Wednesday, December 31, 2014

Lithuania Detains Alleged Russian Spy Ring at Major NATO Airbase

Several members of an alleged Russian spy ring within the Lithuanian armed forces were detained by the national general prosecution on Wednesday in the Lithuanian city of Šiauliai, near NATO’s major Baltic air base amidst allegations they had been engaged in espionage for “a foreign intelligence service”, with authorities not ruling out Russian involvement.
Lithuanian lieutenant colonel Vidmantas Raklyavicos told Russian news agency Itar-Tass that one man detained was indeed one of his officers, deployed in the Zoknai air base, a large NATO facility where the organisation’s Baltic patrol flights are coordinated.
“The special services informed me about his capture,” the colonel said, but would not unveil the alleged spy’s identity.

Sunday, December 28, 2014

Electronic eavesdropping: NSA reports on its privacy violations

Responding to a Freedom of Information lawsuit by the American Civil Liberties Union, the National Security Agency has reported instances when it violated individual privacy. The NSA says ‘the vast majority involve unintentional technical or human error.’

The National Security Agency has a lot to keep track of – all those electronic communications and other signals, mostly innocuous but some of which are critical to national security, collectively known as “signals intelligence” or SIGINT.
In the post-9/11 world of terrorist threats, unconventional war, and rapidly advancing technology, sorting through and making sense of all that SIGINT becomes increasingly critical.
So does protecting the civil liberties of individual Americans, whose private and personal information – from cell phone records to email communication – may get vacuumed up (or specifically targeted) in the NSA’s massive electronic spying efforts.

Read More Here.

Thursday, December 11, 2014

3D Printing and Industrial Espionage

The full extent of industrial espionage is surely more prevalent than reports indicate, and the advent of additive manufacturing with its electronic file-based design processes is a frontier in an ongoing series of skirmishes in technological border wars.

The news that a former employee of United Technologies Corp. was recently placed under arrest by federal authorities for allegedly trying to shuttle sensitive, military aerospace-related documents to China was surely the least of the possible problems facing companies and governments as they increasingly move their design and development work to digital realms.

Federal authorities say Yu Long, who once worked on additive manufacturing and casting processes for Pratt & Whitney, had a history of involvement on projects like the F119 engine, a highly sophisticated powerplant used in the F-22 Raptor, and on the F135 engine which powers the F-35 Lightning II Joint Strike Fighter.

Long was arrested in Ithaca, NY, and the feds say they also found documents in his possession which were deemed to be “critical in the development of technologically advanced titanium for use in advanced aircraft.”

Read more here.

Wednesday, November 26, 2014

Cyber-Roach! Mic-Equipped Bugs

Remote-controlled cyborg cockroaches could one day be among the first responders at disaster scenes to help locate survivors.

A team of researchers at North Carolina State University has created a swarm of cyborg cockroaches, nicknamed "biobots," that are equipped with microphones to pick up sounds and trace them to their sources. The researchers hope the biobots could one day be used in disaster-relief situations to locate survivors.

Each cockroach has a tiny circuit board "backpack" attached to it that researchers can use to control the bug's movement. Some of the biobots have a single microphone that can capture sounds at a disaster scene and send them back to personnel. Others have a series of microphones that can pinpoint the source of a sound and then steer the bug toward it. 

Read more here.

ACLU ally in battle against phone spying

In a new court filing, the American Civil Liberties Union (ACLU) has jumped into the criminal case of a man who federal prosecutors allege orchestrated a murder-for-hire earlier this year in Baltimore, Maryland.

Specifically, in its 29-page amicus (friend of the court) brief filed on Tuesday, the ACLU supports the defendant’s earlier motion that the government be required to disclose information about how it used a stingray, or cell-site simulator, without a warrant, and therefore the court should suppress evidence gathered as a result of its use.

"It is not rare for police to use stingrays in investigations, but it is rare for them to disclose that to defense attorneys, and even more rare for [those attorneys] to understand the implications and even more rare for us to know about it and weigh in," Nate Wessler, an ACLU attorney who authored the amicus brief, told Ars.

The ACLU has not been involved in a stingray case since Daniel David Rigmaiden, an Arizona man convicted of tax fraud who took a plea deal and was released on time served in April 2014. The ACLU hopes that through its assistance to the defendant and his lawyer, the public will be able to learn more about the secretive surveillance devices.

Read more here.

Sony Pictures hacked, computer system reportedly unusable

Reports that Sony Pictures has been hacked have been trickling in this morning, after a thread appeared on Reddit claiming all computers at the company were offline due to a hack.
According to the Reddit thread, an image appeared on all employees’ computers reading “Hacked by #GOP” and demanding their “requests be met” along with links to leaked data.

The Reddit user that posted the thread posted a year ago that they worked at Sony Pictures.

