Wednesday, April 27, 2016

What did they know and when did they know it? 
Exclusive: SWIFT warns customers of multiple cyber fraud cases
SWIFT, the global financial network that banks use to transfer billions of dollars every day, warned its customers on Monday that it was aware of "a number of recent cyber incidents" where attackers had sent fraudulent messages over its system.
"SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back-offices, PCs or workstations connected to their local interface to the SWIFT network," the group warned customers on Monday in a notice seen by Reuters.
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a cooperative owned by 3,000 financial institutions.
BAE said it could not explain how the fraudulent orders were created and pushed through the system.
But SWIFT provided some evidence about how that happened in its note to customers, saying that in most cases the modus operandi was similar.
It said the attackers obtained valid credentials for operators authorized to create and approve SWIFT messages, then submitted fraudulent messages by impersonating those people.


As I read this, the FBI intends to claim institutional ignorance.  “We don’t have to share what we know because we don’t know what we know.”  Should be amusing in any case where they need to show more than “It was a miracle!” in court. 
FBI won’t reveal method for cracking San Bernardino iPhone
The FBI intends to tell the White House this week that its understanding of how a third party hacked the iPhone of a shooter in San Bernardino, Calif., is so limited that there’s no point in undertaking a government review of whether the tool should be shared with Apple, officials said.
Last month, the FBI paid more than $1 million for a tool to crack an iPhone used by one of the shooters in California.  But the contract did not include rights to the software flaws that went into the tool, officials said.
As a result, the bureau has a limited technical understanding of how the method worked, officials said.
“The threshold is: Are we aware of the vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability that would implicate the process?” he said at a cyber conference at Georgetown University.

(Related) Another reason not to share information with Apple. 
Apple says FBI gave it first vulnerability tip on April 14
The FBI informed Apple Inc of a vulnerability in its iPhone and Mac software on April 14, the first time it had told the company about a flaw in Apple products under a controversial White House process for sharing such information, the company told Reuters on Tuesday.
The FBI told the company that the disclosure resulted from the so-called Vulnerability Equities Process for deciding what to do with information about security holes, Apple said.
The process, which has been in place in its current form since 2014, is meant to balance law enforcement and U.S. intelligence desires to hack into devices with the need to warn manufacturers so that they can patch holes before criminals and other hackers take advantage of them.
The issue of how U.S. government agencies decide to share information about vulnerabilities in computer and telecom products has received renewed scrutiny since the FBI announced last month that it had found a way to break into the iPhone of one of the shooters in December's massacre in San Bernardino, California.
Reuters reported earlier this month that the FBI believed it did not have legal ownership of the necessary information and techniques for breaking into the iPhone so would not be able to bring it to the White House for review under the equities process.
The day after that report, the FBI offered information about the older vulnerabilities to Apple.  The move may have been an effort to show that it can and does use the White House process and disclose hacking methods when it can.


Even banks have customers.  Why are they any different?
James Salmon reports that a new tool for small businesses from Barclays Bank is raising privacy hackles.
The online service will enable small companies – from corner shops to florists and local butchers – to track the performance of similar businesses in their area.
Salmon reports that even though the data will supposedly be anonymous – no individuals or individual firms are supposedly identifiable – privacy advocates such as Privacy International find the service unacceptable:
Banks not only hold our money but also vast quantities of our personal data.  This gives them extraordinary insight, and therefore power, into what we value and how we behave individually and as compared to our peers.
‘Services such as SmartBusiness demonstrate a growing trend of companies exploiting the vast amount of data they collect on their customers.  Such exploitation is done without customers’ informed consent, and is unacceptable.  The notion that any data, in particular financial data, is anonymous is deceitful.
Read more on Daily Mail.


It’s no longer just idle flapping of your lips. 
Gary Ridley reports:
State police officials are using online surveillance to monitor social media comments made about the Flint water crisis, according to emails released by Gov. Rick Snyder’s office.
The emails show that officials attempted on at least one occasion to initiate criminal proceedings against a Copper City man over allegedly threatening comments he made on Facebook about the government’s handling of the crisis.
“It’s time for civil unrest.  Burn down the Governor mansion, elimionate (sic) the capitol where the legislators RE-INSTATED the emergency dictator law after the PEOPLE voted it down, and tell the Mich (sic) State Police if they use military force, we will return with same,” according to a state police email about the Facebook post.
Read more on mLive.


There’s phishing, spear phishing and then there’s whaling. 
Whaling emerges as major cybersecurity threat
A clever variant of phishing scams is proliferating among enterprises, forcing CIOs to up their game even as they are still refining their cybersecurity practices to contend with various zero-day attacks.  Called whaling, the social engineering grift typically involves a hacker masquerading as a senior executive asking an employee to transfer money.
Whaling is becoming a big enough issue that it's landed on the radar of the Federal Bureau of Investigation, which last week said that such scams have cost companies more than $2.3 billion in losses over the past three years.  The losses affect every U.S. state and at least 79 countries.  The FBI said that it has seen a 270 percent increase in identified victims and exposed losses from CEO scams since January 2015.  For example, Mattel lost $3 million in 2015 to one CEO fraud scam, while Snapchat and Seagate Technologies also fell prey to similar schemes.

(Related) Some details.
Report says criminals are better communicators than IT staffers
Verizon, in its just-released annual report of cyber incidents, identifies phishing as the major problem.  Of the over 65,200 incidents it gathered data about, about 2,250 resulted in a breach, or confirmed disclosure of data to a third party.  (In Verizon's parlance, a security 'incident' falls short of a breach.)


