BayPay Forum

Europe's New Privacy Shield: Will It Hold?

Category: Security News

Compliance, Privacy

US Mass Surveillance Practices Could Still Derail Data Transfer Deal
Mathew J. Schwartz (euroinfosec) • July 13, 2016

Businesses on both sides of the Atlantic have been breathing a sigh of relief over the July 12 launch of the EU-U.S. data transfer agreement known as the Privacy Shield.


Complying with Privacy Shield gives businesses a legal way to gather Europeans' personally identifiable information and transfer it to servers in the United States without running afoul of EU data protection and privacy rules. The voluntary, self-certification agreement, issued by the European Commission, replaces a previous, similar arrangement called Safe Harbor, which the European Court of Justice struck down in October. The court's ruling was based, in part, on U.S. mass surveillance practices, which EU judges said resulted in the U.S. being unable to prove that its "law and practices ... ensure an adequate level of protection" for Europeans' right to privacy.

But it's unclear if Privacy Shield will pass muster with the European Court of Justice. Privacy rights groups have already promised to fight the new agreement on the grounds that it doesn't do enough to protect Europeans' personal data from U.S. intelligence agencies.

Europe's expansive data protection rules stipulate that any piece of information that could be used to identify, locate or contact an individual counts as private data. That includes not just names and email addresses, but also Internet Protocol addresses and browser cookies. All EU organizations must gain an individual's express consent before collecting such information, delete it upon request and store it for as little time as possible, all of which is also required under Privacy Shield.

Tweet, July 13, 2016: "European Commission releases #PrivacyShield fact sheet https://t.co/hmPRn6V1I2 #privacy pic.twitter.com/rGZ8E6uBvc"

Technology Giants Laud Deal

Many U.S. businesses have been eagerly awaiting Privacy Shield because it gives them a relatively straightforward way to transfer Europeans' personal data without having to find other legal ways of attempting to prove that they're complying with EU data protection rules. Germany recently fined several companies - including Adobe and Unilever - that were continuing to rely on Safe Harbor after the EU high court had ruled that it was no longer valid.

During the negotiations to develop Privacy Shield, many technology firms - including Apple, Cisco, Dropbox, Google, Microsoft, Samsung and Sony - were represented by DigitalEurope, which has applauded the new deal and said members are preparing to comply with it. Microsoft's John Frank, vice president for EU government affairs, says in a blog post that the new arrangement offers strong privacy protections. "Privacy Shield secures Europeans' right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body [via a U.S. ombudsman], and it clarifies data collection practices by U.S. security agencies."

Michelle Dennedy, Cisco's chief privacy officer, says complying with Privacy Shield will prove good for business. "As much as this may feel like a big compliance headache, one thing is certain," she says in a blog post. "Both sides of the Atlantic take the need to address EU privacy concerns very seriously. Ultimately, it will drive trust in business and confidence with customers, regulators and citizens alike, and that is always a good thing."

Tougher Privacy Rules

Julie Brill, who served as commissioner of the U.S. Federal Trade Commission until March and now co-heads law firm Hogan-Lovells' privacy and cybersecurity practice, also backs Privacy Shield, noting that it holds U.S. businesses to a much higher privacy standard for protecting Europeans' information than before.

"Companies that volunteer to join Privacy Shield will have to comply with significantly enhanced requirements, such as obtaining consent from Europeans before they share data with third parties, including affirmative express consent to share sensitive data such as health information," Brill says. "Signatories must also allow Europeans to access, correct or delete applicable data. Crucially, companies will have to require their business partners, who receive information about Europeans, to also live up to these principles."

Is Privacy Shield Strong Enough?

But the Privacy Shield negotiation process hasn't been a smooth one. Many EU regulators and members of the European Parliament have been highly critical of any deal that would not guarantee the same level of data privacy and redress rights to Europeans that they enjoy under EU law. So far, it's not yet clear if the new arrangement does so, or comes close enough to alleviate critics' concerns.

The Article 29 Working Party, which represents the EU's data protection agencies, has yet to comment on the final agreement. But the group criticized a draft version of Privacy Shield, noting that while it offered "significant improvements" over Safe Harbor, it failed to resolve multiple data protection concerns.

