Archive for June, 2015

FARGO, N.D. (AP) – North Dakota State University students and staff will have access this year to a safety and security service that will allow dispatchers to track their whereabouts and let users call for help with one swipe of the smartphone screen.

The app was used by some students in a pilot program last spring and will be available this fall to everyone affiliated with the campus. The system works both on and off campus on a 24/7 basis and is integrated with the current NDSU technology that provides centralized electronic locks and a surveillance camera system.

It will also get students and staff to think about how to defend themselves, said Mike Borr, director of the NDSU police and safety office, and Fargo Police Lt. Joel Vettel.

“Safety and security of our students, staff and faculty is one of our top priorities,” Borr said. “The fact that this application exists and will be promoted again when the students arrive is a chance to get it in the forefront of people’s thoughts.”

Said Vettel, “It’s a way for people to take their own personal safety to the next level.”

Safety has been in the forefront around NDSU since freshman Thomas Bearson was killed by an unknown assailant in September and two students were raped at an off-campus apartment in December. Bearson’s body was found in neighboring Moorhead, Minnesota. Earlier this week a recent NDSU graduate who lives near campus was killed in a random homicide.

“As parents we worry about our children, whether they are 4 or 24,” Vettel said.

The service that NDSU is using had a one-time fee of $10,000 and was paid for with money already allocated for information technology services. NDSU is the only campus in the state using such a service.

To start the safety assist, users type in their destination – which can be keywords like “bookstore” or “union” – and estimated travel time and then select the “Follow Me Now” icon. The user gets texts at different times during the walk, such as one minute before the safety assist timer is about to end or if the user has not moved for a while.

A user can call police with one touch or send a silent alarm to an NDSU dispatcher with the sweep of a finger if he or she feels threatened or there is an emergency.

Borr said the spring launch was a successful test because there were a couple of times when the system was put into action when people went overdue, even though they turned out to be false alarms.

“We haven’t had an actual need to respond,” Borr said. “However, we are treating every alarm as if it is a real event.”

The service gives families a chance to talk about personal safety “without making it a scary issue,” Vettel said.

“I don’t think people should go out and be alarmed or scared and think there is danger around every tree,” he said. “But we really want to stress to folks to be aware of their surroundings, recognizing those times when they’re more vulnerable and take steps to improve your position.”

View Source

Fingerprints have been used by law enforcement and forensics experts to successfully identify people for more than 100 years. Though fingerprints are assumed to be infallible personal identifiers, there has been little scientific research to prove this claim to be true. As such, there have been repeated challenges to the admissibility of fingerprint evidence in courts of law.

“We wanted to answer the question that has plagued law enforcement and forensic science for decades: Is fingerprint pattern persistent over time?” said Anil Jain, University Distinguished Professor, computer science and engineering, at Michigan State University. “We have now determined, with multilevel statistical modeling, that fingerprint recognition accuracy remains stable over time.”

Jain, along with his former Ph.D. student Soweon Yoon, who is now with the National Institute of Standards and Technology, used fingerprint records of 15,597 subjects apprehended multiple times by the Michigan State Police over a time span varying from five to 12 years.

The results show that fingerprint recognition accuracy doesn’t change even as the time between two fingerprints being compared increases.

The paper by Yoon and Jain, published in the Proceedings of the National Academy of Sciences, is the largest and most thorough study of the persistence of Automated Fingerprint Identification Systems, or AFIS, accuracy.

Experts agree that Jain’s research addresses one of the most fundamental issues in fingerprint identification and is of great importance to law enforcement and forensic science:

“This study is one of the fundamental pieces of research on a topic that has always been taken for granted. The permanence of fingerprints has not been systematically studied since the seminal work of Herschel was presented in Galton’s book: Finger Prints (1892, Macmillan & Co.).

Although operational practice has shown that the papillary patterns on our hands and feet are extremely stable and subject to limited changes (apart from scars), the study presented in PNAS provides empirical and statistical evidence.” Professor Christophe Champod, Université de Lausanne, Switzerland.

“This study is a monumental achievement and one that will benefit forensic science teams worldwide.” Capt. Greg Michaud, director of the Forensic Science Division, Michigan State Police.

“Dr. Jain’s analytic quantification on fingerprint persistence of the results significantly support early studies on fingerprint persistence and yet further support legal requirements for peer review and publication.” Jim Loudermilk, senior level technologist at the FBI Science and Technology Branch.

Jain’s research was supported by a grant from the National Science Foundation Center for Identification Technology Research.

View Source

DHS RESTRUCTURES CIO OFFICE

The Department of Homeland Security plans to restructure its Office of the Chief Information Officer, including adding a new position to help the agency better procure technology.

DHS is creating a new deputy chief information officer position, DHS Chief Information Officer Luke McCormack wrote in a blog post. That person’s responsibility will be to oversee enterprise operations monitoring, service operations and service improvement, among other spheres.

McCormack wrote that DHS anticipates “increased competition, flexibility and reliability, decreased time-to-market and cost,” as well as stronger cybersecurity, in the procurement of IT services.

According to the blog post, the restructuring will allow the CIO shop to “transform into a more customer-focused and service-oriented organization.”

McCormack added: “We will take full advantage of emerging technologies from multiple sources, consolidate all service delivery functions, implement a newly revised governance framework and develop more strategic partnerships with our internal lines of business and industry.”

McCormack also announced Michael Hermus would join the department as DHS chief technology officer. Meanwhile, Margie Graves, currently DHS deputy CIO, will be promoted to “principal deputy CIO for strategy, governance and transformation.”

DHS officials were not available for comment as to how this position will differ from her current one.

View Source

TSA WANTS TO TWEET WITH TRAVELERS

The Transportation Security Administration is looking to airlines for customer service tips.

The Department of Homeland Security agency plans to set up a new Twitter account, @AskTSA, to respond directly to customer complaints and questions, according to a new solicitation.

Though its public affairs office currently uses social media to “communicate messages/information to the general public,” other brands, “including airlines, use social media in a different way: communicating directly with their customers, answering questions and resolving issues in real-time,” the solicitation said.

American Airlines’ Twitter handle, @AmericanAir, for instance, has 1.13 million followers and is used to respond publicly, and directly, to individual customers. In one case, on Thursday afternoon, @AmericanAir tweeted directly at a customer to “please advise a crewmember” when she took to Twitter to complain about a potentially faulty cooling system.

The solicitation could be part of TSA’s broader efforts to connect with customers digitally. The agency already has an Instagram account with roughly 303,000 followers, where it often posts photos of confiscated items, such as a set of throwing star weapons discovered last week at Alexandria International Airport in Louisiana. (TSA posted the image with the hashtag #TSAGoodCatch.) The agency’s main Twitter account, @TSA, created in 2011, has more than 46,000 followers.

The notice comes a few days after travel website Travelmath released an analysis of Twitter users’ sentiments toward TSA, using an algorithm to rank Twitter mentions in the United States as positive, negative or neutral. Among states that had enough TSA mentions to process, “nearly three times as many had a negative sentiment than a positive one,” that report said. (Words such as “confiscate,” “grope” and “rude” were among words frequently mentioned in those tweets, according to Travelmath.)

Though TSA’s solicitation is “for market research only,” the agency is searching for small businesses that can provide a Web-based customer engagement platform that up to 10 TSA staffers can log onto concurrently, according to the posting on FedBizOpps.

The Web platform must have many functions, including a “robust content repository to store pre-approved content, canned responses and approved images,” and an “interactive dashboard to engage in real time, one-to-one conversations without ticket assignment,” according to the solicitation.

The goal, according to a TSA statement provided to Nextgov, is to “improve the traveler’s experience through one-to-one conversations on Twitter to actively assist customers before, during and after their travel.”

But it’s unclear what the timeline is for @AskTSA, and if TSA even owns the handle — TSA officials could not be reached for interview. Though the handle exists, it has no avatar, bio or tweets, and has so far racked up only two followers.

View Source

Internet pioneer and DNS expert Paul Vixie says ‘passive DNS’ is a way to shut down malicious servers and infrastructure without affecting innocent users.

Botnet and bad-actor IP hosting service takedowns by law enforcement and industry contingents have been all the rage for the past few years as the good guys have taken a more aggressive tack against the bad guys.

These efforts typically serve as an effective yet short-term disruption for the most determined cybercriminal operations, but they also sometimes inadvertently harm innocent users and providers, a problem Internet pioneer and DNS expert Paul Vixie says can be solved by employing a more targeted takedown method.

Vixie, CEO of FarSight Security, which detects potentially malicious new domain names and other malicious DNS traffic trends, says using a passive DNS approach would reduce or even eliminate the chance of collateral damage when cybercriminal infrastructure is wrested from the attackers’ control. Vixie will drill down on this topic during his presentation at Black Hat USA in August.

Takedowns typically include seizing domains, sinkholing IPs, and sometimes physically removing equipment, to derail a botnet or other malicious operation.

Perhaps the most infamous case of collateral damage from a takedown was Microsoft’s Digital Crimes Unit’s takeover of 22 dynamic DNS domains from provider No-IP a year ago. The move did some damage to Syrian Electronic Army and cybercrime groups, but innocent users were also knocked offline. Microsoft said a “technical error” led to the legitimate No-IP users losing their service as well, and No-IP maintained that millions of its users were affected.

The issue was eventually resolved, but only after some posturing in hearings on Capitol Hill and debate over whether Microsoft was getting too heavy-handed in its takedown operations.

Vixie says the key to ensuring innocent users and organizations don’t get swept up in the law enforcement cyber-sweep is to get a more accurate picture of just what is attached to and relying on the infrastructure in question. “There is a tool that you can use to find out [whether] the Net infrastructure belongs to bad guys so you don’t target anything else” that shares that infrastructure and is not malicious, Vixie says.

Passive DNS is a way to do that, says Vixie. With passive DNS, DNS messages among DNS servers are captured by sensors and then analyzed. While Vixie’s company does run a Passive DNS database, he says he’s advocating that investigators and task forces doing botnet or domain takedowns use any passive DNS tool or service.

Vixie says the two-part challenge in takedowns to date has been ensuring law enforcement “got it all” while not inadvertently cutting off innocent users and operations in the process.

Passive DNS not only can help spot critical DNS name servers, popular websites, shared hosting environments, and other legit operations so they aren’t hit in a takedown operation, he says, but it can also help spot related malicious domains that might otherwise get missed. That helps investigators drill down to the malicious tentacles of the operation, according to Vixie.
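The two uses Vixie describes, checking what else shares a piece of infrastructure before it is seized and pivoting from known-bad names to related ones that would otherwise be missed, are both set operations over passive DNS observations. The following is an added example, not code from the article or from FarSight Security: it takes a small constructed set of passive DNS records (name, record type, resolved address or name server) and answers the two questions an investigator would ask before a takedown. The record shape, the sample names and addresses (RFC 5737 documentation ranges) and the scoring rule are all assumptions made for illustration; real passive DNS services also carry observation counts and first/last-seen timestamps, which are omitted here.

```python
"""
Passive DNS collateral-damage check (illustrative example, not FarSight's code).

Passive DNS sensors record which names were observed resolving to which
addresses, and which name servers were observed serving which zones, without
sending any queries themselves.  Before an IP is sinkholed or a name server is
seized, the investigator can ask: what else was observed on that
infrastructure, and is all of it part of the malicious operation?
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str   # owner name, e.g. "malware-c2.example"
    rrtype: str   # "A" (name -> IPv4 address) or "NS" (zone -> name server)
    rdata: str    # the observed address or name-server name


# Constructed sample observations: one shared hosting IP carrying both
# malicious and legitimate names, one dedicated IP, and one name server
# used by the malicious names plus a name not yet on the investigator's list.
SAMPLE_RECORDS = [
    PdnsRecord("malware-c2.example", "A", "198.51.100.10"),
    PdnsRecord("dropper.example", "A", "198.51.100.10"),
    PdnsRecord("campus-library.example", "A", "198.51.100.10"),
    PdnsRecord("shop.example", "A", "198.51.100.10"),
    PdnsRecord("dropper.example", "A", "203.0.113.7"),
    PdnsRecord("malware-c2.example", "NS", "ns1.badns.example"),
    PdnsRecord("dropper.example", "NS", "ns1.badns.example"),
    PdnsRecord("payload.example", "NS", "ns1.badns.example"),
]

# Names the investigation has already confirmed as malicious (constructed).
KNOWN_BAD = {"malware-c2.example", "dropper.example"}


def index_by_rdata(records, rrtype):
    """Map each address or name server to the set of names observed on it."""
    idx = defaultdict(set)
    for r in records:
        if r.rrtype == rrtype:
            idx[r.rdata].add(r.rrname)
    return idx


def names_on(records, rrtype, target):
    """All names passive DNS has seen pointing at `target`."""
    return index_by_rdata(records, rrtype).get(target, set())


def collateral(records, rrtype, target, known_bad):
    """Names on `target` that are NOT known malicious: the bystanders a
    takedown of `target` would knock offline."""
    return sorted(names_on(records, rrtype, target) - set(known_bad))


def safe_to_take_down(records, rrtype, target, known_bad):
    """True only if every name observed on `target` is already known bad."""
    return not collateral(records, rrtype, target, known_bad)


def dedicated_infrastructure(records, known_bad):
    """Addresses and name servers on which every observed name is known bad.
    These are the pieces that can be seized without collateral damage."""
    bad = set(known_bad)
    out = []
    for rrtype in ("A", "NS"):
        for rdata, names in index_by_rdata(records, rrtype).items():
            if names and names <= bad:
                out.append((rrtype, rdata))
    return sorted(out)


def review_candidates(records, known_bad):
    """Names that share infrastructure with known-bad names but are not yet
    on the list, ranked by the highest fraction of known-bad names on any
    infrastructure they share.  A name server used almost only by bad names
    ranks above a shared hosting IP.  Output is for analyst review, not for
    automatic seizure."""
    bad = set(known_bad)
    score = defaultdict(float)
    for rrtype in ("A", "NS"):
        for names in index_by_rdata(records, rrtype).values():
            bad_here = names & bad
            if not bad_here:
                continue
            fraction = len(bad_here) / len(names)
            for name in names - bad:
                score[name] = max(score[name], fraction)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for rrtype, target in (("A", "198.51.100.10"), ("A", "203.0.113.7"),
                           ("NS", "ns1.badns.example")):
        print(rrtype, target, "bystanders:",
              collateral(SAMPLE_RECORDS, rrtype, target, KNOWN_BAD))
    print("dedicated:", dedicated_infrastructure(SAMPLE_RECORDS, KNOWN_BAD))
    print("review:", review_candidates(SAMPLE_RECORDS, KNOWN_BAD))
```

Run against the sample data, the shared hosting address shows two legitimate bystanders and is therefore not a safe sinkhole target, the second address is dedicated to a known-bad name and can be taken without collateral, and the name server surfaces `payload.example` as the one name worth an analyst's attention, which is exactly the "got it all" question in the paragraph above.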

Vixie in his talk at Black Hat also plans to lobby for researchers and service providers to contribute data to passive DNS efforts.

Meanwhile, it’s unclear what long-term effects takedowns have had on the cybercrime underground. “I’m involved in the same [volume] of [takedown] cases than I ever was. The trend of bad guys is on an upward swing,” Vixie says.

View Source

The Defense Department just got more mobile with its classified information.

Pentagon officials announced Wednesday a new Defense mobile capability has moved out of the pilot stage and will be incorporated into agency operations.

The new capability, created through a partnership between DOD’s IT arm, the Defense Information Systems Agency, and the National Security Agency, allows users to access classified voice and data up to the secret level from anywhere in the world.

The Pentagon plans to have 3,000 users by the second quarter of fiscal 2016.

The new mobile classified capability is one piece of the Pentagon’s Joint Information Environment plan, “where our war fighters and national-level leaders can access a secure infrastructure and applications from any device, anytime, anywhere,” said Kim Rice, DISA’s mobility portfolio manager, in a statement.

The new capability will replace the Secure Mobile Environment Portable Electronic Device system, which DISA will phase out July 30. The new program, Rice said, will improve call operability and offer a new mobile device management system expected to enhance security.

Importantly, the new capability offers “a new secure mobile device” with “enhanced graphics, improved sound quality and a longer battery life than earlier pilot devices.” In other words, Pentagon users will be carrying secure mobile devices akin to commercial smartphones with some of the same features, such as cameras, GPS and Bluetooth — although they’ll be disabled for DOD use.

“This release is a big step toward being able to deliver secure mobile capabilities faster than we have ever seen before,” Rice said.

DOD officials plan to triple the number of active users in the near future.

View Source

A privacy advocacy group is urging federal regulators to investigate Uber’s planned changes to its privacy policy.

The new policy, set to take effect on July 15, would give the ride-hailing service access to users’ address books and allow the company to collect location data even when the app is running in the background.

Those changes, the Electronic Information Privacy Center wrote in a complaint filed to the Federal Trade Commission Monday, “threaten the privacy rights and personal safety of American consumers … and constitute an unfair and deceptive trade practice.”

When the company first announced its planned update to its privacy policy in May, it said the changes could help people get rides more quickly and send special offers to friends and family. “In either case, users will be in control: They will be able to choose whether to share the data with Uber,” Katherine Tassi, an attorney for Uber, wrote in a blog post at the time.

But in its complaint, EPIC argues that the policy places an “unreasonable burden on consumers” and that it is “not easy to exercise” the ability to opt out of the data collection.

The complaint also claims that Uber “has a history of abusing the location data of its customers.” The privacy group points to the controversy over the company’s “God View,” which allowed employees to track an individual user’s real-time or historic location. The company restricted access to the view after Buzzfeed reported on it and Sen. Al Franken sent a letter expressing alarm. The controversy is also what prompted Uber to overhaul its privacy policy.

In an emailed statement Monday, Uber said there is “no basis” for EPIC’s complaint and that the company updated its privacy policy to make it more transparent and readable. “These updated statements don’t reflect a shift in our practices, they more clearly lay out the data we collect today and how it is used to provide or improve our services,” the company said.

Monday’s complaint from EPIC doesn’t necessarily mean that the FTC will take any action against Uber. The agency only has authority to pursue cases against companies if their practices are “unfair” or “deceptive.”

“We welcome complaints from consumers and consumer groups and review them carefully,” said FTC spokesman Jay Mayfield.

View Source

4 TOP CHALLENGES FOR FEDERAL CIOS

In today’s tight budgetary climate, chief information officers are being called on to find innovative ways to use technology to perform operations faster and more effectively. Grant Thornton has surveyed federal CIOs and chief information security officers for 25 years, and recently released with the Professional Services Council the 25th survey highlighting some key challenges facing this community.

1. Cybersecurity remains the top priority.

This is no surprise, unless you’ve been hiding under a rock. Ninety percent of CIOs cited an increase in cyberattacks. More than a quarter of the CIOs experienced threat increases of more than 50 percent. CIOs were also asked the extent to which cyber spending increased. Unfortunately, while 90 percent confirmed that cyber spending increased, the majority of the respondents said spending increased between 0 and 10 percent. It is clear that CIOs need additional resources to fight an ever-growing, well-resourced and persistent cyberthreat. Competing for professionals with these highly sought-after skills is becoming increasingly difficult, especially in the federal sector where compensation is limited.

2. CIOs remain focused on cloud but aren’t there yet.

Only 8 percent of CIOs reported that initial cloud efforts are where they want to be. Most have done “the easy stuff,” like migrating email and websites. What’s next? CIOs see cloud-based development platforms as an innovation that can improve efficiency and reduce costs if done right. One CIO said, “We have used cloud to reduce our life cycle costs by 90 percent and bring applications to market in 70 percent less time.” CIOs acknowledged that moving is not easy, citing a number of lessons learned: treating migration as a transformation effort; not underestimating the integration challenges or need for planning; developing clear SOWs with models to pay based on consumption; and creating risk-based security models based on the data in the cloud.

3. Data analytics presents an opportunity for improvement.

Over 80 percent of respondents noted their organizations’ ability to use data to make business decisions was average or below average. Agencies identified the need for help in managing the proliferation of data and developing master data management plans. CIOs commented that data silos litter the enterprise and are not easily accessible. CIOs also stated they have limited people with the expertise to effectively leverage data management solutions and tools.

4. Undergoing culture change.

In the wake of failed launches of large-scale IT programs, federal IT managers are quickly moving to embrace modular development where failures, if they happen, can be more easily managed. This is causing agencies to go through a culture change focused on building and delivering quickly, allowing for experimentation and failure, and ultimately faster time to stakeholder satisfaction. While agile shows much promise, only one-third of CIOs are using agile as the default, while another third are “in the early stages.” CIOs noted as critical success factors the importance of training; effective metrics; automated platforms; and the ability to commit to working in integrated teams with clearly defined roles.

Between the rapid pace of technological change, ever-increasing cyberthreat and continued financial uncertainty, CIOs will both stay in the spotlight and need strong partnerships to ensure technology is deployed and managed effectively to deliver mission results.

To obtain a copy of the 2015 Federal CIO Survey report, click here.


View Source

McALLEN — Six of the seven Mexican drug cartels have established command and control in Texas and are recruiting at schools across the state, San Juan Police Chief Juan Gonzalez said Thursday at the School-Based Law Enforcement Summit.

For the first time since the annual summit began almost 40 years ago, school police officers spent an entire day focused on border crimes, including sex trafficking of students.

“It was important for us to make this possible because this is about our children and their livelihood,” said Sylvia Cruz, director of security and risk management for the Mission school district, which paid for the extra day of training.

Nearly 200 officers learned about human trafficking, teen suicide, and transnational criminal organizations, among other issues during the four-day summit.

Organized by the Texas State University Institute for Criminal Justice Studies (ICJS), the summit gives officers the chance to earn up to 32 of the 40 training hours mandated by the Texas Commission on Law Enforcement every two years.

Last year, they trained about 1,000 peace officers and have more than 1,200 already registered this year.

The summits aim at providing free research-based training focused on law enforcement issues at both the K-12 and higher education levels, said Joe Muñoz, program manager at the ICJS.

“There’s a wealth of information that we are giving the participants,” Muñoz said. “From gang intervention to mental health expansion, to inappropriate relationships, we are giving them the tools they need to help these kiddos.”

A major focus of this year’s training dealt with domestic sex trafficking and how to detect children who are being targeted by human traffickers, who often use technology to recruit and prey on children with vulnerabilities including those lacking family support.

The average age of children recruited into forced prostitution is 11-14 years old, according to the National Human Trafficking Resource Center (NHTRC).

View Source

PASSWORDS AREN’T THE PROBLEM. YOU ARE.

When you start your first day at Quartz, you get peppered with passwords.

There’s a password to log into your new Mac, which you are immediately prompted to change once you’re up and running. The new password allows you to log into your email. Once there, you are invited to join our password protected—with double-authentication—CMS. It’s not much of an exaggeration to say your first Quartz workday consists largely of password management.

I had that in mind as I helped a new hire settle in on Monday. So, I urged him—repeatedly—to take a moment and sign up for a password client that I had used to help me beat my own long-standing struggle with password amnesia: LastPass. For months, the service, which essentially creates an encrypted vault of all your passwords and protects it with a master password, had made my life much better.

Until Tuesday morning. That’s when I received and opened an email from LastPass indicating that the service had been compromised, and that some sensitive information—including email addresses and password reminders—had been taken. For its part, LastPass says its “vaults” where users keep their passwords to various sites and applications were not compromised.

“So no data stored in your vault is at risk,” officials said. But I still had to explain this to the guy I had convinced to use it less than 24 hours before.

A recent survey commissioned by Telesign—a company that sells two-step verification technology—found that roughly 70% of 2,000 people in the UK and US they surveyed don’t trust that their password will protect them. They shouldn’t. After all, it’s abundantly clear that we are living in an era of profound data insecurity.

I mean, Russian hackers read President Obama’s unclassified email. And just to review, over the last few months alone we’ve learned that hackers have breached not only the White House, but the IRS and the federal government’s Office of Personnel Management, where they perused—among other things—the form people fill out as they apply for security clearances.

What’s more, today we learned that the FBI is investigating front office officials from the St. Louis Cardinals in connection with hacking into the Houston Astros’ “baseball operations database.” The New York Times reports:

Investigators believe Cardinals officials, concerned that [former Cardinals executive, and current Astros general manager Jeff] Luhnow had taken their idea[s] and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

There’s a reason why hackers—whether they be associated with Red China or the St. Louis red birds—aim for passwords. Long ago, we reached the human limits of our ability to remember them. The human mind has pretty strict limitations on remembering long sequences of numbers and letters. (Essentially it’s about seven items, plus or minus two.) And they’re best remembered when they’re in familiar chunks, you know, like letters in words. This is why consumers have an average of 24 online accounts, but only about six unique passwords, according to the Telesign study.

In other words, passwords aren’t the problem. We are.

And humans will remain the problem until we get to the post-password era.

Over the next few years we’ll increasingly be authenticating ourselves not with passwords, but with our fingerprints, faces, irises, retinas, palm-prints and speech patterns. But humanity still presents a profound engineering problem.

“Passwords or tokens are easy to change while it is compromised. But, biometric traits are inherent and fixed forever, that is, the biometric data is irrevocable,” wrote academics in a paper published in April.

If you think resetting your password is a pain, try resetting your fingerprint.

Engineers are addressing the problem, coming up with technologies that enable cancelable crypto-versions of our biometric data that can be reset. But I can’t help but be overcome by the suspicion that the digital world might just work a lot better if it didn’t have to put up with all these people.

View Source