Cyber Security Caucus: May 2015

Saturday 30 May 2015

Lawmakers to automakers: How are you protecting cars from cyberattacks?

The computerized car revolution is here: New cars often contain technology to control or monitor everything from tire pressure to the music you’re listening to. Some even come with WiFi hotspots built into the dashboards. And companies like Google are predicting cars that can drive themselves within a generation.

But in era in which cyberattacks have become an almost daily occurrence, some are increasingly concerned about a potential downside to these advancements.

Ten members of the House of Energy and Commerce Committee are questioning how the government and auto-makers are prepping for the potential cybersecurity risks of reliance on software in vehicles.

“Connected cars and advancements in vehicle technology present a tremendous opportunity for economic innovation, consumer convenience, and public health and safety,” wrote a group led by Chairman Fred Upton (R-Mich.) and ranking Democrat Frank Pallone (N.J.) in letters sent to 17 car manufacturers including Ford, Toyota and General Motors, as well as the National Highway Transportation and Safety Administration on Thursday.

“These benefits, however, depend on consumer confidence in the safety and reliability of these technologies,” they wrote.

The lawmakers want the agency and automakers to provide details on what they are doing to protect against cyber-vulnerabilities now — including how they test vehicles for such vulnerabilities while they are being designed and once they are on the road. Letter recipients were asked to respond by June 11.

NHTSA did not immediately respond to a Washington Post inquiry about the letter, but the issue is on their radar. The agency is researching cybersecurity issues related to cars and released a summary of cybersecurity best practices as well as a report on potential security threats to vehicles last September.

And the industry has also taken note of cybersecurity threats. “Auto engineers are incorporating security solutions into vehicles from the first stages of design and production, and their security testing never stops,” says a fact sheet on the issue from the industry’s The Alliance of Automobile Manufacturers. The Vehicle Electrical System Security Committee. The International Society of Automotive Engineers has a committee that studies the challenges of securing vehicle’s electronic control systems and the U.S. Council for Automotive Research has a “Cyber-Physical Systems Task Force.”

But some cybersecurity experts have warned that the auto industry is lagging behind some other sectors while the increasing complexity of systems in vehicles could leave them vulnerable to hacking. In 2013, researchers Chris Valasek and Charlie Miller were able take over the brakes and steering of a Ford Escape and a Toyota Prius using a laptop connected to the vehicles with a cable. And last year, the pair released a report laying out potential wireless “attack surfaces,” like WiFi connections and Bluetooth in many cars on the market, that might be targeted by a malicious attacker.

Earlier this year, Sen. Ed Markey (D-Mass.) released a report warning that consumers security and privacy were put at risk by the the increasing connectivity of vehicles. Nearly all cars on the market “include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions,” the report, which was based on information solicited from auto-makers, concluded.

Last November, two auto industry groups announced a set of privacy principles for vehicles. But Markey and Sen. Richard Blumenthal (D-Conn.) are currently at work on legislation that would direct NHTSA and the Federal Trade Commission to establish federal standards for vehicular cybersecurity and privacy.

View the original content and more from this author here: http://ift.tt/1FlFtrG

from cyber security caucus http://ift.tt/1PVf26H
via IFTTT

House panel raises concerns over auto cybersecurity

The panel acknowledges the clear benefits of modern transportation and communications technologies such as vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I) and autonomous systems. Committee leaders are worried that such technologies will bring a new era of potential vulnerabilities that regulators may not be currently equipped to handle.

“The explosion of new, connected devices and services is exacerbating existing cybersecurity challenges and has introduced another potential consequence – the threat of physical harm – as products responsible for public health and safety are integrated into the Internet ecosystem,” the bipartisan group wrote. “While threats to vehicle technology currently appear isolated and disparate, as the technology becomes more prevalent, so too will the risks associated with it.”

Legislators wrote letters to 17 automakers asking for more information on current initiatives. The group also calls for cooperation between rival companies and the National Highway Traffic Safety Administration to develop strategies that minimize security risks associated with emerging technologies.

“Threats and vulnerabilities in vehicle systems may be inevitable, but we cannot allow this to undermine the potential benefits of these technologies,” the letters add. “The industry and NHTSA have an opportunity to prepare for the challenges that advanced vehicle technologies present, and to develop strategies to mitigate the risks.”

The automakers have been asked to submit initial responses by June 11.

View the original content and more from this author here: http://ift.tt/1JfaVwx

from cyber security caucus http://ift.tt/1Qi2cu0
via IFTTT

Is the IRS too broke to protect your info?

Either the IRS is too broke to guard your data. Or it’s not spending its $10.9 billion budget the right way.

Let’s consider the first option. The IRS says it’s underfunded. Republicans in Congress have slashed the IRS budget for five years straight — the same politicians who now criticize the IRS for not having better security.

The agency has 10% less money and 13,300 fewer employees than it did in 2010 — but it handles a bigger workload than ever.

It processes 7 million more individual income tax returns. Plus, Obamacare is a huge project at the IRS, forcing it to shift employees and money to coordinate information-sharing with state health exchanges. Last year, the IRS spent $252 million on just the tech and computer side of Obamacare — but got no additional funding to pull off the task.

The result? Its ability to protect its computers and website has suffered.

While companies and government agencies boost their computer security, the IRS has dialed it back. A CNNMoney review of government records found the IRS spent $10 million less on cybersecurity in 2014 than the previous year. And since 2011, its 410-person cybersecurity team — in charge of guarding the entire nation’s tax records — has been cut down to 363 people.

And that’s just the tip of the iceberg.

The IRS still uses Windows XP, which is dangerously outdated, exposed to hackers and no longer supported by Microsoft. IRS Commissioner John Koskinen has said it still uses some tech from the days of the Kennedy administration. Its 19-year-old fraud-catching software is antiquated and ineffective. A project to replace it is severely delayed.

In a speech about budget cuts last year, Koskinen said: “This compromises the stability and reliability of our information systems, and leaves us open to more system failures and potential security breaches.”

In testimony before the U.S. Senate last year, Koskinen admitted the IRS can’t keep up with identity thieves. Imposters file taxes in your name, grab your tax refund, and get away with it. There aren’t enough IRS employees to deal with the flood of phone calls, so it takes six months or more to clear it up.

Even an independent oversight board said the IRS needed $136 million more this year to deal with these tech problems. Instead, Congress cut the IRS budget by $600 million.

The IRS is being punished. House Republicans say so themselves.

In an April 22 report, Republican politicians on the House Ways and Means Committee said they keep choking the IRS to make it pay for unfairly targeting Tea Party and right-wing groups, hosting “extravagant conferences” in the past, and being so wasteful on government projects.

For example, that unfinished and overdue fraud-catching software project is $86 million overbudget, say investigators at the Government Accountability Office. Even the early-stage version that was supposed to be working by 2012 still isn’t up and running in 2015.

But Republicans argue that IRS isn’t really short on money. It’s just bad at spending it correctly. As evidence, they point out that the IRS made Obamacare work — but it still can’t find the money within last year’s $2.5 billion tech budget to swap out old computers and improve its cybersecurity.

But some at the IRS tell CNNMoney it’s not just a matter of budget versus priorities. It’s insanely difficult to create programs to stop fraudsters.

Consider the current IRS pilot program to give Americans special PINs. This six-digit passcode makes it harder for a fraudster to file in your name. Currently, this PIN is only available to tax fraud victims and residents of Florida, Georgia and Washington. But many people lose their PINs. If the program went nationwide, the IRS would be inundated with millions of phone calls it can’t answer.

Whatever the reasons for the IRS failure are, the Senate Finance Committee on Tuesday will hold a hearing to try to figure out why the IRS website failed to stop fraudsters from accessing 104,000 Americans’ tax documents.

View the original content and more from this author here: http://ift.tt/1GcKFUH

from cyber security caucus http://ift.tt/1d62Eir
via IFTTT

Lawmakers Send Letter To Auto Execs And NHTSA With Questions on Car Cybersecurity

In a sign of how lawmakers are turning up the heat on the issue of vehicle cybersecurity, a bipartisan group from the House Energy & Commerce (E&C) committee sent letters on the subject to 17 automakers and the National Highway Traffic Safety Administration(NHTSA) yesterday. The letter, signed by ten members of the E&C committee including Chairman Fred Upton (R-MI), asked auto execs such questions as how cybersecurity is managed at their companies and how possible vulnerabilities are addressed. The letter to NHTSA Administrator Mark Rosekind asked how the federal agency is structured to handle cyber threats to automobiles and what if any steps have been taken to study how security risks can be minimized as cars become more connected.

With in-car Wi-Fi and smartphone apps that connect to the cloud flooding into cars and the U.S. DOT working on mandating vehicle-to-vehicle communication on all new vehicles to reduce accidents, the lawmakers wrote that these technologies offer “tremendous opportunity for innovation, improved performance, convenience … and safety.” But they added that “all of these features …provide a gateway for potential threats. The explosion of new, connected devices and services is exacerbating existing cyber-security challenges and has introduced another potential consequence – the threat of physical harm,” the letter read.

The questions posed by the subcommittee members alluded to the extent of the challenge not just in connected cars, but in devices that connect to them, such as smartphones and OBD-II dongles. The committee members noted that “threats and vulnerabilities in vehicle systems may be inevitable.” But they want to know how the auto industry and NHTSA will address issues of cybersecurity.
Three years ago NHTSA established an office to handle cybersecurity issues and staffed it with around a dozen employees. At the end of 2014, the agency also issued a 40-page report detailing best practices that the auto industry should follow to ward off and deal with cyberattacks.

