Cyber Round Up: FCC Plans to Roll Back Net Neutrality; Cyber Bug in Intel Chips; Uber Hid Major Breach;

  • FCC Plan to Roll Back Net Neutrality Rules Sets Up Win for Cable, Wireless Firms (WSJ): Federal Communications Commission Chairman Ajit Pai outlined the agency’s plans to undo Obama-era open internet regulations on Tuesday. According to one article, major internet service providers will be able to cut deals with websites and media firms to offer higher-speed services while potentially slowing other websites. The old rules required providers to treat all web traffic equally, the article says. The full article, which provides a lengthy analysis from both proponents and critics of the change, can be read here.

  • Uber hid hack that exposed data of 57M customers (Fox Business): Uber joins the ranks of the many major companies that failed to report a major data breach, new reports say. The breach occurred in late 2016, and Uber was able to keep the news quiet after paying the two hackers $100,000 not to reveal that they had stolen the information, one article says. The report also says that the payment resulted in the stolen data being deleted, and the company says customers should not worry about their personal information. The full article can be read here, but if there was no harm from the theft, then why did they keep it under wraps for a year?
  • U.S. government warns businesses about cyber bug in Intel chips (Reuters): The Department of Homeland Security advised businesses to take action regarding a recently discovered vulnerability in some Intel software, a recent article said. The government issued the guidance for remote management software known as “Management Engine,” which can be found in devices made by Dell, Lenovo, HP and other manufacturers. The article explained that it was unclear how the vulnerability could potentially be exploited, but the concern stemmed from how widely the affected chips are used. The full piece can be found here.


Cyber Round Up: Pentagon program finds 2,800 vulnerabilities; New SEC Data Breach Regs; Cyber Crime Update

  • Pentagon’s hacker disclosure program defangs 2,800 security flaws (The Hill): Last year, the Pentagon ran a bug bounty program called ‘Hack the Pentagon.’ Since then, it has opened up a vulnerability disclosure program that, although lacking incentives, has still proven to be very useful, according to a recent article. The article says that nearly 650 hackers from 50 different countries have reported flaws in the Pentagon’s cyber security, over 100 of which were deemed “critical” or “severe.” The program is run by a firm called HackerOne. The full report can be found here.

  • SEC Says Companies Can Expect New Guidelines on Reporting Cybersecurity Breaches (WSJ): The SEC will likely issue new guidelines on what to do after cyber incidents, a recent Wall Street Journal article suggests. According to the article, the agency last issued guidelines about six years ago but feels the need to revamp its policies after major breaches such as those at Equifax and at the SEC itself. The article highlights two major issues that need to be considered: what level of intrusion requires public notification, and companies’ internal monitoring of potential insider trading after cyber incidents. Read the full article here.

  • Cybercrime Roundup: Ex-Employees and a Serial Sextortionist (Lawfare): A post on Lawfare last week did a roundup similar to this one, focused on recent developments in cyber crime. The blog highlighted three different criminal cases involving cyber, including one where an IT provider held a website hostage, one where a former government contractor inserted malicious code into an Army program, and one involving a serial sextortionist. The full recap of those cases can be read here.


Cyber Round Up: Apple v. FBI 2.0; ‘Instant Replay’ for Cyber Attacks; Former Yahoo CEO blames Russia

