Exclusive: FBI probes FDIC hack linked to China's military -
sources
The FBI is investigating how hackers infiltrated computers
at the Federal Deposit Insurance Corporation for several years beginning in
2010 in a breach senior FDIC officials believe was sponsored by China's
military, people with knowledge of the matter said.
… After FDIC staff discovered the hack in 2010, it
persisted into the next year and possibly later, with staff working
at least through 2012 to verify the hackers were expunged, according to a 2013
internal probe conducted by the FDIC's inspector general, an internal watchdog.
The
intrusion is part of a series of cybersecurity lapses at the FDIC in recent years
that continued even after the hack suspected to be linked to Beijing. This year, the FDIC has reported to Congress
at least seven cybersecurity incidents it considered to be major which occurred
in 2015 or 2016.
Will Apple do for Russia what it would not do for the FBI?
I doubt they can.
Swati Khandelwal reports:
Russian Ambassador Andrei Karlov
was shot dead by an off-duty police officer in Ankara on December 19 when the
ambassador was giving a speech at an art gallery. The shooter managed to pass himself off as the
ambassador's official bodyguard and was later shot dead by Turkish special forces.
After this shocking incident,
Apple has been asked to help unlock
an iPhone 4S recovered from the shooter, which could again spark a
battle similar to the one between Apple and the FBI earlier this year.
Read more on The
Hacker News.
(Related). On the
other hand…
Cynthia Kroet reports:
The Belgian federal prosecutor
told newspaper De Tijd in an interview published Friday that cell phone data linked to
the Paris attacks investigation can no longer be accessed because Belgian law
mandates it be deleted after 12 months for privacy reasons.
Frédéric Van Leeuw
said there is still new information to be uncovered on the cell phones
used to plan last year’s Paris attacks, and called upon the government to
resolve the situation.
Read more on Politico.eu.
I try to pound these (and others) into my students’ heads!
Really worth reading!
Craig Hoffman raises some valid points about lessons that
can be learned following a security incident. Here are just a few of his
points:
· Acknowledging that trust but verify is important
(e.g., if someone says a network is segmented, check the ACLs and firewall
rules to confirm this).
· Knowing that you can have great security tools
and generate terabytes of logs, but someone has
to review the logs.
· Determining that assumptions about a vendor’s
role in maintaining and managing the security of the service it is offering may
have been wrong.
Read his full commentary on BakerHostetler Data
Privacy Monitor.
My students might think this is so obvious it doesn’t need
mentioning, but that has never been my experience.
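One way to make the first of those points concrete is a script that tests a claimed segmentation against the rule set that actually enforces it. The following is an added example, not code from Hoffman's commentary or from BakerHostetler; the rule format (first-match evaluation, source and destination CIDR, allow or deny, with a default action for unmatched flows), the zone names and the sample rules are all assumptions constructed for the illustration.

```python
"""Check a claimed network segmentation against the firewall/ACL rules.

Added example; the rule format, zone names and sample data are assumptions.
Model: rules are evaluated top to bottom, the first rule whose source and
destination both match a flow decides it, and unmatched flows fall through
to a default action.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    comment: str = ""


def check_isolation(rules, zones, isolation_pairs, default_action="deny"):
    """Return a list of findings contradicting the claim that every
    (src_zone, dst_zone) pair in isolation_pairs is fully isolated.

    For each pair of zone networks the rules are walked in order.  An allow
    rule that overlaps the pair is reported; a rule (allow or deny) that fully
    covers the pair settles it, so nothing below it can matter.  If no rule
    settles the pair, the default action applies to whatever is left.

    The check is deliberately conservative: an allow rule that an earlier,
    partially overlapping deny happens to shadow completely is still reported,
    so each finding is something to look at rather than an automatic verdict.
    """
    findings = []
    for src_zone, dst_zone in isolation_pairs:
        for src_net in zones[src_zone]:
            for dst_net in zones[dst_zone]:
                settled = False
                for idx, rule in enumerate(rules):
                    rule_src, rule_dst = ip_network(rule.src), ip_network(rule.dst)
                    if not (rule_src.overlaps(src_net) and rule_dst.overlaps(dst_net)):
                        continue
                    if rule.action == "allow":
                        findings.append(
                            f"rule {idx} ({rule.comment}) permits {src_net} -> {dst_net} "
                            f"although {src_zone} -> {dst_zone} is claimed isolated"
                        )
                    # A rule covering both whole networks decides everything below it.
                    if src_net.subnet_of(rule_src) and dst_net.subnet_of(rule_dst):
                        settled = True
                        break
                if not settled and default_action == "allow":
                    findings.append(
                        f"no rule settles {src_net} -> {dst_net}; the default allow applies"
                    )
    return findings


# Constructed sample data (not from any real environment).
ZONES = {
    "corp": [ip_network("10.1.0.0/16")],
    "cardholder": [ip_network("10.9.0.0/24")],
    "guest_wifi": [ip_network("192.168.50.0/24")],
}
# The segmentation claim under review: neither corp nor guest Wi-Fi reaches the cardholder zone.
ISOLATION = [("guest_wifi", "cardholder"), ("corp", "cardholder")]
RULES = [
    Rule("allow", "10.1.20.0/24", "10.9.0.0/24", "jump-host subnet into CDE"),
    Rule("deny", "0.0.0.0/0", "10.9.0.0/24", "block everything else into CDE"),
    Rule("allow", "0.0.0.0/0", "0.0.0.0/0", "catch-all allow"),
]

if __name__ == "__main__":
    for finding in check_isolation(RULES, ZONES, ISOLATION):
        print(finding)
```

Run against the constructed rules, the check reports the jump-host exception that the "it's segmented" statement glossed over, while the guest Wi-Fi claim holds; the same function with `default_action="allow"` also catches the case where a pair is simply never addressed by any rule, which is the other common way a segmentation claim turns out to be wishful.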
The Unblinking Eye: Employee Monitoring in the IoT Era
… Even if it’s not
their primary function, many IIoT applications could be used to monitor
employees in unintended ways. Use of
such data, if it’s not obtained properly, could damage a company’s reputation
or put it on the defensive in litigation.
Take, for example, sensors that some industrial companies
embed in employee uniforms and helmets. These
kinds of sensors can detect hazardous conditions such as toxic gases, or warn
of over-exertion based on the reading of an employee’s heartbeat. Or consider GPS-enabled devices or mobile
applications that permit employers to track the precise physical location of
workers in order to deploy them most efficiently to new work assignments.
But what if information gleaned from these devices was
used to detect patterns about an employee’s movements, which could be used to
draw negative conclusions about the employee’s efficiency or performance? Yet an employee’s slow pace in moving between
work stations, or frequent departures for bathroom breaks, might be due to a
legally protected medical condition rather than laziness. Penalizing the employee based on this data
might set the employer up for a disability discrimination claim. Similarly, an employer may face whistleblower
or retaliation claims if a manager is able to use location data to figure out
which employee went to the human resources office to lodge a complaint about
him or her. It is inevitable that
employers will seek to use IoT data to better manage their employees, as well
as their inventory and equipment, but employers
will need to guard against inappropriate or even unlawful uses of this data.
I will be most amused if there is justification for withholding
this information.
Nicholas Iovino reports:
A federal judge Thursday ordered
the Department of Justice to give her files on a secret telephone data-mining
program so she can determine if it can withhold the records from the public.
The Electronic Frontier
Foundation sued the Department of Justice in July 2015 after it refused to
release files on the Hemisphere Project. The secret program, revealed in a New York
Times article in September 2013, involved placing AT&T employees in law
enforcement agencies to track records on trillions of phone calls dating back
to 1987.
U.S. Magistrate Judge Maria-Elena
James found Thursday that the government failed to justify a slew of Freedom of
Information Act exemptions it cited to avoid revealing details of the
clandestine project. She ordered the
Justice Department to deliver the files for her to review behind closed doors.
Read more on Courthouse
News.
[From the
article:
The Justice Department cited two FOIA exemptions:
Exemption 5, for attorney-client, work-product and deliberative-process
privileges; and Exemption 7, for information that may reveal confidential
sources or law enforcement techniques that could help criminals evade
prosecution.
In the 36-page ruling, James found the government often
recited elements necessary to establish the exceptions without stating why the
records met standards for withholding from the public.
“The government argues the agency’s task should not be
‘herculean’ in providing supporting evidence for its claimed exemptions,” James
wrote. “But while the government need
not expose the very information contained in the withheld documents, here it
does not provide the sufficient information for this Court to assess its
assertion of privilege. The Court is not
asking the government to make a herculean effort, merely something beyond
regurgitation of the elements.”
Brilliant! May we
assume someone will read all the posts to all the social media sites by every
visa applicant? Will they recognize
terrorist writing when they see it? As
the article says, terrorists are unlikely to incriminate themselves.
U.S. asks foreign travelers to voluntarily disclose social
media profiles
Starting this week, the federal government began asking
some travelers to the U.S. to supply details about their social media accounts.
… The collection
of social media data, which was first proposed by Homeland Security this
summer, does not apply to U.S. citizens. Instead, it is for now aimed at foreigners
from 32
countries who apply to arrive in the U.S. under the “visa waiver
program”—an online tool that lets short-term visitors skip the formal process
of applying for a visa.
… The social
networks include VKontakte, which serves as Russia’s Facebook, as well as
JustPaste.it, a text-sharing tool that is popular with the terrorist group
ISIS. Meanwhile, the form also lists
little-used services like Vine and Google+ but omits the wildly-popular
Snapchat.
… Meanwhile, it’s
unclear if the program, first reported by Politico, will improve security. The reason is that would-be terrorists, even dim-witted ones, would be unlikely
to disclose their social media profiles to the U.S. government.
The 32 countries affected by the visa waiver program are mostly
European and affluent ones.
What a brave new world that has such lawyers in it. (Actually, didn’t Shakespeare have a rather
less positive opinion of lawyers?)
Ambrogi – The 10 Most Important Legal Technology Developments
of 2016
by Sabrina
I. Pacifici on Dec 23, 2016
Via LawSites: “What were 2016’s most
important developments in legal technology? Every year since 2013, I’ve posted my picks of
the year’s top developments in legal tech (2015, 2014, 2013). As another year wraps up, it’s time to look
back at 2016. What follows are my picks
for the year’s most important legal technology developments. As in past years, the numbers are not meant to
be rankings — each of these is important in its own way. I also refer you back to my prior years’
posts, as much of what I said in them remains true today…”
A resource for my Computer Security and my Disaster Recovery
students.
NIST – Guide for Cybersecurity Event Recovery
by Sabrina
I. Pacifici on Dec 23, 2016
NIST Special Publication 800-184 Guide for Cybersecurity Event
Recovery, 2016. Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya,
Matthew Smith, Greg Witte, Karen Scarfone. https://doi.org/10.6028/NIST.SP.800-184
“Abstract – In light of an increasing number of
cybersecurity events, organizations can improve resilience by ensuring that
their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization
resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from
incidents when they occur and helps to minimize the impact on the organization
and its constituents. … This publication provides tactical and
strategic guidance regarding the planning, playbook developing, testing, and
improvement of recovery planning.
There might just be something useful here!
More Than 300 Ed Tech Tutorial Videos
Throughout the year I offer webinars on a variety of
educational technology topics. But I also publish a tutorial or two on my
YouTube channel every week. That playlist now contains more than 300
tutorials on everything from graphics
editing to podcasting to tips for new Chromebook users. The entire playlist can be found here or viewed as embedded below.
This could be amusing, it is only sites on the
register. The little New Jersey town I
grew up in had at least three houses where George Washington spent the night. (“Washington slept here” signs were really
common throughout NJ.)
Explore Maps of Historical Sites in Every U.S. State
The Traveling Salesman Problem is a website developed by William Cook
at the University of Waterloo. The site
features interactive maps that chart the short distance between a series of
places. One of those maps is of all of
the places in the United States National Register of Historic Places, all
49,603 of them. You can view the
whole country in one map or visit each
state's individual map.
Naturally, I jumped to the map of Maine's historic places
to see how many I was familiar with. One
that's close to my home is this old
cattle pound that I often stop at while riding my bike in the summer. I clicked on the image on the map and was able
to click through to the asset detail provided by the National Park Service. The asset detail includes when the site was
added to the national registry and why it is significant.