The ZIP files mentioned in the images contain a list of filenames of a number of documents pertaining to financial records along with private keys for access to servers. The message shown on computers mentions “demands” that must be met by November 24th at 11:00PM GMT or the files named will be released.
A source within Sony has anonymously confirmed to TNW that the hack and image that have appeared on computers inside Sony Pictures are real. They said that “a single server was compromised and the attack was spread from there.”
According to our source, everyone was going home following the hack: “We’re all going to work from home. Can’t even get on the internet.”

Read more here.

Wednesday, October 15, 2014

Someone Might Be Spying On Your WebEx Meetings

Cisco has sent a warning to its customers to protect their WebEx meetings after Brian Krebs from KrebsOnSecurity found that almost 50 big players left their online meetings vulnerable and open for all.

Krebs said that he found several organizations did not password protect their WebEx meetings, thus allowing anyone to join and get information about their internal planning. The schedule of these meetings was available through the WebEx Event Center. WebEx is an online conferencing system from Cisco.

These issues were present with audio and video based meetings as well. There are options for companies to password protect their sessions, but many companies do not follow the best practices for online meetings, and thus allow any malicious entity to join the daily conferences and gather details regarding management related topics.

Read more here.

Tuesday, October 14, 2014

Dropbox: We weren’t hacked!

NEW YORK (CNNMoney) — A group of anonymous hackers claims to have stolen nearly 7 million Dropbox username and password combinations. But Dropbox denied that it was hacked.
The hackers have posted several hundred email addresses and passwords so far on, releasing more logins as they receive more bitcoin donations.
“Your stuff is safe,” Dropbox said in a blog post. “The usernames and passwords … were stolen from unrelated services, not Dropbox.”
It’s not clear which service or services the passwords were stolen from. Some third-party apps allow people to manage their Dropbox files, but a Dropbox spokesman wouldn’t name any potential culprit.
It’s possible that some people used the same login information for Dropbox that they used for the third-party app.

Read more here.

Wednesday, September 24, 2014

FBI Warns of Rise in Disgruntled Employees Stealing Data

 Wall Street Journal (09/23/14) Barrett, Devlin

The FBI said Tuesday that it has seen a spike in the number of disgruntled employees who steal company information, sometimes as part of an effort to extort money from previous employers.
 There have been cases in which individuals used their access to destroy data, steal software, obtain customer data, make unauthorized purchases, and gain a competitive edge at a new job, the FBI said. A common way to steal information, the FBI noted, is to use cloud storage accounts and personal e-mail. Sometimes, terminated employees still have remote access to the company's system.

Organizations that have recently been victimized by data theft have suffered losses of $5,000 to $3 million. The FBI reports that some employees have attempted to extort their employer by restricting access to company Web sites, disabling certain functions in content management systems, or conducting distributed denial-of-service attacks. Companies are advised to quickly end departed employees' access to computer systems, and change administrative passwords after IT personnel quit or are terminated.

Read more here.

Tuesday, September 23, 2014

2014 ERII Conference Debrief

2014 Espionage Research Institute International Counterespionage Conference

The Annual ERII Counterespionage Conference was held on September 12, 13 & 14 in Washington, DC.

TSCM professionals from across the globe met to discuss counter espionage news and events, see demonstrations of new TSCM equipment and network with colleagues.
The ERII Conference experience included presentations by top experts in the fields of Technical Surveillance Countermeasures (TSCM) Counterintelligence/Counterespionage, Cyber Countermeasures, Equipment vendors and more.
This year, our Keynote Speaker was Sandra Grimes, author of "Circle of Treason: A CIA Account of Traitor Aldrich Ames and the Men He Betrayed."

Read more here.

Thursday, August 28, 2014

Former Cyber Security Chief in Charge of Obamacare Site Going to Jail for Heinous Online Activities

A former acting director of cyber security with top clearance at the Department of Health and Human Services has been convicted of several child pornography charges, after a yearlong investigation by the FBI.
As reported by the New York Daily News:

Timothy DeFoggi, 56, was found guilty of engaging in a child exploitation enterprise, conspiracy to advertise and distribute child pornography and accessing a computer with intent to view child pornography. He was listed as an employee with top clearance at the HHS up until January 2014, though he was charged and held without bail in May 2013.

But DeFoggi wasn’t only looking at pornographic pictures. It’s far worse than that.

“His activities on the site included accessing child pornography and expressing sexual fantasies — including raping and murdering children — in his communication with other site members. DeFoggi even suggested meeting one member in person to fulfill their mutual fantasies to violently rape and murder children,” the Department of Justice said of DeFoggi’s activities.
Read more here.

Tuesday, August 5, 2014

FinFisher spyware docs detail surveillance limitations

A parody Gamma International Twitter account is releasing secret documents that detail FinFisher spyware limitations, spying modules, mobile capabilities, price list and antivirus detection of the malware typically sold to governments.