In a sign that the lawmakers want to get out ahead of the issue, the letter also addressed the nascent approach in automotive of using over-the-air (OTA) updates to add features to cars and also fix security flaws. In February, BMW issued OTA security updates to 2.2 million cars after outside researchers found a vulnerability that allowed hackers to remotely unlock the doors. While wireless OTA software updates can strengthen security and also has the potential to fix recalls issues without mechanics needing to physically access a vehicle, only Tesla has done routine OTA updates.

Lawmaker sent letters to top U.S. executives at Audi, Chrysler, Fiat Chrysler, Ford, General Motors, Honda, Hyundai, Nissan, Kia, Mazda, Mercedes-Benz, Mitsubishi, Porsche, Subaru, Tesla, Toyota, Volkswagen and Volvo. The lawmakers asked NHTSA and the car companies to respond by June 11.

The letter comes on the heels of a report issued in February by U.S. Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) that raised concerns about automotive cybersecurity and called for a rating system for passenger vehicle similar to those used for crash safety. The report was release the day after a 60 Minutes segment that showed correspondent Lesley Stahl helplessly stabbing the brakes, unable to stop an unnamed car after it had been “hacked” by researchers in a parking lot demonstration.

View the original content and more from this author here: http://ift.tt/1dCg9Ho

from cyber security caucus http://ift.tt/1AAWUbt
via IFTTT

Startup Maryland’s Website Was Hacked By A Mysterious Actor

On Thursday, the website for Startup Maryland, a “peer-driven” regional initiative created to help entrepreneurs grow businesses and connect with the innovation community, was hacked. The local Startup America Partnership branch’s website was replaced by a static image. The image shows what seems to be a cartoon illustration of a sunset over a mosque along with a cryptic message written possibly in Turkish.

The Daily Record first caught the hack and snapped a picture of the hacker’s message here:

Credit: The Daily Record

Startup Maryland Founder and CEO Mike Binko told The Daily Record that, “the hack was the result of a security update for WordPress that didn’t install properly over the Memorial Day weekend.”

Startup Maryland’s website was back up and running smoothly before late afternoon Thursday.

Founded in 2012, Startup Maryland serves as platform to connect the state’s community of entrepreneurs, investors, startup enthusiasts and business leaders. “As one of our most active regions over the past year Startup Maryland has attracted more than 500 startups participants in the eight months since officially launching,” Scott Case, CEO of Startup America Partnership, said of Startup Maryland in a statement.

Not to be confused with the Obama administration’s Startup America initiative, Startup America Partnership received its initial funding from the Ewing Marion Kauffman Foundation, the Case Foundation and involves several corporate sponsors, including American Airlines, American Express OPEN, Dell Inc., Intuit Inc., NYSE Euronext, and Microsoft.

View the original content and more from this author here: http://ift.tt/1RyWA0W

from cyber security caucus http://ift.tt/1RyWzKl
via IFTTT

Congress is Worried Your Car Will Get Hacked

Using technology to build cars that can talk to each other and the surrounding environment could make driving safer and easier, but Congress is worried that the development of connected cars holds dangers that aren’t being adequately addressed. Members of the House of Energy and Commerce Committee wrote a letter to 17 carmakers and the National Highway Transportation and Safety Administration asking whether cybersecurity is being taken seriously enough as car software continues to advance.

“Connected cars and advancements in vehicle technology present a tremendous opportunity for economic innovation, consumer convenience, and public health and safety,” lawmakers wrote in theletter. “These benefits, however, depend on consumer confidence in the safety and reliability of these technologies.”

The letter asked the agency and the car companies, which included the biggest brands like Ford and Nissan as well as higher end companies like Porsche and Tesla, about their plans to create cybersecurity measures that will prevent hackers from getting into the system. They asked the companies to sent them details, including testing arrangements and how they measure the success of the security, by June 11.

“The integration and convergence of transportation and communications technologies in connected cars offers tremendous opportunity for innovation, improved performance, convenience and safety,: they wrote. “All of these features, however, provide a gateway for potential threats.”

If the security of a connected car were breached, personal information stored in the car could be stolen. Even worse, it’s not impossible that hackers could take over the actual controls of the car, essentially hijacking it and messing with the systems that control the engine, brakes and other critical systems. As and when self-driving cars start hitting the roads, the problem could be even worse.

Cybersecurity companies, like the local Kaprica Security are working on systems to keep hackers out of transportation technology and the car companies have been talking to each other about setting standards for vehicle cybersecurity. But even with those efforts and work being done by government agencies, it’s going to take a lot of coordination between the government and carmakers to keep people safe from hackers, even as their cars get smarter. The lawmakers say they want it to be a combined effort in order to improve the overall digital safety of connected cars.

“Threats and vulnerabilities in vehicle systems may be inevitable, but we cannot allow this to undermine the potential benefits of these technologies,” they wrote. “The industry and NHTSA have an opportunity to prepare for the challenges that advanced vehicle technologies present, and to develop strategies to mitigate the risks.”

View the original content and more from this author here: http://ift.tt/1BvQDbT

from cyber security caucus http://ift.tt/1HZPtdw
via IFTTT

FBI inches closer to expanded search powers

The Department of Justice (DOJ) is one step closer to making a controversial change in how judges issue warrants for computer searches.

The department confirmed to multiple news outlets that a United States Courts committee has approved its request to give judges the power to authorize warrants for electronic searches in multiple jurisdictions or when investigators don’t know the physical location of a device.Under the current rules, judges can only grant warrants for their own jurisdictions, with some narrow exceptions.

Tech companies like Google, computer scientists and privacy advocates have decried the potential change, which they believe would give the FBI the authority to hack computers with little oversight.

The move, Google argued in a February blog post, would be “a significant change to procedural rules that could have profound implications for the privacy rights and security interests of everyone who uses the Internet.”

The DOJ has argued the alteration is a minor but necessary update to ease the warrant approval process in the digital age.

They point out that a single computer network can span multiple jurisdictions. Having to get a warrant for each jurisdiction instead of just one warrant for the computer network would hinder investigators, officials say. It’s also increasingly difficult to know the physical location of a digital crook, the FBI argued in its request.

“Criminals are increasingly using sophisticated anonymizing technologies when they engage in crime over the Internet,” the bureau said.

The proposal is still a ways off from being implemented. Both the Supreme Court and Congress must eventually sign off on the change, which would go into effect Dec. 1, 2016, if approved.

View the original content and more from this author here: http://ift.tt/1AEhXcV

from cyber security caucus http://ift.tt/1HZJeX9
via IFTTT

Resiliency discussed at Rensselaer’s commencement colloquy

TROY >> Lessons in resiliency, both personally and professionally, was the theme at Rensselaer Polytechnic Institute’s commencement colloquy Friday.

Rensselaer President Shirley Jackson welcomed commencement speaker Admiral Michelle Howard and three other distinguished guests at the annual event, titled “Resilient Leadership for a Resilient World.”

Admiral Howard is the 38th vice chief of the United States Naval Operations and was joined by filmmaker and scholar Henry Louis Gates, Jr, cybersecurity policy expert Craig Mundie and CEO and co-founder of the Carlyle Group David Rubenstein.

Howard spoke of her first lesson in perseverance when she decided at a young age to pursue a career in the Navy but learned women could not join.

“We tend to think about resilience as things … but really it’s the people,” she said.

In 1999, Howard took command of the USS Rushmore, and became the first-African-American woman to command a ship in the US Navy. On July 1, 2014, she became the first female promoted to a four-star rank in the Department of Defense.

Rubenstein described a series of failures in his life as important learning experiences.

“If you don’t fail at things, you don’t experiment, I think you’re not likely to get very much out of life,” said Rubenstein. He said he tried working as a lawyer twice and found he wasn’t very good at it, before going on to trying other things.

“If you don’t find something you love you’ll never be great at it,” he said.

The group discussed cyber security, privacy and other domestic and global challenges faced in this digital age.

“This domain has everybody. It has individuals, it has citizens, it has criminals, it has terrorists it has innovation … and its dense. But it has vulnerabilities whether you’re in the commercial world or the military world. And it’s integrated into how people work and play and operate,” said Howard. “And we as a Navy have to embrace this domain.”

Gates described his work with inner-city students, trying to get young people more interested in biology and history.

“The differences that separate us seem so obvious and apparent … and I think it’s been because we’ve been taught history so poorly,” he said.

The colloquy is part of the university’s 209th commencement. Saturday, 1,672 students will receive a total of 1,838 degrees from Rensselaer, the United States’ oldest technological research university.

Molly Eadie can also be reached at 270-1288.

View the original content and more from this author here: http://ift.tt/1K0T2T2

from cyber security caucus http://ift.tt/1K0SZGE
via IFTTT

Cybersecurity firm Titan IC Systems gets £850,000 investor boost

Titan IC Systems has secured an £850,000 investment boost from investors which it says will be used to support the company’s international sales plans.

The Queen’s University Belfast spin-out, which specialises in cybersecurity systems, accessed the investment from techstart NI and Co-FundNI, which is managed by Clarendon Fund Managers.

Techstart NI is a £23.6 million initiative, managed by Pentech Ventures, which backs early-stage technology businesses and university spin-outs, while Co-Fund NI is a £28 million equity fund that co-invests with angel and private investors. Both funds were established by Invest NI.

Titan IC Systems also won financial support from existing investor QUBIS, the Queen’s start-up company, and angel investors who have not been identified.

The spin-out recently launched next-generation technology which it hopes will transform the cybersecurity industry.

Godfrey Gaston, chief executive of Titan IC, said the latest financial backing would enable it to grow both its business and invest further in product development.

