Sunday, March 13, 2016

Cybersecurity and Sovereignty

“You know what your problem is, kid? Too much Internet and not enough legwork. A Crime reporter is made in the street. How many times have you hidden behind a tree to watch something…Called a witness to a crime or a victim’s relation posing as Chief Inspector Bloggins?…Get out in the street, learn to assimilate: you have to be the thief, the murderer, the victim, the accomplice, whatever it takes to be inside their heads.”—Jaime Brena, veteran reporter, to “the Crime boy,” new recruit.
~Bathroom Quote

December 2013 in the village of Sâmbăteni, Romania. The air is dull and frosty as Marcel Lazăr Lehel walks out of his mud-brick house, carrying a cheap brand laptop and a mobile phone, and goes to the back garden. Exhaling steam, he places the devices on the ground, picks up his axe and begins to chop with hard, steady blows. Thunk-crunch, thunk-crunch, thunk-crunch.
Lehel gathers the shards of plastic and metal together and dumps them into a metal cauldron, before lighting the whole thing on fire. He looks with apparent unease at the charred remains of his hacking utensils and, putting out the flames, he returns to the house. The foul-smelling pile is still smoking behind him. Lehel (spelled backwards - 2015 Story), a 42-year-old unemployed Romanian citizen with a wife and ten-year-old daughter, is better known to the world as the notorious black hat hacker “Guccifer.”

Known online as 'Guccifer,' Marcel Lehel, 42, lost his legal case in his home country after Romania's top court of appeal sanctioned a request by the U.S. to extradite him.

Romanian hacker 'Guccifer' who released some of Hillary Clinton's private emails and George Bush's family photos to be extradited to US

"Secrecy rules for Supreme Court nominees: 'I felt like a spy.'" Kevin Liptak of has this report.

China has expressed concerns over the United States' discussions with Australia to deploy long-range B-1 bombers to the NT.

A short story collection by an anonymous North Korean author was smuggled out of the country and will be published in English next year.

 We must here return for a moment to the position which precedes the suppression of democratic institutions and the creation of a totalitarian regime. In this stage it is the general demand for quick and determined government action that is the dominating element in the situation, dissatisfaction with the slow and cumbersome course of democratic procedure which makes action for action’s sake the goal. It is then the man or the party who seems strong and resolute enough “to get things done” who exercises the greatest appeal. “Strong” in this sense means not merely a numerical majority – it is the ineffectiveness of parliamentary majorities with which people are dissatisfied. What they will seek is somebody with such solid support as to inspire confidence that he can carry out whatever he wants.
~ Friedrich von Hayek, The Road To Serfdom, Chapter Ten, “Why the Worst Get On Top.” More: Aesop on the Frogs Who Wanted a King, at Cato.

What story is for... Offering insight into humanity that cannot be replicated by psychology, sociology, or any of the social sciences.

Cold River Lessons

“Whatever people say about the General today, I can only testify that he was a sincere man who believed in everything he said, even if it was a lie, which makes him not so different from most.”   

PwC and London Business School research, June 2015. A get-tough approach to poor performance in financial services is creating a climate of fear. And that risks breeding more unethical conduct, not less – exactly the opposite of what regulators, businesses and the public want.

The big data dilemma
UK House of Commons Science and Technology Committee, Feb 2016. Raised a number of issues including privacy, security and skillsets.

Illuminated with etched light, these business cards are almost too lovely to hand out 

pretty yellow bird links


March 2, 2016

Are companies prepared to handle the increasingly prevalent risk from hackers? A new survey shows many security professionals aren't as confident as they used to be. According to the survey, 2015 saw a sharp 12-point dip -- from 87 to 75 percent -- in the percentage of security professionals who said they were confident in their team's ability to pinpoint and respond to cybersecurity "incidents." 

