This is an interesting article that ran in Bloomberg May 08 covering the growing threat of cyber espionage against critical infrastructure and financial institutions. Threat intelligence, such as described in the article, is shared through the ISAC (Information Sharing and Analysis Center) groups. eSentire provides bi-directional threat intelligence and remedation tactics to FS-ISAC which focuses on threats to financial institutions.
Advanced cyber attack tools have become readily available for use by foreign governments and terrorists to infiltrate or cripple U.S. computer networks, two federal law enforcement officials told a congressional panel.
Dozens of countries now have sophisticated cyber espionage capabilities and terrorists want to “digitally sabotage” U.S. power grids or water supply networks, Joseph Demarest, assistant director of the Federal Bureau of Investigation’s cyber division, said in prepared testimony for a Senate hearing today.
“The tools and expertise to perpetrate a cyber attack with physical effects are readily available for purchase or hire,” he said.
President Barack Obama and intelligence officials have said one of their top policy priorities is preventing cyber attacks that could disrupt banks, telecommunications networks, utilities or other vital services. Lawmakers have renewed their efforts to advance cybersecurity legislation after Congress failed last year to pass a bill. The Senate Judiciary Subcommittee on Crime and Terrorism is holding a hearing today on how the government and private sector are responding to cyber threats.
The advanced cyber tools that Symantec Inc. has found recently being used for attacks include large scale data breaches that last year exposed about 93 million identities, “watering hole attacks” that target visitors to legitimate websites and the use of an estimated 3.4 million bot zombies around the world last year, according to the testimony of Cheri McGuire, Symantec’s vice president for global affairs and cyber-security policy.
Cybersecurity threats posed by foreign governments and terrorist groups against U.S. networks are growing, Jenny Durkan, U.S. Attorney for the Western District of Washington, said in prepared testimony for the hearing.
“Although to date they have resembled in some ways the crimes perpetrated by financially motivated criminals, their emergence and evolution make the threat of cyber-generated physical attacks, like those that might disrupt the power grid, appear no longer to be the stuff of science fiction,” she said.
To help prevent attacks, the Justice Department is establishing cells of cybersecurity specialists “to focus on particular high-priority cyber targets,” Durkan said. She said one cell is operational, without providing details.
There’s been “an uptick” in cyber attacks against U.S. electric companies this year, Carl Herberger, a vice president for the network security firm Radware Ltd. (RDWR), said in a phone interview.
Information-technology systems at three different electric companies were temporarily knocked off-line by cyber-attacks this year, said Herberger, whose company is based in Tel-Aviv with offices in New Jersey. He declined to discuss specifics or name the companies.
“We are being out-gunned,” he said. “The trade of malicious and nefarious tools and techniques is at an ever-increasing high point and has tipped in favor of the perpetrator.”
U.S. intelligence agencies have concluded that groups in China and Russia are responsible for electronic intrusions into U.S. computer networks and the theft of intellectual property, Durkan said.
A bipartisan group of senators introduced a bill yesterday that would require the Obama administration to identify foreign countries that steal U.S. trade secrets, as well as possible actions to punish them, including blocking imports of products from companies that benefit from the theft.
The bill, which didn’t have a number, was introduced by Michigan Democrat Carl Levin, chairman of the Senate Armed Services Committee, and West Virginia Democrat Jay Rockefeller, chairman of the Senate Commerce Committee, along with Arizona Republican John McCain and Oklahoma Republican Tom Coburn.
“We need to call out those who are responsible for cyber theft and empower the president to hit the thieves where it hurts most -- in their wallets, by blocking imports of products or from companies that benefit from this theft,” Levin said.
April 23, 2013, The Charles Schwab & Co. website went down towards the end of the trading day at around 3:45 PM EDT (coincidentally, around the time Apple announced its earnings). In response to the first attack, the following statement was issued on the Schwab press room site:
APRIL 23, 2013 — "Shortly before the stock market closed today, we experienced an exceptionally high volume of website traffic which we believe was related to a denial-of-service attack. At all times, phone access to Schwab service professionals (800-435-4000) was available, although for a brief time immediately before market close call volumes were high. Web access was largely restored in approximately one hour and forty minutes. We deeply apologize to our valued clients for the inconvenience."
A second attack the following day was confirmed by RIA Biz who contacted Schwab's spokesperson, Greg Gable, after they failed to access the site again the next day. The response from Gable was as follows: "We’re having intermittent access issues to our website due to a denial of service attack similar to yesterday which we’re actively addressing."
The US House of Representatives has passed the controversial Cyber Information Sharing and Protection Act.
Cispa is designed to help combat cyberthreats by making it easier for law enforcers to get at web data.