View the original content and more from this author here: http://ift.tt/1HYp8g2

from cyber security caucus http://ift.tt/1GLXvbg
via IFTTT

New commercial cybersecurity joint venture – Raytheon|Websense – completed

WALTHAM, Mass. Raytheon Co. and Vista Equity Partners officials have completed a joint venture transaction that creates a new company combining Websense, a Vista Equity portfolio company, and Raytheon Cyber Products, a product line of Raytheon’s Intelligence, Information, and Services business. The newly-formed commercial cybersecurity company will be named on an interim basis as Raytheon|Websense. Company leaders say they expect to introduce a new brand identity once they complete their integration efforts.

Under the terms of the deal, originally announced on April 20, 2015, Raytheon owns 80.3 percent of the new company, while Vista Equity Partners owns 19.7 percent. The joint venture will start operations immediately and will be headquartered in Austin, Texas. John R. McCormack has been named chief executive officer of the new company.

Raytheon invested $1.9 billion (net of cash acquired) to acquire Websense, of which $600 million is in the form of an intercompany loan to the joint venture. Raytheon has also contributed the assets of Raytheon Cyber Products and related intellectual property, which is valued at $400 million. Vista Equity Partners has made a new cash investment of about $335 million for 19.7 percent of the equity interest in the joint venture. Raytheon will then consolidate the operating results of the joint venture, which will be financially reported as a separate business segment of Raytheon.

Websense, which protects organizations from the latest cyberattacks and data theft, has products such as TRITON APX, which provides adaptive cyber security that protects critical data wherever it resides and gives actionable intelligence across the entire threat lifecycle. For more information on Websense, visit www.websense.com.

View the original content and more from this author here: http://ift.tt/1JeEmz2

from cyber security caucus http://ift.tt/1GbEgcg
via IFTTT

Top 5 ways to immediately improve your security program

By HP Security Strategist Stan Wisseman

When I got started in the computer security business at the National Computer Security Center in the early ‘80’s, we were focused on providing guidance on how best to embed security features and assurance into operating systems, databases, and networks. When firewalls were generally introduced in the mid-90’s, the corporate security model flipped to a dependence on hardening the network perimeter as a preventative control as Internet access increased. While information security practitioners continued to press for defense in-depth, many enterprise security policies assumed that there was a well defended network perimeter within which authorized users could safely access/use firm assets.

Flash forward to 2015. The network security perimeter may not be completely dead, but the demarcation line is certainly fuzzy.

The changes in the way users, third-parties, and customers access systems/applications and their need to access enterprise data remotely or whilst mobile is forcing an IT transformation. Other factors include alterations to how data is stored and moved around the IT infrastructure, ‘virtualized’ environments, and the consumption of cloud services. These factors break the “crunchy” network security perimeter model. I’m not recommending jettisoning perimeter security controls. As reflected by a recent Firemon survey, firewalls still are perceived to have value. Organizations need to maintain perimeter defenses not just for the traditional ingress monitoring, but also for egress visibility to pinpoint large-scale breaches. However, assume perimeter defenses can be by-passed.

As I cited in a previous post, baselining against cyber security frameworks is a useful exercise to help identify security control gaps in your program. Understanding the likely threats and having a means of continuously monitoring the threat landscape can also help you prioritize where best to focus your attention. That said, I think the following 5 high-level actions provide you significant ROSI towarddisrupting the attack life cycle:

1. Reducing your attack surface
2. Employing multi-factor authentication
3. Monitoring the environment for anomalies
4. Utilizing data-centric security
5. Participating in threat intelligence sharing

Reducing the attack surface

Once you understand that you cannot stop every attack, the next logical action to take is to reduce the number of attack vectors that a potential adversary may exploit. HP’s 2015 Cyber Risk Report shows that threat actors use both zero-day exploits along with exploits of older vulnerabilities that have been around for years. As highlighted by Mark Painter’s recent blog post, environmental hygiene can greatly reduce your exposure. If unable to patch in a timely manner, virtually patch vulnerable components. Also reflected in the Cyber Risk Report, applications are taking the brunt of many attacks. I’ve been a longtime advocate ofbuilding security into applications. Those developing and deploying applications should address security throughout the life cycle to reduce architectural and implementation related security flaws and defects. Applications will continue to be subject to attack and we must take the necessary steps to build in resilience for critical applications so they can better resist attack and rapidly recover from failures and outages—whatever their cause.

Employing multi-factor authentication

We have been exclaiming the death of simple passwords for years, yet they persist. Weak or stolen user credentials remain a primary attack vector for adversaries, which is why strong authentication must be included in the overall security plan. Multi-factor authentication is a best-practice approach to help ensure that only legitimate users are accessing your assets, wherever they are located. Ease of integration with cloud applications like GoogleApps, Box, Salesforce and Office 365 is crucial given the risks to these SaaS platforms. Cloud Access Security Brokers (CASBs) should also be considered since they can provide comprehensive visibility into cloud application usage enhanced with user identity for improved security governance.

Monitoring for anomalies

Threat actors are really good at staying nearly invisible inside your environment mapping the network, typically looking for key systems that house sensitive data and IP. Once they are in, it’s very difficult to track their lateral movement and the assets they’ve gained access to. We’ve got to use all of the tools at our disposal to connect the dots through correlation of security-related events, monitoring of suspicious network behavior, and user behavior analytics to rapidly detect bad actors. While the objective is to automate the process of distinguishing normal from abnormal behavior, security teams will still need staff who can think outside the box so that they can flag deviant behavior — also known as the “Hunt team.”

Utilizing data-centric security

We need to be smart about which data matters and apply consistent protections on sensitive data no matter where it resides with minimal impact to business operations. HP’s Cindy Cullen provides a good summary of full lifecycle data protection requirements in her CIO Forum post. Historic security measures can be effective at helping to secure “normal” data but securing distributed data repositories can be challenging. Since data is in SaaS solutions, on mobile devices, and with third parties, I recommend using a data-centric protection scheme wherever possible. For example, leveraging Format-Preserving Encryption (FPE) allows encryption ‘in place’ in databases and applications without significant IT impact while preventing the threat agent’s use of the data even if they gain access to it.

chart

We also need to gain increased visibility into data flows with our cloud service providers and ensure that data protections are consistently applied. HP recently partnered with Adallom which will enable you to keep control of your data wherever it goes with policies and protection that follow your assets even as they are downloaded to unmanaged devices.

Participating in Threat Intelligence sharing

We are faced with numerous attack vectors and increasingly targeted attacks. Many times we are reactive to an event vs. proactive. We need to collaborate just like our adversaries are doing and share threat intelligence within trusted communities.

In this post, I have primarily highlighted five technology-based security controls to mitigate the illusion of an effective network security perimeter. However, to create a reasonable level of assurance, your security model must consider not only the technology, but also the people and processes factors as well.

Learn more about HP Enterprise Security.

from cyber security caucus http://ift.tt/1eG5ZWt
via IFTTT

Friday 29 May 2015

Winning the Cybersecurity War Within

Change is the only constant in cybersecurity. Organizations face a complicated balancing act between managing complex IT infrastructures and defending against threats. In fact, over half of the organizations surveyed in ESG’s recent report, The Endpoint Security Paradox, reported a cybersecurity shortage, and 80% agreed that managing endpoint security has become increasingly difficult over the last two years. Why? Attackers are streamlining and upgrading their techniques while companies struggle to keep pace with defenses. For the first time in the last decade, “addressing new types of malware” replaced “reducing costs” as the top IT priority, according to ESG’s IT Spending Report. Quite simply, what worked in the past is no longer working today, and organizations are learning—sometimes the hard way—that legacy endpoint practices, processes, and technologies are no longer sufficient to block attacks.

How Escalating Threats are Impacting IT Security

Symantec reported in their 2015 Internet Security Threat Report that 317 million new malware variants were introduced in 2014. Keeping up with the sheer volume of variants is daunting for organizations. Establishing visibility across multiple endpoint security products and managing the typical 3+ security clients deployed on each endpoint[i] makes moving from firefighting to process-driven protection a losing battle.

ESG’s research confirmed that too many organizations have allowed “checkbox requirements” and immediate tactical problems to undermine effective long-term security strategy. The irony is that 93% of security professionals believe they have the right endpoint security policies, processes, and technologies in place, yet over 30% are merely focused on meeting compliance requirements and nearly 40% claim that the security staff is overwhelmed with putting out cybersecurity fires.

How to Win the Cybersecurity War Within

The good news is that organizations can immediately improve their security posture by conducting a security self-assessment. Building a strong defense begins by standardizing endpoint protection and learning the product inside and out—including the core technologies beyond antivirus and the integrated advanced capabilities.

What Else Can You Do to Secure Your Organization?

Use layered protection at the endpoint—Enabling the full-protection stack in Symantec Endpoint Protection is the first step in defending against web-based attacks, unpatched vulnerabilities, drive-by downloads, mutating malware, and suspicious file behavior. For example, one of the many protection layers of Symantec Endpoint Protection is the host-based firewall. This can be used to control communication to and from the system as well as prevent someone from trying to fingerprint the system or perform a DOS attack. If the firewall component detects the attempts, it will blacklist the IP and alert the end user and admin of the attack. Other layers of defense against attacks are the Host Intrusion Prevention component, Insight™, and SONAR™. These protection technologies protect the operating system and vulnerable applications from being exploited.
Reduce the attack surface—Reduce the possible points of infection by restricting the applications allowed to run, the devices allowed to connect, and the actions a system can perform.
Keep browser plugins patched—Use the browser’s auto update or software distribution tools to install patches as soon as they become available.
Block P2P usage—Create and enforce a NO-peer-to-peer (P2P) policy, including home use of a company machine.
Turn off AutoRun—Stop network-based worms from jumping from USB keys and network drives without changing company polices on Open Shares.
Ensure all OS patches are applied—Many threats function by exploiting known vulnerabilities for which patches are available.

