The Department of Veterans Affairs still failing to properly secure its information systems from cyberattacks according to an audit conducted by a third party. The audit revealed several typical problems VA blunders through each year including training, access controls and intrusion monitoring.

Maybe we should pile tons of $100 bills into dumpsters and light it on fire because each year the agency continues to fall short of expectations concerning IT.

This year, the company CliftonLarsonAllen LLP conducted the FISMA audit. The company applauded VA for reaching at least 4 of the recommendations from last year and piled on another 29 recommendations the agency is still unable to resolve.

At this rate, in just a few years, VA will have around 500 recommendations to resolve. Some of the findings sound very familiar:

Risk Management Strategy

Some of the problems in risk management seem typical for the agency such as inconsistencies in procedures and documentation along with inaccurate reporting.

According to the report:

VA has not fully developed and implemented components of its agency-wide information security risk management program to meet FISMA requirements. VA has established an enterprise risk management program; however, the policies, procedures, and documentation included in the program were not consistently implemented or applied across all VA systems. 

For example, Risk Assessments did not always consider all known system security risks and threat sources. Specifically, we identified system Risk Assessments that did not address potential external attacks, human error, previously identified security weaknesses, or significant threat sources such as risks associated with systems not managed by the Office of Information and Technology (OI&T). We also identified issues related to the inaccurate reporting of the status for certain system security controls and noted that two systems were granted Authority to Operate without undergoing an assessment of security controls.

Security System Problems

I’m no techy, but inaccurate reporting concerning security controls doesn’t sound like a great problem:

We continue to identify system security plans with inaccurate information regarding operational environments, including system interconnections, accreditation boundaries, control providers, and compensating information security controls. We also noted that VA inaccurately reported the status of certain security controls within their regional level system security plans. Additionally, while medical devices and special purpose systems were appropriately included within the regional network boundaries, the implementation of specific controls for these devices were not addressed within regional level system security plans.

Passwords

VA has increased the overall enforcement of strong authentication for its systems and networks. However, reviews of permission settings still identified numerous instances of unnecessary system privileges, excessive and unauthorized user accounts, accounts without formal access authorizations, and active accounts for terminated personnel. VA Handbook 6500, Appendix F details access management policies and procedures for VA’s information systems. Additionally, we noted that user access requests were not consistently reviewed to eliminate conflicting roles and enforce segregation of duties principles. We also identified inconsistent monitoring of access in production environments for individuals with excessive privileges within certain major applications. This occurred because VA has not implemented effective reviews to monitor for instances of unauthorized system access or excessive permissions. Periodic reviews are critical to restrict legitimate users to specific systems and to prevent unauthorized access by both internal and external users. Unauthorized access to critical systems can leave sensitive data vulnerable to inappropriate modification or destruction.

Audit Logging and Monitoring

While VA continues to improve its centralized Security Incident and Event Management processes, we continue to identify deficiencies with how audit logs and security events are managed throughout the enterprise. For example, VA did not consistently review security violations and audit logs supporting mission-critical systems. Specifically, we noted that security logs were not effectively managed, aggregated, or proactively reviewed for certain significant systems, such as Veterans Health Information Systems and Technology Architecture, and users with elevated privileges. VA Handbook 6500, Appendix F provides high-level policy and procedures for collection and review of system audit logs. Audit log collections and reviews are critical for evaluating security-related activities, such as determining individual accountability, reconstructing security events, detecting intruders, and identifying system performance issues. Moreover, we have identified and reported deficiencies with audit logging for more than 10 years in our annual FISMA reports.

Frankly, there are a ton more comments and recommendations, but I become more bored as I read the report and almost dozed off. So… how about those Yankees?

It would be awesome of some of you more inclined to read through IT grog would check back in here with anything that really jumps about at you.

Source: https://www.va.gov/oig/pubs/VAOIG-17-01257-136.pdf

Stay informed on VA news, scandals and benefits. Get our daily newsletter via email.

17343

DisabledVeterans.org

Get our free daily newsletter.

44 COMMENTS

  1. Bay Pines back in the News.

    Vietnam Veteran Lonnie Kilpatrick is currently going through more than the usual hoops of the VA cycle of Delay Deny Until They Die.

    He has been being treated at Bay Pines VAMC for excruciating back pain for some time now. The VA at Bay Pines told the Lonnie and his family Lonnie’s severe back pain was due to herniated discs and arthritis.

    In January, in agony, Lonnie’s wife Sheila took Lonnie to a civilian hospital. Tests showed he had stage four kidney cancer.

    Area News channel 8 has now gotten involved and their coverage is at the following link.

    News 8 coverage of Lonnie’s story prompted a meeting between the chief of staff and Lonnie’s family where the Chief of staff stated “She said fortunately for us, she wanted us to know that they would try to do a better job in the future,”

    News 8 Coverage at: “http://www.wfla.com/8-on-your-side/investigations/va-rejects-veterans-claim-on-the-heels-of-misdiagnosis/1116088474”

    • Seymore,
      Kinda “coincidental”, that during channel 8’s reporting, they get a “text message” saying his “…claim was denied!”
      Which, in my opinion, tells me – because the news media is involved – the VA denied his claim!
      You know, going to the media means – you’ll be sorry!

      • Don’t know Elf, but feel he would not have even heard anything had it not been for Channel 8 getting involved. Also the more coverage given by Channel 8 the more likely the claim will be approved as it should have been from the getgo.

        Given he had to get a heart transplant in 2010 due to Ischemic heart disease caused by his exposure to Agent Orange during the Vietnam War. Also the fact that Ischemic heart Disease has been listed on the list of conditions cause by Agent orange exposure since 2012.

