New Federal InfoSec Initiatives; CENTCOM Social Media Hacked
Update 1/13: CENTCOM released a statement regarding the compromise.
A number of new cybersecurity initiatives, including newly proposed acts and efforts to partner with private companies to prevent attacks, will be unveiled at President Obama’s sixth State of the Union Address, scheduled for next Tuesday, January 20 at 9pm ET.
The news arrived alongside a series of attacks on the U.S. Central Command's (CENTCOM) social media accounts, including its Twitter (currently suspended) and YouTube accounts, as BBC.com reports. The hacker group appears to be supportive of the Islamic State.
Several internal military documents were also posted, as well as links to zip files via Pastebin. BBC reports one document as unclassified and already publicly available on the Pentagon’s website. Other information includes contact info of top military officers, as the Wall Street Journal reports, as well as military scenarios specific to potential conflicts with North Korea and China.
While the statement on Pastebin claims they've broken into "networks, personal devices...and PCs," news reports from several major sources indicate they only breached social media accounts, and only briefly. One can only assume that those accounts were not protected by two-factor authentication, which Twitter offers in the form of SMS codes under Settings > Security and Privacy. Shared organizational accounts are a common reason the feature is left off: the SMS code goes to a single phone, and the team that posts from the account has to work around that.
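To make the second factor concrete, here is an added example of how a server-side SMS one-time-code check works. It is not code from the original post and not Twitter's or any vendor's implementation; the username, phone number and SMS gateway are constructed stand-ins, and the code, expiry and attempt-limit values are assumptions chosen for illustration. The point it shows beyond the paragraph is what has to be true for an SMS code to actually protect an account: the code is unpredictable, hashed at rest, short-lived, single-use, and guessing is rate-limited.

```python
"""
Added example (not from the original post, not Twitter's code): a minimal
server-side model of SMS one-time-code login verification. The SMS gateway
is a stand-in callable; all names and values are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CODE_DIGITS = 6            # assumption: six-digit codes, as most SMS factors use
CODE_TTL_SECONDS = 300     # assumption: a code is good for five minutes
MAX_ATTEMPTS = 3           # assumption: three wrong guesses lock the challenge


@dataclass
class Challenge:
    code_hash: bytes       # sha256(code): a database leak must not expose live codes
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SecondFactor:
    send_sms: Callable[[str, str], None]          # stand-in for the SMS gateway
    clock: Callable[[], float] = time.time        # injectable so expiry can be tested
    challenges: Dict[str, Challenge] = field(default_factory=dict)

    def start(self, username: str, phone: str) -> None:
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.challenges[username] = Challenge(
            code_hash=hashlib.sha256(code.encode()).digest(),
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        self.send_sms(phone, f"Your login code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        ch = self.challenges.get(username)
        if ch is None or ch.used:
            return False                          # no live challenge, or already spent
        if self.clock() > ch.expires_at:
            del self.challenges[username]         # expired: caller must request a new code
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            return False                          # locked: 10**6 guesses is small online
        ch.attempts += 1
        digest = hashlib.sha256(submitted.strip().encode()).digest()
        ok = hmac.compare_digest(digest, ch.code_hash)   # constant-time compare
        if ok:
            ch.used = True                        # one code, one login
        return ok


def demo() -> Dict[str, bool]:
    """Constructed walkthrough: capture the 'SMS', then exercise each failure mode."""
    outbox: List[str] = []
    fake_clock = [1_000_000.0]
    sf = SecondFactor(send_sms=lambda phone, msg: outbox.append(msg),
                      clock=lambda: fake_clock[0])
    user, phone = "press_office", "+15555550100"   # constructed values

    def last_code() -> str:
        return outbox[-1].split()[-1]

    def wrong_guess(code: str) -> str:
        return "000000" if code != "000000" else "000001"

    sf.start(user, phone)
    code = last_code()
    results = {
        "wrong": sf.verify(user, wrong_guess(code)),
        "right": sf.verify(user, code),
        "replay": sf.verify(user, code),
    }

    sf.start(user, phone)                          # second challenge, left to expire
    code = last_code()
    fake_clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = sf.verify(user, code)

    sf.start(user, phone)                          # third challenge, brute-forced
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        sf.verify(user, wrong_guess(code))
    results["locked_out"] = sf.verify(user, code)  # even the right code is refused now
    return results


if __name__ == "__main__":
    print(demo())
```

The `demo()` walkthrough is the part a reviewer of a real deployment would want to see: a correct code succeeds exactly once, an expired code fails, and after the attempt limit even the right code is refused. None of this helps if the phone receiving the code is shared or can be SIM-swapped, which is why app- or hardware-based second factors are preferred where the service offers them.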
Hootsuite and Buffer both rolled out two-factor authentication soon after Twitter implemented SMS-based two-factor. As Mark Stanislav wrote about in HootSuite and Buffer: Social Media Giants Enable Two-Factor, Twitter's turn to the security solution came on the heels of the AP Twitter account hack, whose false "explosions at the White House" tweet briefly caused a 145-point dip in the Dow Jones industrial average and temporarily erased $136 billion in value from the Standard & Poor's 500 Index, according to Bloomberg.
Security researcher @pwnallthethings theorizes that some of the data appears to be old, taken from MIT's Lincoln Laboratory and from Army Knowledge Online, which the Syrian Electronic Army breached last year, as The Hacker News reports. But until more information is revealed from the investigation, a brief word from XKCD may suffice (also posted by @pwnallthethings):
Either way, it sets an even more interesting stage for the President’s upcoming speech. A press release from the White House details more about the new security initiatives, including:
The Personal Data Notification & Protection Act: This proposal would establish a national standard for breach notification, requiring notice within 30 days of the discovery of a breach. It would supersede individual state notification laws, which vary and, in some states, don't exist at all (Alabama, New Mexico, and South Dakota have none). I assume it will also supersede different regulatory standards, such as industry-specific ones like HIPAA for healthcare, but we'll see. The proposal also criminalizes illicit overseas trade in identities.
Identifying and Preventing Identity Theft: To help consumers identify and protect against identity theft, JPMorgan Chase, Bank of America, Fair Isaac Corporation (FICO), USAA and State Employees’ Credit Union will join a group of firms making credit scores available free to consumers. Ally Financial is also making credit scores available to auto loan customers.
The Student Digital Privacy Act: This act prevents advertisers from targeting students based on any data collected in school, and ensures that data collected in school is used only for education purposes. It also prevents companies from selling student data to third parties for unrelated purposes separate from the education mission.
Private Sector Supports Student Privacy: Seventy-five companies have signed a pledge to provide parents, teachers and children with important protections against misuse of their data. I don’t really know what this specifically entails or even means, but they say it was led by the Future of Privacy Forum and the Software & Information Industry Association.
Dept. of Education Also Supports Student Privacy: The Dept. of Education and its Privacy Technical Assistance Center are developing model terms of service and providing teacher training assistance to help ensure that educational data is used appropriately.
Smart Grid Customer Data Privacy Code of Conduct: A new Voluntary Code of Conduct (VCC) has been released to protect electricity customer data (e.g., energy usage information), applicable to utilities and third parties. The VCC was developed by the Dept. of Energy and the Federal Smart Grid Task Force, with input from industry stakeholders, privacy experts and the public.
Consumer Privacy Bill of Rights: The Commerce Dept. has announced completion of its public consultation on revised draft legislation that would write the principles of the Consumer Privacy Bill of Rights into law, promising to release a legislative proposal within 45 days with a call to Congress to begin consideration.
All of this is in addition to the BuySecure initiative, which sought to secure federal financial transactions by requiring agencies to use multiple factors of authentication for web applications that make citizens' personal data accessible to them. Learn more about the initiative in Executive Order Mandates 2FA to Protect Consumer Financial Transactions.