Unfortunately, Heartbleed has become a familiar term to many people across the country. It is a serious vulnerability, a weakness in the widely-used OpenSSL encryption software that protects the electronic traffic on a large number of websites and in scores of devices. Although new computer “bugs” and malware crop up almost daily, this vulnerability is unusual in how widespread it is, its ease of use, the potentially damaging information it allows malicious actors to obtain, and the length of time before it was discovered. As the administration has said, the Federal government was not aware of the vulnerability until it was made public in press reports.
It is important to note that it takes time to address this issue properly. As with the private sector, government agencies must analyze their systems to identify where they have the Heartbleed vulnerability, determine how to implement the appropriate response, and then ensure that they can implement the response without disrupting critical operations. Finally, the scope and scale of this vulnerability may continue to evolve as researchers and companies discover new places or devices that may be susceptible.
This analysis has informed how the Federal government has responded to this vulnerability since its public disclosure, working at an aggressive yet appropriate pace in our response and acting out of an abundance of caution. Working with other agencies, we have:
- Enabled our network defenses across the Executive branch to detect someone trying to use the exploit and in many cases to block those attempts
- Begun scanning government networks for this vulnerability to ensure that we know where it exists
- Issued technical alerts and mitigation steps through our National Communications and Cybersecurity Integration Center
- Engaged with our industry partners to discuss the threat posed by the vulnerability
As we conduct the scans of government systems and agencies conduct their own reviews, many government websites turn out to have never been vulnerable to Heartbleed because they did not use OpenSSL; in those cases, no further action is needed at this time. However, in those cases where agencies determine that a website or system could have been vulnerable to Heartbleed, they are taking the same steps as the private sector:
- Updating to secure versions of OpenSSL
- Re-issuing certificates for the website
- Requiring or asking users to reset their passwords, if the website permits users to log in, and alerting users on a website’s homepage to this fact.
- Reminding users not to use a new password on any site that has not clearly been patched.
We will continue to focus on this issue until government agencies have mitigated the vulnerability in their systems. And we will continue to adapt our response if we learn about additional issues created by the vulnerability. The government remains committed to protecting any personally identifiable information it holds and to upholding high standards of cybersecurity.
Posted by Dr. Phyllis Schneck, Deputy Under Secretary of Homeland Security for Cybersecurity and Communications
To date, tens of millions of passengers have enjoyed shorter screening times as a result of TSA Pre✓™.
Travelers interested in applying for TSA Pre✓™ should go here to begin the pre-enrollment process. All TSA Pre✓™ program applicants must then visit an application center, like the new center at Washington Dulles International Airport, in person to verify their identity and citizenship/immigration status as well as to provide biographical information (e.g. name, date of birth, address, etc.) and fingerprints. You can find a full listing of the more than 200 TSA Pre✓™ application centers here. TSA Pre✓™ is just one way we are moving away from one-size-fits-all security. But don’t just take our word for it.
- Dallas Morning News: Editorial: Making airline security less of a headache
- New York Times: PreCheck Meets Its Goal, and Prepares to Expand
- NJ Star Ledger: A less frustrating way to fly: Editorial
- USA Today: TSA expands Pre-check for the military
- Albuquerque Journal: Faster travel via new ABQ PreCheck office
- CNN: Keep your shoes, jackets on: TSA to expand pre-screening program
- FOX News: Your questions answered: Does TSA Pre✓™ really make security faster?
- Portland Tribune: Efficiency part of PDX flight plan
- WCCO-TV (Minneapolis): Is TSA Pre✓™ Status Worth It?
- Salt Lake Tribune: Salt Lake airport opens faster security line program
Posted by NCCIC Director Larry Zelvin
Information sharing is a key part of the Department of Homeland Security’s (DHS) important mission to create shared situational awareness of potential cybersecurity vulnerabilities. DHS, through our National Cybersecurity & Communications Integration Center (NCCIC), actively collaborates with public and private sector partners every day to make sure they have the information and tools they need to protect the systems we all rely on.