Should we tell them there is a way bombs can home in on cash?  (Or is all this purely accidental?)
http://www.bbc.com/news/world-middle-east-36145301
Islamic State: Up to $800m of funds 'destroyed by strikes'
Maj Gen Peter Gersten, who is based in Baghdad, said the US had repeatedly targeted stores of the group's funds.
The blow to the group's financing has contributed to a 90% jump in defections and a drop in new arrivals, he said.
In a briefing to reporters, Maj Gen Gersten, the deputy commander for operations and intelligence for the US-led operation against IS, said under 20 air strikes targeting the group's stores of money had been conducted.
He did not specify how the US knew how much money had been destroyed.
In one case, he said, an estimated $150m was destroyed at a house in Mosul, Iraq.


A class we will have to teach soon.
http://sloanreview.mit.edu/article/blockchain-data-storage-may-soon-change-your-business-model/
Blockchain Data Storage May (Soon) Change Your Business Model
Blockchain is a data storage technology with implications for business that extend well beyond its most popular application to date — the virtual currency, Bitcoin.  To be sure, the financial industry is taking notice of how it might use blockchain.  Even the U.S. Federal Reserve is optimistic, and a consortium of 42 top banks recently demonstrated a proof of concept, with Barclays, BMO Financial Group, Credit Suisse, Commonwealth Bank of Australia, HSBC, Natixis, Royal Bank of Scotland, TD Bank, UBS, UniCredit, and Wells Fargo trading mock shares and money.  These are staid financial institutions, not breathless startups.


A most interesting resource!
Cybersecurity: Overview Reports and Links to Government, News, and Related Resources
by Sabrina I. Pacifici on
“Much is written on the topic of cybersecurity.  This CRS report and those listed below direct the reader to authoritative sources that address many of the most prominent issues.  Included in the reports are resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources.  This report is intended to serve as a starting point for congressional staff assigned to cover cybersecurity issues.  It includes annotated descriptions of reports, websites, or external resources…”


If you could send an email from Hillary to Donald, what would you say?
How Do Scammers Spoof Your Email Address?
We’ve all had questionable emails from miscellaneous folk begging for a wire transfer to Nigeria.  Most of us can spot the signs fairly easily, and know when to delete an email straight away.  In fact, most of these just automatically go into spam and are subsequently swept away by a solid email service.
But then we get emails from family and friends — or sometimes from our own address!  So what’s all that about?  Does this mean you (or someone you know) have been compromised?  Otherwise, how can scammers do that?


What happens if the kid’s arm isn’t long enough?
How to Keep Kids From Holding Phones Too Close to Their Eyes
If your young children use your phone, part of your phone’s child-proofing process should include a new free Android app from Samsung called Samsung Safety Screen.  The app is simple but important: it uses the device’s front camera to detect if a face is too close to the screen.
Thankfully, you can password protect the app so kids don’t just disable it and go on their merry way.  You might find this app to be overkill, and it won’t be battery-friendly since it needs to constantly access the camera, but for those with young ones concerned about their screen time, it’s worth a shot.


An interesting question.  This is not supposed to work, so why did it? 
Widening Highways Never Fixes Traffic. But Darnit, It Did in Texas
In a true fairy tale of a transportation project, Texas spent a measly $4.25 million widening a highway and, in defiance of conventional wisdom among transportation planners, doubled the speed of rush hour traffic on a notoriously congested highway in Dallas.
The Texas Department of Transportation repaved the shoulders along both sides of a 6.3-mile stretch of State Highway 161 between Dallas and Fort Worth in September.  Then it opened them up to traffic during the daily rush hour, keeping tow trucks on standby in case someone breaks down.  Based on figures released this month, with the extra lanes in place, traffic “started sailing,” The Dallas Morning News reported this week.
It isn’t supposed to work that way.  The rule of induced demand says widening highways does not ease congestion, and often makes it worse.


Reading is good, even if it isn’t your textbook.
How to Find Free Unlimited Content for Your Kindle
If you’re looking for more things to read on your Kindle, have no fear.  Here are all the websites, tools, and tips you need to fill your e-reader with high-quality free content that will keep you reading for hours without breaking the bank.
More Articles on Your Kindle
Just because a site doesn’t offer a Send to Kindle button doesn’t mean you can’t get their articles on your e-reader.  There are plenty of apps and extensions that will let you send just about anything to your Kindle (this is great for reading longform articles that might strain your eyes on a backlit screen).
Push to Kindle, for example, has a browser extension that lets you send anything you want with a click of a button.


Will my geeks start wandering the halls with cardboard over their eyes?
How to Get Started With Virtual Reality for Under $30
2016 looks set to be the year that virtual reality comes into its own, but looking at the most popular devices on the market may discourage you due to the high costs.  That’s why we’re going to show you how to get started with VR on the cheap using the Google Cardboard.


Want a techie job?  Use techie tools to get it.
Supercharge Your Next Job Interview with These 11 Free Tools


We’re trying to put teams together… 
Hacking competitions that will get you noticed
From the Hack the Pentagon announcement to the Facebook Hacker Cup, there are loads of opportunities for those new to security to either participate in educational hacking competitions or simply learn by watching others compete.  Michiel Prins, co-founder, HackerOne, and Ryan Stortz, security researcher, Trail of Bits, offered up a list of popular competitions and what they like most about some of them.
