
October 5 2013

October 7, 2013


Newswire

 

Springfield at center of Ohio’s UAS effort

State office here boosts area’s chances to land unmanned aircraft business. Thousands of jobs, billions of dollars at stake.

By Andrew McGinn

Staff Writer

Posted: 2:13 p.m. Monday, Sept. 30, 2013

Dayton Daily News

 

SPRINGFIELD — The lease at a local technology park for a state office tasked with enticing unmanned aircraft systems companies to Ohio was barely 60 days old when a Florida business announced it would relocate a program to Springfield to develop and commercialize an unmanned airship.

The state’s choice to locate the Ohio/Indiana UAS Center and Test Complex within 2,060 square feet of leased office space along U.S. 40 in the Nextedge Applied Research and Technology Park puts Springfield at the center of Ohio’s effort to claim a chunk of what promises to be a lucrative new industry.

“It provides the business center for the overall initiative,” said Tom Franzen, the city of Springfield’s assistant city manager and director of economic development. “It’s a big benefit to having them here.”

Call them UAS, UAVs or RPA — as in remotely piloted aircraft — or call them drones, but the commercial and civil market for them is predicted to generate more than $82.1 billion the first decade after they’ve been cleared for takeoff by the Federal Aviation Administration.

That could happen as soon as 2015.

The industry will create more than 34,000 new manufacturing jobs alone the first three years, according to a widely publicized report by the Association for Unmanned Vehicle Systems International.

That is, once the FAA is satisfied they can be flown safely and with the privacy of citizens protected.

The developer of that unmanned airship, World Surveillance Group, envisions the day when its Argus One — flying aloft with 30 pounds of sensors, cameras and electronics — will be available for purchase to assist first responders or to transmit wireless communications, or to keep watch over military forces in hostile lands.

World Surveillance will work to make it all a reality by tethering the Argus program in Springfield and working with several firms already established in Ohio.

The combined parties will “assist the Ohio/Indiana UAS Test Center by fostering the growth of Ohio as a preeminent aerospace and UAS center,” the company’s announcement read.

It’s hoped other companies follow suit.

“I hope that’s exactly what happens,” said Dick Honneywell, a retired Air Force Reserve colonel who was appointed by Gov. John Kasich last month to be the Ohio/Indiana UAS Center’s first director. “We want businesses to come in here, and they can absolutely succeed.”

For Honneywell, 58, it was the easiest sale he’s likely to have during his tenure — he didn’t know about World Surveillance Group’s decision to move the Argus One program here from Easton, Md., until it was announced.

“Besides being surprising,” he said, “it was good news. That’s exactly the kind of movement we’d like to see.”

Glenn Estrella, president and CEO of World Surveillance Group, has been to this part of Ohio and said he’s a “fan” of the area.

“The area is rich with space,” Estrella said. “It’s rich with open field testing opportunities. And it’s rich with very smart folks in this field. It’s the perfect package for a company like ours.”

The proximity to Wright-Patterson Air Force Base is itself a selling point for companies like Estrella’s, and arguably the reason why the Miami Valley as a whole has emerged as the state’s hub of unmanned aircraft technology.

Companies throughout the area already are involved in developing UAS, including SelectTech GeoSpatial, which has had a manufacturing facility at the Springfield-Beckley Municipal Airport since 2009.

From his new office in the Avetec building looking out toward what was once known as the National Road, Honneywell is eager to spur more commercial business development.

“We’re part of the solution,” he said.

After 32 years in the Air Force, leading research into power and propulsion at Wright-Patterson, that part of his new role is a welcome change.

His office falls under the Ohio Department of Transportation.

“You don’t get to do a lot of economic development in the Air Force,” Honneywell said.

Wright-Patt has been the military’s center of aircraft innovation since the 1920s, but most of the Air Force’s manufacturing, he said, is done in the West and South.

“A lot of the technology started in this region, but we weren’t able to capture the manufacturing base out of that,” Honneywell said.

Honneywell said he’d like to see the region both develop and manufacture UAS — and it arguably has a birthright to do both.

The Wright brothers aside, the world’s first unmanned aerial vehicle was invented and produced in Dayton.

In 1917, Dayton inventor Charles F. Kettering developed the Kettering Aerial Torpedo. Known as the “Bug,” it was meant to be used in World War I, but never saw combat.

More of an early guided missile than a UAV, it nonetheless set the stage, with a range of 75 miles. After a predetermined length of time, the Bug’s engine would shut off and its wings would release.

The resulting bomb packed 180 pounds worth of explosives.

A reproduction of the Bug has been on display since 1964 at the nearby National Museum of the U.S. Air Force, and it only takes a stroll through the museum to learn that unmanned aerial technology isn’t exactly new.

On display are such early military UAVs as the Teledyne-Ryan AQM-91A Compass Arrow, whose radar-absorbing body also constituted proto-stealth technology.

While never used, the Compass Arrow was ready as early as 1971 to fly deep into China — either automatically or manually by someone aboard the cargo plane that launched it — taking reconnaissance photos along the way.

However, it wasn’t until the Global War on Terror that the use of UAVs exploded and “drones” became a household word.

Commercial developers envision stripping drones of their weapons and putting them to work at a variety of civilian tasks, including weather monitoring and oil and gas exploration.

“I see it as an opportunity for the region to regain aerospace manufacturing,” Honneywell said.

That effort to lure UAS business to Ohio could be made much easier, or that much harder, at year’s end, when the FAA designates six sites nationally where unmanned aircraft will be tested.

Those six sites will help develop the safety and privacy parameters needed for full integration of drones into the nation’s airspace.

“A lot of folks are waiting to see what happens,” Franzen said.

The FAA received 25 applications from 24 states, according to spokesman Les Dorr, and is expected to make its picks by the end of 2013.

