Thursday, July 31, 2014

5 Ways Boards Could Tackle Cybersecurity

A new handbook from National Association of Corporate Directors, titled Cyber-Risk Oversight, offers five principles to guide boards of directors in helping their organizations address IT security threats.
The NACD announced on July 29 the availability of the handbook, which was developed in collaboration with the Internet Security Alliance, a trade group, and insurer American International Group.

"As the intricacy of attacks increases, so does the risk they pose to corporations," says Mark Camillo, AIG's head of cyber products for the Americas region. "Conscientious and comprehensive oversight of cyber-risk at the board level is essential."

The handbook focuses on board-level cybersecurity oversight and is organized around five key principles:
  1. Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprisewide, cyber-risk management framework with adequate staffing and budget.
  5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach. 
Read more here.

Wednesday, July 30, 2014

House Passes 3 Cybersecurity Bills

In what seemed to be a flashback to a more genial era in Congress, when compromise wasn't a dirty word, the House of Representatives passed a key cybersecurity bill, with its conservative Texas sponsor lauding the support for the measure from the liberal American Civil Liberties Union.

By voice votes on July 28, the House passed the National Cybersecurity and Critical Infrastructure Protection Act and two other cybersecurity measures. Next stop: the Senate.

On the floor, House Homeland Security Committee Chairman Mike McCaul, R-Texas, pointed out that business organizations and the ACLU, groups that often are at odds over legislation, supported the bill, with McCaul alluding to the ACLU's characterization of the bill as being pro security and pro privacy.

"Striking a balance between security and privacy, I believe, is one of the most difficult challenges in developing cybersecurity legislation, and I'm so very proud that this committee and this bill achieves that goal," McCaul said.

The bill, if enacted, would codify the National Cybersecurity and Communications Integration Center, an agency within the Department of Homeland Security that fosters real-time cyberthreat information sharing with critical infrastructure operators. It also would establish an equal partnership between industry and DHS, and ensure that DHS recognizes industry-led organizations to expedite critical infrastructure protection and incident response.

Friday, July 25, 2014

Listening devices found at Ford HQ

Detroit— The FBI searched Ford Motor Co.’s world headquarters while investigating one of the automaker’s engineers and seized listening devices, computers and financial records, according to search warrants obtained by The News on Thursday.

A lawyer for the mechanical engineer said Ford’s security team feared she was stealing trade secrets by hiding secret recording devices in conference rooms at the Dearborn automaker’s headquarters, nicknamed the Glass House.
Court records that would explain why the FBI had probable cause to search Ford and the engineer’s home are sealed in federal court. The government’s lawyer on the case, Assistant U.S. Attorney Jonathan Tukel, heads the National Security Unit in Detroit, successfully prosecuted underwear bomber Umar Farouk Abdulmutallab and specializes in cases involving espionage, counter-terrorism and terrorism financing, among others.

Searching a Fortune 500 company’s world headquarters instead of issuing a subpoena is a rare step and could indicate investigators were worried about someone destroying evidence, said Peter Henning, a law professor at Wayne State University and a former federal prosecutor.
“If it’s an economic espionage case or trade secrets case, that rarely involves one individual,” Henning said. “So the concern is if you send a subpoena and ask for recording devices, those things can be erased.”
The U.S. Attorney’s Office and FBI declined comment Thursday.

Monday, July 21, 2014

Hidden network packet sniffer found in millions of iPhones, iPads

An analysis of iOS by a security expert digging into claims of the NSA spying on Apple products has revealed some unexplained surveillance tools hidden in the operating system.
His study has also shown that a user's data may not be as safe as Cupertino is making out.

Data forensics expert and author Jonathan Zdziarski wrote an academic paper on the topic in March, and gave a talk [PDF] at the Hackers On Planet Earth (HOPE X) conference in New York on Friday showing his findings. The results of his research indicate a backdoor into iOS, although it's not as wide open as some reports have suggested.
"There are certain steps that have to be taken to get this data," Zdziarski told The Register. "Backdoors are guarded, there are things protecting it – you don’t just type 'Joshua' for full access."
Zdziarski's analysis shows that 600 million iOS devices, particularly those running the most recent version 7 builds, have data discovery tools that are separate from those used by Apple for standard backup and storage. These include a file-relay service that can snoop out data, bypassing the Backup Encryption service offered by Apple.

