Wednesday, July 13, 2016

Eschelbeck on Cyber Wisdom: Going Dark


If you would be a real seeker after truth, you must at least once in your life doubt, as far as possible, all things.
~ René Descartes


Meet the man behind those bullshit Pokémon Go stories ... A man who identified himself as Pablo Reyes called back, confirmed the stories were fake and explained that he doesn't actually expect people to believe them. He pointed to the website's "Terms and Conditions" (visible at the bottom of the homepage to readers who scroll all the way down), which states that CartelPress is "a satirical website owned by Huzlers.com."


If you have installed an unofficial version of Pokémon Go, or are not sure if you have, seek immediate technical advice. If you installed the app from the official Android or Apple app stores, then you do not need to worry about this threat. The security researchers who discovered the malicious version of Pokémon Go have outlined how to identify an infected computer and what actions to take.

“The bad guys collaborate, so therefore why don’t we?”
“I believe quite strongly…that we are stronger together,” Steve Glynn of ANZ fame told a CEDA Digital Bytes event in Sydney last week. “And because we form part of a national critical infrastructure there’s almost a moral obligation to extend beyond our organisation and collaborate in order to improve our defences.”
He urged industry to share threat intelligence, despite potential risks, because it was “the right thing to do”. “For us to share this information, it does carry risk. But we do it. And we do it because we feel strongly that it’s the right thing to do. That if we lead, and we do that, others will respond and come up and we will be stronger as a whole as a result.”
Moral Obligation to collaborate on cyber security

French bank Crédit Mutuel Arkéa will use blockchain technology to deliver quicker and more cost-effective verification of customer identity following a successful pilot.
French bank rolls out Blockchain for Identity verification

Saba Bazargan-Forward reviews Binary Bullets: The Ethics of Cyberwarfare, by Fritz Allhoff, Adam Henschke, and Bradley Jay Strawser

Researchers Discover Tor Nodes Designed to Spy on Hidden Services. “No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of ‘infowar’ weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).”



Protect your treasures – these are the 4 things most cybercriminals want from you



One of the telephone numbers that had been repeatedly provided was 02 6100 3027

ABC on People Threatened with arrest by tax office - Phone Scammers



“It is a capital mistake to theorise before one has data.”
~ Sir Arthur Conan Doyle, “A Scandal in Bohemia”

Going Dark, Going Forward: A Primer on the Encryption Debate. This first in-depth Congressional analysis of the issue summarizes the Committee’s findings, based on more than 100 meetings and briefings Committee staff and Members have held with key stakeholders over the past year. In addition to providing insight into arguments on all sides of the encryption debate, the report lays the groundwork for a National Commission on Security and Technology Challenges proposed by Homeland Security Chairman Michael McCaul (R-TX) and Senator Mark Warner (D-VA).

LocationSafe: Granular Location Privacy for IoT Devices – Joshua Joy, Minh Le, Mario Gerla; arXiv:1606.09605v1 [cs.CR], submitted 30 June 2016

YouTube channel hacked

He Was a Hacker for the NSA and He Was Willing to Talk. I Was Willing to Listen. Intercept


Better communication between law enforcement and companies could put a dent in ransomware attacks that have been the scourge of corporate America in recent months, according to a top Justice Department official. "As long as people are handling that on their own and making payments, we're funding the development of more of these tools and more of these actors," John Carlin, assistant attorney general for national security, said June 28 at the Center for Strategic and International Studies.


More than a dozen House Democrats’ official websites have been down for days, and the contractor operating the sites told POLITICO that hackers are to blame. The websites were hit shortly after Democrats ended an overnight sit-in to press for a vote on gun control legislation. With the exception of Perlmutter, all of the affected lawmakers have contracts with a company called DCS to manage their websites.  

“The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published the Guidance on cyber resilience for financial market infrastructures (“Cyber Guidance”). This builds on an earlier version of the report that underwent a three-month public consultation. The safe and efficient operation of financial market infrastructures (FMIs) is essential to maintaining and promoting financial stability and economic growth. The Cyber Guidance aims to add momentum to and instil international consistency in the industry’s ongoing efforts to enhance its cyber resilience.”



The User-Centered Redesign of IdentityTheft.gov
DigitalGov, 1/6/16. The identitytheft.gov website has recently been redesigned using customer-centred design. The website has an extremely easy wizard to click through, and it auto-generates a “Recovery Plan” including dispute letters, steps for contacting law enforcement, placing credit freezes, and information on protecting yourself.






Since two-factor authentication became the norm for web services that care about securing your accounts, it’s started to feel like a security blanket, an extra layer keeping your data safe no matter whether your password is as strong as 8$&]$@I)9[P&4^s or as dumb as dadada.  


