
Posts from March 2007

March 30, 2007

I'm Outraged and Why You Should Be Also: $250 Million Valued IT Security Contract Fraud and Abuse by U.S. Department of Veterans Affairs

On February 26, 2007, the Office of Inspector General (OIG) for the U.S. Department of Veterans Affairs (VA) issued a scathing report (http://www.va.gov/oig/52/reports/2007/VAOIG-04-03100-90.pdf) on the fraud and abuse committed by the Department of Veterans Affairs regarding a $250 million Information Technology (IT) security contract. 

According to the OIG Report the IT security contract was defined as:

"The purpose of the VA-CIRC (Central Incident Response Capability - CIRC) contract (contract) was to provide state-of-the-practice incident handling and response capabilities for the entire VA. VA had to expand the existing CIRC to a broader, world-class operational CIRC and Security Operations Center (SOC) environment to assure confidentiality, integrity, availability, and privacy of information and services for Veterans.

The contract also became VA’s mandatory source for Managed Security Services (MSS). The Request for Proposal (RFP) described MSS as: acquisition, installation, integration, configuration, and monitoring of VA’s enterprise infrastructure; vulnerability assessment and penetration testing; cyber security intelligence gathering and support of network operations; and supporting the Enterprise Cyber Security Infrastructure Project.

The procurement action was a 100 percent small business set-aside contract authorizing and encouraging joint ventures or teaming arrangements. On July 19, 2002, VA awarded a contract to Veterans Affairs Security Team, LLC. (VAST), a limited liability corporation incorporated in the State of Texas. VAST was formed by members of the joint venture that included SecureInfo Corporation, AEM Corporation, ADTECH Systems, DSD Laboratory, SEIDCON Incorporated, and TEAMBI Solutions Incorporated, all of which are small businesses. Compaq, SAIC, and SIGNAL, large businesses, were added to the VAST team, but were not identified as members of the joint venture.

The $102.7 million fixed-price contract included $82.9 million for recurring labor and $19.8 million for equipment and supply cost spread evenly over a term not to exceed 10 years. By March 2005, when the contract was allowed to expire, VA expended approximately $91.8 million (89.4 percent) of the total contract value."

Key findings of the report:

1.  Poor planning, contract award procedures, and contract administration resulted in a lack of funding within 3 years. No surprise here.  The contract was originally awarded in 2002.

2.  The contract was awarded to a Texas LLC that was created (incorporated) 7 days before the contract was awarded. Because the member companies of the joint venture formed an LLC, they all have limited liability protection.  According to the OIG report:

"On July 19, 2002, a contract valued at $102.7 million over a possible 10-year time period was awarded to VAST. VAST was a limited liability corporation, incorporated in the State of Texas on July 12, 2002, just 7 days before the contract was awarded. The primary corporation behind VAST was SecureInfo, a small business located in Texas."

"Because the contract was awarded to VAST, not the joint venture or business entity in the joint venture, the individual companies who comprised the joint venture were protected from liability. Our review of VAST’s corporate and bank records revealed that the corporation had no assets, which may have left VA with no grounds to recover overpayments, which we estimate could be as high as $8.5 million." 

This is an outrageous example of the fleecing of Veterans and our national treasury by money-hungry corporations. Is anyone else as outraged by this legal maneuvering and financial fraud?  The VA and the corporations behind these legal entities should be held accountable!

3.  The original $102.8 million fixed-price contract was modified to a potential value of $250 million.  An additional $48.6 million of work outside the original contract scope was completed under contract modification authorizations.

4.  $35 million for equipment and supplies is unaccounted for.  No inventory of the equipment is available. According to the OIG report:  "VA does not know what equipment it has or where it may be located."

It is outrageous and really makes me upset that this type of fraud and waste is ongoing at a time when the United States federal government is facing funding shortages for Veterans services.  We have men and women who served honorably in our armed forces coming home from theaters of war, and the VA, a government agency chartered to provide services to them, is wasting taxpayer dollars on contracts that have no accountability.  That is inexcusable.

I urge anyone reading this blog story to contact your U.S. Congress Representatives, express your opinions, and demand further investigation of the VA's conduct. The companies behind VAST LLC should also be investigated for their role in this egregious case of fraud and waste of taxpayer and Veterans resources.

March 29, 2007

NYSE:TJX -- 46 Million Credit Cards Stolen - Security Breach, Part 3

I've already commented twice on this blog on the TJX Companies, Inc. (NYSE: TJX) data security breach. 

What is alarming is that TJX is now letting the public know that potentially over 46 million credit card numbers may have been compromised over a period of 18 months.  What is even more alarming is that TJX readily admits it may never be able to provide a full and complete count of the credit cards compromised.

That's a candid admission, one I'm sure is not easy in this day and age of rampant litigation.  However, as a former Chief Information Security Officer (CISO), I'm grateful that TJX has the courage to be an honest corporate citizen in admitting their errors publicly and taking very public steps to correct their technical IT security deficiencies.

It takes real honesty to make such admissions.  While most companies would be running for cover wishing the news story to go away, TJX has been candid with details on their investigation and corrective steps to ensure this never happens again within their organization. 

To TJX:  Thanks for being honest about your mistakes. May your experience serve as a lesson to other companies and organizations.

To Business Owners and Executives:  Please learn from TJX's experience.  Make information security a critical business issue and a top priority in your organizations.


CNN - T. J. Maxx owner: 46M card numbers stolen

http://money.cnn.com/2007/03/29/news/companies/tjx/index.htm?cnn=yes

March 28, 2007

MySpace: John McCain's Page Defaced In Support of Gay Marriage

A blogger changed an image linked from Senator John McCain's MySpace page so that it displayed a message stating that Senator McCain supported gay marriage.

The author of the prank was Mike Davidson, CEO of Newsvine.com.  Davidson claims no laws were broken, since the image displayed on John McCain's MySpace web page was hosted on Davidson's servers.

Lessons for the McCain campaign: Don't use others' intellectual property without proper attribution.  Don't steal bandwidth from web servers that are not under your financial support by linking directly to their content.
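The underlying lesson is that any image, script or stylesheet your page loads from a host you don't control can be changed by that host's owner at any time. The following added example (not code from the original post; the sample page and host names are constructed placeholders) scans a page's HTML and lists every resource served from a host outside an allow-list:

```python
"""Flag page resources (images, scripts, stylesheets) served from hosts the
page owner does not control.  Added example, not code from the original post;
the sample HTML and host names are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute pulls third-party content into the page at render time.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}


class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Only stylesheet <link>s are fetched; rel="canonical" etc. are not.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        if a.get(attr):
            self.resources.append((tag, urljoin(self.base_url, a[attr])))


def find_foreign_resources(html, page_url, trusted_hosts):
    """Return (tag, absolute_url) for each resource whose host is not trusted.
    Anything listed can be swapped by its host without touching the page,
    which is exactly what happened with the hot-linked MySpace image."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    trusted = {h.lower() for h in trusted_hosts}
    return [(tag, url) for tag, url in collector.resources
            if (urlsplit(url).hostname or "").lower() not in trusted]


# Constructed sample page; every host name is a placeholder.
SAMPLE_HTML = """
<html><body>
<img src="/images/banner.png">
<img src="http://cdn.example-campaign.org/logo.png">
<img src="http://someone-elses-server.example/pic.jpg">
<script src="//third-party.example/widget.js"></script>
<link rel="stylesheet" href="http://www.example-campaign.org/site.css">
<link rel="canonical" href="http://www.example-campaign.org/">
</body></html>
"""
TRUSTED = ["www.example-campaign.org", "cdn.example-campaign.org"]

if __name__ == "__main__":
    for tag, url in find_foreign_resources(SAMPLE_HTML, "http://www.example-campaign.org/", TRUSTED):
        print(f"{tag:<7} {url}")
```

Running it against the sample page reports the off-site image and the third-party script; the same check can be run over any page before it is published.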

MSNBC
http://thenewshole.msnbc.msn.com/archive/2007/03/27/102866.aspx

Mike Davidson's Blog
http://mike.newsvine.com/_news/2007/03/27/633799-hacking-john-mccain

CNet News - Oops! John McCain's MySpace page gets pranked
http://news.com.com/2061-10802_3-6170883.html

AP: 16,000 Social Security Numbers and Payroll Data At Risk On Stolen Government Laptop

The Associated Press is reporting that a laptop computer containing 16,000 social security numbers and payroll information of civilian employees for the U.S. Army Training and Doctrine Command (TRADOC) based in Fort Monroe, Virginia has been stolen.

My question for TRADOC is why this data was stored on a laptop computer in the first place.   Have the lessons the U.S. Department of Veterans Affairs learned, when a laptop containing the personal information including social security numbers of 26.5 million U.S. military veterans and their spouses was lost, already been forgotten?  TRADOC and the U.S. Army, and moreover the U.S. Department of Defense, should never allow this type of information to be stored on laptop computers.

According to the AP news story, a letter was sent to the potentially affected employees informing them the U.S. Army is committed to preventing similar events from happening again.  The news story does not mention if TRADOC or the U.S. Army will be providing free credit monitoring for those affected.

Call to action: To the Acting Secretary of the United States Army, Mr. Pete Geren, please investigate this egregious data security breach and help institute policies and procedures to prevent this type of information security breach from happening again.  Please consider offering free credit monitoring to those affected by this data security breach.

Beyond the identity theft risks facing those civilian employees for TRADOC, I'm also very concerned with the potential national security implications for the loss of this data.  What if a foreign terrorist group were to get a hold of the social security numbers and payroll data for civilian employees of the U.S. Army?  Would this stolen information be of use for foreign terrorists to be able to exploit the information to gain access or information from the U.S. Department of Defense or the U.S. Army?   Perhaps, U.S. Army leadership should look into this incident beyond the identity theft or financial fraud implications.

I hope this type of event does not happen again, however that may be just wishful thinking on my part.

AP - Govt. Laptop With Employee Data Stolen
http://biz.yahoo.com/ap/070327/stolen_laptop.html?.v=1&printer=1

March 22, 2007

State of Indiana: 71,000 healthcare workers had social security numbers accessed by computer hacker

The Associated Press is reporting that on January 3 a computer hacker broke into a State of Indiana web site.  The computer thief managed to access 5,600 credit card numbers belonging to individuals and businesses, and in the process obtained personal information, including Social Security numbers, for 71,000 health care workers.

The State of Indiana sent letters to those affected by this data breach in March, after an audit was completed following the January 3 data security breach.  I find the delay between January and March in notifying those affected unacceptable.   Although data security investigations take time to complete, the state government should have been more open in disclosing this data theft to the general public much earlier.

Note to government agencies and business entities:   Please, please, please establish, continually test, and audit your on-line web applications for security vulnerabilities.  Research has been indicating for several years that on-line attacks are targeting the applications themselves.  The technologies for protecting personal and financial information are available today.  There is no excuse for poor information security governance and practices.

Note for consumers: When an organization tells you they have completed periodic security testing of the web sites which hold your personal information, ask for details on what type of security testing was conducted.  If a business or government agency touts that it performs "periodic network security scans", that is not a true application security audit conducted by skilled application security specialists.  Most successful data theft attacks happen because of poor application security.

As consumers and citizens, we need to start holding companies and government agencies more accountable for how they protect and manage the security of our personal and financial information. 

FortWayne.com
http://www.fortwayne.com/mld/fortwayne/news/local/16945009.htm

Federal Trade Commission
http://www.ftc.gov/idtheft

The Open Web Application Security Project
http://www.owasp.org

March 21, 2007

86% of the credit/debit cards advertised for sale on hacker (underground) community were issued by U.S. Banks

As I was traveling on business this week and had a few minutes to spare while waiting at the airport, I ran across a report by Symantec Corporation, a leading security software company.

Symantec publishes their "Internet Security Threat Report" twice a year.   Consider this report a summary of Internet threats that Symantec has tracked from July through December 2006.  The data Symantec collects is based on a network of 40,000 computer sensors deployed worldwide in over 180 countries, plus the data seen and sent to Symantec by over 120 million computers that run Symantec's security software.   The data is collected and analyzed for trends in how computer and data security threats are originating and evolving.

Some of the key findings by Symantec are worthy of noting not only by businesses but also by consumers.   

  • Home computer users were the most targeted by all attacks (targeted 93% of the time).
  • 86% of the credit/debit cards advertised for sale on hacker (underground) community were issued by U.S. Banks.
  • An increase in the use of multiple attack methods to gain access to financial and personal data that could be used for financial fraud (i.e. identity theft).

I've always felt that information and data security is a two way street.  Although the business community has a great responsibility in protecting the personal and financial information of the customers, consumers also have to share in that responsibility.   An educated consumer should also do their part for protecting their personal and financial information.

If you would like to read the Symantec report, please visit:  http://www.symantec.com/threatreport

March 12, 2007

Stronger Online Security: Extended Validation (EV) SSL Certificate standard

As on-line consumers, most of us are accustomed to shopping on-line.  When shopping on-line, most consumers look for websites that use SSL encryption to protect secure order forms that require credit card numbers and other personal information.  In most web browsers, a padlock icon indicates that the web page we are visiting, perhaps an order form, securely encrypts the data between the website and our computer's web browser.

In order for SSL to work on our computers, most web browsers have built-in certificate authority (CA) certificates that are used to verify the remote website's authenticity and to ensure the data connection between the remote website and our computer's web browser is secure (i.e. encrypted).

One reason consumers have been fooled by fake websites pretending to be major sites such as on-line banks has been the relative ease with which fraudsters have obtained SSL certificates.  Thus we were ushered into the age of phishing emails and fake websites that have many times fooled consumers into divulging personal information such as passwords, credit card numbers, and more.   Consumers don't realize how easy it has been for anyone running a website to get an SSL certificate.

In the past few months the Certification Authority/Browser Forum (CA/Browser Forum) has developed working guidelines, supported across CAs and web browser publishers, for a new standard in SSL certificates.  The Extended Validation (EV) SSL Certificate standard has emerged as a result of this work.

The cornerstone of the EV SSL Certificate standard is a much stricter, industry-accepted validation process for ensuring the integrity of the organizations to which EV SSL certificates are granted.

To learn more about the requirements organizations will need to complete to be eligible to receive EV SSL Certificates, please visit:  http://www.cabforum.org/vetting.html.
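The practical difference between an ordinary SSL certificate and an EV one shows up in the verified identity fields the CA places in the certificate subject. The following is an added example, not code from the original post or from the CA/Browser Forum; the required-field list and the sample subjects are assumptions and constructed placeholders, and fetch_peer_cert only shows where a live certificate would come from:

```python
"""Tell an Extended Validation (EV) certificate from an ordinary domain-validated
one by the verified identity fields in its subject.  Added example, not from the
original post or the CA/Browser Forum.  Assumption: the certificate is in the
shape ssl.SSLSocket.getpeercert() returns, with the subject as a tuple of RDNs,
each RDN a tuple of (attribute_name, value) pairs."""
import socket
import ssl

# Subject attributes the EV vetting process requires the CA to verify and embed:
# organization identity, registration number, jurisdiction of incorporation and
# place of business.  Spelled as OpenSSL names them; this list is an assumption.
EV_REQUIRED = ("organizationName", "businessCategory", "serialNumber",
               "jurisdictionCountryName", "localityName", "countryName")


def subject_to_dict(subject):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    flat = {}
    for rdn in subject:
        for name, value in rdn:
            flat.setdefault(name, value)
    return flat


def ev_identity_check(cert):
    """Return (looks_ev, missing_fields).  A certificate carrying only a
    commonName (the typical domain-validated certificate) fails; one carrying
    the verified organization fields passes.  Subject inspection only: chain
    validation and hostname matching remain the TLS stack's job."""
    subject = subject_to_dict(cert.get("subject", ()))
    missing = [f for f in EV_REQUIRED if not subject.get(f)]
    return (not missing, missing)


def fetch_peer_cert(host, port=443):
    """Connect using the system CA store and return the parsed peer certificate;
    raises if the chain does not validate (not exercised offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample subjects; all values are placeholders.
DV_CERT = {"subject": ((("commonName", "shop.example"),),)}
EV_CERT = {"subject": (
    (("countryName", "US"),), (("localityName", "Springfield"),),
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),), (("serialNumber", "123456"),),
    (("organizationName", "Example Shop Inc"),), (("commonName", "shop.example"),),
)}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("EV", EV_CERT)):
        ok, missing = ev_identity_check(cert)
        print(f"{label}: EV-style identity={ok} missing={missing}")
```

The domain-validated sample fails because it carries nothing but a commonName, which is all a CA needs to check to issue an ordinary certificate; the EV sample passes because the organization, registration number and jurisdiction fields are present.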

EV SSL Certificates won't eliminate the need for consumers to be diligent about their on-line security practices.  End point security solutions are only as strong as the commitment of people and the good use of technology.  Let's hope the EV SSL Certificate standard helps slow down the pace of on-line scams and identity theft.  Although if history teaches us anything, eventually someone will try to find a way around this good step in ensuring on-line safety and security.

Seagate Technology: Kudos for Encrypted Hard Drive for System Builders

Seagate Technology has begun providing system builders with a new computer hard disk with built-in AES encryption.  The hard disks are being offered under the Momentus® line of products. 

The Momentus® 5400 FDE.2 hard disk drive offers hardware based encryption with support for the AES encryption algorithm, 5400 RPM performance, built in 8-MB cache, and SATA 1.5GB/s interface support. 

Ok, beyond the geek factor this drive provokes some important thoughts in terms of recent news stories of stolen or "misplaced" computer laptops in recent months.  Hopefully more hard drive vendors will follow Seagate's efforts to provide hardware based solutions to protect data stored in mobile computers.  Although hardware vendors' efforts are commendable, the real responsibility for the protection of data stored in mobile computers lies squarely at the feet of those responsible for information security and technology in organizations. 

Hardware or software end point solutions will never be the cure-all to stop lapses in judgment, poor information security policies and enforcement, and most importantly human behavior.  What technologies like hard disks with firmware based encryption do provide is one less excuse for poor information security policies and management in today's business organizations. 

It is time for those in areas of responsibility to act responsibly and attempt to prevent serious lapses in corporate information security. 

For more information:

Seagate
http://www.seagate.com/www/en-us/products/laptops/momentus/momentus_5400_fde.2/

March 07, 2007

Memoirs of Watergate: Hackers in French Politics in 2007

Politics.  Talk of politics can awaken strong agreements or disagreements even among friends.  Hence my hesitation for bringing the following news story for commentary and dialog.   I came across a political news story worthy of mention, based on the issues the story intersects, namely the crossroads of politics, technology, and ethics. 

A political firestorm is brewing in France.  The far-right presidential candidate Jean-Marie Le Pen made accusations on Monday of this week that a computer hacker, working for or on behalf of the political opposition, has stolen sensitive information (i.e. a list of leaders willing to support Le Pen's candidacy for president).  Although this may seem to be a news story of marginal value, we should all be concerned about the implications and ethical considerations this situation brings up.

Commentary: Political arguments aside, I find it reprehensible that any person (i.e. citizen) of a free and open society would misuse technology in this alleged manner.  Breaking, entering, and stealing electronic data is unethical and inexcusable.   The ends do not justify the means--especially when conducted with malice and based on ideologically driven political aims.   It is my hope this unfortunate incident in French politics will not damage the freedoms of a free and open society in that country.


Associated Press - Forbes

http://www.forbes.com/feeds/ap/2007/03/05/ap3487120.html

March 05, 2007

U.S. White House: OMB FY 2006 Report to Congress on Implementation of The Federal Information Security Management Act of 2002

The U.S. White House Office of Management and Budget (OMB) on March 1, 2007 released their fiscal year 2006 report on the progress of federal agencies to secure their computer and information systems.

Of note in FY 2006, U.S. Federal agencies spent $5.5 billion for information security out of an approximate total IT budget of $63 billion.  That's approximately 9 percent of all IT investments.  Although some Federal agencies have made significant progress in securing their systems, there are still many agencies and systems that need to do more to enhance their security posture. 

Glad to see our government doing more to secure their information systems.

FY 2006 Report to Congress on Implementation of The Federal Information Security Management Act of 2002 (March 1, 2007)
http://www.whitehouse.gov/omb/inforeg/reports/2006_fisma_report.pdf