  • Texas gunman’s iPhone could reignite FBI-Apple feud over encryption (Washington Post): The recent tragedy in Texas may bring the Apple and FBI feud back into the spotlight, a recent article says. The two have not publicly clashed since their 2016 battle following the San Bernardino shooting, the article says, but the FBI has yet to be able to access the Texas shooter’s phone. The article reports that the FBI has not asked Apple to unlock the device yet and is looking for other ways to access the information, such as cloud storage or a linked laptop. The article also suggests that if the phone had “Touch ID” activated, the FBI could have used the dead man’s finger to unlock the phone during the first 48 hours. The full report can be read here.
  • “Instant Replay” for Computer Systems Shows Cyber Attack Details (GA Tech IISP): Figuring out what happened after a cyber attack may be getting much easier, according to a recent article. Researchers at Georgia Tech have developed a software program that provides an automated process for determining how intruders gained access to a system, what data was taken, and which systems were affected, the article says. The program, called Refinable Attack INvestigation (RAIN), continuously monitors systems and records ‘interesting’ events, the article says. The full description and details of RAIN can be read here.
  • Former Yahoo CEO apologizes for data breaches, blames Russians (Reuters): When in doubt, blame Russia. At least that’s what former Yahoo CEO Marissa Mayer is doing, a recent Reuters report says. Mayer apologized for two major data breaches that occurred under her watch, according to the article. The article notes that although federal prosecutors did charge Russian agents in connection with one of the breaches, others are still asking why it took three years to identify the breach and its scope. The full article can be read here.


ABA Cybersecurity Handbook

As Paul Rosenzweig explained in a recent post on Lawfare, the ABA released the second edition of “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals.” Rosenzweig explains that the book is intended to provide guidance to lawyers on a wide variety of cyber-related issues. The Table of Contents is included in this post to provide more context for what the book covers.

The book is available through the ABA here for a price of $89.95, or $71.95 for members. That page also includes the book’s Table of Contents, Introduction, and About the Editors.


Cyber Round Up: Senator Calls for Cyberwar Strategy; DoD Cyber Teams ‘Fully Capable’; Germany Attempts to Reduce Hate Crimes and Fake News

  • Mark Warner: It’s time for the US to create a cyber strategy to fight back against Russia, China (Washington Examiner): Senator Mark Warner says it’s time we come up with a ‘cyber doctrine.’ According to a recent article, Warner wants the U.S. to develop a strategy for how it operates in cyberspace, both offensively and defensively. Warner specifically referenced cyber attacks from China and Russia. He also noted that the strategy should be careful about relying on private companies to do too much, the article said. Warner’s comments can be read here.
  • DoD declares Army, Navy cyber teams fully capable (Federal News Radio): According to one article, the Department of Defense announced that both the Army and Navy cyber teams are fully operational a year ahead of schedule. The report says that CYBERCOM certified the Army’s 41 teams in late September and that the Navy’s 40 teams received their certification in early October. The article noted that while being ahead of schedule shows the priority that leaders have placed on cyber, it does not mean that either branch of the military has met all its objectives. The full report can be read here.

  • Germany’s Bold Gambit to Prevent Online Hate Crimes and Fake News Takes Effect (Lawfare): Last week, a post on Lawfare evaluated a recently enacted law in Germany known as the Network Enforcement Law, or the NetzDG. The post explains that the law takes full effect on January 1 and that lawmakers are struggling to work out the details. According to the post, fines as large as €50 million can be imposed on social networks that don’t remove offensive material within 24 hours. The post explains who the new regulation applies to, what content must be taken down, the criticisms of the law, and what might happen next. It can be read here.


Raytheon Report – Securing Our Future: Cybersecurity and the Millennial Workforce

Raytheon recently conducted its fifth annual study to evaluate the future of the cyber workforce. This involved reaching out to 3,000 young adults of the millennial generation across nine different countries to obtain their views on cyber security. The full report is included in this post and can be found here. The main observations as listed in the report were:

  • Millennials believe cybersecurity is important; however, they generally practice cyber behavior that could put their employer at risk.
  • There is an increased level of awareness about cybersecurity career options, but that hasn’t translated to a higher interest in the field.
  • Various types of role models are key to inspiring young people to choose cybersecurity careers.
  • Women continue to say they run into more hardships and have fewer opportunities than their male counterparts.
  • Improvements in education have raised cybersecurity awareness.
  • Millennials believe, often incorrectly, that they are unqualified for cyber careers.
  • Young adults want to feel personally connected to the goals of their employers.
  • Millennials in the U.S. blame cyberattacks for their loss of trust in the electoral system.