“There’s an obvious upside to getting the designation,” Franzen said.

According to that earlier report by the drone industry, the selection of the test sites will help determine where jobs flow.

Ohio and Indiana applied for a test site jointly. Honneywell, serving at the time as vice president of aerospace at the Dayton Development Coalition, led the application process.

While staffing for the Argus One development program initially will come from partnering companies, World Surveillance Group didn’t want to wait to make a move.

“We’re moving our products forward,” Estrella said. “For the Argus, Springfield was the right place. We never hesitated.”

The two-state test complex put forth for FAA consideration encompasses multiple locations, mostly all within the Dayton region, including Springfield-Beckley and the Wilmington Air Park for the takeoff and recovery of unmanned aircraft, along with restricted airspace in southeast Indiana.

Partners in Ohio’s endeavor include such R&D powerhouses as the Air Force Research Laboratory at Wright-Patt and NASA Glenn Research Center in Cleveland.

The Ohio-Indiana test complex also includes military airspace southeast of Wilmington and the National Center for Medical Readiness run by Wright State University at a former cement plant in Fairborn.

That plant has been converted into a 52-acre training site dubbed Calamityville for civilian and military first responders.

“The FAA has a very difficult decision,” Honneywell said.

The Ohio/Indiana UAS Center will manage the entire range, renting airspace to companies like World Surveillance Group that will want to flight test aircraft.

“We’ll be pleased to support any customer to the range,” Honneywell said.

Despite the competition — 10 to 12 sites in the running are “very strong,” Honneywell said — he’s admittedly not worried about losing out to, say, North Dakota, which scored an article last month in Popular Science headlined, “How North Dakota Plans to Become the Drone Capital of America.”

Ohio’s mix of airspace and research partners, plus its strong supply chain, means “it’s going to be tough for other communities to match,” Honneywell said.

But at the drone industry’s annual trade show last month in Washington, D.C., the state of North Dakota, which likes to tout its $2 billion state surplus thanks to fracking, was among the event’s top sponsors, right alongside the likes of aerospace behemoths Lockheed Martin and Northrop Grumman.

“Everybody’s trumpeting their own horn,” Franzen said.

The state of Ohio sponsored a booth at the show, and Franzen, for one, attended to both man the booth and work the floor.

“You can probably go to any state, and the folks involved say they’ve got it wrapped up,” said Joel Embry, president of Indiana-based Drone Systems, a company that markets drones.

Embry primarily sells two small quadcopters, the Scout and the SkyRanger, made by a Canadian company, Aeryon Labs.

Priced between $100,000 and $150,000 — “They’re serious tools,” he said, “They’ll fly in any weather” — they currently can be used by first responders who apply for special permission from the FAA.

The FAA doesn’t yet allow drones to be used by farmers, but Embry also envisions Scouts and SkyRangers at work on farms, flying over fields to spot areas of blight.

That would be in keeping with the drone industry’s prediction that agriculture and public safety will be the two biggest markets for UAS, with agriculture emerging as the most dominant by far. Of the $82.1 billion the UAS industry is calculated to generate by 2025, agriculture alone could generate $75.6 billion.

From his home base just north of Louisville, Ky., Embry has been watching closely Ohio and Indiana’s efforts to win an FAA test site.

“It’d be awfully convenient for us,” he said, adding that they could conceivably come flight test their quadcopters for the first time at distances of five, even six miles.

Even if Ohio isn’t picked as an FAA test site, the Ohio/Indiana UAS Center in Springfield won’t be without UAS to manage. The state has committed 12 full-time positions to the center, Honneywell said, and signed a two-year lease in the Avetec building at a cost of $70,000.

Regardless of the FAA’s decision, the range here will officially open in the spring to unmanned aircraft competing in a NASA contest intended to speed up development of “sense and avoid” technology.

The space agency picked this region to hold its UAS Airspace Operations Challenge.

Using the range’s airspace in Indiana, NASA will run intercepts with aircraft of its own, Honneywell said. It will be up to the competing UAS to sense and avoid the air traffic.

“If we’re going to integrate UAS into the airspace,” he said, “you want to maintain the level of safety we have today.”

NASA has put up $500,000 in prize money for the challenge, which “will bring an army of ideas forward,” Honneywell said.

A number of university teams are expected to take part, he said, but there are no guarantees anyone will win the pot of money.

All the while, the center will seek to support new business opportunities throughout the region.

“The commercial opportunity is too great,” Honneywell said.

 

 

Shutdown could test IT security at federal agencies

Agencies would have skeletal IT teams in place to manage systems

Jaikumar Vijayan

October 1, 2013 (Computerworld)

http://www.computerworld.com/s/article/9242837/Shutdown_could_test_IT_security_at_federal_agencies?pageNumber=1

 

A government shutdown that lasts more than a few days could test the ability of federal agencies to protect their information systems against security threats.

Several agencies, over the past few days, have released contingency plans showing that they will have to heavily scale down their IT teams to maintain, manage and protect IT infrastructure during a shutdown.

The U.S. Department of Veterans Affairs, for instance, said it will furlough more than 40%, or 3,267, of its 8,026 IT employees in the event of an appropriations lapse. Those remaining will be responsible for functions such as network maintenance and protection, information security and for keeping the data center and enterprise infrastructure running.

In some cases, the shutdown will leave barely a skeletal staff in place to run legally “excepted” activities.

The Federal Trade Commission exempted a total of six employees from taking a forced furlough. The six will be responsible for ensuring the integrity and availability of the agency’s IT infrastructure to other exempt employees at the agency. The six individuals will also be responsible for other tasks, including direct support of the agency’s network and telecommunication services, operating the FTC’s data center, rotating backup media for offsite storage and providing on-site database administration support, the FTC said in its contingency plans.