Read more here.

Kerry caught on hot mic disparaging Israel

Secretary of State John Kerry was caught on a hot mic on Fox News Sunday apparently disparaging Israel’s claim to be conducting a “pinpoint” operation in Gaza.

Host Chris Wallace explained that while Kerry spoke with an aide between his interviews with multiple Sunday shows, a microphone picked up his rather candid remarks in what Wallace called an “extraordinary moment of diplomacy” about the violence there.

“It’s a hell of a pinpoint operation,” Kerry said. “It’s a hell of a pinpoint operation … We’ve got to get over there. Thank you, John. I think, John, we ought to go tonight. I think it’s crazy to be sitting around.”
Wallace asked him after playing the recording whether he was upset that the Israelis were going too far, and Kerry appeared to go into damage control mode.

Read more here.

Thursday, July 17, 2014

Former Hospital Worker Faces HIPAA Charges

Federal prosecutors in Texas have taken the relatively uncommon move of pursuing criminal charges against an individual for alleged HIPAA violations. The case serves as a reminder that healthcare workers can potentially face prison time and hefty monetary fines for wrongful disclosures of patient data.

The U.S. Department of Justice earlier this month announced the criminal indictment of Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas.

The indictment, which was filed on March 26 in the U.S. district court in Tyler, Texas, but was sealed until July 3, charges Hippler with wrongful disclosure of individually identifiable health information, with the intent to sell, transfer and use for personal gain. The alleged criminal HIPAA violations began about Dec. 1, 2012, continuing through about Jan. 14, 2013, court documents say.

Read more here.

Wednesday, July 16, 2014

Details Emerge of Boeing Hack

Three Chinese nationals seeking to make "big bucks" broke into the computers of Boeing and other military contractors, stealing trade secrets on transport aircraft, a U.S. criminal complaint says.
The criminal complaint, dated June 27 and made public last week, describes in some detail how the alleged conspirators patiently observed Boeing and its computer network for a year, and then breached the contractor's systems to steal intellectual property on the C-17 military transport. It also casts light on the free-enterprise nature of cyber-snooping, as the co-conspirators allegedly exchanged e-mails about profiting from their enterprise.

U.S. authorities accuse Su Bin, a Chinese businessman residing in Canada, of helping direct two other Chinese nationals in cyberattacks to obtain information about the C-17 and other military projects. The complaint says that Su, who was arrested last month in Canada, and two unnamed co-conspirators, identified as UC1 and UC2, targeted information related to parts and performance of the C-17 transport and Lockheed Martin's F-22 and F-35 fighter jets. Su is in jail in Canada, awaiting a bail hearing.
The initial attacks against Boeing occurred between Jan. 14 and March 20, 2010, and for part of that time Su was in the United States, FBI Special Agent Noel Neeman says in the complaint. The documents do not describe how the information about the Lockheed Martin jet fighters was obtained.

Read more here.

Philadelphia VA tried to bug congressional investigators

During a congressional hearing into alleged intimidation of whistleblowers at the Department of Veterans Affairs, it was revealed that members of the Philadelphia regional office tried to record committee investigators with microphones and cameras earlier in the month.

In the July 2 incident, committee aides met with officials at the office, where they were directed to a workspace equipped with cameras and microphones, ABC News reported.

Once investigators realized they were being taped, they requested to be moved to a new room.

“It has been made clear that there is not a corner that [Veterans Benefits Administration] leadership will not cut, nor a statistic that they will not manipulate to lay claim to a hollow victory,” House Veterans Affairs Chairman Jeff Miller, Florida Republican, said Monday, ABC reported.

Allison Hickey, VA undersecretary for benefits, apologized to the committee for the July 2 incident.

“I offer my sincere apologies to your staff and my commitment that it will not happen again. You’ll receive anything you need,” Ms. Hickey said, ABC News reported.

Americans installing 'perfect spying device' in their own living rooms

(NaturalNews) Amazon.com is building the CIA's new $600 million data center, reports the Financial Times. (1) At the same time Amazon.com is building this massive cloud computing infrastructure for the CIA, the company is also shipping millions of Fire TV set-top devices to customers who are placing them in their private homes. I have one myself, and it's a terrific piece of hardware for delivering Prime video content. In fact, in terms of its usability and specs, it's far superior to Roku or Netflix-capable devices. Fire TV is, hands down, the best set-top video delivery device on the market today.