When a cybersecurity industry report was published three days ago about a vulnerability known as “Heartbleed” – affecting websites, email, and instant messaging – that can potentially impact internet logins and personal information online by undermining the encryption process, the Department’s U.S.-Computer Emergency Readiness Team (US-CERT) immediately issued an alert to share actionable information with the public and suggested mitigation steps. Subsequently, our Industrial Control System-Cyber Emergency Response Team (ICS-CERT) published information and reached out to vendors and asset owners to determine the potential vulnerabilities to computer systems that control essential systems – like critical infrastructure, user-facing, and financial systems. The National Coordinating Center for Communications (NCC) also provided situational awareness to communications sector partners for their review and action. Importantly, the Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat. We are continuing to coordinate across agencies to ensure that all Federal government websites are protected from this threat.
While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems. That is why everyone has a role to play in ensuring our nation’s cybersecurity. We have been working and continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary.
Today we’re also sharing some tips on steps you can take to protect your own personal cybersecurity and information online:
- Many commonly used websites are taking steps to ensure they are not affected by this vulnerability and letting the public know. Once you know the website is secure, change your passwords.
- Closely monitor your email accounts, bank accounts, social media accounts, and other online assets for irregular or suspicious activity, such as abnormal purchases or messages
- After a website you are visiting has addressed the vulnerability, ensure that if it requires personal information such as login credentials or credit card information, it is secure with the HTTPS identifier in the address bar. Look out for the “s”, as it means secure.
Cybersecurity is a shared responsibility and when we take steps to ensure our own cyber safety, we are also helping to create a safer Internet for others.
For more cyber resources and tips, please visit www.dhs.gov/stopthinkconnect
Posted by Maria Odom, Citizenship and Immigration Services Ombudsman and Chair of the DHS Blue Campaign
Today, Secretary of Homeland Security (DHS) Jeh Johnson joined key federal partners at the White House for a meeting of the Presidential Interagency Task Force to Monitor and Combat Trafficking in Persons where he highlighted the work of the DHS Blue Campaign, announced new interagency partnerships and highlighted the Department’s ongoing efforts to combat this heinous crime.
During the meeting, Secretary Johnson discussed the Department’s interagency engagement through the efforts of the Blue Campaign, and announced a new partnership with the Department of Education (ED)—working together to develop trafficking indicator training and other resources for school administrators, teachers, and staff. DHS has also been working closely with the General Services Administration to display human trafficking awareness materials in government-owned buildings across the United States.
Over the past year, DHS has focused an unprecedented level of resources and engagement on combating human trafficking through a victim-centered approach. Identifying and rescuing victims, however, is only the first step to end human trafficking.
In 2013, U.S. Immigration and Customs Enforcement (ICE) opened nearly 1,025 cases related to human trafficking, many with the help of the public, resulting in 816 convictions and the identification of more than 330 trafficking victims. Through the ICE Victim Assistance Program, specialists ensure that human trafficking victims are not only rescued, but provided with referrals for medical, mental health and legal assistance, as well as referrals for long term immigration relief, case management and other services.
DHS aims to provide support and assistance for immigrant victims of human trafficking. U.S. Citizenship and Immigration Services provides immigration relief in the form of T visas and U visas, allowing victims to remain in the United States and assist in the investigation or prosecution of the crime. These visas also provide a pathway to lawful permanent residence and permit certain family members to join them in the United States.
DHS and the Blue Campaign will continue our efforts to increase investigations and prosecutions of human traffickers, train more frontline law enforcement partners to recognize the indicators of human trafficking, and further improve victim services.
To learn more about DHS’ efforts to combat human trafficking and what you can do, visit www.dhs.gov/bluecampaign.
Last week marked the 100th day in office for Secretary of Homeland Security Jeh Johnson. Tomorrow Secretary Johnson will host a Twitter chat to discuss what he has seen in his first 100 days and highlight his priorities moving forward.
From travel to the southwest border, to meeting with international partners abroad on common homeland security issues, to his recent trip to Washington to view the ongoing response to the tragic mudslide last month, Secretary Johnson has been deeply engaged in the diverse missions of the Department. On top of all that, he also recently threw out the first pitch at Citi Field.
Tomorrow he looks forward to discussing these efforts and answering your questions.
Here's how you can participate:
- Starting now, ask Secretary of Homeland Security Jeh Johnson questions on Twitter using the hashtag #DHSchat.
- On Wednesday, April 9, at 1:00 p.m. EDT Secretary Johnson will begin to answer your questions.