View the original content and more from this author here: http://ift.tt/1J9IL6m

from cyber security caucus http://ift.tt/1HXHmhC
via IFTTT

ACLU Urges US To Reward Discovery Of Cybersecurity Flaws

Law360, Washington (May 28, 2015, 5:38 PM ET) — The American Civil Liberties Union urged the U.S. government Wednesday to encourage researchers to find online security vulnerabilities by offering them rewards and making it easier to contact security personnel, as many private companies have already done.

All companies and the U.S. government should adopt standards incentivizing, rather than discouraging, reporting online security vulnerabilities, the ACLU said in a letter to the Internet Policy Task Force operating under the U.S. Department of Commerce’s National Telecommunications and Information Administration. There remain many barriers to reporting such flaws…

View the original content and more from this author here: http://ift.tt/1FeT57i

from cyber security caucus http://ift.tt/1SHgiJj
via IFTTT

Portland cybersecurity aces land $6.6M, aren’t quite done fundraising yet

A venerable Portland mobile payments company has landed a solid investment that will help it fund its technology.
Tyfone Inc. has collected $6.6 million in equity investment, according to a May 20 Securities and Exchange Commission filing. The money will fortify Tyfone’s growth efforts as it continues to expand its reach into such areas as mobile wallet protection and other cybersecurity offerings.

The filing didn’t reveal Tyfone’s current partners for the fundraise. The company could do so once the round is fully complete.

CEO Siva Narendra expects to raise another $2 million before closing the round.

The company, which expects to collect around $10 million in sales this year, counts around 200,000 users in the financial sector alone. It holds around 100 patents and employs some 90 workers worldwide.

“We’re just getting started,” Narendra said. “Identities need to be secured, transactions need to be secured and supply chains need to be secured. We’re active in all of them.”

The company raised $5 million in early 2008 and in late 2010. Those rounds backed Tyfone’s research and development as well the start of its commercialization.

Its mobile financial solutions suite includes mobile banking, mobile payments and patented smartcard-based identity management for mobile security. Its technology provides online security across many industries.

View the original content and more from this author here: http://ift.tt/1ECgIWM

from cyber security caucus http://ift.tt/1LOub3P
via IFTTT

China Preps 5-Year Cybersecurity Plan

China is prepping a five-year cybersecurity plan to protect state secrets and data.

According to Reuters, a senior official of the Ministry of Industry and Information Technology has confirmed that among the items covered will be security for software used by government departments, state-owned enterprises and financial institutions.

Former National Security Agency contractor Edward Snowden last year disclosed documents allegedly showing that the NSA and other spy agencies were in a habit of bundling spyware with American tech exports to China, prompting the country to drop several technology brands from its approved state purchase list.

Then in January, China said that they wanted to enact a plan to force foreign technology vendors that supply Chinese banks to fork over intellectual property, like proprietary source code, for inspection. Also, they would be required to adopt Chinese encryption algorithms, which would presumably make it possible for the central government to access sensitive information at will. Most vendors balked at the prospect, thus potentially leaving China with only homegrown solutions. China’s bank regulator put a temporary hold on enacting those guidelines in April while negotiations between governments played out around the proposal.

“What we have been doing very successfully (is) to make clear towards the United States government, the European government, the Japanese government (and) the government of China that this is a concern,” said Victoria Espinel, president of industry group BSA The Software Alliance. “It is not good for Chinese companies to be cut off from being able to choose the best products and services they want, it’s not good for China … as an economy.”

For now, details of the new plan are non-existent, but tech companies in the US and elsewhere are likely waiting with bated breath—clearly, rapidly industrializing China is a major market.

View the original content and more from this author here: http://ift.tt/1FjPgi5

from cyber security caucus http://ift.tt/1SH4nLz
via IFTTT

Cramer Remix: The No. 1 play in cybersecurity

Jim Cramer knows from his years of investing on the stock market that if a theme is strong enough, money will flood into it.

Right now Cramer sees two powerful industries, cybersecurity and the organic and natural food trends, with money going right into whatever investments it can find.

A perfect example of this to Cramer was when Palo Alto Networksreported its quarter on Wednesday night. While this stock may seem expensive to some, Cramer thinks it deserves to be expensive. As the premier, best-in-breed of cybersecurity companies, it stunned investors with 55 percent revenue growth and 8 percent higher sales from the previous quarter.

This all signals nothing but good news for Cramer.

“This may be the single hottest stock I follow,” the “Mad Money” host said.

About a month ago, Palo Alto’s CEO Mark McLaughlin shared with “Mad Money” that the topic of cybersecurity has recently become a board of director’s level issue. Meaning, the board members are spending an increasing amount of time thinking about how to address the problem of hacking and cybersecurity.

What does this mean? More attention to cybersecurity and a growing trend in business. Cramer loves what Palo Alto has to offer, along withCyberArk,FireEye, Fortinet and Cisco.

View the original content and more from this author here: http://ift.tt/1HViFlV

from cyber security caucus http://ift.tt/1SH07vL
via IFTTT

Australian cybersecurity program strengthens information security education

(ISC)², a not-for-profit membership body of certified information and software security professionals, and the Australian Centre for Cyber Security Strategic Alliance are partnering to strengthen cybersecurity education in Australia and Asia-Pacific region.

Through the agreement, (ISC)² will provide UNSW students and professionals in Canberra with educational courseware to help them gain the knowledge, skills and industry certifications needed to enter the cybersecurity workforce.

UNSW Canberra, on the other hand, will provide subject matter experts to assist with the delivery of (ISC)² training courses throughout the region.

The (ISC)² Certified Information Systems Security Professional (CISSP®), Certified Cyber Forensics Professional (CCFP) and Certified Secure Software Lifecycle Professional (CSSLP) CBK, a compendium of information and software security topics, will be incorporated into the existing cybersecurity program curriculum of the university.

ACCS will provide technical advice to (ISC)2 on further expanding cybersecurity education and thought leadership throughout Asia-Pacific.

“We believe that with this strategic alliance, we will together build a cohort of cybersecurity workers to serve as thought leaders in legal, policy and technical domains,” said Prof. Jill Slay AM, director of ACCS at UNSW Canberra.

UNSW Canberra is a campus of UNSW Australia that has provided high-quality undergraduate education to the Australian Defence Force at Australian Defence Force Academy (ADFA) and postgraduate education to the broader community for half a century.

It is an interdisciplinary cybersecurity research and teaching center at UNSW Canberra, which builds on the close relationship with stakeholders in Australia and internationally – industry, government, legislators, civil society and professional bodies.

“Building a global workforce requires a strategic, collaborative approach to education. By teaming up with UNSW Canberra, (ISC)² will be in a stronger position to educate information security professionals in Australia and ultimately, throughout Asia-Pacific,” said Clayton Jones, managing director, Asia-Pacific, (ISC)².

View the original content and more from this author here: http://ift.tt/1JZfagz

from cyber security caucus http://ift.tt/1JZf9Jr
via IFTTT

FDAnews Announces — Medical Device Cybersecurity Quality Assurance: Requirements, Best Practices and Innovative Approaches Webinar, June 23, 2015

Network connectivity opens up a wealth of possibilities for medical devices, but it also exposes a minefield of potential liabilities. Devices transmit data on the user’s condition to healthcare professionals, but can manufacturers be sure the information doesn’t fall into unauthorized hands? Even more vitally, if a device can send data out, malware or hackers could possibly get in. How can a manufacturer guarantee an attacker won’t be able to affect its functionality?

Before risking having devices compromised, learn both sides of the facts from two of the field’s top experts – one in systems engineering and design, the other in hacking and reverse engineering.

Learn what medical device manufacturers should be doing with their quality assurance strategies to protect their devices. Plus, learn how other industries are dealing with this issue through responsible disclosure policies and what these policies mean to the relationship with regulators.

Specifically, attendees will learn:

How a hacker views a target, what motivates them, and what makes a device a target
Real-life scenarios of cybersecurity breaches and their consequences — even an attack not aimed at a device could interfere with it
The path to incorporate cybersecurity into quality assurance and safety risk analysis and why cloud connectivity might not be a good idea
The elements of an effective, cross-functional cybersecurity team
The difference is between a “black hat” and “white hat” hacker
The best practices used to address cybersecurity in other industries, and practical ways medical device manufacturers may apply these
Information about FDA’s pre-market cybersecurity guidance released in October 2014
Policies and procedures companies may consider to prepare for FDA’s upcoming release of post-market surveillance expectations

Meet the Presenters:
Melissa Masters, RAC, (B.S., Electrical & Computer Engineering)
Ms. Masters heads Battelle’s DeviceSecure™ Services and has more than 12 years of experience in product development as a project manager, systems engineer and design engineer. She serves as the project manager and lead systems engineer on medical device development programs, as well as sustaining engineering programs. Her responsibilities include project management, task management, leading risk assessments, writing and testing system and subsystem requirements, testing of clinical and prototype devices and conducting clinical trials.

Stephanie Preston, CEH, GSEC, EIT, (B.S., Electrical & Computer Engineering)
Ms. Preston is a Certified Ethical Hacker (CEH) in Battelle’s Cyber Innovations team, where she focuses on firmware reverse engineering (x86, x86_64, MIPS, 8051), as well as application development (C/C++). She also serves as the team’s intellectual property steward, and chairs the Battelle Vulnerability Disclosure Council. Ms. Preston is a registered engineer in training (EIT) in the state of Ohio, holds a (GSEC) Global Information Assurance Certification (GIAC) Security Essentials certification, and a Certified Ethical Hacker (CEH) certification.

