Monday, May 23, 2016

Data Breaches: Unethical Research: Tannous Playing God At Dinner Times

INK BOTTLE: “The surest sign that a man has a genuine taste of his own is that he is uncertain of it.”
~W.H. Auden, “Reading” (from The Dyer’s Hand)

'Sinister forces' are trying to undermine MEdia Dragons in the middle of the night ;-)

“We must always take sides,” Elie Wiesel urged in his spectacular Nobel Prize acceptance speech. “Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented.” And yet part of the human tragedy is that despite our best intentions and our most ardent ideals, we often lull ourselves into neutrality in the face of injustice — be it out of fear for our own stability, or lack of confidence in our ability to make a difference, or that most poisonous foible of the soul, the two-headed snake of cynicism and apathy. How, then, do we unmoor ourselves from a passivity we so masterfully rationalize, remember that “injustice anywhere is a threat to justice everywhere,” and rise to that awareness with moral courage and imagination?

“CompTIA’s 17th annual Cyberstates is the definitive source for state-by-state analysis of the U.S. information technology industry and the tech workforce. The report quantifies the size and scope of the tech sector and tech occupations across multiple vectors, while providing context with time-series trending, economic impact, average wages, business establishment analysis, IT jobs postings, career opportunities, gender ratios, tech patents, and more. Moreover, Cyberstates helps to connect the dots with emerging trends. Cloud computing, big data, automation, IoT, cybersecurity, and social technologies will continue to reshape businesses large and small, driving innovation and digital business transformation across the U.S. economy. As with any sector-level report, there are varying interpretations of what constitutes the tech sector and the tech workforce. Some of this variance may be attributed to the objectives of the author. Is the goal to depict the broadest possible representation of STEM and digital economy fields, or a more narrowly defined technology subset? Is the goal to capture all possible knowledge workers, or a more narrowly defined technology subset? For the purposes of this report, CompTIA focuses on the more narrowly defined technology subset. See the methodology section for details of the specific NAICS codes and SOC codes CompTIA uses in its definitions of the tech sector and the tech workforce.”

How much is a security flaw worth? An inside look into Yahoo’s bug bounty program
Every week, the Paranoids – charged with protecting the digital security of Yahoo's more than 1 billion users – discuss one of the more mysterious parts of the cybersecurity business: How much is a security flaw worth? On a videoconference with digital security teams spanning New York to California, the Paranoids assess weekly reports from freelance security researchers who say they found flaws in Yahoo’s platforms.

National Australia Bank, Westpac Banking Corp and Qantas have taken stakes in Data Republic, a Sydney-based start-up that has designed a platform which allows companies and government to exchange data in a secure environment. Data Republic

The Ukrainian Hacker Who Became the FBI’s Best Weapon—And Worst Nightmare
One Thursday in January 2001, Maksym Igor Popov, a 20-year-old Ukrainian man, walked nervously through the doors of the United States embassy in London.

Thieves have again found their way into what was thought to be the most secure financial messaging system in the world and stolen money from a bank. The crime appears to be part of a broad online attack on global banking. New details about a second attack involving Swift — the messaging system used by thousands of banks and companies to move money around the world — are emerging as investigators are still trying to solve the $81 million heist from the central bank of Bangladesh in February. In that theft, the attackers were able to compel the Federal Reserve Bank of New York to move money to accounts in the Philippines. The second attack involves a commercial bank, which Swift declined to identify.

Unethical Research: How to Create a Malevolent Artificial Intelligence, Federico Pistono, Roman V. Yampolskiy (Submitted on 10 May 2016)
“Cybersecurity research involves publishing papers about malicious exploits as much as publishing information on how to design tools to protect cyber-infrastructure. It is this information exchange between ethical hackers and security experts, which results in a well-balanced cyber-ecosystem.”

Chronicle of Higher Education – May 13, 2016 – “We are on the verge of becoming the best trained, and least educated, society since the Romans — and reducing the humanities to a type of soft science will only hasten this trend. As the sciences rightly grow, a free society must ensure that criticism of the sciences grows apace. Effective criticism depends on distance, in this case on an unshakeable difference, between the humanities and the STEM fields.”