“Phineas Fisher” aka @GammaGroupPR, a parody Twitter account of the Gamma Group that specializes in FinFisher spyware, certainly knows how to snag attention. Its very first tweet announced, “Here at Gamma International, we've run out of governments to sell to, so we're opening up sales to the general public!”

Then come the links to leaked FinFisher documents stored in Dropbox, including a product brochure featuring FinFisher’s selection of monitoring software and capabilities (pdf), user manual with troubleshooting tips for setting up a FinSpy server, price list, release notes for FinSpy Mobile 4.51, and another document that spells out how well the spyware does on Windows Mobile devices.
WikiLeaks Spy Files first released documents detailing FinFisher in 2011. Citizen Lab research from 2012 showed how the sneaky FinFisher surveillance had gone mobile. The leaked documents via @GammaGroupPR are the newest, with some dated April 2014.

Read more here.

Friday, August 1, 2014

Hackers Tap Into USB Devices, Evade All Known Security Protections

BOSTON (Reuters) - USB devices such as mice, keyboards and thumb-drives can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.

Karsten Nohl, chief scientist with Berlin's SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.

"You cannot tell where the virus came from. It is almost like a magic trick," said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.
The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.

Thursday, July 31, 2014

5 Ways Boards Could Tackle Cybersecurity

A new handbook from the National Association of Corporate Directors, titled Cyber-Risk Oversight, offers five principles to guide boards of directors in helping their organizations address IT security threats.
The NACD announced on July 29 the availability of the handbook, which was developed in collaboration with the Internet Security Alliance, a trade group, and insurer American International Group.

"As the intricacy of attacks increases, so does the risk they pose to corporations," says Mark Camillo, AIG's head of cyber products for the Americas region. "Conscientious and comprehensive oversight of cyber-risk at the board level is essential."

The handbook focuses on board-level cybersecurity oversight and is organized around five key principles:
  1. Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprisewide, cyber-risk management framework with adequate staffing and budget.
  5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach. 
Read more here.

Wednesday, July 30, 2014

House Passes 3 Cybersecurity Bills

In what seemed to be a flashback to a more genial era in Congress, when compromise wasn't a dirty word, the House of Representatives passed a key cybersecurity bill, with its conservative Texas sponsor lauding the support for the measure from the liberal American Civil Liberties Union.

By voice votes on July 28, the House passed the National Cybersecurity and Critical Infrastructure Protection Act and two other cybersecurity measures. Next stop: the Senate.

On the floor, House Homeland Security Committee Chairman Mike McCaul, R-Texas, pointed out that business organizations and the ACLU, groups that often are at odds over legislation, supported the bill, with McCaul alluding to the ACLU's characterization of the bill as being pro security and pro privacy.

"Striking a balance between security and privacy, I believe, is one of the most difficult challenges in developing cybersecurity legislation, and I'm so very proud that this committee and this bill achieves that goal," McCaul said.

The bill, if enacted, would codify the National Cybersecurity and Communications Integration Center, an agency within the Department of Homeland Security that fosters real-time cyberthreat information sharing with critical infrastructure operators. It also would establish an equal partnership between industry and DHS, and ensure that DHS recognizes industry-led organizations to expedite critical infrastructure protection and incident response.

Friday, July 25, 2014

Listening devices found at Ford HQ

Detroit— The FBI searched Ford Motor Co.’s world headquarters while investigating one of the automaker’s engineers and seized listening devices, computers and financial records, according to search warrants obtained by The News on Thursday.

A lawyer for the mechanical engineer said Ford’s security team feared she was stealing trade secrets by hiding secret recording devices in conference rooms at the Dearborn automaker’s headquarters, nicknamed the Glass House.
Court records that would explain why the FBI had probable cause to search Ford and the engineer’s home are sealed in federal court. The government’s lawyer on the case, Assistant U.S. Attorney Jonathan Tukel, heads the National Security Unit in Detroit, successfully prosecuted underwear bomber Umar Farouk Abdulmutallab and specializes in cases involving espionage, counter-terrorism and terrorism financing, among others.

Searching a Fortune 500 company’s world headquarters instead of issuing a subpoena is a rare step and could indicate investigators were worried about someone destroying evidence, said Peter Henning, a law professor at Wayne State University and a former federal prosecutor.
“If it’s an economic espionage case or trade secrets case, that rarely involves one individual,” Henning said. “So the concern is if you send a subpoena and ask for recording devices, those things can be erased.”
The U.S. Attorney’s Office and FBI declined comment Thursday.

Monday, July 21, 2014

Hidden network packet sniffer found in millions of iPhones, iPads

An analysis of iOS by a security expert digging into claims of the NSA spying on Apple products has revealed some unexplained surveillance tools hidden in the operating system.
His study has also shown that a user's data may not be as safe as Cupertino is making out.

