Arlington, VA

Arlington’s cybersecurity division is staffing up and training county employees in preparation for a growing wave of cyber attacks.

The Security, Privacy, Records and Regulatory Affairs division of the county’s Department of Technology Services reportedly blocked 90,000 virus and malware attacks last year, according to next year’s budget proposal.

The department said the number of attacks is expected to rise to 150,000 this year and continue to 200,000 by next year.

“The increase in viruses and malware blocked is due to increased detection efforts by additional security platforms… and an overall increase in security attacks,” the document read.

“We’re in a risk-reduction activity,” Richard Archambault, who helms the division, told ARLnow in a phone interview this week. “We’re not in a risk-elimination activity. We can’t prevent these things from happening. Someday everybody gets hacked.”

The department has asked for $60,000 to train all county employees in security best practices, especially how to avoid clicking on phishing emails, which can introduce malware.

“The reason this cadence [of training] is so important is that these emails get more and more sophisticated every month,” Archambault said during a March presentation at the Metropolitan Washington Council of Governments.

“If we’re not constantly bringing people up to speed on where the threat actors are, we’re behind,” he added.

Archambault also added a new senior engineering role that junior staff can rise to: a bid to help with retention in an area hungry for cybersecurity professionals.

“One great part about working with a governmental entity is access to professional development across the region,” he said of Arlington’s location. “In most private sector companies, outsiders are competitors or customers. In government, there is a tremendous amount of cooperation and shared learning. This is fertile ground for growth as a cybersecurity practitioner.”

Local governments nationwide are also sharing lessons learned from a type of malware called “ransomware” that can hold data hostage until a “ransom” is paid, usually in bitcoin.

Ransomware attacks locked down Atlanta’s public computers, online bill payments, and airport wifi last year, and other hackers gained access to Dallas’ tornado sirens. All told, out of 2,216 security breaches found by a 2018 Verizon report, 304 affected public entities.

“Some of the basic things that they should have been doing to be prepared to recover were not done,” Archambault said of Atlanta. “In the most recent instance their backups were accessible to the hackers — so the hackers ransomed their primary data and their backups.”

Archambault said he was unable to share details about Arlington’s preparations for security reasons, and also said he was unable to comment on whether the county had ever been ransomed.

He did say the county purchases cybersecurity insurance.

After the attacks in Atlanta, Arlington’s then-chief information security officer David Jordan said “it’s going to be even more important that local governments look for the no-cost/low-cost, but start considering cybersecurity on the same level as public safety.”

“A smart local government will have fire, police and cybersecurity at the same level,” Jordan added.

Archambault told ARLnow that one of his “key priorities” since joining the office five months ago has been to create “an umbrella Privacy Policy for the County,” to “harmonize” the policies of the county’s many departments with one another.

County spokeswoman Shannon Whalen McDaniel said Arlington is planning awareness events in October, which is National Cyber Security Awareness Month.

In the meantime, the division offered a few security tips for residents wanting to keep their own data safe from hackers:

  • “Ensure your devices are set up to automatically install software updates and security patches. You may have bad memories of patches that were recalled or rolled back by various vendors. Those mistakes are far less frequent and the additional benefits of frequent patching now outweigh the drawbacks of the occasional bad patch.”
  • “Don’t place your Wi-Fi router somewhere it can be seen easily from a window. Anyone peeking in might see your network name and password and then – they’re in. Change your Wi-Fi network password from time to time, but keep using strong passwords!”
  • “Use a password locker application. We often tell people not to use the same username and password across different websites, but we don’t always do a good job telling people how to keep all the resulting username and password data organized (pro tip: not on paper and not on your desk!) There are great password locker applications that will automatically memorize your passwords and even autofill password forms on web pages.”


Amazon.com is famous for what cybersecurity expert Frederic Lemieux calls its “known resilience” to cyberattack.

But there have been breaches recently, and we can expect the tech giant to become an even more inviting target in the future. “As Amazon is growing, it will have more of these risks,” says Lemieux, Ph.D., faculty director of Georgetown University’s master’s programs in Applied Intelligence and Cybersecurity Risk Management.

Here, in conversation with Assistant Dean Joshua Meredith, Lemieux also predicts that when Amazon builds a new headquarters in Crystal City, Va., it will suck up much of the region’s cybersecurity talent. And that will make it harder for the federal government and smaller businesses to compete for skilled workers.