Washington Post: “In yet another example of fragile security in federal cyber systems, data for 44,000 Federal Deposit Insurance Corp. customers were breached by an employee leaving the agency. The breach occurred in February and was outlined in an internal FDIC memorandum obtained by The Washington Post. The March 18 memo from Lawrence Gross Jr., FDIC’s chief information officer and chief privacy officer, to FDIC Chairman Martin J. Gruenberg said the data were downloaded to a personal storage device ‘inadvertently and without malicious intent.’”

Verizon's annual report into data breaches has triggered an avalanche of criticism that the company made critical errors when studying the most frequently exploited software vulnerabilities. The 2016 Data Breach Investigations report, released on April 27, is considered one of the most comprehensive annual guides on data breach trends, compiling data contributed by a wide range of computer security companies, law enforcement and government agencies. It also draws on more than 3,100 confirmed data breaches, an impressive sampling of attacks.

Facebook has arranged for hundreds of kids, from middle-school age up, to play a hacking game it’s developed—because it’s having trouble recruiting for security roles. The company has been arranging competitions using the tool for years, but May 11, it open-sourced the game in the hope of exposing more people—including kids, the Facebookers of the future—to the skills involved in cybersecurity work. “A software engineer job gets filled in a month,” said Javier Marcos, a security engineer at Facebook.

Via the Washington Post – a copy of the heretofore confidential IG Investigation of FDIC Division of Information Technology – May 24, 2013.
Washington Post: “The Federal Deposit Insurance Corp. on Monday retroactively reported to Congress that five additional ‘major incidents’ of data breaches have occurred since Oct. 30. FDIC also is launching ‘a new initiative to enhance security.’ The incidents involved the breach of taxpayers’ personally identifiable information, The Washington Post has learned. In each case, employees with legitimate access to the information were leaving the agency when they inadvertently downloaded the data along with personal files. The individuals involved provided affidavits saying the data was not shared. FDIC considers these to be low-risk cases, but they each meet the threshold of 10,000 records inappropriately exposed. They are being retroactively reported now because the cases were closed before an FDIC Office of Inspector General decision in February to define ‘major incident’ as one that involves at least 10,000 records…”
Federal News Radio: “A leading technology official in the House says a former Federal Deposit Insurance Corporation employee inadvertently triggered a major cyber breach that compromised 44,000 customers’ data. Rep. Lamar Smith (R-Texas), chairman of the Science, Space, and Technology Committee, says a former FDIC employee breached the information of 44,000 FDIC customers more than a month ago. In an April 8 letter obtained by Federal News Radio, Smith said a departing FDIC employee was transferring files from an office computer onto a personal storage device and “inadvertently” copied sensitive customer data from more than 44,000 individuals. The employee left the agency on Feb. 26, but the agency realized the data was taken three days later. FDIC officials retrieved the device on March 1. Smith called the lapse in security “troubling,” and requested a briefing on the situation from FDIC once more information is available…”
Statement of Acting IG Before the Committee on Science, Space, and Technology Subcommittee on Oversight, U.S. House of Representatives on Cybersecurity Incidents at the Federal Deposit Insurance Corporation May 12, 2016.

UK banks are failing to take cyber crime seriously, warns report
The UK financial sector is failing to take cyber crime seriously enough, a report will say on Tuesday, recommending that companies share more information while calling for tax breaks to boost investment in cyber defences. The financial services industry is “the perfect target” for cyber attack, warns the report from lobby group TheCityUK, presenting the results of a six-month review of cyber security in the sector. Underlining the threat to banks from hackers, the Swift global payments system warned last week that it had discovered a second case of a bank being robbed using similar methods to the record digital theft at the Bangladesh central bank in February.

There is a difference of opinion within the federal government about what counts as a "major" data breach. The debate over the breadth and depth of the adjective is more than semantic.

More than a year after a hack of Office of Personnel Management systems compromised more than 22 million records, the agency has not been able to encrypt all the sensitive data on 4 million federal employees, including Social Security numbers.