Researchers have encountered a denial-of-service botnet that's made up of more than 25,000 Internet-connected closed circuit TV devices. The researchers with Security firm Sucuri came across the malicious network while defending a small brick-and-mortar jewelry shop against a distributed denial-of-service attack.  


The Guardian: “Google has rolled out new tools to let users see what its ad-tracking service has learned about them, and to let users opt in or out of a new personalised ads service. The addition to Google’s account settings, called My Activity, allows users to review everything that Google has tracked about their behaviour – across search, YouTube, Chrome, Android and everything else – and edit or delete it at each step. If you use Google for everything you do, you might be surprised by just how much it catalogues about your comings and goings on the internet…”

Mr Eschelbeck, who leads a 600-strong team that protects users from hackers, spammers and spies, says the most critical step for everyone to take is to stay on top of software updates.
"The biggest compromises that have happened over the past six to nine months often happened in an un-patched device that had a security vulnerability, and the patches weren't applied fast enough," he told Fairfax Media.
"Patch often, patch quickly. It's a very good strategy to defend from cyber attacks."
How Google's head of cybersecurity Gerhard Eschelbeck protects his privacy and fights cyber criminals

Jennifer Bird-Pollan, Improving Tax Compliance in a Globalized World (Surly Subgroup)

Singapore banks examine use of Facebook IDs for transfers Financial Times. This is SO evil. So now the officialdom will be able to tie information about you together much more easily.

Where there is highly organized claims fraud, there are often found clusters of lawyers, doctors and their associates. In Las Vegas’s Medical Mafia case, “physicians who played ball are said to have been assured protection from malpractice suits from many feared attorneys, while those not in on the scheme appear in some cases to have been at extra peril.” Fraud week IV: lawyers who should know better


William Gibson, repurposing a Gertrude Stein quip, said about cyberspace “there’s no there, there” capturing the ethos of the internet as a place beyond the physical world of borders and jurisdiction.  Bitcoin melded cryptography and networked processing to attempt to make a currency that was not based in or controlled by any state.
But the internet is based on servers and fiber-optic cable and telecom switching stations that are firmly rooted in the physical world.  The cloud is made out of metal and plastic and glass. And as for Bitcoin, there increasingly is a there, there. And “there” is China. (For a quick background on Bitcoin, see this video, which explains how Bitcoin builds a payment system that replaces trust and personal allegiance with “mathematical confidence” or  this article.)
The New York Times reports how Chinese companies have come to dominate the production of Bitcoins...



The total impact of a 2015 hacker attack against cloud-based electronic health records vendor Bizmatics Inc. might not be known for months because it's still unclear how many of the company's group practice clients were affected - and how many records were compromised. 



 This week, Google security researcher Tavis Ormandy announced that he’d found numerous critical vulnerabilities in Symantec’s entire suite of anti-virus products. That’s 17 Symantec enterprise products in all, and eight Norton consumer and small-business products.



Black hats hack for espionage, crime, and disruption. White hats hack to defend, digging up security vulnerabilities so that they can be fixed. And then there are the confusing ones: hackers whose black hats are covered in the thinnest coat of white paint, or so patchwork that even they don’t seem to remember which color they’re wearing. 



It doesn't take long for compromised data to be shared across the cybercriminal underground. And when the leaking starts, it spreads like wildfire. So it was only a matter of time before data from two of the largest data breaches of all time, the attacks on MySpace and LinkedIn, became easily accessible. 



In the age of big data analytics, the proprietary algorithms web sites use to determine what data to display to visitors have the potential to illegally discriminate against users. This is particularly troublesome when it comes to employment and real estate sites, which could prevent users from having a fair crack at jobs and housing simply by failing to display certain listings to them based on their race or gender.



The Federal Deposit Insurance Corp.'s IT security controls are insufficient to the point of placing "the confidentiality, integrity, and availability of financial systems and information at risk," the Government Accountability Office said in a new report. 

Hacked Emails Reveal NATO General Plotting Against Obama on Russia Policy Intercept



A digital civil liberties group this week issued a stinging criticism of new cyber info sharing guidelines from the Department of Homeland Security. The guidance, released last week, is part of the implementation of a controversial cybersecurity law intended to boost data sharing between the government and business.
FBI source to Fox: Agents are “livid” about plane meeting-not just optics, but BCltn is possible target-witness in Foundation investigation @bretbaier

United States Courts, June 30, 2016: “The number of federal and state wiretaps terminated in 2015 increased nearly 17 percent over 2014, according to an annual report submitted to Congress by the Administrative Office of the U.S. Courts. As in previous years, drug investigations and telephone wiretaps accounted for the large majority of cases. The 2015 Wiretap Report covers intercepts—of wire, oral or electronic communications—that  were concluded between January 1, 2015, and December 31, 2015. The report does not include data on interceptions regulated by the Foreign Intelligence Surveillance Act of 1978.  A total of 4,148 wiretaps were reported in 2015, compared with 3,554 the previous year. Of those, 1,403 were authorized by federal judges, 10 percent more than in 2014, and 2,745 were authorized by state judges, an increase of 21 percent. No wiretap applications were reported as denied in 2015.”

