Cyber Attacks – “Greater Concern than Terrorism”


Cybersecurity Starts in High School with Tomorrow’s Hires

By Sandrine Rastello & Jeanna Smialek | Article Courtesy of:  Bloomberg


Five dozen teenagers hunched over computers in a hotel conference room near Washington, decrypting codes, cleaning malware and fending off network intrusions to score points in the finals of a national cybersecurity contest.

A participant in last year’s CyberPatriot contest earned certifications and went from high school to a job paying $62,000, said Bernie Skoch, the commissioner for the competition at the Air Force Association, a non-profit, independent, professional military and aerospace education association. Source: Air Force Association via Bloomberg

Just hours later, the high-school students got a glimpse of the labor market’s appetite for their skills as sponsors such as network equipment maker Cisco Systems Inc. described career opportunities. Internships start as young as 16 at Northrop Grumman Corp. (NOC), which reserves 20 spots for participants in the Air Force Association’s contest.

“We’re the largest provider of cybersecurity solutions to the federal government, so we know that we’ve got to help build that talent pipeline,” said Diane Miller, Northrop’s program director for the CyberPatriot contest, on the sidelines of the March event. “We just have a shortage of people applying” for the 700 positions currently open.

Security breaches experienced by institutions ranging from Facebook Inc. to the Federal Reserve are spurring spending on cybersecurity. President Barack Obama describes the threat as one of the nation’s most serious perils, while the Department of Defense has said the Chinese military has targeted government computers. With few specialists trained to respond to evolving attacks and most universities still adjusting to requirements, demand is overwhelming supply.

“I cannot hire enough cyber-security professionals, I can’t find them, they’re not qualified,” said Ryan Walters, who founded mobile data security company TerraWi Inc. in 2009. The company, based in McLean, Virginia, employs 12 people and plans to expand to 20.

CyberPatriot Contest

Walters, who says he has 22 years of experience in the field, helped prepare 48 students from Marshall Academy in Falls Church, Virginia, who competed in the CyberPatriot contest this year. Twelve made it to the finals. He says he’s gotten calls from companies and government agencies to interview his protégés.

“I love the activity, it’s like a passion,” said Ramon Martinez-Diaz, a 16-year-old sophomore coached by Walters. “But it’s also great that there are so many job openings.”

Listings for cybersecurity positions rose 73 percent in the five years through 2012, 3.5 times faster than postings for computer jobs as a whole, according to Boston-based Burning Glass, a labor market analytics firm that collects data from more than 22,000 online jobs sites.

Offers Reposted

“You have to scratch your head and ask whether the supply could possibly keep up with that,” Burning Glass Chief Executive Officer Matt Sigelman said in a phone interview. Data show “employers literally just posting and re-posting their offers,” he said.

There were 64,383 jobs related to cybersecurity listed for the twelve months through April, about 3 percent of all information technology positions, according to the company.

Rob Waaser found his skills in high demand. Just more than a month after graduating in December from Carnegie Mellon University in Pittsburgh with a master’s degree in information security technology and management, he started working at defense contractor Raytheon Co. Waaser chose to pursue a master’s because he said the industry is technical enough to justify the extra training.

“Cybersecurity is a good field these days to get into — there are a lot of people out there looking for talent,” said the 24-year-old, who got offers from all six of the potential employers he interviewed with. “I really didn’t have a problem finding job openings.”

Preparing Specialists

To prepare the next generation of specialists, the federal government’s National Security Agency is working to strengthen college-level education through its National Centers of Academic Excellence in Cyber Operations program, which gives a designation to universities that meet curriculum and other criteria.

Companies and government agencies are finding many candidates exiting college programs inadequately prepared for high-skill jobs crucial to cybersecurity, said Frank Reeder, co-founder of the Center for Internet Security in East Greenbush, New York, and former senior official at the U.S. Office of Management and Budget responsible for information policy.

“In the cybersecurity world, it’s still a little bit of the Wild West,” he said. For today’s gap, part of the solution is to train existing workers, he said.

Alan Paller, whose Bethesda, Maryland-based company SANS Institute provides such instruction, said many job candidates lack the hundreds of hours of lab experience needed to develop the highly-specific skills required.


Big Data & the Boston Marathon Probe

Extracting Key Investigative Data from the “Noise”

Over Ten Terabytes of Data did not overwhelm federal, local and state investigators.  

What follows is a fascinating story involving advanced data access, tracking and retrieval technologies. 


Boston probe’s big data use hints at the future

By Frank Konkel – Article Courtesy of:  FCW


Less than 24 hours after two explosions killed three people and injured dozens more at the April 15 Boston Marathon, the Federal Bureau of Investigation had compiled 10 terabytes of data in hopes of finding needles in haystacks of information that might lead to the suspects.