Narelle Lovett, A/G Chief Information Officer for the Australian Crime Commission, on IT collaboration and consolidation
The Australian Crime Commission is currently working toward a merger with CrimTrac and the Australian Institute of Criminology (AIC). A lot of this work relates to an internal program of work called the Information Data Exploitation Program (IDEP).
Following up on my previous post, Senate Finance Committee Urges Treasury To Use Section 891 To Combat EU Investigations Of American Companies:  Itai Grinberg (Georgetown), A Constructive U.S. Counter to EU State Aid Cases, 81 Tax Notes Int'l 167 (Jan. 11, 2016):
U.S. Treasury officials and members of Congress from both parties have expressed concern that the European Commission’s current state aid investigations are disproportionately targeting U.S.-based multinational enterprises. At the same time, a Treasury official recently suggested in congressional testimony that there are limits to what Treasury can do beyond strongly expressing its concerns to the commission. In that testimony, Treasury’s representative hinted at two specific pressure points: whether the state aid investigations could undermine U.S. tax treaties with EU member states; and whether any assessments paid by the foreign subsidiaries of U.S. MNEs as a result of state aid investigations would be creditable for U.S. income tax purposes.

PwC Global Economic Crime Survey 2016: “More than one in three organisations (36%) experienced economic crime in the last two years, with cybercrime affecting almost a third (32%), the highest ever level in PwC’s biennial survey of Global Economic Crime. The PwC Global Economic Crime Survey 2016 interviewed over 6000 participants in 115 countries. Despite the marginal decline in economic crime reported overall, the financial cost of each fraud is on the rise. 14% of respondents experienced losses of more than $1m in the last two years.

· Overall rates: The overall rate of economic crime reported has fallen for the first year since the financial crisis, but only marginally – to 36% from 37% in 2014. Regionally, lower levels of economic crime are reported in North America (37% vs 41%), Eastern Europe (33% vs 39%), Asia Pacific (30% vs 32%) and Latin America (28% vs 35%). It rose in Africa (57% vs 50%), Western Europe (40% vs 35%) and the Middle East (25% vs 21%).

· Most common economic crimes: Asset misappropriation (64%), cybercrime (32%), and bribery and corruption (24%).

· Highest increases: 68% of French and 55% of UK respondents reported economic crimes in the past 24 months, up 25% when compared to 2014. 61% of Zambian respondents reported economic crime, up 31% over 2014.

· Industry sector impacts: Financial Services reported the most economic crimes over the two year period, followed by government and state owned enterprises, and retail and consumer industries. Aerospace & Defence was the biggest riser in the period at 9%. Specific crimes are affecting different industries, with Transportation & Logistics for example experiencing a 16% increase in Bribery & Corruption.

· Cybercrime: Incidents reported were up 8% to 32% and over half (53%) of respondents perceived an increased risk of cyber threats over the last 24 months. 34% believe it is likely that their organisations will experience cybercrime in the next 24 months. Despite big financial losses reported linked to cybercrime, respondents reported the greatest impact to their organisations coming from damage to their reputation and legal, investment and enforcement costs.

· Response to cybercrime: Only 37% of respondents reported having a fully operational incident response plan in place. Almost a third have no plan at all, with 14% of respondents not even intending to implement one. 45% of respondents do not believe that their local law enforcement agencies have the required skills and resources to combat cybercrime…”

February 28, 2016

Hackers supporting the Islamic State group launched an attack on a small solar energy company in Sussex with just 11 members of staff. The so-called Caliphate Cyber Army (CCA) said it took down the Solar UK site in revenge for a drone strike which killed Junaid Hussain, a British hacker in Syria. It later released a video which boasted of its attack on the firm. Duncan Lee, a founder of Solar UK, said the attack was "ridiculous". "I'm not expecting masked gunmen to appear on my doorstep at any point soon," he said. Birmingham-born Junaid Hussain was described as a "top cyber jihadist" and played a key role in radicalising and recruiting others to plan attacks. He was married to former punk musician Sally Jones from Chatham in Kent, who remains at large in Syria. The initial cyber attack on Solar UK happened at the end of January, when the company discovered its website was down and replaced with CCA material. Mr Lee said: "We just thought, 'ah well, we've been hacked, fair enough'. We didn't know we were on a video at that stage."

March 2, 2016

Hackers are selling their services to take down websites on the internet for significantly less than the minimum wage they would get if they had regular jobs. The attacks carried out by the hackers are known as distributed denial of service (DDoS) attacks and occur when a website is overloaded with traffic, causing it to crash. DDoS attacks are not particularly sophisticated. The idea of selling such a service online is not new, but cybersecurity company Arbor Networks managed to track a hacker known as "Forceful" down and get an insight into how it works, and more importantly how much the person is earning from their services. In the case of Forceful, the hacker posted an advertisement on a Russian-language forum online, listing prices and contact information. People can then use secure messaging apps to get in touch and negotiate the logistics. There's little information on how much this kind of service sells for currently, but Arbor tracked down one offering. Starting on August 8, 2015 at around 08:47 in the morning, an attack was launched by Forceful on a website, and it lasted for two days and about 21 hours. Forceful charges $60 per day, which is $2.50 an hour. Arbor worked out this attack cost just $172.50.