Does myGov need a new bureaucratic supremo?

How to build an analytics-driven agency culture

Elections: Issues Related to Registering Voters and Administering Elections, GAO-16-630: Published: Jun 30, 2016

Freedom of Information Act: Department of Labor Can Improve Management of Its Program, GAO-16-248: Published: Jun 2, 2016



A German intelligence service identified some familiar cyber enemies in its annual report, released Tuesday. 


In the past two years a group of researchers in Israel has become highly adept at stealing data from air-gapped computers—those machines prized by hackers that, for security reasons, are never connected to the internet or connected to other machines that are connected to the internet, making it difficult to extract data from them. 



A hacker is advertising hundreds of thousands of alleged records from healthcare organizations on a dark web marketplace, including social security and insurance policy numbers. The data could be used for anything from getting lines of credit to opening bank accounts to carrying out loan fraud and much more, the hacker selling the data, who goes by the handle "thedarkoverlord," told Motherboard. 


Hackers have reportedly stolen $10m from a bank in Ukraine by exploiting the Swift messaging system, according to reports emerging from the region citing an independent IT monitoring organisation called the Information Systems Audit and Control Association (ISACA). 



When a police officer in Durham, N.H., opened an innocuous looking email last spring, the small New England department became victims of a totally new kind of crime – one that it had no idea how to solve. Criminal hackers had seized the department’s entire network of 28 computers, locking police out of the system that keeps arrest records, outstanding warrants, and incident reports for 24 hours. 

Program Integrity: Views on the Use of Commercial Data Services to Help Identify Fraud and Improper Payments, GAO-16-624: Published: Jun 30, 2016.

Thomson Reuters’ database, called World-Check, is used by over 300 government and intelligence agencies, as well as 49 of the world’s top 50 banks, according to a company fact sheet. World-Check is designed to give insight into financial crime and the people potentially behind it. “We monitor over 530 sanction, watch, and regulatory law and enforcement lists, and hundreds of thousands of information sources, often identifying heightened-risk entities months or years before they are listed. In fact, in 2012 alone we identified more than 180 entities before they appeared on the US Treasury Office of Foreign Assets Control (OFAC) list based on reputable sources identifying relevant risks,” the Thomson Reuters website reads. You might not expect one of those sources to be Wikipedia. According to Motherboard’s analysis, over 15,000 entries in the World-Check database reference wikipedia.org as a source. These include profiles which have been designated as “political individual,” “diplomat,” and “terrorism.” Over 6,500 of the profiles that include Wikipedia sources are for political individuals, 5,074 are for other individuals, 624 are labeled as being involved in some form of crime, such as narcotics or financial, and 178 are suspected of terrorism. Although Wikipedia can be a good source of information, some of the articles cited by World-Check are incomplete or of low quality…

Follow up to previous posting on this database – Leakedsource – “There are currently 1,933,304,758 accounts in our database” – users may search by term or type.
Via ET Tech – “If you have an account online, regardless of the country you reside in, chances are you have been hacked or will be hacked at some point in time. Sounds implausible? Consider this: there are over 1 billion websites in the world today and, according to Google, at least 50 million websites’ user details have been compromised so far. This is a significant rise from the 17 million compromised websites in 2015. Even the likes of Mark Zuckerberg (Facebook) and Sundar Pichai (Google) have had their social media accounts recently hacked…”

Iris Scans, Palm Prints, Face Recognition Data, and More Collected From Millions of Innocent Citizens – “The FBI, which has created a massive database of biometric information on millions of Americans never involved in a crime, mustn’t be allowed to shield this trove of personal information from Privacy Act rules that let people learn what data the government has on them and restrict how it can be used. The Electronic Frontier Foundation (EFF) filed comments today with the FBI, on behalf of itself and six civil liberties groups, objecting to the agency’s request to exempt the Next Generation Identification (NGI) database from key provisions of federal privacy regulations that protect personal data from misuse and abuse. The FBI has amassed this database with little congressional and public oversight, failed for years to provide basic information about NGI as required by law, and dragged its feet to disclose—again, as required by law—a detailed description of the records and its policies for maintaining them. Now it wants to be exempt from even the most basic notice and data correction requirements…”

myGov is a disaster waiting to happen