The tensest part of the ongoing investigation – the death of one suspect and the capture of the second – concluded four days later in part because the FBI-led investigation analyzed mountains of cell phone tower call logs, text messages, social media data, photographs and video surveillance footage to quickly pinpoint the suspects.

A big assist in this investigation goes to the public, which presented perhaps the best illustration of a crowd-sourced investigation in recent memory.

Not only did the public respond to the FBI’s request for information – the agency ultimately received several thousand tips and loads of additional photographs and video footage – but a citizen’s tip ultimately led to the capture of the surviving suspect.

Still, the investigation showed a glimpse of what big data and data analytics can do — and highlighted how far we yet have to go.

Knowledge is power

Big data is a relatively new term in technology and its definition varies amongst early practitioners, but the main goal of any big data project is to pull insights from large amounts of data.

Prominent statistician Nate Silver describes it as “pulling signal from the noise” – noise that can be a veritable smorgasbord of different kinds of information. The noise can be big, too – some datasets within the federal government are measured in petabytes, each of which is one million gigabytes or 1,000 terabytes.

So the 10 terabytes gathered by investigators is not a large data collection even in today’s relatively early stages of big data technology.

But the investigation’s processes still presented officials with a data crunch due to the volume, variety and complexity, according to Bradley Schreiber, vice president of Washington operations for the Applied Science Foundation for Homeland Security.

To get a sense for the initial complexities of combining various data sets in the early moments of the investigation, consider this: In the aftermath of the bombing, cellular networks in the area were taxed beyond their capacity. AT&T put out a tweet urging those in the area to “please use text & we ask that you keep non-emergency calls to a minimum.”

There was speculation that the bombs could have been triggered remotely by mobile phones, prompting interest in traffic logs from area cell towers to try to get a fix on the culprits.

That geo-location information could then be cross-checked against surveillance video and eyewitness photography – just another layer of data available to law enforcement when trying to stitch together a detailed and textured version of events.


Can your boss demand Social Media passwords?

Bill amendment would let bosses demand Facebook passwords during investigations in Washington state

Article Courtesy of:  Associated Press

SEATTLE — A bill amendment proposed Tuesday could allow employers to ask for a worker’s Facebook or other social media password during company investigations.

The provision was proposed for a bill that safeguards social network passwords of workers and job applicants. The measure bars employers from asking for social media credentials during job interviews.

The amendment was introduced at the House Labor Committee at the request of business groups.

The Associated Press reported last year that some employers around the country were asking applicants for their social media information.

In 2012 and this year, seven states banned employers from asking job applicants and employees for their social network passwords, with some exceptions.

Another 33 states are considering similar laws, according to the National Conference of State Legislatures.

Proponents say that the original bill would open an avenue for possible illegal activity by employees, such as divulging proprietary or consumer information to outsiders through social networks.

The amendment says that an employer conducting an investigation may require or demand access to a personal account if an employee or prospective employee has allegations of work-place misconduct or giving away an employer’s proprietary information. The amendment would require an investigation to ensure compliance with applicable laws or regulatory requirements.

Under the amendment, employees would be present when their social network profiles are searched and whatever information found is kept confidential, unless it is relevant to a criminal investigation.

“Rather than just referring everything to law enforcement, we have the opportunity to work with the employee and to investigate,” said Denny Eliason, who is representing the banking industry.

He said his clients have had cases where employees transferred sensitive information via email. He was not sure if Facebook or other social networks have been used.

Pam Greenberg of the National Conference of State Legislatures says similar bills being considered around the country have similar provisions allowing for disclosure of passwords during investigations.

California’s law allows “requests” of passwords during investigations. But the Washington amendment goes beyond that, said Dave Maass of the Electronic Frontier Foundation, a San Francisco-based online privacy advocacy group.

This amendment “says they have a right to enter your digital home,” Maass said. “It’s astounding that they would try to codify this and that all employers could do this… the national trend is to move away from this. It’s shocking that the amendment is going in the right opposite direction.”

Maass said it’s not only an employee’s privacy that is violated, but also those he has connections with in a social network site.

The amendment “would turn this bill from a privacy bill into an employer fishing expedition,” said Shankar Narayan of the Washington chapter of the American Civil Liberties Union. “That’s not the bill we signed up for.”

The bill’s sponsor, Democrat Sen. Steve Hobbs of Lake Stevens, said Tuesday that he had not read the amendment, but he was aware of concerns from high-tech industries.