The Atlantic
March 2, 2016
Sick of trawling through endless job boards and firing off résumés into the black? Thinking about turning to a life of crime, just to avoid having to put on a nice shirt and a forced smile for another interview? A career as a criminal hacker may not be the best place to escape the job-search tedium, according to new research from the cybersecurity firm Digital Shadows. Looking at about 100 million websites on both the surface Web and Dark Web, the researchers found that the process hackers use to recruit new hires mirrors the one most job-seekers are used to. (The interview, for example, isn’t gone—it just might involve some anonymizing technology.) Just like in any other industry, hackers looking for fresh talent start by exploring their network, says Rick Holland, the vice president of strategy at Digital Shadows. “Reputation is really, really key,” Holland says, so a candidate who comes highly recommended from a trusted peer is off to a great start.


March 4, 2016

Students from MIT and Britain's University of Cambridge will spend the weekend hacking one another's computers, with the blessing of their national leaders. The two schools are competing in a hacking contest that U.S. President Barack Obama and British Prime Minister David Cameron announced last year among other joint cybersecurity projects between the two nations. The White House billed it as a showdown between the two prestigious schools, both known as heavyweights in the world of computer science. But the colleges opted to make it a friendlier match. Instead of facing off against each other, the schools assigned their top hackers to six teams made up of students from both institutions. 

Wired, March 3, 2016

It was 3:30 p.m. last December 23, and residents of the Ivano-Frankivsk region of Western Ukraine were preparing to end their workday and head home through the cold winter streets. Inside the Prykarpattyaoblenergo control center, which distributes power to the region’s residents, operators too were nearing the end of their shift. But just as one worker was organizing papers at his desk that day, the cursor on his computer suddenly skittered across the screen of its own accord. He watched as it navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.

March 3, 2016
It's a chilling moment when a small business owner discovers hackers have stolen thousands of dollars from the company checking account. Cybercriminals took an average $32,000 from small business accounts, according to a December survey of owners by the advocacy group National Small Business Association. And businesses don't have the same legal protection from bank account fraud consumers have. The Electronic Funds Transfer Act, passed in 1978, states that it's intended to protect individual consumers from bank account theft, but makes no mention of businesses. Whether a business is protected depends on the agreement it signs with a bank, says Doug Johnson, a senior vice president with the American Bankers Association, an industry group. If the business hasn't complied with any security measures required by the agreement, it could be liable for the stolen money, he says. Any business is vulnerable, but small companies are less likely to have security departments and procedures to guard against online theft than big corporations do. They also don't have big revenue streams that are better able to absorb losses from a theft. And even if they get the money back, they still have to spend time and money dealing with the hassles of closing accounts and opening new ones.

Krebs on Security

March 2, 2016

A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot. As first noted in January, Wendy’s is investigating a pattern of unusual card activity at some stores. In a preliminary 2015 annual report, Wendy’s confirmed that malware designed to steal card data was found on some systems. The company says it doesn’t yet know the extent of the breach or how many customers may have been impacted. According to B. Dan Berger, CEO at the National Association of Federal Credit Unions, many credit unions saw a huge increase in debit card fraud in the few weeks before the Wendy’s breach became public. He said much of that fraud activity was later tied to customers who’d patronized Wendy’s locations less than a month prior. “This is what we’ve heard from three different credit union CEOs in Ohio now: It’s more concentrated and the amounts hitting compromised debit accounts is much higher than what they were hit with after Home Depot or Target,” Berger said. “It seems to have been [the work of] a sophisticated group, in terms of the timing and the accounts they targeted. They were targeting and draining debit accounts with lots of money in them.”

The relationship between the head of the Independent Commission Against Corruption (ICAC) and its inspector is dysfunctional, says the chairman of the parliamentary oversight committee of the anti-corruption body.