Who Will Benefit:

QA/QC personnel
Data management and statistics personnel
Engineering and design controls teams
Risk management specialists
Compliance officers

Webinar Details:
Medical Device Cybersecurity Quality Assurance:
Requirements, Best Practices and Innovative Approaches
**FDAnews Webinar**
June 23, 2015 — 1:00 p.m. – 3:00 p.m. EDT
http://ift.tt/1EEBoxp

View the original content and more from this author here: http://ift.tt/1EEBmWd

from cyber security caucus http://ift.tt/1EEBoxt
via IFTTT

RSA’s Innovation Sandbox 2015 to discover the next cyber security star

The conference is designed to showcase regional innovation, and will discuss cloud and data security, cyber investigation, law enforcement, among other things

Cyber security has always been an area of concern for governments and private organisations, including startups. Instances of government websites being hacked by terrorists and anti-national elements are increasing by the day, putting national security at risk. From retailers to healthcare, educational institutions to financial services — all companies are vulnerable to data breaches.

Threats aren’t restricted to specific geographic regions or types of businesses, either. Larger organisations, as well as startups, have to work with smaller suppliers and partners to protect all parts of the supply chain. No one is too small in the current security landscape and disruptive products have to be developed to address security threats.

Needless to say, cybersecurity is a headache that needs to be cured. It is with this backdrop that RSA Security — a leading computer and network security player — has been organising a number of conferences designed to encourage innovation in cybersecurity.

Innovation Sandbox Contest

RSA Security’s flagship event — Innovation Sandbox Contest — is dedicated to encouraging out-of-the-box ideas and the exploration of new technologies that have the potential to transform the information security industry. The 2015 event marks 10 years, since the event launched at RSA Conference 2005 as Innovation Station.

This year’s regional event — RSA Conference Asia Pacific and Japan 2015 Innovation Sandbox Most Innovative Start Up — will feature presentations from information security’s new rising stars, as well as demonstrations of their disruptive technologies. The conference is designed to showcase regional innovation, and will discuss topics such as cloud and data security, cyber investigation and law enforcement, governance and risk management, mobile security, security infrastructure, etc.

The shortlisted teams will have the opportunity to meet industry experts, senior-level business practitioners and thought leaders who can provide actionable feedback and guidance on the presentations they give on the day. In addition, teams will be offered a table-top exhibit to showcase their innovative solution alongside the biggest names in the cyber security field across Asia Pacific and Japan.

A representative from the winning team will also be offered a complimentary Full Conference Pass for RSA Conference 2016 (February 29 – March 4) in San Francisco, California, along with one round-trip economy flight to San Francisco and accommodation for the duration of the conference.

Realising the importance of cybersecurity

Every company, including early-stage ventures, needs a holistic security approach. Everything is interconnected, which means the threats are also linked, and we can’t just look at end-point security while neglecting user behaviour auditing. Organisations don’t have a clear picture of what kind of data they have, where they are stored, and how they are stored.

Startups are no exception. In March this year, Slack, a real-time messaging platform, was breached by hackers. Around the same time, US-based video streaming startup Twitch was also hacked. A year ago, TrueCaller, a global app directory, was hacked by hacktivist group Syrian Electronic Army, who openly released its database host ID, username and password on their official Twitter account.

These instances show that companies, irrespective of their size, are vulnerable to cyber attack. However, these incidents have prompted companies to give more importance to cyber security and they have started realising just how valuable all their files and pieces of information sitting around on their computers and servers are.

Recently, AlienVault (a developer and vendor of computer security hardware) surveyed more than 1,100 security professionals on the topic of ethics. The survey revealed that IT professionals use breaches as a way to get more money for security budgets. More than 20 per cent of respondents said they had seen their company hide or cover up a breach. 20 per cent of respondents admitted to steering auditors away from major security gaps during an audit.

The survey also found that more than half the security professionals use hacker forums or associate with black hats to stay up to date with the latest security threats and technologies. Considering the challenge security professionals face of protecting large and vulnerable security networks from nimble and faceless attackers, it’s not surprising they are willing to venture onto hacker forums to get the information they need. But it may be safer and more effective to talk with each other instead.

View the original content and more from this author here: http://ift.tt/1KBQZGa

from cyber security caucus http://ift.tt/1KCEgTI
via IFTTT

Cybersecurity, User Interface and You

Cybersecurity isn’t what it used to be. Safeguarding the information of companies and customers used to be the sole concern for those in the IT security profession—but no longer. Now, the user experience must be considered, as well.

Digital is poised to pervade every facet of life not only because it makes living easier, but also because it’s fun—by design. Likewise, to do security right, companies have to ask not just whether it works, but if it’s user-friendly—simple to navigate, reliable and pleasurable to use.

To get there, cybersecurity professionals might ask what they can learn from other professions. That might require putting on not only thinking caps, but also, at various times, an artist’s beret, Sherlock Holmes’ deerstalker, a brigadier general’s helmet, a blackjack dealer’s visor. It might require a psychologist’s couch, a teacher’s yardstick and a coach’s whistle, as well. And that’s only the beginning.

A few examples:

—Meteorologists track weather systems and consider past events to forecast where those systems will go, how they’ll behave and what risks they pose. Other industries, including retail stores and Wall Street, use trend-tracking maps, as well, and no wonder. Providing an organized, big-picture view, maps are easy to understand. Should information security professionals do the same, using data-generated maps to assess where the next systems attack might come from, who might be targeted and the nature of the breach? This would give the user a useful “big-picture” look at security threats—past, present and future.

—The pharmaceutical industry uses RFID chips to track drug shipments, and law enforcement places them in certain medication bottles to capture thieves, giving customers an added measure of confidence and safety. What if company systems tagged data in a similar fashion, tracking it wherever it goes and allowing users to retrieve theirs—to snatch it back from hackers or even recall files sent in error? Not only would users know precisely where their information was going and who was viewing it—invaluable to law enforcement—but they’d have the power to erase it instantly, hopefully before it reaches the “darknet,” the Internet’s black market.

—Credit-card companies in Europe offer “smart cards” with debit, credit and phone-card features. If lost or stolen, these cards self-destruct after a number of failed attempts to access their data. Could corporate IT security departments program data to self-destruct when someone tries to view it on an unauthorized device? Like the best security measures, this feature would protect a user’s information automatically, with no effort on their part.

—The entertainment industry has already figured out how to transform the security experience. One group of popular theme parks has eschewed the cumbersome password in favor of colorful bracelets that identify their wearers with a swipe of the wrist, unlock hotel rooms, simplify purchases and make efficient and effective security more enjoyable to use.

Most people don’t want to think about breaches, identity theft or hackers. The risks users encounter every time they log on are very real, but users don’t want to be reminded of that. Taking a cue from other professions helps to consider customers’ convenience and even their delight while keeping their information safe. How can IT professionals sugarcoat the security pill to sweeten the user experience?

View the original content and more from this author here: http://ift.tt/1GIMWFQ

from cyber security caucus http://ift.tt/1HRVls6
via IFTTT

CyberSecurity Workshop Set for June 15-19 at UVI Campuses

Sandia National laboratories and the University of the Virgin Islands are offering a CyberSecurity Workshop that will be held from 9 a.m. to 5 p.m. on June 15-19, at UVI locations: Room TED 103 (St. Thomas) and Room RTP 129 (St. Croix).
The workshop will introduce basic techniques used by Cyber Security Incident Response teams during cyberattacks. Experts from Sandia National Labs will give participants an opportunity to walk through an actual attack using artifacts such as network packet captures and physical memory images. Open source tools such as wire shark, volatility and autopsy will be used to conduct forensics on memory images from systems that have been compromised.
The workshop will combine lectures and hands-on exercises that are designed for faculty, college students and IT professionals with basic knowledge of Windows and Linux operating systems, and programming experience. To follow practical labs, participants are required to bring a laptop with at least 8GB of RAM.
The workshop is funded by the U.S. Department of Energy, National Nuclear Security Administration with the support of Sandia National Laboratories and the Consortium Partners.
Register for the workshop at: http://ift.tt/1HAqYRB
Contact and Information:
St. Thomas: Dr. Marc Boumedine at 693-1255 or mboumed@uvi.edu
St. Croix: Dr. Alan Lewit at 692-4147 or alewit@uvi.edu

View the original content and more from this author here: http://ift.tt/1HAqXgv

from cyber security caucus http://ift.tt/1SGA5sm
via IFTTT

Thursday 28 May 2015

Cyber-security: We must step up to the plate before it’s too late

Today, the European Parliament debated cyber-attacks against the media as threats to cyber security reach new heights. The attack on the French TV channel TV5 Monde on 8 April 2015 highlighted Europe’s vulnerability to high-tech cyber criminality. “Our communication infrastructure, our knowledge and our privacy are being challenged in this digital age. Free flows of online services through a better connected digital single market will invariably increase the need for more security, especially more cyber security. Already now we are witnessing new levels of threats to cybersecurity,” said Mr Axel Voss, the EPP Group spokesperson.

At the moment EU lawmakers are negotiating the EU cyber security strategy and the Directive on Network and Information Security (NIS). Just a few weeks ago the European Commission presented its new European Agenda on Security and also separately the Digital Single Market agenda.

Axel Voss coninued: “Cyber-attacks against the media, cyber-attacks against companies and private persons but also cyber-attacks against airplanes are negatively affecting lives of innocent EU citizens. Crime has reached a complete new level in terms of digitalisation. These Cyber-attacks are causing collateral damage as much as arms are. It is our responsibility to fight cyber-attacks through implementing suitable laws and structures to better protect EU citizens and infrastructure.”

