Friday, February 26, 2016

Are we smarter than the Ukrainians?
Hackers behind Ukraine power cuts, says US report
The December 2015 incident is thought to be the first known successful hack aimed at utilities.
The report, written by the Department of Homeland Security, is based on interviews with staff at Ukrainian organisations that dealt with the aftermath of the attack.
The DHS report did not name the suspected perpetrators. [Who are we afraid of? Bob]
… It said the attack had several stages and initially involved hackers installing malware on computer systems at power generation firms in Ukraine. This gave the attackers remote access to these computers and allowed them to flip circuit breakers turning off power to 80,000 customers of western Ukraine's Prykarpattyaoblenergo utility.
… The malware is believed to have been delivered via email using a technique known as "spear phishing". This involves sending key employees carefully crafted messages that use information culled from social media to make them more convincing.

The world my Computer Security students face.
Breach Detection Time Improves, Destructive Attacks Rise: FireEye
According to the just released report (PDF), the median number of days that attackers were present on a victim’s network before being discovered dropped to 146 days in 2015 from 205 days in 2014—a trend that shows positive improvement since measuring 416 days back in 2012. However, breaches still often go undetected for years, Mandiant reminded.
The breach investigations firm found that during its investigations, responders saw incidents where attackers destroyed critical business systems, leaked confidential data, held companies for ransom, and taunted executives. Some attackers were motivated by money, some claimed political retaliation, and others aimed to cause embarrassment, the report said.

(Related) Another perspective.
Over 700 Million Data Records Compromised in 2015: Report
The BLI report (PDF) started benchmarking publicly disclosed data breaches in 2013 and has seen over 3.6 billion data records since. Data collected by Gemalto showed a 3.4 percent drop in the number of data breaches compared to 2014. Additionally, the total number of compromised records dropped by 39 percent, Gemalto said.
Outside attackers represented the leading source of breaches, accounting for 964 of them, or 58 percent of the total, as well as for 38 percent of the compromised records. Accidental loss or exposure of data records accounted for 36 percent of all exposed records last year, while malicious insiders accounted for only 14 percent of incidents and 7 percent of compromised records, with 238 attacks.

Confusing the non-lawyer, again. The motion is at the end of this article. Is it 65 pages or over 350 as the table of contents suggests?
Apple Files Motion To Vacate The Court Order To Force It To Unlock iPhone, Citing Constitutional Free Speech Rights
… In the motion, Apple hinges its argument on the fact that the FBI is attempting to greatly expand the use of the All Writs Act:
No court has ever granted the government power to force companies like Apple to weaken its security systems to facilitate the government’s access to private individuals’ information. The All Writs Act does not support such sweeping use of judicial power, and the First and Fifth Amendments to the Constitution forbid it.
[Also available on Scribd.]

(Related) In case you forgot that Apple v FBI is not the only example of over-reach.
Justice Department gets earful from Congress over Microsoft case
The Justice Department faced withering criticism from House lawmakers at a Thursday hearing for its opposition to Microsoft-backed legislation aimed at limiting the geographical scope of a U.S. warrant.
The House Judiciary Committee hearing focused on a bill aimed at resolving a legal battle in which Microsoft resisted a U.S. warrant forcing it to turn over a customer’s email account stored in Ireland.
Rep. Darrell Issa (R-Calif.) said Microsoft is "being bullied by the Justice Department," comparing the fight to a case where another country was trying "to come haul your ass in" without consulting the United States.
"You are asking for the U.S. courts to summarily order U.S. corporations … to deliver to you something from another country and circumvent that other country's opportunity to tell you 'yes' or 'no.' That is essentially what you are asking for," Issa told a Justice Department official.
… Deputy Assistant Attorney General David Bitkower testified that the legislation could cut off a tool used during law enforcement investigations. The Justice Department has warned that if this tool is cut off, the government will have to rely on a slow-moving treaty system to obtain the same information.
Everyone in the room agreed that the current process of sharing law enforcement data between countries is broken and will get worse as technology products are used more broadly around the world, further ignoring national borders.

