had a profound impact on how we understand the capacity of the government’s surveillance capabilities,” Soltani wrote. “My work focuses on understanding and describing the technical nature and details of these programs. I have released several comments arguing that it is necessary to have a technical expert advising those tasked with keeping this system in check.”
Soltani is scheduled to give a presentation Nov. 19 at the Strata+Hadoop World conference in Barcelona, Spain, on “how commercial tracking enables government surveillance.” According to the conference website, Soltani’s presentation will explore how “the dropping costs of bulk surveillance is aiding government eavesdropping, with a primary driver being how the NSA leverages data collected by commercial providers to collect information about innocent users worldwide.”
FedScoop reached out to Soltani for comment without success.
Soltani would not be the first prominent technologist whose efforts to assist the media with the stolen NSA documents have raised questions about conflict of interest. Last October, FedScoop profiled the work of noted cryptographer Bruce Schneier, who consulted for The Guardian newspaper in the U.K. on its trove of Snowden documents. Schneier, who at the time was employed as a senior executive with a global IT and telecommunications company that held U.S. government contracts, took his advocacy a step further by calling publicly for other government employees to leak classified information. Schneier announced his departure from his former employer six weeks after the apparent conflict of interest came to light.
A look at Ashkan Soltani’s Tweets on NSA and surveillance.
ICYMI: My latest adventure – I’m working w/ @bartongellman and @washingtonpost as their in-house tech consultant on the NSA files #geekwars
— ashkan soltani (@ashk4n) October 4, 2013
I can imagine an adversary like the NSA/FBI wanting to ‘decloak’ anonymous users employing an attack like this http://t.co/fFYyE5qa2e — ashkan soltani (@ashk4n) August 21, 2014
I pitched a talk for #SXSW: How the NSA piggybacks on your website & mobileapp Vote here to make it happen: http://t.co/S78hD0R3yk — ashkan soltani (@ashk4n) August 11, 2014
FIVE-EYE frequent flyers: Australian Intel (ASD) pays to fly NSA to Canberra to implement QUANTUM https://t.co/qJdcpIoIZY ht @thejefflarson — ashkan soltani (@ashk4n) July 28, 2014
Here’s a nifty (previously unseen) flowchart of the NSA’s catch-all authority abroad http://t.co/YbDdp3vhOX #EO12333 pic.twitter.com/OmZ4J4y1Re — ashkan soltani (@ashk4n) July 23, 2014
NSA lying to SIGINT partner BND re access capabilities: portray Skype as one-off “tailored access” rather than PRISM pic.twitter.com/ygyGT8qnCR — ashkan soltani (@ashk4n) June 19, 2014
NSA’s RETRO program records entire countries’ phone calls for up to 30 days. New story by @bartongellman and me http://t.co/3VnbNyCCxp — ashkan soltani (@ashk4n) March 18, 2014
Today’s NYtimes story expands on our HAPPYFOOT story: more evidence of NSA/GCHQ piggybacking on commercial tracking http://t.co/qVsba35FdO — ashkan soltani (@ashk4n) January 27, 2014
I’m on @PostTV explaining how the NSA uses Google cookies to ‘laser-guide’ malware onto a target’s computer http://t.co/kBBZAtGh3Q — ashkan soltani (@ashk4n) December 11, 2013
Obama responds to questions about our latest @washingtonpost story: “NSA leaks identified some areas of concern” http://t.co/CzTsBYz3It — ashkan soltani (@ashk4n) December 6, 2013
BREAKING: NSA gathering ~5billion records per day on the whereabouts of cellphones. New story by me & @bartongellman http://t.co/zIgNK8K57T — ashkan soltani (@ashk4n) December 4, 2013
NSA infiltrates links to Yahoo, Google data centers worldwide #backdoors (latest from me and @bartongellman) http://t.co/3LHnxjaf3L — ashkan soltani (@ashk4n) October 30, 2013
In which I likened the NSA to “old ladies hoarding newspaper clippings in their attics” http://t.co/DHHrezMCIk #datafetish — ashkan soltani (@ashk4n) July 8, 2013
To all the companies carving out exceptions to retain data under #donottrack — you guys will look like a**holes come next #NSA revelation — ashkan soltani (@ashk4n) June 11, 2013
Point-of-sale crisis: Anatomy of a cyberattack
Federal law enforcement agencies are stepping up their outreach efforts to educate businesses about how to detect cyberattacks targeting point-of-sale systems, as office supply giant Staples Inc. confirmed Monday it is investigating an incident that may add the company to a growing list of retail chains that have suffered massive data breaches.
A group of special agents from the Secret Service and the FBI briefed industry representatives Monday during a special awareness event hosted by the Financial Services Roundtable in Washington, D.C. Agents presented a detailed explanation of the steps cybercriminals go through when they target a POS system and try to make off with thousands or even millions of credit card numbers.
The briefing came only hours before Staples confirmed for the first time publicly that it was investigating a potential data breach and had contacted law enforcement for help. If confirmed, the breach would add to an alarming escalation in the number of credit and debit cards that have been stolen from U.S.-based retailers during the past year.
But officials are emphasizing that the high-profile incidents involving some of the nation’s largest retail chains are not the only such crimes taking place. In fact, Ari Baranoff, the assistant special agent-in-charge of the Secret Service’s Criminal Investigative Division, said the Secret Service has responded to 350 network intrusions so far this year, and the majority of the incidents involved small and medium-sized businesses.
“We view those small and medium-size businesses as ground zero for a lot of the malware that is introduced into the wild,” Baranoff said. “Many of the actors that we look at on a daily and weekly basis have capabilities that far exceed the capabilities of most nation-states.”
The Syracuse connection
In July, several banking institutions notified the Secret Service that they had detected credit and debit card fraud trends that pointed to a small store in Syracuse, New York, as a so-called “common point of purchase” for stolen credit card data.
Two agents were dispatched to analyze the server that managed the store’s point-of-sale terminal, and they soon discovered malware on the system. The agents removed the malware from the store’s network and brought a sample back to Secret Service headquarters, where forensics experts were able to reverse engineer the code.
Analysis of the malware revealed the code was what is known as an “initial finding, that this malware had not been seen yet by traditional anti-virus companies,” Baranoff said. The Secret Service then issued an advisory to industry, leading network security specialists at United Parcel Service Inc. to discover the malware on UPS’ network. It had gone undetected for six months.
“They were able to contain the issue to just 1 percent of their stores, just under 50 stores out of 5,000 in 25 states,” Baranoff said.
Anatomy of a hack
The most sophisticated cybercriminals are difficult to detect, Secret Service Special Agent Katherine Pierce said. “They do their homework. Their goal is financial gain. This is their job, this is their livelihood,” she said.
But there is a process that most attackers generally follow, and understanding that process can help businesses know what to look for on their networks. According to Pierce, the six steps in the attack process are reconnaissance, initial compromise, establishing a foothold, escalating privileges, exfiltrating data and maintaining presence.
Once an attacker has conducted a thorough reconnaissance and gained initial entry into your network, one of the first things a cybercriminal will attempt to do is escalate their privileges on the network, according to FBI Supervisory Special Agent Jason Truppi.
“This is where the rubber meets the road. Any hacker can get in your front door … but to really escalate privileges and start moving laterally takes a different level of skill,” Truppi said. And this is also an opportunity for the defender to catch the attacker in the act. Not only can this process take a long time, but “depending on the skill set, it may be very loud, it may be very noisy,” he said.
“You’re going to see internal scanning, internal access to authentication servers, password dumping utilities are going to be sitting on internally compromised hosts [and] brute force attacks on servers,” he said. Victims may also see typical recon tools, such as nmap and ping requests, as well as Mimikatz — a tool that dumps plain text passwords out of memory.
To help defend against attacks at this stage, Truppi suggests companies deploy host-based intrusion detection systems, use strong domain passwords and limit the use of service accounts that have administrative privileges.
“Limit local admin access,” he said. “It’s the basic hygiene of any network. This is the No. 1 killer.”
The heist
There are generally two phases to the actual exfiltration of credit card data from a victim’s network and both are more or less impossible to defend against, according to Truppi. This is the stage of the attack you don’t want to find yourself defending against, he said.
The first phase involves staging the data for removal. Since cybercriminals are there to steal as many card numbers as possible in as few steps as possible, they will need to compress the data to get it off the network.
The second stage involves placing the compressed data file on a server where it can be masked. “They need to move it to a higher volume server to mask the data so you don’t see it,” he said, referring to the process of hiding the compressed file in a data stream where it won’t look out of place.
“Look for things like FTP, believe it or not,” Truppi said. Other tools used include Secure FTP, SSH, P-LINK command-line utility for Windows and Web Dropboxes since most companies aren’t defending against the use of drop boxes.
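As an added illustration (not code from the article or from the agencies briefing), a small Python triage over constructed host and network events that flags the three signals Truppi names: internal scanning, password-dumping utilities such as Mimikatz sitting on compromised hosts, and outbound FTP/SSH from POS hosts. The scan threshold, host names, port list and the hypothetical log format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Demo assumptions, not figures from the briefing.
SCAN_THRESHOLD = 5                          # distinct internal hosts touched by one source
EXFIL_PORTS = {21, 22}                      # FTP and SSH/SFTP, the channels Truppi cites
DUMP_TOOLS = {"mimikatz.exe", "plink.exe"}  # tools named in the briefing
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def triage(events):
    """Return {host: sorted findings} for the three signal types.

    Each event is a dict with keys host, kind ("conn" or "proc") and detail
    ("dst_ip:port" for connections, process image name for processes).
    """
    internal_dsts = defaultdict(set)
    findings = defaultdict(set)
    for ev in events:
        host, kind, detail = ev["host"], ev["kind"], ev["detail"]
        if kind == "proc":
            if detail.lower() in DUMP_TOOLS:
                findings[host].add(f"credential-dumping/tunnel tool: {detail}")
        elif kind == "conn":
            ip, port = detail.rsplit(":", 1)
            if is_internal(ip):
                internal_dsts[host].add(ip)          # candidate internal scanning
            elif host.startswith("pos-") and int(port) in EXFIL_PORTS:
                findings[host].add(f"outbound FTP/SSH from POS host to {ip}:{port}")
    for host, dsts in internal_dsts.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[host].add(f"internal scanning: {len(dsts)} internal hosts")
    return {h: sorted(f) for h, f in findings.items()}


# Constructed sample telemetry (hypothetical hosts, not real data).
SAMPLE = (
    [{"host": "ws-42", "kind": "conn", "detail": f"10.0.5.{i}:445"} for i in range(1, 8)]
    + [{"host": "ws-42", "kind": "proc", "detail": "mimikatz.exe"},
       {"host": "pos-17", "kind": "conn", "detail": "203.0.113.9:21"},
       {"host": "pos-17", "kind": "conn", "detail": "10.0.1.10:443"},
       {"host": "ws-08", "kind": "conn", "detail": "10.0.1.10:443"},
       {"host": "ws-08", "kind": "proc", "detail": "outlook.exe"}]
)

if __name__ == "__main__":
    for host, notes in triage(SAMPLE).items():
        print(host, notes)
```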
The POS connection
Almost every POS system compromise comes to the attention of the Secret Service because one or more banks notice an uptick in fraudulent activity on cards that were all used at the same retail location. That’s exactly how Secret Service Special Agent Matt O’Neill busted a Romanian cybercrime ring that compromised the POS systems used by 150 Subway restaurants and 50 other retailers around the country between 2008 and 2011.
“The bad actors were simply port scanning for folks who had remote desktop applications on their point-of-sale terminals,” O’Neill said. Then they would use known generic passwords or passwords that they knew POS manufacturers used as default passwords. From there, they would crack the administrator password and install a keystroke logger on the merchant POS system.
O’Neill managed to find where the hackers stored all of their cracking tools, and, for five months, he was able to identify new breaches as they occurred and notify the victims in near real-time to allow them to remove the malware.
The two main suspects were logging into a compromised system owned by a trucking company in Pennsylvania, where they would engage in chat sessions and email malware.
“One of the suspects liked gambling and the ladies,” O’Neill said. So the Secret Service created an online persona of a young woman working at a hotel casino and worked with the hotel chain to actually list the undercover agent on the hotel employee directory.
“Over the period of about six months, I developed what I’ll call a quasi-romantic relationship with him,” O’Neill said. The operation succeeded in luring the suspect to Boston, where he made a full confession upon arrest. The ringleader of the group was also identified and was extradited to the U.S., where he was sentenced to 15 years in prison.
“These guys were gaining access into approximately 100 to 200 victim locations every single day,” O’Neill said. “The bad guys that I’ve spoken to have all said ‘we could have tried to obtain the payment card data from a variety of locations, but quite frankly the easiest is through the merchant.’”
DHS sees wearables as the future for first responders
The Science & Technology Directorate at the Department of Homeland Security wants wearables that can operate in these conditions. (Credit: iStockphoto.com)
Robert Griffin, the new deputy undersecretary for the Department of Homeland Security’s Science and Technology Directorate, knows data is the last thing people are thinking about in a life-threatening situation. He also knows that first responders aren’t like most people.
“Sane people don’t run into burning buildings,” Griffin said Tuesday. “But I need data to let me run into those buildings.”
Griffin’s remarks came during a presentation at a wearable technology conference in Arlington, Virginia, outlining a new research and development vision for the S&T office that will focus on how DHS can leverage emerging technology for the nation’s first responders.
After spending a portion of this year reaching out to state and local governments as well as private industry, S&T has established a soon-to-be-released five-point vision that will make first responders and their technology more intuitive, instinctive and interoperable.
“Because we saw there was such an interest in having a participatory conversation, we’re looking to expand that on a series of specific dialogues about different areas, and the first one is going to be about wearables,” Griffin told FedScoop.
The part about wearables Griffin is referring to is a multimillion-dollar project that will help create public-safety-grade wearables from existing technology over the next three to five years.
“What we’re looking for is not government-off-the-shelf products, but commercial-off-the-shelf products,” Griffin said. “What wearable technology can we adapt that already exists to realize the dream we laid out.”
A picture that shows the various technological advances the Department of Homeland Security wants for first responders. (Courtesy of DHS)
This project coincides with the relaunch of S&T’s website on Nov. 17, which DHS expects to help further a national conversation about the next generation of first responders. The new website will feature meetups, hackathons, webinars and challenges all geared toward new S&T directives. The site will also have a big crowdsource component run on the Ideascale platform.
“We’re going to try and take multiple approaches because one size doesn’t fit all,” Griffin said. “[Ideascale] is a better way to crowdsource some of these ideas, particularly where some of these areas can get pretty down into the weeds. This is part of what we are trying to do to be more transparent but also to begin a process of engaging industry and users and begin to think about the operators.”
The wearables project is one part of what DHS sees as a larger vision that could span decades into the future.
“The long-term vision is that fully aware, fully connected, fully integrated responder,” Griffin said. “We recognize that it could take us 20 to 30 years, maybe longer to get there. It’s not just a technology issue, it’s usage, it’s operating procedures, it’s governance, training. It’s part of the whole continuum we need to think about.”
Part of that continuum includes FirstNet, the nationwide public safety broadband network for first responders that will be built in the coming years. Griffin said, while DHS fully supports the network, he wants to take the technology discussion beyond FirstNet.
“It’s no good to come to depend on a technology that you can only use during pristine, perfect conditions,” Griffin said. “We need to think about how first responders are able to use this technology in situations when there is even degraded or no communications.”
As for the wearables project, Griffin drove home what he saw as “huge market potential” when he painted a scene for the crowd on how a first responder differs from how the rest of the public uses wearables.
“When I’m in a 1700-degree fire, I can’t roll up my sleeve to look at a wearable,” Griffin told the crowd. “We need to start to think about how to integrate and connect, because you can help me do my job in ways I can’t imagine.”
While Griffin may not be able to currently imagine the products future first responders will use, he does know that DHS’s new vision will ultimately lead to lives being saved.
“The beauty of wearables is that we haven’t even begun to scratch the surface of what it could potentially mean to a safer community,” Griffin told FedScoop. “Once we can get this into the hands of first responders and into the hands of the community, it’s going to do amazing things.”