Thursday, March 31, 2016

Much easier and cheaper. No need for a get-away car (you can do it from any country that does not have an extradition treaty with your target country). No need for a fence to launder the cash.
When mobsters meet hackers: the new and improved bank heist
The unprecedented heist of $81 million from the U.S. account of Bangladesh’s central bank is the latest among increasingly large thefts by criminals who have leveraged the speed and anonymity of hacking to revolutionize burgling banks.
Hundreds of millions of dollars, and perhaps much more, have been stolen from banks and financial services companies in recent years because of this alliance of traditional and digital criminals, with many victims not reporting the thefts for fear of reputational damage. [Is 'reputational' a real word? Bob]
… There’s no evidence that old-fashioned bank robberies are in decline. But there are increasing instances of the cyber variety of the crime.
Last year, researchers at Russian security software maker Kaspersky Lab publicized the activities of the prolific Carbanak gang, which it says hacked into banks, then ordered fraudulent money transfers and also forced ATMs to spit out cash. Kaspersky estimates the group hit as many as 100 banks, with losses averaging from $2.5 million to $10 million per heist.

(Related) This is far too complicated for a Hollywood movie plot. (So why haven't they grabbed the money already?)
Philippines Can Recover Big Chunk of Stolen Bangladesh Millions: MP
Almost half of the $81 million that hackers stole from Bangladesh and funneled into Philippine casinos can still be recovered, a senior Filipino lawmaker investigating the audacious cyber heist said Thursday.
As much as $34 million remained in two casinos and a foreign exchange brokerage, senator Ralph Recto said, citing testimonies from a marathon hearing on Tuesday.
A casino junket operator, Kim Wong, testified in the Senate on Tuesday that two high-rollers from Beijing and Macau shifted the $81 million to dollar accounts in Manila's Rizal Commercial Banking Corp (RCBC).
Wong said he did not know that the money was stolen from Bangladesh and that he merely helped the two men – who are also his casino clients – open bank accounts.
He offered to return $4.3 million of the money, which he said remained in his account in Solaire, one of the Philippine capital's gleaming billion-dollar casinos.
But by Recto's own calculations, far more can be recovered including $17 million that Wong claimed was still with exchange brokerage Philrem, $10 million from a destitute casino in the north, $5.5 million that Wong picked up from the house of Philrem's owner and a further $2.3 million in the Solaire casino account of the Macau man who allegedly brought the $81 million to the Philippines.

Where we stand. (For my Computer Security students)
BakerHostetler has released its second annual data security incident response report, which is based on 300 cases they advised on last year. The report provides some statistics on causes of incidents, which industries were most affected, and what happens after a security incident is detected – from containment, to notification, to regulatory investigations and even lawsuits. A final section in the report provides the eight components of being compromise ready and identifies measures companies should take to minimize the impact of an incident.
Key findings from the report include:
  • Cause of incidents: phishing/hacking/malware (31%), employee actions/mistakes (24%), external theft (17%), vendor-related incidents (14%), internal theft (8%), and lost or improper disposal (6%).
  • No industry is immune: the healthcare industry (23%) was affected more than any other. Rounding out the top three are financial services (18%) and education (16%).
  • Number of individuals notified: for incidents in 2015 where notification was made, the average number of individuals notified was 269,609 and the median was 190,000.
  • 52% of the incidents that BakerHostetler helped manage in 2015 were self-detected.
  • Detection time – the time from when an incident first began until it was detected – ranged from 0 days to more than 400 days. The average amount of time from incident to discovery for all industries was 69 days, with healthcare taking nearly twice as long as other industries. Average amount of time from discovery to containment was 7 days.
  • Notification – the average amount of time from discovery to notification – was 40 days.
  • Not all incidents require notification to individuals or the public at large. In about 40% of the incidents that BakerHostetler helped manage in 2015, notification or public disclosure was not necessary.
  • Credit monitoring was offered in 53% of the incidents that BakerHostetler advised on in 2015 and the average redemption rate was 10%. [I don't recall seeing that number before. Bob]
  • Regulatory inquiries resulted from 24% of incidents reported, and litigation commenced after 6% of the incidents were made public.
Note that the average time from discovery to notification was 40 days. For HIPAA-covered entities, that may not be a problem, but some states now have notification requirements where a 40-day gap would be problematic.