It might seem odd that the consulting firm Accenture would open a second Arlington office in Rosslyn, just a 10-minute drive from its current location in Ballston and a brief Metro ride away from its office in D.C.

But company executives believe Arlington’s pool of talented tech workers is so deep that such a move makes perfect sense — and state leaders are hoping tech giants from Apple to Amazon are similarly swayed by the strength of the county’s workforce.

Gov. Ralph Northam (D) and Rep. Don Beyer (D-Va.) helped Accenture christen its new “cyber fusion center” inside the new CEB Tower at Central Place (1201 Wilson Blvd) today (Wednesday), hailing the company for its plans to create 1,000 high-paying tech jobs in the D.C. region by 2020.

Marty Rodgers, Accenture’s metro D.C. office managing director, says the firm ultimately plans to have 4,500 employees at its Arlington locations alone, and they’ll have plenty of company. As of last year, the Bureau of Labor Statistics estimates that more than 17,000 people in Arlington work in IT-focused jobs, and Rodgers adds that 185 cybersecurity startups in the area won outside funding in 2017.

Observers have speculated that those numbers are part of why Jeff Bezos and Tim Cook are eyeing Arlington so closely for expansion. Northam hopes they’re right.

“I’ve always been a big believer that if we bring talent to the area, talent will attract other talent,” Northam told reporters Wednesday. “We’ve made that pitch and we’re excited about that opportunity, and we’ve had those discussions with Amazon. But whether it’s Amazon or Apple or any other company, in order for them to grow or come here, we’ve got to be able to train our workforce.”

Northam credits his predecessor, ex-Gov. Terry McAuliffe, for putting a focus on tech training programs at both the higher education level and in K-12 schools. But it also helps that many of those workers have gained experience in the area’s bevy of federal government tech jobs, making them even more attractive to companies like Accenture that do plenty of business in D.C.

“This is where all the talent is,” Rodgers said. “You need people who have that combination of experiences, with for-profits, with nonprofits, with government.”

Rodgers noted that those sorts of employees will be particularly important at the company’s new Rosslyn center. It’s designed as not only a cybersecurity research hub, but also as a meeting space for Accenture to help its clients, from governments to massive corporations, investigate cyberattacks in real time.

Accenture executives demonstrated for the gathered elected officials and journalists how the company might educate an oil and gas company about how to prevent a phishing attack on a refinery. After hackers tried, and failed, to blow up a Saudi Arabian refinery by breaking in to a company’s networks via a fraudulent email, company officials warned that such a scenario isn’t terribly far-fetched.

Rodgers believes the center will even be innovative enough to help the D.C. region become the top global destination for cybersecurity companies.

“This region is fundamental to cybersecurity for the country and the world,” Rodgers said. “This is a mantle we hope this cybersecurity fusion center can claim here, as compared to Silicon Valley.”


Arlington voters can rest easy that Tuesday’s primary contest will be safe from cyberattacks, as local and federal election officials alike tout the county’s sound methods for counting ballots.

County election administrators welcomed a contingent from the U.S. Department of Homeland Security today (June 12), who swung by to study how Arlington is managing its voting technology as the threat of foreign meddling continues to loom large ahead of the fall’s midterms.

County Registrar Linda Lindberg touted her office’s “practical and low-key approach” during the visit, noting that the county uses paper ballots for all its elections. Though it may seem like an antiquated approach in the age of smartphones, election security experts have increasingly urged localities to abandon electronic voting machines in favor of having a paper record of all ballots cast, should intruders find a way to breach their systems and attempt to alter vote totals.

“Arlington takes a very pragmatic and a keep-it-simple approach,” Chris Krebs, a senior DHS official focusing on cybersecurity, told reporters. “We need to continue that trend toward a voter-verifiable paper trail… That’s the progress that we’re seeing nationwide.”

Krebs says he’s spent the last few months making similar trips and sitting down with state and local officials to make sure they understand the cybersecurity risks associated with voting technology. He added that federal officials are hoping to offer any help they can to localities struggling with securing their systems, though he noted that Arlington doesn’t need much in the way of resources.

Lindberg says her office has all manner of “checks and balances” throughout the process of testing vote-counting machines to ensure that nothing is amiss before voters start showing up at the polls. She also noted that she’s set up a robust screening system for “spear phishing” attacks, after would-be hackers targeted elections officials in other states to try to trick them into clicking on fraudulent emails, giving them access to election systems.

