News in Brief
USDS additions, Google dorking and more
Naming names at USDS
U.S. Deputy CIO Mikey Dickerson is moving quickly to build the U.S. Digital Service team -- and tapping some familiar federal IT talent in the process.
In an Aug. 29 blog post on WhiteHouse.gov, Dickerson announced that the Office of Science and Technology Policy's Erie Meyer and Vivian Graubard had joined USDS, along with White House Senior Technology Adviser Haley Van Dyck.
Dickerson also announced two recruits from the private sector: Fuse Corps CEO Jennifer Anastasoff and Google software engineer Brian Lefler. And he praised the Office of Management and Budget's existing e-government team, saying those individuals' "expertise and knowledge about IT delivery within government has really helped us hit the ground running."
Former FCC chairman named to Intelligence Advisory Board
President Barack Obama tapped his old law school classmate and former chairman of the Federal Communications Commission to serve on the President's Intelligence Advisory Board. Julius Genachowski currently works as a managing director of the Carlyle Group, a private equity firm.
The board advises the president on intelligence activities and the organization and management of intelligence agencies. Its members all work outside the federal government. Other new appointees include James Crown, president of a private investment company; Scott Davis, chairman and CEO of United Parcel Service; Jamie Dos Santos, chairman and CEO of Cybraics and formerly CEO of Terremark Federal Group; Shirley Ann Jackson, president of Rensselaer Polytechnic Institute; and Neal Wolin, former deputy secretary of the Treasury and a onetime special assistant to three different CIA directors.
DHS warns against dangers of 'Google dorking'
Beware the Google dork, said the Department of Homeland Security in an unclassified but restricted memo sent to law enforcement and private-sector security groups in July.
The DHS memo, posted on the Public Intelligence open-source website on Aug. 28, warns that advanced search techniques can allow malicious actors to locate information on organizations' websites that is not intended to be public and find website vulnerabilities that can be used for later cyberattacks.
By searching for specific file types and keywords, malicious cybercreeps can locate usernames and passwords, email lists, sensitive documents, bank account details, and website vulnerabilities, DHS said.
"'Google dorking' has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities," the memo states. The practice is also known as Google hacking.
According to the memo, last October, unidentified attackers used Google dorking to find websites running vulnerable versions of a proprietary Internet message board software product and wound up compromising 35,000 websites and creating new administrator accounts. The memo added that the Diggity Project, a free online tool suite, enables users to automate Google dork queries.
Along with recommending that website owners minimize the sensitive information they host, DHS pointed to an online tool that can help sniff out Google dorks.
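The memo's two recommendations, host less sensitive material and check what a search engine could surface, can be turned into a routine self-check a site owner runs over their own document root before content goes live. The script below is an added example written for this brief, not a tool from DHS, the Diggity Project or the article; the list of file types and the credential-like keywords it looks for are illustrative assumptions, and the sample directory tree it builds is constructed for the demo.

```python
# Added example (not from the DHS memo or the article): a self-audit that a
# site owner can run over their own document root to find the kinds of files
# that search-engine "dorking" queries are built to surface, i.e. backup,
# config and database dumps, plus text files containing credential-like
# keywords. Extensions and keywords below are illustrative assumptions.
import re
import tempfile
from pathlib import Path

# File types commonly left world-readable by mistake (assumed list)
SENSITIVE_EXTENSIONS = {
    ".sql", ".bak", ".old", ".env", ".ini", ".conf", ".cfg",
    ".log", ".pem", ".key", ".csv", ".xls", ".xlsx",
}
# Keywords whose presence in a served text file warrants review (assumed list)
SENSITIVE_KEYWORDS = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|account\s+number|iban)\b"
)


def audit_web_root(root):
    """Walk a document root and return a sorted list of (relative path, reasons)
    for files a public search engine should never be able to index."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in SENSITIVE_EXTENSIONS:
            reasons.append("sensitive file type " + path.suffix.lower())
        # Keyword scan; binary files are tolerated by ignoring decode errors
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            text = ""
        hit = SENSITIVE_KEYWORDS.search(text)
        if hit:
            reasons.append("contains keyword '" + hit.group(0).lower() + "'")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_root(root):
    """Populate a directory with constructed sample content for the demo."""
    root = Path(root)
    (root / "backup").mkdir(parents=True, exist_ok=True)
    (root / "docs").mkdir(exist_ok=True)
    (root / "index.html").write_text("<h1>Welcome</h1>")
    (root / "backup" / "site.sql").write_text(
        "INSERT INTO users VALUES ('bob', 'x');")
    (root / "docs" / "handbook.txt").write_text("Wifi password: changeme")
    (root / "docs" / "press.txt").write_text("Public press release text.")
    return root


def run_demo():
    """Create a throwaway sample tree, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return audit_web_root(tmp)


if __name__ == "__main__":
    for rel, reasons in run_demo():
        print(rel, "->", "; ".join(reasons))
```

Running it on the constructed tree flags `backup/site.sql` for its file type and `docs/handbook.txt` for the word "password", while the HTML page and the press text pass. The point is to catch material before a crawler does: once a file has been indexed, removing it from the server does not remove it from search results or caches, so the audit belongs in the publishing workflow, not in incident response.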
A very real threat to virtual systems
Malware innovators are evading automated analysis on virtual machines, forcing agencies to secure virtual machines and networks as intensely as other classic IT, GCN reports.
"One of the more recent exploits involves attacks that are designed to wait out the automatic malware detection and analysis defenses that are increasingly being built into virtual systems," GCN reports, citing a recent Symantec study. "Some trojans will simply wait for multiple mouse clicks to occur before they decrypt themselves and start up their payload, and that can make it all but impossible for automated systems to come to any timely conclusion about the threat."
FTC doles out prizes to robocall fighters
The Federal Trade Commission is on a mission to squelch recorded marketing calls and is asking hackers for help.
The agency announced three winners from a contest dubbed Zapping Rachel, held earlier this month at the DEF CON 22 conference in Las Vegas. Participants were challenged to design a honeypot to attract robocalls in order to analyze the identity spoofing and other techniques used in the marketing scams, to develop methods robocallers might use to avoid detection and to use data from existing honeypots to predict which calls are robocalls.
Jon Olawski won the honeypot-building competition. Jan Volzke took the prize for developing attack methods, while Yang Yang and Jens Fischer built the winning robocall detection algorithm. The prize pool, including two honorable mentions, totaled just over $12,000.