Wednesday, June 08, 2016

The Merit Principles: Insurers push for creation of cyber attack database - Beyond Panama

If silos are a fact of life, governments can focus on developing people who can work across them and link up different teams. New research has identified the skills and attributes of an effective boundary spanner...
*Boundary spanners’ key to breaking organisational silos

Have your people call your people. An attorney for Prairie Meadows Racetrack and Casino, Marcus Owens, tells Tax Analysts (free link) that the IRS decision to revoke its Sec. 501(c)(4) tax exemption may be just because IRS people no longer talk to each other.

Cara Griffith, Off the Record, on Background, and Closed Events: A Bias Against Being on the Record? (Tax Analysts Blog). Cockroaches, politicians and bureaucrats all prefer to work in darkness.

Preventing bureaucrats from peddling public offices for private gain is worth the 'red tape'. The report recognises that this principle is important "to guard against patronage, bias and any other influence, through competitive entry". But it is very critical of how the principle is implemented. In particular, the report refers to a number of "myths" about the merit principle, for example that it requires complex selection criteria, mandatory interviews and reference checks, and specification of classification levels. The Merit Principles (currently, a denial is in order of any existing inner circle of resume boy and girl clubs of this category - you scratch my back ... ;-)

Speaking of resumes on The Merit Principles, Meryl Streep plays Donald Trump: further proving she is an absolute goddess and there is nothing she cannot do, Meryl Streep just added Donald Trump to her acting resume. Watch Meryl Streep play Donald Duck

If you like legal and political mysteries of the Sydney underbelly and lots and lots of questions, but don't care about satisfying answers to those questions, ABC's Rake is basically the best drama of all time. Not so garden variety, Rake features searing performances, a droll sense of parliamentary bear-pit humour, slick MEdiaDragon exchanges pregnant with triple meanings, brilliant writing, engrossing Phillip Street plot-lines, and a Shakespearean Richard Roxburgh who chews the face off the scenery. Like the earlier series, the latest feast for the eyes on the viewing menu is phenomenal ... Rake, Richard Roxburgh as Charles Waterstreet, merits worldwide viewing, as both men have strong links to Albury, a border town filled with ghosts Down Under.

An email message does not resemble a letter sent through the Post Office. The text is not enclosed in an envelope. It is more akin to a postcard, albeit much faster and cheaper, where the text is open for all who handle it to see and read. It is also similar to the old-fashioned telegram, the text of which passed through many operators' hands. If the sender intends the content to be secret or private then it would be sensible to use a code or avoid email. In practice "a code" means end-to-end encryption such as PGP or S/MIME: the TLS that many providers now negotiate between mail servers protects each hop in transit, not the message sitting in every mailbox and relay along the way. He Said-She Said Controversy Over Who Discovered the OPM Hack Is Apparently Solved

Mark Zuckerberg’s password was ‘dadada’. What hope do the rest of us have? Telegraph

IT Dashboard: Agencies Need to Fully Consider Risks When Rating Their Major Investments, GAO-16-494: Published: Jun 2, 2016. Publicly Released: Jun 2, 2016. “Agencies determined investments’ Chief Information Officer (CIO) ratings using a variety of processes, which included the Office of Management and Budget’s (OMB) six suggested factors (including risk management, requirements management, and historical performance). Specifically, all 17 selected agencies incorporated at least two of OMB’s factors into their risk rating processes and 9 used all of the factors. However, agencies’ interpretations of these factors varied. For example, most agencies considered active risks, such as funding cuts or staffing changes, when rating investments, but others only evaluated compliance with the agency’s risk management processes. Further, 13 agencies required monthly updates to CIO ratings as does OMB (as of June 2015), 1 agency scheduled its reviews based on risk, and 3 agencies required updates less often than on a monthly basis. GAO’s assessments generally showed more risk than the associated CIO ratings. In particular, of the 95 investments assessed, GAO’s assessments matched the CIO ratings 22 times, showed more risk 60 times, and showed less risk 13 times…”

I don't think I'd sign up for the Yara Greyjoy School of Life Coaching. I'm not sure that "You're Iron Born, I know you've had some bad years but ..." and "If you're really broken then you should kill yourself" counts as great advice:
"The real war isn't between a few squabbling houses. It's between the living and the dead and make no mistake, my lady, the dead are coming." Via Cold River and Game of Thrones.

The two members of Congress with degrees in computer science are urging their fellow legislators to be a little more conscientious about their personal and professional cybersecurity. In a "dear colleagues" letter, Reps. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) credited the House CIO with working "to protect our offices from millions of cyberattacks every year" but also noted that members could make the CIO's job easier with a little good cyber housekeeping. The pair asked lawmakers to create strong passwords, use two-factor authentication on web tools such as social media and email, take advantage of strong encryption on voice and data applications, beware of untrustworthy Wi-Fi networks and install antivirus software. Additionally, they urged members to routinely back up their data to render it less vulnerable to ransomware attacks.

New Attack Extracts Cryptographic Keys from a Computer’s Emanated Sounds Communications of the ACM

User accounts for dating site Badoo are being traded in the digital underground, including email address, cracked passwords, names, and dates of birth. Paid subscription-based breach monitoring site 'Leaked Source' uploaded the dataset on Thursday. Other sources known to Motherboard have also obtained the data. “With over 313m users, Badoo is great for chatting, making friends, sharing interests, and even dating!” reads Badoo's website. Leaked Source provided three chunks of data to Motherboard, each containing 10,000 records. Out of 100 accounts tested across the three samples, 54 were linked to an active account on Badoo, while 23 indicated that an account had been created, but that the user had not completed registration by clicking the confirmation link emailed to them.

The Secretive World of Selling Data About You Newsweek 

Reddit on Thursday alerted its community that it has sent out more than 100,000 password-reset notices over the past two weeks. Though Reddit itself hasn't been hacked, it decided to act after seeing an uptick in account takeovers by malicious or "(at best spammy) third parties," the company said in a post. In the post, Reddit refers to millions of passwords being dumped on the hacker market. That includes a Russian hacker who traded 272 million passwords for social media "likes," and the fallout from the LinkedIn data breach in 2012.

The head of the Association of British Insurers has called on the government to create a database where companies would have to record details of cyber attacks. Cyber threats are a growing worry for UK business, and demand for insurance to cover the costs is rising. But some insurers are nervous about offering cover because of a lack of information about the attacks that are taking place. “We have 350 years of fire data and 100 years of motor and aviation data, but we have just a few years of cyber data,” said Huw Evans, ABI director-general, speaking to the Financial Times. “How do you build a business model in such a data light environment? Nothing scares an insurer more than a lack of data.” A database, he argued, would solve the problem. “If it is not mandatory to report these things, then insurers are not going to have the data they need to provide the right cover. It would have to be mandated by parliament, but it would need to be proportionate and manageable.”

Imagine a criminal breaks into your home but doesn't steal anything or cause any damage. Instead, they photograph your personal belongings and valuables and later that day hand-deliver a letter with those pictures and a message: "Pay me a large sum of cash now, and I will tell you how I got in.” Cybercriminals are doing the equivalent of just that: Hacking into corporations to shake down businesses for upward of $30,000 when they find vulnerabilities, a new report from IBM Security revealed. The firm has traced more than 30 cases over the past year across all industries, and at least one company has paid up. One case involved a large retailer with an e-commerce presence, said John Kuhn, senior threat researcher at IBM Security.

Several state officials came to Capitol Hill on May 24 to discuss their cybersecurity challenges and provide Congress with insights into their practices and successes. Like their federal counterparts, state cybersecurity teams are challenged by the velocity and variety of threats, which are growing in sophistication, Connecticut CIO Mark Raymond told a joint House Homeland Security subcommittee panel. "The top three are malicious code, hacktivism and zero-day attacks." One way to address those threats is through automated cybersecurity solutions, which can help in two ways, said Raymond, who also serves as the vice president of the National Association of State CIOs. They can act on threat data at machine speed, and they can help reduce demands on government security staff, which are already in short supply. Uneven software quality also puts strain on cybersecurity teams, according to retired Brig. Gen. Steven Spano, who now runs the Center for Internet Security. He acknowledged that for software vendors "to get the speed and agility" they need to compete, beta releases are inevitable. Yet "many of the software products are coming out of the box with inherent vulnerabilities ... and require a lot of lift" to sustain them, he said.

Federal Chief Information Officer Tony Scott used a congressional hearing Wednesday on the government’s outdated technology to argue for legislation that would create a $3.1 billion modernization fund agencies could borrow against to upgrade their most critical systems. Some of the government’s oldest technology, revealed in a Government Accountability Office investigation and first reported by Nextgov, clearly flummoxed committee members and appeared to bolster Scott’s arguments for the fund. House Oversight and Government Reform Committee Chairman Jason Chaffetz, R-Utah, displayed an 8-inch floppy disk before the committee, marveling that 1970s era hardware is still used in the Defense Department systems that coordinate operations of the United States nuclear forces. The dismay at the age of some of the critical systems that house everything from taxpayer data to benefits claims was bipartisan, with members of both parties, including Gerry Connolly, D-Va., acknowledging the government’s current technology trajectory is risky at best. Scott said he believes the IT modernization fund is the answer. “This is the best we can think of moving forward,” Scott told members of the committee.

The head of Austrian aerospace parts maker FACC has been fired after the company was hit by a cyber fraud that cost it 42 million euros ($47 million). The firm's supervisory board decided at a 14-hour meeting on Tuesday to dismiss CEO Walter Stephan with "immediate effect", the company said on Wednesday. FACC, whose customers include Airbus and Boeing, said on Jan. 19 it had been hit by a cyber fraud in which hackers stole around 50 million euros by posing as Stephan in an email. The hoax email asked an employee to transfer money to an account for a fake acquisition project - a kind of scam known as a "fake president incident". "The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular in relation to the 'fake president incident'," FACC said. A message of this kind rarely needs to break anything: either the display name is the CEO's while the address belongs to a lookalike or free-mail domain, or the real domain is spoofed outright where SPF, DKIM and DMARC are not enforced. Email authentication covers the second case; the control that covers both is an out-of-band confirmation, on a known phone number, of any new payee or unusual transfer, whatever the email says about urgency or secrecy.
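One cheap layer that would have flagged the message described above is a mail-gateway heuristic for display-name and lookalike-domain abuse. What follows is an added illustration, not FACC's or any vendor's code: the company domain, the executive list, the similarity threshold and the three sample messages are constructed for the demonstration (the name Walter Stephan comes from the news item above; the addresses do not).

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Added illustration of a 'fake president' (CEO fraud) triage heuristic.
# Not FACC's tooling: the domain, executive list, threshold and the sample
# messages below are all constructed for the demonstration.
CORPORATE_DOMAIN = "example.com"                               # assumed domain
EXECUTIVES = {"walter stephan": "walter.stephan@example.com"}  # hypothetical
PAYMENT_WORDS = ("transfer", "wire", "acquisition", "urgent", "confidential")
LOOKALIKE_RATIO = 0.8                                          # assumed cut-off


def normalise_name(display):
    """Lower-case, drop dots, turn 'Last, First' into 'first last'."""
    display = display.lower().replace(".", " ")
    if "," in display:
        last, first = display.split(",", 1)
        display = first + " " + last
    return " ".join(display.split())


def mail_domain(address):
    return address.lower().rsplit("@", 1)[-1] if "@" in address else ""


def is_lookalike(domain, reference=CORPORATE_DOMAIN):
    """True for a domain that is not ours but visually close (examp1e.com)."""
    if not domain or domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= LOOKALIKE_RATIO


def assess(msg):
    """Return the reasons a message looks like CEO fraud; empty list means clean.

    msg is a dict with 'from', optional 'reply-to', 'subject' and 'body'.
    """
    reasons = []
    display, address = parseaddr(msg.get("from", ""))
    address = address.lower()
    domain = mail_domain(address)

    # 1. Executive's display name, but not the address we know for them.
    known = EXECUTIVES.get(normalise_name(display))
    if known and address != known:
        reasons.append(f"display name '{display}' but address is {address}, not {known}")

    # 2. Sender domain that imitates ours.
    if is_lookalike(domain):
        reasons.append(f"sender domain {domain} is a lookalike of {CORPORATE_DOMAIN}")

    # 3. Reply-To steering answers away from the sender's own domain.
    _, reply_to = parseaddr(msg.get("reply-to", ""))
    if reply_to and mail_domain(reply_to) != domain:
        reasons.append(f"reply-to {reply_to.lower()} does not match sender domain")

    # 4. Payment language only escalates a sender that is already suspicious.
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if reasons and hits:
        reasons.append("payment language: " + ", ".join(hits))
    return reasons


# Constructed sample traffic (not real FACC mail).
SAMPLE_MESSAGES = {
    "legit": {
        "from": "Walter Stephan <walter.stephan@example.com>",
        "subject": "Board agenda",
        "body": "Please circulate the agenda for Thursday.",
    },
    "lookalike": {
        "from": "Walter Stephan <walter.stephan@examp1e.com>",
        "reply-to": "walter.stephan@examp1e.com",
        "subject": "Urgent and confidential: acquisition",
        "body": "Please wire the deposit today. Do not discuss with anyone.",
    },
    "webmail": {
        "from": "Stephan, Walter <ceo.walter.stephan@mail.example.net>",
        "reply-to": "accounts@pay.example.org",
        "subject": "Quick transfer needed",
        "body": "I am in a meeting, handle this quietly.",
    },
}


def triage(messages=SAMPLE_MESSAGES):
    """Map each message id to its list of reasons (empty when clean)."""
    return {name: assess(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{name}: {'clean' if not reasons else '; '.join(reasons)}")
```

The heuristic deliberately does not try to judge the exact-domain spoof, where the From address really is the corporate one; that is what SPF, DKIM and DMARC enforcement are for. Nor does any gateway rule replace the control that actually stops the loss, a call-back on a known number before a new or unusual payment goes out.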

FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards. The FBI's Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to the USB phone chargers that are nearly ubiquitous in homes and offices. "If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen." The practical defences are mundane: a wired keyboard for anything sensitive, wireless keyboards that use a real cipher rather than the XOR scheme keyed on the keyboard's own address that made the affected Microsoft models readable, and a habit of treating unexplained chargers and dongles in shared spaces as untrusted hardware.

UK government details plans for National Cyber Security Centre

Neither Australia nor New Zealand has laws requiring organizations to notify people affected by data breaches, but officials in both countries are reviewing proposals and plan to introduce related legislation. Regulators in both countries now generally encourage organizations to report breaches depending on the type of information released and the potential impact. But what constitutes a serious breach could be open to interpretation - a gap that both nations hope to close with new legislation.

In an age when spies carefully hide their tracks through layers of obfuscation and proxy servers, locating the perpetrators of online surveillance is often nearly impossible. But the victims of these spying campaigns can sometimes be easier to place. And one open-source initiative has set out to map cases where state-sponsored malware campaigns target members of civil society, in an effort to show how governments use digital intrusions to control and disrupt their enemies around the globe. An informal group of security researchers calling themselves the Digital Freedom Alliance this week launched a collaborative software project to aggregate and map out government hackers' attacks against journalists, activists, lawyers and NGOs around the world. The project, whose code is hosted on GitHub, collects data about state-sponsored malware infections from public sources like the University of Toronto's Citizen Lab and security firms' research. It then organizes that data into a map that breaks down the attacks by date, target type, the family of malware used, and the location of the command and control server used to coordinate each malware campaign.

Nearly a year after its inspector general issued a warning about the increased risk of failure of a major IT project, the Office of Personnel Management is struggling to demonstrate it’s on the right track. The IG issued a third report May 18 on the agency’s “shell” project, highlighting why auditors are “even more concerned about the lack of disciplined capital planning processes” today than they were in June 2015. Auditors say OPM’s “shell” project, which now is referred to as infrastructure-as-a-service (IaaS), to modernize and better secure its networks still doesn’t have a full compliant Circular A-11 business case, is missing a documented analysis of alternatives and its overall funding is at risk. The IG’s report comes soon after the contractor hired to upgrade and secure its systems under the “shell” project recently went out of business. OPM terminated its contract with Imperatis May 9.
Panama Papers inquiry expected to call George Osborne as witness

Beyond Panama: Making the fight against tax avoidance more than a name and shame game

Spanish police ask Santander for documents in HSBC tax probe
Spanish court investigates 40 cases in HSBC tax probe
Police search Santander's Madrid HQ in money-laundering inquiry

Political Tax Avoidance Chokes Off Infrastructure Investment
The Tiny Malaysian Island of Labuan That Wants to Be a Tax Haven
CEO: Pfizer unlikely to pursue another offshore tax deal

Two Former Deutsche Bank Employees Indicted on Fraud Charges in Connection with Long-Running Manipulation of Libor

Another Regressive Idea: A Flat Tax And A Fair Tax -- Together

The false promise of tax haven blacklists
The British Empire's European Union: A Monstrosity Created By The City of London
Tax evasion and weapon production
European Commission says Belgium is tax haven

What you need to know about the Swiss basic income vote
UK To Close Property Developer Offshore Tax Loophole
Messi tax fraud trial: 'I knew nothing' Barcelona star says
Q&A: Why is Lionel Messi on trial over tax fraud accusations?
Introduction of secondary adjustments into the UK's domestic transfer pricing legislation

HM Revenue and Customs Brief 12 (2016): Senior Accounting Officer guidance
France seeks €356m in unpaid tax from
Cutting corporate tax won't create jobs. It's yesterday's solution to our problems