The Homeland Security Department is under the gun to collect massive amounts of data about threats to the nation's physical and network infrastructure, according to contracting documents. To meet a June 1 deadline to come up with an aggregation strategy, DHS has awarded a contract to Sunesis Consulting LLC without holding a competition, a sole-source justification states.

The contractor responsible for the hacked Office of Personnel Management’s major IT overhaul is now in financial disarray and no longer working on the project. OPM awarded the Arlington, Virginia-based Imperatis Corporation a sole-source contract in June 2014 as part of an initial $20 million effort to harden OPM’s cyber defenses, after agency officials discovered an intrusion into the agency’s network. In the past week, however, Imperatis ceased operations on the contract, citing “financial distress,” an OPM spokesman confirmed to Nextgov. After Imperatis employees failed to show up for work May 9, OPM terminated Imperatis’ contract for nonperformance and defaulting on its contract. “DHS and OPM are currently assessing the operational effect of the situation and expect there to be very little impact on current OPM operations,” OPM spokesman Sam Schumach said in a statement to Nextgov. Schumach said OPM had been planning for performance on the contract to end in June 2016.

Foreign hackers are going after the wonks. Cyber criminals are targeting policy groups and nongovernmental organizations to get a leg up on U.S. government strategy, according to an executive at cybersecurity company CrowdStrike Inc. Such "nation-state" hackers, often tied to governments including China or Russia, want advanced intelligence on U.S. policy, said Shawn Henry, chief security officer of the Irvine, California-based company. "They want to know what the thought leaders in the United States are considering, what they’re debating,” Henry, who oversaw the FBI’s global cyber investigations before retiring in 2012, said in an interview in Arlington, Virginia. "They’re looking for how policy is being designed. They’re looking at how senior leaders or former senior leaders are advising existing senior leaders -- what the emerging issues are, how the U.S. government is going to implement certain strategy." While Henry wouldn’t provide specifics on targets, Washington has many so-called think tanks and interest groups staffed by former government officials and analysts who stay in close touch with current policy makers.

Data purportedly belonging to five South Asian banks was apparently posted online May 10 by the Turkish hacking group Bozkurtlar that recently also leaked data tied to Qatar National Bank and UAE's InvestBank. The latest banks whose data has been posted online include the Dutch Bangla Bank, The City Bank and Trust Bank, all based in Dhaka, Bangladesh; and two Nepalese banks, Business Universal Development Bank and Sanima Bank, both based in Kathmandu, Nepal. Links to the file archives containing data from all the banks have been posted from a Twitter account supposedly operated by Turkish hacking group "Bozkurtlar" - or "Grey Wolves." The group appears to be making good on their threat to release data of more Asian banks - an indication that more such disclosures may be expected in the region, in the near future.

Russian intelligence agencies were probably responsible for a massive cyber attack on Germany's lower house of parliament last year which forced its computer systems to be shut down for days, Germany's domestic intelligence agency said on Friday. The agency, known as the Federal Office for the Protection of the Constitution (BfV), said a hacker group known as "Sofacy" was behind the attack. "The BfV has indications that it is being steered by the Russian state and has been monitoring it for years," the agency said in a statement. The unusually strong comments come at a time when relations between Berlin and Moscow have sunk to their lowest point since the end of the Cold War following Russia's annexation of Ukraine's Crimea and its intervention in Syria. Hans-Georg Maassen, president of the BfV, said that government, corporate and educational facilities in Germany were under "permanent threat", with critical infrastructure in areas like energy and telecommunications in particular focus.

Commercial Bank of Ceylon, based in Colombo, Sri Lanka, has apparently been hacked, with its data posted online May 12 by the Bozkurtlar hacking group, which has also posted seven other data dumps from banks in the Middle East and Asia since April 26. The group, believed to have Turkish ties, released data from five South Asian banks on May 10. It also dumped data online from UAE-based InvestBank on May 7 and data from Qatar National Bank on April 26.

Inside the detectives' world of conmen and murderers (Inside Story)