Malicious cyber actors have targeted US universities and colleges with typical cybercrime activities, such as spear phishing students and faculty with university-themed messages, creating fake university websites, and infecting computers with malicious software, likely in an attempt to gain access to student and faculty e-mail and bank accounts. We have no indication that cybercriminals target university systems and users more than any other cybercrime victims.
To facilitate efficiency and effectiveness on a global scale, massive amounts of data are stored and processed in systems comprised of hardware and software. Each digital transaction or interaction we make creates a digital footprint of our lives. Too often, we don’t take the time to assess not only the size of our digital footprint, but what risks are involved in some of the choices we make. Our data lives in our social media profiles, mobile devices, payment accounts, health records, and employer databases among other places. The loss or compromise of that data can result in an array of impacts from identity theft to financial penalties, fines, and even consumer loyalty and confidence. This results in both a shared risk and therefore shared responsibility for individuals, businesses, organizations and governments. The following product is intended to facilitate awareness of one’s digital footprint as well as offer suggestions for a unified approach to securing that data. This is not an all-encompassing product, but rather offers discussion points for all that hold a stake in the security of our data.
This Homeland Security (HLS) Geospatial Concept of Operations (GeoCONOPS) has been developed as a strategic starting point for understanding how the coordination of Homeland Security and Homeland Defense (HD) geospatial activities can be improved at the federal level. The intended audience for this document is the full geospatial community supporting the missions of the federal government under the National Response Framework (NRF) and Presidential Policy Directive 8 (PPD-8). This includes the stakeholders and actors representing the Emergency Support Functions (ESFs), the Joint Field Offices (JFO), Federal Operations Centers, the disaster preparedness exercise and evaluation community, and those involved in other NRF missions. Individuals representing these groups and activities have been extensively engaged in providing input for this document.
DHS National Cybersecurity and Communications Integration Center: Suspicious “Invoic” Email Sent to Government Personnel
An intelligence assessment released last month by the Department of Homeland Security’s Office of Intelligence and Analysis found that a domestic terrorist attack conducted by individuals affiliated with or inspired by the Islamic State of Iraq and the Levant (ISIL) would most likely “employ tactics involving edged weapons, small arms, or improvised explosive devices (IEDs).” The assessment, which was obtained by Public Intelligence, was released in October following several recent attacks conducted in Europe and Australia by individuals sympathetic to ISIL. Based on a review of these and other planned attacks, analysts at DHS evaluated the tactics and targets, as well as operational security measures employed in order to determine “tactics, targets, and tradecraft that potentially could be used in the Homeland by individuals associated with or inspired” by ISIL.
This Assessment highlights the tactics, targets, and tradecraft that potentially could be used in the Homeland by individuals associated with or inspired by the Islamic State of Iraq and the Levant (ISIL); we do not address the likelihood of an attack against the United States by the group. This Assessment is intended to support the activities of DHS to assist federal, state, and local government counterterrorism and law enforcement officials, first responders, and private sector security partners in effectively deterring, preventing, preempting, or responding to terrorist attacks against the United States.
This handbook contains standard security designs and procedures common to Sensitive Compartmented Facilities (SCIF) and physical security construction standard and established by the Director National Intelligence (DNI) for protection of classified intelligence information. Users should refer to Director of Central Intelligence Directives (DCIDS) and other documents cited under Authorities for guidance on specific security functions.
The most recent U.S. case, announced on 12 October 2014 is the first reported domestic transmission in the U.S. Three of the American EVD patients recovered and were discharged from the hospital, while three remain hospitalized. One American died while receiving treatment in Nigeria. The Liberian EVD patient was not symptomatic upon arrival and determined not to be infectious during travel. The Liberian patient died while in isolation on 8 October 2014. On 11 October 2014, the CDC and the Department of Homeland Security’s Customs & Border Protection (CBP) began enhanced entry screening of passengers with recent travel to West Africa at New York’s JFK International Airport. Enhanced entry screening is scheduled to begin on 16 October 2014 at Washington-Dulles, Newark, Chicago-O’Hare, and Atlanta international airports. Based on the recent domestic transmission, state and federal officials are re- examining whether equipment and procedures were properly followed, and whether additional protective steps and guidance are needed. The CDC believes the U.S. medical, public health infrastructure/responses are sufficient to prevent the spread of the Ebola virus in the U.S.