Privacy Shield likely will face court challenges from privacy rights groups. The case that resulted in Europe's high court invalidating Safe Harbor began when Austrian privacy campaigner Max Schrems filed suit against Facebook. His suit hinged on documents leaked by former U.S. National Security Agency contractor Edward Snowden suggesting that Europeans' private information was being shared with U.S. intelligence agencies.

Schrems and Jan-Philipp Albrecht, a Green/EFA Member of the European Parliament who served as lead negotiator for the EU's new landmark General Data Protection Regulation, have criticized Privacy Shield's privacy protections as insufficient. In a July 12 Irish Times editorial - Facebook's European operations are based in Dublin - the pair predict that this agreement will also be invalidated by the European Court of Justice.

In particular, Schrems and Albrecht note that for Europeans who believe their personal data has been mishandled, "the rules for legal redress are rather complex." In addition, the U.S. ombudsman will be a government official with questionable legal powers, rather than a court or independent body.

That's relevant, because the EU high court's decision to invalidate Safe Harbor centered in large part on U.S. mass surveillance practices, including post-Snowden revelations that U.S. intelligence agencies were intercepting Europeans' personal data that was being collected by U.S. technology companies. But it's not clear if the intelligence agencies have altered their behavior in any way, or if the U.S. ombudsman would have any oversight or control over such practices.

Next Stop: Annual Review

Viviane Reding, a member of the European Parliament who served as the EU's justice commissioner when the Snowden revelations came to light, notes that "doubts persist concerning the access of American public authorities to transferred data." But she argues that U.S. organizations - and the U.S. government - need to be given a chance to make Privacy Shield work. "If our American partners don't keep their promises, the [European] Commission should quickly draw the appropriate conclusions," she says.

Reding hopes the agreement will also become an instrument for helping to curtail the mass surveillance practices revealed by Snowden's leaks. "Let's turn this Privacy Shield into a living agreement that can be reinforced where and when necessary to finally end mass surveillance," she says.

While the Privacy Shield is designed to help assure Europeans that their personal data will be shielded from organizations and intelligence agencies that shouldn't have access to it, it's not yet clear whether it will achieve that goal.

"This issue is far from dead, and this agreement will be challenged in the European Court of Justice, where its adequacy will be determined," information security consultant Brian Honan said in a recent SANS Institute newsletter.

Federal Cybersecurity Workforce Strategy Unveiled

Category: Security News

Cybersecurity, Privacy, Risk Management

Government Seeks to Boost IT, InfoSec Staff by 3,500 This Year
Eric Chabrow (GovInfoSecurity) • July 12, 2016
Photo caption: Office of Management and Budget Director Shaun Donovan

The Obama administration has issued a federal cybersecurity workforce strategy that calls for identifying, recruiting, developing, retaining and expanding "the best, brightest and most diverse cybersecurity talent" for federal service.


The strategy establishes four key goals:

  • Expand the cybersecurity workforce through education and training;
  • Recruit the nation's best cyber talent for federal service;
  • Retain and develop highly skilled talent; and
  • Identify cybersecurity workforce needs.

Administration officials see the strategy as a long-term initiative, a first step toward furnishing resources needed to establish, strengthen and grow a pipeline of cybersecurity talent well into the future.

"We must recognize that these changes will take time to implement, and the workforce strategy's long-term success will depend on the attention, innovation and resources from all levels of government," says a White House blog, posted July 12. It was signed by Office of Management and Budget Director Shaun Donovan, Office of Personnel Management Acting Director Beth Cobert, White House Cybersecurity Coordinator Michael Daniel and U.S. Chief Information Officer Tony Scott.

6,500 New Positions

The officials say the strategy is needed because federal agencies' lack of cybersecurity and IT talent affects their ability to protect information and assets. How big is the cyber skills gap? A White House spokesman did not respond to a question about the number of IT security personnel the government employs and how many new ones are needed. But the administration blog said the government hired 3,000 new cybersecurity and IT professionals from October through March, and agencies are committed to hiring another 3,500 individuals to fill critical cybersecurity and IT positions by January.

Nationwide, IT and IT security personnel are in short supply for government and business. An Information Security Media Group analysis of U.S. Bureau of Labor Statistics data puts the IT unemployment rate at 2.7 percent, which economists consider full employment.

The consultancy Frost and Sullivan estimates a global gap between security openings and skilled people to fill them will reach 1.5 million by 2020. "Even when positions are created and funded, they are difficult to fill, both in private industry and in government," says Peter Singer, strategist at the think tank New America. "For example, at last report, 40 percent of the cybersecurity positions at the Federal Bureau of Investigation remained unfilled, leaving many field offices without expertise."

