Saturday, December 24, 2016
If you wanted information that would help you understand an adversary and perhaps predict its strategy, what data would you try to collect?
Exclusive: FBI probes FDIC hack linked to China's military - sources
The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China's military, people with knowledge of the matter said.
… After FDIC staff discovered the hack in 2010, it persisted into the next year and possibly later, with staff working at least through 2012 to verify the hackers were expunged, according to a 2013 internal probe conducted by the FDIC's inspector general, an internal watchdog.
The intrusion is part of a series of cybersecurity lapses at the FDIC in recent years that continued even after the hack suspected to be linked to Beijing. This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.
Will Apple do for Russia what it would not do for the FBI? I doubt they can.
Swati Khandelwal reports:
Russian Ambassador Andrei Karlov was shot dead by an off-duty police officer in Ankara on December 19 when the ambassador was giving a speech at an art gallery. The shooter managed to pass himself off as the ambassador's official bodyguard and was later shot to death by Turkish special forces.
After this shocking incident, Apple has been asked to help unlock an iPhone 4S recovered from the shooter, which could again spark up battle similar to the one between Apple and the FBI earlier this year.
Read more on The Hacker News.
(Related). On the other hand…
Cynthia Kroet reports:
The Belgian federal prosecutor told newspaper De Tijd in an interview published Friday that cell phone data linked to the Paris attacks investigation can no longer be accessed because Belgian law mandates it be deleted after 12 months for privacy reasons.
Frédéric Van Leeuw said there is still new information to be uncovered on the cell phones used to plan last year’s Paris attacks, and called upon the government to resolve the situation.
Read more on Politico.eu.
I try to pound these (and others) into my students’ heads! Really worth reading!
Craig Hoffman raises some valid points about lessons that can be learned following a security incident. Here are just a few of his points:
· Acknowledging that trust but verify is important (e.g., if someone says a network is segmented, check the ACLs and firewall rules to confirm this).
· Knowing that you can have great security tools and generate terabytes of logs, but someone has to review the logs.
· Determining that assumptions about a vendor’s role in maintaining and managing the security of the service it is offering may have been wrong.
Read his full commentary on BakerHostetler Data Privacy Monitor.
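The first of those lessons, checking the ACLs and firewall rules rather than accepting that a network is segmented, is easy to turn into a repeatable check. The script below is an added illustration, not code from Hoffman's commentary or from any vendor product. It uses a constructed, simplified rule table (first match wins, implicit deny at the end, IPv4 only) and evaluates a "nothing in A can reach B" claim against representative hosts and ports, listing every flow the rules actually permit.

```python
"""Verify a claimed network segmentation against the rule set itself.

'Trust but verify': rather than accept a statement that two networks are
segmented, evaluate the rules the way the device would (first match wins,
implicit deny at the end) and enumerate every flow the claim says must be
blocked but the rules actually allow.  All rules and addresses below are
constructed sample data for illustration.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed rule set in evaluation order.
# Fields: action, source CIDR, destination CIDR, protocol, destination port ("any" = all).
RULES = [
    ("allow", "10.10.0.0/16", "10.20.0.5/32", "tcp", 443),   # app tier -> DB load balancer
    ("deny",  "10.10.0.0/16", "10.20.0.0/16", "any", "any"), # app tier -> DB tier blocked
    ("allow", "10.30.0.0/24", "0.0.0.0/0",    "any", "any"), # admin jump net, unrestricted
    ("allow", "10.10.0.0/16", "0.0.0.0/0",    "tcp", 80),    # app tier outbound web
]
IMPLICIT_DENY = ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any")


def evaluate(rules, src, dst, proto, port):
    """Return (action, rule_index) for one flow using first-match semantics.
    The index of the implicit deny is len(rules)."""
    s, d = ip_address(src), ip_address(dst)
    for idx, (action, rsrc, rdst, rproto, rport) in enumerate(list(rules) + [IMPLICIT_DENY]):
        if s not in ip_network(rsrc, strict=False) or d not in ip_network(rdst, strict=False):
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rport != "any" and rport != port:
            continue
        return action, idx
    raise AssertionError("implicit deny must always match")


def probe_addresses(cidr, rules):
    """Representative hosts in cidr: its first and last usable host plus any
    rule endpoint that falls inside it, so narrow exceptions are not missed."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return {net.network_address}
    addrs = {net.network_address + 1, net.broadcast_address - 1}
    for _, rsrc, rdst, _, _ in rules:
        for r in (rsrc, rdst):
            rn = ip_network(r, strict=False)
            if rn != net and rn.subnet_of(net):
                addrs.add(rn.network_address if rn.prefixlen == 32 else rn.network_address + 1)
    return addrs


def verify_claim(rules, src_cidr, dst_cidr, ports=(22, 80, 443, 3306)):
    """Check the claim 'nothing in src_cidr can reach dst_cidr'.
    Returns the permitted flows that contradict it; an empty list means the
    claim holds for every probed host, protocol and port."""
    violations = []
    for src, dst, proto, port in product(probe_addresses(src_cidr, rules),
                                         probe_addresses(dst_cidr, rules),
                                         ("tcp", "udp"), ports):
        action, idx = evaluate(rules, str(src), str(dst), proto, port)
        if action == "allow":
            violations.append((str(src), str(dst), proto, port, idx))
    return violations


if __name__ == "__main__":
    # Claims someone might make in an interview; only the third one survives.
    claims = [
        ("app tier -> DB tier",   "10.10.0.0/16", "10.20.0.0/16"),
        ("admin net -> DB tier",  "10.30.0.0/24", "10.20.0.0/16"),
        ("DB tier -> app tier",   "10.20.0.0/16", "10.10.0.0/16"),
    ]
    for label, src, dst in claims:
        found = verify_claim(RULES, src, dst)
        status = "HOLDS" if not found else f"VIOLATED ({len(found)} permitted flows)"
        print(f"{label}: {status}")
        for v in found[:3]:
            print(f"  {v[0]} -> {v[1]} {v[2]}/{v[3]} allowed by rule #{v[4]}")
```

The first claim fails only on the documented load-balancer exception (rule 0), which is the kind of result that turns a vague "it's segmented" into a precise statement of what is and is not reachable; the second fails outright because of the unrestricted admin rule, a finding the ACL review would surface and the interview would not.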
My students might think this is so obvious it doesn’t need mentioning, but that has never been my experience.
The Unblinking Eye: Employee Monitoring in the IoT Era
… Even if it’s not their primary function, many IIoT applications could be used to monitor employees in unintended ways. Use of such data, if it’s not obtained properly, could damage a company’s reputation or put it on the defense in litigation.
Take, for example, sensors that some industrial companies embed in employee uniforms and helmets. These kinds of sensors can detect hazardous conditions such as toxic gases, or warn of over-exertion based on the reading of an employee’s heartbeat. Or consider GPS-enabled devices or mobile applications that permit employers to track the precise physical location of workers in order to deploy them most efficiently to new work assignments.
But what if information gleaned from these devices was used to detect patterns about an employee’s movements, which could be used to draw negative conclusions about the employee’s efficiency or performance? Yet an employee’s slow pace in moving between work stations, or frequent departures for bathroom breaks, might be due to a legally protected medical condition rather than laziness. Penalizing the employee based on this data might set the employer up for a disability discrimination claim. Similarly, an employer may face whistleblower or retaliation claims if a manager is able to use location data to figure out which employee went to the human resources office to lodge a complaint about him or her. It is inevitable that employers will seek to use IoT data to better manage their employees, as well as their inventory and equipment, but employers will need to guard against inappropriate or even unlawful uses of this data.
I will be most amused if there is justification for withholding this information.
Nicholas Iovino reports:
A federal judge Thursday ordered the Department of Justice to give her files on a secret telephone data-mining program so she can determine if it can withhold the records from the public.
The Electronic Frontier Foundation sued the Department of Justice in July 2015 after it refused to release files on the Hemisphere Project. The secret program, revealed in a New York Times article in September 2013, involved placing AT&T employees in law enforcement agencies to track records on trillions of phone calls dating back to 1987.
U.S. Magistrate Judge Maria-Elena James found Thursday that the government failed to justify a slew of Freedom of Information Act exemptions it cited to avoid revealing details of the clandestine project. She ordered the Justice Department to deliver the files for her to review behind closed doors.
Read more on Courthouse News.
[From the article:
The Justice Department cited two FOIA exemptions: Exemption 5, for attorney-client, work-product and deliberative-process privileges; and Exemption 7, for information that may reveal confidential sources or law enforcement techniques that could help criminals evade prosecution.
In the 36-page ruling, James found the government often recited elements necessary to establish the exceptions without stating why the records met standards for withholding from the public.
“The government argues the agency’s task should not be ‘herculean’ in providing supporting evidence for its claimed exemptions,” James wrote. “But while the government need not expose the very information contained in the withheld documents, here it does not provide the sufficient information for this Court to assess its assertion of privilege. The Court is not asking the government to make a herculean effort, merely something beyond regurgitation of the elements.”]
Brilliant! May we assume someone will read all the posts to all the social media sites by every visa applicant? Will they recognize terrorist writing when they see it? As the article says, terrorists are unlikely to incriminate themselves.
U.S. asks foreign travelers to voluntarily disclose social media profiles
Starting this week, the federal government began asking some travelers to the U.S. to supply details about their social media accounts.
… The collection of social media data, which was first proposed by Homeland Security this summer, does not apply to U.S. citizens. Instead, it is for now aimed at foreigners from 32 countries who apply to arrive in the U.S. under the “visa waiver program”—an online tool that lets short-term visitors skip the formal process of applying for a visa.
… The social networks include VKontakte, which serves as Russia’s Facebook, as well as JustPaste.it, a text-sharing tool that is popular with the terrorist group ISIS. Meanwhile, the form also lists little-used services like Vine and Google+ but omits the wildly-popular Snapchat.
… Meanwhile, it’s unclear if the program, first reported by Politico, will improve security. The reason is that would-be terrorists, even dim-witted ones, would be unlikely to disclose their social media profile to the U.S. government.
The 32 countries affected by the visa waiver program are mostly European and affluent ones.
What a brave new world that has such lawyers in it. (Actually, didn’t Shakespeare have a rather less positive opinion of lawyers?)
Ambrogi – The 10 Most Important Legal Technology Developments of 2016
by Sabrina I. Pacifici on Dec 23, 2016
Via LawSites: “What were 2016’s most important developments in legal technology? Every year since 2013, I’ve posted my picks of the year’s top developments in legal tech (2015, 2014, 2013). As another year wraps up, it’s time to look back at 2016. What follows are my picks for the year’s most important legal technology developments. As in past years, the numbers are not meant to be rankings — each of these is important in its own way. I also refer you back to my prior years’ posts, as much of what I said in them remains true today…”
A resource for my Computer Security and my Disaster Recovery students.
NIST – Guide for Cybersecurity Event Recovery
by Sabrina I. Pacifici on Dec 23, 2016
NIST Special Publication 800-184 Guide for Cybersecurity Event Recovery, 2016. Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Matthew Smith, Greg Witte, Karen Scarfone. https://doi.org/10.6028/NIST.SP.800-184
“Abstract – In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents. … This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning.”
There might just be something useful here!
More Than 300 Ed Tech Tutorial Videos
Throughout the year I offer webinars on a variety of educational technology topics. But I also publish a tutorial or two on my YouTube channel every week. That playlist now contains more than 300 tutorials on everything from graphics editing to podcasting to tips for new Chromebook users. The entire playlist can be found here or viewed as embedded below.
This could be amusing, though it covers only sites on the register. The little New Jersey town I grew up in had at least three houses where George Washington spent the night. (“Washington slept here” signs were really common throughout NJ.)
Explore Maps of Historical Sites in Every U.S. State
The Traveling Salesman Problem is a website developed by William Cook at the University of Waterloo. The site features interactive maps that chart the short distance between a series of places. One of those maps is of all of the places in the United States National Register of Historic Places, all 49,603 of them. You can view the whole country in one map or visit each state's individual map.
Naturally, I jumped to the map of Maine's historic places to see how many I was familiar with. One that's close to my home is this old cattle pound that I often stop at while riding my bike in the summer. I clicked on the image on the map and was able to click through to the asset detail provided by the National Parks service. The asset detail includes when the site was added to the national registry and why it is significant.