This is the second time Cispa has been passed by the House. Senators threw out the first draft, saying it did not do enough to protect privacy.
Cispa could fail again in the Senate after threats from President Obama to veto it over privacy concerns.
A substantial majority of politicians in the House backed the bill.
The law is passing through the US legislative system as American federal agencies warn that malicious hackers, motivated by money or acting on behalf of foreign governments, such as China, are one of the biggest threats facing the nation.
"If you want to take a shot across China's bow, this is the answer," said Mike Rogers, the Republican politician who co-wrote Cispa and chairs the House Intelligence Committee.
Cispa has also secured the backing of several technology firms, including the CTIA wireless industry group, as well as the TechNet computer industry lobby group, which has Google, Apple and Yahoo as members. By contrast, the social news website Reddit has been vocal in its opposition to the bill. In March, Facebook said it no longer supported Cispa.
The bill could fail again in the Senate after the Obama administration's threat to use its veto unless changes were made. The White House wants amendments so more is done to ensure the minimum amount of data is handed over in investigations.
The American Civil Liberties Union has also opposed Cispa, saying the bill was "fatally flawed". The Electronic Frontier Foundation, Reporters Without Borders and the American Library Association have all voiced similar worries.
Cispa's authors say existing amendments have addressed many of the criticisms and more oversight was being given to data before it was handed over.
Read original article.
are reporting that aviation agencies in Europe and the US are keen to quiz a hacker who targeted flight deck computers. Security researcher Hugo Teso was able to "hijack" the systems to feed false navigation information to a simulated jet that made it change course. Mr Teso built his simulator using spare parts from real jets for sale on the eBay auction site. Authorities say actual flight computers are not compromised by his work but want to find out more. The loopholes in the flight management system were detailed by Mr Teso during a presentation to the Hack In The Box conference in Amsterdam. Mr Teso, who is also a qualified commercial pilot, said he had spent the past four years investigating the many different computer and data systems found on aircraft which help them fly and navigate safely. "I expected them to have security issues but I did not expect them to be so easy to spot," he said. "I thought I would have to fight hard to get into them but it was not that difficult." Mr Teso set out to find a way to subvert the flight management systems (FMS) found on many different aircraft. He planned to feed them fake or booby-trapped data via well-known radio communication systems. Old aviation equipment was bought via eBay to help Mr Teso interrogate the code these systems ran. This hardware was used to build a simulated aircraft that ran many of the systems found on commercial aircraft and could swap data via radio with the air traffic and navigation systems used in the real world. The lab work produced an attack toolkit that could influence the FMS of the simulated aircraft as it was "in flight". "I can influence the guidance and navigation of the aircraft," he told the BBC, adding that the system had "limitations". "It requires some careful planning and timing to achieve results," he said. Despite this, he said, publicity about the talk had led the European Aviation and Safety Agency (EASA) and the US Federal Aviation Administration to get in touch seeking more details. Now, he said, Mr Teso and n.runs, the German security company he works for, are setting up meetings to pass on his findings. In a statement, EASA said it was aware of Mr Teso's work and presentation. "This presentation was based on a PC training simulator and did not reveal potential vulnerabilities on actual flying systems," it said. "There are major differences between a PC-based training FMS software and an embedded FMS software." The version used on flight desks was hardened to avoid many of the loopholes found in the training systems, it added. Mr Teso said there was little risk that malicious hackers would be able to use what he found. "You would have to have solid knowledge of aviation and its protocols and that's not easy to get," he said, adding that he planned to keep on with the research. He said there were lots of other "approach vectors" for hacking aircraft systems.
is reporting a new initiative, the Cyber Security Information Sharing Partnership (CISP), to share information on cyber threats between businesses and government is to be launched. The initiative will include experts from government communications body GCHQ, MI5, police and business and aims to better co-ordinate responses to the threats through a secure web-portal to allow access to shared information in real time. The kind of information shared includes technical details of an attack, methods used in planning it and how to mitigate and deal with one. In 2012, the head of MI5 Jonathan Evans said the scale of attacks was "astonishing". One major London listed company had incurred revenue losses of £800m as a result of cyber attack from a hostile state because of commercial disadvantage in contractual negotiations. One government official told the BBC: "No one has full visibility on cyberspace threats. We see volumes of attack increase and we expect it to continue to rise." Cabinet Office minister Francis Maude said: "We know cyber attacks are happening on an industrial scale and businesses are by far the biggest victims in terms of industrial espionage and intellectual property theft, with losses to the UK economy running into the billions of pounds annually.
The Second post of a Two Part Series from The Regulatory Fundamentals Group. Your personal “mock audit” to determine whether your firm is ready for the SEC.
