Wednesday, August 03, 2016

Cyber Landscapes: Cyber workforce goes beyond 'coders at the keyboard'

Digital seems to be continuously shapeshifting, making it hard to keep on top of what's hot and what's not. From tactical strategy to integration to the ever-changing communication landscape, opportunities for digital success are abundant, but it's harder than ever to prioritize. With 2017 planning in motion for most organizations, now is the time to ensure you're making the right bets...

Everything is Broken Medium. Brian C: “In light of the recent hacking stories in the news, I thought it would be a good time to share one of my favorite blog posts of all time. I have been reading about information technology and working with it since about 1974, and I have never found a narrative that so perfectly captures my personal observations of the state of computer technology today.”

The leader of a gang of Nigerian business email compromise and romance scammers, who headed a network of at least 40 criminals, has been arrested and his operation disbanded, according to Interpol.  A 40-year-old Nigerian known as "Mike" was arrested by local police in June along with a 38-year old accomplice in Port Harcourt, in the south of the African nation, Interpol said. The pair face charges of hacking, conspiracy and obtaining money under false pretences, and are on administrative bail as police continue the investigation. Aussie businesses hit hard by busted Nigerian email scam ring

Residents are being warned to keep their guard up against bogus callers as a spate of phone scams hits the Gold Coast... Second Commissioner Mr Geoff Leeper said the tax office was very concerned about taxpayer privacy and he reminded people of the key differences between a scam of this nature and a genuine call from the ATO.
“We would never cold call you about a debt, we would never threaten jail or arrest, and our staff certainly wouldn’t behave in an aggressive manner,” he said. “If you have a debt, we will write to you first. If we do ring you, our staff will identify themselves and let you know how you can call us back using our publicly listed phone number. “If the person calling you is rude and aggressive, threatening police or legal action if you don’t do something immediately, it’s not the ATO.”
Mr Leeper said a person’s tax agent would be able to confirm claims of a debt.
“We will never request the payment of a tax debt via gift or prepaid cards such as iTunes and Visa cards. Nor will we ask for direct credit to be paid to a personal bank account,” he said. “If you’re not sure (about a caller), hang up and call us back on 1800 008 540.”
Gold Coast elderly targeted by Unitycare and ATO scammers

Data warning ... Geoff Leeper works with the Client Identity Unit to fight identity fraud. Photo: Lyn Mills

Fighting Fraud in the Public Sector III Australian Government agencies name cybercrime as their top fraud risk: PwC

The US Department of Justice has a battle on its hands, as dozens of lawyers question evidence the FBI obtained using hacking techniques across a string of ongoing cases. In 2015, the FBI used a piece of malware to identify suspected visitors of a dark web child pornography site. Now, nearly 30 legal teams across the country have pushed to get all evidence thrown out of court, and many attorneys have decided to pool their efforts in a “national working group.” The cases revolve around Operation Pacifier, in which the FBI briefly assumed control of the “Playpen” website.

Hacker puppets explain how they find your passwords in non-technical ways
The head of the Digital Transformation Office, Paul Shetler, said one of the biggest attractions of the job was the opportunity to do a few things better than GDS, on which the DTO is based.
GovHack was originally an Australian initiative by Web Directions. They ran the first GovHack in 2009 which was funded by the Gov 2.0 Taskforce as part of their MashUp Australia initiative.
GovHack is a two-day event held simultaneously around Australia to create working prototypes with government data, and to help find new ways to solve the challenges facing government and contributes towards social and economic development. GovHack includes a number of locations around Australia with participation from federal, state and local governments.
This is a non-profit event proudly run by a team of passionate volunteers and mentors that collaborate from all corners of Australia and New Zealand to form the GovHack Coordination Team. GovHackthon 2016
A series of sample files of individual tax return information for more advanced users: Australian Taxation Office taxation statistics individual sample files

Discovery and Reuse of Open Datasets: An Exploratory Study – Sara Mannheimer, Montana State University-Bozeman; Leila Belle Sterman, Montana State University-Bozeman; Susan Borda, Montana State University-Bozeman. Publication Date 7-19-2016. DOI Link

