James Steidl - Fotolia
It seems the U.S. government really can't handle its email.
The recent Office of Personnel Management hack, IRS breach and U.S. Census Bureau breach got company this week with news of more government email security woes, including a Pentagon breach, presidential-hopeful Hillary Rodham Clinton's email classification issues and Secretary of State John Kerry admitting it is "very likely" hackers are reading his email.
Pentagon breach: Hackers penetrate email server
Anonymous U.S. officials told NBC News that a "sophisticated cyberattack" was launched against the Pentagon Joint Chiefs of Staff's unclassified email system on or around July 25, at which time the system was taken offline. The attack reportedly affected 4,000 military and civilian personnel. Employees were told it was a planned outage for a system upgrade. Email accounts were suspended and Web browsing restricted.
Officials have maintained that no classified data was compromised.
"It appears the attack relied on some kind of automated system that rapidly gathered massive amounts of data and -- within a minute -- distributed all the information to thousands of accounts on the Internet," NBC News wrote.
Officials alleged that Russian hackers coordinated the attack using encrypted social media accounts. While they are unsure whether the attack was by the government or individuals, officials maintain it was "clearly the work of a state actor."
A separate official told Fox News the attack could have originated from China.
NBC News reported Monday the systems were back online, more than two weeks after the alleged attack.
While the entry point of the hack is unclear, many attribute it to a spear-phishing attack. The Wall Street Journal reported the Pentagon held one-hour security awareness trainings for Joint Staff employees, namely on how to detect phishing scams.
"It was an opportunity to inculcate the Joint Staff with best cyber practices, to raise the level of cybersecurity awareness," a defense official told the The Wall Street Journal, adding that hackers are determined and will wait for complacent users to put their guards down. "Adversaries live by no rules and they have all the time in the world."
The Hillary email debacle continues
Former Secretary of State, Senator and First Lady Hillary Clinton came under fire in March for her decision to use a private email domain and server during her tenure as Secretary of State. While she has adamantly maintained the server was only used for unclassified purposes, a July 24 Wall Street Journal article reported a government review found four emails from Clinton's server contained classified data. CNN reported Wednesday that a total of five emails contained classified data.
The issue has been subsequently referred to the FBI for further investigation. Initially, it was reported as a criminal referral, but the classification was updated without explanation, with a Justice Department official only saying, "the department has received a referral related to the potential compromise of classified information. It is not a criminal referral."
Clinton, who at first only handed over copies of her emails and not the server itself, agreed Tuesday to give the private email server to the FBI, as well as a memory stick that contained copies of the emails.
The number of emails found may be a bit misleading, however. The inspector general only reviewed a small sample of Clinton's emails, approximately 40 of the over 62,000 total emails -- 31,830 of which Clinton said she deleted because they were personal in nature.
In a letter to Congress, Inspector General I. Charles McCullough wrote, "None of the emails we reviewed had classification or dissemination markings, but some included IC-derived classified information and should have been handled as classified, appropriately marked and transmitted via a secure network."
Jennifer Palmieri, Clinton's communications director, sent an email on Wednesday about the "complicated" issue to calm supporters. Palmieri stressed Clinton did not send nor receive material marked as classified, though some may have changed classification retroactively.
"It's common for information previously considered unclassified to be upgraded to classified before being publicly released," Palmieri wrote. "Some emails that weren't secret at the time she sent or received them might be secret now. And sometimes, government agencies disagree about what should be classified, so it isn't surprising that another agency might want to conduct its own review, even though the State Department has repeatedly confirmed that Hillary's emails contained no classified information at the time she sent or received them."
Kerry: Russia and China "likely" reading emails
During a CBS Evening News interview on Tuesday, government email security took another hit when Secretary of State John Kerry said it is "very likely" that Chinese and Russian hackers are reading his email.
"Unfortunately, we're living in a world where a number of countries -- China and Russia included -- have consistently been engaged in cyberattacks against American interests, against the American government," Kerry said, calling the problem an "enormous concern."
"It is not outside the realm of possibility and we know they have attacked a number of American interests over the course of the last few days," Kerry said.
Kerry said since his emails are likely read, he drafts communications with caution.
"I certainly write things with that awareness," he said.
"Spying has taken place for centuries, and the latest means of spying is to be going after peoples' cyber," Kerry said. "Companies spend billions of dollars in order to protect themselves, the United States government does the same. We are deeply involved in fighting back against this on a daily basis.
"It has huge consequences, and we're trying to create a code of conduct and a system of behavior that hopefully could rein some of it in. But, right now, it's pretty much the Wild West, so to speak."
In other news
- Following in the footsteps of an alleged wireless hack of a Jeep Chrysler last month, Wired reported Tuesday a group of researchers from the University of California at San Diego were able to wirelessly hack into a Corvette via text message. By sending a "carefully crafted" SMS message to a dongle plugged into the car's console, researchers were able to turn the windshield wipers on and off, as well as enable and even disable the brakes. Researchers noted, however, that this only works at low speeds due to limitations in the vehicle's automated computer functions.