Facebook & Big Data Collide

Big Data Could Cripple Facebook

By Jon Evans | Article Courtesy of: TechCrunch


So there’s this startup called SmogFarm, which does big-data sentiment analysis, “pulse of the planet” stuff. I spotted them last year, and now they’ve got an actual product with an actual business model up and running in private beta: KredStreet, “The Social Stock Trader Rankings,” which performs sentiment analysis on StockTwits data and a sampling of the Twitter firehose to determine traders’ overall bullish/bearish feeling. They also compare reality against past sentiment to score and rank traders based on their accuracy, which is more interesting.

It’s a first iteration, but it looks pretty nifty, and I like the idea of a ranking system wherein unknowns can leave high-profile loudmouths in their dust by virtue of simply being right more often. Even if I feel slightly uneasy when I imagine such a system being applied to, say, tech bloggers.

Actually being held accountable for what I’ve written in the past?  

Doesn’t that just seem terribly wrong?

And of course it’s early days yet for companies like SmogFarm/KredStreet, and sentiment analysis, and natural language processing (such as that which powered Summly), and Palantir-style data mining. Just imagine what they’ll be able to do in five years.

And when they turn all that big-iron, big-data searchlight power on, say, Facebook timelines… what won’t they be able to determine???

A few years ago the EFF discovered that something as simple as your browser settings make you a lot less anonymous online than you might believe. Last week a study found that “human mobility traces are highly unique,” and when polling allegedly anonymous cell-phone location data, “four spatio-temporal points are enough to uniquely identify 95% of the individuals.” Good software can mine a lot of meaning out of apparently sparse and empty data.

So just imagine what happens when next-generation language and image-processing software, and then the generation after that, and the generation after that, is unleashed on your Facebook timeline. It seems very plausible that all those innocuous things you say, and how you say them, and the pictures you post, and the games you play, will subtly and invisibly add up to a terrifyingly accurate portrait of you, including any and/or all of the things about yourself that you never actually wanted to make public.

What’s worse is that it will be ridiculously easy. Would-be employers won’t have to scroll through your Facebook timeline themselves, they’ll just need to point their profiling software in your direction and 30 seconds later read its high-confidence predictions of your work habits, neuroses, personal failures, emotional instabilities, attitude towards authorities, and sexual proclivities, all expertly extrapolated from the tapestry of subtle-to-invisible nuances accumulated from all of your photos, comments, Likes, upvotes, etc.; all individually meaningless, but collectively highly illuminating. Individual profiling is a huge business just waiting to be tapped by ethically challenged startups.

(This could be mitigated somewhat if you were to keep all your activity friends-only, of course; but even then, every app or distant acquaintance you’re connected to will be able to learn more about you than you ever intended. And it’s easy to envision employers requesting that you connect to them on Facebook as part of the job-application process, and filtering out those who refuse…)

I can imagine what that kind of profiling software would have said about me, early in my career: Hopeless bibliophile. Afflicted with incurable wanderlust. Doesn’t like being told what to do. Extremely chancy hire: likely to quit any job after six months to travel or try to write the Great Canadian Novel.

Which, er, would have been one thousand per cent true; but obviously I didn’t want my potential employers back then to know about it.


Your Identity Is Your Biggest Asset

5 Places Where You Should Never Give Your Social Security Number

Article Courtesy of:   and the Huffington Post

Adam Levin is the former director of the New Jersey Division of Consumer Affairs and the founder of Credit.com and Identity Theft 911.


Every time you go to a new doctor or dentist and they give you a clipboard brimming with documents to fill out and sign, notice how they always ask for your Social Security number?

Do you dutifully give it up?

Did you ever wonder if they really need it?

I once asked a doctor why he wanted it.

His response: “I don’t really know. I guess it’s because we’ve always asked for it.” (In actuality, most doctors ask in case your insurance doesn’t pay the entire invoice and/or to fill out a death certificate if you die. Offer a next of kin who knows the number instead, and your phone number for billing issues.)

Almost every day somebody asks for your Social Security Number and, like the Grand Marshal of a parade throwing rose petals or candy to the crowd, you probably give it up without giving it a second thought — because that’s what you’ve always done.

So, the next time someone asks you for your Social Security number, reflect on this: In December, the Army announced that hackers stole the Social Security numbers of 36,000 visitors to Fort Monmouth in New Jersey, including intelligence officers. Cyber activists took control of the CIA’s website. The private information, including some Social Security numbers, of celebrities and political leaders including FBI Director Robert Mueller and Secretary of State Hillary Clinton was exposed.

The sensitive data of First Lady Michelle Obama, Vice President Joe Biden and Attorney General Eric Holder were recently posted on a website for the world to see.

Hackers even listened in on a phone call in which the FBI and Scotland Yard were discussing the criminal investigation against those very same hackers!