Part one of this series (here) focused on the SEC’s efforts to communicate to advisers that “the game has changed.” For managers interested in evaluating the effectiveness of their firm’s compliance and other legal risk management initiatives, RFG offers a personal “mock audit” below. Just as a routine check-up at the doctor’s office can prevent a medical emergency, taking this five-minute “mock audit” can help detect a regulatory problem. The questions are not technical. Ready? Read on. Culture of Compliance
(Answer the questions below with a ranking from 1 to 5, with 5 representing the highest possible agreement.)
- Your management team believes that governance processes are important and that proper governance includes risk management of legal and compliance issues.
- Your chief compliance officer has respect, influence and independence in your organization.
- When risk and compliance personnel raise issues that concern a major profit driver, their concerns are promptly heeded and carefully investigated.
- Your chief compliance officer reports to/has direct access to your governing body or executive committee.
- Each of your staff functions understands the legal, contractual and regulatory requirements that are relevant to their role.
Out of a possible total of 25, what is your score? Ideally the score should hit the 20-25 range. If the sum of your answers to the above statements is less than 17, consider whether your firm has significant exposure to legal and regulatory risks. Just as information about critical financial challenges needs to quickly go “up the chain”, it is equally important that senior management be informed about, and weigh in on, regulatory and legal issues. An effective process to identify and escalate legal and compliance risks helps assure that decisions are made at the right level of management, with a full appreciation of all their potential ramifications. The true test of a culture of compliance does not lie with the support staff. It hinges on whether there is meaningful buy-in from profit centers and investment personnel. For this to occur, they must be assured that doing the right thing is important to senior management, and that compliance personnel are respected and feel empowered to speak up — even when profits are at stake. Also, an effective framework must be established to coordinate the work throughout the firm, to reinforce the message and to facilitate escalation of issues –particularly in those instances where business and control groups may have differing viewpoints. To have this type of constructive dialogue, staff must understand what is expected of them, which means that management must take the time to explain the key regulatory and contractual requirements that are relevant to the roles served by each staff function. It must be clear that certain lines are not to be crossed, whatever the staff’s specific objectives may be. Legal and Regulatory Compliance
(Answer these questions yes or no.)
- Have you attempted to identify all the laws in all jurisdictions that apply to your firm, your clients, their investors and your investments?
- Is there a process for keeping the information gathered in #1 current and up to date reflecting both changes to laws and new activities undertaken by the firm?
- Is your compliance manual tailored to your business so that it covers all regulatory requirements, not simply those required by the SEC or CFTC?
- Do you and your employees refer to your compliance manual in order to obtain guidance/clarity on unusual or tricky situations?
If the answer is “no” to any of these questions, you need to address the situation now. In a heavily regulated environment, appropriate vigilance is crucial. Closing your eyes to regulatory requirements is like deciding to cross the street with your eyes closed. Inattentive folks can be hit by an enforcement proceeding — or a truck, as the case may be. Every organization needs to make an effort to determine which laws apply to it. Conducting an initial legal risk assessment and updating it periodically ensures that the firm develops procedures and processes specific to its organization. Once the firm has implemented a system for complying with requirements identified in its initial risk assessment, it must remain up-to-date on changes. Thus, the risk assessment becomes an on-going process. Managers sometimes think that it is enough if their firms have a compliance manual. Many times these manuals, in the case of a U.S.-based adviser, focus only on SEC rules and regulations, without offering a broader coverage of the key risks facing the firm. Having a compliance manual is not the “be all, end all.” An outdated, ignored or off-the-shelf compliance program that is not customized to the business is not sufficient. When examining the effectiveness of the firm’s compliance manual, it is important to check whether it is meaningful to the business and actually followed by staff. A great measure of a compliance manual is frequency of use. Why do these questions in this short “mock audit” matter? The business world is undergoing a powerful regulatory shift in which regulators, the press and investors have less tolerance for regulatory and risk management oversights. Expect this trend to continue for the foreseeable future, at least. Now is the time to get your house in order. When employees take their responsibilities seriously, a compliance program can protect employees, the firm, and its investors. RFG monitors developments that may affect alternative advisers and their funds, and has information to help navigate these issues. To learn more about our offerings in this area, including risk assessments, please feel free to contact us at Information@RegFG.com.
The U.S. General Services Administration (GSA)
is acknowledging a security vulnerability in the financial management system used by all government contractors. The following message was posted on the SAM
(Systems for Awards Management) website: "Recently, U.S. GSA officials identified a security vulnerability in the System for Award Management (SAM), which could allow some existing users in the system to view certain registration information. Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. At this time, GSA is undertaking a full review of the system and investigating any potential additional impacts, to registrants in SAM. The security of this information is a top priority for this agency and we will continue to ensure the system remains secure." The issue was reported on March 8, 2013 and considered resolved on March 10, 2013. During this period, account holders that used their Social Security Numbers as a Taxpayer Identification Number and that “opted in” to public search were most vulnerable. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity's registration information, including both public and non-public data at all sensitivity levels. The GSA site recommends that you should "monitor your bank accounts and notify your financial institution immediately if you find any discrepancies."
