Social Engineering Official Says Russia Tried to Hack 21 States in 2016 ElectionGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-06-21T04:00:00Z, Mark Tarallo<p>​The Russian government tried to <a href="">hack election-related U.S. computer systems in 21 states during the 2016 election,</a> a U.S. Department of Homeland Security (DHS) official testified to a congressional panel Wednesday.</p><p>Samuel Liles, DHS's acting director of the Office of Intelligence and Analysis cyber division, said the hackers appeared to be scanning for vulnerabilities and successfully exploited some networks. He also maintained that vote counting mechanisms were not affected.</p><p>Liles was testifying before the Senate Intelligence Committee, which is investigating Russia's efforts to interfere in the 2016 presidential election.  Bloomberg, citing anonymous sources, reported earlier this month that Russian hackers were able to hack systems in 39 states. </p><p>Officials declined to say which 21 states were targeted.</p><p>Also at the hearing, FBI Assistant Director of Counterintelligence Bill Priestap testified that the Russian government also pushed false news reports and propaganda online. He said Russia has tried to influence U.S. elections for years, but its efforts in 2016 were at a higher scale and level of aggressiveness.</p>

Social Engineering Official Says Russia Tried to Hack 21 States in 2016 Election U.S. Hospitals Have Not Deployed DMARC To Protect Their Email Systems Review: Social Media Risk and Governance Top Five Hacks From Mr. Robot—And How You Can Prevent Them the CEO Review: Cybervetting to Protect PII and Secure Review: Social Crime Review: Online Riskón-del-Internet-de-las-Cosas.aspx2015-11-12T05:00:00ZLa Revolución del Internet de las Cosas IOT Revolution a Man to Phish in Crisis and the Security Implications of the Internet of Things New Recruits Lone Terrorist Answers for Everyone Face in the Crowd

 You May Also Like... to Protect PII<p>​<span style="line-height:1.5em;">If you are an employee, a student, a patient, or a client, your personally identifiable information (PII) is out there—and prime for hacking. In October, the U.S. Government Accountability Office (GAO) added protecting the privacy of PII to its list of high-risk issues affecting organizations across the country. All organizations, from large federal agencies to universities, hospitals, and small businesses, store PII about their employees, clients, members, or contracto</span><span style="line-height:1.5em;">rs. And, as seen in recent large-scale cyberattacks, PII is a hot commodity for malicious attackers. </span></p><p>According to the U.S. Office of Management and Budget, PII is any information that can be used alone or with other sources to uniquely identify, contact, or locate an individual. However, the definition of PII can depend on the context in which the information is used, according to Angel Hueca, information systems security officer with IT consulting company VariQ. For example, a name by itself is innocuous, but that name combined with a personal e-mail address, a Social Security number, or an online screenname or alias could give bad actors all they need to wreak havoc on a person or company.</p><p>And it appears that no one is immune to the risk of compromised PII. According to research by the GAO, 87 percent of Americans can be uniquely identified using only three common types of information: gender, date of birth, and ZIP code. </p><p>If PII is leaked, the consequences for both affected individuals and organizations can be damaging, says Hueca. Companies may face large fines or legal action if the PII they hold is breached, especially if the organization didn’t comply with outlined customer agreements or federal regulations, or if the breach violates the Health Insurance Portability and Accountability Act. A breach can also be reputation-damaging and cost the company employees and clients, Hueca notes. </p><p>Hueca stresses the importance of educating all employees, regardless of whether they have access to the company’s PII, about cybersecurity awareness and online behavior. Even using a personal e-mail at work or posting an image of their workspace on their social media account could lead to the leak of PII—there may be confidential information inadvertently documented in the photo, Hueca points out.</p><p>A more common occurrence is someone with access to an organization’s PII database inadvertently forwarding an e-mail with sensitive information, such as a client’s case number or an employee’s personal contact information. For example, in 2014, a Goldman Sachs contractor accidentally sent an e-mail with confidential brokerage account information to a Google e-mail address instead of to the contractor’s personal e-mail. Goldman Sachs went to the New York State Supreme Court to ask Google to block the recipient from accessing the e-mail to prevent a “needless and massive” data breach. The court didn’t rule on the case, because Google voluntarily blocked access to the e-mail.</p><p>Hueca says that segregating duties and tightly controlling who has access to certain information can help with this issue. Often, HR or administrative employees may need access to some PII, but not all of it—isolating potentially sensitive information can prevent harmful leaks. </p><p>How an organization’s network is set up can help prevent the accidental or malicious transfer of PII. Hueca suggests keeping sensitive information segregated from the rest of the network environment—if there is a breach, hackers will have to break through a second firewall to access the information. Organizations should also take advantage of standard content tracking software to spot suspicious activity.