A panel of private information security experts and a chief with the National Security Agency on Thursday cautioned companies against taking an offensive approach to cybersecurity that could put them at odds with the law in the United States. Just as it would be illegal to break into someone’s home to retrieve property that you believe the occupant stole from you, it’s a violation of the law to break into another party’s network and retrieve data that you think has been stolen from you or your company, according to experts. “I think that’s a good framing point to begin the discussion. Bottom line is, it’s just illegal,” said Rob Joyce, chief of tailored access operations at the National Security Agency. It’s illegal, that is, in the United States.

Zulfikar bin Mohamad Shariff: Australian resident detained for 'terrorism-related activities' in Singapore

Will Preemptive Accusations Against Russia Cover Up Voting Fraud? Moon of Alabama

How Is the Federal Government Using the Internet of Things? By Daniel Castro, Joshua New & Alan McQuinn. July 25, 2016: “The Internet of Things (IoT)—a term used to describe the set of physical objects embedded with sensors or actuators and connected to a network—offers numerous opportunities for the federal government to cut costs and improve citizen services

Qld pays $300k to build an app already available for free

In 2010, analysts working for Russian cybersecurity magnate Eugene Kaspersky discovered Stuxnet, the first cyberweapon ever used for offensive purposes. Last year, they also discovered the Equation Group, one of the most sophisticated cyberweapons to date. Experts say the U.S. and Israel developed Stuxnet to slow the development of Iran’s nuclear program. The terrifying potential consequences of its effect on the global internet grid are the subject of a documentary released earlier this month called Zero Days. Kaspersky spoke to Newsweek about cyberwar, Edward Snowden and privacy in the digital age.


The Digital Transformation Office says transparency and better service delivery are the aims of its new performance dashboard system, which displays live info-graphics about how government initiatives are going. DTO Happy Birthday - Jeden


Health and Human Services Department officials think the public and private sectors need to collaborate to fend off cyberthreats. HHS plans to provide grants to “information sharing and analysis organizations” -- up to $250,000 a year for five years -- that would encourage health care IT professionals and regulators to combine their knowledge about impending cyberthreats.
HHS Will Fund Cyberthreat Information Sharing

Cyber resiliency in the Fourth Industrial Revolution – A roadmap for global leaders facing emerging cyber threats
“The First Industrial Revolution, in the late 18th century, was driven largely by steam engines. The second, in the late 19th century, introduced mass production and the division of labor. The third, in the late 20th century, involved digital automation and information technology.

Who’s Hillary’s Hacker and Why?

For example, at its simplest, I would expect a middling-competency hacker to find an open wifi hub across town to connect to, then VPN to a server in, say, Tonga, then VPN from there to another box in Sweden, then connect to a PC previously compromised in Iowa, then VPN to yet another anonymous cloud server in Latvia, and (assuming the Mountain Dew is running low, gotta get cracking) then RDP to the target server and grab as many docs as possible. RAR those up and encrypt them, FTP them to a compromised media server in South Korea, email them from there to someone's Gmail account previously hacked, xfer them to a P2P file sharing app, and then finally access them later from a completely different set of servers.
Can we even know who hacked the DNC email

"N.J. Supreme Court to decide if government metadata is public": Jan Hefler of The Philadelphia Inquirer has an article that begins, "The New Jersey Supreme Court has agreed to hear a case brought by an open-government activist who contends that the public should be allowed to view electronic data and metadata kept by local government agencies."

Bill O’Reilly melts down over ‘slaves were well-fed’ criticism: Liberals ‘want me dead’ Raw Story

Mitigating the Cybersecurity Skills Shortage – Top Insights and Actions from Cisco Security Advisory Services
“Increasingly sophisticated threat campaigns. High-profile data breaches. Determined threat actors. The sophistication of the technology and tactics used by criminals has outpaced the ability of IT and security professionals to address these threats. Security Magazine reports that “most organizations do not have the people or systems to monitor their networks consistently and to determine how they are being infiltrated.” Cisco estimates there are more than 1 million unfilled security jobs worldwide.”