I'm so glad the government decided to drop the “Total Information Awareness” program. I'm sure it only looks like they are creating several smaller projects that cumulatively do exactly the same thing.
From EPIC:
In comments to DHS, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on individuals outside the federal agency. EPIC urged DHS to limit the scope of data collection and drop proposed Privacy Act exemptions. Citing the recent surge in government data breaches, including the breach of 21.5 million records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases.

I suppose this is one way to avoid all those pesky Fifth Amendment issues. This is probably as good a place as any to ask what would happen if the decrypted files documented activity (online or geographic) that showed the suspect was otherwise occupied when the crime(s) took place? (I know I can manufacture 'instant alibis' as needed.)
J. M. Porup reports:
At a court hearing earlier this month, the UK’s National Crime Authority (NCA) demanded that Lauri Love, a British computer scientist who allegedly broke into US government networks and caused “millions of dollars in damage,” decrypt his laptop and other devices impounded by the NCA in 2013, leading some experts to warn that a decision in the government’s favor could set a worrisome precedent for journalists and whistleblowers.
Arrested in 2013 for the alleged intrusions but subsequently released, Love was re-arrested in 2015 and is currently fighting extradition to the United States. He has so far refused to comply with a Section 49 RIPA notice to decrypt the devices, a refusal that carries potential jail time. However, British authorities have not charged Love with any crime, leading him to counter-sue in civil court for the return of his devices.
Read more on Ars Technica.
I think Love’s lawyer, Ekeland, is exactly right in what he told Ars and that any evidence the UK would obtain would be handed on a silver platter to the U.S. for our government’s prosecution of Love.

Why Do the Feds Usually Try to Unlock Phones? It’s Drugs, Not Terrorism
… On Tuesday the ACLU released the results of a series of FOIA requests it filed along with the Stanford Center for Internet and Society to the US Justice Department, seeking information about any cases in which the feds had used the All Writs Act to ask that Apple or Google assist in accessing data on locked phones or tablets. It found that since 2008, there have been at least 63 of those cases across the country, showing that Apple’s standoff with the FBI was about more than “one iPhone,” as FBI director Jim Comey had argued. And in the two-thirds of those cases in which the ACLU could determine the crime being investigated, the group tells WIRED that 41 percent were related to drugs, far more than any other category of crime.
… The ACLU’s numbers contrast slightly with statistics released by the Manhattan District Attorney’s office in March, which showed that of 205 locked iPhones the Manhattan DA’s lab had attempted and failed to access without Apple’s assistance, 25 percent were related to drug cases. It lumped larceny, cybercrime, forgery, and ID theft into another category of cases that accounted for 35 percent of the locked iPhones.
… In fact, federal law enforcement has been so focused on drug cases for the last 30 years that they’ve often been the first domestic cases used to pioneer new surveillance techniques, from thermal imaging cameras to GPS tracking to drones. Even the NSA’s bulk metadata collection that scandalized the public when it was revealed by NSA leaker Edward Snowden was first used by the Drug Enforcement Administration. And in 2014 the FBI went so far as to subpoena security researchers at Carnegie Mellon for a technique that could crack the anonymity software Tor’s protections for hidden websites, which was then used to take down the Silk Road 2 drug market and dozens of other dark web sites.

(Related) If they keep sharing this tool, it will eventually leak to my Ethical Hackers.
FBI agrees to help Arkansas prosecutors open iPhone after hack of San Bernardino device
… Cody Hiland, prosecuting attorney for Arkansas' 20th Judicial District, said that the FBI's Little Rock field office had agreed to help his office gain access to a pair of locked devices owned by two of the suspects in the slayings of Robert and Patricia Cogdell. [So the tool has been distributed to all the field offices? Bob]
It was not immediately clear whether the FBI planned to use the same method it used to access data on Syed Rizwan Farook's phone. [Maybe there was never a “third party tool?” Bob]

I can recall discussing “virtual companies” as far back as the early 1990s. Nice to see that the politicians are about to start thinking about the same things… They might start understanding them in a few decades.
Digital disruption on the Potomac
The way the world conducts business and how we live our daily lives is fundamentally changing. Some have termed this change a "digital disruption wave." Consider the following passage from Tom Goodwin — variations of which have gone viral on social media — that encapsulates this phenomenon:
Uber, the world's largest taxi company, owns no vehicles. Facebook, the world's most popular media owner, creates no content. Alibaba, the most valuable retailer, has no inventory. And Airbnb, the world's largest accommodation provider, owns no real estate.
How does this private-sector digital disruption potentially translate to federal government sectors like health, security, education, transportation, agriculture, energy, etc.? There are recent initiatives (among others) that comprise government's transition to digital citizen services: Open Data, Smart Cities and the Opportunity Project.

