Wednesday, January 7, 2015

DHS: Oops! FOIA request nets sensitive info




Department of Homeland Security proudly proclaims the Mission on their site:

Safeguard and Secure Cyberspace
Circuit Board
The Department has the lead for the federal government for securing civilian government computer systems, and works with industry and state, local, tribal and territorial governments to secure critical infrastructure and information systems. The Department works to:
  • analyze and reduces cyber threats and vulnerabilities;
  • distribute threat warnings; and
  • coordinate the response to cyber incidents to ensure that our computers, networks, and cyber systems remain safe.





Apparently not all employees are applying those criteria to their work.  From Homeland Security NewsWire:


Critical infrastructureDHS releases the wrong FOIA-requested documents, exposing infrastructure vulnerabilities

7 January 2015


On 3 July 2014, DHS, responding to a Freedom of Information Act(FOIA) request on Operation Aurora, a malware attack on Google, instead released more than 800 pages of documents related to the Aurora Project, a 2007 research effort led by Idaho National Laboratoryto show the cyber vulnerabilities ofU.S. power and water systems, including electrical generators and water pumps. The research project found that once these infrastructure systems are infiltrated, a cyberattack can remotely control key circuit breakers, thereby throwing a machine’s rotating parts out of synchronization and causing parts of the system to break down.


A video of a live attack was featured on CNN in 2007. In 2013, Power Magazine described the scope of the Aurora vulnerability, saying it “affects much more than rotating equipment inside power plants. It affects nearly every electricity system worldwide and potentially any rotating equipment — whether it generates power or is essential to an industrial or commercial facility.”

Joe Weiss, a managing partner for Applied Control Solutions, who co-wrote the Power Magazine article, notes that only a few pages of the DHSdocuments released contained critical information. “Three of their slides constitute a hit list of critical infrastructure. They tell you by name which (Pacific Gas and Electric) substations you could use to destroy parts of grid. They give the name of all the large pumping stations in California.”

Launching an Aurora attack is difficult, but the documents released by DHS could certainly help a would-be hacker. ....


Read the rest here.  Don't know about you, but this news doesn't give me the 'warm and fuzzies' and makes me wonder how much other sensitive information has been handed to our enemies since July 2014.

Move along.  Nothing to see here.


No comments: