Tuesday, May 24, 2016

ID Crime: Collection, Use, and Retention of Publicly Available Social Media Information

A gentle reminder that even life’s stormiest spells eventually come to pass, and although we can’t will them away, we can surrender to the credence that the unclouded blue skies will return.

"Never send your credit card number, Social Security number, bank account number, driver's license number, or similar details in an email, which is generally not secure. Think of email as a paper postcard — people can see what's written on it if they try hard enough. Be suspicious of any company that asks for this type of information in an email or instant message. Most legitimate companies will never ask you to confirm sensitive data in an online form or in an email; instead, they'll use postal mail to request this information." - Yahoo Safety Center (How can I prevent identity theft?) Twitter: @Yahoo 

Kay Bell, Milwaukee Bucks’ tax data stolen in phishing scam. “The National Basketball Association team is the latest victim of an email phishing scam in which crooks pose as corporate executives and ask payroll offices for employees’ financial and tax information.”

Hacker Site Removes 117 Million LinkedIn Passwords After Legal Threat

Kay Bell, House passes tougher tax identity theft bill. “Rep. Jim Renacci (R-Ohio) introduced the Stolen Identity Refund Fraud Prevention Act of 2016 last year after he became a tax identity theft victim.”

TaxGrrrl, House Passes Bill Aimed At Assisting Victims of Identity Theft Tax Fraud.

"What Does the Supreme Court Think About Celebrities Being Photoshopped Naked? Yes, that question could come up if the high court agrees to the NCAA's petition to review its dispute with athletes over compensation." Eriq Gardner has this post today at the "THR, Esq." blog of The Hollywood Reporter.

The Energy and Commerce Committee next week will be briefed by U.S. wireless operators on a security vulnerability in the global cellphone network that experts say may have allowed other countries to eavesdrop on officials’ private conversations.

Management Report: Improvements Are Needed to Enhance the Internal Revenue Service’s Internal Control over Financial Reporting, GAO-16-457R: Published: May 18, 2016

Needed: More Snowdens – Ex-intel analyst USA Today

Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities: These concerns are prompting some Americans to limit their online activity, according to data collected for NTIA in July 2015 by the U.S. Census Bureau. This survey included several privacy and security questions, which were asked of more than 41,000 households that reported having at least one Internet user.

Collection, Use, and Retention of Publicly Available Social Media Information in Personnel Security Background Investigations and Adjudications, Security Executive Agent Directive 5, May 12, 2016.
“…Social media: Websites, applications, and web-based tools that allow the creation and exchange of user-generated content. Through social media, people or groups can engage in dialogue, interact, and create, organize, edit, comment on, combine, and share content.”

National Australia Bank, Westpac Banking Corp and Qantas have taken stakes in Data Republic, a Sydney-based start-up that has designed a platform which allows companies and government to exchange data in a secure environment Data Republic

MANAGEMENT ALERT REPORT: GSA Data Breach JE16-004 May 12, 2016
“During the course of an ongoing evaluation, the OIG Office of Inspections and Forensic Auditing identified an issue that warrants immediate attention. Due to authorizations enabled by GSA 18F staff, over 100 GSA Google Drives were reportedly accessible by users both inside and outside of GSA during a five month period, potentially exposing sensitive content such as personally identifiable information and contractor proprietary information. The purpose of this alert is to bring this matter to management’s attention to ensure further vulnerabilities are appropriately mitigated and secured…”

A cargo plane crashed into an apartment building near Amsterdam; 193 people were asked whether they had seen television footage of the plane striking the building. In fact, the crash had not been captured on film. Nevertheless, 55% claimed to have seen it on television. Two thirds of a group of law students claimed to have seen this crash footage, and some of them provided details about what they had seen. Evidence

CIA ‘Accidentally’ Deletes Senate Torture Report Charles Pierce, Esquire

The ANAO has made three recommendations aimed at achieving compliance with mandated strategies in the Australian Government Information Security Manual. Cyber Resilience

Congressional gridlock can usually be blamed on stubborn representatives and senators. But a new string of ransomware attacks on the House of Representatives could stall legislation more effectively than party infighting or a filibuster. In an email provided to TechCrunch, the House technology service desk warned representatives of increased ransomware attacks on the House network. The email warns that attackers are focusing their efforts on third-party email apps, like YahooMail and Gmail, and tells representatives that access to YahooMail will be blocked on House networks. “When a user clicks on the link in the attack e-mail, the malware encrypts all files on that computer, including shared files, making them unusable until a ‘ransom’ is paid. The recent attacks have focused on using .js files attached as zip files to e-mail that appear to come from known senders,” the email notes.

Terrorist or pedophile? This start-up says it can out secrets by analyzing faces Washington Post 

Readers trust fact-checkers more than traditional media but not blindly, new study finds

The Homeland Security Department is warning that an error in widely used office software is giving hackers free rein over networks. The product maker, SAP, notified customers of a fix years ago, but organizations that have been hacked as recently as this year did not update their software, according to the alert from the U.S. Computer Emergency Readiness Team. The software "contains a vulnerability that was patched by SAP in 2010. However, the vulnerability continues to affect outdated and misconfigured SAP systems," states the May 11 U.S.-CERT alert. Homeland Security cites research by Onapsis, a security provider for SAP, which detected in early 2016 "indicators" of attacks on the SAP business applications of 36 organizations worldwide. The victims, who are not named, include multinational enterprises and government agencies operating in the United States, U.K., Germany, China, India, Japan and South Korea.

TalkTalk profits more than halved following a cyber-attack in which the personal details of thousands of customers were hacked. The telecoms company was hit with £42m in costs when almost 157,000 customers were affected by the attack in October last year. Almost one in 10 of those customers had their bank account numbers and sort codes accessed. Pre-tax profit fell to £14m in the year to 31 March, from £32m a year earlier. 

A judge has refused a request by the UK's National Crime Agency (NCA) to require Lauri Love, a British citizen who is accused of hacking into US computers, to hand over his encryption keys as part of a civil claim. The Courage Foundation, which supports whistleblowers around the world, called Tuesday's ruling a "Victory for all who use encryption in the UK." The case concerns the computer scientist and activist Lauri Love, whom the US authorities wish to extradite in connection with alleged hacking of US government computers.

Cisco Systems Inc., the biggest maker of networking equipment, was ordered by a jury to pay more than $23.5 million to a nonprofit research center for infringing network-surveillance patents designed to identify hacking attacks on computer systems. Jurors in federal court in Wilmington, Delaware, concluded Thursday that San Jose, California-based Cisco used technology owned by SRI International, the former research arm of Stanford University, without permission. The panel rejected Cisco’s arguments that it didn’t infringe or that the two at-issue patents weren’t valid. Officials of Menlo Park, California-based SRI sought more than $50 million in damages for Cisco’s unauthorized use of the patented technology, which allows computers to automatically detect and record suspicious activity on networks.

A website that openly facilitated the brokering of compromised passwords, stolen bitcoins, and other sensitive data has been hacked, exposing login data, IP addresses, e-mail addresses, purchase histories, and private messages for some 500,000 members. Nulled.io, a hacker forum that used the tagline "expect the unexpected," was compromised earlier this month in a hack that exposed virtually all of the private data associated with it, security researchers said. As of publication time, more than a week later, the resulting 1.3 gigabyte compressed archive file remained available on a popular data breach sharing site on the clear Web. It was easily accessible to anyone, including hacking victims, fellow hackers, and law enforcement agents. The dump was discovered by analysis firm Risk Based Security and confirmed by Troy Hunt, operator of the have i been pwned? breach disclosure service.

Hidden Microphones Exposed As Part of Government Surveillance Program In The Bay Area CBS SFBayArea

The Independent: “The CIA inspector general’s office has said it ‘mistakenly’ destroyed its only copy of a comprehensive Senate torture report, despite lawyers for the Justice Department assuring a federal judge that copies of the documents were being preserved. The erasure of the document by the spy agency’s internal watchdog was deemed an ‘inadvertent’ foul-up by the inspector general, according to Yahoo News. One intelligence community source told Yahoo News, which first reported the development, that last summer CIA inspector general officials deleted an uploaded computer file with the report and then accidentally destroyed a disk that also contained the document. The 6,700-page report contains thousands of secret files about the CIA’s use of ‘enhanced’ interrogation methods, including waterboarding, sleep deprivation and other aggressive interrogation techniques at ‘black site’ prisons overseas. The full version of the report remains classified, but a 500-page executive summary was released to the public in 2014…”

Vic integrity strategy using behavioural insights to help clean up
Victoria will use behavioural insights and data mining in its fight to clean up the public service, according to the Victorian Public Sector Commission’s new Integrity Strategy 2016-17.
Working with the Behavioural Insights Unit within the Department of Premier and Cabinet, the VPSC will incorporate a behavioural insights approach into relevant integrity initiatives.

Martin Hawes: Financial good behaviour
The Financial Markets Authority (FMA) has produced a report which should be required reading. Written with some help from the IRD and MBIE, the report is not, as you might expect, on some obscure part of financial regulation, but instead covers behavioural economics.
*White paper - Using behavioural insights to improve financial capability

• Evaluating the privacy properties of telephone metadata. Jonathan Mayer, Patrick Mutchler, and John C. Mitchell. Edited by Cynthia Dwork, Microsoft Research Silicon Valley, Mountain View, CA, and approved March 1, 2016 (received for review April 27, 2015). PNAS vol. 113 no. 20. doi: 10.1073/pnas.1508081113