The Social Security Administration exempted 10%, or 310 of its 3,187 IT employees, for infrastructure and program support purposes. The U.S. Department of Housing and Urban Development asked all but 349 of its 8,709 administrative and management staff to go on furlough. Among those exempted from the furlough are 13 IT employees out of 244 in the agency CIO’s office. The 13 will be responsible for keeping critical systems running and protecting them against security threats.

Most other federal agencies are expected to have a similar handful of IT security staff and other essential personnel to run infrastructure operations.

“I believe that most CIOs will have their security and network analysts deemed ‘essential,’ and they will be on a heightened [state] of awareness,” said Karen Evans, former de facto federal CIO during the George W. Bush administration.

Many IT services will need to be available through a shutdown so most IT staff will also be deemed essential, she noted. “But, the short of it is, because of all the services online and how government accesses these services, there are going to be risks,” associated with a prolonged shutdown, she said.

Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University said the contingency plans that federal agencies have set up should be adequate for a few days but not for a long stretch.

Even with systems shut down, functions like patching and installing key maintenance upgrades are important and could pose a challenge for skeletal teams that have been assembled to manage IT systems during a shutdown, he said.

If the shutdown were to persist through the second Tuesday of October for instance, many agencies could find themselves scrambling to install Microsoft’s monthly security updates, Spafford said.

 

Mike Brown, vice president and general manager at security firm RSA’s global public sector unit, noted that security risks to federal agencies overall should not increase dramatically as a result of the shutdown. However, the potential for agencies to make mistakes increases during times of reduced staffing.

“I would expect that most of the infrastructure would be maintained by personnel who have been designated as essential, and that planning has taken place to ensure security remains a priority,” Brown said. “However, any time there is an event like this, there is the potential for mistakes to take place. Not only will the impact of nonessential personnel weigh on an organization, but additional issues could arise based on the overall status of personnel and priorities.”

A Sept. 16 directive issued by the White House Office of Management and Budget requires federal agencies to wind down all IT activities other than “excepted” activities, including those that are essential to safety and protection of property, in the event of a government shutdown.

The directive leaves it up to agency heads to determine what systems can be kept running, but it makes clear that the only systems allowed to run will be those that directly support an exempted activity. If such a system happens to be interconnected with other systems, the agency has to figure out a way to keep it running without affecting the safety and security of the other systems, the directive noted.

“Given that websites represent the front-end of numerous back-end processing systems, agencies must determine whether the entire website can be shut down or components of the website will be shut down,” to ensure compliance with procedures during an appropriations lapse, the OMB memo noted.

 

Pilot Projects Aim to Replace Passwords

Feds Ante Up $7 Million in New Round of NSTIC Funding

By Eric Chabrow, September 19, 2013

http://www.govinfosecurity.com/pilot-projects-aim-to-replace-passwords-a-6075/op-1

 

The federal government sees big potential in ID.me, an online service that helps merchants securely identify members of the armed forces to offer them discounts. That’s why it has awarded the company a $1.2 million grant for a pilot program to evolve its service into a trusted identity solution to let military families securely access sensitive information online from government agencies, financial institutions and healthcare providers.

ID.me is one of five groups receiving a total of more than $7 million in taxpayer money in a second round of grants under a program designed to bolster development of reliable, easy-to-use online credentials that the government hopes will help build trust in online commerce and boost the economy.

Creating an “identity ecosystem” will fuel the next generation of online businesses, says Jeremy Grant, senior executive adviser for identity management at the National Institute of Standards and Technology, which oversees the National Strategy for Trusted Identities in Cyberspace program, known as NSTIC (pronounced n-stick).

NSTIC is a collaborative effort among business, not-for-profits and the government to create secure and interoperable identity credentials to access online services. NIST last year awarded $9 million to five other pilot programs, and it expects in the coming days to announce two more pilots aimed at state governments.

 

ID.me, founded as Troop ID by former Army Rangers who served in Iraq, will use its grant to expand its identity solution by incorporating multifactor authentication to access sensitive information online. The company’s key partners include federal government agencies and a leading financial institution serving the nation’s military community and its families.

“This is a company that already made tremendous strides just by doing a low-level credential as a startup,” Grant says. “Now, they’re looking to take a grant and really build a solution that’s NSTIC aligned that would offer a lot more value to them. There are a lot of service providers online who will, if the pilot goes well, trust those credentials and get people to login to their sites.”

Exponent received $1.6 million to issue secure, easy-to-use and privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a healthcare organization and the Defense Department.

Exponent and partners Gemalto and HID Global will deploy two types of identity verification: mobile devices that leverage so-called derived credentials stored in the device’s SIM card and secure wearable devices, such as rings and bracelets. Solutions will be built upon standards, ensuring an interoperable system that can be easily adopted by a wide variety of organizations and companies.

Georgia Tech Research Corp. will use its $1.7 million grant to develop and demonstrate a “trustmark framework” that seeks to improve trust, interoperability and privacy. Trustmarks are a badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization.

Defining trustmarks for specific sets of policies would enable website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact.

NIST says supporting consistent, machine-readable ways to express policy can enhance and simplify the user experience, raise the level of trust in online transactions and improve interoperability between service providers and trust frameworks.

Privacy Vaults Online will apply its $1.6 million grant to the development of a solution that provides families with Children’s Online Privacy Protection Act-compliant credentials that would let parents authorize their children to interact with online services in a privacy-enhancing way.

NIST says parents need better tools to ensure their children use the Internet safely; online service providers need to comply with the requirements of COPPA when they deal with minors under the age of 13.

Transglobal Secure Collaboration Participation, also known as TSCP, will use its $1.3 million grant to deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. Employees of participating businesses will be able to use their existing credentials during the pilot to securely log in to retirement accounts at brokerages, rather than having to obtain a new credential.