As of 3 October 2014, 43 states and the District of Columbia have reported 538 cases (+325 since 23 September 2014) of Enterovirus D68 (EV-D68) to the U.S. Centers for Disease Control and Prevention (CDC). Most of the cases have been identified among children; however, one case was identified in an adult. This outbreak was first announced in a media conference held on 8 September 2014. In this announcement, the CDC stated that EV-D68 was detected in clusters of individuals with respiratory illness in Kansas City, Missouri and Chicago, Illinois. Many of the initial identified cases had a history of asthma or wheezing. Recent increases in cases can be attributed to awareness of this issue among health officials and the amount of time necessary for disease investigation and confirmation. Current surveillance tools for influenza-like illness may not be appropriate for the detection of EV-D68 because many of the identified cases failed to develop fever. The CDC is involved in the ongoing investigation of a possible link between EV-D68 and acute paralysis. Furthermore, the CDC has identified EV-D68 in specimens from patients who have died, but the role of EV-D68 in these deaths remains unclear. EV-D68 has rarely been reported in the U.S. since first recognized in California in 1962. Enterovirus infections are not reportable in the U.S., so the illness is likely underreported because most enterovirus infections are self-limiting and do not require medical attention. The CDC estimates that non-polio enteroviruses are very common and are responsible for 10 to 15 million U.S. infections each year.
The Department of Homeland Security’s (DHS) Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) produced this National Risk Estimate (NRE) to provide an authoritative, coordinated, risk-informed assessment of the key security issues faced by the Nation’s infrastructure protection community from malicious insiders. DHS used subject matter expert elicitations and tabletop exercises to project the effect of historic trends on risks over the next 3 to 5 years. In addition, DHS used alternative futures analysis to examine possible futures involving insider threats to critical infrastructure over the next 20 years. The results are intended to provide owners and operators a better understanding of the scope of the threat and can inform mitigation plans, policies, and programs, particularly those focused on high-impact attacks.
On 8 August, the International Health Regulations Emergency Committee of the World Health Organization (WHO) declared the ongoing epidemic of Ebola virus to be a Public Health Emergency of International Concern (PHEIC). According to the WHO, regional health authorities in western Africa have reported 7,178 cases of Ebola virus disease with 3,338 deaths to the WHO since the outbreak was first recognized in March 2014. On 30 September 2014, The U.S. Centers for Disease Prevention and Control (CDC) announced that an unidentified man, who is receiving treatment at Texas Health Presbyterian Hospital in Dallas, Texas, has been diagnosed with Ebola virus. All previous cases associated with the U.S. were diagnosed in West Africa. One patient died while in Nigeria, and four were diagnosed in West Africa before traveling to the U.S. for treatment.
The FBI Cyber Division has issued a notification to private industry and law enforcement to be aware of the potential for retaliatory cyber attacks following recent U.S. military actions in the Middle East. While the FBI has “no information at this time to indicate specific cyber threats to US networks or infrastructure in response to ongoing US military air strikes against the terrorist group known as the Islamic State of Iraq and the Levant (ISIL)” the bulletin states that the FBI believes that “extremist hackers and hacktivist groups, including but not limited to those aligned with the ISIL ideology, will continue to threaten and may attempt offensive cyber actions against the United States in response to perceived or actual US military operations in Iraq or Syria.”
A bulletin issued by the Department of Homeland Security, the FBI and the National Counterterrorism Center earlier this month warns law enforcement and private security personnel that malicious cyber actors can use “advanced search techniques” to discover sensitive information and other vulnerabilities in websites. The bulletin, titled “Malicious Cyber Actors Use Advanced Search Techniques,” describes a set of techniques collectively referred to as “Google dorking” or “Google hacking” that are used to refine search queries to provide more specific results.
Malicious cyber actors are using advanced search techniques, referred to as “Google dorking,” to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. “Google dorking” has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities. By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.
DHS National Cybersecurity and Communications Integration Center Bulletin: Hotel Business Centers Keyloggers
The following is an advisory for owners, managers and stakeholders in the hospitality industry, which highlights recent data breaches uncovered by the United States Secret Service (USSS). The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software. The malicious actors were able to utilize a low-cost, high impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guest’s information. The NCCIC and the USSS have provided some recommendations at the end of this document that may help prevent similar attacks on publicly available computers.
An intelligence assessment released July 22 by the Department of Homeland Security Office of Intelligence and Analysis warns of an increasing trend of “anti-government violence” from what are described as “domestic violent extremists” inspired by the recent standoff at the Bundy Ranch in Bunkerville, Nevada. The report, titled “Domestic Violent Extremists Pose Increased Threat to Government Officials an Law Enforcement,” was originally obtained and published by Public Employees for Environmental Responsibility, a non-profit alliance of local state and federal resource professionals that has been advocating for criminal charges against Cliven Bundy and “militia snipers” involved in the April standoff with the Bureau of Land Management. In recent months, the report suggests that there has been a notable increase in violence from domestic extremists motivated by “anti-government ideologies.”
