Bangladesh Bank exposed to hackers by cheap switches, no firewall: police

Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said.

The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.

"It could be difficult to hack if there was a firewall," Alam said in an interview.

The lack of sophisticated switches, which can cost several hundred dollars or more, also means it is difficult for investigators to figure out what the hackers did and where they might have been based, he added.

Experts in bank security said that the findings described by Alam were disturbing.

"You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions," said Jeff Wichman, a consultant with cyber firm Optiv.

Tom Kellermann, a former member of the World Bank security team, said that the security shortcomings described by Alam were "egregious," and that he believed there were "a handful" of central banks in developing countries that were equally insecure.

… The police believe that both the bank and SWIFT should take the blame for the oversight, Alam said in an interview.

"It was their responsibility to point it out but we haven't found any evidence that they advised before the heist," he said, referring to SWIFT.
Another update. In short, someone with legal access to the database screwed up. Interesting read.

Overnight, I received a response from the INE with answers to some questions I had posed to them about a massive database leak of Mexican voter data. The leak had been discovered by MacKeeper researcher Chris Vickery.
Another interesting article for my Computer Security students. Phishing works!

After 24 days of updating my scratch list of incidents involving phishing for W-2 information (business email compromise), I decided to take stock and try to organize what we have so far. I was surprised to see that there were already 90 incidents. Most of these entries were found via media reports and reports to state attorneys general. Some were found via KrebsOnSecurity. In a few cases, it’s not totally clear whether an incident was a phishing attack or some other type of breach that compromised employee information.

[Full list follows…
Reminds me of my childhood vacations at the Jersey shore. Something smells fishy. Is the FBI still trustworthy?

Federal Prosecutors Drop Court Case to Force Apple to Unlock iPhone

The Justice Department on Friday night dropped a court case trying to force Apple Inc. to help authorities open a locked iPhone, adding new uncertainty to the government’s standoff with the technology company over encryption.

In a one-page letter filed with a Brooklyn federal court Friday night, the government said an individual had recently come forward to offer the passcode to the long-locked phone. The filing means that in both of the high-profile cases pitting the Justice Department against Apple, the government first said it couldn’t open the phone, only to suddenly announce it had found a way into the device as the case proceeded in court.

… The sudden withdrawal from the case is a setback in more ways than one for the Justice Department. It leaves unchallenged a 50-page ruling by a magistrate judge concluding the government doesn’t have legal authority to force companies like Apple to help investigators open devices. It is also likely to spark further criticism from privacy advocates that government officials shouldn’t be believed when they say the only way they can open a device is with help from the manufacturer.

… The government’s move to drop the case means there is no public legal case to fight with Apple, though a February court filing indicated there were a dozen similar such cases, most of them under seal, around the country.
(Related) Erosion of trust?

Seems a bit like old news by now, but Brad Heath reports:

The FBI guards its high-tech secrets so carefully that officials once warned agents not to share details even with federal prosecutors for fear they might eventually go on to work as defense attorneys, newly disclosed records show.

A supervisor also cautioned the bureau’s “technically trained agents” in a 2003 memo not to reveal techniques for secretly entering and bugging a suspect’s home to other agents who might be forced to reveal them in court. “We need to protect how our equipment is concealed,” the unnamed supervisor wrote.

Read more on USA Today.
(Related)

Scott Greenfield writes:

When the existence and capacity of Stingrays came to light, you might have thought all hell would break loose. After all, it wasn’t just the public that was kept in the dark by this monumental breach of privacy. It was judges too.

The concealment of the use of Stingray is one thing. The deceptive claim that Stingray is little more than a trap and trace device is another. But these emails go to a different place. It’s not just the government concealing their cool, secret devices from the public. Not even from criminal defense lawyers. They are lying to the courts about using them.

Read more on Simple Justice.
Not just the FBI? Does every government agency have “double secret” technology to spy?

Derrick Broze reports:

Phoenix resident Brian Clegg was concerned about a box he witnessed being installed on a power pole. Clegg said the box was facing his house and he believed it may have had cameras inside. The pole was owned by Arizona’s largest power provider, SRP, who claimed no one had permission to put the box on their pole. Brian Clegg says shortly afterwards SRP sent a crew to remove the box.

Shortly after ABC15 investigated the matter, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), a branch of the U.S. Department of Justice, acknowledged installing the box as part of an ongoing investigation. Officials with the ATF would not provide details about their alleged investigation and would not confirm if they were conducting surveillance in the area.

Read more on Activist Post.
The “Founding Fathers” of e-government?

Looks like those campaign donations do buy access. (“What’s good for General Bullmoose is good for the country!” Li’l Abner)

Report finds hundreds of meetings between White House and Google

Google and its affiliates have had at least 427 meetings at the White House during President Obama’s tenure, according to data from the Campaign for Accountability and The Intercept.

The data, gleaned from White House meeting logs, showed that in all, 169 Google employees have met in the White House with 182 government officials. Not surprisingly, Google’s head of public policy, Johanna Shelton, had the most White House meetings of any Google employee, with 128.

The report highlights the access enjoyed by Google, which has an expansive lobbying operation in Washington and consistently ranks among the highest spenders. In just the first quarter of this year, Google spent $3.8 million to lobby the government.

… The numbers also show 55 times in which Google employees took jobs in the federal government, and 197 times when government employees went to work for Google.
I just stumbled across this and had to record it for use later. Remember the Ferengi?
Rules of Acquisition
Da bidness of smartifying.
Hack Education Weekly News

… “A federal judge has ruled that the Consumer Financial Protection Bureau doesn’t have the legal authority to investigate the accreditation of for-profit colleges,” The Chronicle of Higher Education reports.

… The latest in the ongoing battles over teacher tenure: “The North Carolina Supreme Court on Friday ruled unconstitutional a state law that phased out job protections for teachers who had already earned them,” The News & Observer reports.

… Via Reuters: “At least five times in the past three years, U.S. high school students were administered SAT tests that included questions and answers widely available online more than a year before they took the exam.”

… “Richard Payne, director of Douglas County School District security, spent $12,000 on 10 Bushmaster semi-automatic long rifles that will be given to the district’s in-school security guards,” Boing Boing reports.

… “Businesses, nonprofits and communities are turning to private dollars for help in establishing free community college programs,” Inside Higher Ed reports. Meanwhile, San Francisco Board of Supervisors member Jane Kim has proposed eliminating tuition at the City College of San Francisco for the city’s residents; and Kentucky’s newly approved budget would also offer “last dollar aid” for community college.

… War is Peace. Freedom is Slavery. And tracking biometrics and keystrokes will make education technology more secure.

… Note-taking by hand > note-taking by computer, according to research published in Psychological Science.