NIST says the key to enabling these cross-sector transactions will be TSCP’s development of an open source, technology-neutral trust framework development guidance document that can provide a foundation for cross-sector interoperability of online credentials.

 

Becoming a ‘Shining Star’

Grant says last year’s five pilot projects are progressing satisfactorily. “A pilot could have troubles one month and the next month find a way to overcome them and become a shining star,” he says (see Creating Trust: The $9 Million Pilots).

 

The 2012 pilot projects will report to NSTIC next month on their progress and will continue for another year. “We’re learning a lot on where things are working out as well as to where they’re running into challenges,” he says.

One common theme culled from the pilots is the importance of the Identity Ecosystem Steering Group to the NSTIC initiative, Grant says. The steering group is a mostly private-sector led organization, chaired by Bob Blakely, Citigroup director of security innovation, that will facilitate trusted identities once the government withdraws from the NSTIC initiative in about three years.

The steering group is creating a legal and policy framework to enable identity providers to set up contracts and conduct transactions. “Every one of the pilots [from 2012] have found that they spent more time than anticipated working on how to get these agreements signed,” Grant says.

 

Furloughed Federal Employees Flood State Unemployment Offices

On the first day of the shutdown, some state unemployment offices received an unusually high number of applications from federal employees.

BY J.B. WOGAN / OCTOBER 2, 2013

http://www.govtech.com/federal/Furloughed-Federal-Employees-Flood-State-Unemployment-Offices.html

 

Federal employees who can’t work due to a government shutdown that began on Oct. 1 are applying for unemployment benefits in droves. State offices in the mid-Atlantic region — where much of the federal workforce is located — reported an immediate surge in applications. It’s just one consequence of a shutdown that’s also rendered federal websites inoperable and caused some state departments to furlough employees whose jobs are partly dependent on federal funds.

Between 7 a.m. and 1 p.m. on the first day of the shutdown, Maryland’s Department of Labor, Licensing and Regulation received roughly 4,000 applications, according to Maureen O’Connor, an agency spokeswoman. That’s more federal claim applications than the department usually receives in an entire year, she said.

The federal government has not released an official estimate on the total number of workers being furloughed, but shutdown plans from different agencies suggest it could be higher than 818,000 employees, according to an analysis by the Wall Street Journal. Several state offices that handle unemployment insurance, including in Maryland, Virginia, Pennsylvania and Washington, D.C., have posted notices about how federal workers can collect unemployment benefits. If Congress decides to retroactively grant back pay (as it did in the last shutdown 17 years ago), then the employees would be required to return the unemployment money they received.

Last week officials from the U.S. Department of Labor held conference calls with states in the mid-Atlantic region, assuming they would be hardest hit if both federal employees and federal contractors were suddenly out of work, according to Bill Walton, the unemployment insurance director for the Virginia Employment Commission. A recent tabulation of federal employees in the executive branch shows Virginia with the second most employees (144,753) of any state or the District of Columbia. The district was third (143,573) and Maryland was fifth (119,816). (The counts were based on place of employment, not place of residence.)

After the shutdown, the district’s Department of Employment Services received an increase in the number of inquiries by federal workers wanting to know if they were eligible for unemployment benefits, said Najla Haywood, a spokeswoman for the agency. Applications were also up, she said. In Virginia, it will be a few days before the Employment Commission can tally incoming applications, Walton said, but simply by virtue of the uptick in activity in his email inbox he knows that Virginia was experiencing a steep increase. He attributed it to the concentration of federal employees and contractors working in Northern Virginia and Virginia Beach. While the benefits themselves were in no danger of losing federal funding, the state staff who process those claims are also reliant on federal funding; on that front, “we have about a 30-day window,” he said, or “we have to potentially ask state government for additional monies.”

In Virginia, the employment commission created a special process for reviewing federal claims in preparation for a surge that might otherwise overwhelm staff, Walton said. The agency is directing everyone to its website, where they can print an application and read a Q&A. To save time, the agency is instructing people to provide either a pay stub or W-2 form; otherwise, the agency has to ask the employer (in this case, the federal government) for a wage history for the past four quarters and — due to the shutdown — that process would be abnormally slow. While state unemployment compensation requirements differ, compensation is usually available to individuals who have been in a non-pay status for seven or more consecutive days and meet other eligibility requirements.

 

Microsoft to patch zero-day IE bug now under attack

Eight updates will plug holes in IE, Windows, Office, SharePoint and Silverlight

http://www.computerworld.com/s/article/9242950/Microsoft_to_patch_zero_day_IE_bug_now_under_attack?source=CTWNLE_nlt_security_2013-10-04

By Gregg Keizer

October 3, 2013 04:00 PM ET

Computerworld – Microsoft today said it will ship eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), with the one aimed at IE plugging the hole attackers have been exploiting for months.

“The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505,” confirmed Dustin Childs on the Microsoft Security Response Center (MSRC) blog today.

Security experts identified the IE update as the one to deploy first, citing the fact that one of the vulnerabilities has been used by cyber criminals in targeted attacks against users in Japan and Taiwan.

“IE is always top of the list,” said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, in an interview today.

On Sept. 17, Microsoft confirmed that hackers were exploiting a critical unpatched vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9). The bug, however, existed in all versions of the browser, including the 12-year-old IE6 and the newest IE11.

Over the next two weeks, security companies reported that attacks had been aimed at Japanese and Taiwanese organizations since July. And earlier this week, exploit code went public as a working module was added to the open-source Metasploit penetration framework. Researchers predicted that the Metasploit appearance would result in an increase in attacks as less-capable hackers copied the code and added it to their weaponized toolkits.