</p><p>“Fortunately, many organizations have something called content filtering, which are tools that are able to filter information as it comes in and out of the organization,” Hueca explains. “If there’s something that looks like a Social Security number, with nine digits, being sent out, the tool will alert an administrator that this activity is happening, which could be accidental or malicious.” </p><p>The U.S. Department of Homeland Security’s (DHS) handbook for safeguarding PII says only secure, organization-issued electronic devices should be used to view sensitive information. If an employee must access PII on a portable device, such as a laptop, USB, or external hard drive, the data should be encrypted. And if PII must be e-mailed within the office, DHS strongly recommends password-protecting the data within the e-mail. </p><p>Lastly, Hueca recommends that all companies have an incident response plan in place specifically for the malicious theft of PII. </p><p>“This is something that most organizations don’t think about, having an incident response plan specifically for a PII breach,” Hueca says. “What happens if you do get breached? What are the steps? Talk about what-ifs. Once you have a notification in place, you get alerted, what do you do? Try to segregate it from other sensitive data and figure out what happened.” </p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 New Recruits<p>​<span style="line-height:1.5em;">“Leave our children alone!” That’s the message a Bolingbrook, Illinois, mother wants Islamic State (ISIS) leaders and recruiters to hear. In January, Zarine Khan’s oldest son, 19-year-old Mohammed Khan, tried to travel with his 17-year-old sister and 16-year-old brother to Istanbul to join ISIS. The three were stopped at Chicago O’Hare International Airport, and Mohammed Khan, an American citizen, is now being charged with attempting to provide material support to ISIS militants.</span></p><p>Zarine Khan told news outlets she believes her children were recruited over social media and secretly saved money to purchase passports and airline tickets. “We condemn this violence in the strongest possible terms,” she said after her son’s courthouse appearance. “We condemn the brutal tactics of ISIS and groups like it. And we condemn the brainwashing and the recruiting of children through the use of social media and Internet.”</p><p>If Mohammed Khan is found guilty of providing material support to a terrorist organization—a provision of the U.S. Patriot Act—he will face up to 15 years in prison. </p><p>Unfortunately, this is not an isolated incident. A new report by the International Centre for the Study of Radicalization and Political Violence (ICSR) found that some 20,000 foreign fighters from 50 countries have traveled to Iraq and Syria to join terrorist organizations since 2012, and more than 4,000 of those are from Western nations.</p><p>Disturbing reports seem to surface every month of Westerners—many of whom are teenagers or young adults—attempting to travel to join ISIS as fighters or brides, often after being recruited over the Internet. </p><p>Another increasingly prevalent issue is the return of radicalized Westerners to their home countries. Governments are struggling to address the issue in the absence of proof that the returning citizen actually committed a crime.</p><p>“The propaganda of the Islamic State, the ability to communicate in message, is better than any I have seen to date since we had the development of Al Qaeda in the early ’90s,” says Charlie Allen, who has served with the CIA and the U.S. Department of Homeland Security (DHS). “It is a very interesting thing—we’re going to have people self-radicalized, and it’s hard to stop traffic and travel to and from Europe.”</p><p>The exodus of American and European citizens to the Middle East—mainly Syria or Iraq—began in 2012 during the height of the Syrian civil war after ISIS urged Muslims to fulfill their religious duty to wage a holy war against the enemies of Islam. Although some foreigners took up arms with other terrorist organizations, such as Al Qaeda and Jabhat al-Nusra, most are flocking to aid ISIS, which is considered to be the dominant force of Syrian opposition and currently controls about a third of Syria. </p><p>More than 100 Americans have traveled to the region to fight, but experts are more concerned about jihadists from European countries, where thousands of citizens—mainly from Belgium, France, Germany, and the United Kingdom—have crossed through Turkey’s porous border into Syria and Iraq.</p><p>Veryan Khan, editorial director for the Terrorism Research and Analysis Consortium (TRAC), a political violence database, says that in terms of modern global jihad movements, the current exodus is the third and the most popular call to jihad. ICSR, which has kept track of the global jihad to Iraq and Syria since 2012, notes that the current numbers surpass those of the Afghanistan conflict in the 1980s and the 2006 flight from Somalia, making the conflict in Syria and Iraq the largest mobilization of foreign fighters in Muslim-majority countries since 1945.