Administration officials say another restraint is the failure of agencies to consistently implement continuing federal initiatives to bolster IT security employment.

"This shortfall affects not only the federal government, but the private sector as well," the blog authors point out. "Recent industry reports project this shortfall will expand rapidly over the coming years unless private sector companies and the federal government act to expand the cybersecurity workforce pipeline to meet the increasing demand."

Many of the elements in the strategy are not new; they were outlined in the administration's Cybersecurity Strategy and Implementation Plan, issued last October (see Federal Cybersecurity Strategy Revised). But codifying them in a new strategy could prove useful, not only as guidance to federal agencies that are responsible for their own cybersecurity and staffing but also to the next administration.

Roadmap for Next Administration

"What you want to do, especially during this time of transition, is to make sure that plans are solidified," says former federal CIO Karen Evans, national director of the U.S. Cyber Challenge, which sponsors programs to attract more individuals to IT security careers. "Things like [the strategy] are going to be important to the incoming administration so they know exactly what the agencies are focused on and what they're doing."

The strategy proposes some out-of-the-box approaches to recruiting, noting that federal agencies should "pursue individuals with cyber talent who, historically, may not have sought out government careers." That includes women and minority students, who, according to OPM estimates, represent 25 percent and 32 percent of the federal cyber workforce, respectively.

To improve employee retention and development efforts, according to the strategy, OPM will work with agencies to develop cybersecurity career paths, credentialing programs and rotational assignments, as well as foster opportunities for employees to obtain new skills and become subject matter experts.

The workforce strategy directs agencies to adopt a new way to identify their skills gaps by using the National Cybersecurity Workforce Framework that identifies 31 discrete specialty areas within the cybersecurity workforce. By defining specific specialty areas, agencies could identify their needs and the types of skilled individuals required to fill them.

Those specialty areas are grouped into seven categories: securely provision; protect and defend; oversight and development; collect and operate; operate and maintain; analyze; and investigate.

Singer, the think-tank strategist, says the strategy is much needed, "but it will fail if it only puts new people in old organizational boxes, using the same pipelines."

Pokémon Go Mayhem: Privacy, Muggings, Malware

Category: Security News

Anti-Malware, Privacy, Technology

Police and Security Experts Issue Warnings; Fixes on the Way
Mathew J. Schwartz (euroinfosec) • July 12, 2016
Photo caption: Pokéman: Gotta catch 'em all? (Photo: David Martín)

The Pokémon Go smartphone app, released last week, is already a smash hit, sending maker Nintendo's stock price soaring as the app gets installed on numerous iOS devices as well as an estimated 5 percent of all Android devices.


But the game's rapid rollout and breakaway success has also sparked some information security, physical security and privacy concerns.

For anyone who's not au courant with the game, it uses augmented reality to display virtual creatures - in real-world locations, called Pokestops - that players can capture, train and trade. While only "officially" available in Australia, New Zealand and the United States so far, the app has also seen massive use by people in Brazil, India, Great Britain, Mexico, Spain and Turkey, among other countries, reports market researcher SimilarWeb. While the app is "free," it also allows for microtransactions via "Pokecoins," which can be collected inside the game or purchased using real-world cash.

Regardless, this geocaching game - meaning it's tied to real-world locations - is earning plaudits for getting kids, and older players, off the living room couch and into the real world as they seek out Pokémon and then take aim, via their screen, using a virtual ball designed to capture the critters. And the augmented-reality technology is well-tested. It's from Niantic, a Google spin-off that makes Ingress, which is a massively popular multiplayer game that allows players on opposing teams to capture virtual portals that exist in places of cultural significance, such as parks, museums and a variety of other real-world locations that were submitted by Ingress users. Nintendo is an investor in both Niantic and the Pokémon Company, which receives about 30 percent of Pokémon Go's revenues, according to the Financial Times.

But Pokémon Go has already hit several security and privacy-related speed bumps, and not all of them are virtual.

Arrest Report: Armed Robbers Created Pokestop

In Pokémon Go, players can meet up to do virtual battle, and police in O'Fallon, Mo., say that a group of four individuals apparently used that feature to lure other players to remote locations with the intention of robbing them.