And these incidents are only the crumbs on top of the coffee cake when you consider that hackers and thieves have improperly accessed more than 600 million consumer files since 2004.

The moral to these horror stories is that if your Social Security number is stored on any computer anywhere, hackers will find a way to access it, or a compromised or disgruntled employee may well walk out the door with it. If your doctor, gym, or child’s grade school claims otherwise, that their security systems can protect your private data better than the CIA, FBI and Scotland Yard, to quote Monty Python: “Run away!”

Your identity is your biggest asset, and your Social Security number is the key to your personal kingdom. With it an identity thief can wreak havoc, hijacking your old credit accounts, establishing new ones, buying cars and houses, committing crimes, even obtaining medical products and services while pretending to be you, endangering not just your credit and your reputation, but also your life.

Consumers whose Social Security numbers are exposed in a data breach are five times more likely to become fraud victims than those who aren’t, according to the latest identity fraud report by Javelin Strategy & Research.

“Just say no,” should be your motto here. For better or worse, you are the gatekeeper. The person most responsible for shielding your Social Security Number is you. Therefore, your mission is to limit, as best you can, the universe of those who gain access to it.

Here’s a short list of companies and organizations that have absolutely no business requesting your Social Security number:

1. Anyone who calls or sends you an official-looking email, who texts you a link to any site or designates a number to call where you are asked to confirm your SSN. If they call, check the credit or debit card that is the subject of the communication, call the customer service number listed on the back, and ask for the security department. If they email or text, do the same, or go directly to the institution’s website (provided you know who they are). Make sure you type the correct URL, and make sure that the page where you are asked to enter your information is secure. Only provide personal information if you’re the one who controls the interaction.

2. Public schools: Your utility bill confirms your address. Your email and phone number give them channels to contact you in an emergency. Asking for your Social Security number is overkill.

3. Little League, summer camp and the like: For the same reasons as school, a Social Security number should never be required by these groups. If they ask for your child’s birth certificate, show it to them, don’t leave it with them unless they can prove they will protect it. And even then, can you really believe them? If you use credit to pay for the activity, the organization may need your Social Security number. If you pay for it upfront or with a direct debit to your bank account or credit card, they don’t. Period.

4. Supermarkets: A frequent shopper card is neither a loan, nor a bank account. It’s merely a tool grocery stores use to track your purchases, primarily for marketing purposes. Regardless, many supermarket chains request customers’ Social Security numbers on their application forms. Refuse.

5. Anybody who approaches you on the street, whether it’s a cellphone company salesman offering a free T-shirt or someone running a voter registration campaign: Never, ever give your SSN. If you want an ill-fitting T-shirt festooned with corporate logos, buy one. If you want to register to vote, go to your county board of elections in person.

Don’t just hand over your Social Security number to anyone.

Once you realize how often you are asked for it, you may be surprised. It happens all the time. So, the next time someone does, as they inevitably will, here’s how to handle it:

1. Take a minute and think. Maybe they ask for SSNs blindly, because everyone else does, or because that’s how they’ve always done it. Maybe they actually need it. See if their reason sounds legitimate. (Update: For example, Credit.com’s Credit Report Card does ask for your SSN in order to generate your credit score and credit report summary — an industry standard – but the information is fully encrypted with a bank level authentication process.)

2. Negotiate. There are many different ways to identify you without a Social Security number, including your driver’s license or account number. Fight to use those instead.

3. If you must share your Social Security number, do so, but make sure the people taking it down have strong security measures in place to protect it. That said, you only have their assurance and frankly, in light of the mistakes people make and the sophistication level of hackers, who really knows if they can protect it?

If all this sounds like a giant pain in the neck, you’re right. It is. In the midst of our busy lives, we shouldn’t be the only ones concerned with protecting our most valuable identity asset, but it is what it is. Until somebody creates a Silver Bullet for identity theft, we are forced to take matters into our own hands.

Don’t be passive; ask the companies and nonprofit groups with which you do business how they plan to protect you. Do they password protect and encrypt all the personal information they collect? Do they have strict controls on who has access to computers containing your Social Security number, and do they keep this sensitive data off laptops, tablets and hard drives that are easy to steal or lose?

Like the doctor I met, many companies collect Social Security numbers they don’t need because they’re operating on autopilot. They’ve always done it, and their colleagues at other companies do it, so the practice continues and spreads on the strength of simple, dumb inertia. I believe that we are smarter than that.

By demanding that companies do a better job protecting our personal information, and refusing to hand out our Social Security numbers like candy at a parade, we can force them to get smarter, too. And if they don’t think we’re serious about this and the government doesn’t finally force them off their Social Security number addiction, it is highly likely that the ultimate regulator of the American economic system, class action attorneys, will be knocking on their doors.
