News in Brief

Malware warning, good and bad news on contracting, and more

gloved hands

US-CERT warns of malware for firms with remote desktop access

In a July 31 advisory, the U.S. government's computer security watchdog warned that businesses are vulnerable to malware being used to extract consumer payment data.

Suspects are hacking into companies that use remote desktop access and then deploying the point-of-sale (POS) malware known as Backoff, said the Department of Homeland Security's U.S. Computer Emergency Readiness Team.

As of July 31, antivirus vendors were mostly unable to detect variants of Backoff, but that will soon change, according to US-CERT. Those vendors will "quickly begin detecting the existing variants, [so it is] important to maintain up-to-date AV signatures and engines as new threats such as this are continually being added to your AV solution," the advisory states.

US-CERT recommends a slew of remedial actions that companies can take to guard against the malware, including limiting the number of users who can log in using a remote desktop program.

"The lessons to learn from the latest retailer breaches are: Don't expose critical systems such as POS devices to the Internet, especially if you are running [Microsoft] Remote Desktop or similar," said Jaime Blasco, director of AlienVault Labs, in a statement.

Small-business contracting on target

Federal agencies hit the government's small-business contracting goal for the first time in eight years in fiscal 2013, according to the Small Business Administration.

SBA's latest study of small-business contracting shows that federal agencies awarded 23.39 percent of federal contracts to small businesses last year, totaling $83.1 billion. The federal government aims to award 23 percent of its contracts to small businesses but has fallen short for almost a decade.

SBA said performance in four out of five of the small-business prime-contracting categories showed significant improvement, with increases in performance against statutory goals.

The Small Business Procurement Scorecard provides an assessment of each agency's achievement against its goal, with 20 agencies receiving an A or A-plus. Overall, the federal government received an A.

GAO: Grants and loans get lost in the shuffle

Although federal agencies are dutifully reporting their required contract expenditures on the website set up by the Office of Management and Budget to gather data on annual spending, they're not adequately reporting billions of dollars distributed through grants and loans, according to a Government Accountability Office study.

Those grants and loans totaled more than $600 billion in fiscal 2012. Auditors said 33 of 37 agencies with a budget authority of at least $400 million reported at least one contract. The remaining four claimed exemptions from reporting, such as the use of non-appropriated funds, GAO said. OMB's guidance on the issue is not clear on whether such exemptions are appropriate, according to the report.

"Few awards on the website contained information that was fully consistent with agency records," the report states. GAO estimated that only 2 percent to 7 percent of the awards contained information that was fully consistent with agencies' records for all 21 data elements auditors examined.

GAO recommended that OMB clarify guidance on reporting award information and maintaining supporting records, and on developing and implementing oversight processes to ensure that award data is consistent with agency records.

Pentagon comes up short on innovation, says report

The Defense Business Board, a private-sector advisory group, said the Defense Department could do a lot better at innovating.

In a recent report titled "Innovation: Attracting and Retaining the Best of the Private Sector," the board said the acquisition process was riddled with barriers to entry, reported Washington Technology, an FCW sister publication.

Among the report's recommendations is that the Pentagon focus on output-based performance rather than input-based design requirements to help prevent the quality of projects from dropping along with agency budgets.

Reader comments

Mon, Aug 4, 2014

"The lessons to learn from the latest retailer breaches are: Don't expose critical systems such as POS devices to the Internet, especially if you are running [Microsoft] Remote Desktop or similar," said Jaime Blasco, director of AlienVault Labs, in a statement.

Kind of hard to avoid Remote Desktop when most places do not have a true computer nerd running herd on the computers and use the default, microsoft approved, AUTO-UPDATE feature which installs the remote desktop software. I keep trying to avoid downloading/turning it on, but microsoft (if my memory is correct) has changed the title of the update from remote desktop to something like 'important windows update', making it seem like it is fixing another 'feature' (bug) that is no longer hidden, which means I have to go look at all the hidden blurbs that use to be out in the open.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above