Data forensics expert and author Jonathan Zdziarski wrote an academic paper on the topic in March, and gave a talk [PDF] at the Hackers On Planet Earth (HOPE X) conference in New York on Friday showing his findings. The results of his research indicate a backdoor into iOS, although it's not as wide open as some reports have suggested.
"There are certain steps that have to be taken to get this data," Zdziarski told The Register. "Backdoors are guarded, there are things protecting it – you don’t just type 'Joshua' for full access."
Zdziarski's analysis shows that 600 million iOS devices, particularly those running the most recent version 7 builds, have data discovery tools that are separate from those used by Apple for standard backup and storage. These include a file-relay service that can snoop out data, bypassing the Backup Encryption service offered by Apple.

Read more here.

Kerry caught on hot mic disparaging Israel

Secretary of State John Kerry was caught on a hot mic on Fox News Sunday apparently disparaging Israel’s claim to be conducting a “pinpoint” operation in Gaza.

Host Chris Wallace explained that while Kerry spoke with an aide between his interviews with multiple Sunday shows, a microphone picked up his rather candid remarks in what Wallace called an “extraordinary moment of diplomacy” about the violence there.

“It’s a hell of a pinpoint operation,” Kerry said. “It’s a hell of a pinpoint operation … We’ve got to get over there. Thank you, John. I think, John, we ought to go tonight. I think it’s crazy to be sitting around.”
Wallace asked him after playing the recording whether he was upset that the Israelis were going too far, and Kerry appeared to go into damage control mode.

Read more here.

Thursday, July 17, 2014

Former Hospital Worker Faces HIPAA Charges

Federal prosecutors in Texas have taken the relatively uncommon move of pursuing criminal charges against an individual for alleged HIPAA violations. The case serves as a reminder that healthcare workers can potentially face prison time and hefty monetary fines for wrongful disclosures of patient data.

The U.S. Department of Justice earlier this month announced the criminal indictment of Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas.

The indictment, which was filed on March 26 in the U.S. district court in Tyler, Texas, but was sealed until July 3, charges Hippler with wrongful disclosure of individual identifiable health information, with the intent to sell, transfer and use for personal gain. The alleged criminal HIPAA violations began about Dec. 1, 2012, continuing through about Jan. 14, 2013, court documents say.

Read more here.

Wednesday, July 16, 2014

Details Emerge of Boeing Hack

Three Chinese nationals seeking to make "big bucks" broke into the computers of Boeing and other military contractors, stealing trade secrets on transport aircraft, a U.S. criminal complaint says.
The criminal complaint, dated June 27 and made public last week, describes in some detail how the alleged conspirators patiently observed Boeing and its computer network for a year, and then breached the contractor's systems to steal intellectual property on the C-17 military transport. It also casts light on the free-enterprise nature of cyber-snooping, as the co-conspirators allegedly exchanged e-mails about profiting from their enterprise.

U.S. authorities accuse Su Bin, a Chinese businessman residing in Canada, of helping direct two other Chinese nationals in cyberattacks to obtain information about the C-17 and other military projects. The complaint says that Su, who was arrested last month in Canada, and two unnamed co-conspirators, identified as UC1 and UC2, targeted information related to parts and performance of the C-17 transport and Lockheed Martin's F-22 and F-35 fighter jets. Su, who was arrested last month, is in jail in Canada, awaiting a bail hearing.
The initial attacks against Boeing occurred between Jan 14 and March 20, 2010, and for part of that time Su was in the United States, FBI Special Agent Noel Neeman says in the complaint. The documents do not describe how the information about the Lockheed Martin jet fighters was obtained.

Read more here.

Philadelphia VA tried to bug congressional investigators

During a congressional hearing into alleged intimidation of whistleblowers at the Department of Veterans Affairs, it was revealed that members of the Philadelphia regional office tried to record committee investigators with microphones and cameras earlier in the month.

In the July 2 incident, committee aides met with officials at the office, where they were directed to a workspace equipped with cameras and microphones, ABC News reported.

Once investigators realized they were being taped, they requested to be moved to a new room.

“It has been made clear that there is not a corner that [Veterans Benefits Administration] leadership will not cut, nor a statistic that they will not manipulate to lay claim to a hollow victory,” House Veterans Affairs Chairman Jeff Miller, Florida Republican, said Monday, ABC reported.

Allison Hickey, VA undersecretary for benefits, apologized to the committee for the July 2 incident.

“I offer my sincere apologies to your staff and my commitment that it will not happen again. You’ll receive anything you need,” Ms. Hickey said, ABC News reported.

Americans installing 'perfect spying device' in their own living rooms

(NaturalNews) is building the CIA's new $600 million data center, reports the Financial Times. (1) At the same time is building this massive cloud computing infrastructure for the CIA, the company is also shipping millions of Fire TV set-top devices to customers who are placing them in their private homes. I have one myself, and it's a terrific piece of hardware for delivering Prime video content. In fact, in terms of its usability and specs, it's far superior to Roku or Netflix-capable devices. Fire TV is, hands down, the best set-top video delivery device on the market today.