- Follow the chat live on Twitter through the Department’s official Twitter account, @DHSgov and by following #DHSchat. Secretary Johnson’s responses will be tweeted from the @DHSgov account.
Be sure to follow @DHSgov on Twitter for the latest from the Department of Homeland Security and our component agencies. I hope you’ll join the conversation tomorrow at 1:00 PM Eastern.
Yesterday, Secretary Johnson and Federal Emergency Management Agency (FEMA) Administrator Craig Fugate traveled to Washington where they joined Washington Governor Jay Inslee, Senator Patty Murray, Senator Maria Cantwell, and Congresswoman Suzan DelBene to see firsthand the damage caused by the recent mudslide, and thank the responders.
Governor Inslee (left), Secretary Johnson, and FEMA Administrator Fugate (center) arrive in Oso, Washington. Photo courtesy of Governor Inslee’s office.
While on the ground in Washington, Secretary Johnson and Administrator Fugate were briefed on the ongoing recovery efforts. Secretary Johnson and Administrator Fugate met with responders from across government – an Urban Search and Rescue Team activated by FEMA, responders from the state of Washington’s Emergency Management Division, local firefighters and emergency responders from the surrounding community, and volunteers and local community members – many of whom had been on the scene within the first few hours of the tragic slide.
Tim Pierce, WTF1 Leader, Senator Cantwell, and Secretary Johnson (left to right) tour the site. Photo courtesy of FEMA Region 10.
Following the visit to the impacted area, Secretary Johnson made clear that the federal government will continue to stand with the community as the response and recovery continue: “DHS, FEMA and the entire federal government is here to support the Governor and his team. We were here shortly after the disaster occurred, we are here now, and we will continue to be here as the recovery goes on.”
Fire Chief Hots briefs Secretary Johnson. Photo courtesy of Governor Inslee’s office.
Secretary Johnson also met with many of the first responders working at the site of the devastating mudslide and flooding, and highlighted their heroic efforts: “The mudslide is an enormous tragedy, but the efforts by the first responders is an inspirational American story.”
Secretary Johnson thanks Rhonda Cook, a volunteer responder. Rhonda was among the first to arrive at the site of the mudslide, and was instrumental in bringing in search and rescue equipment. Snohomish County Executive Lovick is pictured at left. Photo courtesy of Governor Inslee’s office.
On March 24, President Obama approved an Emergency Declaration providing resources to support the state and local response following the mudslide. A FEMA Incident Management Assessment Team as well as an Urban Search and Rescue Incident Support Team were deployed immediately to support the search and rescue efforts and are still part of the response today. On Wednesday, April 2, at the request of the Governor, the President approved a Major Disaster Declaration for the State of Washington to supplement state, tribal, and local recovery efforts in the area, and providing federal funding to support affected individuals in Snohomish County, including the Sauk-Suiattle, Stillaguamish, and Tulalip Tribes. Assistance to eligible individuals can include grants for temporary housing and home repairs, loans to cover uninsured property losses and other programs to help place individuals and business owners on a path to recovery.
Secretary Johnson and Administrator Fugate met with search and rescue teams on site, including the New York Task Force 1 Canine Team and Hondo the dog. Photo courtesy of FEMA Region 10.
Due to the localized impacts of the disaster, FEMA is working closely with residents, tribal members and business owners who sustained losses in the designated area on a one-on-one basis. To learn more about FEMA Disaster Assistance, please visit fema.gov.
You can read more about Secretary Johnson and Administrator Fugate’s visit to Washington here.
Posted by Paulette Aniskoff, Deputy Assistant to the President and Director of the Office of Public Engagement at the White House
Here at the White House, we're getting ready for the first America's PrepareAthon!, a national day of action that will take place April 30, 2014.
Join us this Monday, April 7 at 1:00 p.m. ET to discuss America’s PrepareAthon!, a community-based campaign to build a more secure and resilient nation by getting people to understand what disasters could happen in their communities and to take action to increase their preparedness. Actions include signing up for mobile alerts and warnings, holding a preparedness discussion to emphasize the steps people should take to be ready should a disaster occur, and conducting a drill so people are familiar with what to do beforehand.