“Arlington County actually has very strong, stringent controls in terms of the phishing attacks we’ve seen, mostly through emails,” Lindberg said. “We have good training, good screening of spam emails. In fact, important emails sometimes end up in my spam folder so you have to go back and look at that sort of thing.”

By and large, however, Krebs says DHS hasn’t seen the same sort of attacks on election officials that they did ahead of the 2016 election. But with intelligence leaders continuing to warn that Russian operatives could very well try to interfere with the midterms as a preamble to the presidential race in 2020, Krebs also doesn’t want to see local officials let their guard down.

“Even though we haven’t seen any activity the way we did in 2016 with direct threats to election infrastructure, we don’t need that direct threat,” Krebs said. “We take this issue very seriously.”


Sponsored by Monday Properties and written by ARLnow.com, Startup Monday is a weekly column that profiles Arlington-based startups and their founders, plus other local technology happenings. The Ground Floor, Monday’s office space for young companies in Rosslyn, is now open. The Metro-accessible space features a 5,000-square-foot common area that includes a kitchen, lounge area, collaborative meeting spaces, and a stage for formal presentations.

Several Arlington startups, including Clarendon-based Adlumin, attended the SXSW conference on technology, music culture and film more than a week ago in Austin, Texas.

Adlumin, a cybersecurity company that uses machine learning to track client behavior and sends alerts for suspicious activity, participated in an AED-organized panel called “War Games: From Battlefield to Ballot Box.”

The discussion touched on innovations and changes in the industry, including trends in how cyber attacks are being perpetrated that panelists have encountered. Adlumin’s CEO Robert Johnston was on the panel for his experience dealing with the cyber attacks in 2016 on the Democratic National Committee.

“[Rob’s] seen it go from really a complete use of malware to get into a network to now it’s really on more stealing credentials,” said Timothy Evans, co-founder and VP of business development of Adlumin. “It’s more along the lines of what nation states are doing to hack into networks. Your regular criminal hacker is acting much more like a nation state.”

“That is a real question — I think the U.S. citizens, we’re really concerned about what we’re doing to stop interference next year or this year in 2018,” he said, adding that there were at least six questions regarding efforts to prevent Russia from meddling in the 2018 midterms.

Andrea Limbago, chief social scientist at Endgame, a different cybersecurity company for enterprises also based in Clarendon, held a talk called “Bots, Trolls, Warriors & The Path Ahead” at SXSW. She discussed the intersection of policy and innovation needed to fight the bots and trolls.

Limbago said that the audience at her talk was engaging, which is something that she doesn’t always experience at tech conferences.

“It’s great having a growing tech community in Arlington, and then representing that out here [in Austin],” Limbago said.

Several other Arlington businesses were at SXSW, including Axios, Trustify, and Fortalice, said Cara O’Donnell, Arlington Economic Development’s public relations director.


Arlington Agenda is a listing of interesting events for the week ahead in Arlington County. If you’d like to see your event featured, fill out the event submission form.

Also, be sure to check out our event calendar.

Tuesday, March 13

Trivia Night: Are you smarter than a Catholic sister?*
Ireland’s Four Courts (2051 Wilson Boulevard)
Time: 6:30-9 p.m.

Test your pop culture and general knowledge against a team of Catholic Sisters, with drink specials and free appetizers. Prizes for top trivia teams.

Wednesday, March 14

Shaping Arlington for a Smart & Secure Future*
County Board Room (2100 Clarendon Blvd)
Time: 6-8 p.m.

Listen to a panel discussion on how technology will shape Arlington, featuring government and cybersecurity experts. A reception with light refreshments will also be held.

Arlington Committee of 100 Virginia Hospital Center Expansion*
Marymount University (2807 N. Glebe Road)
Time: 7-9 p.m.

The Committee of 100 is hosting a panel discussion on Virginia Hospital Center’s expansion, the county’s population growth and evolving community healthcare needs. Optional dinner served.

Thursday, March 15

Parenting Lecture: Parenting an Anxious Child
The Sycamore School (4600 N. Fairfax Drive)
Time: 7-8:30 p.m.

Dr. Christine Golden will discuss the challenges of parenting a child with anxiety and offer some helpful strategies for managing behaviors. The lecture is free to attend.

Friday, March 16

St. Agnes Soup Supper*
St. Agnes Catholic Church (1910 N. Randolph Street)
Time: 5:30-7 p.m.

The church will offer meatless soups and a noodle dish, and more every Friday during the Lenten holiday. Guests are invited to stay for confession and the stations of the cross afterwards.