But there's something about it that always struck me as odd: it has no power button. There's no power button on the remote, and there's no power button on the box. It turns out there's no way to power the device off except for unplugging it.

This is highly unusual and apparently done by design. "It is not necessary to turn off Amazon Fire TV when you are finished using it," says the website. (2) "Your Amazon Fire TV is designed to go into sleep mode after 30 minutes, while continuing to automatically receive important software updates."

Note carefully that this does not say your Fire TV device WILL go into sleep mode after 30 minutes; only that it is "designed" to go into sleep mode after 30 minutes. As lawyers well know, this is a huge difference.

Friday, July 11, 2014

Hotel's Payment System Breached

For six months, cyber-attackers breached the credit card payment system for The Houstonian Hotel, Club and Spa, accessing account information about an undisclosed number of customers.
On June 10, the U.S. Secret Service notified the hotel regarding a potential breach in the organization's payment processing systems; The Houstonian then took mitigation steps, according to a statement provided to Information Security Media Group.

"As of June 20, we had fully replaced and overhauled the breached systems, further restricted access to all our servers and hired a data forensics firm to help us enhance our digital security," the hotel says.
The forensics team determined that an intruder illegally penetrated the hotel's internal computer systems between Dec. 28, 2013, and June 20, 2014. Credit card and payment information was compromised during that time, the hotel says.
State and federal law enforcement investigations into the incident are continuing. The hotel is offering affected individuals one year of free credit monitoring services.
A spokesman for the hotel declined to provide additional information.

Read more here.

Monday, July 7, 2014

Google Glass wearers can steal your password

Remember the kid who tried to cheat off you by looking over your shoulder to copy your test answers? He's baaaack.

But this time he's wearing Google Glass -- and he's after your iPad PIN.

Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google's face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn't even need to be able to read the screen -- meaning glare is not an antidote.
The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode.

Check out this video.

Read more here.

FCC to Fine Chinese Jammer Retailer $34.9M for Online U.S. Sales

The Federal Communications Commission plans to issue the largest fine in its history against C.T.S. Technology Co., Limited, a Chinese electronics manufacturer and online retailer, for allegedly marketing 285 models of signal jamming devices to U.S. consumers for more than two years.
The FCC applied the maximum fine allowed to each jammer model allegedly marketed by C.T.S., resulting in a planned fine of $34,912,500.

“All companies, whether domestic or foreign, are banned from marketing illegal jammers in the U.S.,” said Travis LeBlanc, Acting Chief of the Enforcement Bureau. “Signal jammers present a direct danger to public safety, potentially blocking the communications of first responders. Operating a jammer is also illegal, and consumers who do so face significant civil and criminal penalties.”

New FFIEC Cyber Exams: What to Expect

"It looks like additional emphasis will be placed on how the bank is monitoring and sharing information about current cyberthreats, and third-party access to internal network resources," likely a reaction to the Target Corp. breach, McHugh says.

Joram Borenstein, a cyber-fraud expert and vice president at NICE Actimize, which provides compliance services to banks and credit unions, says institutions just need to appreciate that the cyber landscape has changed.

"Banks are sharing information and trends informally, and have been doing so for years. What is different now is that the sharing communities have become larger, and the government is also supporting this sharing in a much more robust manner than ever before," he says. "Institutions should assume cybersecurity will become an increasingly regulated area to be handled in the same way other areas of compliance are handled."

Read more here.

Wednesday, July 2, 2014

The NSA Revelations Chart

This is a plot of the NSA programs revealed in the past year according to whether they are bulk or targeted, and whether the targets of surveillance are foreign or domestic. Most of the programs fall squarely into the agency’s stated mission of foreign surveillance, but some – particularly those that are both domestic and broad-sweeping – are more controversial.
Just as with the New York Magazine approval matrix that served as our inspiration, the placement of each program is based on judgments and is approximate.

For more details, read our FAQ or listen to our podcast. Also, take our quiz to test your NSA knowledge.

View the chart here.

Saturday, June 28, 2014

FFIEC Cybersecurity Assessments Begin

500 Community Institutions to Be Examined in Pilot

The Federal Financial Institutions Examination Council has started its cybersecurity assessment pilot program, which will examine more than 500 community banking institutions. Plus, the council has launched a Web page dedicated to cybersecurity information.

The pilot program is slated to run through July, says Stephanie Collins, spokesperson for the Office of the Comptroller of the Currency.

The aim of the pilot program is to help smaller banking institutions address potential security gaps. The assessments will be conducted by state and federal regulators during regularly scheduled examinations, the FFIEC says.

"Information from the pilot effort will assist regulators in assessing how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks," the council says.

Areas the regulators will be focusing on during the cyber-assessments include risk management and oversight; threat intelligence and collaboration; cybersecurity controls; service provider and vendor risk management; and cyber-incident management and resilience.

"Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance and examiner training," the FFIEC says.

Read more here.

