Georgia Tech Procurement Assistance Center


Bad bid: Malicious actors target government contractors

September 12, 2019 By Andrew Smith

IT personnel working the trenches in the fight against malicious emails know that financial transactions — and the various documents that support and accompany those transactions — provide malicious actors seemingly endless fodder for clever phishing attacks designed to separate legitimate organizations from their money and reputations, as well as their customers, clients, and partners.

Indeed, fake invoices, RFQs, POs, ACH documents, and remittance forms collectively constitute the “social engineering” backbone of innumerable phishing campaigns.  And hapless employees keep falling for them, clicking through malicious links and opening malware-laden attachments — often with nary a thought to the potential consequences — bringing malicious actors and their sophisticated malware inside their employers’ networks.

Over the past few months we have observed the increasing use of yet another type of transaction-based social engineering scheme designed to hook companies dependent on government contracts: the invitation to bid.  In what follows, we’ll take a look at a number of actual phishing emails reported to us by customers using the Phish Alert Button (PAB).

Continue reading at:  SC Magazine

Filed Under: Contracting Tips Tagged With: cyber crime, cybersecurity, fake purchase orders, fake RFQs, phishing

CBP reportedly suspends subcontractor over cyberattack

July 16, 2019 By Andrew Smith

The US Customs and Border Protection has reportedly suspended a subcontractor following a “malicious cyberattack” in May that caused it to lose photos of travelers into and out of the country.  Perceptics, which makes license plate scanners and other surveillance equipment for CBP, has been suspended from contracting with the federal government, The Washington Post reported Tuesday.

On June 12, CBP had confirmed that in violation of its policies, a subcontractor had “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”  The subcontractor’s network was then compromised by a cyberattack that affected under 100,000 people who entered and exited the US in a vehicle through several specific lanes at one land border during a 1.5-month period.

Continue reading at:  CNET News

Filed Under: Contracting News Tagged With: Customs and Border Protection, cyber crime, cyber incidents, cyberattack, cybersecurity

Facing Chinese cyberthreat, Pentagon to bake better contractor security into buying decisions

July 5, 2018 By Andrew Smith

In the wake of reports China hacked a Navy contractor for sensitive data on submarine warfare, Pentagon officials said they want to build better security into the military’s acquisitions process to better protect the defense industry from Beijing’s tampering.

But it’s unclear whether the defense industry has bought into the nascent effort.

“It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities,” Deputy Under Secretary of Defense for Intelligence Kari Bingen told lawmakers on June 21st.

“We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”

Keep reading this article at: https://www.fifthdomain.com/congress/2018/06/21/pentagon-to-bake-better-contractor-security-into-buying-decisions/

Filed Under: Contracting News Tagged With: cyber, cyber crime, cyberattack, cybersecurity, cyberthreat, data breach, DoD

Security tips for choosing and using passwords

April 12, 2018 By Andrew Smith

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase: some applications limit the length of passwords, and some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it – don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Do use the longest password or passphrase permissible by each password system.
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)
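
The checklist above, written as a small self-audit that returns which rules a candidate password breaks (an added example, not part of the original tip; the function names, the tiny stand-in wordlist, the made-up personal facts and the use of 16 characters as the minimum are assumptions of this example):

```python
import re

# Constructed stand-in for a real wordlist; a real audit would load a large one.
SAMPLE_WORDS = {"date", "hoops", "baseball", "pattern", "password"}
# Common character swaps that dictionary-attack tools undo automatically.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _alnum(text):
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _base_word(candidate):
    """Strip edge digits/punctuation, undo character swaps, keep letters only."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())
    return re.sub(r"[^a-z]", "", core.translate(SWAPS))


def audit_password(candidate, personal_facts=(), in_use=(),
                   words=SAMPLE_WORDS, min_len=16):
    """Return the list of checklist rules the candidate breaks (empty = none).

    personal_facts: strings such as a birthday or phone number (hypothetical input).
    in_use: passwords already used on other accounts, as a password
            manager's reuse check would see them.
    """
    findings = []
    if len(candidate) < min_len:
        findings.append("too-short")
    if candidate in in_use:
        findings.append("reused")
    plain = _alnum(candidate)
    for fact in personal_facts:
        whole = _alnum(fact)
        pieces = re.split(r"[^a-z0-9]+", fact.lower())
        tokens = {p for p in pieces + [whole] if len(p) >= 4}
        # Flag a fact embedded in the password, or a short password
        # (e.g. a PIN) lifted out of the fact.
        if any(t in plain for t in tokens) or (len(plain) >= 4 and plain in whole):
            findings.append("personal-info")
            break
    if _base_word(candidate) in words:
        findings.append("dictionary-word")
    return findings
```

Swapping characters in a dictionary word (“P@ssw0rd!”) is still reported as a dictionary word, because the swaps are undone before the lookup.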

How to protect your passwords

Now that you’ve chosen a password that’s easy for you to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center (NCCIC) – https://www.us-cert.gov/ncas

Filed Under: Contracting Tips Tagged With: cyber, cyber crime, cyberattack, cybersecurity, cyberthreat, DHS, password, phishing

Atlanta man pleads guilty to cyber crime that cost a Kansas county $566,088

July 10, 2017 By Andrew Smith

An Atlanta-area man pleaded guilty last Thursday (July 6, 2017) to federal charges he was part of an e-mail spoofing scheme that cost Sedgwick County, Kansas more than $566,000, District of Kansas U.S. Attorney Tom Beall said.

George S. James, 49, Brookhaven, Georgia, pleaded guilty to one count of wire fraud.

In his plea, James admitted that on Oct. 7, 2016, Sedgwick County sent approximately $566,088 to his Wells Fargo bank account. James transferred part of the money he received from Sedgwick County to a bank account in Shanghai, China, and part of the money to an account at Deutsche Bank in Bremen, Germany. James also spent some of the money.

In his plea, James denied that the fraud scheme was his idea. He said that on Sept. 23, 2016, he was contacted by a person identified in court records as A.H., who asked to deposit some money into James’ account at Wells Fargo. James said he knew A.H. was engaged in fraud, but James denied knowing that Sedgwick County was the victim.

In his plea, James said it was A.H. – or someone working with A.H. – who sent an email to Sedgwick County on Sept. 23, 2016, purporting to be from Cornejo and Sons, LLC, and requesting the county send future payments to a new account number at Wells Fargo. On Oct. 7, 2016, the county sent $566,088 to James’ account at Wells Fargo. The county learned later that Cornejo did not request the change of account and did not receive the payment.

Sentencing is set for Sept. 21. James faces a penalty of up to 20 years in federal prison and a fine up to $250,000.

 

Source: https://www.justice.gov/usao-ks/pr/georgia-man-pleads-guilty-cyber-crime-cost-sedgwick-county-566000

Filed Under: Contracting News Tagged With: cyber crime, cyber incident, cybersecurity, financial fraud, fraud, wire fraud


Copyright © 2021 · Georgia Tech - Enterprise Innovation Institute