Saturday, March 17

Whitlow’s St. Patrick’s Day Celebration
Whitlow’s On Wilson (2854 Wilson Boulevard)
Time: 9 a.m. – Close

Live Irish music and an open rooftop welcome you at Whitlow’s On Wilson’s St. Patrick’s Day celebration. Special Irish menu and March Madness games on the TVs all day.

WJAFC Open Day*
Virginia Highlands Park (1600 S. Hayes Street)
Time: 9 a.m. – 12 p.m.

A co-ed, free clinic to learn the Australian football game. Kids from 5-15 will learn starting at 9 a.m., with an adults clinic and co-ed non-contact game at 10:30 a.m.

Guinness and Gold*
Ten at Clarendon (3110 10th Street N.)
Time: 12-5 p.m.

Tour the Clarendon apartment building with a free Guinness and cash in on leasing deals. Leasing specials are subject to terms and conditions.

Wine Dinner*
Osteria da Nino (2900 S. Quincy Street)
Time: 6:30-10:30 p.m.

Join Tre Monti winery over a four course meal with five wines, including the Thea Passito 2012 Romagna Albana DOCG raisin wine. Tickets are $75 per person.

Yorktown High School Presents “Almost, Maine”*
Yorktown High School (5200 Yorktown Boulevard)
Time: 7-9:30 p.m.

Students will be performing John Cariani’s “Almost Maine,” about a remote, mythical town and the effect of the northern lights on the lovestruck residents. Tickets are $10.

Sunday, March 18

St. Joseph’s Table Celebration
St. Agnes Catholic Church (1910 N. Randolph Street)
Time: 1-4 p.m.

Join the church following the noon mass for a procession to celebrate this feast day with a potluck lunch, live music, and a kids woodworking shop.

*Denotes featured (sponsored) event


Cybersecurity currently is a frequently discussed but often misunderstood field. At Adlumin, though, it’s a well-understood topic that’s more than just a buzzword. The employees design solutions to identify and prevent potential breaches in clients’ networks.

Cybersecurity is a broad term, but the Adlumin team targets what co-founder and VP of business development Timothy Evans calls “the Edward Snowden problem,” when a seemingly authorized user enters part of the network they’re not allowed to access.

“I realized that corporate breaches were continuing to succeed because attackers were able to steal the identities of employees and use that identity to attack the infrastructure as if they were that person,” said Adlumin president and CEO Robert Johnston. “The problem we set out to solve is the identity access and management piece.”

A small breach such as a user figuring out a computer password can compromise an entire business structure because the illegitimate user often gains access to other accounts with locally-saved passwords, such as Gmail or Twitter.

“Eventually [an intruder can] end up with the keys to the entire kingdom and they can literally access any system or cloud resource they want,” Johnston said.

That’s what happened during the Democratic National Committee hack last year when more than 100 users’ private email accounts were accessed, Johnston said. He led the response effort to the DNC breach and said those hackers “were able to access the system as if they were a user.”

Adlumin’s software can “see” and monitor every single user on a client’s network, even on a global scale. It incorporates user behavior analytics — which Johnston said not all cybersecurity companies deal with — to determine if a network is in danger.

“Rob decided we needed to solve a hard problem, which is to find intruders in a network. They don’t use things like malware or ransomware, they’re in the network and they look like your legitimate users,” Evans said. “There’s only one way to find them and that’s based on their behavior patterns to determine whether they’re a real user or a fake user.”

Adlumin’s software monitors a business’ network 24/7 to detect changes in user behaviors. Evans explained that it uses artificial intelligence and machine learning to continuously update information about user habits. If the software detects a potential anomaly, it sends an alert. Think of it like a credit card company tracking a card user’s spending habits and sending a warning notification when an odd purchase occurs.

In addition to providing the monitoring software, Adlumin manages customers’ cyber infrastructure and training.

Clarendon-based Adlumin incorporated in June 2016 and was assisted by the Herndon-based Mach37 cybersecurity business incubator. It now has five full-time employees and plans further expansion this year.

“The Washington, D.C. metro area, and specifically Arlington, is an awesome place to do this business,” Evans said.

Noting the proximity to the country’s top intelligence agencies, Johnston said there’s “a lot of untapped human capital in this area” for cybersecurity.

As far as what’s in store for the future, Johnston said the Adlumin team will continue updating its software algorithms and wants to “dominate the identity and access management piece” of cybersecurity.