(U//LES) DHS Assessment: Domestic Violent Extremists Pose Increased Threat to Law Enforcement and Government Officials
After years of only sporadic violence from violent domestic extremists motivated by anti-government ideologies, I&A has seen a spike within the past year in violence committed by militia extremists and lone offenders who hold violent anti-government beliefs. These groups and individuals recognize government authority but facilitate or engage in acts of violence due to their perception that the United States Government is tyrannical and oppressive, coupled to their belief that the government needs to be violently resisted or overthrown. Historically, spikes in violence have followed high-profile confrontations involving the United States Government, such as Ruby Ridge and Waco. The April 20 14 Bunkerville, Nevada standoff likely represents a similar event that could inspire further violence.
The Department of Homeland Security Office of Cyber and Infrastructure Analysis (DHS/OCIA) Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) produces Sector Resilience Reports to improve partner understanding of the interdependencies and resilience of certain sectors. Specifically, this report provides a brief overview of the electric power system, and analysis of key electric power system dependencies and interdependencies. Additionally, this product includes an assessment of, and best practices for, improving community, system, and facility resilience. This Sector Resilience Report was produced to complement other sector-specific guidance, analysis, and scholarly papers on infrastructure resilience by applying data obtained from DHS site visits and assessments analyzing the resilience of critical infrastructure assets and systems.
(U//FOUO) DHS-FBI-NCTC Bulletin: Medical Treatment Presents Opportunity for Discovery of Violent Extremist Activities
Efforts to gain expertise with explosive, incendiary, and chemical/biological devices may lead to injuries and emergency treatment, which may provide potential indicators of violent extremist activities to responding emergency medical service (EMS) personnel. Scene size-up and patient assessment provide first responders the opportunity to view both the scene and any patient injuries. EMS personnel and other first responders should consider the totality of information gleaned through direct observation and the statements of patients, witnesses, and bystanders to evaluate whether an injury is a genuine accident or related to violent extremist activity.
We analyzed these locations to determine the factors pushing child migration to the US Border. We assess these reasons vary regionally. For example, many Guatemalan children come from rural areas, indicating they are probably seeking economic opportunities in the US. Salvadoran and Honduran children, on the other hand, come from extremely violent regions where they probably perceive the risk of traveling alone to the US preferable to remaining at home. This violence, combined with poor economies and other secondary factors will make stemming the flow of UACs to the US a very complex issue to address.
Terrorists in late December 2013 conducted three attacks targeting people using public transportation systems in Russia, emphasizing terrorists’ persistent interest in attacking locations where large congregations of people are confined to small, often enclosed spaces. Russian officials claim North Caucasus-based violent extremists associated with the Imirat Kavkaz (IK) probably conducted these attacks to embarrass the Russian government in the build-up to the 2014 Olympic Games in Sochi. The IK, a violent extremist group based in Russia, has no known capability in the Homeland and is unlikely to directly target Western interests overseas.
Walter Bond’s path to animal rights extremism was driven by witnessing what he perceived as animal abuse and by frustration stemming from his perception that lawful, nonviolent actions appeared to have little impact on advancing the goals of the animal rights movement.* Prior to becoming violent to advance animal rights, Bond showed a tendency to use violence to advance other beliefs, such as protesting illicit drug sales by committing arson against a drug trafficker’s home and protesting against religion by burning a pentagram symbol inside a church.
Security researchers from Google Security recently discovered a vulnerability with the Heartbeat extension (RFC6520) to OpenSSL’s Transport Layer Security (TLS) and the Datagram Transport Layer Security (DTLS) protocols. According to open source reports, the vulnerability has existed within certain OpenSSL frameworks since at least 2012. The Heartbeat extension is functionally a “keep-alive” between end-users and the secure server. It works by sending periodic “data pulses” of 64KB in size to the secure server and once the server receives that data; it reciprocates by re-sending the same data at the same size. The out-of-bounds “read” vulnerability exists because the Heartbeat extension in OpenSSL versions 1.0.1 through and 1.0.2-beta (including 1.0.1f and 1.0.2-beta1) do not properly validate the data being sent from the end-user. As a result, a malicious actor could send a specially-crafted heartbeat request to the vulnerable server and obtain sensitive information stored in memory on the server. Furthermore, even though each heartbeat only allows requests to have a data size limited to 64KB segments, it is possible to send repeated requests to retrieve more 64KB segments, which could include encryption keys used for certificates, passwords, usernames, and even sensitive content that were stored at the time. An attacker could harvest enough data from the 64KB segments to piece together larger groupings of information which could help an attacker develop a broader understanding of the information being acquired.