How To Know Which NIST Framework To Use

“One of the most important aspects of the recent cybersecurity executive order is also the aspect causing the most confusion.

When President Donald Trump signed the executive order in May, it included the requirement that federal agencies use the NIST Cybersecurity Framework to manage their cybersecurity risk. However, some have confused the NIST CSF with the NIST Risk Management Framework, which all federal agencies have been required to follow since its 2010 introduction.

To put it succinctly, they are two different frameworks. As industry and government work together to execute this order, it is very important for everyone to fully understand the two frameworks, and how they differ.

NIST CSF Overview

The NIST CSF was released in February 2014 in response to a 2013 executive order that called for a voluntary framework of industry standards and best practices to help organizations manage cybersecurity risk.

The CSF was created as a result of collaboration between government and the private sector. It “uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.”

The heart of the NIST CSF is the Framework Core, which consists of five functions: identify, protect, detect, respond and recover. The functions and their components aren’t a checklist of actions to be performed in order. Rather, they are concurrent and continuous activities that “provide a high-level, strategic view of the life cycle of an organization’s management of cybersecurity risk.”

Read More

Texas school police to use drones to keep campuses safe

“School district police officers here completed a months-long drone training program at Sanchez Elementary on Friday.

This spring, Drone Pilot Inc., a Central Texas training firm, trained four officers from the McAllen Independent School District Police Department in the use of drones. The 100-hour training, which began in February, went through various real-life scenarios.

Friday, the officers had their final exam on completing would-be scenarios of search and rescue. Their drone skills were tested on finding a missing child/endangered adult and identifying an unknown object, a skill that could help defuse a bomb scare. Another mission was going through hazardous materials like an ammonia leak from a car.

Gene Robinson, vice president, co-founder and flight team director of Drone Pilot, said the officers learned to problem-solve and work together in their missions.

“They (officers) will use the skills that we taught them, go out and try to solve,” Robinson said.

The drones will be used for faster response times and be used for investigative purposes to hold aerial views of parking lots, reconstruct collisions, look for evidence/crime scenes, and assess structural damage to buildings after a natural disaster or arson and most commonly, locate intruders in and around campuses.

“This training will be good for the public to keep them safe,” McAllen ISD Police Sgt. Charles Eric Treviño said. “When you look at it at ground level, it doesn’t look the same when you take it at aerial photographs. It’s different.”

“It’ll take minutes versus possible hours bringing an agency to check it out,” Treviño added about response times.

The drone training was divided into three phases. The introductory section covered legal issues and copyright information. Section two covered the proper usage of equipment and regulations, with recording and documenting the missions in logbooks. The final section was team cooperation and following proper procedures before beginning a mission.

Government use of aerial drones became much easier when the Federal Aviation Administration flipped the switch on new regulations last year, prompting some law enforcement agencies to adopt the technology.

The San Marcos Police Department has purchased a drone that will be used for investigations into vehicle crashes involving serious injury or death.

Before the FAA created new regulations last summer, the Austin Fire Department had already been operating drones to monitor and respond to wildfires for more than a year under a rare exemption that made it one of the first public safety agencies in the country allowed to use drones.”

View Source

Congress votes to wipe out landmark internet privacy protections

Congress sent proposed legislation to President Donald Trump on Tuesday that wipes away landmark online privacy protections, the first salvo in what is likely to become a significant reworking of the rules governing internet access in an era of Republican dominance.

In a party-line vote, House Republicans freed internet service providers such as Verizon, AT&T and Comcast of protections approved just last year that had sought to limit what companies could do with information such as customer browsing habits, app usage history, location data and Social Security numbers. The rules had also required providers to strengthen safeguards for customer data against hackers and thieves.

The Senate has already voted to nullify those measures, which were set to take effect at the end of this year. If Trump signs the legislation, as expected, providers will be able to monitor their customers’ behavior online and, without their permission, use their personal and financial information to sell highly targeted ads — making them rivals to Google and Facebook in the $83 billion online advertising market.

The providers could also sell their users’ information directly to marketers, financial firms and other companies that mine personal data — all of whom could use the data without consumers’ consent. In addition, the Federal Communications Commission, which initially drafted the protections, will be forbidden from issuing similar rules in the future.

Search engines and streaming video sites already collect usage data on consumers. But consumer activists claim that internet providers may know much more about a person’s activities because they can see all of the sites a customer visits.

And while consumers can easily abandon sites whose privacy practices they don’t agree with, it is far more difficult to choose a different internet provider, the activists said. Many Americans have a choice of only one or two broadband companies in their area, according to federal statistics.

Advocates for tough privacy protections online called Tuesday’s vote “a tremendous setback for America.”

“Today’s vote means that Americans will never be safe online from having their most personal details stealthily scrutinized and sold to the highest bidder,” said Jeffrey Chester, executive director of the Center for Digital Democracy.

Read More

How To Stop Your Smart TV From Spying on You

THIS WEEK, VIZIO, which makes popular, high-quality, affordable TV sets, agreed to pay a $2.2 million fine to the FTC. As it turns out, those same TVs were also busily tracking what their owners were watching, and shuttling that data back to the company’s servers, where it would be sold to eager advertisers.

That’s every bit as gross as it sounds, but Vizio’s offense was one of degree, not of kind. While other smart TV platforms don’t sell your viewing data at the IP level to the highest bidder without consent, like Vizio did, many do track your habits on at least some level. And even the companies that have moved on from ACR—like LG when it embraced webOS—have older models that liberally snoop.

But good news! There are ways to keep your smart TV from the prying eyes of the company that made it. In fact, there’s one absurdly easy way that will work for any television you can buy. Let’s start there.

Dumb It Down
The single most foolproof way to keep an internet-connected TV from sending data to far-flung ad tech servers around the globe? Disconnect it from the internet. And honestly, you should be doing that anyway.

Think about what you’re really getting from the “smart” part of your high-tech television. A shoddy interface? Voice commands that work half the time, if you’re lucky? A few bonus ads popping up in unexpected places? No thank you! Go to Settings, find the Wi-Fi On/Off toggle, and shut it down.

Read More

Miami Student Sentenced for Cyberstalking on Facebook and Instagram

“A Miami student was sentenced yesterday for cyberstalking on Facebook and Instagram.

Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, and George L. Piro, Special Agent in Charge, Federal Bureau of Investigation (FBI), Miami Field Office, made the announcement.

Kassandra Cruz, 23, of Miami, Florida, was sentenced by U.S. District Judge Frederico A. Moreno to 22 months in prison, followed by three years of supervised release, a $100 special assessment, and $2,178.32 in restitution, stemming from her conviction on one count of cyberstalking, in violation of Title 18, United States Code, Section 2261(A)(2)(B).

According to court documents, beginning in June 2015, victim “S.B.” received a “friend” request from Cruz on her Instagram and Facebook accounts. In an effort to gain “S.B.’s” friendship, Cruz created a false persona on her Instagram account wherein she portrayed herself as a male who was an active duty U.S. Marine. Under that ruse, “S.B.” accepted the friend request.

From late June 2015 until September 2015, Cruz, posing as Giovanni, “liked” and commented on pictures “S.B.” posted on both her Instagram and Facebook accounts. However, when “S.B.” noticed that Cruz had begun “following” and “liking” all of her friends’ pages and posts, she became suspicious and “blocked” and “unfollowed” Cruz from her social media accounts.

As a result, Cruz threatened that “S.B.” would face repercussions at her job and with her family if she did not comply, and specifically threatened to expose “S.B.’s” past via social media. The threats to “S.B.” persisted from Cruz on social media and later via text messaging, and Cruz ultimately demanded on multiple occasions $100,000 in exchange for no further contact, adding that she “knew where ‘S.B.’s’ family lived and they should watch their backs because someone would be heading to…to deal with them.” In total, “S.B.” received over 900 unwanted calls and text messages since the beginning of 2016, and the extortionate and threatening messages continued until late April 2016. Ultimately, Cruz was arrested and taken into custody during a pre-arranged meeting in Miami.

Mr. Ferrer commended the investigative efforts of the FBI. This case is being prosecuted by Assistant U.S. Attorneys Jodi L. Anton and Francis Viamontes.

View Source

What Molecules You Leave on Your Phone Reveal About Your Lifestyle

“We leave behind trace chemicals, molecules and microbes on every object we touch. By sampling the molecules on cell phones, researchers at University of California San Diego School of Medicine and Skaggs School of Pharmacy and Pharmaceutical Sciences were able to construct lifestyle sketches for each phone’s owner, including diet, preferred hygiene products, health status and locations visited. This proof-of-concept study, published November 14 by Proceedings of the National Academy of Sciences, could have a number of applications, including criminal profiling, airport screening, medication adherence monitoring, clinical trial participant stratification and environmental exposure studies.

“You can imagine a scenario where a crime scene investigator comes across a personal object — like a phone, pen or key — without fingerprints or DNA, or with prints or DNA not found in the database. They would have nothing to go on to determine who that belongs to,” said senior author Pieter Dorrestein, PhD, professor in UC San Diego School of Medicine and Skaggs School of Pharmacy and Pharmaceutical Sciences. “So we thought — what if we take advantage of left-behind skin chemistry to tell us what kind of lifestyle this person has?”

In a 2015 study, Dorrestein’s team constructed 3D models to illustrate the molecules and microbes found at hundreds of locations on the bodies of two healthy adult volunteers. Despite a three-day moratorium on personal hygiene products before the samples were collected, the researchers were surprised to find that the most abundant molecular features in the skin swabs still came from hygiene and beauty products, such as sunscreen.

“All of these chemical traces on our bodies can transfer to objects,” Dorrestein said. “So we realized we could probably come up with a profile of a person’s lifestyle based on chemistries we can detect on objects they frequently use.”

Read More

National Cyber Security Awareness Month

Data breaches resulting in the compromise of personally identifiable information of thousands of Americans.

Intrusions into financial, corporate, and government networks.

Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general.

These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.”

The FBI, according to Comey, targets the most dangerous malicious cyber activity—high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. And in doing so, we work collaboratively with our domestic and international partners and the private sector.

But it’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month—a Department of Homeland Security-administered campaign held every October—is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.

What are some of the more prolific cyber threats we’re currently facing?

Read More

Plastic banknotes: new fingerprint technique means criminals can’t avoid capture

“The UK has just introduced plastic banknotes, almost 30 years after they were used for the first time in Australia. The polymer notes are designed to last longer and be harder to forge. But the new notes, which will replace the old cotton paper ones entirely by 2020, come with a challenge for police detectives and forensic scientists.

The existing techniques for obtaining fingerprints from paper notes won’t necessarily work for the new plastic money. However, our team at the chemistry department of Loughborough University has developed a potential solution.

The use of fingerprints in forensic science may date back to the 19th century, but in the UK alone it still plays a key role in bringing charges in some 27,000 crimes a year, according to Home Office data we obtained. But new materials can pose significant challenges for fingerprinting. We’re forever trying to make things biodegradable, or handling devices that simply didn’t exist a decade or two ago.

The issue is that the new notes have been fashioned from “biaxially oriented” polypropylene, a type of plastic that has been strengthened by stretching it in two directions. They are also, as with all notes, deliberately fiddly in design. Illustrations and security features such as foil and transparent sections make it harder to develop a perfect print.

The key is to try to find a method that will make the design of the note invisible and just highlight the print. Conventional techniques, such as exposing the fingerprint to cyanoacrylate (“superglue”) fumes that stick to the moisture in the ridges of the print and turn them white, can struggle in such circumstances. The developed print simply appears white and so is harder to see against the background, and it leaves an indelible mark or stain that means the note can’t be returned to circulation.”

Read More

New cloud attack takes full control of virtual machines with little effort

“The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It’s a technique that’s so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.

Now, computer scientists have developed a significantly more refined Rowhammer technique they call Flip Feng Shui. It manipulates deduplication operations that many cloud hosts use to save memory resources by sharing identical chunks of data used by two or more virtual machines. Just as traditional Feng Shui aims to create alignment or harmony in a home or office, Flip Feng Shui can massage physical memory in a way that causes crypto keys and other sensitive data to be stored in locations known to be susceptible to Rowhammer.”
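The excerpt above identifies memory deduplication between virtual machines as the enabler for Flip Feng Shui. On Linux hosts the deduplication feature is Kernel Samepage Merging (KSM), and the defender-side check is simply whether it is merging pages at all. The script below is an added example, not code from the article or from the researchers; it assumes a Linux host that exposes the standard KSM sysfs files under /sys/kernel/mm/ksm/ (run, pages_shared, pages_sharing), and the sample values passed to it in the usage call are constructed.

```python
"""Report whether Kernel Samepage Merging (KSM), Linux's memory deduplication,
is active on a host.  Added example; assumes the stock KSM sysfs interface."""
from pathlib import Path
from typing import Optional

# Standard location of the KSM control files on Linux (assumption: stock kernel).
KSM_DIR = Path("/sys/kernel/mm/ksm")


def assess_ksm(run: str, pages_shared: str, pages_sharing: str) -> dict:
    """Interpret the raw text of the three sysfs files.

    run:           "0" = merging stopped, "1" = merging, "2" = stop and unmerge all
    pages_shared:  number of distinct shared pages KSM currently holds
    pages_sharing: number of page-table entries pointing at those shared pages
    """
    run_val = int(run.strip())
    shared = int(pages_shared.strip())
    sharing = int(pages_sharing.strip())
    enabled = run_val == 1
    # Any non-zero pages_sharing means separate processes (on a hypervisor,
    # separate VMs) are currently backed by the same physical page.
    dedup_active = enabled and sharing > 0
    if dedup_active:
        advice = ("cross-VM page sharing in effect; on a multi-tenant host, "
                  "stop and unmerge with: echo 2 > /sys/kernel/mm/ksm/run")
    elif enabled:
        advice = "KSM is enabled but holds no shared pages yet; consider disabling it"
    else:
        advice = "KSM is not merging pages"
    return {
        "enabled": enabled,
        "pages_shared": shared,
        "pages_sharing": sharing,
        "dedup_active": dedup_active,
        "advice": advice,
    }


def read_ksm_from_sysfs(ksm_dir: Path = KSM_DIR) -> Optional[dict]:
    """Read the live values; returns None when KSM is not built into the kernel."""
    if not (ksm_dir / "run").exists():
        return None
    return assess_ksm(
        (ksm_dir / "run").read_text(),
        (ksm_dir / "pages_shared").read_text(),
        (ksm_dir / "pages_sharing").read_text(),
    )


if __name__ == "__main__":
    # Constructed sample values standing in for a host that is actively merging.
    sample = assess_ksm("1\n", "10\n", "240\n")
    print("constructed sample:", sample["advice"])
    live = read_ksm_from_sysfs()
    print("this host:", live["advice"] if live else "KSM not present")
```

The assessment is split from the file reads so that the interpretation can be checked on captured values (for instance, from an inventory job that copies the sysfs files off many hypervisors). Writing 2 to the run file is the documented way to stop KSM and undo existing merges; a value of 0 stops future merging but leaves already-shared pages in place.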

Read More

Safe Online Surfing Internet Challenge

What do more than 870,000 students across the nation have in common?

Since 2012, they have all completed the FBI’s Safe Online Surfing (SOS) Internet Challenge. Available through a free website at https://sos.fbi.gov, this initiative promotes cyber citizenship by teaching students in third through eighth grades how to recognize and respond to online dangers through a series of fun, interactive activities.

Anyone can visit the website and learn all about cyber safety, but teachers must sign up their school to enable their students to take the exam and participate in the national competition. Once enrolled, teachers are given access to a secure webpage to enroll their students (anonymously, by numeric test keys) and request their test scores. E-mail customer support is also provided. Top-scoring schools each month are recognized by their local FBI field office when possible. All public, private, and home schools with at least five students are welcome to participate.

Now entering its fifth season, the FBI-SOS program has seen increased participation each year. From September 2015 through May 2016, nearly a half-million students nationwide finished the activities and took the exam. We look forward to even more young people completing the program in the school year ahead. The challenge begins September 1.

Read More