“Once it went into Metasploit, I anticipated an early release of a patch by Microsoft,” said Storms today. “Obviously the patch is done, but Microsoft’s and its partners’ telemetry must have shown that there were no reasons to go out-of-band.”

Historically, Microsoft has issued “out-of-band” updates — those outside the normal monthly release schedule — only when it believes large numbers of its customers are at risk. The company has never publicly disclosed how it decides when to ship an out-of-band security update.

The early date of October’s Patch Tuesday — always the second Tuesday of the month — may have played a part in Microsoft’s decision to hold the update and not go out-of-band, Storms said.

The IE update was just one of four rated “critical” by Microsoft. The remaining three critical updates were all aimed at Windows, including one that applied to the newest Windows 8, Windows RT, Windows 8.1 and Windows RT 8.1, according to Microsoft’s advanced notification distributed today.

Experts recommended that customers install the Windows updates as soon as possible after their release. “Bulletins 2 and 3 are through the stack and might end up rating more attention than the IE update,” warned Storms.

Microsoft said Bulletin 3 did not affect Windows 8.1 or Windows RT 8.1, but that Bulletin 2 did.

The other four updates will patch vulnerabilities in Excel, other pieces of Office, the SharePoint collaboration server software and Silverlight, a media format Microsoft seems to have discarded or at least isn’t interested in developing further.

Because the Office-related vulnerabilities were ranked as “important” even though Microsoft said hackers could exploit them to plant malware on customers’ PCs, Storms said it was probable that any attack code required considerable user interaction to work, such as downloading files, opening shared folders or clicking through multiple warnings.

“Being exploited via a drive-by is not going to happen,” said Storms, referring to the most dangerous attacks, which only require a user to visit a malicious website to trigger exploits.

Microsoft will release next week’s security updates on Oct. 8 around 1 p.m. ET.

 

Hackers steal data on 2.9 million Adobe customers

Source code for some Adobe products also was stolen

Lucian Constantin

October 3, 2013 (IDG News Service)

http://www.computerworld.com/s/article/9242963/Hackers_steal_data_on_2.9_million_Adobe_customers?source=CTWNLE_nlt_security_2013-10-04

 

Hackers broke into the internal computer network of Adobe Systems and stole information on 2.9 million customers, as well as source code for several of the company’s products.

Adobe’s security team discovered “sophisticated attacks” on the company’s network “very recently,” Brad Arkin, Adobe’s chief security officer, said Thursday in a blog post announcing the incident.

So far, Adobe’s investigation has revealed that attackers managed to access Adobe customer IDs and encrypted passwords, as well as obtain information on 2.9 million customers, including names, encrypted credit or debit card numbers with their expiration dates, and other customer order details.

“At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems,” Arkin said.

“Our investigation to date indicates that the cyber attackers removed certain customer information between September 11 and September 17, 2013,” an Adobe spokeswoman said via email. As far as the timeline for the source-code compromise is concerned, the investigation is ongoing, she said.

It’s not clear if the same attackers are responsible for the compromise of customer information and accounts and the theft of source code.

Adobe is in the process of resetting the passwords of all affected Adobe ID accounts and notifying customers whose credit or debit card information was involved in the security breach. The company is offering U.S.-based customers a one-year complimentary membership in a credit monitoring service.

Adobe has alerted the banks processing customer payments and is working with external partners and law enforcement to address the incident.

According to Arkin, hackers also appear to have accessed the source code of “numerous Adobe products.” However, only Adobe Acrobat, ColdFusion and ColdFusion Builder have been named so far.

“Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” Arkin said in a separate blog post, adding that Adobe is not aware of any zero-day exploits — exploits against previously unknown vulnerabilities — being used to target Adobe products.

Arkin credited security journalist Brian Krebs, as well as Alex Holden, chief information security officer of Hold Security, a company that monitors the Internet underground for stolen business data, with helping Adobe respond to the incident.

According to Hold Security, more than 40GB of encrypted archives that appear to contain the source code for the Adobe Acrobat and Adobe ColdFusion product lines were found on servers used by cybercriminals who are believed to have also hacked into computer systems of major data brokers Dun and Bradstreet, LexisNexis and Kroll Background America.

The breach appears to have occurred in early August, and it’s unclear whether the hackers analyzed the source code or used it for malicious purposes, Holden said on the company’s website.

The firm seems to disagree with Adobe on the potential security impact of the source code being stolen.

 

“Adobe products are installed on most end-user devices and used on many corporate and government servers around the world,” Hold Security said in a blog post. “While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for [a] new generation of viruses, malware, and exploits.”

Adobe could not confirm whether the popular Adobe Reader product was also affected, or if the security breach also resulted in the theft of encryption keys or code-signing certificates.

“Our investigation is still ongoing,” the Adobe spokeswoman said.

This is not the first time hackers have compromised Adobe’s internal computer systems. Last year, attackers gained access to an Adobe code-signing server and used it to digitally sign malware.

 

Lockheed, Boeing to Start Furloughing Employees Next Week

Defense News

Oct. 4, 2013 – 02:45PM |

By AARON MEHTA and MARCUS WEISGERBER

 

WASHINGTON — Defense giants Lockheed Martin and Boeing will begin furloughing thousands of employees Monday if the US government shutdown continues next week, according to company officials.

Maryland-based Lockheed Martin will furlough approximately 3,000 employees on Monday, a number the company says will likely increase as the government shutdown continues. Employees from across Lockheed’s businesses will be impacted by the furloughs.

“We expect the number of employees affected by the shutdown to grow as we experience contractual actions and the impact of furloughs among [Defense Contract Management Agency] and other customer inspectors across our business and our suppliers’ businesses,” Lockheed CEO Marillyn Hewson said in a memo to employees.

“I’m disappointed that we must take these actions and we continue to encourage our lawmakers to come together to pass a funding bill that will end this shutdown,” Hewson added.