Thursday, June 26, 2014

Healthcare Cyber Security – TSCM & Risk Management

By J. D. LeaSure, President/CEO ComSec LLC

Healthcare related cybercrime continues its very remarkable upward trend. Electronic Health Records (EHRs), online healthcare portals, the street value of stolen Protected Health Information (PHI / e-PHI) / Individually Identifiable Health Information (IIHI) and limited cyber security programs have all contributed to this steady increase. And, as healthcare related cybercrime rises, regulators continue to develop or modify laws and regulations aimed at protecting the information, and ultimately the consumer.

Healthcare companies tasked with protection of personal and/or protected health information must implement a thorough and effective risk analysis and risk management program to comply with the legal and regulatory requirements. If your cyber security risk program focuses too strongly on IT security, the program needs to be reevaluated. Electronic eavesdropping devices are inexpensive, easy to use, and can capture a great amount of data in an inconspicuous manner. Data breaches are costly, create criminal and civil liability and can irreparably damage your company’s reputation and future earnings potential. Omitting Cyber TSCM and TSCM from your risk management process could be a very costly mistake.

Friday, June 20, 2014

TSCM & Cyber TSCM – A Vital Part of Your Financial Institution’s Cyber Security Program

By J. D. LeaSure, President/CEO ComSec LLC

The cybersecurity programs of American businesses need to improve! Ask consumers and they’ll agree. With major data leaks by large retailers and financial institutions, most consumers have been impacted, either directly or indirectly. Regulators have noticed the frequency and severity of the breaches too, particularly their ultimate impact on our national security.

How can financial institutions improve their cybersecurity programs? Arm yourself with the knowledge you need to protect your organization, and implement an effective cybersecurity program. Helpful information follows:

Wednesday, June 18, 2014

Hackers reverse-engineer NSA's leaked bugging devices

Using documents leaked by Edward Snowden, hackers have built bugs that can be attached to computers to steal information in a host of intrusive ways
RADIO hackers have reverse-engineered some of the wireless spying gadgets used by the US National Security Agency. Using documents leaked by Edward Snowden, researchers have built simple but effective tools that can be attached to parts of a computer to gather private information in a host of intrusive ways.
The NSA's Advanced Network Technology catalogue was part of the avalanche of classified documents leaked by Snowden, a former agency contractor. The catalogue lists and pictures devices that agents can use to spy on a target's computer or phone. The technologies include fake base stations for hijacking and monitoring cellphone calls and radio-equipped USB sticks that transmit a computer's contents.
But the catalogue also lists a number of mysterious computer-implantable devices called "retro reflectors" that boast a number of different surreptitious skills, including listening in on ambient sounds and harvesting keystrokes and on-screen images.
Because no one outside the NSA and its partners knows how retro reflectors operate, security engineers cannot defend against their use. Now a group of security researchers led by Michael Ossmann of Great Scott Gadgets in Evergreen, Colorado, have not only figured out how these devices work, but also recreated them.

Friday, June 13, 2014

Access Health data breach

June 10--State Republicans are raising questions about the security of Connecticut's health care exchange, Access Health CT, after an employee of the exchange's call center left a backpack filled with customer data at a Hartford deli.
But representatives of Access Health and the company that manages the call center said the worker, who has been placed on administrative leave, made an honest mistake and there's no reason to believe the information was misused.
"The individual is deeply sorry and has been cooperating with investigators," said Ilene Baylinson, president of health services of the eastern region of Maximus, the Virginia-based company that runs the Access Health call center.
Vital information
The problem came to light Friday afternoon, when Access Health officials announced that someone had discovered a backpack on Trumbull Street in Hartford containing four note pads with personal information for more than 400 Access Health customers. That information included names, birth dates and 151 social security numbers.
Customers affected by the breach will be notified through certified mail. Both Access Health and Maximus representatives said free fraud prevention services would be offered to affected individuals.
Access Health Chief Marketing Officer Jason Madrak said exchange officials learned about the backpack from staffers of state Rep. Jay Case, R-63. A constituent of Case called his office Friday, saying he had found the backpack at New York Deli on Trumbull Street.

Bugging your own office NSA-style

In the past year many have grown increasingly incensed at news regarding pervasive surveillance.
Then again, many have yawned.
For those who remain unconvinced that National Security Agency (NSA)-style blanket surveillance might uncover anything that could come back to haunt them, Project Eavesdrop will hopefully be an eye-opener.
That's the code name for a project designed by the US's National Public Radio (NPR) news agency to find out just what, exactly, the NSA could see about a person if it cared to look.
The answer: a lot.
To get to that answer, Steve Henn, a reporter for NPR, had his office bugged.
NPR worked with Sean Gallagher, a reporter at Ars Technica, and Dave Porcello, a computer security expert at Pwnie Express, to have the internet traffic coming into and out of his home office in California tapped.
They set up the tap so as to mimic the broad, passive surveillance of internet traffic that's done by NSA systems, and they let it run for a week.