Join us for a Google+ Hangout to hear from the head of FEMA, an award-winning meteorologist, and leaders from across the nation who share a passion for getting prepared. I will moderate the live discussion.
- Craig Fugate, Administrator of the Federal Emergency Management Agency
- Mike Bettes, The Weather Channel’s award-winning meteorologist
- Cameron Clayton, President of the Digital Division for The Weather Channel
- Nancy LeaMond, Executive Vice President for AARP’s State and National Group
- Jesse Salinas, State Director for AARP Alabama
- Divya Saini, Block Preparedness Coordinator and founder of “Movers and Shakers”
- Chief Roy Acree, City of Smyrna, GA Fire Chief
- Boyce Wilson, Emergency Preparedness Planner for Heart of Texas Council of Governments
Join the conversation now by asking questions on Twitter using #PrepareAthon. And you can watch the Hangout live on Monday, April 7 at 1:00 p.m. by visiting the White House Google+ and YouTube pages. Live closed captioning is also available during the Hangout.
The PrepareAthon! campaign is directed as part of President Obama’s Presidential Policy Directive 8: National Preparedness. On April 30, and throughout the spring, America’s PrepareAthon! activities will focus on preparing individuals, families, workplaces, K-12 schools, institutions of higher education, houses of worship, and community-based organizations for tornadoes, hurricanes, floods, and wildfires.
- Be Smart: Know your hazards in your community. Download guides to learn how to prepare.
- Take Part: Plan activities and host an event locally on April 30.
- Prepare: Practice a drill or have a discussion about preparedness. Participation can include being a part of community emergency planning, hazard-specific drills, group discussions, and exercises.
Editor's Note: This was originally posted on the White House blog on Friday, April 4, 2014.
Yesterday, Secretary Johnson traveled to New York where he delivered remarks at the New York City Police Department (NYPD) SHIELD Conference. Secretary Johnson discussed the importance of the ongoing partnership between DHS and state and local law enforcement to confront a range of threats, before more than 450 representatives from the NYPD, stakeholders, security officers, business executives, and other partners.
Secretary Johnson speaks at the NYPD SHIELD Conference. Photo courtesy of the NYPD.
During his remarks, Secretary Johnson said, “The Department of Homeland Security has a special relationship with the NYPD and the people of New York City. It is critical that the Department of Homeland Security builds strong relationships with local law enforcement officials and community members. I am committed to seeing that relationship grow and flourish – not just during crises, but every day.”
Secretary Johnson answers questions from the audience with Commissioner Bratton and Deputy Commissioner John Miller. Photo courtesy of the NYPD.
Commissioner Bratton thanked Secretary Johnson, and presented him with an NYPD jacket. Photo courtesy of the NYPD.
Later on Wednesday, Secretary Johnson administered the Oath of Allegiance and spoke at a naturalization ceremony held at the U.S. Citizenship and Immigration Services New York District Office. Secretary Johnson, Acting Director of U.S. Citizenship and Immigration Services Lori Scialabba, and New York District Director Phyllis Coven welcomed 150 citizenship candidates from 56 countries as new U.S. citizens.
Secretary Johnson delivers remarks after administering the Oath of Allegiance. Photo courtesy of USCIS.
“To be in my hometown of New York, not far from Ellis Island and the Statue of Liberty, and welcome our newest citizens is indeed a great honor,” Secretary Johnson said. “Over the centuries, America has been enriched by the talents, diversity, cultures, skills, ingenuity, and values brought here by immigrants. I am proud of the accomplishments of these new Americans and of the men and women of our department who helped make this day happen.”
Four candidates for citizenship take the Oath of Allegiance during the naturalization ceremony. Photo courtesy of USCIS.
The new citizens naturalized during the ceremony hailed from: Albania, Antigua and Barbuda, Australia, Bangladesh, Belgium, Brazil, Cameroon, Canada, People’s Republic of China, Colombia, Dominican Republic, Ecuador, Egypt, Ethiopia, Germany, Ghana, Guinea, Guyana, Haiti, Hungary, India, Israel, Jamaica, Kazakhstan, Kenya, Kosovo, Lebanon, Madagascar, Malaysia, Mali, Mexico, Morocco, Nigeria, Peru, Philippines, Poland, Romania, Russia, Senegal, Singapore, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland, Syria, Taiwan, Thailand, Togo, Trinidad and Tobago, Tunisia, United Kingdom, Venezuela, Vietnam, Yemen.