        No doubt that the VA was withholding proper medical care which resulted in the misdiagnoses of herniated disks and arthritis instead of the true problem of Kidney Cancer. Which by the way was also likely caused by his AO exposure. Also now that the cancer has spread as a result of the VA’s misdiagnoses of herniated disks and arthritis instead of Kidney Cancer. The VA is liable again.

        This is a case of the “VA’s Delay Deny Until they Die” where the Deny includes not only Denying the Claim but also Denying proper medical Care.
        This is a clear case of

      • Update on the Story tonight at 8:24 pm

        “Congressman steps in after VA misdiagnosis and claim denial”
        By: Steve Andrews
        Updated: Apr 12, 2018 08:24 PM EDT

        “HOLIDAY, Fla. (WFLA) – Rep. Gus Bilirakis (R-Palm Harbor) is getting involved in a Pasco County veterans struggle with the Veteran’s Administration.

        The Florida Republican reached out to Target 8 after we reported the agency rejected a claim by Lonnie Kilpatrick, a Navy veteran.”

        Full Report at: “http://www.wfla.com/8-on-your-side/investigations/congressman-steps-in-after-va-misdiagnosis-and-claim-denial/1119285595”

        ____________

        Lonnie’s Congressman who is stepping up is Gus Bilirakis who is also the Vice Chairman of the House Veterans’ Affairs Committee. Apparently much of Lonnie’s records have been marked Classified so they have not been used to give a proper decision in his claim.

        The Congressman is going to get the records declassified so they are used properly for Lonnie’s claim.

        So it is full on “VA Delay Deny Until They Die” and help them die along the way.

  2. Perhaps with all the love shown for veterans of this nation for their service, we could have our beloved Veterans Affairs renamed “Homeland Department of War Against Veterans” ???? At least then, the NAME would be honest even if the “System” is not.

    So they “fixed” four discrepancies, while adding twenty-five more. Sounds like the kind of progress that would get ALL the top management expeditiously fired at any company that had to show a profit.

    It is way past time for some real leadership at the VA. Leadership that speaks truth publicly about how bad things have really gotten. Leadership that develops solutions to take better care of ALL our nations warriors.

    Leadership that recognizes that when they are doing a good job – – – it will be veterans singing their praises, rather than the VA needing a PR Agency to put out “Fluff Pieces” to mislead America and her citizens about what a stellar job they are doing.

    They are not. In fact, they are doing a very piss-poor job. The VA has a first-world budget which they use to provide veterans less than third-world medical care and benefits.

    Current VA leadership has their Brain Housing Group the size of mice and their Heart no bigger. It is about FIFTEEN YEARS PAST TIME TO FIX THE DAMN BROKEN VA:

    1. IMMEDIATELY recognize the problems inherent in the VA are SYSTEM-WIDE, not just limited to a few locations.

    2. Fire all the Lazy No Good Workers. Fire EVERY single AFGE/SES Employee.

    3. Sell off all the VA facilities. Alternatively, they may be converted into military barracks-style housing for homeless veterans. These will be run with military-style rules to promote good order and discipline.

    4. Issue all veterans a card that allows them to choose their own doctors within their community that they can TRUST.

    5. The United States Government will PAY those doctors promptly (Within 45 days) for the care they provide veterans.

    6. ELIMINATE the “Federal Protection” Umbrella for incompetent QUACKS that the VA sends to other states to practice other than their own. Going to practice in XX state? You need to be LICENSED in XX state.

    7. Any claim a veteran submits to the VBA that requires more than 90 days to adjudicate, is automatically found to be in favor of the veteran.Should a veteran file a false claim to scam the system, the VA will have to prove in civil court that the claim was falsely submitted. For filing a false claim, the veteran will be subject to ALL of the following:

    (A). The claim shall be denied. If the veteran has received any form of benefits because of the false claim they will be required to fully repay the benefits at cost.
    (B). The veteran will be banned from all VA facilities for the remainder of their life.
    (C). The veteran will lose any benefits they originally have or had, and will not be allowed to file for further benefits.

    8. All veterans will be allowed to seek/retain the services of a Veterans Rights Attorney from their first initial contact with the VA. This will help to protect the legal rights of veterans against corrupt and incompetent VA employees.

    9. No AFGE, nor any other Labor Union business will be allowed to take place in any Federal Workplace. Conducting Union Business during working hours will be STRICTLY PROHIBITED, and will be STRICTLY ENFORCED. Should any government employee be found violating this provision, it will result in IMMEDIATE LIFETIME DISMISSAL FROM ANY/ALL FEDERAL OR STATE GOVERNMENTAL EMPLOYMENT.

    10. Attorneys for appeal will be retained at the former employee’s PERSONAL expense. U. S. Taxpayer’s will not be subject to payment of legal bills for incompetent or dishonest personnel with regards to Governmental Employment.

    You have my contact information Mr. President. Call me anytime. I have a lot of ideas to help this nation improve the services provided to my fellow veterans. The ones that were promised but have yet to be delivered upon. Veterans have been waiting for over fifty years for the fulfillment of those promises. I will not hesitate to speak up at all.

    For my fellow veterans who have been ill-served by this DERAILED CLUSTERFUCK of an AWFUL TRAIN WRECK CALLED THE VA over the years:

    Our battles overseas were far less stressful than our war here at home. Never Cruel or Cowardly. Never Give Up. Never Give In. We are on the Righteous path.