Morning Notes


Fmr. Arlington Resident John Glenn Dies — John Glenn, the first American to orbit the earth, has died at the age of 95. In an article first published in 2012, the Arlington Public Library blog recounted the five years that Glenn and his family lived on N. Harrison Street in Arlington. [Arlington Public Library]

Soon: Central Place Apartments, Restaurants — Residents are expected to start moving into the new Central Place apartment tower in Rosslyn at some point during the first three months of 2017. Restaurants coming to the ground floor of the building include Sweetgreen, Little Beet, Nando’s Peri-peri and McDonald’s, while Cava Grill and Compass Coffee have signed leases for the Central Place office tower. [Washington Business Journal]

Fort Myer Getting Drone Detector — Officials from Joint Base Myer-Henderson Hall said at a recent Arlington civic association meeting that the base is working to procure a drone detection system. The base commander said he’s worried about “miniaturized tools of terror, specifically drones carrying home-made bombs.” [Pentagram]

Video: Ovi Delivering Pizzas in Arlington — Okay, it’s just a commercial and didn’t really happen. But a new 30-second TV spot from Papa John’s imagines Capitals star Alexander Ovechkin delivering pizzas in Arlington in 2001 as he pursues a childhood dream to become “the best pizza delivery boy in the world.” [Russian Machine Never Breaks]

Local Startup Scores Big Military Contract — Clarendon-based cybersecurity firm Endgame has won an $18.8 million contract from the U.S. Air Force. It’s believed to be “one of the largest endpoint protection software purchases in the Air Force’s history.” [Fedscoop]

Startups Recognized By County — Arlington County recognized four of the county’s fastest-growing companies this week as part of its second-annual “Fast Four” competition. The honorees were the Nicecream Factory ice cream shop in Arlington, Ballston-based Deep Learning Analytics, Clarendon consulting firm Enterprise Knowledge and Ballston-based software company Convoke. [Arlington County]


Cybersecurity breaches cost companies billions of dollars each year, and according to research from IBM Security, the vast majority involve human error. Security training is the best way to combat such errors, but getting employees excited about cybersecurity can be a challenge.

“Like a great many businesses, Ataata was born out of a simple question,” said Michael Madon, CEO of the Arlington company. “After sitting through another series of security awareness training courses for my job, I wondered, ‘Why does security training have to be so long and boring?'”

“I realized that security awareness training doesn’t have to be miserable,” Madon added.

The name Ataata is a Maori word meaning “video” — and that’s just what the company offers. Ataata’s interactive security awareness videos are available through a data-driven online and mobile platform. The videos work with computers, smart phones and tablets, meeting employees on whatever device they use.

All industries are vulnerable to human error, but Madon said Ataata “is the antidote to human error” because it gives employees incentive to care about cybersecurity.

“Through innovative approaches to increasing employee engagement, Ataata will set the standard for awareness training and dramatically reduce risks of cyber breaches caused by human error while significantly lowering training and clean-up costs,” Madon said. “We do this through employing an interactive, gamified and data-driven training platform offering our clients an analytic engine that transforms engagement data into actionable information — replacing guess work with deep understanding.”

Madon added, “we believe to maximize engagement, the experience should be compelling, informative, participatory [and] applicable. To that end, Ataata creates and curates interactive videos to boost engagement.”

Ataata users have a 90 percent cybersecurity training completion rate versus 50 percent for traditional cybersecurity training videos, Madon said. In addition, Madon said users are three times as engaged in Ataata videos as in traditional videos, with longer view times, increased interactions and more sharing.

Just six months after launching, Ataata announced in late June that it closed its series seed preferred funding round led by ARRA Capital with participation from additional investors. Moving forward, the company plans to use funds to drive ongoing creative and technology development and bring its “best-in-class” proprietary content and software to market.

And how did Ataata end up in Arlington? “Arlington chose me,” Madon said. 

Madon was a founding member of Crystal City-based 1776, a global incubator and seed fund. He was looking for a space outside the District with a more cyber focus, and Arlington was an obvious choice.

A tech company with offices in Arlington has raised more than $21 million in its latest round of financing.

Distil Networks, a startup that wages war on online bots, announced the sum of its Series C fundraising period earlier today. The company said it has raised $65 million to date.

The firm will use the money to “bolster global marketing and sales efforts, strengthen core offerings, and double the current workforce over the next 12-18 months,” according to a press release.

Currently headquartered in San Francisco, Distil Networks builds tools to thwart malicious online bots that “are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, account takeovers, competitive data mining, online fraud, and downtime,” the release said.