Typical government response: The OPM is unmanageable – let's build another agency and put the OPM in charge! Bigger government, higher taxes to pay for it, another slot for political supporters – how could any politician resist?
Following OPM Personnel Data Hack New Agency To Process Federal Security Clearances
by Sabrina I. Pacifici on Mar 30, 2016
Federal News Radio – “The Office of Management and Budget and Office of Personnel Management are standing up a new agency to assume responsibility of the federal security clearance process. The National Background Investigations Bureau (NBIB) will have a specific, presidentially appointed director and member of the Performance Accountability Council, who will report to OPM. The new agency will absorb the Federal Investigative Services (FIS), the organization that currently conducts about 95 percent of federal background checks.”

Has Microsoft made a bunch of money because the NFL uses their Surface tablets? Have a lot of colleges and high schools purchased Surface tablets? Perhaps Microsoft thought football fans would want to see what the coaches see?
Baseball’s Latest Recruit Is an iPad
There will be a new player in Major League Baseball dugouts this season: the iPad. Apple Inc. and MLB signed a multi-year agreement to equip every team with iPad Pro tablets to help coaching staffs make better use of data.
Teams will be able to sift through performance stats from current and past seasons, weigh potential pitcher-hitter matchups, look at “spray charts” showing where a player is likely to hit a ball, even cue up videos of plays from previous games.
… The data available on the iPads will be proprietary to each team, rather than drawing from a league-wide database.
At launch, the Dugout app’s data will be preloaded before each game. In the future, the MLB would like to have data that is closer to real time. Testing began in games during the postseason last year.
… Though Microsoft’s investment with the NFL started off badly—with glitchy devices and broadcasters calling Surface tablets “iPads” during games—the exposure has been valuable overall, said Matt Powell, an analyst with the NPD Group Inc. research firm. “Everyone knows that being the ‘official whatever-type-of-product of a league’ is something companies pay for,” Mr. Powell said. “When you see athletes and coaches actually using a product and technology in games, it’s a whole other level,” he said.
… The NFL mandates that Surface tablets must be visible on every sideline during games; MLB is making iPad use optional. But the commissioner thinks that most teams will use the tablets in both dugouts and pitching bullpens during games and training.

(Related) Can technology change this? (The article also gives you some idea how many statistics MLB gathers)
A Baseball Mystery: The Home Run Is Back, And No One Knows Why

My students will enjoy this.
Microsoft unveils Desktop App Converter, a developer tool for bringing existing Win32 apps to the Windows Store
Microsoft today unveiled the Desktop App Converter, which lets developers bring existing Windows applications to the Windows Universal Platform (UWP). The company is hoping to bring the 16 million existing Win32/.Net applications to the Windows Store.
UWP allows developers to build a single app that changes based on your device and screen size. One app can work on your Windows 10 computer, Windows 10 tablet, Windows 10 Mobile smartphone, Xbox One console, and eventually HoloLens headset.
… The best part is that this works for games as well.

My students should be able to do this too. If every technology student in the US does their own App, will the FBI give up?
I don’t know if there’s been any real security audit of this app, but I do love seeing teens focused on developing privacy tools. Gary Haber reports:
A high school student with a cellphone can get into a lot of trouble.
A hastily sent Facebook post or Twitter message can last forever and come back to bite someone when they’re applying for college or a job. Then there are the prying eyes of parents who can see what their children post online.
As a high school student, privacy is something Nick Pitoniak takes seriously.
Pitoniak, a senior at York Suburban High School who lives in Spring Garden Township, developed a cellphone app called Mutter Mail, which he says lets users send messages back and forth without leaving any trace. The messages disappear within 30 seconds, Pitoniak said.
Read more on WUSA.

For the next time I teach Statistics.
The 8-Bit Game That Makes Statistics Addictive
Guess the Correlation is the brainchild of Omar Wagih, a graduate student at the European Bioinformatics Institute, and nefarious devourer of the thing I once called “my free time.” On paper, it sounds incredibly boring. In practice, it is inexplicably addictive. Try it.

A project for my geeky students or maybe all of them?
Google Cardboard
