Thursday, April 14, 2016

Deterrence and Whistlers in Cyber Lands

“O Wind, / If Autumn comes, can Winter be far behind?” 

INK BOTTLE: “You and I are worse than characters: we are character-actors.”
George Bernard Shaw, letter to T.E. Lawrence, March 7, 1927

Money, Power, and Monetary Regimes (PDF) Pavlina Tcherneva

It’s exceedingly rare, but sometimes corporate conduct is so egregious that an executive actually gets put behind bars.
A CEO Was Actually Sentenced To Prison Time 

“Does Anyone Get Arrested For Breaking Those Weird Old Laws? This Man Did” [Mental Floss on Michigan swearing law]

The ease of designing sophisticated cyber attacks has driven another sharp increase in attempts to bring down websites, according to a new report on cyber attacks. It underlines the need for agencies to rethink their defence strategy as they move to digitise services.

Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance, GAO-16-325: Published: Apr 7, 2016. Publicly Released: Apr 7, 2016.

Internal Revenue Service: Preliminary Observations on the Fiscal Year 2017 Budget Request and 2016 Filing Season Performance, GAO-16-459R: Published: Mar 8, 2016. Publicly Released: Apr 7, 2016.

In its quarterly benchmark report on the State of the Internet, Akamai said web attacks in the fourth-quarter period of 2015 were up 40% on the previous quarter. Repeat attacks are now the norm and, yet again, threats have emerged from new parts of the world, this time Turkey.
Prepare for cyber attacks increasingly easier to execute

In what’s perhaps the most enthralling episode of the hacker drama Mr. Robot, one of F-Society’s hackers drops a bunch of USB sticks in the parking lot of a prison in the hopes somebody will pick one up and plug it into their work computer, giving the hackers a foothold in the network. Of course, eventually, one of the prison employees takes the bait. Using booby-trapped USB flash drives is a classic hacker technique. 

With friends like Devil Horn's, who needs enemies?
tiger cub links

for Chad, who made me put the cyber dragons in...
IRS security matters 2016 - database isn't secure

Robert Wood, IRS Admits It Encourages Illegals To Steal Social Security Numbers For Taxes: “The IRS actually wants illegal immigrants to illegally use Social Security numbers, he suggested. IRS Commissioner John Koskinen made the surprising statement in response to a question from Sen. Dan Coats, R-Ind., at a Senate Finance Committee meeting.”

Information Security: IRS Needs to Further Improve Controls over Taxpayer Data and Continue to Combat Identity Theft Refund Fraud, GAO-16-589T: Published: Apr 12, 2016. Publicly Released: Apr 12, 2016

Prime Minister Malcolm Turnbull wasn’t shy about admitting the Digital Transformation Office was a local clone of the UK’s Government Digital Service, and now the pair have joined up officially — at least in terms of lending staff and sharing knowledge.

Australia and UK partner up on digital service progress 

Staff fall victim to cyber criminals hacking into pay 

Public servant hospitalised after workplace coaching session ATO 

Former top public servant Bill Blick says there is no evidence that freedom of information laws inhibit "frank and fearless" advice from the bureaucracy to politicians, that he never lost any sleep over FoI laws when he was a senior public servant, and that nor should today's crop of mandarins.
APS bosses 'self serving' in calls for greater secrecy over FoI laws  

The growing problem of fraudulent tax returns being submitted based on stolen identities is a “tsunami of fraud,” and victims, lawmakers, and law enforcement are struggling with how to deal with the fallout. The issues surrounding identity theft-based tax fraud are complex. Current IRS efforts to stem the tide involve pouring resources into assisting victims, updating IRS processes to detect and prevent refund fraud, and increasing the number of criminal investigations and prosecutions it pursues. The IRS’s approach and pending proposed legislation are not enough to address the problems created by identity theft-based tax fraud. This article argues the IRS and Congress must use a holistic approach to attack this species of tax fraud. To that end, this article supports enhanced criminal penalties and proposes new civil tax penalties aimed specifically at identity theft tax fraud.

UK cops tell suspect to hand over crypto keys in US hacking case Ars Technica March 31, 2016 At a court hearing earlier this month, the UK's National Crime Authority (NCA) demanded that Lauri Love, a British computer scientist who allegedly broke into US government networks and caused "millions of dollars in damage," decrypt his laptop and other devices impounded by the NCA in 2013, leading some experts to warn that a decision in the government's favor could set a worrisome precedent for journalists and whistleblowers. Arrested in 2013 for the alleged intrusions but subsequently released, Love was re-arrested in 2015 and is currently fighting extradition to the United States. He has so far refused to comply with a Section 49 RIPA notice to decrypt the devices, a refusal that carries potential jail time. However, British authorities have not charged Love with any crime, leading him to counter-sue in civil court for the return of his devices.