Searching for the Internet of Things on the Web: Where It Is and What It Looks Like. Ali Shemshadi, Quan Z. Sheng, Wei Emma Zhang, Aixin Sun, Yongrui Qin, Lina Yao (Submitted on 23 Jul 2016).
“The Internet of Things (IoT), in general, is a compelling paradigm that aims to connect everyday objects to the Internet. Nowadays, IoT is considered as one of the main technologies which contribute towards reshaping our daily lives in the next decade. IoT unlocks many exciting new opportunities in a variety of applications in research and industry domains.

Dudley Kneller of Madgwicks Lawyers fame: This paper briefly examines some of the new social media technologies available and considers the compliance and risk issues lawyers need to be aware of when advising their clients in this space. It provides some guidance on advising on these compliance risks and makes recommendations on assisting clients to implement a digital marketing strategy which seeks to use such technologies effectively while properly complying with applicable legal and regulatory requirements. So, how best to advise your clients on this new risk to their business?
Technology and compliance — uncomfortable bed-fellows! (via Lexis)

Our Digital Expanses Have Made Us Confidently Arrogant. Where’s The Value In Humility?

PRESIDENTIAL POLICY DIRECTIVE/PPD-41 SUBJECT: United States Cyber Incident Coordination, July 26, 2016
“The advent of networked technology has spurred innovation, cultivated knowledge, encouraged free expression, and increased the Nation’s economic prosperity.

Jack Johnson — whose six-second bursts of comedy on Vine have propelled him to a fledgling pop-rap career — is one of the internet’s biggest stars. Last week he told his nearly four million Twitter followers to send him their passwords. And in an hour, tens of thousands of fans complied — all for the slim chance to see a personalized video from Mr. Johnson pop up inside their accounts. At first glance, this stunt, which Mr. Johnson called “#HackedByJohnson,” looks like another case of teenagers traipsing through a social media minefield, oblivious to the real-world consequences. But Mr. Johnson’s fans are not naïve. Handing over their passwords to some strange, cute boy actually constitutes a minor act of youthful rebellion. The whole encounter delivers a heady mix of intimacy and transgression — the closest digital simulation yet to a teenage crush.

Cyber threats prompt Estonia to set up UK data centre The Financial Times (subscription required)
Fearful of Russian cyber attack or invasion, the Baltic state of Estonia is planning to make a virtual copy of itself — in Britain. Negotiations are under way between Tallinn and London for Estonia to back up terabytes of data — everything from birth records and the electoral roll to property deeds, banking credentials and the entire government bureaucracy — to deposit in a secure location in the UK, according to Estonian officials.

Data modeling or database design is the process of producing a detailed model of a database. The start of data modeling is to grasp the business area and functionality being developed. When we work with an Agile process (in this case, Scrum), there is a tendency to assume that everyone can work with everything. However, I would like to point out flaws in that idea and my recommendations related to data modeling and Scrum.
Data Modeling in Agile Development: One Data Modeler’s Experience

The Defense Department’s R&D group is buying a system that could rely on a network’s behavioral patterns, and any deviation from those, to detect cyberthreats. The Defense Advanced Research Projects Agency awarded a $6 million contract to Galois, a Portland, Oregon-based computer science company, to build out a product that can identify “advanced persistent threats” -- cyberintrusions that allow the actor to remain in the system for an extended period. The solution would detect “subtle but potentially malicious activities” by tracking the behavioral patterns of a complex network and noting “causality in system activity,” according to Galois’ description of the project. The company is also working with the National Institute of Standards and Technology on an internet of things pilot.

