E-invoice mandate, Flash malware spike and more
News and notes from around the federal IT community.
OMB mandates electronic invoicing
The Office of Management and Budget has ordered agencies to convert to an all-electronic invoicing system by using a federal shared service provider or an OMB-approved e-invoice system.
An OMB memo sent last week to chief financial officers, chief acquisition officers, senior procurement executives and other officials gives agencies until the end of fiscal 2018 to comply.
Federal News Radio reported that the White House will not approve any agency budget requests to build their own stand-alone systems.
Cisco security report fingers Flash
Cisco's Midyear Security Report revealed a huge spike in Adobe Flash-based malware attacks and said organizations aren't detecting threats fast enough.
"Hackers, being unencumbered, have the upper hand in agility, innovation and brazenness," said Jason Brvenik, principal engineer in Cisco's Security Business Group. "A purely preventive approach has proven ineffective, and we are simply too far down the road to accept a time to detection measured in hundreds of days."
Key findings in the report include:
- Angler is one of the most sophisticated and widely used exploit kits because of its innovative use of Flash, Java, Internet Explorer and Silverlight vulnerabilities. It also excels at evading detection by using domain shadowing, accounting for the lion's share of domain shadowing activity.
- Exploits of Adobe Flash vulnerabilities, which are integrated into Angler and the Nuclear exploit pack, are on the rise due to the lack of automated patching and consumers' failure to update immediately. In the first half of 2015, the number of Adobe Flash Player vulnerabilities reported by the Common Vulnerabilities and Exposures system increased 66 percent over the number reported in all of 2014. At this rate, Flash is on pace to set an all-time record for the number of CVEs reported in 2015.
- Ransomware remains highly lucrative for hackers as they continue to release new variants that are completely automated and carried out through the Dark Web. To conceal payment transactions from law enforcement, ransoms are paid in cryptocurrencies, such as bitcoin.
- The creators of the quickly mutating Dridex campaigns have a sophisticated ability to evade security measures. As part of their tactics, attackers rapidly change email messages' content, user agents, attachments or referrers and launch new campaigns, thereby forcing antivirus systems to detect them anew.
Army Research Lab to team up with outside groups
The Army Research Laboratory said it plans to sign a research agreement this week with several organizations.
Those organizations include Northeastern Maryland Technology Council, Northeastern Maryland University Research Park, Susquehanna Workforce Network and University Center. The agreement will give ARL access to researchers who have worked on science and technology for defense purposes.
Air Force, DLA move to Office 365
The Air Force and the Defense Logistics Agency are headed to the cloud with the award of the Collaboration Pathfinder contract to a team led by Dell, GCN reports.
Along with Microsoft and General Dynamics, Dell will provide a tailored version of Microsoft Office 365 and cloud-based services that include email, instant messaging, desktop voice/video communications, productivity and user storage capabilities.
Meanwhile, Defense Systems reports that as part of the service's plan to move nearly all its IT operations to the cloud, the Air Force Lifecycle Management Center at Hanscom Air Force Base in Bedford, Mass., has issued a request for information for input from vendors on a commoditized cloud infrastructure that could provide standardized, pay-as-you-go cloud services regardless of whether they are acquired on premises or off.