</p><p>Veryan Khan says a large percentage of foreign fighters are young men and women—some not even out of their teens. The Bipartisan Policy Center’s 2014: Jihadist Terrorism and Other Unconventional Threats points out that many young adults who attempt to join ISIS “are far from threatening.” At least eight 18- to 20-year-old Americans have been apprehended attempting to join ISIS over the past two years, one of them admitting in court that “concerning my fighting skills, to be honest, I do not have any.” </p><p>Other cases are more serious. One high-profile Western jihadist is 22-year-old Maxime Hauchard, a Frenchman identified as one of the executioners in an ISIS video depicting the decapitated body of American aid worker Peter Kassig. Hauchard converted to Islam when he was 17 and was recruited online to ISIS, according to media outlets. </p><p>Veryan Khan explains that young jihadists may be looking to belong because they do not feel at home in Western culture. “There are many other reasons for radicalization: the need for redemption, the perceived obligation to one’s motherland, the guilt of living a good life in the West while others suffer, a personal retribution for the death of a family member or friend, the list goes on and on,” he explains.</p><p>Europe has taken a step to curb the relentless—and effective—online propaganda by ISIS. Last summer, nine European nations endorsed an initiative to work with Internet providers to take down the hundreds of ISIS recruitment websites and messages. But the biggest online draw may come from radicalized Westerners themselves.</p><p>Foreign fighters who have made the journey to Iraq or Syria have told their stories via Twitter, Facebook, and other blogging websites, encouraging their peers to join them. The posters speak of the friendships they have made with their brothers and sisters of the Islamic State, or the pride they feel in answering the call to jihad.</p><p>“Allahu Akbar, there’s no way to describe the feeling of sitting with the Akhawat [sisters] waiting on news of whose Husband has attained Shahadah [martyrdom],” tweeted one British woman who traveled to Syria and married a fighter. </p><p>The call to join ISIS in the Middle East is not the only trend that concerns experts. Many foreign fighters are returning to their home countries after fighting alongside ISIS in the Middle East, and Allen points out that having trained, radicalized fighters traveling back to their homes in the West is a potentially dangerous situation.</p><p>“We have the worst possible storms that are now erupting in the Middle East, and the foreign fighters, those from North America and Europe, are likely to return,” Allen explains. “Some have been martyred, including Americans, but some will continue their extremist ways and proselytize to get other Americans to join them.”</p><p>Individual governments are left trying to figure out what to do with returning fighters. Turkey, considered the main passageway from Europe to Syria and Iraq, announced at the end of January that it is beefing up security along its borders to stem the flow of potential jihadists to the battlefield. The country is also constantly updating a database of more than 10,000 individuals suspected of traveling through to aid ISIS.</p><p>The problem that Turkey and many other countries face is that they cannot indict individuals for aiding a terrorist organization without proof. Traveling to and from the region alone does not hold enough weight for law enforcement to intercept an individual.</p><p>Some countries have passed laws that make it easier to detain potential jihadists. In Austria, Belgium, Britain, France, and Germany, authorities hastily passed legislation allowing governments to detain individuals suspected of involvement in a terrorist organization abroad. </p><p>Other countries, such as Denmark, are taking a soft-handed approach in handling returning fighters by offering free counseling services, as well as assistance in finding jobs or enrolling in school.</p><p>U.S. lawmakers are worried that foreign fighters coming to America may be able to slip through the cracks—under the Visa Waiver Program, residents of 38 European countries can travel to the United States without a visa. Former Senate Intelligence Committee Chairwoman Dianne Feinstein has announced plans for legislation that would tighten the program.  </p><p>Allen says that most foreign fighters aren’t secretive about their involvement in Syria and can be easily tracked, so the threat of a jihadist slipping into the United States unseen is small.</p><p>“I believe we have good legislation, good tools, and a good understanding of who may be in Syria, and we’re very careful to ensure when they return that we know who they are and what they’re doing,” Allen explains. “The Customs and Border Patrol does an excellent job of sorting through these people as they return. It’s hard to charge them if you don’t know whether they’ve committed crimes, but I think the collaboration between DHS and the FBI is improving.”</p><p>TRAC’s Khan speculates on the bigger picture—why are these young fighters, coming back home? He says the list of grievances from foreign fighters is critical to combatting radicalization efforts. </p><p>“They get to their perceived holy war only to find out that they are just killing other Muslims, which is haram (forbidden),” Veryan Khan explains. “There’s this perceived hypocrisy within the movement, as well as the realization that they are not merely fighting against the Assad regime to create a heavenly Caliphate but more than likely fighting other opposition groups.”