    POTUS Reagan broke up PATCO in the ’80’s. Time for POTUS TRUMP to break up the AFGE by Executive Order. The vast majority of our current Congress Critters do NOT have Veterans Interests at heart. Perhaps their replacements will. VOTE OUT all these WORTHLESS BASTARDS.

    Give their replacement’s one term to take care of Veterans who put aside their own personal lives to answer this nation’s call when she needed them. Many of those Veterans suffer the remainder of their lives for doing what most of their countrymen had not the courage to do.

    If they cannot MUSTER THE STONES to do it properly – – – vote their worthless asses out as well. Party should NOT MATTER. What SHOULD MATTER is their VOTING RECORDS ON VETERANS ISSUES.

    Rhetoric is cheap. Congressional Voting Records speak louder than words.

    NO Combat Veteran should be surprised when the next McVeigh, Congressional Baseball Team, or Las Vegas Sniper Incident occurs. Bound to happen. Just a matter of time . . .

    We have now reached the next accelerative phase of our country falling apart. Country before Party. Principles before Personalities. Always.

    Want to REALLY fix the VA? The next SecVA needs to be a former Enlisted Man brought in from the general veteran population with a few serious axes to grind against the VA and the AFGE, with zero previous governmental civilian service.

    Apparently, Former Flag Officers and SES appointed Civilians can’t cut the mustard to this point in time . . .

    Maybe a SINCERELY MOTIVATED Gunnery Sergeant or Chief Petty Officer CAN.

    Disgruntled Veteran
    1973 – 1976 USMC
    1978 – 1993 USN
    Wounded Warrior
    Honolulu, Hawaii

  3. VA Sysadmin’s are incompetent, I’ve been telling vets that for years, I think they got there education on the back of a cereal box. Security through obscurity, I one don’t know about it its secure.

    • VA Sysadmins being incompetent is likely because of the VA hiring IT people on the cheap for years. Whoever was hired years ago as a GS-7, 8 or 9 IT person and survived holding down a chair for awhile likely got promoted to GS-11, 12, 13 or higher…with no additional qualifications other than longevity.

      Some years ago when I was watching job announcements on USA Jobs, I saw many VA IT jobs listed as starting at GS-9. GS-9 might be good for some parts of the country, but in places like Chicago, St. Louis or other high cost areas, GS-9 means you get someone who barely knows how to boot a computer.

      Those GS-9 job listings were always re-listed within a year or two. Why? Likely because the person they hired as a GS-9 went to another federal agency as a GS-13, or if they stayed within the VA, they were promoted to a GS-10 or 11.

  4. Wait a minute: How many times did Shulkin alone obtain just in last year or so $2.1 BILLION$$$$$ for…IT “FIXES”????????????????? McDonald before him? The VA Suck before him? Et al…

    I would ASSume, those “FIXES” would include pesky cyber-security “FIXES” considering every single pc. of paper in our files or electronic files, possess our SSA# and enough info for information thieves to steal your benefits if hacked….and likely by someone already working at the VA on probation from former cybercrimes. Wait for it…

    I’ll say again, “IT FIXES” is code for FEED THE BLACK HOLE BEAST, (slushfund yells, FEED ME like the alien man-eating plant ‘Audrey’, in “Little Shop Of Horrors”, ‘FEED ME’).

    The viruses to worry about mostly walk on two legs with donut residue on chiny chin chins and work at the VA.

  5. Well, when you have endless taxpayers’ dollars to spend, why should you care about cyber security?

    We live in a different age, where budgeting for maintenance and protection of information systems should be the norm and you’d think that with all the IT talent and a saturated market of endless IT professionals, that hiring a staff to do this shouldn’t be hard and/or cost much…

    But again, who cares when .gov losers can waste and spend and never be held accountable?

    City of Atlanta right now is under a cyber attack that could have been avoided (and is rumored to have been allowed in order order to have an excuse to scrub its systems to hide evidence of corruption)…and so far it’s causing taxpayers 2.9 million dollars – which could have gone to fix ongoing failures in the City (i.e. infrastructure). But unfortunately no one will investigate and hold anyone accountable for this mess…despite it already being leaked to the press that the City of Atlanta was warned last year about vulnerabilities in the system.

    Without accountability we have nothing…but no worries, FBI and DOJ is on the job..especially when it comes to raiding President Trump’s attorney’s offices in a witch hunt for dirt on Trump for dealings with strippers and locker room talk, and typical business deals that take place every day.

    • Thing is .gov doesn’t want to be efficient. They want red tape to discourage us from seeking benefits/services and to have wiggle room to mess with us.

      For example, the VA for years operated on paper files and OPM still does. Why? The slower they are to process your request, thr longer they can hold onto your money. And, if they wanna hide them messing around in your records…oops!!! They were attacked and all history of access to your file had to be erased!!! How convenient…no?

  6. So, it appears as if the box of crayons keep getting scattered all over the play area again??? Godamn it how many times are we gonna have to tell them little bastards to pick that shit up? Our last audit found the same effing thing!

    The Principal tells them again and again to pick up their crayons but do they listen? NO!!!

    I think some of the little pricks just feign ignorance too about the mess but just try to hold one of them accountable and pretty soon the screaming and crying starts. Don’t even get me started about the toy problem near the potty entrance! An ongoing nightmare… teddy bears are NOT meant for that even if they are pictured on the 12 roll extra soft pack near the door. All of them deny doing this of course but the evidence is conclusive that somebody has cleansed themselves post excretion with Mr. Geezers. Repeatedly.

    I think more training might work….. the obvious question then of course becomes: Who do we train?
    Maybe a refinforcement course for Mr. Geezers is what we need again this year?