Blogging can be dangerous to your livelihood—or at least it can at Marquette University, where a professor may lose his job for expressing the wrong political views.
In November 2014 an undergraduate approached philosophy instructor and PhD candidate Cheryl Abbate, after a class on John Rawls’ theory of equal liberty. The student said he objected to her suggestions during the class that same-sex marriage isn’t open for debate and that “everyone agrees on this.”
Unknown to Ms. Abbate, the student recorded the exchange on his cell phone. During the conversation, she told him “there are some opinions that are not appropriate, that are harmful, such as racist opinions, sexist opinions” and if someone in the class was homosexual, “don’t you think that that would be offensive to them if you were to raise your hand and challenge this?”

A lawsuit filed last week said a hacker targeted the email of Malcolm Morris, dean of Atlanta's John Marshall Law School, and circulated the contents of a confidential report dealing with a "shouting match" between an associate and assistant dean that erupted last year.

Audit Reveals IRS Struggles to Implement Security Controls Gov Info Security March 28, 2016 The Internal Revenue Service continues to struggle to implement proper security controls to protect taxpayers' data, a new audit from the Government Accountability Office reveals.
Until the IRS takes appropriate steps to resolve control deficiencies, taxpayer data will remain "unnecessarily vulnerable" to inappropriate use, says Gregory Wilshusen, GAO director of information security issues and co-author of the audit report, which was published March 28.
The audit uncovered IRS's failure to perform comprehensive tests and evaluations of its information security controls. "This is vitally important because this control helps IRS to identify vulnerabilities that they can take action on," Wilshusen says. "But in comparing our test and the result from our procedures, we found a number of vulnerabilities to IRS systems that IRS did not identify and was unaware of."
Past Weaknesses Not 'Effectively Corrected'

In its new audit, GAO says the IRS claimed it had corrected previously identified control weaknesses in 28 cases, but in nine of those instances, auditors determined they were not "effectively corrected." GAO, in the audit, also points out weaknesses in IRS password controls. The auditors say the tax agency used passwords on a number of servers that could be easily guessed. On some servers, password expiration dates were not set. None of the 112 mainframe service accounts was configured to require a password change. As a result of these weaknesses, GAO says the IRS had reduced ability to control who was accessing its systems and data.
The audit also reveals that unpatched and outdated software exposed IRS to known vulnerabilities.
Wilshusen says some of the IRS's policies and procedures no longer reflected its current computing environment and systems security plans. "So, this increases the risk that the controls in place may not be appropriate, given the current environment."


March 31, 2016

Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter – though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit. Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added. “We are, and have been, working continuously ... to detect and close any possible vulnerability,” State Department spokesman John Kirby said in a statement to ABC News. After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database – the government’s so-called “backbone” for vetting travelers to and from the United States – was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.


March 28, 2016
The FBI is asking businesses and software security experts for emergency assistance in its investigation into a pernicious new type of "ransomware" virus used by hackers for extortion. "We need your help!" the Federal Bureau of Investigation said in a confidential "Flash" advisory that was dated March 25 and obtained by Reuters over the weekend. Ransomware is malicious software that encrypts a victim's data so they cannot gain access to it on their computers, then offers to unlock the system in exchange for payment.  

The Wall Street Journal

March 29, 2016
Hackers broke into the computer networks at some of the country’s most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations.  

Russ Fox, Bozo Tax Tip #9 1/2: 300 Million Witnesses Can’t Be Right! “For a tax blogger, people like Richard Hatch are wonderful.”


April 7, 2016

The Homeland Security Department's efforts to connect with Silicon Valley startups could help it protect the Internet of Things, an official said Wednesday. “Right now, the Internet of Things is taking off," Reginald Brothers, DHS’ undersecretary for Science and Technology, said during a Senate hearing on the agency's budget. 


April 5, 2016
The top watchdogs in the House demanded to know Tuesday why a personal laptop taken from a federal building in Washington state was used to conduct child-support audits, especially because it and other stolen hard drives may have contained millions of names and Social Security numbers.  

April 7, 2016
Federal investigators found significant cybersecurity weaknesses in the health insurance websites of California, Kentucky and Vermont that could enable hackers to get their hands on sensitive personal information about hundreds of thousands of people, The Associated Press has learned.