A Boeing spokeswoman said the Chicago-based company would begin furloughs next week if the shutdown continued. The company was still tabulating the number of impacted employees.

“Boeing is seeing increasing effects on certain daily operations that involve U.S. government facilities and people,” Meghan McCormick, a company spokeswoman said in an email. “Boeing will continue working with its customers and suppliers to maintain normal operations in as many parts of our business as possible. While the company is working to limit the negative impact of the shutdown on customers and employees, we expect more consequences could emerge in the coming days, including limited furloughs of employees in some areas.”

Earlier this week, Lockheed released a statement indicating it hoped to avoid furloughs.

“We will continue to conduct business with the same dedication to our purpose and commitment to our customers,” the company said then. “Unless we are directed otherwise by our customers, our facilities will remain open, and our employees will continue to receive their pay and benefits.”

When asked what changed, a spokesman for Lockheed said ongoing discussions with the Pentagon led the company to make a decision to begin furloughs.

“It’s in their interest and our interest to keep production moving,” the spokesman said. “They need what they bought, but they’re working within confines of the government shutdown as well.”

Just a day earlier, Boeing issued a much more positive statement that said it had “contingency plans in place to deal with interruptions to normal operations. Boeing has maintained an open dialogue with its customers and suppliers to maintain normal operations in as many parts of the business as possible. We continue to monitor the situation and provide updates on any interrupted operations.”

 

Defense Companies Warn Thousands Of Layoffs Imminent Due To Shutdown

WASHINGTON

http://www.forbes.com/sites/lorenthompson/2013/10/04/defense-companies-warn-thousands-of-layoffs-imminent-due-to-shutdown/

10/04/2013 @ 9:47AM

 

The Sikorsky unit of United Technologies that makes this Black Hawk helicopter and other rotorcraft for the joint force says it will have to furlough 2,000 workers on Monday because production can’t continue in the absence of federal inspectors who audit and approve processes. Other military contractors will be forced to take similar action if federal workers remain furloughed, with the economic consequences rippling through the defense supply chain and related industries.

Military contractors are warning government officials that they are only days away from furloughing thousands of workers if the government’s partial shutdown continues. The Sikorsky helicopter unit of United Technologies says it will furlough 2,000 workers on Monday due to the absence of federal inspectors from its plants who audit and approve various stages in the production process. UTX’s Pratt & Whitney engine business expects to furlough an additional 2,000 at week’s end if the shutdown continues.

Some industry employees have already begun to head home. Linda Hudson, CEO of fifth-ranked Pentagon contractor BAE Systems, Inc., told employees in an internal communication yesterday that, “The impact on our Intelligence & Security sector has been significant, with about 1,000 employees already excused from work at their customer sites.”

Much of BAE’s work in defense electronics, armored vehicles and ship repair is funded by prior-year budgets and thus does not immediately require additional appropriations to continue into the new fiscal year. However, without representatives from the Defense Contract Management Agency to perform required inspections, production activity at all of the major military contractors is beginning to slow. DCMA has furloughed 85% of its personnel for the duration of the government shutdown.

A letter to Secretary of Defense Chuck Hagel from the industry’s two biggest associations yesterday noted that the Defense Finance and Accounting Service will also cease functioning next week, slowing the disbursement of funds that are still available to contractors. It warned that, “The impact on credit lines for small businesses and cash flow for other than small businesses will be significant in short order.” That’s a diplomatic way of saying companies won’t have the money to pay their workers or their suppliers.

One senior industry executive told me that within days, the layoffs at prime contractors and their hundreds of subcontractors will number in the tens of thousands. Defense plants are concentrated in a handful of states such as Florida and Texas, where industry layoffs will exacerbate the economic impact already being felt from furloughs of federal workers. The defense department has deemed about 400,000 of its civilian employees to be non-essential, and most of them work at bases scattered across the nation (especially in the South).

The impact of the shutdown varies considerably from company to company, depending on how their products are funded and regulated by the military customer. For example, the number of government inspections and certifications required at various stages in the production process is very different at Sikorsky’s helicopter facilities in Alabama, Connecticut and Florida than it is at the sprawling shipyards Huntington Ingalls Industries operates in Mississippi and Virginia.

However, because the defense industry is the most heavily regulated sector of the U.S. economy, there is little doubt that if government acquisition personnel remain furloughed for a long time, virtually all defense production will eventually cease. That will inevitably impact company results across the supply chain, and also in other industries that generate revenues indirectly as a result of defense production. About 10% of the manufacturing workforce in the U.S. is engaged in some aspect of defense production.

 

How the Adobe hack could fuel next wave of cyberattacks

Byron Acohido

USA TODAY

4:52 p.m. EDT October 4, 2013

 

SEATTLE – Adobe has taken several steps to calm concerns among its corporate users about the loss of customer account data and critical source code to hackers.

The company has begun advising enterprise customers that Adobe product users will be required to change their account password at their next login attempt.

The breach does not affect users of Adobe Creative Cloud or Digital Publishing Suite — other than a password reset.

Adobe will also be sending notification letters over the next two weeks to customers whose individual accounts were breached.

“There are no indications to date that attackers have leveraged the illegally accessed source code to harm Adobe customers,” says Adobe’s CSO, Brad Arkin. “We are not aware of any specific increased risk to customers as a result of a potential theft of the product source code.”

The fact that it took an exposé by krebsonsecurity.com to prompt Adobe to alert customers of this devastating breach is not surprising, says Peter Toren, a former federal prosecutor of computer crimes, who is now with Weisbrod Matteis & Copley.