The researchers said the hack is not unique to Corvettes; it also works against Toyota Prius, Ford Escape and a plethora of other modern vehicles. The OBD2 dongles tested -- which are often used by insurance firms and trucking companies to monitor vehicle location, speed and efficiency -- were manufactured by France-based Mobile Devices and distributed by multiple businesses. Researcher Stefan Savage said, "We acquired some of these things, reverse-engineered them and, along the way, found they had a whole bunch of security deficiencies" -- including the devices having developer mode enabled, storing private keys on every device and accepting commands via SMS.
The company the researchers acquired the devices from said a security patch was released wirelessly from the manufacturer. Mobile Devices stated its latest version of the dongle is not vulnerable to the attack, while the researchers claim there are still thousands of vulnerable devices in the wild. This is not the first time such dongles have made the news. Insurance provider Progressive Corp. offers a similar device, not manufactured by Mobile Devices, that is fraught with vulnerabilities; separate researchers found the Zubie -- a personal OBD2 -- also had hackable flaws. The researchers presented their findings at the Usenix Security Conference on Tuesday. "Think twice about what you're plugging into your car," researcher Karl Koscher told Wired. "It's hard for the regular consumer to know that their device is trustworthy or not, but it's something they should give a moment's thought to. Is this exposing me to more risk? Am I ok with that?"
- Along with vehicles, Android is having a tough time security-wise lately. Following the news of two Android security vulnerabilities last week, MWR Labs disclosed details of an unpatched Android flaw that allows attackers to bypass sandbox restrictions. The flaw, which affects the current version of Android and lower, involves "when the Google Admin application receives a URL via an IPC call from any other application on the same device," MWR's blog post said. "The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass same-origin policy and retrieve data out of the Google Admin sandbox." Researchers disclosed the vulnerability to Google in March, which acknowledged the issue the next day. Twice in the following months, MWR asked for updates and Google subsequently asked for more time. Finally, last week, MWR informed Google it was disclosing the vulnerability and then published an advisory Thursday. As a temporary workaround, MWR researchers urge users never to install untrusted, third-party apps on their Androids.
- The security community has been reeling since the posting on Monday -- and subsequent deletion on Tuesday -- of a blog post by Oracle's CSO Mary Ann Davidson, in which she urged customers not to reverse-engineer the company's product code, stating that doing so not only violated customer licensing agreements, but also caused other problems. "Now is a good time to reiterate that I'm not beating people up over this merely because of the license agreement," Davidson wrote. "More like, 'I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can -- unlike a third party or a tool -- actually analyze the code to determine what's happening and at any rate most of these tools have a close to 100% false positive rate, so please do not waste our time on reporting little green men in our code.' I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise." The blog was deleted in less than a day, but copies remain on the Internet. Speaking against bug bounties, Davidson wrote, "We find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is "whack a code mole") when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those "full immersion baptism" or "sprinkle water over the forehead" issues -- we will allow for different religious traditions and do it OUR way -- and others can do it THEIR way. Pax vobiscum."
Many in the industry -- including Oracle itself -- have spoken out against Davidson's stance. Casey Ellis, CEO and co-founder of Bugcrowd Inc., said, "Cybercriminals and nation-state aren't going to honor Mary Ann's request, nor will they heed Oracle's EULA. When the crowd contains the smartest folks around the table, the last thing you want to do is silence them." Chris Wysopal, CTO and CISO at Veracode, said, "We now rely on software for everything -- health, safety and well-being -- and crafting a policy of 'see something, say nothing' puts us all at risk. Application security is an enormous software supply chain issue for both enterprises and software vendors, because we all rely on software provided by others. Vendors need to be responsive to their customers' valid requests for assurance, and to security researchers who are trying to make the software we all consume better. Leaders in the industry -- Google, Apple, Microsoft, Adobe -- all encourage third-party code audits and bug bounty programs as a valuable extension of their own security processes. Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse-engineering code is an attempt to turn back the progress made to improve software security." Katie Moussouris, chief policy officer for HackerOne Inc., said, "No one can handle security alone -- defenders need all hands on deck and hackers are among them. Creating incentives for security research should augment and direct the proactive security assurance efforts that companies invest most heavily in to protect their users. It's not an either/or type of investment, but rather an intelligent harmony between the orchestra of a vendor's internal security efforts and the rebel music of the hacker community. There is always room to improve security investments made on the proactive internal security assurance side by opening the doors to penetration testing by companies and independent security researchers." Edward Screven, executive VP and chief corporate architect at Oracle, released a statement saying, "We removed the post, as it does not reflect our beliefs or our relationship with customers. The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance, and works with third-party researchers and customers to jointly ensure that applications built with Oracle technology are secure."
Learn more about Android vulnerabilities and securing Android in the enterprise
Can bug bounties improve enterprise software security? Despite the benefits, skepticism remains