The company’s clients include Thomson Reuters, Yelp, Staples, easyJet and Stubhub.

More from the Distil Networks press release:

Distil Networks, Inc., the global leader in bot detection and mitigation, today announced that it has closed $21 million in Series C financing. The funding included participation from Silicon Valley Bank and existing venture investors Bessemer Venture Partners, Foundry Group, and TechStars. The new round brings Distil’s total funding to $65 million to date. The company plans to use the investment to bolster global marketing and sales efforts, strengthen core offerings, and double the current workforce over the next 12-18 months. 

Bad bots are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, account takeovers, competitive data mining, online fraud, and downtime. Distil’s 2016 Bad Bot Landscape Report confirms that bots are gaining sophistication, finding that 88 percent of all bad bot traffic has one or more characteristics of an Advanced Persistent Bot (APB).

“As bots learn to better mimic human behavior and become harder to detect, solutions must innovate rapidly to thwart attacks,” said Rami Essaid, CEO and co-founder of Distil Networks. “Our investors understand the enormous challenge that web properties face when it comes to defending proprietary information while maintaining a positive user experience, and they have chosen to support Distil in our pursuit to create a safer web. With this round of funding, we are looking forward to building upon our momentum and continuing to lead the market with our advanced protection against bot activity.”

Since closing Series B financing in June of 2015, Distil has hit several key milestones, including:

  • Launching Distil API Security to reduce risk and downtime across critical API attack vectors.
  • Acquiring ScrapeSentry and their expert team of analysts to provide real-time, proactive website traffic analysis, customized reporting, and engineering assistance to enterprise customers.
  • Securing 100+ enterprise customers, including B&H Photo, Wayfair, and Glassdoor.
  • Expanding global reach with office opening in London and growing total employee headcount to 140, with built out teams in managed services, support, and data science.

“Since I joined the board of Distil, I’ve been continually impressed by the company’s ability to develop new products, streamline deployment, and exceed sales objectives,” said David Cowan, partner at Bessemer Venture Partners. “Naturally, I was eager to double down.”

Advanced Persistent Bots (APBs) have several advanced capabilities such as mimicking human behavior, loading JavaScript and external resources, cookie support, browser automation, and spoofing IP addresses and user agents. Their persistency aspect comes from their process for evading detection. For example, an APB might use 1000 IP addresses to make one request each, instead of one IP address to make 1000 requests, rendering impotent IP-centric defenses. According to Gartner, “fraudsters are also spreading their attacks over thousands of IP addresses — many of which are purposefully chosen to originate in locations that appear legitimate (for example, in the same geographic area that a target victim lives in). They are also slowing down their scripted attacks to move at the pace of an average human.”

Arlington County has plugged a vulnerability in its automated services system for homeowners, after the vulnerability was brought to officials’ attention by ARLnow.com and a local IT services provider.

The vulnerability was in a phone system and website used by the Arlington Dept. of Environmental Services to automate waste pickup scheduling and water service changes.

The phone system would allow a caller to enter either an account number or their address. When one entered an address, however, the system would then provide that homeowner’s name and account number.

With the account number, one could theoretically go online and shut off the home’s water service, or order a big pile of mulch to be delivered to their yard and billed to their account.

ARLnow.com tested the vulnerability and came one click away from sending a big mulch pile to the front yard of a national media personality who lives in Arlington. Through a spokeswoman, that individual declined to comment or be identified in this article.

Within a week of ARLnow.com notifying the county, the automated phone system had been taken offline — callers now only have the option of speaking to a customer service representative — and some account number fields were removed from online forms.

“Our approach is customer-focused and to make it convenient for residents to make service requests, order mulch and report problems through the County website or by telephone,” said Dept. of Environmental Services spokeswoman Jessica Baxter. “It is a philosophy our customers value based on their feedback.”

“To date, we have not had a problem with people misusing the system,” Baxter continued. “As with any system, we are always looking for ways to improve while balancing the needs of our customers. Thanks for bringing this matter to our attention.”

Alexander Chamandy, the founder of Arlington-based IT services firm Envescent, LLC, was the first to spot the vulnerability.

“I discovered this unauthorized information disclosure issue by accident when scheduling a curbside pickup with Arlington,” he said. “It was disconcerting that one’s account information, name, address and other details could be shared with an unauthorized party. Because identity theft and data breaches are on the rise I felt it was important to alert ARLnow.com and Arlington County.”