</p><p>There are a number of firsthand accounts explaining the grievances, Veryan Khan explains, but they’re not as prevalent as the propaganda-filled tweets and blogs convincing young people to join ISIS in the first place.</p><p>“Using those firsthand accounts to our advantage is the best tool to curb the momentum,” Veryan Khan says. </p><p><em>To read in Spanish, <a href="/Pages/Los-Nuevos-Reclutados.aspx">click here.​</a></em></p>GP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 IOT Revolution<p><em>​To read in Spanish, <a href="">click here​</a>.</em><br></p><p>​<span style="line-height:1.5em;">Brace yourselves: the explosion of the Internet of Things (IoT) is coming. Six years ago the number of devices connected to the Internet surpassed the number of people on the planet. And experts estimate that by the end of 2015 there will be 25 billion connected devices in the world, growing to 50 billion by 2020, according to the Federal Trade Commission (FTC).</span></p><p>“Everything is becoming sensorized—everything we carry, everything that we do is somehow connected or is going to be connected to the network, the global network, and to the cloud,” says Andrew Lee, CEO of ESET, an antivirus and security software company.</p><p>With this increase in interconnectivity also comes an increase in the amount of data collected and shared across the globe, he adds, with many not knowing what’s collected, who’s collecting it, who owns it, or where it’s stored. </p><p>“You stand and look in the mirror and think, ‘Oh my god, I’m all grey hair and all that stuff,’ but you can see everything that you are in the mirror,” Lee explains. “But when you look in the digital mirror, you don’t even know where all your limbs are.” </p><p>And when that digital data gets into the wrong hands or the devices collecting it are compromised, it can be problematic for everyone. The threats include unauthorized access and misuse of personal information, attacks on other systems, and risks to personal safety, the FTC summarized in a report, Internet of Things: Privacy & Security in a Connected World, released earlier this year.</p><p>One specific concern the FTC raised is the IoT being used to launch large-scale denial of service attacks. “Denial of service attacks are more effective the more devices the attacker has under his or her control; as IoT devices proliferate, vulnerabilities could enable these attackers to assemble large numbers of devices to use in such attacks,” the commission’s report said.</p><p>Sensors connected to the IoT—such as those used for building access control—are especially vulnerable because they are typically low-power and low-cost devices. This means there isn’t a lot that can be done to install software on them to improve their security, Lee says.</p><p>And personal devices, like Fitbits and smartphone social media apps, can be just as vulnerable to attack, often providing logistical information about their users if compromised. “If you can compromise [the GPS] and an employee’s working in a secret facility, you can now map out how that facility looks by the people that are tracked around it and where they congregate,” Lee explains. “So without ever going inside the building, you could build a picture of what it really looks like, and that’s the kind of unintended side effect of the Internet of Things.”</p><p>To prevent sensitive information from winding up in the wrong hands, the FTC has called for device manufacturers to limit the amount of data they collect and share with others—referred to as data minimization. “Companies should examine their data practices and business needs, and develop policies and practices that impose reasonable limits on the collection and retention of consumer data,” the FTC said in its report. This will not only protect consumer data, but it will also make companies less attractive to data thieves who might want to hack into their networks to steal that information, the commission explained.</p><p>Lee also says that users need to look at how devices such as sensors and GPS trackers work, map out how the information they collect travels throughout the network, and analyze what normal activity looks like. This will help users see whether a device has been compromised and allow them to respond to an attack quicker, he adds.</p><h4>Device Support</h4><p>More also needs to be done to encourage device manufacturers to make devices safer at inception and support them throughout their lifecycle, says Eric Kobrin, director of adversarial resilience for Akamai Technologies, a cloud service provider. “Where we need to get to in the long term is where manufacturers commit to support for the lifetime of the device—we need to have that upfront when you buy it,” Kobrin says. </p><p>Support for devices in the IoT is becoming increasingly important as they are getting older, especially in the United States. Globally, 53 percent of network-connected devices are either aging, meaning they are not the newest, most current version of the device, or obsolete, meaning that vendor support is no longer available. But in the United States, 64 percent of devices are now aging or obsolete, according to Dimension Data’s Network Barometer Report released earlier this year. </p><p>“The first thing we thought was there’s something wrong with our data because the U.S. number is way too high,” says Andre van Schalkwyk, group practice manager for consulting and networking for Dimension Data, an IT infrastructure services provider. “But then analyzing it a little more carefully, the area that actually does stick out like a sore thumb was specifically around public spaces—public infrastructure, education, and government. We actually saw these networks getting really, really old.”