The Daily Telegraph is reporting that North Korea blamed South Korea and the United States for cyber attacks that temporarily shut down websites this week at a time of elevated tensions over the North’s nuclear ambitions.
Internet access in Pyongyang was intermittent on Wednesday and Thursday, and Loxley Pacific Co., the broadband Internet provider for North Korea, said it was investigating an online attack that took down Pyongyang servers. A spokesman for the Bangkok-based company said Friday that it was not clear where the attack originated.
North Korea’s official Korean Central News Agency blamed the shutdown on the United States and South Korea, accusing the allies of expanding an aggressive stance against Pyongyang into cyberspace with “intensive and persistent virus attacks.”
South Korea denied the allegation and the US military declined to comment. South Korean security experts questioned North Korea’s quick blame of Washington and Seoul because it can take months to trace the source of a cyber attack and hackers can easily disguise their locations.
Accusations of cyber attacks on the Korean Peninsula are not new, but it is usually South Korea accusing the North of unleashing hackers on its computer networks. Seoul believes Pyongyang was behind at least two cyber attacks on local companies in 2011 and 2012.
The Globe and Mail
reports that a federal grand jury has indicted Matthew Keys, deputy social media editor at Reuters.com, for conspiring with members of the Anonymous hacking collective to break into the computers of his former employer, Tribune Co. The alleged incident occurred before he joined Thomson Reuters Corp, the indictment filed on Thursday indicated. The indictment charged Keys with three criminal counts, including conspiracy to transmit information to damage a protected computer. The indictment said that he promised to give hackers access to Tribune Co. websites and that a story on the Tribune’s Los Angeles Times website was later altered by one of them. Keys did not respond to requests for comment. But several hours after the indictment was handed down, he tweeted: “I found out the same way most of you did: From Twitter. Tonight I’m going to take a break. Tomorrow, business as usual.” His attorney did not return a phone call seeking comment. A Thomson Reuters spokesman said the company was aware of the indictment and added: “Any legal violations, or failures to comply with the company’s own strict set of principles and standards, can result in disciplinary action. We would also observe the indictment alleges the conduct occurred in December, 2010; Mr. Keys joined Reuters in 2012.” The documents in the case paint a picture of a disgruntled former Tribune employee who fell in with some of the most notorious hackers in the country – and then worked with them, as well as against them. Within weeks of the first suspicious e-mail, the affidavit said Keys told the same colleague that he had penetrated an elite chat group used by some of the most sophisticated members of Anonymous. According to the affidavit, Keys said he had learned of upcoming attacks on the Tribune’s Los Angeles Times, eBay’s PayPal and other companies. Two days later, a story on Latimes.com was defaced. When Keys learned that a member of the hacking group had changed the Times story, Keys responded “nice,” according to the indictment. Transcripts of the electronic chats excerpted in the affidavit and the indictment show someone using the nickname AESCracked offered to grant access to Tribune computers to others in the chat group. “Let me see if I can find some other users/pass I created while there,” he wrote after previous credentials were denied access, the indictment said. The indictment says Keys used the nickname AESCracked. The documents appear to show Keys playing a double game for weeks before getting kicked out of the chat group. As a journalist between jobs, he took screenshots of the hacking group’s chats and sent them to media outlets, he wrote later on a personal blog cited by the FBI. Keys, now 26 and living in New Jersey, went to work for another television station before joining Reuters in January, 2012 as deputy social media editor. He was relatively well known on Twitter, amassing more than 23,000 followers for his personal account, apart from his tweets under the Reuters brand.
ZDNet reports that during the hearings of the Senate Armed Services Committee, the U.S. military’s Cyber Command Army General Keith Alexander discussed the threat posed by digital warfare against banks and private firms, mentioning that the rate of attacks against these tempting targets (often full of financial information and potentially the account details of customers) is getting worse, predicting that this threat will do nothing but rise over the next year.
“We’ve seen the attacks on Wall Street over the last six months grow significantly,” he said, mentioning that there were over 160 disruptive attacks on banks within that time frame, according to the Washington Post. This number seems likely to rise. To aid his predictions, within minutes of the speech, hackers attacked the Chase bank’s website using a denial-of-service (DoS) attack. It is unclear whether any financial or account data has been compromised or stolen.