View the original content and more from this author here: http://ift.tt/1LIHfXR

from cyber security caucus http://ift.tt/1J9CCad
via IFTTT

ACLU: Feds should offer rewards for finding cybersecurity flaws

The American Civil Liberties Union is calling on federal officials to make it easier for people to report security flaws in government computer systems, including by offering rewards.

The group told the Department of Commerce Internet Policy Task Force in a letter Wednesday to provide financial incentives for security researchers who bring flaws to the government’s attention. Such rewards are common practice at large tech firms.

“For far too long, researchers who discovered a security vulnerability have had to make a difficult choice: do the right thing — by telling the company responsible for the software or warning the general public — or sell the vulnerability, often to a government, which would then quietly exploit that flaw for its own gain,” the group said in its letter.“In an effort to disrupt this shadowy grey market and to provide some financial reward to researchers who notify the responsible vendor or developers, some leading technology companies have created ‘bug bounty’ programs.”

The civil liberties group noted that the U.S. government often pays researchers for vulnerabilities so that federal law enforcement can exploit them — but does not offer payment for simply notifying developers about flaws in their work.

“In spite of the billions of dollars spent annually by the U.S. government on cybersecurity, we are not aware of any U.S government agency that has established a bug bounty program intended to reward researchers who find flaws in U.S. government systems and websites,” the letter said.

The group also asked the task force to recommend that government agencies publish the contact information for their security teams and implement policies to assure researchers they will not face legal troubles if they report a vulnerability.

“It is imperative that government agencies and companies take every possible measure to both protect the security of their systems and websites,” the group said, “and to improve the process of computer security vulnerability disclosure in order to encourage the reporting of exploitable programming flaws and design mistakes.”

View the original content and more from this author here: http://ift.tt/1FFRI4T

from cyber security caucus http://ift.tt/1FFRI4U
via IFTTT

Internet safety lessons make the GCSE syllabus as schools teach awareness of cyber crime

Schools will teach pupils about the threat posed by cyber crime as part of a new computer science GCSE.

They will learn about phishing scams – illegal attempts to obtain passwords or credit card details – and how to stop them, for instance by strengthening passwords.

Steven Kenny, of exam board AQA, said: “Cyber crime is a growing threat and it’s vital young people know how to protect themselves.

“There will also be a greater need for cyber security professionals in the future and this subject will provide them with a knowledge of the basics on which to build.

“Our course isn’t about getting students to regurgitate their knowledge in an exam, but helping them to really understand cyber security from the inside out – from both the point of view of a user and a developer of computer systems.

“The course will really help students to think about the implications and impacts of digital technology.”

Tony Anscombe, of security experts AVG Technologies, said: “Teaching the next generation to be cyber security aware is a really important development.

“A lack of understanding around online security can lead to many issues – in the last 12 months we have seen major data breaches such as Sony, which might directly affect this generation of students.

“A major issue for this generation will be the ability to control data related to their identity and to manage their privacy.”

View the original content and more from this author here: http://ift.tt/1Fd4UuB

from cyber security caucus http://ift.tt/1Fd4Uej
via IFTTT

NYC curtails use of credit history in hiring and other employment decisions; exempts cybersecurity jobs

On May 6, 2015, New York City became one of about a dozen jurisdictions that prohibit or restrict the use of consumer credit history in hiring and other employment-related applications. NYC joins California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, and Washington. There are exceptions, however, including for some jobs implicating cybersecurity concerns.

Law Intro. 261-A amends NYC’s Human Rights Law and — with exceptions — makes an employer’s use of an applicant’s or employee’s “consumer credit history” for employment purposes an unlawful discriminatory practice. The law prohibits discrimination against an applicant or employee in hiring, compensation, or the terms, conditions, or privileges of employment, based on the individual’s credit history. The bill’s prohibition applies to New York City employers, labor organizations, and employment agencies of four or more individuals.

The law defines “consumer credit history” expansively to include the information candidates and employees might provide directly to the employer. The term encompasses an individual’s credit worthiness, credit standing, credit capacity, or payment history, as this information is reflected by (a) a consumer credit report (generally, at the term is defined in the FCRA); (b) credit score; or (c) information an employer obtains directly from the individual. Within the statute’s scope is the information individuals provide directly to employers regarding their (a) credit accounts, including the number of credit accounts, late or missed payments, charged-off debts, items in collections, credit limit, prior credit report inquiries; or (b) bankruptcies, judgments or liens.

The law sets out several exceptions to the prohibition on use consumer credit reports. Specifically, the prohibition does not apply to:

Positions requiring a high level of public trust, such as police officers or others in a position with a law enforcement or investigative function.
Employers required by state or federal law or regulations, or by a self-regulatory organization, to use an individual’s consumer credit history for employment purposes.
Positions involving regular access to trade secrets, intelligence information, or national security information; notably, the “trade secret” exception does not apply to access to general proprietary company information, such as handbooks and policies or client, customer, or mailing lists.
Positions in which the employee has signatory authority over third party funds or assets valued at $10,000 or more, or that involves a fiduciary responsibility to the employer with the authority to enter financial agreements valued at $10,000 or more on behalf of the employer.
Positions for which an employee is required to possess security clearance under federal law or the law of any state.

In a nod to the ever-present cybersecurity concerns, the law does not apply to positions where the employee has the ability or right to modify digital security systems established to prevent the unauthorized use of the employer’s or client’s networks or database.

The law provides for private right of action, and plaintiffs may seek back pay, reinstatement or other equitable relief, compensatory and punitive damages, and attorneys’ fees and costs.

To assist in monitoring compliance by the city’s employers, the NYC Commission on Human Rights will request employers to provide information about their use of the statute’s exemptions, and will subsequently report back to the New York City Council on the results of the requests and feedback from employers.

Our take

The New York City law further limits a practice that was prevalent in the past, but has lost popularity after the EEOC (unsuccessfully) asserted that the use of credit reports in hiring and other employment context was discriminatory, and many states prohibited the practice.

View the original content and more from this author here: http://ift.tt/1Qdjet6

from cyber security caucus http://ift.tt/1J9p4eF
via IFTTT

National Collegiate Cyber Defense Competition: Addressing The Cybersecurity Professional Gap

A team from the University of Central Florida (UCF) recently showed off their cybersecurity skills when they took home first prize in the National Collegiate Cyber Defense Competition (NCCDC), hosted by the University of Texas at San Antonio (UTSA) last month. This is the second year in a row that UCF has won.

During the NCCDC, college students from 10 universities attempted to keep a business running while weathering constant cyberattacks. The point is to evaluate whether the competitors can keep an online business system up and running against hackers. They are expected to detect and respond to outside threats, keep existing operations such as mail servers running, and balance the needs of the business against the needs of security.

Ten regional competitions were held all over the country, and the winners of these regional competitions advanced to the nationals. The University of California at Berkeley placed second and the Rochester Institute of Technology placed third in the national competition.

In 2005, a group of educators at UTSA founded the first NCCDC. These teachers and administrators wanted to find a way to promote interest in cybersecurity among college students. They thought that a competition might motivate more universities to teach about cybersecurity. The Center for Infrastructure Assurance and Security at UTSA hosted the Southwestern Regional Competition of the Collegiate Cyber Defense Competition in April 2005.

The main sponsor of the event is Raytheon, the fourth-largest defense contractor in the US by revenue, earning approximately $25 billion a year. It manufactures many different communications and intelligence systems, which can be vulnerable to cyberattacks.

Over the past several years, US businesses have discovered their vulnerability to cyberattacks, which continue to grow in number and sophistication. In 2014, hackers referring to themselves as the Guardians of Peace infiltrated Sony Pictures servers and released private information about employees as well as emails and other information. They were attempting to stop the release of the Sony film, The Interview, which revolved around a plot to kill North Korean leader Kim Jong-un. Many cybersecurity experts feel North Korea was behind the attacks, although it has denied any involvement.

In response, as Homeland Security Today previously reported, House Committee on Homeland Security Chairman Rep. Michael McCaul (R-Texas) said, “Nation-state actors are increasingly hacking into US companies and government networks to steal intellectual property and secrets without consequence.”

“If North Korea has these capabilities, imagine what damage nation states like Russia, China, and Iran can cause our nation’s vital networks that control our power grid, energy, and water supplies or other critical infrastructure. We must do more to ensure our nation is able to prevent, detect and respond to the growing cyber threat,” McCaul added.

In addition, a group known as the Syrian Electronic Army has attacked different US news organizations, including the Associated Press and The Washington Post. In 2013, the group briefly shut down The New York Times website.

On February 13, the White House held a cybersecurity summit at Stanford University to address cyberattacks stemming from foreign nations. Many different individuals and organizations attended the summit, from Tim Cook, the CEO of Apple, to law enforcement officials and students.

“It’s one of the great paradoxes of our time that the very technologies that empower us to do great good an also be used to undermine us and inflict great harm,” President Obama said at the summit. “The same information technologies that help make our military the most advanced in the world are targeted by hackers from China and Russia who go after our defense contractors and systems that are built for our troops.”

A study released by Raytheon, 2015 Global Megatrends in Cybersecurity, suggested cybersecurity and cybersecurity experts will become more important. The survey identified trends Raytheon expects to happen in the future: Cybersecurity becoming a comparative advantage by business; employees will receive more training in online security; and cybersecurity readiness will increase, among others.

However, the study suggested there are not enough cybersecurity specialists currently active, with 66 percent of the IT professionals who responded stating that their companies need more such experts.

As we enter a world where cyberattacks become common, the sponsors and hosts of the NCCDC want to focus on getting a new generation of American citizens ready to fight them.