Secretary Johnson meets with new U.S. citizens and their families. Photo courtesy of USCIS.
While in New York yesterday, Secretary Johnson also met with NYPD Commissioner William Bratton to discuss the important partnership between the Department and state and local law enforcement.
Today, Secretary Johnson continues his visit to New York. This morning he presented the Rick Rescorla National Award for Resilience to the New York Mets, Walgreens and Monsignor John Brown, recognizing their contributions to their communities in the aftermath of Hurricane Sandy. Secretary Johnson threw out the ceremonial first pitch at the second baseball game between the Mets and the Washington Nationals at Citi Field.
After the Rescorla Award presentation, Secretary Johnson also joined fans and players to observe a moment of silence for the victims of the shooting at Fort Hood yesterday.
Be sure to check back on the blog for more updates on the Secretary’s trip to New York.
Not only is April tax season, but it’s also prime time for cyber criminals to try to trick unsuspecting people into sharing personal or financial information. So in addition to filing your taxes, be sure to properly safeguard your data.
If you are among the majority of Americans who file their taxes electronically, the following tips can help you and your information stay safe:
- Don’t give out your personal information, unless it is to a trusted entity. The Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, text messages, or social media to request personal or financial information. If you receive an unsolicited email claiming to be from the IRS, do not click on any links or reply. Instead, forward it to email@example.com and delete it from your inbox.
- Look out for phony messages or websites claiming to be from the IRS. Exercise caution when opening suspicious email attachments and do not click on web links in unsolicited email messages. Scammers who try to access your personal or financial information may use the IRS name or logo in email messages and on fake websites to lure potential victims. Ensure that you have typed www.IRS.gov into your web browser to be certain you are visiting the authentic IRS website.
- Beware of promises of “free money” from inflated refunds. Scammers frequently pose as tax preparers during tax season. If you are contacted by someone who promises a large tax refund or a refund you are not expecting or entitled to, do not give out any personal or financial information. If the offer seems too good to be true, it probably is.
- Back up your data and store your electronic tax files securely. Last year, most Americans opted to file their taxes online. When preparing your tax return for electronic filing, make sure to use a strong password to protect the file. If you are working with an accountant, ask them what security measures they have in place to protect your personal information.
- Only share personal information over a secured network. When at home, if you are using Wi-Fi, make sure you only join a password-protected network – don’t connect if the network is publicly available. Using free public Wi-Fi makes it easy for cyber criminals to intercept and steal your information. Never prepare your tax return or conduct other online activities such as banking and shopping when connected to an unsecured wireless network.
These tips can help all Americans stay safe online during tax season and all year round. Cybersecurity is a shared responsibility and when we take steps to ensure our own cyber safety, we are also helping to create a safer Internet for others.
Secretary of Homeland Security Jeh Johnson yesterday hosted the Official Portrait Unveiling Ceremony in honor of former Secretary Michael Chertoff. Michael Chertoff served as the nation’s second Secretary of Homeland Security from February 15, 2005 – January 21, 2009.
Deputy Secretary Mayorkas, Secretary Johnson, Former Secretary Chertoff, and Mrs. Chertoff during the Official Portrait Unveiling Ceremony. Official DHS photo.
During the ceremony, Secretary Johnson praised Secretary Chertoff’s leadership of the Department at a critical time in its history and thanked him for his service both to the Department and to the Nation.
Former Secretary Chertoff receives a standing ovation following his remarks. Official DHS photo.
Former Secretary Chertoff addressed the audience - which included family, friends, former colleagues, and current DHS leadership and employees - and expressed his gratitude for the opportunity to serve and his appreciation for those who are continuing to serve the DHS mission.
Secretary Chertoff and his wife, Mrs. Meryl Chertoff, unveil his official portrait. Official DHS photo.
The official portrait, painted by Robert A. Anderson, is a tribute to Secretary Chertoff’s service to the Department and the Nation. The portrait will be placed in the hallway of the Office of the Secretary at DHS Headquarters in Washington.
Secretary Johnson and Former Secretary Chertoff talk after the portrait unveiling. Official DHS photo.