All but four states have enacted data loss disclosure laws modeled after the pioneering California statute that was the first to require companies to notify customers, should any personal data held by the business turn up lost or stolen. Only Alabama, Kentucky, New Mexico and South Dakota do not have data loss disclosure laws, according to datalossdb.org.

But adherence to such laws has been uneven. “As this highlights, data loss disclosure laws are not nearly as effective in protecting consumers as they should or need to be,” Toren says. “Presently, there is no federal law addressing this issue and the state laws that do exist are a patchwork of different standards and requirements.”

Despite the law, there remains minimal incentive for companies to do the right thing. “Many companies believe that it is worth the risk of not reporting since reporting could mean a loss of consumer confidence in the brand,” Toren says. “Until there is a federal law with real penalties for not reporting, these types of incidents are likely to continue.”

Meanwhile, corporations would be wise to brace for a fresh wave of cybercriminal activity that is likely to spin out of the Adobe breach, security experts say.

Now out in the Internet wild are personal and financial data for 2.9 million more individuals — Adobe product users. Perhaps more worrisome, source code for Adobe Acrobat PDF reader and Adobe ColdFusion web app developer’s tool has begun circulating.

Concern is brewing that the bad guys seem certain to use knowledge of Acrobat source code to intensify already widespread attacks revolving around corrupted PDFs.

“Having the source code to an application is like having the blueprints to a product,” says George Tubin, senior security strategist at Trusteer, an IBM company, “having access to it expedites the vulnerability identification process — leading to more weaknesses being identified and used for cybercrime.”

Dave Jevans, CTO and founder of mobile security vendor Marble Security, concurs. “It is 100 times easier to find new exploits if you have the source code, than if you have to disassemble the binary,” Jevans says. “Plus you may discover exploits on other platforms, like the Mac.”

The fact that ColdFusion’s source code is out in the open is particularly ominous. ColdFusion supports the new HTML5 standard being used for the new generation of mobile apps, and it is widely used in building websites, business apps and mobile apps for corporate use.

“Now that attackers have access to the ColdFusion source code they can much more easily find exploits and attack enterprises through their own web apps and mobile apps,” Jevans says. “This could create the next wave of advanced attacks against enterprises.”

Tubin points out that the bad guys have already started using ColdFusion vulnerabilities to deliver malicious content to computing devices.

By reverse engineering ColdFusion’s code, bad guys are likely to find fresh security holes, that “can give hackers full access to the web server, all files on the server and admin rights to the server,” Tubin observes. “Further, this type of compromise can be used as a stepping stone into the broader corporate network in an APT (advanced persistent threat) type of attack.”

 

Pentagon to recall most furloughed workers, Hagel says

http://www.washingtonpost.com/politics/pentagon-to-recall-most-furloughed-workers-hagel-says/2013/10/05/eb7ed346-2deb-11e3-8ade-a1f23cda135e_story_1.html


By Craig Whitlock, Updated: Saturday, October 5, 6:29 PM

The Pentagon will recall almost all of its 350,000 furloughed civilian workers in the coming days, Defense Secretary Chuck Hagel announced Saturday, in a move that could substantially ease the impact of the government shutdown on the federal workforce.

Hagel’s decision is based on a liberal interpretation of a bill passed by Congress last week and signed by President Obama that ensures uniformed members of the military will not have their paychecks delayed by the shutdown. The law, titled the Pay Our Military Act, includes broad language exempting Defense Department civilians from furlough if they provide direct support to the military.

Robert F. Hale, the Pentagon comptroller, estimated that more than 90 percent of about 350,000 furloughed Defense Department employees would return to work, many of them as soon as Monday. “We hope to move very quickly,” Hale told reporters.

The Defense Department directly employs about 750,000 civilians. Pentagon officials had previously said about 400,000 of them had been furloughed because of the government shutdown. Hale revised that number Saturday, saying that 350,000 was a more accurate figure.

He said he could not precisely say how many people would be able to return to work because officials were still determining which employees qualified under the new law. He said he hoped that “no more than a few tens of thousands will remain on furlough,” and maybe even fewer than that.

“Although we’re very happy we’re getting most of our people back,” Hale added, “we haven’t solved all the problems.”

Regardless, the Pentagon announcement will dramatically scale back the government shutdown. Defense Department civilian employees had represented nearly half of the estimated 800,000 federal workers who have been furloughed for the past week.

After consulting with Pentagon lawyers and other Obama administration officials in recent days, Hagel decided that he could justify recalling almost all of the Pentagon’s furloughed workforce based on provisions in the Pay Our Military Act.

In a statement, Hagel said the Justice Department advised that the law would not permit a blanket recall of all civilians working for the Pentagon. But he added that attorneys for the Justice and Defense departments agreed that the law does permit the Pentagon to eliminate furloughs “for employees whose responsibilities contribute to the morale, well-being, capabilities and readiness of service members.”

Hagel said he has directed the armed services and defense agencies to determine exactly how many employees can come back to work. Workers, he said, can expect to hear from their managers starting this weekend whether they can return to their jobs.

“I expect us to significantly reduce – but not eliminate – civilian furloughs under this process,” he said. “We will continue to try to bring all civilian employees back to work as soon as possible. Ultimately, the surest way to end these damaging and irresponsible furloughs, and to enable us to fulfill our mission as a Department, is for Congress to pass a budget and restore funds for the entire federal government.”

Paradoxically, however, the Pentagon’s announcement could actually relieve political pressure on lawmakers to end the shutdown by cancelling furloughs for at least 300,000 federal employees.

Moreover, Hagel’s decision could bring some relief to thousands of private contractors who work for the Defense Department but had faced the threat of layoffs because of the government shutdown. On Friday, for example, Bethesda-based Lockheed Martin said it would furlough about 3,000 employees next week and expects that number to grow if the budget standoff doesn’t end soon.