      • Sorry for the delay Ben. I am a method actor really for this sort of thing and am practicing hard with my bong and vaporizer to get the method and look down in perfectly authentic fashion. A stoner disabled gray haired veteran is a tough look to get down perfectly and needs practiced. It has to be believable. This could be my big shot at a stoner disabled veteran modeling career and I don’t want to mess it up.

        My agent will be contacting you soon…

    • RAND suggests wrapping “Mr. Geezers” in Constantine Razor Wire in order to inhibit the perpetuation that bears shit in the woods and utilize toilet paper or suggest that Mr. Geezers is an anal Luftwaffe.

      Bears do indeed shit in the woods, but would rather have the VA’s Travel Pay Fraud Warning Posters gig contract over Charmin Toilet Paper any day and put those pesky rumors to rest.

      (crayons that come wrapped in paper easily light like a little jet engine….my mother hated my creative waxing stage,)

  7. One thing that stands out is that all of the Recommendations listed in the full report are followed by the statements:

    1.) This is a repeat recommendation from prior years.

    or in about 5 cases it states;

    2.) This is a modified repeat recommendation from prior years.

    In essences given the prior years reports recommendations have never been followed those reports are just wastes of money. That is unless they are just written to show how incompetent the VA is under the management.

    What about a $1.5 million per report?

    • When you read through the report you have to wonder how the VA gets away with not removing fired employees passwords from the system, or how they get away with having the event tracking system disabled so no-one can tell who is making changes to our medical records.

      Hell as far as that goes why does the janitor need access to our medical records with the ability to change them anyway?

      • What we need is a modified version of the RICO act with a mandatory reporter status for all VA employees. If somebody does something wrong and it isn’t reported immediately then all employees with provable knowledge are culpable and chargeable with the crime of the original perpetrator. Once you pit self interest and self preservation against themselves I imagine the VA would begin to straighten out as the average employee operates by these principles anyway.

  8. Meanwhile, the lying Harvardian thief Zuckerberg was sniveling in front of Congress promising to be a better man. None of those fine statesmen bothered to mention how much money Farcebook has been spreading around DC. Everyone who could fog a mirror knew, knows, that social media has one mission. Mine your personal data for whatever THEY want to do with it. “They”, includes, the government, and anyone else with the money to buy access to YOUR personal. The VA is just another dimly lit avenue with 20 million sources.

    If we didn’t have deliberately leaky information systems, we would not have a $100 Billion cyber security industry projected by 2020. Follow the money

    • Well I suppose the silver lining to this cloud, if there is one, if somebody had some spare money lying around and wanted to start a small portfolio the IT industry as a whole would be worth taking a look at for the next few years or so. That and defense industries maybe.

  9. President Donald Trump on Television right now but he is not saying how he going to improve Veterans Healthcare.

    • Of course he was not! And I would not expect anything major until the next President is sworn into (if then) office.

      State run television and radio this morning in Москва́ had been broadcasting that powdered milk (5 year shelf life) and rice and sugar (8 year shelf life) are good items to stock up on. Also urging citizens to read information on how to survive a war in a bomb shelter, giving particular attention to nuclear aspects.

      Was an article in my feed this morning – – – but seems to have “disappeared” . . .

  10. Interesting.

    With just reading your column Ben, what it says is that the VA has a massive, grab-ass network of computer systems interconnected with little or no knowledge of what is happening on them.

    That they do not have specific procedures to insure employees account access is not turned off immediately after they leave VA for whatever reason is shocking.

    If I were a company CEO and read just your column, I would be on the phone immediately to have my CIO escorted from the building.

    These Information Security standards often flow from NIST or certain federal agencies, through DHS and on down. With someone like Tom Burch running their DHS function at VA, its no wonder their IT security is a sloppy mess.
    It goes deeper than Burch though since the CIO has an army of IT System Admin types and other IT flunkies who should be following policy and procedure to mandate these IT controls, and clearly they are not.

    If the VA wanted to fix this, the CIOs office would be told he will be held criminally liable for data leaks, along with every VISN, VAMC and CBOC director under them. It will be reflected in their performance evaluations, and none of them will see a bonus until the mess is cleaned up, if they are lucky enough to keep their job.

    The VA has dumped billions into IT, so there is no excuse for this other than an unwillingness to fix the problem, laziness and nobody held accountable for it.

    Each VISN or VAMC or CBOC manager should be required to be the System Owner on any IT device in their facility, and held responsible for what goes on with that device. That tends to get attention quick.

    On terms used in the article:

    Interconnections generally means one computer network is connected to another. Some networks have no business being connected to another, such as an Admin network connected to a health network, with the Admin network also connected to a WiFi network. Facilities networks for building automation gave no business being connected to a health network, or even a medical device that can be accessed via a computer network can be hacked as the Stuxnet virus showed us. Somebody in Admin that clicks on an “I hate whitey” virus might shut down your networked heart monitor or your MRI image looks like Oprah.

    The Authorization to Operate generally comes from a high level, and it essentially is a certification that any and all security controls possible are implemented on the system, and that specific, responsible people are identified along with policies and procedures in place for the System to operate as intended. Having no Authority to Operate is like 5 IT guys getting together and adding their X-Box network to the VA healthcare network so they can play games all day long.
    The report suggests IT Admins give fairly wide open permissions to any user getting on their network. That means an Admin person on the Admin network has permissions to access data on a health care network, or has access to view files that their position would not need access to. This is like the mail room clerk reading their email one morning, then surfing over to your mental health records to see what interesting stories they can read.