Police said they responded to an armed robbery report at 2 a.m. on July 10, and arrested four suspects - one of whom was a juvenile - who were in a BMW. They also said they recovered a handgun. The adult suspects have been identified as Shane Michael Baker, 18; Brett William Miller, 17; and Jamine James D. Warner, 18. "It is believed these suspects targeted their victims through the Pokémon Go smartphone application," police said. The three adult suspects have been charged with first-degree robbery - a felony - and each had their bail set at $100,000 cash.

Photo caption: Police in O'Fallon, Mo., have released photographs of three armed robbery suspects - from left: Michael Baker, Brett William Miller and Jamine James D. Warner - accused of using Pokémon Go to lure victims.

Responding to queries about how the suspects allegedly employed the app, the police department said via its Facebook page: "The way we believe it was used is you can add a beacon to a Pokestop to lure more players. Apparently they were using the app to locate [people] standing around in the middle of a parking lot or whatever other location they were in."

Police said that the functionality is a reminder to not give away one's location to strangers. "If you use this app - or other similar type apps - or have children that do, we ask you to please use caution when alerting strangers of your future location," police said.

Capturing Users' Google Data

Meanwhile, multiple security researchers have been warning that the Pokémon Go app has access to many more device permissions than it requires, thus posing a privacy risk. Some information security experts - such as Veracode CTO Chris Wysopal - have even been urging users to create "burner" Apple or Google accounts that get used only with the game.

Tweet, July 12, 2016: "If you are on iOS create a throwaway Google account to use with #PokemonGO, otherwise the game has access to your full Google account."

What specific privacy risks face Pokémon Go users? Security researcher Adam Reeve, a principal architect at security analytics platform RedOwl, on July 8 warned that Pokémon Go requires full access to a user's Google account, thus giving the app the ability to read a user's email, send email using their identity, access and delete all Google drive documents, review a user's search history, access private photos stored in Google Photos and more.

Photo caption: The augmented-reality game Pokémon Go requires users to enable location sharing for the app.

"Now, I obviously don't think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness," Reeve said.

Niantic has responded to Reeve's warning, confirming on July 11 that the iOS version of its app has been requesting full access permission for a user's Google account, due to coding errors. In a statement provided to gaming news site Polygon, Niantic says it's been "working on a client-side fix" that will restrict the data the app can see to only be a user's Google user ID and email address, which it says is all the app requires. "Google has verified that no other information has been received or accessed by Pokémon Go or Niantic," Niantic says. "Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."

Trojanized Apps Appear

Less than 72 hours after Pokémon Go was first released, attackers had already Trojanized a legitimate version of the free Android app to include malware and potentially released it via unofficial, third-party app stores, warn researchers at security firm Proofpoint.

The malicious Android application file "was modified to include the malicious remote access tool called DroidJack - also known as SandroRAT, which would virtually give an attacker full control over a victim's phone," the researchers warn in a blog post. While the app was spotted in a malicious-file repository service, they say, it's unclear how many people, if any, have actually installed this or some other Trojanized version of the app.

When the Trojanized Pokémon Go first appeared, the app had yet to be made officially available outside of the three aforementioned countries. But gaming websites had begun publishing instructions about how users could download the app, including by side-loading it - bypassing Google's official app store - to install it. Anyone who installed a backdoored version, however, would likely be unaware, Proofpoint says, since it appears to behave normally, even when it's attempting to phone home to a command-and-control server. "In the case of the compromised Pokemon Go APK we analyzed, the potential exists for attackers to completely compromise a mobile device. If that device is brought onto a corporate network, networked resources are also at risk," they note.

Anyone feeling the Pokémon Go "gotta catch 'em all" fever should stick to "officially vetted and sanctioned corporate app stores ... [which] have procedures and algorithms for vetting the security of mobile applications," Proofpoint recommends.

Breach Response: Investigations, Prosecutions and What to Do

Category: Security News

Business Email Compromise and Account Takeover - An Easy Backdoor to Corporate America's Funds

Category: Security News

More Articles …

  1. EMV Rolled Out and Liability Shifted: Restaurant Fraud Emerged from the Shadows
  2. The Vulnerability of Systems: The Importance of Infrastructure and Changing the Conversation
  3. Obama Sees Need to Improve Federal Government IT Security
  4. Commenters Weigh In on Clinton's Email Practices