“I am very pleased to see so many of our national security workforce will be able to return to work,” Rep. Howard P. McKeon (R-Calif.), Chairman of the House Armed Services Committee, said in a statement. “Congress gave the Executive Branch broad authority to keep our Armed Forces and dedicated defense civilians working throughout the government shutdown. Though I do not believe the law required these hundreds of thousands of workers to be furloughed in the first place, it is welcome news.”

In a memo, Hagel noted that the Pay Our Military Act appropriates funds “as are necessary to provide pay and allowances to contractors” working for the Pentagon. He said that government lawyers are still “analyzing what authority is provided by this provision.”

Hagel’s memo offers some general guidance for which furloughed Defense Department employees can expect to return to work.

Those who will likely receive a green light include people who provide health care to troops and their families; buy, repair or maintain weapons systems; work at commissaries or acquire other supplies for the military.

Those who might not be covered include auditors, employees who work in public affairs or legislative affairs, or civilian employees of the Army Corps of Engineers, according to the memo.

The Pentagon’s announcement will affect a vast global workforce. Hale said that 86 percent of the department’s civilian employees work outside the Washington, D.C. metropolitan area.

 

What They Told Us: Reviewing Last Week’s Key Polls

Rasmussen Reports

Saturday, October 05, 2013

The longer the federal government remains partially shut down, the more the partisan blame game escalates. But voters remain conflicted, just as they are about the health care law at the heart of the dispute.

Most voters still don’t like the health care law, and 54% expect it to increase, not reduce, health care costs.

One-out-of-two voters continue to oppose the law’s requirement that every American have health insurance. Most also were still unaware at the beginning of the week if their state has a health care exchange even as those exchanges were scheduled to start signing up insurance applicants.

In mid-September, 51% of voters liked the idea of a government shutdown until spending for the health care law was cut, while 40% favored no shutdown and keeping spending on the law at existing levels. By the beginning of this past week, though, support for a shutdown until cuts were made to slow or stop Obamacare was down five points to 46%. Just as many (45%) wanted to avoid a shutdown by authorizing spending for the law at existing levels.

Sixty percent (60%) said a partial shutdown of the federal government would be bad for the economy even though payments for things like Social Security, Medicare and unemployment benefits would continue.

Negative reviews for Congress are now at their highest level in nearly two years. Nine percent (9%) of voters rate the way Congress is doing its job as good or excellent, but 70% say it’s doing a poor job. Tellingly, however, while Democrats are more critical of Congress than they were two weeks ago, Republicans are giving the legislators more positive ratings now.

Voters in general are slightly more likely to identify with President Obama and congressional Democrats these days, but a surprising problem for congressional Republicans is that 21% think they are too liberal. A closer look suggests that Republicans don’t think their representatives in Congress are conservative enough.

This helps explain why while freshman Texas Senator Ted Cruz may not be popular with the Republican establishment, 57% of GOP voters view him favorably, including 30% with a Very Favorable opinion. In March, 52% of Republicans had a favorable view of Senator John McCain, one of Cruz’s harshest critics, but that included only 16% with a Very Favorable one.

Among all voters, 50% view the agenda of Republicans in Congress as extreme, while 46% say the same of the Democratic congressional agenda.

In a survey completed just before the shutdown, Democrats extended their lead over Republicans to four points on the latest Generic Congressional Ballot.

After three days of slightly improved job approval ratings as the government shutdown took effect, numbers for Obama appear to have returned to levels seen for much of his presidency.

The president’s total job approval inched up a point to 48% in September, his highest rating since May. Still, that’s down eight points from December’s high of 56%.

Forty-nine percent (49%) of Americans think the Founding Fathers would view the United States today as a failure.

Still, 93% consider it at least somewhat important to be an American citizen, with 79% who think it is Very Important. However, 26% believe it is too easy to become a citizen of the United States.

Eighty-three percent (83%) of Americans regard themselves as informed citizens, but only 12% think most of their fellow countrymen are informed voters.

Americans still get most of their news from television, and a plurality (41%) says U.S. politics is the type of news they are most likely to look at first. Thirty percent (30%) are most likely to look at local news first, while 12% look first at business news.

The Internet. E-mail. Social media. With easy access to information at any hour of the day, Americans claim to be pretty well informed about the world around them. But are they?

Eighty-six percent (86%) of voters think it is important for the economic system to provide everyone with an opportunity to succeed, but just 41% think the U.S. economy now is even somewhat fair.

The Rasmussen Employment Index, which measures worker confidence, fell four points in September to its lowest level this year.

Consumer and investor confidence have also fallen back from the highs they hit earlier this year but still remain well above levels seen from 2009 through 2012.

Forty-two percent (42%) of Working Americans believe their earnings will be higher a year from today, the highest level of optimism since the beginning of the year. Most (66%) also continue to consider themselves to be middle class.

One-in-four (24%) is looking for work outside his or her current company.

In other surveys last week:

— For the second week in a row, 28% of Likely U.S. Voters say the country is heading in the right direction.

— The U.S. Justice Department announced Monday that it is challenging North Carolina’s new voter ID law on the grounds that it is racially discriminatory. But 70% of voters believe all voters should be required to prove their identity before being allowed to vote. Fifty-nine percent (59%) do not believe such laws discriminate.

— Voters are evenly divided over the need for stricter gun control, but 73% think the United States needs stricter enforcement of gun control laws already on the books.

Fewer voters than ever give the president positive ratings on gun control-related issues. Just 34% now rate his handling of issues related to gun control as good or excellent.

— Fifty-seven percent (57%) still favor building the Keystone XL pipeline.

— Sixty percent (60%) think most Supreme Court justices have their own political agenda.

— Seventy-one percent (71%) of Americans say they have returned a lost wallet that they have found, but just 31% have had a lost wallet returned to them.