    As for computer logs, these are logs of everything. How the computer is operating, any faults, who logged on to a specific machine and when, who accessed what hard drive, etc. All of those logs can be automatically collected and checked for unauthorized access. That the report so clearly states the VA is failing miserably to do this says the VA has no clue what is going on in their systems.

    Now, imagine if Congressman Pugnuckey had his child porn stash on his P drive. There is no way anyone could tell it was his.

    By the same token, if some outside hacker could easily get to the congressman’s family photos and find out his home address, you can bet your ass Congressman Pugnuckey would be raising hell with some IT admin, and his boss.

    That they don’t do it with veterans personal data shows they don’t give a damn if some hacker gets your STD results, or finds out that nasty file clerk was posting your mental health records online somewhere.

  11. I see the “big six” Anti-Veterans groups — American Legion, AMVETS, DAV, Paralyzed Veterans of America, Veterans of Foreign Wars and Vietnam Veterans of America threw a party in Washington for Shulkin and his partner in Crime Vivieca Wright Simpson.

    His Attorneys have differently hit the kill switch on his BS about how his fight against privatization of the VA was the reason he was fired.

    I also note that the VAOIG has completed 12 reports since Shulkin was fired that are not being listed on the VAOIG website. Guess they must have been referred to other agencies for further actions. Or the VAOIG has decided to not publish the reports because they are too damming for the VA at this time.

    ____________

    Veterans advocates honor fired VA secretary at private DC event

    By: Leo Shane III
    Military Times
    9 hours ago

    “WASHINGTON — Leaders from the country’s largest veterans groups on Wednesday held a private event to honor fired Veterans Affairs Secretary David Shulkin, indicating a growing rift between the administration and some of the most prominent advocates for the veterans community.

    The event, held at the Disabled American Veterans headquarters in town, was a chance for the groups to thank Shulkin for his 13 months leading the department and praise his “bipartisan” approach to the job.

    The evening ceremony also honored Shulkin’s former chief of staff, Vivieca Wright Simpson, who abruptly retired in February amid allegations she doctored internal emails so the department would pay for Shulkin’s wife to accompany him on an overseas trip last summer.”

    Full Article At: “https://www.militarytimes.com/veterans/2018/04/12/veterans-advocates-honor-fired-va-secretary-at-private-dc-event/”

    _______________

    Guess those monthly meeting Shulkin and the Big Six while he was Sec and also while he was Under Secretary of Veterans Affairs for Health earned him a dinner at the DAV. After all they all were partners in crime working against Veterans.

    • A few other reports that seem to be missing from the VAOIG website but are listed in the monthly highlights are very interesting.

      1.) “Former Washington, DC, VA Medical Center Payroll Technician Sentenced for Theft of Government Funds”

      “A former Washington, DC, VA Medical Center (VAMC) payroll technician was sentenced to 24 months’ incarceration, 36 months’ supervised release, and ordered to pay restitution of nearly $312,000. An investigation by the Office of Inspector General (OIG) and Air Force Office of Special Investigations revealed that the defendant, who also previously worked for the Air Force, stole government funds by manipulating employee time cards and financial allotment accounts. The defendant inserted his personal bank account information into the payroll accounts of VA and Air Force employees and channeled additional overtime and special payments to his personal bank account. The loss to the Air Force is about $174,000 and the loss to VA is approximately $137,700.”

      * This one is Very Interesting, but hey with the kickbacks to Congressman and Senators we know why this report isn’t being published*

      2.) “Former Nonprofit Organization Board Member Pled Guilty to Conspiracy to Embezzle from a Nonprofit Organization”

      “A VA OIG, IRS-Criminal Investigation, FBI, Department of Housing and Urban Development OIG, FDIC OIG, Department of Health and Human Services OIG, DOL OIG, and Medicaid Fraud Control Unit of the Missouri Attorney General’s Office investigation revealed that the former board member was part of a conspiracy to unjustly enrich himself and others through a nonprofit organization that contracted with VA to provide substance abuse counseling and housing services for veterans. As part of the conspiracy, the board member and others unlawfully used the nonprofit’s funds for political contributions, excessive lobbying, and political advocacy. They also paid themselves through a system of kickbacks that disguised the nature and source of the payments. To increase the supply of funds from which they could embezzle, the conspirators caused the nonprofit to seek out and obtain additional sources of revenue, including federal program funds, through “political outreach” that violated both law and public policy. As part of the conspiracy, the board member allegedly received $387,500 from a lobbying firm and $63,000 in kickback payments as a result of his participation in the conspiracy. From 2010 to 2016, the nonprofit had revenues of approximately $837 million, to include $1.7 million from VA.”

      • A link to the VAOIG Highlights for last month:

        “https://www.va.gov/oig/pubs/highlights/VAOIG-highlights-201802.pdf”

      • “Former Arkansas legislator Eddie Cooper pleads guilty to embezzlement”

        by Wesley Brown
        TB&P
        February 12, 2018

        “As Arkansas lawmakers headed to Little Rock Monday (Feb. 12) for the fiscal session, former Rep. Eddie Wayne Cooper, D-Melbourne, pleaded guilty in federal court for his role in a conspiracy to embezzle more than $4 million from a Springfield, Mo.-based health care charity.

        Timothy Garrison, U.S. Attorney for the Western District of Missouri, announced that Cooper, 51, waived his right Monday to a grand jury and pleaded guilty before U.S. Magistrate Judge David Rush to charges of one count of conspiracy to embezzle from the nonprofit organization.

