By Jill R. Aitoro | Tuesday, March 04, 2008 | 01:32 PM
Revealing some of the frustration that leaks to the press provoke inside government, John Grimes, the Defense Department's chief information officer and assistant secretary of defense for networks and information integration, said a “disloyal” person was to blame for disclosing information about President Bush’s cyber initiative, which reportedly totals several billion dollars.
It was unclear whether the disloyal individual Grimes referred to in his morning session at the Information Processing Interagency Conference was the person inside government who leaked the information or the Wall Street Journal reporter who decided to run with the story. Regardless, he seemed to take personally the release of details on the White House cybersecurity directive President Bush signed in January.
“We did not want this public until we got [various issues] resolved,” including those relating to privacy, Grimes said, referring to the numerous hearings scheduled since the story broke. Each hearing requires executives at Defense, the departments of Homeland Security and State, and the Office of the Director of National Intelligence to prepare to testify.
“This comes down to political [culture] of decisions,” Grimes said. “Whether an attack is an act of war or criminal -- who makes that decision?”
Reports from news outlets seem to have prompted the release of some details – though not many – about the cybersecurity initiative. Most recently, DHS Secretary Michael Chertoff released remarks he made to a roundtable of bloggers.
"We are beginning our cyberstrategy," he said. "That will not be done this year, but I'm hoping we can get it, a cybercenter, up and running, and have a full set of plans and a funding budget to move forward over the next several years to get to the next level of cybersecurity."
By Jill R. Aitoro | Friday, February 29, 2008 | 07:59 AM
The Federal Bureau of Investigation reported today more than 400 seizures of counterfeit Cisco equipment and labels, worth more than $76 million, filtering into the United States from China.
The effort, which has been under way since 2005, is driven by DHS and the FBI. Immigration and Customs Enforcement and Customs and Border Protection conducted 28 investigations that produced six indictments and four felony convictions, with more than 74,000 fakes seized, while the FBI’s portion of the initiative, dubbed Operation Cisco Raider, resulted in 36 search warrants, approximately 3,500 counterfeit network components identified and a total of 10 convictions.
So why is government focusing on Cisco? Because the counterfeiters do. They go where the money is, and in networking gear, which many regard as commodity items that are easy to copy, no manufacturer rakes in more revenue than Cisco. It’s the same reason hackers focus on Microsoft: market saturation.
The government is among Cisco's most profitable markets, which makes federal agencies as susceptible as anyone to being duped. Check out what happened to the Navy in 2004, when counterfeit Cisco switches landed in one of its secure facilities. (You can read the whole sordid story at GovernmentVAR.com.) One contractor involved was recently found liable, and the Navy’s Acquisition Integrity Office is now investigating the circumstances.
The lesson learned? Check those serial numbers. And check them against the vendor and against your own purchase records, because a counterfeiter who can copy a chassis can copy the label on it, as the seized labels show; a serial that merely looks right proves little on its own.
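One way to put that lesson into practice, as an added example that is not from the post or from Cisco: the audit below cross-checks a fielded inventory against procurement records and flags units whose serial is malformed, duplicated across devices, or never bought. The inventory lines, the purchase list and the 11-character serial layout it expects are constructed assumptions for illustration; confirm the real label format for your product line with the vendor.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Device is one inventory record: hostname, product ID and the serial printed
// on the chassis label (or reported by "show version" / "show inventory").
type Device struct {
	Host, PID, Serial string
}

// Finding is one reason a unit deserves a closer look before it is trusted.
type Finding struct {
	Host, Serial, Reason string
}

// serialFormat is an ASSUMPTION for illustration: the common 11-character
// Cisco chassis serial layout (3-letter site code, 2-digit year, 2-digit
// manufacturing week, 4 alphanumerics). Confirm the layout for the product
// line you actually own with the vendor's documentation.
var serialFormat = regexp.MustCompile(`^[A-Z]{3}[0-9]{2}([0-9]{2})[A-Z0-9]{4}$`)

// Audit cross-checks a fielded inventory against the serials that procurement
// records say were bought through authorized channels. It flags:
//   - serials that do not match the expected label format,
//   - the same serial reported by more than one device (a cloned label),
//   - serials that procurement never bought (grey-market or substituted units).
func Audit(inventory []Device, purchased map[string]bool) []Finding {
	var findings []Finding
	seen := map[string][]string{} // serial -> hosts reporting it
	for _, d := range inventory {
		s := strings.ToUpper(strings.TrimSpace(d.Serial))
		seen[s] = append(seen[s], d.Host)
		m := serialFormat.FindStringSubmatch(s)
		if m == nil || m[1] < "01" || m[1] > "53" {
			findings = append(findings, Finding{d.Host, s, "serial does not match expected label format"})
		}
		if !purchased[s] {
			findings = append(findings, Finding{d.Host, s, "serial absent from procurement records"})
		}
	}
	for s, hosts := range seen {
		if len(hosts) > 1 {
			sort.Strings(hosts)
			findings = append(findings, Finding{strings.Join(hosts, ","), s, "same serial on multiple devices"})
		}
	}
	// Deterministic order so the report is stable from run to run.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Host != findings[j].Host {
			return findings[i].Host < findings[j].Host
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings
}

// Constructed sample data: neither the devices nor the purchase list are real.
var sampleInventory = []Device{
	{"core-sw1", "WS-C3750G-24TS", "FOC1112A1B2"},
	{"core-sw2", "WS-C3750G-24TS", "FOC1112A1B3"},
	{"edge-sw1", "WS-C2960-24TT", "FOC1112A1B2"}, // same serial as core-sw1
	{"edge-sw2", "WS-C2960-24TT", "F0C1199ZZZZ"}, // digit 0 for letter O, week 99
	{"lab-sw1", "WS-C2960-24TT", "FTX1103Q7R8"},  // well-formed, but never purchased
}

var samplePurchased = map[string]bool{
	"FOC1112A1B2": true,
	"FOC1112A1B3": true,
}

func main() {
	for _, f := range Audit(sampleInventory, samplePurchased) {
		fmt.Printf("%-18s %-12s %s\n", f.Host, f.Serial, f.Reason)
	}
}
```

Run as is, it prints one line per finding. The duplicate-serial check is the one most worth keeping: a cloned label reuses a genuine serial, so a vendor lookup of that serial alone would come back clean.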
By Allan Holmes | Thursday, February 28, 2008 | 05:47 PM
The Government Accountability Office released Feb. 14 a report on the state of information security in the federal government. On page 21 is a pie chart showing the types of security incidents agencies reported to the U.S. Computer Emergency Readiness Team in 2007.
GAO notes that "the three most prevalent types of incidents reported to US-CERT in fiscal year 2007 were unauthorized access, improper usage, and investigation." The first two accounted for 44 percent of the incidents.
But the investigation category is the most telling, and not fully discussed by GAO. GAO defines investigations as "unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review." That's another way of saying, "We have no idea what it is."
Agencies can't immediately identify nearly one-third of the cyberattacks they experience -- that's one-third. They believe something is going on, but they just can't put their finger on it. That nearly matches what CIO Magazine and PricewaterhouseCoopers found in their 2007 security survey of public and private sector organizations: about 32 percent of respondents said they couldn't identify the type of cyberattack that hit them.
The other question GAO could have asked agencies is: Do you know how many cyberattacks your systems experienced? If federal IT managers were honest, GAO would find that 40 percent of agencies had no clue. That’s the figure reported by the CIO/PwC survey.
The scary thing is that those are the cyberattacks that we know of. The real malicious attacks are the ones that occur under agencies' intrusion detection radar screens and are never detected.
By Allan Holmes | Tuesday, February 19, 2008 | 11:21 AM
We always knew computer specialists have a mischievous side, and the recent disclosure of documents about the Homeland Security Department's Cyber Storm exercise only gives more weight to that view. DHS -- along with the departments of State, Defense and Justice, the CIA and the National Security Agency -- conducted the Cyber Storm war game in February 2006 to test the United States' response to hackers infiltrating federal and corporate computer networks, among other scenarios. The Associated Press recently obtained 328 pages of censored documents about the exercise, and among its findings: some of the computer specialists participating in the game responded to the mock attacks by attacking the network that ran the game itself, according to Bruce Schneier, who writes an information security blog called Schneier on Security. DHS offered this explanation for the shenanigans:
"Any time you get a group of (information technology) experts together, there's always a desire, 'Let's show them what we can do,'" said George Foresman, a former senior Homeland Security official who oversaw Cyber Storm. "Whether the intent was embarrassment or a prank, we had to temper the enthusiasm of the players."
Hat tip: boingboing
By Allan Holmes | Friday, February 15, 2008 | 04:09 PM
It's no secret that terrorists use the Internet to communicate, but the use is becoming more sophisticated, according to Jeff Bardin, a blogger for CSO Online. Bardin, who worked for the National Security Agency and served as chief information security officer for several private corporations, recently downloaded the Mujahedeen Secrets 2 program (بـرنـامـج // أســرار المجاهـديـن) and wrote in his blog:
This toolset provides groups like Al-Qaeda methods to securely transmit and wipe their files. Not that they haven’t had such tools in the past, but a second edition toolset demonstrates a software development lifecycle with some level of sophistication and planning.
Bardin said a look at the tool set -- which offers automatic encryption and authentication of instant messages, file encryption, digital signature creation and checking, and file shredding -- "reinforced [his] decision that the cyber jihad is ongoing and continuous."
Bardin wrote that Secrets 2 was easy to find, and that this comment from ‘alHambra’ was posted on the download site:
Mujahedeen Secrets #2 (Encryption Program) has been released today, and I just took a short look at it, but it is really a vast improvement compared to the first version, and seems like a really nice encryption program now. Here's post and download info...
By Allan Holmes | Tuesday, February 12, 2008 | 04:32 PM
Late last year we blogged about a feature from CSO Magazine on the dos and don'ts of disclosure letters, those messages to customers and citizens informing them that their personal information may have been stolen. The feature compared how Monster.com and USAJOBS, the federal government’s site for job openings, informed the public after a hacker infiltrated Monster.com’s database of resumes in August. The names and contact information of about 146,000 job seekers on the USAJOBS Web site were stolen.
At the time, CSO hadn't posted the article, but the site recently put the comparison online. The interesting takeaway here is that the federal government, according to public relations experts, did a better job of communicating with the public than Monster did.
By Jill R. Aitoro | Thursday, February 07, 2008 | 11:01 AM
The Federal Bureau of Investigation is teaming up with West Virginia University on national security efforts using biometric technology. According to a press announcement released yesterday, WVU will serve as the academic arm of the FBI's Biometric Center of Excellence, providing biometrics research support to the FBI and its law enforcement and national security partners.
The center will coordinate biometric and identity management activities within the FBI and partner with other U.S. government agencies to develop biometric technologies and systems and train users on them. The goal is to leverage biometric technology in the fight against terrorism and in intelligence efforts.
Thomas Bush, assistant director of the FBI's Criminal Justice Information Services Division, credited WVU with having "comprehensive, integrative research and education programs in biometrics" and with being known around the world for identification technology research. Perhaps. But there's much to be said for the value of proximity -- Clarksburg is home to the Criminal Justice Information Services Division, and Fairmont hosts the Internet Crime Complaint Center.
One also has to wonder how much of a role Sen. Robert Byrd, D-W.Va., played in the decision. The FBI has Byrd to thank for driving the construction of a new Biometrics Fusion Center building at the Harrison County campus, with the addition of $7 million to the fiscal 2006 Defense appropriations bill signed into law. He also secured more than $141 million to launch and expand Defense's own biometrics initiatives, which of course contribute to the FBI's efforts.
Of course, which came first, the chicken or the egg? Did Byrd's support of FBI efforts come because of the bureau's presence in West Virginia, or did the FBI's presence in West Virginia grow with support from Byrd? No doubt state government doesn't much care. This is not to discredit WVU's contributions in the area of biometrics. Its National Science Foundation Center for Identification Technology Research teams up with other universities to drive research that has earned praise in and outside the federal government.
By Allan Holmes | Monday, February 04, 2008 | 11:15 AM
When you read the Bush administration's just-released fiscal 2009 budget, the first-ever online budget, you'll see this seal on top of each PDF page:

The Government Printing Office developed this digital signature, called the "Seal of Authenticity." When visible "on an online PDF document," according to a GPO press release, the seal "serves the same purpose as handwritten signatures or traditional wax seals on printed documents. This signature assures the public that the document has not been changed or altered. A digital signature, viewed through the GPO Seal of Authenticity, verifies the document’s integrity and authenticity."
“It is important in today’s digital world to assure the public that their documents are authentic and have not been altered in any way,” said Public Printer Bob Tapella.
Interestingly, the PDF pages for the 2009 budget posted on the Office of Management and Budget's Web site do not have the Seal of Authenticity, or any digital signature that assures authenticity.
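What the seal promises, shown as an added example that is not GPO's code or the actual mechanism behind its seal: a signature is computed over the digest of the exact bytes of the document with the publisher's private key, and anyone holding the matching public key can check it. The document text and both key pairs below are constructed for illustration, and the scheme (ECDSA over P-256 with SHA-256) is an assumed choice, not necessarily the one GPO uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign returns a detached ECDSA signature over the SHA-256 digest of doc.
// Binding the signature to the digest of the exact bytes is what lets a
// reader detect any later alteration, however small.
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify reports whether sig was produced over doc by the holder of the
// private key matching pub. Integrity (doc unchanged) and authenticity
// (signed by that key) are checked together; either failure returns false.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs the three cases a reader of a signed document cares about and
// returns whether the genuine copy, an altered copy and an impostor's copy verify.
func Demo() (genuine, altered, forged bool, err error) {
	publisher, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}

	// Constructed stand-in for a budget page; not the real document's text.
	doc := []byte("Budget summary (constructed sample)\nProgram X: 100\n")

	// Case 1: the publisher signs and a reader checks the untouched file.
	sig, err := Sign(publisher, doc)
	if err != nil {
		return
	}
	genuine = Verify(&publisher.PublicKey, doc, sig)

	// Case 2: someone edits a single digit after publication.
	tampered := append([]byte(nil), doc...)
	tampered[len(tampered)-2] ^= 0x01 // "100" becomes "101"
	altered = Verify(&publisher.PublicKey, tampered, sig)

	// Case 3: an impostor signs the same text with a key of his own.
	forgedSig, err := Sign(impostor, doc)
	if err != nil {
		return
	}
	forged = Verify(&publisher.PublicKey, doc, forgedSig)
	return
}

func main() {
	genuine, altered, forged, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine copy verifies:    %v\n", genuine)
	fmt.Printf("altered copy verifies:    %v\n", altered)
	fmt.Printf("impostor's copy verifies: %v\n", forged)
}
```

The altered copy fails because the digest of the edited bytes no longer matches what was signed; the impostor's copy fails because his signature does not verify under the publisher's key. Note what this does not do: it says nothing about whether the public key really belongs to GPO. That is the job of the certificate behind the seal, and it is also why an unsigned copy of the same PDF gives a reader nothing to check at all.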
By Allan Holmes | Thursday, January 17, 2008 | 04:53 PM
Charlotte, N.C., mayor Pat McCrory sent out an email news release this week announcing his candidacy for governor of North Carolina. The only problem was that in the letterhead in the email, governor was spelled "governer," according to an article in The News and Observer in Raleigh, N.C.

When contacted by a reporter asking about the misspelling, Victoria Smith, McCrory's campaign manager, said a hacker broke into the campaign's computer system and changed the spelling. Later a campaign spokeswoman said it was a simple mistake made by a tired graphic designer. Smith later stuck to the hacker story. Finally McCrory himself put an end to the mystery: He said it was a simple mistake by the graphic designer.
Hat tip: Wired
By Allan Holmes | Tuesday, January 15, 2008 | 05:26 PM
Privacy and security have always been a tug-of-war: the argument is that you have to give up some privacy to get some security. Mike McConnell, the director of national intelligence, is working on a cybersecurity plan that would ask Americans to give up a lot of privacy to get their security, according to a New Yorker article. (Subscription required.)
The proposal that is getting the most attention is giving the government the ability to search "the content of any email, file transfer or web search," according to an article on vnunet.com.
According to that article, the New Yorker author, Lawrence Wright:
suggested that this kind of monitoring is already going on. He spoke to an AT&T employee, Mark Klein, who claimed that he installed data switching systems in the company's exchange that copied all internet traffic to the National Security Agency. "I know that whatever went across those cables was copied and the entire data stream was copied," said Klein. "We are talking about domestic as well as international traffic."
He added that previous claims by the Bush administration that only international communications were being intercepted are not accurate.
By Allan Holmes | Friday, January 11, 2008 | 05:45 PM
A Wisconsin government agency, like some companies, federal agencies and other organizations, has decided that the way to avoid accidentally exposing Social Security numbers is to, well, not use them at all to identify citizens. The state's Department of Health and Family Services, which administers the state's Medicaid program, said this week that it would randomly generate ID numbers for the state's 800,000 Medicaid recipients instead of using their Social Security numbers. The announcement immediately follows an incident in which EDS, which holds the contract to process the state's Medicaid claims, accidentally printed the Social Security numbers of Wisconsin Medicaid recipients on newsletters and mailed them. Another Wisconsin agency made a similar mistake last year.
Universities, companies and the state of California -- a leader in passing laws to protect personal information -- have issued rules and guidelines to limit the use of Social Security Numbers. The Office of Management and Budget has weighed in as well.
Ironically, Wisconsin was a pioneer in protecting privacy. In 1993, the state established the position of privacy advocate, whose job was to make sure the state followed policies and procedures that protected Wisconsinites' private information. But just two years later, Wisconsin Gov. Tommy Thompson (R) (who served as secretary of the Department of Health and Human Services from 2001 to 2004) eliminated the privacy office in his 1995-1997 budget. Now the state's ability to protect privacy has eroded so much that Carole Doeppers, Wisconsin's only privacy advocate, told The Capital Times that the state government has no manageable way to protect data. "We've totally lost control of how government collects and uses and reuses and shares and disseminates information. We've just lost all control of that."
By Allan Holmes | Friday, January 11, 2008 | 04:48 PM
California has led the nation in passing laws to protect private data, and it continues to hold true to the role. This past Tuesday, a California law went into effect expanding the state's groundbreaking security breach notification law, the nation's first law requiring companies to notify customers if a cyberattack exposes personal financial information.
The law now applies to personal health records. Security breaches that expose unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses are covered under the law. The law also applies to the insurance industry. If unencrypted insurance policy or subscriber numbers, insurance applications, claims histories or appeals are exposed through a security breach, insurance companies or the medical facilities storing the data must notify the individuals whose records were possibly stolen or viewed.
The law becomes effective at an auspicious moment, notes the San Francisco Chronicle:
In July 2006, Republican Gov. Arnold Schwarzenegger issued an executive order to store medical records on computers, which probably will result in more data breaches, said Robert Herrell, a legislative assistant to Assemblyman Dave Jones, D-Sacramento, who wrote the bill. In December, Sutter Lakeside Hospital in Lakeport (Lake County) notified 45,000 patients, doctors and employees after a contractor downloaded their records onto a hospital laptop, took it home and the machine was stolen.
The expanded law led editors of the SANS Institute's “newsbites” section to wonder when Congress will finally pass legislation that protects personal data for all Americans: "Other states will undoubtedly once again follow California's lead. A disturbing question, however, is why the U.S. government has not yet passed legislation with similar provisions."
By Allan Holmes | Wednesday, January 09, 2008 | 10:54 AM
The Federal Aviation Administration last week issued proposed rules requiring Boeing to tighten the information security of the networks on board its much touted Dreamliner, fearing a hacker could take control of the jet.
The Dreamliner, which Boeing introduced last summer, will give passengers unprecedented Internet access and other entertainment from its networks. But networks also will operate the jet's flight controls and monitor other operations. "Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane," the FAA wrote.
The FAA won’t certify the jet for flights until Boeing can prove the networks are secure. Boeing officials insist the networks are adequately secured by firewalls, but as some security experts point out, hackers have been known to get around almost any firewall. The question a firewall cannot answer is why the passenger network and the flight-control network should share any path at all; a filter only governs traffic on the link it sits on.
By Allan Holmes | Wednesday, December 12, 2007 | 02:52 PM
We think you, the technology managers in the federal government and industry, have good insight into the hot issues and events that will unfold in 2008 for the federal IT market. Over the past few weeks we've invited you to take an online survey to let us know what you think; we just want to take this opportunity to invite you again, if you haven’t already.
We are conducting the survey in conjunction with our friends at Government Futures, which is also offering readers a chance to place bets on what’s going to happen in the federal IT community using the prediction markets on Government Futures' Web site.
If you have taken the survey and placed your bets, thank you. If you haven't, please visit the site and give us your opinions. The questions cover a number of hot areas, including information security, the next-generation Internet and federal information technology spending.
In January, we’ll host a webinar to discuss the results of the survey and present an analysis of the predictions.
In the December issue of Government Executive, we discuss some trends that IT experts told us would be important. Now, we want your opinion. So, please take the survey and join the government futures market to help us figure it out.
By Jill R. Aitoro | Tuesday, December 11, 2007 | 01:37 PM
Shannon Kellogg, director of government and industry affairs at RSA Security, recently recounted a decision by a federal agency to encrypt everything (systems, emails, devices) to avoid the dreaded security breach that so many other agencies have reported. Apparently, after the decision was made, a contractor working with the agency (Kellogg declined to name the agency or the contractor) accessed sensitive information while on the network, saved it on a USB memory stick -- and then walked out the door. Kellogg didn’t say if the agency reported any data loss – but who's to know? Exposure is exposure, and the risks still apply.
This story certainly isn't unusual, but it bears repeating because it plays out in every agency routinely. Among the most important lessons may be to avoid knee-jerk reactions to security threats -- such as believing an encrypt-everything policy will insulate you from breaches. Such policies are, by definition, reactionary – not strategic. Encryption protects data that leaves on a lost laptop or backup tape; it does nothing against an authorized user who decrypts a file as a normal part of the job and copies the plaintext to a USB stick, which is exactly what happened here. Encryption – like any security control – works in specific circumstances, but should not be the end-all-be-all security policy.
And this lesson comes from a security vendor.
By Allan Holmes | Tuesday, December 11, 2007 | 01:06 PM
Like companies in the private sector, federal agencies may eventually be required to notify citizens of an information security breach on a federal computer network that exposes citizens’ personal information, such as Social Security numbers, financial data, addresses and credit card numbers. (The Federal Agency Data Breach Protection Act, introduced by Rep. Tom Davis, R-Va., in May, would establish standards for how an agency informs the public if it loses personal information, as does similar legislation passed by more than two dozen states.)
As in most comparisons with the private sector, most people would say the federal government would likely not do as good a job of notifying the public. But that isn’t the case in one real-world example. In its December/January issue (not yet posted online), CSO Magazine compares how Monster.com and USAJOBS, the federal government’s site for job openings, handled the security breach of Monster.com’s database of resumes in August. The names and contact information of about 146,000 job seekers on the USAJOBS Web site were stolen.
CSO Executive Editor Scott Berinato offers a side-by-side comparison of the notification letters that the organizations sent out to notify customers of the breach. (He describes such notification letters as requiring “verbal contortionists who must twist words unnaturally and move sentences in awkward, sometimes contradictory directions.”)
The upshot: USAJOBS did a relatively better job in its letter than Monster.com did, according to the two anonymous public relations executives CSO asked to critique the letters. Here’s a synopsis of CSO’s critique:
-- While neither organization should have started out their letters using the “dear” salutation (the personal touch doesn’t match the urgent tone of the notice), USAJOBS executives wrote a better letter by stating the facts immediately and clearly versus Monster’s “hollow marketing spin” opening. (“We value the trust you place in Monster,” the company’s CEO wrote.)
-- USAJOBS avoids saying sorry and uses the more legally safe word “regrettably.” Monster tells readers that it, too, is a victim in this crime (a no-no) and that many other companies have experienced security breaches as well (another no-no). USAJOBS does not offer similar excuses.
-- Monster was the bigger offender in urging customers to learn more about online fraud. (That makes it sound like customers are partly to blame for the breach, an implication you don’t want to make.)
-- Both organizations failed in putting the breach into fuller context of what the breach could mean to the customer.
Maybe one reason for why Monster’s letter was less effective than USAJOBS’ letter is the fact that Monster’s letter had more of a lawyer’s influence. The federal government may be less afraid of being hauled into court over a security breach.
By Allan Holmes | Wednesday, November 28, 2007 | 11:14 AM
An article in today’s Wall Street Journal claims that the head of the Office of Special Counsel, Scott Bloch, may have improperly deleted files on his office computer. The story lays out an odd sequence of events in which Bloch, in December 2006, bypassed his own IT shop and called Geeks on Call to come to his office and erase all files on his hard drive and on the drives of two laptops used by deputies. Bloch claims in the article that he was trying to rid the computers of a virus, and asked Geeks on Call to conduct a “seven-level” wipe of the hard drives, a multi-pass overwrite that is one of the most thorough cleansing operations for a drive and leaves virtually every file unrecoverable. The WSJ quotes a Geeks on Call executive saying the company typically doesn’t conduct seven-level wipes to remove viruses and that it is unusual to get calls from government officials. The article doesn’t say why Bloch felt it necessary to bypass his own IT staff to rid the computers of the virus, and a WSJ examination of the $1,149 Geeks on Call bill mentions nothing about a virus.
Bloch, whose office is conducting an investigation into the White House’s political operations, is himself under investigation by the Office of Personnel Management's inspector general, who is looking into claims that Bloch retaliated against employees and dismissed whistleblower cases before thoroughly examining the charges. The IG has asked Bloch for emails; Bloch says the hard-drive erasure did not affect files pertinent to any investigation. In June, Bloch sent a report to President Bush recommending he punish General Services Administration chief Lurita Doan to the “fullest extent” for violating the law prohibiting federal employees from using federal resources for political purposes.
By Jill R. Aitoro | Friday, November 16, 2007 | 11:05 AM
Criticism of Microsoft’s latest release of the Windows operating system, Vista, isn’t exactly uncommon, but few critics have gone so far as to identify Vista as among the most vulnerable targets for cyberattacks in 2008. McAfee did exactly that yesterday during a media call. That makes the Office of Management and Budget’s mandate, issued in March, that much more important. (Ever since Microsoft released Vista, security experts have questioned the company's security claims.)
Actually, cyberattacks on Vista are one of 10 security threats McAfee identified as the most significant in the coming year. The prediction makes sense: adoption of the latest iteration of Windows is expected to increase dramatically, and with more licenses comes more opportunity for attacks. Other threats that made the list (none terribly surprising) include:
• Continued distribution of malicious software and data mining of personal information through popular online applications (think MySpace and Monster.com) and lesser-known Web sites that people are not as apt to lock down properly (think online banking applications for regional financial institutions);
• Increasing proliferation of Storm Worm, a malicious program that began infecting computers in January 2007, giving hackers complete control over personal computers;
• Viruses spread through Instant Messaging programs;
• “Parasitic” viruses that modify existing files on a computer;
• Attacks on Voice over IP;
• Adware, though high-profile lawsuits and bad publicity drove a decline in the arguably intrusive form of advertising.
By Jill R. Aitoro | Thursday, November 15, 2007 | 04:13 PM
“[A breach in] cybersecurity will be the next Pearl Harbor.” While not original (Winn Schwartau, president of security consulting firm Interpact Inc., claims to have coined the phrase "electronic Pearl Harbor" more than 10 years ago), that’s what former Sen. Sam Nunn, D-Ga., said during a media dinner in D.C. last night. "We’re making as many problems as we are solving,” as vulnerabilities proliferate and hackers reverse-engineer patches released by vendors like Microsoft to gain access to networks. That leaves government vulnerable and, to some degree, unaware of the impending danger until an attack serves as a wakeup call, he said, not unlike the infamous bombing during World War II. What should the government be doing? Nunn didn’t claim to know. He was just as elusive on another subject, a potential run for the White House in 2008, saying only that if it happened, he’d run as an independent.
By Gautham Nagesh | Monday, November 12, 2007 | 02:15 PM
Rumors of a pending “cyber-jihad” led by Al Qaeda that was set to take place yesterday seem to have been overblown.
Information security expert Paul Henry, vice president of Technology Evangelism at Secure Computing, told us last week, “The bottom line is that this is nothing to panic over. The Internet is not going to come crashing down on Nov. 11.”
The Israeli online military intelligence magazine DEBKAfile was the first to report rumors that followers of Osama Bin Laden were planning to launch a large-scale attack on Western networks and servers on Sunday, Nov. 11, using an “Electronic Jihad” program. The report was met with a good bit of skepticism across the Web. DEBKAfile also reported in 2003 that Saddam Hussein would use weapons of mass destruction against U.S. troops. Still, Henry said that while the threat isn’t serious, organizations should exercise caution.
“The program is real, we have seen screenshots,” he said. “They are now using centralized targeting. When you log on, it automatically contacts one of three command servers and downloads a target list. We are still talking about an incredibly rudimentary attack. The program uses ping packets with a payload to overwhelm the host. It also has the ability to place enough HTTP requests to overload a web server.”
According to Henry, indications are that the organization behind the program is attempting to recruit students in the United States and Canada. He said the program’s attacks usually focus on Israeli targets and Web sites and largely originate from countries with no cybercrime laws that are home to Al Qaeda sympathizers, including Malaysia, Indonesia and much of Southeast Asia. Henry added that it had been years since he had seen attacks using similar DDoS technology.
Henry called the possible attack “a good exercise to see how well they are recruiting and how the defenses react.” He added that all three command-and-control servers are categorized as nefarious by security software, and that most universities and institutional networks have defenses in place and anti-malware software to prevent downloads of the e-Jihad program. Henry added that blocking traffic to and from the three domains in question -- Al-jinan.org, Jo-uf.net and jofpmnytrvcf.com -- would be “viable risk mitigation.”
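Henry's mitigation turned into detection logic, as an added example that is not from the post or from Secure Computing: the code below scans log lines for two of the indicators he described, a DNS lookup of one of the three command servers and a burst of ICMP echo requests from a single host. The log formats and the sample lines are constructed for illustration, the per-second threshold is an assumed value, and HTTP request floods are left out.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// The three command servers named in the post; the tool fetches its target
// list from one of them, so a lookup of any of these is a strong indicator.
var c2Domains = []string{"al-jinan.org", "jo-uf.net", "jofpmnytrvcf.com"}

// Alert names a host worth isolating and the evidence that triggered it.
type Alert struct {
	Host   string
	Reason string
}

// isC2 matches a queried name against the blocklist, including subdomains,
// regardless of case or a trailing dot.
func isC2(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, d := range c2Domains {
		if name == d || strings.HasSuffix(name, "."+d) {
			return true
		}
	}
	return false
}

// Analyze reads log lines in two constructed formats (an ASSUMED layout for
// illustration, not any real product's):
//
//	<ts> dns query <client-ip> <qname> <qtype>
//	<ts> fw icmp <src-ip> -> <dst-ip> type=<n> len=<bytes>
//
// It raises one alert per host per indicator: a lookup of a command server,
// or more than echoThreshold ICMP echo requests (type 8) from one source in a
// single second, the "ping packets with a payload" flood Henry described.
func Analyze(lines []string, echoThreshold int) []Alert {
	var alerts []Alert
	raised := map[string]bool{} // host|reason already reported
	echoes := map[string]int{}  // "src|timestamp" -> echo requests that second
	add := func(host, reason string) {
		if !raised[host+"|"+reason] {
			raised[host+"|"+reason] = true
			alerts = append(alerts, Alert{host, reason})
		}
	}
	for _, ln := range lines {
		f := strings.Fields(ln)
		switch {
		case len(f) >= 6 && f[1] == "dns" && f[2] == "query":
			q := strings.ToLower(strings.TrimSuffix(f[4], "."))
			if isC2(q) {
				add(f[3], "resolved command server "+q)
			}
		case len(f) >= 8 && f[1] == "fw" && f[2] == "icmp" && f[6] == "type=8":
			key := f[3] + "|" + f[0]
			echoes[key]++
			if echoes[key] > echoThreshold {
				add(f[3], fmt.Sprintf("ICMP echo flood toward %s (more than %d requests in one second)", f[5], echoThreshold))
			}
		}
	}
	// Deterministic order so the report is stable from run to run.
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Host != alerts[j].Host {
			return alerts[i].Host < alerts[j].Host
		}
		return alerts[i].Reason < alerts[j].Reason
	})
	return alerts
}

// Constructed sample log (not captured traffic): 10.1.5.23 behaves like an
// infected machine, 10.1.5.40 is ordinary activity.
var sampleLog = []string{
	"2007-11-11T09:00:01Z dns query 10.1.5.23 Al-Jinan.org A",
	"2007-11-11T09:00:01Z dns query 10.1.5.40 www.example.org A",
	"2007-11-11T09:00:02Z dns query 10.1.5.23 update.jo-uf.net. A",
	"2007-11-11T09:00:05Z fw icmp 10.1.5.23 -> 203.0.113.7 type=8 len=1400",
	"2007-11-11T09:00:05Z fw icmp 10.1.5.23 -> 203.0.113.7 type=8 len=1400",
	"2007-11-11T09:00:05Z fw icmp 10.1.5.23 -> 203.0.113.7 type=8 len=1400",
	"2007-11-11T09:00:05Z fw icmp 10.1.5.23 -> 203.0.113.7 type=8 len=1400",
	"2007-11-11T09:00:05Z fw icmp 10.1.5.23 -> 203.0.113.7 type=8 len=1400",
	"2007-11-11T09:00:05Z fw icmp 10.1.5.23 -> 203.0.113.7 type=8 len=1400",
	"2007-11-11T09:00:05Z fw icmp 10.1.5.40 -> 10.1.1.1 type=8 len=64",
	"2007-11-11T09:00:06Z fw icmp 10.1.1.1 -> 10.1.5.40 type=0 len=64",
}

func main() {
	for _, a := range Analyze(sampleLog, 5) {
		fmt.Printf("%-10s %s\n", a.Host, a.Reason)
	}
}
```

Blocking the three domains at the resolver stops the tool from fetching its target list, but a host that tried to resolve them has the tool installed regardless, so the lookup itself is the alert worth acting on.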
By Allan Holmes | Wednesday, October 24, 2007 | 03:26 PM
Biometric vendors have always had the “Big Brother” image problem to deal with when trying to sell their wares to organizations considering fingerprints, hand geometry or iris scans to identify individuals. The public worries that their biometric identifiers could be stolen or used by the government in ways they wouldn't approve of. It looks like they still do, especially when children are involved, as officials at Oregon’s Stayton Middle School found out.
Link | Comments (2)
By Allan Holmes | Tuesday, October 23, 2007 | 03:50 PM
In an item posted today in his blog, “The Risk Factor,” risk management expert Bob Charette calls into question OMB's announcement yesterday that the number of IT projects on its Management Watch List had dropped 61 percent – in seven months. “This is truly amazing,” Charette writes. “Sixty-one percent of government IT projects on the OMB watch list, which indicates whether they are well-positioned to execute, all got better at the same time. One can only conclude that the government has found a new, secret way to manage IT project risk.”
The skepticism doesn’t stop there. In an article posted today on Government Executive’s Web site, government project management expert J. Donaldson Frame says, “When I see miracle improvements occur very quickly, I wonder whether the improvements are genuine or reflect statistical artifacts."
And Ray Bjorkland, chief knowledge officer at federal marketing research firm FedSources, wonders how IT projects get on (and presumably then come off) the Management and High Risk lists in the first place.
For the 212 IT projects that came off the Management Watch List, OMB officials said those “agencies were able to adequately address deficiencies and weaknesses identified in these 212 investments by mitigating planning deficiencies, or in some cases, providing and completing additional documentation supporting their management activities.” No word on how well the projects are meeting budget, deadlines or performance measures, which Bjorkland says are the best indications of success in oversight of technology investments.
And the reason given for more IT programs going on the High Risk List? Again, better reporting from agencies, OMB said.
Interestingly, better reporting was also the reason OMB gave yesterday for the doubling of the number of reported security breaches exposing personally identifiable information. “An increase in reporting isn't necessarily a bad thing,” said Karen Evans, who holds the Bush administration’s top IT executive position at OMB.
This reason was given on the same day that Microsoft reported phishing scams had increased more than 150 percent in the first six months of 2007 and the number of malware incidents had increased 500 percent. Not to mention the 90 percent increase (over nine months) in the number of cyberattacks directed at electric utilities.
It still hurts my head to try to follow this logic. The message seems to be: It's good to know how bad things are. That could be helpful, if you then used that information to develop a plan to fix the bad things. No word on that, yet.
Link | Comments (2)
By Bob Brewin | Wednesday, October 17, 2007 | 04:37 PM
The Defense Information Systems Agency periodically releases security guides for networks and devices connected to its networks, but the latest version of its Desktop Application Security Checklist would boggle the average end-user’s mind with its complexity.
Take for example, the guide’s instructions on how to check for file and directory permissions:
There are multiple ways to check file and directory permissions:
-- On Windows NT systems, the DumpSec utility can be used. Details on the usage of DumpSec can be found in the section Using DumpSec in the Windows Security Checklist document.
-- On Windows 2000 systems, the Microsoft Management Console (MMC) can be used with the Security Configuration and Analysis snap-in. Details on the usage of this tool set can be found in the sections Using the Microsoft Management Console and File and Directory Permissions in the Windows Security Checklist document.
-- The Windows NT Explorer application on Windows NT or the Windows Explorer application on Windows 2000, XP and 2003 can be used. Details on this approach follow.
On Windows NT, the Windows NT Explorer application can be used to manually check the permissions on a Windows file or directory. Navigate to the object and right click on it. Select the Properties item, the Security tab, and then the Permissions button.
On Windows 2000, XP, and 2003, the Windows Explorer application can be used to manually check the permissions on a Windows file or directory. Navigate to the object and right click on it. Select the Properties item, the Security tab, and then the Advanced button.
I’m better than an average reader but have little idea what any of the above means. So, I assume this security guide must be designed for advanced techno-geeks – as the entire Defense Department would otherwise grind to a halt while end users plowed through similar verbiage on the other 143 pages of the guide.
Link | Comments (2)
By Bob Brewin | Wednesday, October 17, 2007 | 03:27 PM
U.S. and coalition forces are the single largest source of jamming of Global Positioning System (GPS) receivers in Iraq, according to a co-inventor of the system.
As much as 85 percent of the jamming of GPS receivers in Iraq was caused by U.S. and coalition forces, according to GPS co-inventor Bradford Parkinson with Stanford University, and Martin Faga, former president and CEO of MITRE Corp. and a former director of the National Reconnaissance Office. Parkinson and Faga reported their findings in a briefing given this month to the multi-agency National Space Based Positioning, Timing and Navigation Meeting.
The determination of the origins of the GPS jamming was made by personnel from the 14th Air Force, which provides space support to operational missions, but the 14th Air Force did not identify which U.S. or coalition systems had inadvertently jammed GPS receivers. The 14th Air Force did not know how many GPS receivers were in use in Iraq, according to the briefing, reporting only that a “significant number” of receivers were in use.
The 14th Air Force team also determined that 15 percent of jamming incidents in Iraq were of unknown origin, raising the possibility that opposing forces or groups in Iraq have access to GPS jamming gear.
In March 2003, prior to the invasion of Iraq, President Bush called Russian President Vladimir Putin to voice his concern that Russian companies were supplying the Iraqi military with GPS jamming equipment.
Link | Comments (0)
By Allan Holmes | Wednesday, October 17, 2007 | 03:21 PM
The following item was posted by Jill Aitoro.
A glimpse at enrollment in the Homeland Security Department’s Transportation Worker Identification Credential (TWIC) program provided one very interesting truth: While sexy in concept, the process of credentialing is pretty mundane.
The Transportation Security Administration held a media event yesterday in Wilmington, Del., to show what workers will go through when enrolling for TWIC. (Video of the enrollment process is available for download at the Coast Guard web site.) For those who care to take a look, you’ll see people seated, documents being filled out and photocopied, some movement of a computer mouse, and – easily most exciting of all – fingerprints being scanned. Take away the latter, and it could just as easily be a trip to the Department of Motor Vehicles.
Maybe more telling than the actual enrollment preview was the drive into the port in Wilmington. Not surprisingly, security gates guarded the entry, with cars lined up at all but one of the gates – the gate that was reserved for TWIC card holders. That lane moved quickly. Sexy or not, it got the point across.
Link | Comments (1)
By Allan Holmes | Friday, October 12, 2007 | 08:45 AM
This news item certainly will heap more suspicion on the Bush administration’s tactics for fighting terrorism.
A law firm in Vermont, which represents a client in Afghanistan and a prisoner at Guantanamo Bay, is accusing the federal government of tapping its phones and hacking into a computer used by one of the firm's partners, according to an article posted by the Burlington Free Press. Three partners in the law firm Gensburg, Atwell & Broderick recently sent a letter to clients telling them the firm "can't guarantee their communications were confidential," according to the article. The firm said it had found its phone lines crossed and that a computer forensic examination of the computer used by Robert Gensburg "found an application that disabled all security software and would have given someone access to all information on the computer," according to the article.
Gensburg said there may be an innocent explanation for the problems -- such as his having accidentally downloaded some malware from the Internet -- but "we are quite confident that it is the United States government that has been doing the phone tapping and computer hacking," the lawyers wrote in their Oct. 2 letter to clients.
According to the article, there's no comment from U.S. officials or Verizon, which operates the phone lines for the law firm and is one of the telecommunication firms named in the Bush administration’s wiretapping program after 9/11:
U.S. Attorney Thomas D. Anderson, the federal government's top law enforcement official in Vermont, said Thursday that he couldn't comment. Verizon has consistently refused to comment on whether it is involved with national security issues, spokeswoman Beth Fastiggi said Thursday.
Link | Comments (10)
By Allan Holmes | Thursday, October 11, 2007 | 05:22 PM
The Homeland Security Department has been working for years with the private sector to develop an operational plan it can follow in case a cyberattack takes down computers maintaining the critical infrastructure that supports the U.S. economy, such as networks operating the transportation, energy and financial systems. Or the electrical grid. They may want to hurry; cyberattacks on networks operated by electric utilities have jumped 90 percent in the past nine months, according to a security consultant who serves utilities. DHS has been criticized for the slow pace of creating a plan.
Hat tip: SANS Institute.
Link | Comments (2)
By Allan Holmes | Thursday, October 11, 2007 | 11:29 AM
An article on a Web site operated by the Detroit Free Press about a driver's license fraud scheme in Michigan's Secretary of State's office raises an interesting question.
This month, a pair of Michigan state employees was caught selling fake driver's licenses, license plates and vehicle registration tags. The employees would identify a customer interested in obtaining the fake licenses and registration, would take the person's photo and then "use the name and personal information of an unwitting person already in the Secretary of State computer system" to produce the fake documents, according to the article.
This is the unnerving part: "The case broke after a sheriff's deputy noticed a fraudulent temporary license plate during a routine traffic stop," according to the article. The two employees' illegal activity on the state computer system was never flagged by the network. With the knowledge that most computer crimes come from within an organization, not from outside hackers, why wasn't the state system programmed to flag this unusual activity?
In addition, the article quotes Wayne County Sheriff Warren Evans musing about how "it is incredible in a post-Sept. 11 world that a government employee would provide anyone with picture identification under a false name." Maybe it's not that incredible, as illustrated by this Washington Post article. (As was the situation in the Michigan fraud case, this case was not broken by the state Department of Motor Vehicles but by the U.S. State Department's Bureau of Diplomatic Security.)
In the end, this Michigan case is what the Homeland Security Department can point to in its ongoing effort to enforce Real ID.
Link | Comments (2)
By Allan Holmes | Thursday, October 04, 2007 | 09:05 AM
For years, most information technology publications have reported on how computer hacking has increasingly turned away from the teenage hackers who play adolescent tricks by defacing Web sites to the more serious hacking involving malware and stealing corporate trade secrets and government data. Here’s an example of both: Recently hackers embedded pornography links and serious viruses and malware in California government Web sites, reports the Sacramento Bee. The General Services Administration even got involved, according to the article.
When officials at the General Services Administration, which oversees all .gov addresses, discovered the porn links this week, they began yanking Internet access to all ca.gov Web sites, [California Chief Information Officer Clark] Kelso said.
Among those briefly losing access were the California Parks and Recreation site and some e-mail to Gov. Arnold Schwarzenegger's office, Kelso said.
State officials scrambled to contact the GSA, which reversed its decision and restored service.
Link | Comments (0)
By Allan Holmes | Wednesday, October 03, 2007 | 04:32 PM
If you had a hard time believing that most system administrators don't change vendors' default passwords on equipment (making it extremely easy for hackers to break into networks), then here's some more evidence: The Edmonton [Canada] Sun reports that Alberta government offices and educational institutions experienced breaches into computer systems because system administrators hadn't followed proper security procedures "as simple as not having proper password policies in place."
Link | Comments (2)
By Allan Holmes | Thursday, September 27, 2007 | 02:01 PM
Think security on government networks is inferior to the security found on corporate networks? Well, you may want to consider this article posted by InformationWeek, in which convicted hacker Robert Moore talks about how easy it was to hack into 15 telecommunications companies and hundreds of businesses. The 23-year-old hacker was able to get into the systems through well known security holes. Most of the holes could have been plugged with available patches or by following basic security practices taught in any information security introductory course.
Hacking into these business systems was “so easy, a cave man can do it,” Moore said. Moore found that 70 percent of all corporations he scanned had a known security vulnerability that would allow him into a network. Moore was looking for ways into networks to steal voice over IP services.
The No. 1 security hole Moore found? Companies using default passwords. A quote from the interview:
“I'd say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.”
Not managing known security holes is among the top security mistakes organizations make. Government Executive magazine recently published a series of articles on the subject: here, here and here.
Link | Comments (1)
By Allan Holmes | Tuesday, September 25, 2007 | 11:33 AM
Information security managers in government, corporations and universities are about as frustrated as they can get in trying to find ways to tighten network security and protect privacy. (Just last month, as posted in Tech Insider, a well respected cybersecurity expert from Georgia Tech figuratively threw up his hands, saying securing the Internet against cybercrime isn’t going to happen.)
But the gloomy outlook hasn’t stopped security experts from trying new approaches. The University of Toronto this year launched the Identity, Privacy and Security Initiative (IPSI), which includes two related interdisciplinary master’s-level programs: a Masters of Professional Engineering and a Masters of Information Studies with a concentration in security, reports InterGovWorld.com.
The program’s chair, Dimitrios Hatzinakos, says security managers have not been trained in programs that combine identity, privacy and security technology, processes and management. “Most of them are self-trained after they joined companies, but they have never been trained to have a holistic understanding of security,” according to the article.
Ontario's Information and Privacy Commissioner, Ann Cavoukian, said:
The IPSI program will not only educate future generations on how to build privacy into technology, but it will also hopefully develop a culture of privacy, a way of thinking that is committed to better information management and the protection of privacy. Even the most advanced technologies and the most rigorous privacy policies will not be wholly effective if organizations do not accept the protection of privacy as part of their institutional culture.
Changing culture. Not sure if a master’s degree is the tool that can make that happen.
Link | Comments (0)
By Allan Holmes | Thursday, September 20, 2007 | 05:35 PM
News that a special agent with the Commerce Department's Office of Export Enforcement was indicted yesterday by a federal grand jury for accessing a government database to track the travels of a former girlfriend raises the question: Just how often do federal employees misuse government computers? For sure, the case of Benjamin Robinson, a 40-year-old special agent for Commerce who had been with the department for 10 years, is rather extreme. He accessed the database 163 times, lied to his supervisors and threatened his former girlfriend's life. It’s not the only one. Another extreme case of improper use of a government computer was posted in Tech Insider here. (I urge you to read the comments that accompany the item to get a complete picture.)
A source who has spent nearly 30 years working and consulting on federal IT projects here in Washington, D.C., with whom I discussed the former case, tells me that this is just the tip of the iceberg. Of course, we hear about the more egregious, yet infrequent, abuses. But this source says less serious misuse, such as accessing private information for purely prurient interests and using powerful government applications for personal use, is, if not common, widespread. In an upcoming "Managing Technology" column in Government Executive Magazine, a long-time General Services Administration employee says that the GSA has a well-publicized policy of monitoring Internet and network use, but it is widely known among employees that the logs are rarely scanned, leaving no check against misuse. I'll post a link to this story when it is published.
What's your experience at your agency or contractor's office of employees improperly using or accessing government databases or applications? Is it widespread? Let us know by clicking the comment link below.
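The Michigan driver's license case above asked why the state system never flagged the clerks' activity, and this post ends on logs that are rarely scanned. Both come down to the same missing review: a pass over the database audit trail looking for a user whose lookups pile up on one record, the pattern behind 163 accesses to a former girlfriend's file. The script below is an added example, not code from any agency or from the posts: it builds a constructed audit log in an assumed CSV layout (timestamp, user, action, subject_id) and flags users who looked up one subject more than a set number of times and for whom that subject dominates their activity. The second condition is there so a clerk with one genuinely hard case is not flagged on volume alone.

```python
# Added example: review a constructed database audit log for lookups that
# concentrate on a single subject. Column names and thresholds are assumptions.
import csv
from collections import Counter, defaultdict
from io import StringIO

def build_sample_log() -> str:
    """Constructed audit log in CSV form (not real data)."""
    rows = []
    # agent_a: 8 lookups on one record plus 2 others -> suspicious concentration
    rows += [("agent_a", "S-2002")] * 8 + [("agent_a", "S-2010"), ("agent_a", "S-2011")]
    # agent_b: 12 lookups on 12 distinct records -> an ordinary caseload
    rows += [("agent_b", f"S-3{i:03d}") for i in range(12)]
    # agent_c: 6 lookups on one record among 20 -> over the count bar, under the share bar
    rows += [("agent_c", "S-4004")] * 6 + [("agent_c", f"S-4{i:03d}") for i in range(100, 114)]
    lines = ["timestamp,user,action,subject_id"]
    for i, (user, subject) in enumerate(rows):
        lines.append(f"2007-09-{1 + i % 28:02d}T{8 + i % 9:02d}:00:00,{user},lookup,{subject}")
    return "\n".join(lines) + "\n"

def parse_audit_log(text: str) -> list:
    """Parse the CSV text into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(StringIO(text)))

def repeat_access_findings(records, max_repeats: int = 5, min_share: float = 0.5) -> list:
    """Flag (user, subject) pairs where a user looked up the same subject more than
    max_repeats times AND that subject accounts for at least min_share of the
    user's lookups. Returns findings sorted by count, highest first."""
    per_user = defaultdict(Counter)
    for r in records:
        if r["action"] == "lookup":
            per_user[r["user"]][r["subject_id"]] += 1
    findings = []
    for user, counts in per_user.items():
        total = sum(counts.values())
        subject, n = counts.most_common(1)[0]
        share = n / total
        if n > max_repeats and share >= min_share:
            findings.append({"user": user, "subject_id": subject,
                             "count": n, "share": round(share, 2)})
    return sorted(findings, key=lambda f: f["count"], reverse=True)

if __name__ == "__main__":
    for finding in repeat_access_findings(parse_audit_log(build_sample_log())):
        print(finding)
```

On the constructed log only agent_a is reported. The thresholds are deliberately low for a 40-row sample; on a real system they would be set from the observed distribution of lookups per subject, and the same pass would be scheduled rather than run once, since the point of the GSA anecdote is that a monitoring policy nobody executes is no control at all.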
Link | Comments (9)
By Allan Holmes | Wednesday, September 19, 2007 | 05:20 PM
News that a government agency or corporation exposed private information such as Social Security numbers is rather common these days. The public routinely asks, "Why can't organizations take more care in securing my personal information?"
One reason may be that agencies use personal information such as the Social Security number as part of their everyday work in processing information, making it difficult not to expose personal information. For example, the Department of Veterans Affairs recently installed software that scans each outgoing email for Social Security numbers. Under the VA's security policy, servers block emails that contain Social Security numbers from being sent. In one month, 7,000 emails that the software determined could possibly contain a Social Security number were blocked, according to Robert Howard, assistant secretary of information and technology at the VA, who testified today before the Senate Committee on Veterans' Affairs.
That may seem like a lot. But looking at it another way, it's surprising that only 7,000 emails were blocked (which, of course, most likely includes some false positives). According to the VA's Web site, the VA has 244,032 employees. If each employee sends on average, say, 100 emails a month (that's about five emails a day), that would mean less than 0.03 percent of all VA emails contained a Social Security number. And that doesn't include emails that VA contractors sent. However, Howard did not tell the committee if all VA emails are scanned, which, if not, would increase the percentage of emails containing a Social Security number.
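The post does not say how the VA's filter decides what "could possibly contain" a Social Security number, so the example below is an added illustration of the general technique rather than the VA's code: match the hyphenated 3-2-4 pattern, then discard values the Social Security Administration never issues (area 000, 666 or 900 and up, group 00, serial 0000), which is where most of the false positives from templates and made-up examples come from. The message layout and the three sample messages are constructed.

```python
# Added example: an outbound-mail check for hyphenated SSNs with false-positive
# suppression. Not the VA's filter; message shape and samples are constructed.
import re

# 3-2-4 digit groups with hyphens, not glued to other digits or hyphens, so a
# longer reference such as "987-65-4321-01" is not read as an SSN plus junk.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never assigns: area 000, 666 or 900-999,
    group 00, serial 0000. Everything else is treated as a possible SSN."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0

def find_ssns(text: str) -> list:
    """Return every plausible SSN found in text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]

def should_block(message: dict) -> tuple:
    """message is a dict with 'subject' and 'body' (assumed layout). Returns the
    block decision and the matches that drove it, for the sender's bounce notice."""
    hits = find_ssns(message.get("subject", "") + "\n" + message.get("body", ""))
    return (bool(hits), hits)

# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "Claim file", "body": "Veteran SSN 123-45-6789, please process."},
    {"subject": "Template", "body": "Fill in SSN as 000-00-0000 before sending."},
    {"subject": "Invoice", "body": "PO 987-65-4321-01 attached, call 555-1234."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        blocked, hits = should_block(msg)
        print(f"{msg['subject']!r}: {'BLOCK' if blocked else 'allow'} {hits}")
```

Only the first sample is blocked. Leaving unhyphenated nine-digit runs out of the pattern is a deliberate trade: it misses an SSN typed without hyphens, but it keeps account and order numbers from swelling the 7,000-a-month pile of blocked mail that someone then has to review.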
Nevertheless, for those who have their personal information exposed because it was emailed out of an organization's firewall, no solace can be had knowing it was highly unlikely.
Link | Comments (7)
By Bob Brewin | Monday, September 17, 2007 | 03:44 PM
The Defense Department inspector general released a report last week showing that, despite a grand total of 36 investigations and reports over the past year on Defense’s managerial shortcomings and information assurance weaknesses, Defense still has real problems with information security basics.
Investigations conducted between Aug. 1, 2006, and July 31, 2007, by the Defense IG, the Army Audit Agency, the Air Force Audit Agency and the Naval Audit Service repeatedly found problems with system access control, safeguarding of privacy information, poor security policy and procedures, and training and education, according to the latest IG report, which is a bibliography of sorts of all the other information security reports.
A total of 15 reports over the past year identified problems with system access control, the Defense IG said, including allowing unauthorized users to gain access to protected health information covered by the Privacy Act and “For Official Use Only” information.
Ten reports over the past year covered Privacy Act violations, and it seems that the message not to throw documents containing protected privacy information into the trash still needs reinforcement.
The audit agencies also identified weaknesses with security policies and procedures in 33 reports and poor security training, awareness and education in eight reports.
“Without adequate security program management and security policies and procedures in place, DoD cannot provide and maintain appropriate security for managing, protecting and distributing information,” according to the Defense IG.
Add this stark view to threats posed by Chinese zombie computers and it looks like Defense really needs to work on network defense.
Link | Comments (3)
By Allan Holmes | Monday, September 17, 2007 | 02:23 PM
After some big information security scares – stolen laptops, lost hard drives and reports of hackers gaining access to networks – government agencies responded over the past year by beefing up their security practices, according to a worldwide security survey released last week. The Global State of Information Security survey, conducted by CIO and CSO magazines and PricewaterhouseCoopers, found government security managers worldwide had added more security staff and processes to their business practices. But governments as a whole still lag the financial industry, which leads all others in putting in place security strategies and technologies.
Among the highlights from the security survey:
-- The percentage of government organizations employing a chief security officer increased from 56 percent in 2006 to 72 percent in 2007. (86 percent of financial industry organizations employ a CSO.)
-- Percentage of government agencies that had an overall security strategy: 42 percent in 2006 vs. 60 percent in 2007. (71 percent in the financial industry.)
-- Continuity or disaster recovery plan in place: unchanged from 2006 to 2007 at 55 percent. (Financial industry: 71 percent.)
-- According to the survey, 38 percent of government organizations said they had standards and policies in place for mobile and handheld devices, and only 60 percent said they encrypted the data in transmission to and from the devices. Less than half – 44 percent – encrypt data at rest and only 39 percent encrypt data on laptops.
Overall, security in government agencies is improving, say PWC security experts, but it is slow. Very slow, they say.
Link | Comments (0)
By Allan Holmes | Friday, September 14, 2007 | 10:39 AM
An article posted yesterday by New Scientist (full article requires a subscription) appears to have serious implications for those who use encryption to secure information, which means everything that underpins online banking, e-commerce – and what secures most government information. Two researchers – one in Australia and another in China – have come one step closer to building a “laser-beam quantum computer” capable of breaking common encryption, according to the article abstract.
The article requires more than a passing knowledge of computer science and mathematical theory, as well as the ability to understand Shor’s algorithm, which involves factoring numbers into primes. New Scientist does provide an explanation of Shor’s algorithm.
But it doesn’t take a mathematician or physicist to understand the implications; most IT managers should get it. From the New Scientist: “Both groups have built rudimentary laser-based quantum computers that can implement Shor's algorithm - a mathematical routine capable of defeating today's most common encryption.”
If you can shed light onto this development, Tech Insider invites you to click the comment link below and share your thoughts and opinions.
Hat tip: Slashdot
Link | Comments (1)
By Allan Holmes | Thursday, September 13, 2007 | 12:57 PM
Yesterday, Lurita Doan, head of the General Services Administration, announced an ambitious plan to have half of the agency's eligible workforce teleworking by 2010. Yes, the ambitious part may be convincing more GSA employees to telework. (Only 10 percent of those eligible do so now.) The ambitious part also may be overcoming managers’ fear that employees will goof off and be less productive (although many studies indicate employees are more productive).
The most ambitious part of the effort may very well be the hazard involved – the risk of information security. Near the end of the Government Executive article on Doan’s announcement was this paragraph:
Later, Joseph Hungate, the chief financial officer and former chief information officer for the Treasury Department's inspector general for tax administration, told the audience that the top risk with telework is not "some technology" but "someone." In other words, the greatest danger is staff not following security policy.
Many news organizations last month reported on the fact that security wasn’t a big concern among federal security managers, according to a study. The Telework Exchange, an advocacy group that sponsored the telework symposium, released a study in August that concluded that “94 percent of federal chief information security officers [CISOs] do not consider official telework programs a security threat.” (The study was funded by computer manufacturer and federal supplier HP.)
Still, CIOs like Hungate and CISOs are reluctant to embrace telework because few agencies (and corporations, for that matter) invest in the technology, including information security hardware and processes, needed to make telework digitally safe. In a blog item on telework posted in July for CSO Magazine, Dan Lohrmann, citing the GSA report with the title “Telework Technology Cost Study,” writes:
One big take-away from this study is that to save money with telework, we require “real” initial investment. This may seem obvious, but I’ve lost count of the number of times that business areas have pushed for telework programs with a $0 budget.
Basically, they wanted employees to use home PCs. That was it. No laptops, no home network checks for security, nothing.
Of course I just said no – and tried to explain the risks and the laws we need to enforce. But again, that makes security the Party Poopers. Not good. We generally end up with the same slower approach that the feds have used, because no one wants to make big upfront investments.
All this still leaves the fear that employees inadvertently will leave sensitive information exposed while teleworking. As has been posted in Tech Insider before, creating effective security policies and then providing the necessary training on those policies is seriously lacking in agencies and, as Hungate points out, likely is holding back many government managers from embracing telework more.
For those supporting telework, the wait to see more agencies embracing it may be a long one. In its annual Global Information Security Survey, released just this week, CIO Magazine reports that 61 percent of public-sector organizations do not require employees to complete training on the organization's privacy policies and practices.
That’s more than 50 percent, as in 50 percent of eligible employees teleworking by 2010.
Link | Comments (3)
By Allan Holmes | Monday, September 10, 2007 | 08:45 AM
French government officials say they are now the fourth victim of cyberattacks originating from China, saying the attacks are similar to those reported by other countries. In the past three weeks, government officials in Germany, the United States and the United Kingdom have claimed that cyberattacks on government systems have originated from China. Chinese officials have denied they are behind the attacks. French officials were careful not to implicate the Chinese government as the source of the attacks.
Link | Comments (4)
By Allan Holmes | Friday, September 07, 2007 | 11:33 AM
What was once thought to be only theoretically possible is no longer theoretical. The Justice Department has arrested a Seattle man, charging him with using peer-to-peer software to snoop through personal computers to commit identity theft, according to an Associated Press article. Gregory Thomas Kopiloff used the peer-to-peer software LimeWire to steal personal financial information stored on individuals' computers. The Justice Department said it is the first case in which someone used peer-to-peer software to commit identity theft.
LimeWire is used by those who have downloaded the software primarily to share music, but it can also be used to share any file on the computer. Many users are not aware of the risk that LimeWire and other peer-to-peer applications present. In a hearing this summer, Rep. Henry Waxman, D-Calif., grilled Lime Group CEO Mark Gorton about how the peer-to-peer software, which had been downloaded onto government computers, put sensitive government information at risk of theft. Here’s a related Tech Insider post on the subject.
According to the AP, Kopiloff used LimeWire to steal identities this way:
When other users might search on LimeWire for "Madonna," Kopiloff would search for "federal tax return," or for student financial aid forms or other financial information, [assistant U.S. attorney Kathryn] Warma said. And instead of getting access to a few hundred files containing "Like a Virgin" or "Papa Don't Preach," he would get a few hundred files containing tax returns.
He would vet his victims before opening accounts in their name, ensuring they earned at least $150,000 a year and had good credit, Warma said.
In what may prove to be prescient, Rep. Darrell Issa, R-Calif., during the summer congressional hearing on peer-to-peer software, warned Gorton about lawsuits if LimeWire is proved to be used to steal identities. According to a ZDNet article:
Rep. Darrell Issa, R-Calif., warned Gorton that LimeWire's practices may open the company up to serious legal liability.
“Would it surprise you if you have a string of lawsuits for inherent defect in your product if people like Charlie Mueller of Missouri finds out he's lost his IRS filings and feels he's been damaged?” Issa asked.
Gorton repeatedly defended his company's practices and said he wasn't aware of the extent to which national security information was being accessed through his network.
LimeWire strives to make its product easier to understand and is working on a new version even more tailored to the “neophyte” user, Gorton said. The software incorporates a number of warnings intended to stave off inadvertent file sharing, he added. For instance, pop-up messages appear when users attempt to share folders, such as the all-encompassing “My Documents” folder and the root directory, which are considered likely to contain sensitive information.
“A lot of the information that gets out there now is because people accidentally share directories that they wouldn't mean to share clearly,” Gorton said. “Those warnings are not enough, at least in a handful of cases.”
This may be one of those cases.
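The pre-share warnings Gorton describes amount to a simple policy check: refuse or warn before a whole root or personal-documents folder is exposed, and flag file names that look like tax or financial-aid documents. The following is an added illustration of that check and is not LimeWire's code; the folder names, file-name patterns and the sample listing are constructed for the example.

```python
"""Pre-share risk check for a peer-to-peer client (added example, not LimeWire's code).

Given a folder the user wants to share and the file names inside it, decide
whether the client should warn before sharing. The checks mirror the two
warnings described in the post: sharing the root directory or a personal
documents folder, and exposing files whose names suggest financial records.
"""
import os
import re
from dataclasses import dataclass, field

# Folder names considered likely to hold sensitive documents (constructed list).
SENSITIVE_FOLDER_NAMES = ("My Documents", "Documents", "Desktop")

# File-name patterns suggesting tax, payroll or financial-aid records (constructed list).
SENSITIVE_NAME_PATTERNS = [
    re.compile(r"tax[_ -]?return", re.I),
    re.compile(r"\b(1040|w-?2|1099)\b", re.I),
    re.compile(r"fafsa|financial[_ -]?aid", re.I),
    re.compile(r"\.(qif|ofx|qfx|tax\d{4})$", re.I),
]


@dataclass
class ShareDecision:
    verdict: str                      # "allow" or "warn"
    reasons: list = field(default_factory=list)
    flagged: list = field(default_factory=list)


def is_root_directory(path: str) -> bool:
    """True for '/' or a bare drive such as 'C:\\'; checked textually so it works on any OS."""
    stripped = path.rstrip("/\\")
    return stripped == "" or re.fullmatch(r"[A-Za-z]:", stripped) is not None


def assess_share(folder: str, file_names: list, home_dir: str = "/home/alice") -> ShareDecision:
    """Return a warn/allow decision with the reasons a user should see before sharing."""
    reasons = []
    normalized = os.path.normpath(folder)

    if is_root_directory(folder):
        reasons.append(f"'{folder}' is the root directory; sharing it exposes every file on the machine")
    elif normalized == os.path.normpath(home_dir) or os.path.basename(normalized) in SENSITIVE_FOLDER_NAMES:
        reasons.append(f"'{folder}' is a personal folder that is likely to contain sensitive information")

    # Flag individual files whose names look like financial or identity documents.
    flagged = [name for name in file_names
               if any(p.search(name) for p in SENSITIVE_NAME_PATTERNS)]
    if flagged:
        reasons.append(f"{len(flagged)} file name(s) look like financial or tax records")

    return ShareDecision("warn" if reasons else "allow", reasons, flagged)


if __name__ == "__main__":
    # Constructed sample listing: a documents folder with two tax-related files mixed in.
    sample_files = ["2006_tax_return.pdf", "notes.txt", "W-2 2006.pdf", "holiday.jpg"]
    decision = assess_share("/home/alice/Documents", sample_files)
    print(decision.verdict)
    for reason in decision.reasons:
        print(" -", reason)
    print("flagged:", decision.flagged)
```

The check is deliberately conservative: a warning costs the user one click, while a missed tax return is exactly the kind of file the AP describes being harvested by search.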
By Allan Holmes | Thursday, September 06, 2007 | 04:30 PM
First the Chinese government was accused of hacking into German government networks. Then they were accused of infiltrating Pentagon systems. Now government officials in the United Kingdom say they have found evidence of Chinese cybersnooping in its networks.
While the Chinese government denies it is behind the hack attempts, media reports indicate governments are alarmed about the attacks. But most cybersecurity experts who closely follow international cybersecurity issues acknowledge that these kinds of cyberattacks aren't really new. In fact, one expert in Washington, D.C., known for his careful use of language when it comes to describing the threat of state-sponsored cyberattacks, told me a year ago that almost anything worth stealing in commercial and government networks (with the exception of top-secret, classified information) has already been stolen. It's too late to close the barn door because the cows have already escaped.
Yes, the cyberattacks are more "flagrant and brazen," according to a security expert quoted in an Associated Press article. But the expert says such attacks have been going on for more than four years.
The difference now, the AP reports, is that the political stakes have been raised. What will the response be?
By Allan Holmes | Wednesday, September 05, 2007 | 02:53 PM
At first blush, a law the California Senate passed seems a bit paranoid. Last week the California Senate passed by a 28-9 vote a bill to ban the implantation of a Radio Frequency Identification (RFID) tag in anyone who objects to the practice, according to an article posted by InformationWeek. The bill's sponsor, Sen. Joe Simitian, D-Palo Alto, calls the forced implantation of RFID tags into humans "the ultimate invasion of privacy." Wisconsin and, oddly, North Dakota (which isn't known for leading the nation in technology-related legislation) also have passed similar laws.
It's difficult to imagine any individual, company or government agency forcing someone to be tagged. But then again, in 2004 the Food and Drug Administration approved the VeriChip RFID tag, which could be used for human implantation so that clinicians could obtain an individual's medical history if that person is unconscious. Mexico's attorney general and 18 staff members have the implanted chips, and a total of about 2,000 individuals have, presumably, agreed to be implanted, according to the article. The military is considering using the chip, and the military is known for insisting on certain requirements that infringe on the privacy of troops.
But forcing employees to have the chip implanted? That seems unlikely, until you consider CityWatcher.com, a Cincinnati video surveillance company. (Note: I could not access any Web site with that address.) However, the company is cited in several articles (vnunet.com, dailytech.com, WorldNetDaily, and the Associated Press) as having injected RFID chips into two employees who work in the company's secure data center. (WorldNetDaily also reported in 2005 that Tommy Thompson, former secretary of the U.S. Department of Health and Human Services, pledged to have a subcutaneous RFID chip injected into his arm to prove it was safe. Thompson served on the board of directors of Applied Digital Solutions, maker of the VeriChip.)
Even though the CityWatcher employees agreed to the implantation (and Thompson did end up having a chip implanted), it seems less far-fetched that workers could be coerced into having a chip implanted as a requirement for employment.
By Allan Holmes | Monday, August 27, 2007 | 01:47 PM
Much was made of Homeland Security Department Secretary Michael Chertoff's comment last week that residents of states that fail to follow the Real ID Act's requirement to issue more secure driver's licenses will be required to show a passport to gain entry into state parks, to board airplanes, or to enter any federal building. According to a CNN article:
"This is not a mandate," Chertoff said. "A state doesn't have to do this, but if the state doesn't have -- at the end of the day, at the end of the deadline -- Real ID-compliant licenses then the state cannot expect that those licenses will be accepted for federal purposes."
Just how serious DHS is about requiring these residents to show passports, or how much power the department has to make it happen, is highly questionable, points out security expert Bruce Schneier. In his blog last week, Schneier wrote that Chertoff's threat is "a lot of bluster." Schneier explained, "The federal government just can't say that citizens of -- for example -- Georgia (which passed a bill in May authorizing the Governor to delay implementation of REAL ID) can't walk into a federal courthouse without a passport. Or can't board an airplane without a passport -- imagine the lobbying by Delta Airlines here. They just can't."
Seventeen states have passed legislation opposing the law and other states are considering similar bills. Washington, Vermont and Arizona have already found some common ground.
By Allan Holmes | Friday, August 24, 2007 | 12:19 PM
It's one thing to have a hacker stealthily navigate past your firewall, slither by your intrusion detection software, and fiendishly gain access to a database to steal customers' personal information. It's another to have your operations department just send the information out through the mail.
That's exactly what the California Public Employees' Retirement System, better known as CalPERS, did this month when it sent about 400,000 brochures containing members' Social Security numbers clearly visible through the address window. A CalPERS spokesman downplayed the incident, saying the Social Security numbers printed on the brochure did not have hyphens, making it more difficult to identify the string of numbers as a Social Security number.
CalPERS sent a letter to members apologizing for the mistake and is conducting an investigation to find out why the SSNs were printed on the brochures. The organization also is providing privacy security awareness training for employees.
Hat tip: Pensions and Investments
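The CalPERS mailing is a reminder that the last check before a print run should look for identifiers in the outbound text itself, and that a nine-digit number without hyphens is still a Social Security number. The following screening routine is an added example, not CalPERS's own process; the member records are constructed. It matches SSNs with or without separators and applies the published structural rules (no area 000, 666 or 900-999, no group 00, no serial 0000) so that unhyphenated runs of digits are flagged only when they could actually be an SSN.

```python
"""Screen outbound mail-merge text for Social Security numbers (added example).

Catches both the hyphenated form (123-45-6789) and the bare nine-digit form
that CalPERS printed, while ignoring digit runs that cannot be a valid SSN.
"""
import re

# Three, two and four digits with an optional hyphen or space between groups;
# the lookarounds stop the pattern from matching inside a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA's structural rules to cut false positives on arbitrary 9-digit numbers."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # never-issued area numbers
        return False
    if g == 0 or s == 0:                 # group 00 and serial 0000 are never issued
        return False
    return True


def find_ssns(text: str) -> list:
    """Return every plausible SSN found in the text, as it appears in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def screen_mailing(records: list) -> list:
    """Given (member_id, address_block) pairs, return those whose printed text contains an SSN."""
    findings = []
    for member_id, block in records:
        hits = find_ssns(block)
        if hits:
            findings.append((member_id, hits))
    return findings


# Constructed sample address blocks, as they would appear through the envelope window.
SAMPLE_RECORDS = [
    ("M-1", "MEMBER 0000123456\nJANE DOE\n123 MAIN ST\nSACRAMENTO CA 95814"),
    ("M-2", "JOHN Q PUBLIC\n512347890\n456 OAK AVE\nSACRAMENTO CA 95814"),
    ("M-3", "A PERSON\n987-65-4321\n789 ELM RD\nSACRAMENTO CA 95814"),
    ("M-4", "PAT SMITH\n321-54-9876\nPHONE 916 555 0100\nSACRAMENTO CA 95814"),
]

if __name__ == "__main__":
    for member_id, hits in screen_mailing(SAMPLE_RECORDS):
        print(f"{member_id}: hold mailing, SSN-like value(s) printed: {hits}")
```

Record M-1 carries a ten-digit member number and is not flagged; M-3 contains a hyphenated number whose area 987 was never issued, so it is also passed over; M-2 (unhyphenated) and M-4 (hyphenated) are held. A nine-digit account number that happens to satisfy the rules will still be flagged, which is the correct failure direction for a pre-print check.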
By Allan Holmes | Thursday, August 23, 2007 | 01:38 PM
Federal agencies increasingly have been the subject of phishing scams this summer, and there seems to be no end to it. Below is an email I received late last night in my Outlook inbox. The email successfully eluded the spam filter.
The IRS confirms that the email is a fraud, making it one of the 161 phishing scams that the IRS has identified this year, an IRS spokeswoman says. The IRS has received 14,000 emails from individuals who have forwarded suspicious-looking emails to phishing@irs.gov, a mailbox the IRS set up last year for individuals to send emails that look like they may be scams.
The IRS has issued a number of warnings in the past 18 months about fraudulent emails that appear to come from the IRS.
Phishers are also using the Justice Department and Federal Trade Commission to launch attacks designed to trick individuals into giving up personal information or downloading malware. The agencies report that the emails look quite sophisticated. However, this email doesn't look professional enough to come from the IRS, although I would hazard a guess that many individuals would be fooled by the official IRS logo and the screened copyright statement at the bottom.
But I'm not too convinced that the IRS would use phrases such as "the last annual calculations of your fiscal activity," and the pedestrian Courier font gives the email more than a hint of illegitimacy.
Again, sadly, it must be working.
By Bob Brewin | Wednesday, August 22, 2007 | 03:37 PM
As we all know, moving is a painful experience eased by careful planning. The National Geospatial-Intelligence Agency (NGA) seems to be trying to lessen the pain as much as possible.
The NGA kicked off this week the process for moving 8,500 of its employees, and a whole mess of classified gadgets and gizmos, to new digs at Ft. Belvoir, Va., by 2011.
NGA said in the only procurement notice it plans to issue for the move that it needs a contractor that has the “the proven ability to plan, integrate, organize, synchronize and execute a complex sustained, classified move of equipment, materials” and all the NGA personnel and their office stuff from six locations in the Washington, D.C., area to its new 2.4 million-square-foot building.
NGA is looking for more than a bunch of Irish guys with strong backs and a fleet of trucks. The agency says it needs folks to handle the move who are cleared at the Top Secret/Special Intelligence/Talent Keyhole level.
If anyone knows what all the above means, they’re probably a quarter of the way to getting the job.
By Allan Holmes 