“The talented men and women who demonstrated their impressive skills at the 2015 National Collegiate Cyber Defense Competition give us great confidence in the ability of the next generation of cyber defenders to guard our critical cyber infrastructure,” Dave Wajsgras, president of Raytheon Intelligence, Information and Services, said in a statement. “Because of Raytheon’s efforts and those of the other sponsors, we are helping to develop the cyber security workforce of the future.”

View the original content and more from this author here: http://ift.tt/1G3sTTT

from cyber security caucus http://ift.tt/1HyuwUc
via IFTTT

THE CYBERSECURITY INFANTRY, PART I: RETREAT FOR ADVANTAGE

Read retired Marine H. John Poole’s Phantom Soldier. It doesn’t matter if you’re not in the infantry; read it anyway. It will open your eyes to the Eastern way of small-unit tactics. And while you’re reading it, contemplate the manifold parallels to cybersecurity. It will open your eyes to the global and all-pervading way of modern conflict on the plane of computer and communication systems.

While the squad leader and the cybersecurity professional might consider themselves residents of separate worlds, strong conceptual parallels exist between their domains. Before discussing specifics, it’s worth reviewing some of the core differences between the Eastern and Western perspectives. In Poole’s words,

IF ONE WERE TO SUMMARIZE THE DIFFERENCES BETWEEN EASTERN- AND WESTERN-STYLE ARMIES, ONE MIGHT SAY THAT THE FORMER GENERALLY DO A BETTER JOB OF HARNESSING THE PERCEPTIONS AND COMMON SENSE OF THE PEOPLE IN CONTACT WITH THE ENEMY. DECEPTIVE AND MULTIFACETED, THIS ALTERNATIVE “STYLE OF WAR” IS DIFFICULT FOR THE WESTERN, “TOP DOWN” THINKER TO COMPREHEND. AT TIMES, IT EMPLOYS MASSIVE FIREPOWER; BUT MORE OFTEN, IT RELIES ON SURPRISE. ITS ESSENCE LIES NOT IN ESTABLISHED PROCEDURE, BUT RATHER IN FLEXIBILITY TO CHANGE. IT ENCOURAGES ITS PRACTITIONERS TO SHIFT RAPIDLY BETWEEN OPPOSITES—TO ALTERNATIVELY USE ONE MANEUVER AS A DECEPTION AND ITS REFLECTION AS A FOLLOW THROUGH. ((POOLE, PHANTOM SOLDIER, P. 13.))

To put this in Western terms, the Eastern perspective intuitively embraces systems thinking and includes a strong bottom-up aspect. Throughout his discussion of the Eastern approach, Poole peppers his narrative with multiple examples of how the Eastern approach influenced infantry engagements during World War II and Vietnam. In several of the cases, it’s actually a bit disturbing to read just how obstinate Western tacticians and leaders remained in the face of a more fluid way of fighting. It reinforces the notion that you see precisely what you want to see.

But how does this relate to cybersecurity? Several points of connection exist throughout the book. Here I introduce one with the intent of introducing more in follow-on posts.

Prior to reading Phantom Soldier, I seriously underestimated the importance of the ancient stratagem “[When the situation is growing hopeless,] running away [in good time] is the best stratagem.” ((Harro von Senger, The 36 Stratagems for Business, p. 189.)) I considered this, the last of the 36 stratagems, to be the stratagem of desperation, pursued only when all options have failed. The examples in Phantom Soldier caused me to reconsider. In fact, as Poole notes, “Of the 36 ruses, the last—running away—is probably the most important [italics mine] and least understood. When continuing to fight holds no strategic import, the Easterner will secretly withdraw.” ((Poole, p. 29.))

In support of this point, Poole cites the preface of the version of the 36 stratagems published by the Foreign Languages Press in Beijing. In fact, the opening sentence of the preference is “‘Of the 36 strategies, running away is the best choice.’” ((The Wiles of War: 36 Military Strategies from Ancient China, p. i.)) It’s on my shelf, but I never caught that. I’m not sure how I missed it, but I don’t think it would have meant much without reading the examples in Poole’s book, where he cites several cases of infantry employing efficacious tactical withdrawals. In one case, for example, a Japanese patrol on Guadalcanal engages Evans Carlson’s 2nd Raider Battalion, only to retreat. Poole follows the example by noting once again, that “While considered less than manly in the West, running away has always been tactically valid in the East. It helps a valued resource to live to fight another day. It also helps him to bait a trap.” ((Poole, p. 51.))

In another case, Poole discusses at length a harrowing engagement between U.S. Marines and Chinese troops at the southern end of the Chosin Reservoir in November 1950. Amid Poole’s discussion, we find this quote from Eric Hammel’s Chosin: Heroic Ordeal of the Korean War: “[L]ight probes were launched by very small Chinese groups along the Fox/5 line. The Chinese recoiled whenever they met resistance, but by drawing fire they exposed the locations of … Marine automatic weapons.” ((Hammel, pp. 56–59, as quoted in Poole, p. 90.)) Once again, tactical probing and withdrawal was used intentionally to shrewd effect. This isn’t to say that Western infantry units have never employed such a maneuver; it’s merely another example among many of a common and longstanding theme in Eastern small-unit tactics.

It’s also interesting to note how the various stratagems can be used to complement one another. In the Chosin example, the Chinese units combined stratagem 13 (“Beat the grass to frighten the snake”) with stratagem 36 (running away) to yield a deadly synergy. ((Note that not all presentations of the 36 stratagems employ the same numbering scheme.)) To summarize, then, a tactical engagement followed by a timely withdrawal can be used not only to setup an ambush, it can also be used to reveal information, a fact made clear in the full translation of stratagem 13: “Ascertain the doubtful; find out about the enemy before taking action. Return and bring the enemy’s secrets to light.” ((Wiles of War, p. 115.))

One more point of interest shows up in the Wiles of War translation of stratagem 36: “Evade the enemy to preserve the troops. The army retreats: No blame [italics mine].” ((Wiles of War, p. 328.)) This may be the most significant difference between the Eastern and Western perspective on the timely retreat: in Western culture, a retreat—no matter how justified—is viewed as a failure and subject to blame and recrimination, regardless of the fact that it may represent the best choice and offer a tremendous opportunity for learning. In this, the Eastern way is superior and represents tremendous wisdom. Learning is difficult when superior options are culturally forbidden and, when taken, lead to blame.

Turning to the domain of cybersecurity, it’s possible to extract several lessons. In the highly fluid world of cybersecurity, no attacker should adopt a rigid attitude of “no retreat,” and it’s doubtful that many do. For whatever reason, the nature of conflict on the cyber plane lends itself more intuitively to the systems-oriented, bottom-up perspective. As noted above, however, the value of the stratagem 36 lies not simply in the maxim “don’t retreat” but more importantly in the maxim “retreat for advantage.”

An attacker, for instance, might probe a system and withdraw simply to induce a defender to believe that his or her system is sufficiently secured. Alternatively, an attacker might attack and withdraw repeatedly to condition a defender to look in the direction of the attack and overlook attacks coming at other times from other directions. Finally, an attacker might engage and retreat simply to learn, as stratagem 13 suggests. The options available to the attacker are, if not endless, at the very least abundant enough to put the inelastic defender who thinks only in terms of the tangible at a tremendous disadvantage.

Clearly, a disconnect arises when the culturally “Western” defender views cybersecurity in terms of traditional conflict and expects the adversary to act accordingly. To lessen this disadvantage, the defender should ask (1) if everything is as it appears to be, (2) what the attacker wants the defender to do, and (3) what the attacker might have learned from the engagement. Additionally, the defender should always remember that an apparent retreat on the attacker’s part does not mean that the defender has “won” the engagement; indeed, the defender who believes this is quite possibly facilitating the attacker’s longer-ranged plan to deliver a doubly painful surprise somewhere down the road. Finally, the savvy defender will maintain an active learning loop, in which knowledge gained from observing fluid attackers is fed back into his or her defense.

View the original content and more from this author here: http://ift.tt/1Bq5jcA

from cyber security caucus http://ift.tt/1G3jdbY
via IFTTT

Cybersecurity: Russian crooks suspected in hacking of IRS

WASHINGTON — IRS investigators think the thieves who stole the personal tax information of more than 100,000 taxpayers from an IRS website are part of a sophisticated criminal operation based in Russia, two officials said.

The information was stolen as part of an elaborate scheme to claim fraudulent tax refunds, IRS said Commissioner John Koskinen, who declined to say where the crime originated.

But two officials briefed on the matter said on Wednesday that the IRS thinks the criminals were in Russia, based on computer data about who accessed the information.

An IRS spokeswoman said on Wednesday that the agency couldn’t comment on the investigation.

If true, it’s not the first time the IRS has been targeted by identity thieves based overseas.

In 2012, the IRS sent a total of 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai, according to a report by the agency’s inspector general. The IRS has since added safeguards to prevent similar schemes, but the criminals are adapting.

The information was taken from an IRS website called “Get Transcript,” where taxpayers can get tax returns and other tax filings from previous years. In order to access the information, the thieves cleared a security screen that required detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax filing status and street address.

The IRS thinks the criminals originally obtained this information from other sources. They were accessing the IRS website to get even more information about the taxpayers, which would help them claim fraudulent refunds in the future, Koskinen said.

The thieves already have used some of the information to claim as much as $50 million in fraudulent refunds, Koskinen said.

The IRS thinks the thieves started targeting the website in February. Technicians discovered the breach about two weeks ago, when they noticed an increase in the number of taxpayers seeking transcripts. The website was shut down last week.

The IRS said it is notifying taxpayers whose information was accessed and providing them with credit-monitoring services.

