STE WILLIAMS

Revealed: ‘Suicide bomber Barbie’ and other TSA quack science that cost $1.5 billion

From 2007 through 2015, the US Transportation Security Administration (TSA) spent $1.5 billion trying to identify potentially dangerous travelers by observing their behavior through an ongoing program called SPOT.

SPOT stands for “screening of passengers by observation techniques.” And according to the TSA’s own documents, obtained through a lawsuit filed by the American Civil Liberties Union (ACLU), the techniques employed by the agency to detect untrustworthy travelers are unscientific and unreliable.

The program started as interviews at checkpoints. It expanded beyond checkpoints in 2009 to include roving officers, some undercover, who engage travelers in casual conversation while looking for telltale signs of malicious intent, whatever those might be. Ostensibly, these conversations were voluntary, but seeking to avoid them or being insufficiently forthcoming was treated as an “indicator” that might prompt referral to additional screening.

“The TSA has repeatedly claimed that the behavior detection program is grounded in valid science, but the records that the ACLU obtained show that the TSA has in its possession a significant body of research that contradicts those claims,” the ACLU said in its report.

The civil liberties defender says TSA records include a number of academic studies that show that attempts to detect deception by monitoring behavior are useless. Other documents suggest the TSA exaggerated the science supporting its methods in its communication with Congress and government auditors, or failed to disclose information undermining its position.

The ACLU also criticizes the agency for possessing documents that indicate a religious bias against Muslims – hard as that might be to imagine in the current political climate. For example, it cites a TSA-authored presentation from 2006 that “reflects demeaning stereotypes about Muslims and women.”

The presentation suggests women can be turned into terrorists more easily than men because “females tend to be more emotional and therefore easier to indoctrinate.” It also includes a cartoon that presents a mother and daughter wearing hijabs, arguing over the daughter’s desire for a sixth “suicide bomber martyr Barbie.”

Suicide bomber martyr Barbie

Mattel doesn’t presently sell suicide bomber martyr Barbie. But if it did, and if the doll functioned as advertised, periodic replacement would be necessary.

The ACLU allows that it’s not clear whether the TSA relied on this insensitive material in its behavior detection program. However, it notes that the TSA has engaged in specific instances of racial and religious profiling in Chicago, Honolulu, Miami, and Newark.

The ACLU argues SPOT should be shut down because behavioral observation isn’t a reliable predictor of ill intent.

A 2013 Government Accountability Office report offers a similarly skeptical assessment of TSA’s approach, finding the program to be a waste of taxpayer funds.

Hugh Handeyside, staff attorney with the ACLU National Security Project, in a phone interview with The Register, acknowledged that the TSA continues to defend its program. He said he hopes the documents that have emerged from the ACLU’s lawsuit will help oversight entities keep the heat on the agency.

“Lawmakers from both parties have been quite critical of this program,” Handeyside said. “We don’t see how these kinds of techniques, given decades of research, can be used in a way that’s consistent with passenger civil liberties.”

Handeyside declined to delve into whether observing behavior might be useful for general law enforcement, but said such techniques are particularly problematic in the context of airport screening. “They raise serious civil liberties issues,” he said.

In an emailed statement, the TSA said it stands by its program.

“TSA’s behavior detection approach is designed to identify and engage individuals who may be high-risk (eg, possess malicious intent) on the basis of an objective process using behavioral indicators and thresholds, and then route them to additional security screening,” a TSA spokesperson told The Register.

The agency spokesperson cited the value of behavioral detection in arrests made in Florida, Michigan, and Texas. The cases involved bulk transfer of currency, firearms possession, drugs, and identity fraud, but not terrorism.

The agency insists that behavior detection can be used to address a variety of threats and doesn’t become obsolete in the face of new weapons or tactics. “It is one element of TSA’s efforts to mitigate threats against the traveling public, and is critical to TSA’s systems approach to deter, detect, and disrupt individuals who pose a threat to aviation,” the TSA’s spokesperson said.

The TSA said it continues to rely on behavior detection, though it no longer treats SPOT as a distinct program. The agency has integrated behavior detection officers into its ranks, in keeping with the 2016 FAA Authorization Act. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/aclu_condemns_tsa_quack_science/

Ex-NSA contractor Harold Martin indicted: He spent ‘up to 20 years stealing top-secret files’

Former Booz Allen Hamilton contractor Harold Thomas Martin III allegedly stole secret and top-secret software and documents from American intelligence agencies for up to 20 years. That’s according to a federal grand jury indictment revealed today.

The legal paperwork [PDF] lays out the US Department of Justice’s case against Martin, 52, of Glen Burnie, Baltimore. During those two decades, he worked as a freelancer for seven private companies on various Department of Defense and US intelligence projects. One of those seven outfits was Booz Allen Hamilton, Edward Snowden’s one-time employer.

In a statement, prosecutors said: “Martin held security clearances up to top secret and sensitive compartmented information (SCI) at various times, and worked on a number of highly classified, specialized projects where he had access to government computer systems, programs and information, including classified information.

“Over his many years of holding a security clearance, Martin received training regarding classified information and his duty to protect classified materials from unauthorized disclosure.

“The indictment alleges that beginning no earlier than 1996 and continuing through August 27, 2016, Martin stole and retained US government property, including documents that bore markings indicating that they were property of the US and contained highly classified information, including TOP SECRET/SCI. A Top Secret classification means that unauthorized disclosure reasonably could be expected to cause exceptionally grave damage to the national security of the US.

“Martin allegedly retained stolen documents containing classified information relating to the national defense at his residence and in his vehicle. Martin knew that the stolen documents contained classified information that related to national defense and that he was never authorized to retain these documents at his residence or in his vehicle.”

The list of files Martin is alleged to have stolen and stashed at home is extensive: NSA organization plans from 2014; also from that year, documents detailing potential foreign cyber targets and foreign network hacking techniques; a 2009 US signals intelligence directive describing “specific methods, capabilities, techniques, processes, and procedures” for defending government computer systems; correspondence about NSA overseas projects from 2008; and so on and so forth.

The indictment also lists five US Cyber Command (CYBERCOM) documents, a CIA file, and a 2007 National Reconnaissance Office dossier discussing the launch of a spy satellite with an “unacknowledged ground station.”

Martin was collared and charged in October 2016.

Earlier this week, The Washington Post noted that Zachary Myers, an assistant US attorney with the District of Maryland, told a court last year Martin had 50TB of potentially secret and top-secret data at his home.

It is alleged Martin even copied penetration tools from the NSA’s elite computer hacking squad, the Tailored Access Operations. Part of TAO’s toolkit is believed to have leaked online via the mysterious Shadow Brokers crew of miscreants. Some in the media and infosec world have tried to link Martin to the Shadow Brokers’ leak.

Martin’s lawyers insisted their man wasn’t another document-leaking Edward Snowden, but rather a compulsive hoarder who “loves his family and his country,” and that he simply took the secret files home with him with no ill intentions.

Martin, who is awaiting trial behind bars, is due to appear before US magistrate Judge A. David Copperthite in Baltimore on February 14. The ex-contractor faces up to 10 years in the cooler for each of the alleged 20 counts of willful retention of national defense information. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/us_grand_jury_indicts_harold_martin_nsa/

Want to come to the US? Be prepared to hand over your passwords if you’re on Trump’s hit list

The new boss of the US Department of Homeland Security plans to dig deeper into the lives of some of those wishing to enter the Land of the Free™ – even going as far as demanding web passwords and banking records.

In a Q&A with the House Homeland Security Committee on Tuesday, John Kelly said the previous administration had been hesitant to scrutinize immigrants’ social networking accounts during their vetting, and that this was a “glaring deficiency.” Instead, he wanted “enhanced vetting,” which hopefully isn’t the same as torture, sorry, enhanced interrogation.

Previously, tourists, travelers and visa holders were warned they may have to hand over their online account names and handles so their public profiles can be studied by border agents and immigration officials.

Now Kelly wants to take that further, by demanding passwords from some visa applicants so g-men can log into Twitter, Facebook, online banking accounts, and so on, and rummage around for any eyebrow-raising non-public posts, messages and transactions. If you refuse, you can’t come in.

“We want to say ‘what kind of sites do you visit and give us your passwords,’ so we can see what they do,” Kelly explained, in response to a question from Representative Clay Higgins (R-LA).

“We want to get on their social media with passwords – what do you do, what do you say. If they don’t want to cooperate then they don’t come in. If they truly want to come to America they’ll cooperate, if not then ‘next in line’.”

By “they”, Kelly was referring to refugees and visa applicants from the seven Muslim countries subject to President Trump’s anti-immigration executive order, which was signed last month. Given the White House’s tough stance on immigration, we can imagine the scope of this “enhanced vetting” creeping from that initial subset to cover visitors of other nationalities. Just wait for the president to fall out with another country.

Kelly said this invasive vetting of people’s online personas and accounts could take weeks or months, and that applicants would just have to wait until it was done. Representative Higgins said he agreed, and was anxious for Homeland Security and others to start trawling through people’s social media pages. Higgins said handing over such credentials should be mandatory.

President Obama’s administration had requested public comment on allowing agents to ask travelers for their social media account names, on a voluntary basis. But Kelly made it clear that handing over handles wasn’t enough – the DHS could soon demand passwords as well. No new policy has been set in stone, though, Kelly said. No final decisions have been made.

In order to keep America safe, Kelly said he would need between 5,000 and 10,000 new staff. However, he would accept fewer provided they were properly trained and could do their jobs efficiently.

Kelly also said that financial records will be requested of some visa applicants, as vetting staff need to “follow the money,” and where possible, be provided with details of salaries and spending.

All of this is on hold right now, though, while US Department of Justice lawyers, state attorneys general, the ACLU, and the courts sort out whether or not the president’s anti-immigration executive order is legal. Kelly made it clear which side he was on.

“I work for one man, his name is Donald Trump, and he told me ‘Kelly, secure the border,’ and that’s what I’m going to do,” he said.

This did not go down well with Representative Kathleen Rice (D-NY). “You were chosen by him, you work for us. I’m sure that’s what you meant,” she shot back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/dhs_wants_enhanced_digital_vetting/

Beware the latest tax-season spear-phishing scam

You may have heard of the CEO scam: that’s where spear-phishers impersonate a CEO to hit up a company for sensitive information.

That’s what happened to Snapchat, when an email came in to its payroll department, masked as an email from CEO Evan Spiegel and asking for employee payroll information.

Snapchat’s payroll department fell for it. Ouch.

Here’s a turn of that same type of screw: the Internal Revenue Service (IRS) last week sent out an urgent warning about a new tax season scam that wraps the CEO fraud in with a W-2 scam, then adds a dollop of wire fraud on top.

A W-2 is a US federal tax form, issued by employers, that has a wealth of personal financial information, including taxpayer ID and how much an employee was paid in a year.

This new and nasty dual-phishing scam has moved beyond the corporate world to target nonprofits such as school districts, healthcare organizations, chain restaurants, temporary staffing agencies and tribal organizations.

As with earlier CEO spoofing scams, the crooks are doctoring emails to make the messages look like they’re coming from an organization’s executive. Sending the phishing messages to employees in payroll or human resources departments, the criminals request a list of all employees and their W-2 forms.

The scam, sometimes referred to as business email compromise (BEC) or business email spoofing (BES), first appeared last year. This year, it’s not only being sent to a broader set of intended victims; it’s also being sent out earlier in the tax season than last year.

In a new twist, this year’s spam scamwich also features a followup email from that “executive”, sent to payroll or the comptroller, asking for a wire transfer to a certain account.

The wire transfer scam isn’t tax-related: it’s just hitching a ride on the tax-related W-2 scam. Some companies have been swindled twice: they’ve lost both employees’ W-2s and thousands of dollars sent out via the wire transfers.
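As an added example (not part of the article or the IRS alert), here is a small triage script a mail-security team could run over incoming messages to flag the pattern just described: an executive’s name on an address that is not the one on file, or a Reply-To that steers replies off-domain, combined with a request for W-2 data or a wire transfer. The company domain, executive directory and sample messages are constructed for illustration.

```python
"""Heuristic triage for the W-2 / wire-transfer BEC pattern.

Added example, not code from the article or the IRS. Parses a raw RFC 5322
message and flags the combination the scam relies on: an executive's display
name on an address that is not the one on file (or a Reply-To that redirects
replies off-domain) together with a request for W-2 / payroll data or a wire
transfer. Domains, names and sample messages below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions (constructed): our own mail domain and a tiny directory mapping
# executive display names (lower-cased) to the address we actually have on file.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"evan example": "evan@example-corp.test"}

W2_TERMS = re.compile(r"\b(w-?2s?|payroll (?:list|records?|data)|employee (?:list|records?))\b", re.I)
WIRE_TERMS = re.compile(r"\b(wire (?:transfer|the funds|payment)|account number|routing number)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(asap|urgent(?:ly)?|immediately|today|right away|before noon)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if it has no '@')."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Return {"level": "low"|"medium"|"high", "findings": [...]} for one message.

    high   = identity mismatch AND a W-2/wire request (verify out of band before acting)
    medium = only one of the two
    low    = neither
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    haystack = msg.get("Subject", "") + "\n" + text

    identity, requests = [], []

    # 1. Executive impersonation: a known name on an address that is not the one on file.
    on_file = EXECUTIVES.get(display.strip().lower())
    if on_file and from_addr.lower() != on_file:
        identity.append(f"executive name '{display}' on foreign address {from_addr}")

    # 2. Reply-To hijack: From may show our real address (spoofed) while replies
    #    are steered to a mailbox outside the company.
    if reply_to and _domain(reply_to) != COMPANY_DOMAIN:
        identity.append(f"Reply-To {reply_to} is outside {COMPANY_DOMAIN}")

    # 3. The asks that define this scam: employee W-2 data, then a wire transfer.
    if W2_TERMS.search(haystack):
        requests.append("W-2 / payroll data request")
    if WIRE_TERMS.search(haystack):
        requests.append("wire transfer request")

    findings = identity + requests
    if URGENCY_TERMS.search(haystack):
        findings.append("urgency language")

    if identity and requests:
        level = "high"
    elif identity or requests:
        level = "medium"
    else:
        level = "low"
    return {"level": level, "findings": findings}


# Constructed sample messages: the first W-2 ask, the wire follow-up, and a benign note.
SPOOFED_W2 = """\
From: Evan Example <evan.example@mail-lookalike.test>
To: payroll@example-corp.test
Subject: W-2 request
Content-Type: text/plain; charset=utf-8

Hi, I need the list of all employees and their W-2s today for a review.
Send them as a PDF ASAP. Thanks, Evan
"""

FOLLOWUP_WIRE = """\
From: Evan Example <evan@example-corp.test>
Reply-To: evan.example@mail-lookalike.test
To: comptroller@example-corp.test
Subject: Vendor payment
Content-Type: text/plain; charset=utf-8

Please process a wire transfer of $48,000 to the account number in the attached
invoice before noon. I am in meetings, reply here only.
"""

BENIGN = """\
From: Evan Example <evan@example-corp.test>
To: payroll@example-corp.test
Subject: Headcount plan
Content-Type: text/plain; charset=utf-8

Can we meet Thursday to go over the Q1 headcount plan?
"""

if __name__ == "__main__":
    for name, sample in (("spoofed W-2", SPOOFED_W2), ("wire follow-up", FOLLOWUP_WIRE), ("benign", BENIGN)):
        print(name, triage(sample))
```

A “high” result is a cue to confirm the request with the executive by phone or in person, never by replying to the message.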

The IRS is telling organizations that receive the W-2 scam emails to forward them to [email protected], with the subject line of “W2 Scam”.

If your business has already fallen for the scam, it can file a complaint with the Internet Crime Complaint Center (IC3), operated by the FBI. Employees whose W-2 forms have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.

The IRS says that employees should also file a Form 14039 Identity Theft Affidavit (PDF) if their own tax returns get rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

How to sidestep the scam

But before you even get to the sad state of having to file a report about getting ripped off, it’s better to avoid falling for the bait in the first place.

Unfortunately, that’s getting tougher as crooks get more and more cunning. Case in point: the carefully crafted, well-disguised attack that led to the hacking of Clinton campaign chair John Podesta’s Gmail account. The attack relied on a shortened Bitly link to mask nefarious HTML code.

Screenshots of the Bit.ly link used against Podesta show that even the longer links hiding behind rigged Bitly links can be made to look, to an untrained eye, like they’re legitimate.

One step that can protect against phishing attacks is to pick proper passwords. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.

Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.

Also, consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.

Here are more tips to help you recognize, and steer clear of, phishing links.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DUI9xZGrfsE/

Police mine Facebook for data on inauguration protesters

The day after Donald Trump was inaugurated, the Women’s March in Washington DC was remarkably calm. In fact, out of an estimated 500,000 protesters jamming city streets, there were zero arrests.

It was quite a different scene the day before, when a handful of inauguration protesters shattered store windows, set fire to a limo, and hurled projectiles at police in riot gear, who responded with flash-bang grenades, tear gas and pepper spray.

The police did more than that, though. They also started looking for information on the social media accounts belonging to at least two of the people they arrested, CityLab reports.

Many of those arrested had their phones seized by Washington DC police. Facebook – specifically, its Law Enforcement Response Team – subsequently sent an email to one arrestee to inform them that law enforcement had sought information about their account.

The individual had less than 10 days to respond with legal filings, Facebook told him or her. If the accused failed to provide copies of court documents filed to stop the issuance of the information by that deadline, Facebook said it “may need to respond to this legal request”.

A second individual targeted for social media investigation provided CityLab with the subpoena that had been served on Facebook for his or her account information. It was issued by the US Attorney’s Office for the District of Columbia on January 27 – a week after the inauguration – and signed off by a DC detective.

The person who provided CityLab with the subpoena said that redacted blocks on the second page shield columns of phone numbers, which are connected to other arrestees for whom the District Attorney and police were seeking information.

Not all those arrested were protesters: rather, sweeping arrests during the inauguration parade indiscriminately targeted rioters, protesters, medics, lawyers and journalists alike.

There were approximately 230 people concerned with the protest – be they protestors or those helping or reporting on protesters – who were arrested on Inauguration Day. Federal prosecutors have said that 217 will be charged with felony rioting: an offense that’s punishable by up to 10 years in prison and a fine of up to $250,000, though maximum fines are rarely imposed.

Besides Facebook accounts, it appears that police may have been attempting to search arrested people’s devices for content pre-trial. CityLab reported last week that one arrestee’s Gmail account showed account activity from their mobile device while it was in possession of police.

This prompted questions about whether the police had the phones out, instead of properly securing them away in evidence bags, causing concerns that police were mining them for content pre-trial.

DC Metropolitan Police Department declined to comment on “investigative tactics” when CityLab asked if police had asked Facebook to reveal information about the arrestee who got the letter from Facebook. The DC US Attorney’s Office hadn’t responded to an inquiry as of Tuesday.

Neither would Facebook comment on individual requests. But a spokesman did point CityLab to Facebook’s law enforcement guidelines page and to its Government Requests Report database, where the public can see how many legal processes it receives from countries worldwide.

According to Facebook’s database, US law enforcement hit up the platform for information on 38,951 users’ accounts between January and June 2016. Facebook gave them some type of data in nearly 81% of those cases.

According to Facebook, a subpoena can enable police to get at users’ content, including “messages, photos, videos, timeline posts, and location information”. A subpoena or a court order would net the law less information, but would still include the individual’s “name, length of service, credit card information, email address(es), and a recent login/logout IP address(es)”.

Chris Conley, a policy analyst for the ACLU of Northern California, told CityLab that barring an emergency situation, police would need a search warrant to search locked phones.

Jeffrey Light, an attorney representing several of those arrested, said he hasn’t been informed of DC police having gotten warrants to search through protesters’ phones. But one person arrested told CityLab that while they were being detained, they’d heard police claiming to have a warrant.

A warrant may grant investigators the legal right to get at information in a locked phone, but how does it happen from a technological standpoint?

If we learned anything from the epic battle between the FBI and Apple over encryption in the case of the San Bernardino shootings, it’s that there are ways to get into locked phones, even if Apple steadfastly refuses to break its own encryption at the government’s request.

Last April, the government got past Apple’s encryption on terrorist Syed Farook’s phone, with the help of an unnamed third party.

Besides the government’s success in backdooring the terrorist’s phone, there are cellphone extraction devices that can be used to crack the locked devices and to extract data including deleted call histories and text messages, as well as data collected by the phone and apps that the user is unaware is being collected, as The Intercept has reported.

In other surveillance news, Reuters reports that the House has passed a bill requiring warrants to search old emails. The news outlet called it a win for privacy advocates fearful the Trump administration may work to expand government surveillance powers, but the House passed it unanimously last year only to have the Senate quash it.

The same is likely to happen this time around, given Senate opposition.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nH3D7zw3lRs/

News in brief: US might require social media passwords; BBM opens to developers; Uber rapped

Your daily round-up of some of the other stories in the news

Kelly moots requiring social media passwords from visitors

People wanting to visit the US might be asked to hand over passwords to their social media accounts, homeland security secretary John Kelly told Congress yesterday.

He told a congressional hearing: “We want to say, for instance, which websites do you visit, and give us your passwords, so we can see what they do on the internet. If they don’t want to give us that information, they don’t come in.”

While Kelly said that this was “a work in progress”, the advice from our security bods here at Sophos stands: we would never recommend that you give anyone your password, and we hope that this does not become a real thing.

Meanwhile, we’ll just note that Facebook clearly states in its terms and conditions: “You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.”

BlackBerry brings BBM technology to developers

BlackBerry, which has been struggling ever since the market for its smartphones fell off a cliff, is to make its security-focused BBM messaging technology available to developers who want to beef up the security of their products.

The software development kit (SDK) it’s making available later this month to iOS and Android developers will include messaging, video and voice calling and file-sharing, and will support push notifications.

ZDNet reported that the pricing will be in the form of a monthly subscription, based on the number of users and which services the developer adds to their app.

City decries Uber’s ‘one-way street’

Pittsburgh is fed up with Uber, which has been testing autonomous cars in the city since September and, according to officials, has given very little back in return.

Michael Lamb, the city’s Controller, recently urged mayor Bill Peduto to make clear what benefits the city was getting in return for supporting Uber’s programme to test driverless cars, saying that the relationship between the taxi platform and the city had become a “one-way limited access highway”.

Lamb raised the pertinent point of data collection, saying: “At Uber’s request, the city of Pittsburgh has opened its streets to a fleet of data collecting robotic vehicles. This is much more than ride sharing. These vehicles are capable of collecting endless amounts of data about our city. Who owns that data? In your negotiations with Uber, was this ever discussed? Can Uber turn around and sell that data without our consent? And do we get a share of any royalties? Do we even have free access to the data that our city streets generate?”

Uber in December pulled its fleet of driverless cars from San Francisco after falling out with regulators there and decamped to Arizona instead.

Catch up with all of today’s stories on Naked Security


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8HwLcTinDr8/

Focus turns to deep learning to help social media tackle online abuse

Earlier this week, the lawyer representing Syrian refugee Anas Modamani challenged Facebook on whether the company had the technical capability to detect a specific selfie and prevent it from being spread further.

It all started with an innocent selfie, which was taken by Modamani in 2015 and features him standing next to a smiling German chancellor Angela Merkel:

After the photo went viral, it began appearing alongside statements claiming, according to Gizmodo, that Modamani was a “terror suspect”. Meanwhile, a number of fake news reports on Facebook falsely linked him to terror attacks in Brussels and Berlin.

Facebook defended itself in court against claims that it does too little to counter abusive content on its platform. One of its lawyers claimed:

There are billions of postings each day. You want us to employ a sort of wonder machine to detect each misuse. Such a machine doesn’t exist.

Does such a machine exist?

As Forbes points out, Facebook is a technology company with a heavy investment in deep learning and filtering technologies. It has repeatedly been criticized by free-speech advocates for its aggressive content removal, with these concerns raised by cartoonist Jerm just the latest example. Forbes questions:

How much truth is there that the number of daily posts and limitations of current technology mean that it really is impossible for social media platforms to better enforce their bans on hate speech, harassment and threats of violence?

Let’s explore.

What is deep learning?

Before we begin, if you’re not already familiar with deep learning, it’s a branch of machine learning where computers can use algorithms to teach themselves to model abstract ideas. After feeding the computer a learning algorithm, programmers then train it using hundreds of thousands of images or speech samples.

This interesting Fortune blog post, which also uses the term “deep neural networks” since deep learning has its roots in neural networks, explains how the computer is then allowed to “figure out for itself how to recognize the desired objects, words, or sentence”.

The article also touches on the concepts of supervised and unsupervised learning, noting that most solutions today use supervised learning, where the computer is trained on labelled data. With unsupervised learning, however, it is simply asked to look for recurring patterns in unlabelled data.

Unsupervised learning, it notes, still remains “uncracked”:

Researchers would love to master unsupervised learning one day because then machines could teach themselves about the world from vast stores of data that are unusable today.

Facebook and deep learning

Facebook is not unfamiliar with deep learning. An article posted on its website last June describes its DeepText technology as “a deep learning-based text understanding engine that can understand with near-human accuracy the textual content of several thousand posts per second, spanning more than 20 languages”.

According to an article in Motley Fool, Facebook plans to use this technology to match users with material that will be of interest to them. It reports that this technology will also reportedly:

help match users with advertisers, weed out prohibited content, rank search results and identify trending topics.

It seems that Facebook will soon have some technology ready to detect misuse, though we have yet to see how effective it will be. It does need to be trained, and we don’t know if it can learn enough, and fast enough, to keep up with online abuse.

Amazon, Apple, Google, IBM, Microsoft and other technology big hitters also all have their own individual deep learning initiatives. Wouldn’t it be great if they could all pool resources to help fight online harassment?

Maybe they’ll do this under the Partnership on AI program. After all, they do all agree that

… artificial intelligence technologies hold great promise for raising the quality of people’s lives and can be leveraged to help humanity address important global challenges such as climate change, food, inequality, health, and education.

With many eggheads focusing on this rather than just one, let’s see if they can get a solution to this growing problem cracked.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AmO0Mjh8WPM/

Conviction by computer is go, confirms UK Ministry of Justice

Petty criminals in Britain will soon be found guilty and sentenced by computers, under new government plans.

Originally floated last year in a public consultation, the scheme is going ahead: the UK government has now announced it will press on with its plan to persuade low-level lawbreakers that pleading guilty online is a good idea.

“Under this proposal, defendants who opt into the online procedure and plead guilty will be offered the option to accept a pre-determined penalty (including the payment of any appropriate compensation and costs), be convicted and pay the amount immediately,” said the government paper published earlier today on the scheme.

Railway and tram fare evasion and unlicensed fishing are the two categories of criminal offence that the Ministry of Justice wants to try this out with. In England and Wales one needs a rod licence to go fishing.

Train fare evasion is nominally a private matter between the privatised operating company and the passenger but is enforced through archaic 19th century laws that make it a criminal offence. Private prosecutions are regularly brought in the magistrates’ courts by rail companies.

Defendants persuaded to plead guilty online will automatically be issued a fine, prosecution costs, ordered to stump up an amount for compensation and be made to pay the appropriate victim surcharge, which is effectively a tax levied on convicted criminals. Some of the proceeds are paid into a fund used to support various charities for victims in the criminal justice system.

Of the 280 people who responded to the consultation about the plans, 59 per cent agreed and 20 per cent disagreed. Some were not happy with the plans at all, and the government noted this:

Some respondents who opposed the principle raised concerns around the lack of judicial involvement in the procedure. These respondents suggested that in some cases there might be mitigating circumstances which a judge should take into consideration when setting an appropriate sentence. Similarly, some respondents have raised concerns about ‘sentencing by algorithm’, the idea that decisions currently made by judges will now be made by computer programs.

The official response was: “We have considered the responses in full and think it is possible to prosecute low-level cases via an automatic online conviction procedure and impose an automated, standard penalty in these cases without compromising the principles of our justice system.

“The automatic online conviction procedure will contribute to the government’s aim of delivering a service that is just, proportionate, accessible to all and works better for everyone,” the statement continued, adding that only defendants who choose to plead guilty, offer no mitigating circumstances and who opt into the automated process will be able to be prosecuted in this manner.

So that’s alright, then.

Under the sketchy details available in the consultation response [PDF], the system appears to be designed so the guilty party clicks “guilty” on the screen and makes a credit card payment online there and then.

It is not hard to imagine this system rapidly evolving into a central government version of local council parking fine systems, which typically use underhand tactics such as imposing fines of several hundred pounds that are “discounted” to £80 or so if paid within a certain period of time – say, two weeks. Appeals mechanisms against these systems, which must be provided by law, are normally designed so their time scales run well beyond the “discount” payment period, acting as a deterrent to people who challenge wrongly issued tickets.

Similarly, it is not hard to imagine this system being deliberately weighted against defendants, with far higher costs being payable if one opts for a proper trial in a court. Such moves have already been taking place in the criminal justice system, with people acquitted of crimes in the magistrates’ courts having had the amount of their recoverable costs capped at paltry legal aid rates – and were even, for a time, banned altogether from recovering any costs in the Crown courts.

With the British state merrily tilting the justice system further and further against defendants, it is a surprise that more than half the respondents to the consultation were in favour of conviction by computer.

Still, if you’re rich enough, you can just pay to make the bad men go away. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/ministry_justice_conviction_by_computer_scheme_go_ahead/

Good guy Logic Supply resolves breach in days, unlike some companies

US-based industrial computer supplier Logic Supply has reset user passwords following a suspected security breach.

Unauthorised access through the firm’s website on 6 February may have exposed customer/company names, usernames and passwords, and order information. Payment card details were not exposed, Logic Supply reassured customers in a breach notification email (extract below) forwarded to El Reg.

Yesterday we discovered unauthorised access to our website, which made some customer information vulnerable. Once we discovered the breach, we blocked their access, deployed a security patch and took other security measures. We believe the vulnerability and access was for roughly 30 minutes. There were no breaches of any of our other internal applications, resources or ERP system.

In stark contrast to well publicised retail breaches, no credit card or other financial information was involved in the attack. (We do not keep credit card numbers on file.) Additionally, because the breach was limited to our website, the breach did not involve any customer software imaged onto our PCs or other proprietary product information.

Security breaches are increasingly becoming an everyday threat for business. A component of managing the problem involves accepting the possibility that breaches might occur even after putting well thought-out defences in place. Detecting breaches quickly before much harm is caused is therefore important. Having an incident response plan in place so that customers can be notified promptly is also highly desirable. Logic Supply ought therefore to be credited for getting on top of a security problem within days, in contrast with other firms that take months or in extreme cases years (ahem Yahoo!) to notify customers when something goes wrong.

A representative of Logic Supply confirmed the breach in an email to El Reg that explained its incident response handling.

“We constantly monitor our systems for any signs of incursion, which is why we were able to identify and react to this event in real time,” he said. “We took immediate action to block any external access to our systems, identify what information was subject to exposure and protect our customers.”

“Only limited information from our website was subject to any exposure and no credit card, payment or other financial information was involved or at risk,” he concluded, adding that the password reset was purely a precautionary measure rather than a response to secondary attacks or attempted customer account hijacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/08/logic_supply_breach/

What to Watch (& Avoid) At RSAC

A renowned security veteran shares his RSA dance card, offering views on technologies destined for the dustbin of history and those that will move the industry forward.

As tens of thousands of IT executives, security leaders, and cyber engineers prepare to attend the 2017 RSA Security Conference in San Francisco next week, I put together a list of what I feel are the top technologies and areas to look at, both at the conference, and in the coming year.

First, a quick overview of the dinosaurs – technologies I am not interested in seeing, mainly because I don’t believe that these incremental approaches have made significant progress against hackers.


  • Endpoint Protection, including, for example, “next-gen,” money-backed guarantees, and other “gimmicks.” It seems to me that these technologies are always trying to keep up versus actually being proactive by constantly learning and adapting to new threats and attacks.
  • SIEM. This is perhaps one of the least sexy sectors in the vast cybersecurity landscape. As more and more devices become part of the overall elastic network perimeter, the rate of data being produced is explosive. Once again, this is a technology that is always trying to catch up even though the operational costs of running and maintaining it are not trivial.
  • Incident Response Automation. (Otherwise known as, “How can we get the post-mortem completed as quickly as possible?”) Instead of trying to solve for something that’s already occurred, how about we start focusing on actually preventing the majority of incidents from happening in the first place? Advancing automation for more secure products and processes is good but right now the emphasis is in the wrong place.


These are the areas that I believe are extremely compelling, and if developed and implemented correctly, can help security teams move in a positive direction towards improving their overall resiliency.

  • IoT Security. Internet-enabled now seems to be table stakes for any new device being released to the market. Given the recent large scale attacks caused by IoT devices, there needs to be an overall standard, and I really hope that UL starts being more transparent. Its Cybersecurity Assurance Program is a good start, but there needs to be far greater diligence applied to it.
  • Identity Management. Infrastructure has transformed into software-defined and elastic, yet most identity provider solutions still remain quite rigid. Many also only focus on the AuthN (authentication) part of identity versus AuthZ (authorization), where innovation should occur, combined with simple best practices such as “least privileges.” In the age where everything has an identity, there should be a platform that is adaptive enough to support this.
  • Artificial Intelligence + Machine Learning. Skills shortage or not, scaling out human capital to attempt to keep pace with “The Singularity” is not an option. Continuous analysis and learning using a variety of techniques, including Behavioral Analysis and Game Theory, is what is required to truly move the needle in cybersecurity. This area also overlaps with my next area – DevOps – and the goal of creating a true culture of DevSecOps. In other words, an AI/ML solution has to be an API-driven platform solution, not another point-solution tool. (Note: If you are learning or hyperfocused on AI in general, you may want to check out Gigaom AI, also taking place in SF during RSAC).
  • DevSecOps. One of my core assertions is that security engineers need to adopt a software engineering mindset and approach to solutions. This is not dissimilar to what happened to “classic” system administrators during the shift to DevOps. Security needs to be seamlessly integrated into the entire software development lifecycle, instead of being a barrier to deploy and the “Department of No.”


Whether you agree with my choices or not, I hope that I have given you a different perspective into a variety of cybersecurity technologies. Controversial and innovative thinking is what drives progress! Share your thoughts in the comments.


Mike D. Kail is Chief Innovation Officer at Cybric. Prior to Cybric, Mike was Yahoo’s chief information officer and senior vice president of infrastructure, where he led the IT and global data center functions for the company. Prior to joining Yahoo, Mike served as vice …

Article source: http://www.darkreading.com/careers-and-people/what-to-watch-(and-avoid)-at-rsac-/a/d-id/1328083?_mc=RSS_DR_EDT