</p><p>Why is this increase in age happening, specifically in the United States? A lot of it is related to the U.S. government sector’s technology habits when it sends out bids for new products and services tied to a five- or seven-year contract. During that contract period, equipment and devices are not changed or replaced, unless there’s a fault on the device itself, van Schalkwyk explains. </p><p>“The majority of those contracts are generally on the seven-year side, and what we’ve actually seen is over the last two years, those contracts are being pushed from seven years into the 10-year period, which means that when you buy a device in 2010, it’ll only be replaced in 2020,” he says.</p><p>This means that a majority of these devices remain fairly static, and during that 10-year life-cycle, the vendor will likely no longer support that device so software patches will not be released for it. </p><p>“At the end of the day, this has a security impact,” van Schalkwyk adds, because aging devices are more vulnerable than current, or even obsolete, devices. This is because security researchers have had time to test them, discover any bugs in the device, and exploit them. (Users more quickly abandon obsolete devices, meaning that there are fewer of them in the marketplace.) </p><p>Additionally, because some patches are still rolled out for aging devices, users can inadvertently create more vulnerabilities each time they fail to patch. “The fact that we’re actually seeing aging devices with a larger amount of vulnerabilities than any other due to life cycle phases, really means that clients aren’t patching networking infrastructure,” van Schalkwyk says. </p><p>Contrary to the U.S. public sector, however, the private sector is doing a much better job of updating and replacing devices. “We’re starting to see in little pockets in the United States, Australia, and in some parts of Europe where clients are starting to actually push from five years all the way down to a three-year cycle for networking equipment refresh,” he explains.​</p><h4>Wi-Fi Vulnerability</h4><p>Also affecting the security of the IoT are the Wi-Fi networks that devices are connected to, which are becoming increasingly more commonplace as companies move to make their facilities more mobile-friendly. </p><p>“If you look five years back, if you deployed a new network, 80 percent of the access to that network would be wired and 20 percent would be wireless,” van Schalkwyk says. “And we’re actually starting to see that switch completely all the way to the other side where we’re seeing 20 percent being wired and 80 percent being wireless.”</p><p>While this might make employees’ lives and jobs easier, wireless access also comes with its own vulnerabilities—84 percent of the “discovered wireless access points were pre-2011 access end points,” van Schalkwyk explains. “So these are really, very old access points that don’t support high throughput and don’t support a huge amount of clients.” With the onset of the IoT, “we feel that wireless is going to become more and more critical,” so it’s crucial to ensure that it’s “deployed properly and that the underlying network can actually support the devices connected to it,” he says. </p><p>One thing that will be key to this effort is the deployment of Internet Protocol version 6 (IPv6), which provides an identification and location system for devices on networks and routes traffic across the Internet. It was developed by the Internet Engineering Task Force to “deal with the long-anticipated problem of IPv4 address exhaustion,” and is designed to replace IPv4, according to the Network Barometer Report.</p><p>Dimension Data is slowly seeing users deploy IPv6 internally, but few projects are deploying it in the United States, and only about 20 percent of networking equipment is capable of supporting IPv6, van Schalkwyk says.  </p><p>“In the majority of cases, they just need a software upgrade to be IPv6 capable,” he explains. “If clients were actually patching over the last three years, chances are pretty good that simply going through the patching cycle would actually give them the ability to support IPv6 within their network.”</p><p>Users who do not deploy IPv6 will expose themselves to unnecessary risk because they won’t be able to monitor and manage devices that operate on that protocol. </p><p>“The lack of visibility of this traffic, and its associated communications profile, introduces a significant security risk as these controls are developed based on device profiles, risk tolerance, and visibility required to maintain the device,” the report said. “Older controls may not be IPv6 compliant, nor able to provide the required visibility and control to effectively protect the data.”  ​</p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465