Tuesday, June 10, 2014

Cybercrime and espionage costs $445 billion annually

A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — or almost 1 percent of global income.
The estimate by the Center for Strategic and International Studies is lower than the eye-popping $1 trillion figure cited by President Obama, but it nonetheless puts cybercrime in the ranks of drug trafficking in terms of worldwide economic harm.
“This is a global problem and we aren’t doing enough to manage risk,” said James A. Lewis, CSIS senior fellow and co-author of the report, released Monday.
The report, funded by the security firm McAfee, which is part of Intel Security, represents one of the first efforts to analyze the costs, drawing on a variety of data.
“Cybercrime costs are big, and they’re growing,” said Stewart A. Baker, a former Department of Homeland Security policy official and a co-author of the report. “The more that governments understand what those costs are, the more likely they are to bring their laws and policies into line with preventing those sorts of losses.”
According to the report, the most advanced economies suffered the greatest losses. The United States, Germany and China together accounted for about $200 billion of the total in 2013. Much of that was due to theft of intellectual property by foreign governments.
Though the report does not break out a figure for that, or name countries behind such theft, the U.S. government has publicly named China as the major perpetrator of cyber economic espionage against the United States.

Thursday, May 29, 2014

Former Bard, BD engineer pleads guilty to stealing trade secrets

Ketankumar Maniar pleaded guilty to stealing trade secrets from two former employers, C.R. Bard and Becton, Dickinson and Co. (BD), in federal court in Trenton, NJ, according to a May 28 statement from the Department of Justice. He was charged with two counts of theft and attempted theft of trade secrets for his own economic benefit.

The 37-year-old stole information about the development of the first implantable port used for power injection of pharmaceuticals from Bard, where he worked as an engineer from 2004 to 2011 in the company's Salt Lake City office. Between 2012 and 2013 he stole information about a self-administered disposable pen injector from BD's Franklin Lakes, NJ, headquarters, the statement says.

Maniar stored the information on external hard drives and also sent information from his work email to his personal email account. He admitted to stealing and keeping the information about the products following his resignation from both companies.

Read more here.

Consumers are worried about internet privacy but few do anything to protect themselves

Here’s a wild set of facts:
58% of respondents to an Associated Press poll said they were worried about government spying by the National Security Agency.
41% of consumers don’t know that smart devices collect information about their personal activities.
The truth is, it’s more likely that your new refrigerator is spying on you than the NSA.
Two companies published internet privacy surveys this week, TRUSTe Privacy Index and one by Consumer Reports, and between them an interesting picture emerged.
Though more than 80% of people said they were concerned about privacy on the internet and from smart devices, 62% haven’t done anything about it.
The reason? Most say they simply don’t know how to protect themselves. That’s true. . .up to a point. How about this scenario. I can promise that your personal information will be kept 100% private – all you have to do is stop using a mobile phone.
Yeah, like that’s going to happen.

Friday, May 23, 2014

How much economic espionage is too much?

WASHINGTON — “If we spy for military security, why shouldn’t we spy for economic security?”

Those were the words not of an aggressive Chinese spy but none other than Stansfield Turner, the Carter-era CIA director, who in 1992 argued that the United States should more aggressively carry out intelligence operations aimed at securing America’s leading economic position in the world.
If it weren’t for matters of patriotism, the former CIA director probably wouldn’t raise an eyebrow at allegations of Chinese spying unveiled by a Pennsylvania grand jury and the Department of Justice this week.
Indeed, the tactics the Obama administration has accused China of using have also been debated at the highest levels of the U.S. government as possible instruments of American power.
Other countries haven’t been so gun shy and have carried out operations strikingly similar to those a Pennsylvania grand jury has accused Chinese spies of carrying out.
In the 1970s and 1980s, French agents planted moles inside IBM and Texas Instruments and forwarded the material they collected to a French computer company. Microphones planted in the seats of Air France to pick up talk among traveling businessmen have become a piece of intelligence lore.

Wednesday, May 21, 2014

Sheikh Raed Salah's office bugged by Israeli telecommunications company

The Islamic Movement confirmed that a wiretapping device was concealed inside a telecommunication box installed by a Bezeq (Israeli telecommunications company) employee in the office of Sheikh Ra'ed Salah, chairperson of the Islamic Movement in Israel.
The Islamic Movement reported that a Bezeq employee arrived at the Movement's offices in Umm al-Fahim on March 13th, following an unexpected fault in the telephone lines, which required Bezeq to send a technician to investigate.
The technician arrived and after having checked the lines, replaced the telephone wires box and reactivated the line.
Yet the unexpected line fault aroused suspicion and the new box was checked and a sophisticated micro microphone was discovered inside the plastic covering of the new box, almost undetectable, and was only found after the inside layer of the plastic case was broken open.