While the White House plans to fill thousands of cybersecurity jobs within the federal government this year, the administration is also looking for a host of other professionals — from lawyers to economists to behavioral scientists — to boost agency practices securing digital networks. Two top White House cybersecurity officials — Cybersecurity Coordinator Michael Daniel and Chief of the Office of Management and Budget’s Cyber and National Security Unit Trevor Rudolph — expounded on the recently released cyber workforce strategy Wednesday, saying it’s going to be a large task to cut away the red tape needed to get the right people hired inside agencies. “This is a strategy that will be executed over the long term,” Daniel said at an ACT-IAC event. “We did not get ourselves into this situation quickly, and we are not going to get out of it quickly. It’s going to take a while.” Released last week, the strategy calls for the hiring of 3,500 more IT security professionals before the year ends. While Daniel acknowledged that means thousands of jobs dedicated to the technical part of information security, there are plenty of other related positions he wants to see filled as well. “It’s not just your coders at the keyboard. We also need, and are short on, lawyers who understand cybersecurity and economists that understand cybersecurity,” Daniel said. “It’s not along a single axis of education to address the problem.”

According to Verizon's 2015 Data Breach Investigations Report, about 50 percent of all security incidents — any event that compromises the confidentiality, integrity or availability of an information asset — are caused by people inside an organization. And while 30 percent of all cases are due to worker negligence like delivering sensitive information to the wrong recipient or the insecure disposal of personal and medical data, roughly 20 percent are considered insider misuse events, where employees could be stealing and/or profiting from company-owned or protected information.

After DNC hack, the case for paper ballots. Are paper ballots really a superior technology to voting machines? Absolutely... (Paper Tax Returns next?)

The FBI should avoid prioritizing cyberthreats on the basis of a "gut check" or assess them based on the "loudest person in the room," according to a report released by the Justice Department’s Office of Inspector General. The FBI should change its procedures to detect cyberthreats in a more timely way and track whether agents’ efforts are aligned to the most serious priorities, the July 21 report by Justice Department IG Michael Horowitz said. The FBI does not prioritize cyberthreats in an agile, objective, data-driven, auditable manner, the report said.

Leading U.S. banks, and other publicly traded companies, should expect increased cybersecurity scrutiny from the Securities and Exchange Commission. This week, during a meeting of the Treasury Department's Financial and Banking Information Infrastructure Committee, leaders of the SEC and the Commodity Futures Trading Commission, which aims to protect consumers from fraud, shared updates about their agencies' approaches to cybersecurity, as well as an overview of their examination processes, rules and other actions.

The Federal Communications Commission has decided to make a European-owned company the clearinghouse for routing billions of cellphone calls and text messages across the United States, despite claims by critics that the plan poses national security risks, officials said on Thursday. The F.C.C.’s approval, which has not been publicly announced, will give a New Jersey subsidiary of Ericsson, the Swedish technology giant, the obscure but critical job of operating a sprawling national system to track and route wireless calls and texts among hundreds of service providers. The routing system began in the 1990s as a way for people to keep their cellphone numbers when they switched carriers, but intelligence and law enforcement agencies have come to rely on it to track and trace phone numbers in investigations.

A hacking group called the Turk Hack Team is taking credit for a shutdown of the Library of Congress website and hosted systems including the Copyright Office, Congressional Research Service and other sites.

The House Science, Space and Technology Committee is questioning whether foreign nationals may have had direct access to sensitive Office of Personnel Management data before a historic OPM hack attack was disclosed last summer.

A little bit over a year ago, the normally quiet Twitter account of Hacking Team, an Italian company that sells spying tools to governments all over the world, started acting weird. “Since we have nothing to hide, we’re publishing all our e-mails, files, and source code,” read a tweet published late on Sunday, July 5, 2015. The tweet was accompanied by a link to a torrent file of around 400 gigabytes, practically everything Hacking Team had on its corporate servers: internal emails, confidential documents, and even the company’s source code.

A journalist convicted of hacking was ordered Thursday to begin serving his two-year prison sentence. Matthew Keys was scheduled to begin serving his term last month, but a federal appeals court stayed his custody to determine whether he should remain free from the federal prison camp in Atwater, California pending an appeal of his federal conviction under the Computer Fraud and Abuse Act (CFAA).