Small Business and CyberSecurity

Senator Jim Risch (R-Idaho) wrote in The Hill that small businesses are particularly vulnerable to cyber crime and are arguably among the entities least able to combat it. The article indicates that this is the impetus behind the Small Business Cyber Training Act, which would allow existing small business development centers to teach entrepreneurs about cyber hygiene and ways to keep their businesses safe. This is supplemented by legislation that would have the National Institute of Standards and Technology (NIST) create a framework targeted specifically at small businesses, according to Risch’s article. The article concludes by saying that, given the proper education, small businesses can outsmart hackers and survive cyber attacks.


Opinion:

It certainly is admirable that Risch is attempting to help small businesses combat and counter cyber crime, given the fact that many breaches arise from poor employee practices and a general lack of training on cyber hygiene. But that is just one part of the puzzle, and it will only get you so far. I would argue that entrepreneurs trying to get a new business running are possibly the least likely to engage in cyber training and education, and I would further argue that their resources might be better directed elsewhere. Just as an entrepreneur will turn to an attorney to handle the entity creation aspects, and will utilize an accountant to manage the myriad intricacies of regulatory and taxing authority issues, so too should they look to cyber professionals to assess, plan, and execute their cyber protection. This is a specialty, and while an entrepreneur could get by doing their own in-house IT perhaps 5-10 years ago, in the age of cyber crime, information security cannot be overlooked.

Again, training is great, and just as an entrepreneur should have a basic, rudimentary understanding of business organizations, accounting principles, insurance and liability, cyber should also not be overlooked. However, crafting legislation to create a new framework for small businesses and enabling training for small businesses is perhaps akin to offering a course in small business creation and then advising people to draft their own LLC agreements or their own articles of incorporation. There is a reason the cyber workforce is nearing a shortfall of 1.5M people. It is not because you can train someone in the span of a few weeks, or months, to gain the skills they need to “outsmart hackers, and survive cyber attacks.”

My solution: work with NIST and the SBA to vet cyber professionals and managed security providers so that small businesses can choose from a pool of cyber resources that are proven and trusted. Allocate funding to the SBA to enable security providers to provide low-cost information security and training to small and mid-sized businesses. Allow these same resources to be used for larger companies as well — just modify the percent allocation that the entity has to contribute. Leverage the cyber resources that exist and help augment them by encouraging providers to work with small and mid-sized businesses to enhance the overall cyber hygiene landscape across the U.S. business scene.

Also, involve cyber insurance companies and provide similar incentives so that small and mid-sized businesses can take advantage of reduced rates and lower startup and operating costs once they sign up with an information security group.


Cyber Round Up: Darknet and Quantum as Grid Security; Censorship in Egypt; Banks prepare for N. Korea;

  • ‘Darknet’ and quantum communications could enhance grid cybersecurity, scientists tell Senate (Utility Dive): Scientists often have a different view of cyber security than lawyers and policymakers, as evidenced in a recent Senate hearing on grid security. Scientists told the Senate that one possible solution is to build a second, private and more secure internet for the grids to run on, the article said. If you were also able to add in quantum communications, according to the report, the security would be even stronger. Unfortunately, the article notes that the U.S. is way behind when it comes to quantum computing. The full article can be read here.
  • The Slippery Slope of Internet Censorship in Egypt (Net Monitor): A recent post highlighted the slippery slope effect of internet filtering by using Egypt as an example. The article explains that what started as the government blocking a few sites has expanded greatly over the last five months. It also provides statistics and an explanation of how the Egyptian people have responded to the censorship, including a huge spike in social media activity. The full piece can be read here.
  • Banks fearing North Korea hacking prepare defenses (Reuters): Hackers from North Korea have stolen hundreds of millions of dollars from financial institutions in recent years and don’t plan to slow down, according to a Reuters report. In fact, the article says that banks across the world are expecting North Korea’s attacks to become more destructive, much like the recent ones in South Korea. The article explains that there isn’t a whole lot of separation between what it takes to steal and what is required to cause destruction. While banks have begun to conduct ‘war game’ exercises, they aren’t the only ones concerned about escalation in cyber space. The full article can be read here.


