Are we smarter than the Ukrainians?
Hackers behind Ukraine power cuts, says US report
The December 2015 incident is thought to be the
first known successful hack aimed at utilities.
The report, written by the Department of Homeland
Security, is based on interviews with staff at Ukrainian
organisations that dealt with the aftermath of the attack.
The DHS report did not name the suspected perpetrators. [Who are we afraid of? Bob]
… It said the attack had several stages and
initially involved hackers installing malware on computer systems at
power generation firms in Ukraine. This gave the attackers remote
access to these computers and allowed them to flip circuit breakers
turning off power to 80,000 customers of western Ukraine's
Prykarpattyaoblenergo utility.
… The malware is believed to have been
delivered via email using a technique known as "spear phishing".
This involves sending key employees carefully crafted messages that
use information culled from social media to make them more
convincing.
The world my Computer Security students face.
Breach Detection Time Improves, Destructive Attacks Rise: FireEye
… According to the just-released report (PDF),
the median number of days that attackers were present on a victim’s
network before being discovered dropped
to 146 days in 2015
from 205 days in 2014—a trend that shows positive improvement since
measuring 416 days back in 2012. However, breaches still often go
undetected for years, Mandiant reminded.
The breach investigations firm found that during its investigations,
responders saw incidents where attackers destroyed critical business
systems, leaked confidential data, held companies for ransom, and
taunted executives. Some attackers were motivated by money, some
claimed political retaliation, and others sought to cause
embarrassment, the report said.
(Related)
Another perspective.
Over 700 Million Data Records Compromised in 2015: Report
… The BLI report (PDF)
started benchmarking publicly disclosed data breaches in 2013 and has
seen over 3.6 billion data records since. Data collected by Gemalto
showed a 3.4 percent drop in the number of data breaches compared to
2014. Additionally, the total number of compromised records dropped
by 39 percent, Gemalto said.
Outside
attackers represented the leading source of breaches, accounting for
964 of them, or 58 percent of the total, as well as for 38 percent of
the compromised records. Accidental loss or exposure of data records
accounted for 36 percent of all exposed records last year, while
malicious insiders accounted for only 14 percent of incidents and 7
percent of compromised records, with 238 attacks.
Confusing the non-lawyer, again. The motion is at
the end of this article. Is it 65 pages or over 350 as the table of
contents suggests?
Apple Files Motion To Vacate The Court Order To Force It To Unlock iPhone, Citing Constitutional Free Speech Rights
… In the motion, Apple hinges its argument on
the fact that the FBI is attempting to greatly expand the use of the
All Writs Act:
No court has ever granted the government power to force companies like Apple to weaken its security systems to facilitate the government’s access to private individuals’ information. The All Writs Act does not support such sweeping use of judicial power, and the First and Fifth Amendments to the Constitution forbid it.
[Also available on Scribd.]
(Related) In case you forgot that Apple v FBI is
not the only example of over-reach.
Justice Department gets earful from Congress over Microsoft case
The Justice Department faced withering criticism from House
lawmakers at a Thursday hearing for its opposition to
Microsoft-backed legislation aimed at limiting the geographical scope
of a U.S. warrant.
The House Judiciary Committee hearing focused on a
bill aimed at resolving a legal battle in which Microsoft resisted a
U.S. warrant forcing it to turn over a customer’s email account
stored in Ireland.
Rep. Darrell Issa
(R-Calif.) said Microsoft is "being bullied by the Justice
Department," comparing the fight to a case where another country
was trying "to come haul your ass in" without consulting
the United States.
"You are asking for the U.S. courts to
summarily order U.S. corporations … to deliver to you something
from another country and circumvent that other country's opportunity
to tell you 'yes' or 'no.' That is essentially what you are asking
for," Issa told a Justice Department official.
… Deputy Assistant Attorney General David Bitkower testified that the legislation could cut off a tool used
during law enforcement investigations. The Justice Department has
warned that if this tool is cut off, the government will have to rely
on a slow-moving treaty system to obtain the same information.
Everyone in the room agreed that the current
process of sharing law enforcement data between countries is broken
and will get worse as technology products are used more broadly
around the world, further ignoring national borders.
Looks like a very sweet deal for Vigilant
Solutions if they can keep the public from finding out about it. Is
this the future of law enforcement?
Dave Maass writes:
At the beginning of the year, the City of Kyle, Texas, approved a controversial agreement to install automated license plate recognition (ALPR) technology in its police vehicles. The devices would come at no cost to the city’s budget; instead, police would also be outfitted with credit card readers and use ALPR to catch drivers with outstanding court fees, also known as capias warrants.