But there's something about it that always struck me as odd: it has no power button. There's no power button on the remote, and there's no power button on the box. It turns out there's no way to power the device off except for unplugging it.

This is highly unusual and apparently done by design. "It is not necessary to turn off Amazon Fire TV when you are finished using it," says the Amazon.com website. (2) "Your Amazon Fire TV is designed to go into sleep mode after 30 minutes, while continuing to automatically receive important software updates."

Note carefully that this does not say your Fire TV device WILL go into sleep mode after 30 minutes; only that it is "designed" to go into sleep mode after 30 minutes. As lawyers well know, this is a huge difference.

Friday, July 11, 2014

Hotel's Payment System Breached

For six months, cyber-attackers breached the credit card payment system for The Houstonian Hotel, Club and Spa, accessing account information about an undisclosed number of customers.
On June 10, the U.S. Secret Service notified the hotel regarding a potential breach in the organization's payment processing systems; The Houstonian then took mitigation steps, according to a statement provided to Information Security Media Group.

"As of June 20, we had fully replaced and overhauled the breached systems, further restricted access to all our servers and hired a data forensics firm to help us enhance our digital security," the hotel says.
The forensics team determined that an intruder illegally penetrated the hotel's internal computer systems between Dec. 28, 2013, and June 20, 2014. Credit card and payment information was compromised during that time, the hotel says.
State and federal law enforcement investigations into the incident are continuing. The hotel is offering affected individuals one year of free credit monitoring services.
A spokesman for the hotel declined to provide additional information.

Read more here.

Monday, July 7, 2014

Google Glass wearers can steal your password

Remember the kid who tried to cheat off you by looking over your shoulder to copy your test answers? He's baaaack.

But this time he's wearing Google Glass -- and he's after your iPad PIN.

Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google's face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn't even need to be able to read the screen -- meaning glare is not an antidote.
The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode.

Check out this video.

Read more here.

FCC to Fine Chinese Jammer Retailer $34.9M for Online U.S. Sales

The Federal Communications Commission plans to issue the largest fine in its history against C.T.S. Technology Co., Limited, a Chinese electronics manufacturer and online retailer, for allegedly marketing 285 models of signal jamming devices to U.S. consumers for more than two years.
The FCC applied the maximum fine allowed to each jammer model allegedly marketed by C.T.S., resulting in a planned fine of $34,912,500.

“All companies, whether domestic or foreign, are banned from marketing illegal jammers in the U.S.,” said Travis LeBlanc, Acting Chief of the Enforcement Bureau. “Signal jammers present a direct danger to public safety, potentially blocking the communications of first responders. Operating a jammer is also illegal, and consumers who do so face significant civil and criminal penalties.”

New FFIEC Cyber Exams: What to Expect

"It looks like additional emphasis will be placed on how the bank is monitoring and sharing information about current cyberthreats, and third-party access to internal network resources," likely a reaction to the Target Corp. breach, McHugh says.

Joram Borenstein, a cyber-fraud expert and vice president at NICE Actimize, which provides compliance services to banks and credit unions, says institutions just need to appreciate that the cyber landscape has changed.

"Banks are sharing information and trends informally, and have been doing so for years. What is different now is that the sharing communities have become larger, and the government is also supporting this sharing in a much more robust manner than ever before," he says. "Institutions should assume cybersecurity will become an increasingly regulated area to be handled in the same way other areas of compliance are handled."

Read more here.

Wednesday, July 2, 2014

The NSA Revelations Chart

This is a plot of the NSA programs revealed in the past year according to whether they are bulk or targeted, and whether the targets of surveillance are foreign or domestic. Most of the programs fall squarely into the agency’s stated mission of foreign surveillance, but some – particularly those that are both domestic and broad-sweeping – are more controversial.
Just as with the New York Magazine approval matrix that served as our inspiration, the placement of each program is based on judgments and is approximate.

For more details, read our FAQ or listen to our podcast. Also, take our quiz to test your NSA knowledge.

View the chart here.