Looks like a very sweet deal for Vigilant Solutions if they can keep the public from finding out about it. Is this the future of law enforcement?
Dave Maass writes:
At the beginning of the year, the City of Kyle, Texas, approved a controversial agreement to install automated license plate recognition (ALPR) technology in its police vehicles. The devices would come at no cost to the city’s budget; instead, police would also be outfitted with credit card readers and use ALPR to catch drivers with outstanding court fees, also known as capias warrants.
With each card swipe, an added 25% surcharge would go to Vigilant Solutions, the company providing the system. As an added bonus the company would also get to keep all the data on innocent drivers collected by the license plate readers—indefinitely.
But before the license plate readers could even be installed, the Kyle city council voted 6-1 to rescind the order. The reason: public and media outcry over how the system would turn police into debt collectors and data miners.
Read more on EFF.

The problem with revealing raw intelligence is that it discloses the methods used to obtain it and possibly identifies an individual as the source.
Obama Administration Set to Expand Sharing of Data That N.S.A. Intercepts
The Obama administration is on the verge of permitting the National Security Agency to share more of the private communications it intercepts with other American intelligence agencies without first applying any privacy protections to them, according to officials familiar with the deliberations.
The change would relax longstanding restrictions on access to the contents of the phone calls and email the security agency vacuums up around the world, including bulk collection of satellite transmissions, communications between foreigners as they cross network switches in the United States, and messages acquired overseas or provided by allies.
… The executive branch can change its own rules without going to Congress or a judge for permission because the data comes from surveillance methods that lawmakers did not include in the main law that governs national security wiretapping, the Foreign Intelligence Surveillance Act, or FISA.

Pointing out a business opportunity? Would lawyers need a secure system too? Will the FBI object?
Doctors who use the instant messaging service WhatsApp to communicate with each other about patients should stop doing so, according to the Dutch privacy watchdog Autoriteit Persoonsgegevens.
And what apps could American doctors use to communicate about patients that would be HIPAA-compliant in terms of security?
[From the article:
Dutch start-up MDLInking is currently developing a secure app for doctors which it says will remove worries about privacy. The Amsterdam-based company will soon turn a group of hackers loose on its product in a final test before a formal launch in May [Can we buy the US franchise? Bob]

The problem with audit reports like this is that they make you think the entire Department is managed incompetently. I need to run this by my Data Management students.
GAO reports on DHS HR IT failures
by Sabrina I. Pacifici on Feb 25, 2016
Homeland Security: Oversight of Neglected Human Resources Information Technology Investment Is Needed, GAO-16-253: Published: Feb 11, 2016. Publicly Released: Feb 25, 2016:
“DHS’s human resources administrative environment includes fragmented systems, duplicative and paper-based processes, and little uniformity of data management practices, which according to DHS, are compromising the department’s ability to effectively carry out its mission. DHS initiated HRIT in 2003 to consolidate, integrate, and modernize DHS’s human resources information technology infrastructure. In 2011, DHS redefined HRIT’s scope and implementation time frames… The Department of Homeland Security (DHS) has made very little progress in implementing its Human Resources Information Technology (HRIT) investment in the last several years. This investment includes 15 improvement opportunities; as of November 2015.”
  • See also Homeland Security: Weak Oversight of Human Resources Information Technology Investment Needs Considerable Improvement, GAO-16-407T: Published: Feb 25, 2016. Publicly Released: Feb 25, 2016.

(Related) The problem with reports like this is that we assume DHS ONLY sees the obvious. Perhaps terrorists will hide behind the “we don't like cops” crowd. After all, nothing adds to the impact of a terrorist act like the utter failure of emergency services.
Public Intelligence reports:
Cyber attacks against law enforcement, fire departments and other emergency services have become increasingly common and are likely to increase according to a recent intelligence assessment prepared by the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The assessment, which was distributed to law enforcement in September 2015 and was obtained by Public Intelligence, reviewed a number of “cyber attacks against the [emergency services sector or ESS] between February 2012 and May 2015,” finding that “targeting of the ESS will likely increase as ESS systems and networks become more interconnected and the ESS becomes more dependent on information technology for the conduct of daily operations—creating a wider array of attack vectors for cyber targeting.”
Read more on Public Intelligence.

Free stuff for students (and me)
This Is Why You Should Join the Office Insider Program Now
… You can choose from several routes to upgrade to Office 2016, including updates that are free or discounted, depending on which versions of Office you currently have. The easiest way, however, is to simply purchase an Office 365 subscription (which students can possibly get for free).
The Office 365 subscription comes with a free and voluntary program that you can opt into. This Office Insider Program provides several benefits that you might find useful. Here’s why you should enroll today.