        By pleading guilty, the former Democratic legislator-turned-lobbyist admitted he conspired with several executives of Preferred Family Healthcare, a nonprofit charity headquartered in Springfield, to use the charity’s funds for unlawful political contributions, for excessive, unreported lobbying and to financially benefit himself.

        Cooper received at least $387,501 from a lobbying firm and at least $63,000 in kickbacks as a result of his participation in the conspiracy. Under the terms of Monday’s plea agreement, Cooper must forfeit his gain from the conspiracy to the government.

        Cooper was an Arkansas lawmaker from 2006 through January 2011, and a lobbyist registered with the Arkansas Secretary of State beginning Jan. 20, 2011. On April 20, 2009, Cooper was hired to the full-time position of regional director for Preferred Family Healthcare. Cooper’s employment with the charity ended on April 26, 2017. Cooper was a member of the charity’s board of directors from October 2009 through April 2015, and also worked as a lobbyist.

        Full Article At: “https://talkbusiness.net/2018/02/former-arkansas-legislator-eddie-cooper-pleads-guilty-to-embezzlement/”

      • Arkansas lobbyist tied to kickback scheme tried to arrange killing, authorities say

        By Doug Thompson
        Arkansas Online
        March 12, 2018

        “Indicted lobbyist Milton Russell “Rusty” Cranford tried to arrange the slaying of an alleged co-conspirator in a lobbying and kickback scheme, according to a federal court filing Monday in Missouri.

        The intended victim was Donald Andrew “D.A.” Jones, 62, of Willingboro, N.J., the Northwest Arkansas Democrat-Gazette reported.

        Jones is a Philadelphia-based political consultant who accepted money embezzled from Preferred Family Healthcare for years, according to his guilty plea Dec. 18. Preferred Family is a Springfield, Mo.-based nonprofit firm that operates substance abuse and behavioral health treatment centers in five states, including Arkansas.

        Three Preferred Family executives — who are not named in court documents — paid Jones $973,807 in total from February 2011 until January 2017, all taken from the nonprofit, court documents show.

        The money reportedly went to lobby lawmakers for Preferred Family’s benefit and their own. This lobbying included campaign contributions to members of Congress, according to court records. Such lobbying is not allowed for entities such as Preferred Family that receive Medicaid and other government funds.

        Cranford, the nonprofit’s Arkansas 56-year-old lobbyist and a director of some of its Arkansas operations, reportedly helped arrange the deal between the executives and Jones. He received $264,000 in kickbacks from Jones in return for that assistance in setting up the arrangement, according to his Feb. 20 indictment.

        Full article At: “http://www.arkansasonline.com/news/2018/mar/12/arkansas-lobbyist-tied-kickback-scheme-tried-arran/”

        ___________

        A made for tv movie complete with Arkancides. Guess who else is also being investigated in Arkansas at this time for their Foundations connections. If you guessed Hillary you hit it on the nose.

      • More from the article cited above:

        “On Jan. 2 — after Jones pleaded guilty but before Cranford’s arrest — Cranford called a felon that he knew, the filing states. That felon, identified in Monday’s filing as “Person A,” reportedly contacted federal authorities before the meeting took place Jan. 9. The meeting was secretly monitored and recorded by the FBI, court documents show.

        “He’s in Philadelphia. He’s in south Jersey. (Whispered) He needs to go away. He needs to be gone,” Cranford said of Jones, according to the FBI transcript of the meeting. Monday’s court filing states: “While making this statement to Person A, Person A told agents that Cranford used his hand to make a gun-shooting gesture.”

        The alleged murder-for-hire scheme is under investigation in the Western District of Arkansas, according to authorities, and no charges for it have been filed as of yet.

        Cranford faces one count of conspiracy and eight counts of accepting bribes in his indictment. The $264,000 in kickbacks he received from Jones, federal prosecutors say, went to either Cranford or his lobbying firms, with some going to a former lawmaker who was an employee and business associate: Eddie Cooper of Melbourne. Cooper pleaded guilty to his role in the scheme Feb. 12.

        In a related matter, court records state Cranford also played a role in the kickbacks case of former state Sen. Jon Woods and state Rep. Micah Neal, both of Springdale. Cranford has not been charged in that case.”

  12. cj ¯¯̿̿¯̿̿’̿̿̿̿̿̿̿’̿̿’̿̿̿̿̿’̿̿̿)͇̿̿)̿̿̿̿ ‘̿̿̿̿̿̿\̵͇̿̿\=(•̪̀●́)=o/̵͇̿̿/’̿̿ ̿ ̿̿

    .

  13. So, by the numbers…

    1. Risk management. This means trying to identify risks to systems and data stored on them, and how to mitigate those risks. This could be a risk of outside hacking, or a risk of data loss by not having an effective control on some clerk taking an un-encrypted laptop home after being fired.

    2. Sufficient supporting documentation to close out Plans of Action and Milestones. What this means is the VA pulled a plan to fix a problem out of their ass, and then ignored the problem. They couldn’t even be bothered to document how they planned on fixing the problem.

    3. This sounds like a fancy system the VA uses to track the problems they have been told about in prior years, but never used or updated.

    4. The Executive in Charge of IT. This is used repeatedly, and sounds like there is no real identified bureaucrat in charge of IT. This part suggests the VA “Executive in Charge of Ignoring Torpedoes has no policy on Information Security, and even if they did, they have no person identified to take responsibility for it, so even if they had plans and intentions to fix problems that have been identified, they have no person identified to insure it is even done.

    5. This sounds as if the VA has no standardized implementation of security controls. So whatever some IT decides to do at one VA or VISN is likely different than what some other IT person does at another VA or VISN. One guy might like McAfee Anti-virus software, while another IT guy might like Kaspersky.