Friday, May 16, 2014

Spy Chief Sued Over Adviser’s Ties to Chinese Spies

The Office of the Director of National Intelligence (ODNI) has been sued by an advocacy group seeking the release of internal documents of a top intelligence adviser who was also working with a controversial Chinese technology company that has been identified as a potential espionage threat.

The advocacy group Judicial Watch announced on Thursday that it had filed a lawsuit seeking the release of records pertaining to senior DNI adviser Theodore Moran, who was serving as an intelligence adviser while also working as a paid consultant to China’s Huawei Technologies, which has been identified by the House Intelligence Committee “as a potential espionage threat.”

Judicial Watch filed its lawsuit over a Freedom of Information Act (FOIA) request seeking Moran’s internal records.

The group is seeking to determine if and how Moran’s work for DNI conflicted with his paid work for Huawei, which has come under scrutiny for producing phone equipment that congressional investigators believe enabled Chinese spying.

Friday, May 9, 2014

New Anti-Spying Protection for Smartphones Available

Ziklag pioneers technology to protect companies from compromising voice, data hacks
Arlington, VA -- (SBWIRE) -- 05/09/2014 -- Ziklag Systems, the leading developer of next-generation security products for enterprise applications, announced today the launch of Office Anti-Spy™, a new anti-spying App for Android Smartphones. Designed for use by corporations and executives, Office Anti-Spy™ makes it impossible for a hacker, intruder or spy to listen to or record private conversations and meetings.

“People don’t generally realize just how much risk they take when they walk around with Smartphones in their pocket, bag or briefcase” says Dr. Stephen Bryen, former head of the Defense Technology Security Administration. “In some government operations they make you lock them up. But in regular business environments, the vulnerability is there and the potential for being spied on is very great.”

Office Anti-Spy™ also solves the “Bring-Your-Own-Device” (BYOD) problem for companies struggling to secure corporate data on personal devices. Instead of restricting what users can do on their devices, Office Anti-Spy™ allows organizations to retain control of corporate data without touching employees’ personal apps and data.

How It Works...

Read more here.

Wednesday, May 7, 2014

5 Things Every Company's Data Security Program Should Include

What's the one thing every company's data security program must include? That's the question we put recently to experts in the field, knowing that, especially after Heartbleed, the diversity of responses would create an invaluable checklist for all risk managers and corporate leaders charged with the protection of company (and client) data. Here's what we heard back:

1. Ongoing Assessment of Priorities
Effective data security is not a one-size-fits-all concept, and it needs to be nimble so that it can quickly adapt based on your company’s needs, changing technologies, and emerging threats…
From Pat Fowler, partner at Snell & Wilmer: “An effective data security program must include, and arise from, a continuing assessment of the company’s data security needs. The federal government’s new cybersecurity framework would be a reasonable starting point for this assessment. Effective data security is not a one-size-fits-all concept, and it needs to be nimble so that it can quickly adapt to changing technologies and emerging threats. The company needs to establish its priorities for data security – the relative value of the various kinds of data that it collects, maintains or transmits, the risk and liability if such data is lost or breached – and the assets/resources (financial, technological, human) that it can reasonably commit to meet those priorities. A company’s risk tolerance and various external factors (evolving threats, client/customer requirements, applicable regulatory schemes, industry standards, etc.) also must be included in this continuing assessment in order to have an effective data security program, both today and in the future.”

Cyber Counterespionage

Cloaked in the disguise of a corporate insider, the spy penetrates the outer perimeter, slips past the lurking guardians, cracks the interior vault, loots the corporate secrets—and then turns off the computer and gets another coffee after the high-technology heist. In today’s age of rampant cyber espionage, bet-the-company secrets and billion-dollar technology may be stolen in seconds or exfiltrated for months before detection. And this threat is here and now—and huge...

Download this excellent pdf on Cyber Espionage from the folks at Crowell & Moring

"Pillaging the Digital Treasure Troves" The Technology, Economics, and Law of Cyber espionage

Tuesday, May 6, 2014

CEO steps down after customer data breach

Note: As you can see from the below, there are consequences to dated or no risk management strategy. Are you in charge of your company's IT or IP? Time to re-think your company's information risk management strategy? Contact me, I can help. ~JDL
Target's CEO has become the first boss of a major corporation to lose his job over a breach of customer data, showing how responsibility for computer security now reaches right to the top.
Gregg Steinhafel, who was also president and chairman, resigned nearly five months after Target disclosed a huge pre-Christmas breach in which hackers stole millions of customers' credit- and debit-card records. The theft badly damaged the chain's reputation and profits.
Steinhafel, a 35-year veteran of the company and chief executive since 2008, also resigned from the Board of Directors, Target announced Monday.
The departure of Steinhafel, 59, suggests the company wants a clean slate as it wrestles with the fallout. Two months ago, Target's chief information officer lost her job.
Steinhafel's resignation leaves a leadership hole at a time when the 1,800-store chain is facing many other challenges.