View the original content and more from this author here: http://ift.tt/1eA6LV0

from cyber security caucus http://ift.tt/1eA6LV1
via IFTTT

University cybersecurity experts bombarded with smarter, more persistent hackers

Hackers have become more advanced during Carl Powell’s decades of information technology and higher education experience.

“The hackers used to be experimental idiots,” said Powell, the chief information officer atEastern Michigan University. “Nowadays, they are very skilled and knowledgeable. They take their time.”

Powell and other university cybersecurity experts said they are bombarded daily with attempts to hack into their systems to gain access to sensitive information, such as Social Security numbers and medical records.

“There might be higher concentrations at certain times, like long weekends and holidays when things are going to step up,” said Edward Tracy, associate vice president of technology services for the University of Detroit Mercy. “They know your human resources aren’t watching 24-7 but, thankfully, the technology is there.”

That’s a common theme among chief information officers and other college and university cybersecurity experts, who say that trying to thwart hackers is nothing new to them but that it has received more attention recently because of high-profile, large-scale breaches at companies such as Target Corp. and Home Depot Inc.

“It’s a con game that’s been going on for decades,” Powell said.

Experts say colleges and universities are prime targets for attacks because of the vast amount of personal information they keep about students, faculty and employees.

“There are attempts made every day,” said Joseph Sawasky, CIO and associate vice president of computing and information technology at Wayne State University. “On a weekly basis, we are probed millions of times from places in China, primarily. Ninety percent of the probes are turned away at the outset.”

But not all.

Powell said that in 2010, “a guy who hated Microsoft” gained access to an EMU student’s email account so he could “send hate mail to Microsoft on his behalf.”

The Privacy Rights Clearinghouse Chronology of Data Breaches says 727 breaches of education occurred at institutions between 2005 and 2014, making public more than 14 million records. Those breaches were in higher education as well as trade schools, K-12 schools and school districts, and nonprofit organizations in the education sector.

The Privacy Rights Clearinghouse reported that 17 known hacking breaches have occurred in Michigan since 2005, involving Michigan State University, Jackson Community College,Genesee Intermediate School District, University of Michigan, Calhoun Area Career Centerin Battle Creek, EMU, Western Michigan University and Ferris State University.

The Educause Center for Analysis and Research — a nonprofit IT organization with offices in Washington, D.C.; Louisville, Ky.; and Colorado — reports that although the education sector has the second-highest number of reported security breaches, fewer records were exposed during those breaches, representing just over 1 percent of the total records exposed between 2005 and last year.

Donald Welch, chief information security officer for UM, said successful hacks have occurred at the university but he declined to elaborate.

“Every institution fights off attacks all the time, and some of them are successful, but there hasn’t been a huge one like at the University of Maryland,” Welch said.

Last year, the university, in College Park, reported that a database with nearly 280,000 faculty, staff and student records was breached. Those records included names, Social Security numbers, birthdays and university identification numbers of students who attended Maryland between 1992 and 1998 and all faculty, students and staff who had a university ID between 1998 and Feb. 18, 2014. In response to the breach, the university offered free ID protection software for five years, investigated its information and computing systems and formed a task force on cybersecurity, and held seminars on data security. The cause of the breach remains under investigation.

It’s not hacking attempts from students looking to change their grades, for example, that keep college and university cybersecurity experts awake at night. Instead, it’s highly sophisticated organizations and governments outside the United States, Welch said.

“The threats are very real. They range from small operators who may not have much malicious intent, all the way up to organized crime, to national organizations, NGOs (nongovernmental organizations) that want to do our society harm and everything in between.”

Russia. China. North Korea — all are serious causes of concern.

And they are becoming increasingly sophisticated, said UDM’s Tracy, citing a phishing incident involving the university’s president, Antoine Garibaldi, and its controller, James Priskey.

“There was an email that appeared to come from our president to our controller asking him to provide information on how to wire money to a location,” Tracy said. “Our president would never ask for that. He would say, ‘You wire the money to that location.’ Our controller laughed. It was creative because they got the real name of the president and the real name of the controller.’ ”

In their efforts to combat attacks, colleges and universities in Michigan employ a range of strategies, ranging from antivirus software to firewalls to a tactic akin to vaccination and just about everything in between.

“We conduct a periodic penetration test where we hire firms that probe your system and let you know where your vulnerability is,” Sawasky said. “It’s kind of a health check, a full annual physical.”

Barbara Ciaramitaro, a professor of information technology and director of the Center for Cybersecurity Leadership at Walsh College in Troy, said colleges and universities are particularly at risk for hacking because of their culture of openness.

“We don’t do background checks on our students. We don’t control the people who are using the technology,” Ciaramitaro said. “We cannot put the same levels of controls on, so it becomes a tremendous challenge to be able to protect the data.”

She said that the number of attacks will continue to increase and that they will become far more sophisticated, ranging from hackers not merely stealing data but altering it, for example.

“Dick Cheney had to wear a lead vest because pacemakers are connected to the Internet and can be hacked,” she said, referring to the former vice president. “Will it be possible to take control of your insulin pump? Your car?”

And there won’t be a day again when institutions of higher education no longer have to worry about cyber threats, Ciaramitaro said.

View the original content and more from this author here: http://ift.tt/1FEZgF6

from cyber security caucus http://ift.tt/1BrsumV
via IFTTT

IRS cybersecurity breach touches lives of homebuyers, others

Al Radeshak hopes to close on a house in North Irwin in July.

He’s lining up movers and has most of the paperwork in order.

There’s one hang-up: He can’t get his federal tax records.

“It could affect the closing date,” Radeshak said. “I have an (interest) rate locked in for July 1. If that doesn’t happen, my rates could go up and cause a big mess.”

The mess is much bigger than Radeshak. On Tuesday, the Internal Revenue Service said thieves had stolen information of 100,000 taxpayers using the online system for getting transcripts of their federal income tax filings. The breach surfaces as would-be homebuyers, such as Radeshak, have been frustrated by delays in obtaining those transcripts, which more mortgage lenders are requiring since the housing crisis.

It is not clear whether the breach, which occurred February to May, delayed legitimate online requests. An IRS spokeswoman declined to comment while the breach is under investigation. The agency has stopped processing tax transcript requests online temporarily and says it will send them out by mail.

The situation highlights the struggles of a federal agency decimated by budget cuts even as it attempts to improve security and handle a higher volume of work.

Hoping to avoid the poor documentation practices during the housing bubble, many lenders are requiring tax transcripts as proof of a borrower’s income. They want these to come straight from the IRS, instead of from borrowers, to avoid potential forgeries.

That has fed increasing requests for tax transcripts even as the IRS has fewer resources to manage them. The agency’s budget has been cut 10 percent, or $1.2 billion, during the past five years despite having to process more returns. In response, the IRS has been offering more automated services online.

But offering easy access to taxpayer information online exposes the agency to greater risk of fraud, said Andy Tormasi, federal project manager for Tiversa, a Downtown cybersecurity firm.

“They want to make this very user friendly and helpful to people,” Tormasi said. “But they slip up on the security aspect.”

The IRS could put the information in a vault and it would be more secure, or give all taxpayers a personal identification number to enter online that would curtail fraud, Tormasi said. But there is increasing pressure to make tax information easily accessible.

Online tax transcript requests — from individuals, lenders and credit agencies — have more than quadrupled in the past five years, to 18.5 million in 2014 from 3.9 million in 2010, according to IRS data. That higher volume and, more recently, problems related to the breach may have led to delays, Tormasi said.

In the past few months, document requests that once took a day or two are now taking weeks to process, according to real estate professionals, adding another barrier to closing on home purchases at a time when the market is heating up.

Most mortgage companies use third-party data processors, such as CoreLogic, to submit transcript requests to the IRS. Online requests from anyone who is not the actual taxpayer invites heightened scrutiny from the IRS, Tormasi said.

Any inconsistency between the application and the original tax filing — a comma out of place, a dropped initial — results in a rejection from the IRS over fraud concerns, brokers said. Even clean applications are turned away with no explanation.

“We have a perfect request, and it’s still delayed,” said Sonny Bringol, owner of Victorian Finance in Bridgeville. “And I don’t know why.”

Karmen Pugh, 37, of East Pittsburgh said she still doesn’t know why the IRS refused to release her transcripts in April. She called the IRS for an explanation. She was told she had a fraud alert on her account but received no other details.

“I said, ‘I didn’t even know there was a fraud alert on my account,’ ” Pugh said. “(The IRS employee) said, ‘Well, this is to protect you. I said, ‘I understand that, but I’m trying to buy a house. I’m giving you permission to release them.’ ”

Weeks later, she was able to get the documents faxed to her lender in time for her closing this Friday. Until then, she was racked with anxiety.

“It was a very frustrating experience,” she said. “We spend all this time trying to find a particular house in a neighborhood we wanted and it could be gone because of a fraud alert I never knew was on my account.”

Brokers and borrowers have been searching for ways to work around the issue. Bringol said he puts in the request earlier, anticipating delays.

Radeshak is still looking for a way to get his transcripts. The IRS rejected his lender’s request several weeks ago for reasons unknown to him. On Friday, he said, he spent nearly two hours on the phone with the IRS before his phone ran out of power and forced him to hang up.

In the meantime, he is meeting with movers, scheduled a closing date and trying to take care of other details to move.

He is concerned that his information may have been compromised in the IRS data breach, but said he isn’t losing sleep over it. He just wants his documents.

“With everything else going on,” he said. “You don’t need anything else in your life.”

View the original content and more from this author here: http://ift.tt/1QcNogn

from cyber security caucus http://ift.tt/1J4TMXS
via IFTTT