    6. This section sounds like whatever attempts that were made to identify and document security risks or problems were documented long ago, but never updated. I wonder how many mentions of MS-DOS 3.2 they have in these documents.

    In the section on Identity Management and Access Control. This means they have no clue who is accessing their systems, and no clear plan on how to control that access.

    On password management, many controls require 12, 14 or 16 character passwords. That the VA has no control over how long a password is on a major system database is shocking. Software utilities like L0phtCrack were available almost 20 years ago that could easily crack many passwords using brute force in just a few hours. The longer the password, the harder it is to crack.

    7. The recommendation on enforcing password policies means any IT device within the VA can have whatever password they want, or as short as they want. I imagine many VA hacks have just their initials as their password, their phone number, birth date, etc. Requiring specific password length and whether special characters such as $, & or # are easily enforced…if that is turned on in the system.

    8. Periodic reviews of permissions. This means the VA has no procedure to insure that file clerk that has access to the mental health record actually needs access to the mental health records. Even worse is that if the file clerk is promoted to some job where they can do their job over the internet while working from home…there is no procedure to insure their access to mental health records was revoked when they got their new job.

    9. Implementing audit logs on all critical systems. This is laughable given Shulkin claimed his secretary’s email was hacked. How the hell would he know since the audit logs were never turned on? or checked if they were turned on?

    10. Two factor authentication. VA employees use PIV cards to log into many of their computers. The PIV card is essentially their ID card with a chip in it. When they put the card in a reader, they can enter a PIN number to login. Having 2 factor authentication turned on means they have to enter a second PIN number to authorize that computer to be used with they account for a specified time period. Google turned on 2 factor long ago for accessing email. If you have it turned on, you put in your normal password, then Google will call by phone or send you a text message with the second PIN you have to enter.

    In the section on unsecure web based applications. This means the VA is running some web site like MyHealthEvet, and does not have those applications secured from hacking.

    In the database section stating they have a significant number of unsecure configuration settings. This could be a database thrown together in a sloppy manner using some kind of Java interface to enter or retrieve data, only they are running Java that is 4 generations old.

    Application and System Software Vulnerabilities. This section means they have a number of systems running old, unsecure operating systems like Windows XP, or they have never updated the software on any of their network routers, or they are running software applications on their systems that have never been updated. That they mention software that is no longer supported by the vendor means they are running Operating System software on PC’s or servers that is obsolete. This again is likely old server software like Windows NT or some crap that Microsoft long ago stopped supplying patches for.

    Unsecure Network access controls. This means that while they might have one network separated from another, the controls are so weak they just as well could be connected to each other.

    Baseline Security Configurations. This means the VA put systems on their network with default network or security settings, and never bothered to turn off un-needed services or configurations. This could mean that while the Firewall was turned on, they never configured it to block anything. This could also mean they configured a standard server, but never turned off many standard server settings that allow easy access by hackers.

    12. Implement a way of automatically finding and tracking and applying security patches. This means the “Executive in Charge of IT’ing himself has no way of knowing what system has a security problem, or whether than problem has been patched. I bet they can’t even tell if the automatic Windows Updates are turned on, or whether any IT flunky installs them.

    14. This one is interesting. It says they have no clue what systems or what medical devices are connected to the general network at the VA, or if they have any kind of configuration to stop hacking.

    15. Recommending the EICIT assign responsibility for security to someone at each site.

    17. This means the VA has no control over some IT guy going out and buying incompatible servers or systems, and putting them on the VA network. The guy could be replacing a server running Linux with an Apple Mac, and then wondering why it doesn’t work the way it used to.

    Under Contingency Planning. They mention backup tapes not being encrypted prior to being taken off-site for storage. This means if any IT flunky lost a few or a dozen backup tapes, all the data was in the clear. They also mention Contingency Plans not working to restore financial systems within the stated amount of time. This means some benefit payment system, or some student loan Voc Rehab system was dead in the water for longer than what they claimed when it needed to be restored after their system failed.

    WOW! The VA has 12 network connections to outside “business partners” that are not monitored. I wonder how many drug companies have direct access to veteran records or VA research information. The VA has no clue what those “business partners” are sending and receiving over those network connections.

    It would appear the VA has no clue if some hacker is scanning open network ports they can access to gain entry into their network, and they have no clue if data is transmitted off their networks.

    24. The recommendation on the VA creating a list of approved and unapproved software. This means if some IT guy in Denver wants to set up his own music sharing software, the VA has no problem with it since they have no list of unapproved applications. This could also mean some clerk could set up instant messaging software if they wanted.

    The VA has no idea of the hardware and connections made to their network by contractors, and have no idea if those contractors are storing data in the cloud. It does say VA contractors are as sloppy as the VA in patching security problems on their system.

    After this report showing VA IT systems are a complete disaster much worse than a Domino’s Pizza ordering system, the “Executive in Charge of something other than IT wrote a 12 line response “generally concurring”. That kind of response shows that Executive doesn’t have the first damn clue about the job he/she is supposed to be doing.

    In the Appendix, it states FISMA was signed into law 16 years ago in 2002. That means for 16 years, the VA has known the of the requirements to keep data secured, and they still fail miserably at doing it.

    If you were a hacker bent on just stealing sensitive data and selling anything you could grab, this report not only tells you how bad VA systems are protected, but it gives you a pretty damn clear picture of how to get it.

    The VA needs to stop dumping billions into bullshit IT projects and focus a little more on securing the systems they currently have.

