Security

US Government Probes VPN Hack Within Federal Agencies, Races To Find Clues (reuters.com)

For at least the third time since the beginning of this year, the U.S. government is investigating a hack against federal agencies that began during the Trump administration but was only recently discovered, according to senior U.S. officials and private sector cyber defenders. Reuters reports: The new government breaches involve a popular virtual private network (VPN) known as Pulse Connect Secure, which hackers were able to break into as customers used it. More than a dozen federal agencies run Pulse Secure on their networks, according to public contract records. An emergency cybersecurity directive last week demanded that agencies scan their systems for related compromises and report back.

The results, collected on Friday and analyzed this week, show evidence of potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security Agency. "This is a combination of traditional espionage with some element of economic theft," said one cybersecurity consultant familiar with the matter. "We've already confirmed data exfiltration across numerous environments." The maker of Pulse Secure, Utah-based software company Ivanti, said it expected to provide a patch to fix the problem by this Monday, two weeks after it was first publicized. Only a "very limited number of customer systems" had been penetrated, it added.

Over the last two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to kick out the intruders and uncover other evidence, said another senior U.S. official who declined to be named but is responding to the hacks. The FBI, Justice Department and National Security Agency declined to comment. The U.S. government's investigation into the Pulse Secure activity is still in its early stages, said the senior U.S. official, who added the scope, impact and attribution remain unclear. Security researchers at U.S. cybersecurity firm FireEye and another firm, which declined to be named, say they've watched multiple hacking groups, including an elite team they associate with China, exploiting the new flaw and several others like it since 2019.

Bitcoin

The IRS Wants Help Hacking Cryptocurrency Hardware Wallets (vice.com)

An anonymous reader quotes a report from Motherboard: The IRS is looking for help to break into cryptocurrency hardware wallets, according to a document posted on the agency website in March of this year. Many cryptocurrency investors store their cryptographic keys, which confer ownership of their funds, with the exchange they use to transact or on a personal device. Some folks, however, want a little more security and use hardware wallets -- small physical drives which store a user's keys securely, unconnected to the internet. The law enforcement arm of the tax agency, IRS Criminal Investigation, and more specifically its Digital Forensic Unit, is now asking contractors to come up with solutions to hack into cryptowallets that could be of interest in investigations, the document states.

"The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations -- millions, perhaps even billions of dollars, exist within cryptowallets." The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. This means that authorities cannot effectively "investigate the movement of currencies" and it may "prevent the forfeiture and recovery" of the funds. "The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics' laboratory," the document says.

Privacy

Experian API Exposed Credit Scores of Most Americans (krebsonsecurity.com)

tsu doh nimh writes: Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. Bill Demirkapi, an independent security researcher who's currently a sophomore at the Rochester Institute of Technology, said he discovered the data exposure while shopping around for student loan vendors online.

Demirkapi encountered one lender's site that offered to check his loan eligibility by entering his name, address and date of birth. Peering at the code behind this lookup page, he was able to see it invoked an Experian Application Programming Interface or API -- a capability that allows lenders to automate queries for FICO credit scores from the credit bureau. "No one should be able to perform an Experian credit check with only publicly available information," Demirkapi said. "Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian's system." Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the "date of birth" field let him then pull a person's credit score. He even built a handy command-line tool to automate the lookups, which he dubbed "Bill's Cool Credit Score Lookup Utility."
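As an added illustration, not code from the KrebsOnSecurity report, from Experian or from Demirkapi's tool, here is a hypothetical lender-side lookup handler that models the two defects described above (no caller authentication, and an all-zeros date of birth that still yields a score) next to a hardened version. The partner key, the record store and the wildcard matching behaviour of the "before" version are assumptions made for the example.

```python
import hmac
import hashlib
from datetime import date, datetime

# Constructed data for the example: one hashed partner API key and two
# placeholder bureau records. None of this is real data.
PARTNER_KEY_HASHES = {
    "lender-demo": hashlib.sha256(b"constructed-secret-key").hexdigest(),
}
BUREAU_RECORDS = {
    ("jane doe", "1 main st", date(1980, 5, 4)): 712,
    ("john roe", "2 oak ave", date(1975, 11, 30)): 655,
}


def _norm(text):
    """Case- and whitespace-insensitive comparison key for names/addresses."""
    return " ".join(text.lower().split())


def _query_bureau(name, address, dob):
    """Hypothetical bureau lookup. When dob is None it matches on name and
    address alone; that wildcard is the assumed mechanism behind the
    all-zeros bypass and is exactly what the hardened path never allows."""
    for (n, a, d), score in BUREAU_RECORDS.items():
        if n == _norm(name) and a == _norm(address) and (dob is None or dob == d):
            return score
    return None


def vulnerable_lookup(name, address, dob_str):
    """Before: anyone can call this, and a DOB that fails to parse
    (for example '00000000') is silently dropped, so publicly known
    name + address are enough to retrieve a score."""
    try:
        dob = datetime.strptime(dob_str, "%Y%m%d").date()
    except ValueError:
        dob = None  # the defect: an unparsable DOB becomes a wildcard
    score = _query_bureau(name, address, dob)
    return {"score": score} if score is not None else {"error": "no match"}


def parse_dob(dob_str):
    """Strict DOB parsing: reject empty or all-zero placeholders, require a
    real calendar date, and reject dates in the future or over 120 years old."""
    if not dob_str or set(dob_str) <= {"0"}:
        raise ValueError("placeholder date of birth")
    dob = datetime.strptime(dob_str, "%Y%m%d").date()
    today = date.today()
    if dob > today or today.year - dob.year > 120:
        raise ValueError("implausible date of birth")
    return dob


def authenticate(partner_id, api_key):
    """Constant-time check of the presented key against the stored hash."""
    expected = PARTNER_KEY_HASHES.get(partner_id)
    if expected is None:
        return False
    presented = hashlib.sha256(api_key.encode()).hexdigest()
    return hmac.compare_digest(presented, expected)


def hardened_lookup(partner_id, api_key, name, address, dob_str):
    """After: the caller must be an authenticated partner, the DOB must be a
    validated non-public value, and all three fields must match the record."""
    if not authenticate(partner_id, api_key):
        return {"error": "unauthorized"}
    try:
        dob = parse_dob(dob_str)
    except ValueError as exc:
        return {"error": str(exc)}
    score = _query_bureau(name, address, dob)
    return {"score": score} if score is not None else {"error": "no match"}
```

The hardened path also answers a wrong DOB with the same "no match" it gives for an unknown person, so the response does not confirm which field was wrong.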

United States

White House Urged To Address Surge in Ransomware Attacks (bloomberg.com)

Cybersecurity experts, law enforcement agencies and governments urged the White House to root out safe havens for criminals engaging in ransomware and step up regulation of cryptocurrencies, the lifeblood of hackers, in the hopes of controlling a growing wave of attacks. From a report: These are two of 48 recommendations made by a task force in a report Thursday to the Biden administration aimed at fighting the continuing ransomware episodes that plague major corporations, local governments and health-care providers across the world. The task force, organized by the Institute for Security and Technology, said the cyber-attacks have become a $350 million criminal industry -- a four-fold increase from the previous year. Last week, the U.S. Justice Department created its own, independent ransomware task force, signaling growing awareness inside the U.S. government of the now decade-old threat. Ransomware is a type of malicious code that typically encrypts a victim's data or network of computers. The hackers then demand a ransom to decrypt the information. More recently, ransomware gangs have also stolen data and threatened to make it public unless the victim pays a fee.

Cloud

DigitalOcean Says Customer Billing Data Accessed In Data Breach (techcrunch.com)

DigitalOcean has emailed customers warning of a data breach involving customers' billing data, TechCrunch has learned. Zack Whittaker reports: The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has "confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account." The company said the person "gained access to some of your billing account details through a flaw that has been fixed" over a two-week window between April 9 and April 22. The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date and the name of the card-issuing bank. The company said that customers' DigitalOcean accounts were "not accessed," and passwords and account tokens were "not involved" in this breach.

"To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future," the email said. DigitalOcean said it fixed the flaw and notified data protection authorities, but it's not clear what the apparent flaw was that put customer billing information at risk. In a statement, DigitalOcean's security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.

China

China Orders Companies To Step Up Monitoring of Foreigners In Anti-Spying Campaign (theguardian.com)

An anonymous reader quotes a report from The Guardian: Chinese social groups, enterprises and public entities will have increased responsibility to combat foreign espionage under new regulations issued by the country's ministry of state security. The regulations, which were released and took effect on Monday, come amid deepening hostilities between China and some western governments, including over the detention of foreigners accused of national security crimes. According to state media, state security will work with other government departments to "adjust" the list of groups susceptible to foreign espionage and to develop measures to safeguard against it, including Chinese Communist Party and state organs, social groups, enterprises and public institutions.

Once organizations are designated as having anti-espionage responsibility, state security will provide "guidance, supervision and inspection" of their efforts, including personnel vetting, and strict training, monitoring and debriefing for staff trips overseas. Identified organizations must report suspicions and incidents to authorities. It comes amid increasing public campaigns to watch out for foreign spies, which state media has warned could be an "intimate lover" or "an online friend with the same interests."
According to Li Wei, an expert on national security and anti-terrorism at the China Institute of Contemporary International Relations, the new regulation "places emphasis on companies and institutions taking precautionary measures against foreign espionage." Li said key fields would include companies or institutions working in national defense, diplomacy, economy, finance and tech.

Security

DigitalOcean Says Customer Billing Data 'Exposed' by a Security Flaw (techcrunch.com)

DigitalOcean has emailed customers warning of a data breach involving customers' billing data, TechCrunch has learned. From the report: The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has "confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account." The company said the person "gained access to some of your billing account details through a flaw that has been fixed" over a two-week window between April 9 and April 22. The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date, and the name of the card-issuing bank. The company said that customers' DigitalOcean accounts were "not accessed," and passwords and account tokens were "not involved" in this breach. "To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future," the email said.

United States

Security Firm Kaspersky Believes It Found New CIA Malware (therecord.media)

Cybersecurity firm Kaspersky said today it discovered new malware that appears to have been developed by the US Central Intelligence Agency. From a report: Kaspersky said it discovered the malware in "a collection of malware samples" that its analysts and other security firms received in February 2019. While an initial analysis did not find any shared code with any previously-known malware samples, Kaspersky has recently re-analyzed the files and said it found that "the samples have intersections of coding patterns, style and techniques that have been seen in various Lambert families." Lamberts is the internal codename that Kaspersky uses to track CIA hacking operations. Four years ago, after WikiLeaks exposed the CIA hacking capabilities to the public in a series of leaks known as Vault7, US security firm Symantec publicly linked the Vault7 hacking tools to the CIA and the Longhorn APT (another industry name for Lamberts).

Encryption

Signal's Cellebrite Hack Is Already Causing Grief For the Law (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: A Maryland defense attorney has decided to challenge the conviction of one of his clients after it was recently discovered that the phone cracking product used in the case, produced by digital forensics firm Cellebrite, has severe cybersecurity flaws that could make it vulnerable to hacking. Ramon Rozas, who has practiced law for 25 years, told Gizmodo that he was compelled to pursue a new trial after reading a widely shared blog post written by the CEO of the encryption chat app Signal, Moxie Marlinspike. It was just about a week ago that Marlinspike brutally dunked on Cellebrite -- writing, in a searing takedown, that the company's products lacked basic "industry-standard exploit mitigation defenses," and that security holes in its software could easily be exploited to manipulate data during cell phone extraction.

Given the fact that Cellebrite's extraction software is used by law enforcement agencies the world over, questions have naturally emerged about the integrity of investigations that used the tech to secure convictions. For Rozas, the concerns center around the fact that "Cellebrite evidence was heavily relied upon" to convict his client, who was charged in relation to an armed robbery. The prosecution's argument essentially turned on that data, which was extracted from the suspect's phone using the company's tools. In a motion recently filed, Rozas argued that because "severe defects" have since been uncovered about the technology, a "new trial should be ordered so that the defense can examine the report produced by the Cellebrite device in light of this new evidence, and examine the Cellebrite device itself."
"I think it's going to take a while to figure out what the exact legal ramifications of this are," says Megan Graham, a Clinical Supervising Attorney at the Samuelson Law, Technology & Public Policy Clinic with Berkeley Law School. "I don't know how likely it is that cases would be thrown out," she said, adding that a person who has already been convicted would likely have to "show that someone else identified this vulnerability and exploited it at the time" -- not an especially easy task.

"Going forward, I think it's just hard to tell," Graham said. "We now know that this vulnerability exists, and it creates concerns about the security of Cellebrite devices and the integrity of evidence." But there's a lot that we don't know, she emphasized. Among Graham's concerns, she said that "we don't know if the vulnerability is being exploited," and that makes it difficult to discern when it could become an issue in past cases. "I think there will be cases where defense attorneys are able to get judges engaged [on this issue]. They will present the security concerns, worries about manipulated evidence, and it might be persuasive. I think there will be a wide array of responses when it comes to how this plays out in cases," she said.

United States

Department of Homeland Security Pushes REAL ID Deadline To 2023 (go.com)

The federal government is delaying the deadline for the REAL ID enforcement for a second time. The regulation was put in place in 2005 as a way to ensure travelers' identities following the 9/11 attacks, according to the DHS. Only recently did all 50 states come into compliance. ABC News reports: Every domestic air traveler 18 and older will need a REAL ID-compliant driver's license or identification card, state-issued enhanced driver's license or another TSA-acceptable form of identification beginning on May 3, 2023, the Department of Homeland Security announced Tuesday. The original deadline of Oct. 1, 2020, was postponed for one year due to the pandemic. The second delay is also "due to circumstances resulting from the ongoing COVID-19 pandemic," according to the DHS press release. Currently, only 43% of driver's licenses issued in the U.S. are REAL ID-compliant, according to DHS data.

Security

Ask Slashdot: How Harmful Are In-House Phishing Campaigns?

tiltowait writes: My organization has an acceptable use policy which forbids sending out spam. Every few months, however, the central IT office exempts itself from this rule by delivering deceptive e-mails to all employees as a test of their ability to ignore phishing scams. For those who simply delete the messages, they are a small annoyance, comparable to the overhead of having to regularly change passwords -- also done largely unnecessarily, perhaps even to the point of being another bad practice. As someone working in a departmental systems office, I can also attest that these campaigns generate a fair amount of workload from inquiries about their legitimacy. Aside from the "gotcha" angle, which perpetuates some ill will amongst staff, I can't help but think that these exercises are of questionable net value, especially with other countermeasures, such as MFA and Safelinks, already in place. Is it worth spreading misinformation to experiment on your colleagues in such a fashion?

Government

New Bill Could Mandate Driver-Monitoring Systems In Future Cars (cnet.com)

An anonymous reader quotes a report from CNET: The most recent crash involving a Tesla Model S and alleged connections to running driver-assist features without a driver behind the wheel spurred a lot of talk on how to handle advanced technology and its growing impact on drivers. Following Sens. Richard Blumenthal and Ed Markey's calls for enhanced guidelines from the National Highway Traffic Safety Administration, the two introduced new legislation on Monday that aims to tackle the problem.

With Sen. Amy Klobuchar signed on as a sponsor, the Stay Aware for Everyone Act would compel the Department of Transportation to study driver-monitoring systems installed in vehicles. With findings delivered to the appropriate committees within 180 days, the Transportation Secretary would then need to finalize a rule within four years deciding if the systems should become mandatory on all new vehicles. Not just vehicles with any level of driver-assist system, like Tesla's Autopilot, but all new cars sold. Automakers would then have two model years to meet compliance with any new vehicles going on sale.

The language in this bill, however, is interesting since it covers all new vehicles, rather than vehicles equipped with advanced assist systems. Naturally, this opens up privacy concerns, and all the bill says on this front is that the Transportation Secretary would determine "appropriate privacy and data security safeguards." The SAFE Act is one of four new bills the pair of Democratic senators introduced today, proposing potential legislation to speed up recall reporting from automakers, to bolster vehicle seat backs to reduce related fatalities and to set up a system to help automakers report possible vehicle defects earlier for NHTSA to investigate.

Security

Ransomware Gang Threatens To Expose Police Informants If Ransom Is Not Paid (therecord.media)

An anonymous reader writes: A ransomware gang is threatening to leak sensitive police files that may expose police investigations and informants unless the Metropolitan Police Department of the District of Columbia agrees to pay a ransom demand. A group that emerged this year called Babuk claimed responsibility for the leak. Babuk is known for ransomware attacks, which hold victims' data hostage until they pay a ransom, often in Bitcoin. The group also hit the Houston Rockets N.B.A. team this month.

In their post to the dark web, Babuk's cybercriminals claimed they had downloaded 250 gigabytes of data and threatened to leak it if their ransom demands were not met in three days. They also threatened to release information about police informants to criminal gangs, and to continue attacking "the state sector," including the F.B.I. and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. The information already released appeared to include chief's reports, lists of arrests and lists of persons of interest.

The Courts

ADT Sues Amazon's Ring Over Use of Blue Octagon Logo (cnet.com)

ADT, a home security company in the United States with over 6 million customers, is suing Amazon's Ring, alleging that the DIY home security company is copying ADT's logo and profiting from customer trust associated with it. From a report: ADT has asked a federal judge in Florida to order Ring to stop using its blue, octagonal signs and to pay unspecified compensation to the security company. In the complaint, ADT said it asked Ring to stop copying its blue octagon logo in 2016, after which the Amazon-owned company removed the blue color from its sign, but kept the octagon shape. In late March, upon releasing a new outdoor siren, Ring added the blue back to its advertising materials. ADT also said in the complaint that it owns 12 trademarks for the shape, color and look of its blue, octagonal sign.

United States

Court Chides FBI, But Re-Approves Warrantless Surveillance Program (nytimes.com)

For a second year, the nation's surveillance court has pointed with concern to "widespread violations" by the F.B.I. of rules intended to protect Americans' privacy when analysts search emails gathered without a warrant -- but still signed off on another year of the program, a newly declassified ruling shows. From a report: In a 67-page ruling issued in November and made public on Monday, James E. Boasberg, the presiding judge on the Foreign Intelligence Surveillance Court, recounted several episodes uncovered by an F.B.I. audit where the bureau's analysts improperly searched for Americans' information in emails that the National Security Agency collected without warrants. Rather than a new problem, however, those instances appeared largely to be additional examples of an issue that was already brought to light in a December 2019 ruling by Judge Boasberg. The government made it public in September. The F.B.I. has already sought to address the problem by rolling out new system safeguards and additional training, although the coronavirus pandemic has hindered the bureau's ability to assess how well they are working. Still, Judge Boasberg said he was willing to issue a legally required certification for the National Security Agency's warrantless surveillance program to operate for another year.

United States

Pentagon Explains Odd Transfer of 175 Million IP Addresses To Obscure Company (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a "pilot" project to conduct security research. "Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life" was the title of a Washington Post article on Saturday. Literally three minutes before Joe Biden became president, a company called Global Resource Systems LLC "discreetly announced to the world's computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the US military," the Post said.

The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world's largest announcer of IP addresses in the IPv4 global routing table. The Post said it got an answer from the Defense Department on Friday in the form of a statement from the director of "an elite Pentagon unit known as the Defense Digital Service." The Post wrote: "'Brett Goldstein, the DDS's director, said in a statement that his unit had authorized a 'pilot effort' publicizing the IP space owned by the Pentagon. 'This pilot will assess, evaluate, and prevent unauthorized use of DoD IP address space,' Goldstein said. 'Additionally, this pilot may identify potential vulnerabilities.' Goldstein described the project as one of the Defense Department's 'many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated.'"

Businesses

Network Security Company Proofpoint Goes Private In $12.3 Billion Deal (venturebeat.com)

Private equity firm Thoma Bravo has announced plans to acquire cybersecurity company Proofpoint in a deal worth $12.3 billion. VentureBeat reports: Founded in 2002 by former Netscape CTO Eric Hahn, Proofpoint was originally known for an email security product that helped businesses identify spam, viruses, and other electric correspondence that might contravene company policies. In the subsequent years, the Sunnyvale, California-based company has expanded its scope to include an array of cloud-based security products designed to protect enterprises from targeted threats. Proofpoint went public back in 2012, with its shares initially trading at around $13 -- these have grown steadily over the past decade, hitting an all-time high of $140 earlier this year and giving it a market capitalization of more than $7 billion.

Thoma Bravo has a track record of taking publicly traded cybersecurity companies private, having done just that with network security company Barracuda in a 2017 deal worth $1.6 billion and with Sophos last year for $3.9 billion. The Proofpoint deal, which is expected to close in Q3 2021, sees Thoma Bravo paying a 34% premium on Proofpoint's closing price at the last full trading day (April 23), with shareholders set to receive $176 for each share they own. It's worth noting that the $12.3 billion price tag positions this as the biggest cybersecurity acquisition of all time, putting it ahead of the $7.68 billion Intel shelled out for McAfee 11 years ago. And by VentureBeat's calculations, the Proofpoint acquisition represents one of the biggest overall technology acquisitions ever, putting it in the top 20, alongside megadeals that include Dell's $67 billion EMC purchase, IBM's $34 billion Red Hat deal, and Salesforce's impending $27.7 billion Slack acquisition.

Security

A Software Bug Let Malware Bypass macOS' Security Defenses (techcrunch.com)

Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS' newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple's watch. From a report: Worse, evidence shows a notorious family of Mac malware has already been exploiting this vulnerability for months before it was subsequently patched by Apple this week. Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn't reviewed the app -- a process Apple calls notarization -- or if it doesn't recognize its developer, the app won't be allowed to run without user intervention.

But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run. Owens told TechCrunch that the bug allowed him to build a potentially malicious app that looks like a harmless document and, when opened, bypasses macOS' built-in defenses. "All the user would need to do is double click -- and no macOS prompts or warnings are generated," he told TechCrunch. Owens built a proof-of-concept app disguised as a harmless document that exploits the bug to launch the Calculator app, a way of demonstrating that the bug works without dropping malware. But a malicious attacker could exploit this vulnerability to remotely access a user's sensitive data simply by tricking a victim into opening a spoofed document, he explained.

Linux

University of Minnesota Researchers Send Apology to Linux Kernel Mailing List (kernel.org)

Earlier this week Greg Kroah-Hartman of the Linux kernel development team banned the University of Minnesota from contributing after researchers there submitted what he called "obviously-incorrect patches" believed to be part of a research project into whether buggy code would be accepted.

Today the professor in charge of that project, as well as two of its researchers, sent an email to the Linux kernel mailing list saying they "sincerely apologize for any harm our research group did to the Linux kernel community." Our goal was to identify issues with the patching process and ways to address them, and we are very sorry that the method used in the "hypocrite commits" paper was inappropriate. As many observers have pointed out to us, we made a mistake by not finding a way to consult with the community and obtain permission before running this study; we did that because we knew we could not ask the maintainers of Linux for permission, or they would be on the lookout for the hypocrite patches. While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research, and to waste its effort reviewing these patches without its knowledge or permission.

We just want you to know that we would never intentionally hurt the Linux kernel community and never introduce security vulnerabilities. Our work was conducted with the best of intentions and is all about finding and fixing security vulnerabilities... We are a research group whose members devote their careers to improving the Linux kernel. We have been working on finding and patching vulnerabilities in Linux for the past five years...

This current incident has caused a great deal of anger in the Linux community toward us, the research group, and the University of Minnesota. We apologize unconditionally for what we now recognize was a breach of the shared trust in the open source community and seek forgiveness for our missteps. We seek to rebuild the relationship with the Linux Foundation and the Linux community from a place of humility to create a foundation from which, we hope, we can once again contribute to our shared goal of improving the quality and security of Linux software... We are committed to following best practices for collaborative research by consulting with community leaders and members about the nature of our research projects, and ensuring that our work meets not only the requirements of the Institutional Review Board but also the expectations that the community has articulated to us in the wake of this incident.

While this issue has been painful for us as well, and we are genuinely sorry for the extra work that the Linux kernel community has undertaken, we have learned some important lessons about research with the open source community from this incident. We can and will do better, and we believe we have much to contribute in the future, and will work hard to regain your trust.

Their email also says their work did not introduce vulnerabilities into the Linux code. ("The three incorrect patches were discussed and stopped during exchanges in a Linux message board, and never committed to the code.")

And the email also clarifies that their research was only done in August of 2020, and "All the other 190 patches being reverted and re-evaluated were submitted as part of other projects and as a service to the community; they are not related to the 'hypocrite commits' paper. These 190 patches were in response to real bugs in the code and all correct — as far as we can discern — when we submitted them... Our recent patches in April 2021 are not part of the 'hypocrite commits' paper either."

UPDATE (4/25): Late Saturday night the kernel team's Greg Kroah-Hartman rejected the apology, writing that "the Linux Foundation and the Linux Foundation's Technical Advisory Board submitted a letter on Friday to your University outlining the specific actions which need to happen in order for your group, and your University, to be able to work to regain the trust of the Linux kernel community.

"Until those actions are taken, we do not have anything further to discuss about this issue."

The Internet

Millions of the Pentagon's Dormant IP Addresses Have Mysteriously Sprung to Life (msn.com)

"Just before the end of the Trump administration, an obscure Florida company began announcing routes to IP addresses owned by the Pentagon," writes long-time Slashdot reader whoever57. The Washington Post calls it "a huge unused swath of the Internet that, for several decades, had been owned by the U.S. military." What happened next was stranger still. The company, Global Resource Systems LLC, kept adding to its zone of control. Soon it had claimed 56 million IP addresses owned by the Pentagon. Three months later, the total was nearly 175 million. That's almost 6 percent of a coveted traditional section of Internet real estate — called IPv4 — where such large chunks are worth billions of dollars on the open market... "They are now announcing more address space than anything ever in the history of the Internet," said Doug Madory, director of Internet analysis for Kentik, a network monitoring company, who was among those trying to figure out what was happening...

The change is the handiwork of an elite Pentagon unit known as the Defense Digital Service, which reports directly to the secretary of defense. The DDS bills itself as a "SWAT team of nerds" tasked with solving emergency problems for the department and conducting experimental work to make big technological leaps for the military... Brett Goldstein, the DDS's director, said in a statement that his unit had authorized a "pilot effort" publicizing the IP space owned by the Pentagon. "This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space," Goldstein said. "Additionally, this pilot may identify potential vulnerabilities...."

The specifics of what the effort is trying to achieve remain unclear... What is clear, however, is the Global Resource Systems announcements directed a fire hose of Internet traffic toward the Defense Department addresses...

Russell Goemaere, a spokesman for the Defense Department, confirmed in a statement to The Washington Post that the Pentagon still owns all the IP address space and hadn't sold any of it to a private party.