With each card swipe, an added 25% surcharge would go to Vigilant Solutions, the company providing the system. As an added bonus the company would also get to keep all the data on innocent drivers collected by the license plate readers—indefinitely.
But before the license plate readers could even be installed, the Kyle city council voted 6-1 to rescind the order. The reason: public and media outcry over how the system would turn police into debt collectors and data miners.
Read more on EFF.
The problem with revealing raw intelligence is
that it discloses the methods used to obtain it and possibly
identifies an individual as the source.
The Obama administration is on the verge of permitting the National Security
Agency to share more of the private communications it intercepts with
other American intelligence agencies without first applying any
privacy protections to them, according to officials familiar with the
deliberations.
The change would relax longstanding restrictions on access to the contents of the
phone calls and email the security agency vacuums up around the
world, including bulk collection of satellite transmissions,
communications between foreigners as they cross network switches in
the United States, and messages acquired overseas or provided by
allies.
… The executive branch can change its own
rules without going to Congress or a judge for permission because the
data comes from surveillance methods that lawmakers did not include
in the main law that governs national security wiretapping, the
Foreign Intelligence Surveillance Act, or FISA.
Pointing out a business opportunity? Would lawyers need secure systems too? Will the FBI object?
Doctors who use the instant messaging service WhatsApp to communicate with each other about patients should stop doing so, according to the Dutch privacy watchdog Autoriteit Persoonsgegevens.
Read more on DutchNews.nl.
And what apps could American doctors use to
communicate about patients that would be HIPAA-compliant in terms of
security?
[From the article: Dutch start-up MDLInking is currently developing a secure app for doctors which it says will remove worries about privacy. The Amsterdam-based company will soon turn a group of hackers loose on its product in a final test before a formal launch in May.] [Can we buy the US franchise? Bob]
The problem with audit reports like this is that
they make you think the entire Department is managed incompetently.
I need to run this by my Data Management students.
GAO reports on DHS HR IT failures
by Sabrina I. Pacifici on Feb 25, 2016
Homeland Security: Oversight of Neglected Human
Resources Information Technology Investment Is Needed, GAO-16-253:
Published: Feb 11, 2016. Publicly Released: Feb 25, 2016:
“DHS’s human resources administrative
environment includes fragmented systems, duplicative
and paper-based processes, and little uniformity of
data management practices, which according to DHS, are compromising
the department’s ability to effectively carry out its mission.
DHS initiated HRIT in 2003 to consolidate, integrate, and modernize
DHS’s human resources information technology infrastructure. In
2011, DHS redefined HRIT’s scope and implementation time frames…
The Department of Homeland Security (DHS) has made very little
progress in implementing its Human Resources Information Technology
(HRIT) investment in the last several years. This investment
includes 15 improvement opportunities; as of November 2015.”
- See also Homeland Security: Weak Oversight of Human Resources Information Technology Investment Needs Considerable Improvement, GAO-16-407T: Published: Feb 25, 2016. Publicly Released: Feb 25, 2016.
(Related) The problem with reports like this is
that we assume DHS ONLY sees the obvious. Perhaps terrorists will
hide behind the “we don't like cops” crowd. After all, nothing
adds to the impact of a terrorist act like the utter failure of
emergency services.
Public Intelligence reports:
Cyber attacks against law enforcement, fire departments and other emergency services have become increasingly common and are likely to increase according to a recent intelligence assessment prepared by the Department of Homeland Security and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The assessment, which was distributed to law enforcement in September 2015 and was obtained by Public Intelligence, reviewed a number of “cyber attacks against the [emergency services sector or ESS] between February 2012 and May 2015,” finding that “targeting of the ESS will likely increase as ESS systems and networks become more interconnected and the ESS becomes more dependent on information technology for the conduct of daily operations—creating a wider array of attack vectors for cyber targeting.”
Read more on Public Intelligence.
Free stuff for students (and me)
This Is Why You Should Join the Office Insider Program Now
… You can choose from several
routes to upgrade to Office 2016, including updates that are free
or discounted, depending on which versions of Office you currently
have. The easiest way, however, is to simply purchase
an Office 365 subscription (which
students can possibly get for free).
The Office 365 subscription comes
with a free and voluntary program that you can opt into. This
Office Insider Program provides several benefits
that you might find useful. Here’s why you should enroll today.