Cyber Round Up: Google vulnerabilities exposed; AI helping fill cyber shortage; U.S. can learn from Europe on Russian Info War

  • A flaw in Google’s bug database exposed private security vulnerability reports (ZD Net): A report yesterday explained how Google’s own internal bug tracker exposed its most serious vulnerabilities. The article described how a researcher spoofed his way into gaining access as a Google employee and was able to view all of its bug reports, which the researcher called “the holy grail.” The researcher, as he was so kindly described by the article, reported the vulnerabilities to Google and received over $15,000 in bounties. The full article can be read here.
  • For Cybersecurity, AI Helps Alleviate Shortage of Human Experts (WSJ): This article, like many others, begins by noting the shortage of a cyber security workforce while demand for one continues to rise. Meanwhile, the article explains, cyber criminals utilize thousands of computers to conduct their activity. The article discusses how companies are utilizing AI to help defend themselves, citing PWC and Booz Allen Hamilton as a few prominent examples. The article concludes by reiterating that AI alone is not an adequate solution and human talent is still needed. The full piece can be read here.

  • What Europe gets about cyber threats that the US hasn’t — yet (CNN): With indictments coming yesterday against members of President Trump’s campaign and Facebook revealing more about Russian influence on its platform, an article on CNN says we need to look to Europe for guidance. The article explains that Europe has been a victim of Russian information warfare and election meddling for several years, and that previous administrations have ignored or minimized Russia’s potential capabilities. Europe, according to the article, has taken substantive steps to counter Russia’s activity, citing different methods used in Latvia, Sweden, and the EU. The full article can be read here.


Cyber Round Up: Bad Rabbit Spreads Worldwide; Predictability and NoKo in Cyber; How Kaspersky Can Regain Trust

  • New Ransomware Outbreak Spreads Through U.S., Russia and Ukraine (WSJ): The most recent wave of ransomware has had widespread effect, freezing computers all over the world, according to a Wall Street Journal article. The software, which is called Bad Rabbit, started with computers of visitors to Russian-language websites but ultimately made it to the U.S., the article said. The ransom was 0.05 bitcoin, which the report says is equivalent to $275. The full implications of the attack and the rest of the report can be read here.

  • The immediate threat from North Korea is in cyber space (Financial Times): Predictability matters when it comes to state activity in cyber space, a recent article says. A piece in the Financial Times explains that all of Russia’s and Iran’s cyber attacks and interference are expected. The problem, however, is that collateral damage in cyber is much more widespread than it is in physical space, the article suggests. The article then goes through a history of North Korea’s cyber operations and suggests that those activities are evidence of its rationality. The full story can be read here.
  • How Kaspersky Can Regain Trust (Lawfare): A report yesterday from Reuters gives Kaspersky’s explanation of how it came to possess code that turned out to be a hacking tool, taken from an NSA employee’s private computer. It claimed that the code was destroyed and that no third parties, including the Russian government, ever saw the code. Earlier this week, a post on Lawfare explained how Kaspersky could regain trust in the U.S. The post explains how antivirus software works and why that matters in this instance. The author suggests filtering every communication between customer computers and Kaspersky computers through an independent monitoring network. Read the full post here.


Authors

Professor William Snyder

Professor William C. Snyder is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan is currently a third-year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as a clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review and the Journal on Terrorism and Security Analysis, and participates in the Veterans’ Legal Clinic.

Shelby E. Mann

Shelby is a second-year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review and the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project.

Christopher W. Folk

Christopher W. Folk is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high-tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in software engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

Anna Maria Castillo is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor of the Syracuse Law Review.

Jennifer A. Camillo

Jennifer A. Camillo is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office, and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

Tara J. Pistorese holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog as a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

Benjamin Zaiser is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)