    I cannot fathom why Congress has not stepped in and demanded the VA turn off certain systems immediately until they can prove they are secured. A federal judge did that to the Interior Department several years ago, and that mainly had to do with royalty payments.

    • Although FISMA was sign in to law 16 years ago the following has occurred>

      The Federal Information Security Modernization Act of 2014 (FISMA 2014) amended the Federal Information Security Management Act of 2002 updated the Federal Government’s cybersecurity practices placing by placing the Department of Homeland Security (DHS) as administrators of the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems.

      The bill was signed into federal law by President Barack Obama on December 18, 2014.

      “https://www.dhs.gov/fisma”

      Almost all Federal Agencies currently have now experienced numerous data breaches as a result of the change in supervision.

      A great example is the Consumer Financial Protection Bureau (CFPB) which has suffered at least 240 data breaches and another 800 suspected hacks, according to Mick Mulvaney, the acting director of the bureau in congressional testimony.

      Mick Mulvaney is the director of the Office of Management and Budget but on November 25, 2017 Trump placed Mulvaney in as acting Director of the CFPB.

      That was following the actions of Richard Cordray who just before he resigned at midnight November 25th, 2017 he appointed Leandra English to the Deputy Director of the CFPB on Novmeber 24th, 2017 and on the 25th he sent a letter to CFPB Staff announcing that English would serve as Acting Director. But Trump Trumped him and placed Mulvaney in as Acting Director.

      Mulvaney is the first CFPB official to admit the agency’s massive data mining of consumer mortgage and credit card information is vulnerable to hackers and that data bases have been breached. Former bureau director Richard Cordray and other CFPB officials previously refused to disclose any information about possible data breaches.

      Cordray and Sen. Elizabeth Warren of Massachusetts both embraced the idea of launching a mammoth data mining collection program at CFPB that focused on America’s consumers. They admitted to Congress in 2014 they were in the process of collecting 991 million American credit card accounts and accumulate 95 percent of the 53 million residential mortgages taken out since 1998.

      Warren helped to shape a new economic theory called “behavioral economics” while at Harvard that led to the use of big data by government for research purposes. Her practice relied on massive uses of consumer data and she encouraged its application at the CFPB.

      From an article today at the Daily Caller regarding Mulvaeny’s revelation to Congress.

      “Mulvaney, who has been on the job for less than six months answered, “we have been able to document about 240 lapses in our data security.” Perdue expressed surprise at Mulvaeny’s revelation.

      Their question and answer session continued:

      Senator Perdue: “‘Lapses?’ Is that a breach?”

      Director Mulvaney: “I think data got out that should not have gotten out. There’s another 800 suspected that we haven’t been able to confirm.”

      Senator Perdue: “800 potential exfiltrations so far? And this could be not just social security numbers, but this could be my personal bank account. Is this correct?”

      Director Mulvaney: “It could be a lot of different things, yes. Including those.”

      Later, the acting director told the committee, “Everything we keep is subject to being lost, yes.””

      The full article is at: “http://dailycaller.com/2018/04/12/cfpb-suffered-more-than-1000-data-breaches/”
      Titled “Uh Oh… CFPB Suffered More Than 1,000 Data Breaches”

      By Richard Pollock

      _______________

      What really makes it all so very interesting that every American Citizens Mortgage, Bank account and Credit Card information has been hacked. Is the fact that it was done through an agency set up by Obama with the help of Elizabeth Warren. She basically created the Agency under Obama while she was chair of the Congressional Oversight Panel, which was created to oversee the Troubled Asset Relief Program (TARP). That was before she became a Senator.

      Needless to say the Democratic party has everyone’s info.

      • Something else worth mentioning about this Democrat spy agency. Leandra English the person the former Director tried to put in charge of the Agency. I actively collecting a nearly $200,000 a year salary and doing absolutely nothing for it. But she is spending all of her time fighting Trump in Court claiming she should be the acting director.

        See for Your Self

        Leadership calendar
        At the Consumer Financial Protection Bureau
        “https://www.consumerfinance.gov/about-us/the-bureau/leadership-calendar/”

      • “EXCLUSIVE: CFPB’s Leandra English Prepared Legal Case Against Trump On Government Time, Sources Say”

        By Richard Pollock
        Daily Caller
        4/12/2018

        “What exactly does Leandra English do at the Consumer Financial Protection Bureau as its second-highest official?

        Not much, it seems, except apparently working on her pending lawsuit against the Trump administration — and on government time, according to a Daily Caller News Foundation investigation.

        English, as its current deputy director, also disappeared for five full weeks earlier this year when she inexplicably moved 3,000 miles away from Washington, D.C., to work in the agency’s tiny San Francisco office.

        President Donald Trump initially appointed Office of Management And Budget (OMB) Director Mick Mulvaney to head the agency in November when then-Director Richard Cordray, an Obama appointee, abruptly quit to seek the Ohio Democratic Party’s nomination for governor. Cordray named English his successor upon his departure, but the president invoked the Vacancies Reform Act of 1998 and installed Mulvaney.”

        Full Article At: “http://dailycaller.com/2018/04/12/leandra-english-cfpb-lawsuit/”

    • Hacking the VA, would be about as easy as reaching down and scratching my left nut. You know it and I know it. The VA must have massive data breaches daily, there not reporting. Of course Civilian Hospital systems are just as bad, Even there privacy officers don’t know whats going on.

      • From the report, I think the VA is not competent enough in IT to even know if they are having massive daily data breaches.

    • Thanks 91, and as far as i’m concerned, you have done a great service to veterans and the country by explaining how bad their systems security is. Keep up the good fight

Comments are closed.