Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Category Archives: Cybercrime

IRS IG – Improvements Are Needed to Ensure the Protection of Data the IRS Transfers to External Partners

“When the Internal Revenue Service (IRS) has shared data, including Personally Identifiable Information, taxpayer information, and other sensitive data, with external entities, it has not always adequately protected the data through secure file transfer technology, according to an audit report that the Treasury Inspector General for Tax Administration (TIGTA) released today. The IRS shares data with various outside entities including Federal, State, and local agencies; financial institutions; and contractors for tax administration purposes. IRS and Federal guidelines require that sensitive data is protected during transmission to prevent unauthorized access or disclosure. TIGTA initiated this audit to determine whether the IRS is properly protecting this data and whether it is maintaining encryption controls and other security configurations in accordance with the National Institute of Standards and Technology. The IRS uses three methods to transfer data to external partners: 1) a commercial off-the-shelf product for transfers over the Internet, 2) a commercial off-the-shelf product for direct mainframe-to-mainframe data transfers, and 3) drop boxes to allow the IRS and its external partners to place and retrieve data transfers. In reviewing all three of these external file transfer methods, TIGTA found the IRS did not ensure that encryption requirements are being enforced and ensure that nonsecure protocols are not being used in order to fully protect information during transmission. These protocols include File Transfer Protocol and Telnet, which are known insecure transfer protocols. The IRS also did not remediate high-risk vulnerabilities or install security patches on file transfer servers in a timely manner. For example, TIGTA found 61 servers with high-risk vulnerabilities, 10 servers with outdated versions of Windows and UNIX operating systems still in operation, and 32 servers missing 18 unique security patches, of which four were deemed as critical. 
Lastly, the IRS did not ensure that corrective action plans for security control weaknesses met IRS standards. This reduced the assurance that the IRS would correct weaknesses timely. Read the report.”

Report – IBM and Ponemon Study Reveals Organizations Remain Unprepared to Respond to Cyberattacks

PRNewswire – “Resilient, an IBM Company and the Ponemon Institute unveiled the results of the annual Cyber Resilient Organization study, which found that only 32 percent of IT and security professionals say their organization has a high level of Cyber Resilience – down slightly from 35 percent in 2015. The 2016 study also found that…

European Commission target of DDoS attack

Via Politico: “This afternoon, the European Commission was subject to a cyberattack (denial of service) which resulted in the saturation of our Internet connection.”

Audit of OPM Security Systems Shows Continued Material Weakness

OPM IG Federal Information Security Modernization Act Audit – FY 2016: “This audit report again communicates a material weakness related to OPM’s Security Assessment and Authorization (Authorization) program. In April 2015, the then Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired,…

Enhanced Cyber Risk Management Standards: Advanced Notice of Proposed Rulemaking

“The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the agencies) are inviting comment on an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards (enhanced standards) for large and interconnected entities under their supervision. The agencies…

Check if you have an account that has been compromised in a data breach

“This site [have i been pwned] came about after what, at the time, was the largest ever single breach of customer accounts — Adobe. [Troy Hunt, a Microsoft Regional Director] often did post-breach analysis of user credentials and kept finding the same accounts exposed over and over again, often with the same passwords which then…

FCC Adopts Broadband Consumer Privacy Rules

“WASHINGTON, October 27, 2016 – The Federal Communications Commission today adopted rules that require broadband Internet Service Providers (ISPs) to protect the privacy of their customers. The rules ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs. The rules implement the privacy requirements of Section…

What to Do When You Suspect a Data Breach: FTC Issues Video and Guide for Businesses

“If your business has experienced a data breach, you are probably wondering what to do next. The Federal Trade Commission’s new Data Breach Response: A Guide for Business, an accompanying video and business blog can help you figure out what steps to take and whom to contact. Among the key steps are securing physical areas,…

Extensive botnet DDoS attacks take major sites offline

TechCrunch: “Several waves of major cyberattacks against an internet directory service knocked dozens of popular websites offline today, with outages continuing into the afternoon. Twitter, SoundCloud, Spotify, Shopify, and other websites have been inaccessible to many users throughout the day. The outages are the result of several distributed denial of service (DDoS) attacks on the DNS provider…

Former NSA contractor removed 50 terabytes of classified data

ZDNet: “An NSA contractor siphoned off dozens of hard drives’ worth of data from government computers over two decades, prosecutors will allege on Friday. The contractor, Harold T. Martin III, is also accused of stealing thousands of highly classified documents, computers, and other storage devices during his tenure at the agency. It’s not known exactly…

DOT Cybersecurity Incident Handling Is Ineffective and Incomplete

DOT IG Report – October 13, 2016 – DOT Cybersecurity Incident Handling Is Ineffective and Incomplete – Project ID: FI-2017-001: “An effective response to cyber incidents minimizes disruptions to information systems and data losses. We conducted this audit because of DOT’s large number of information systems that contain sensitive data as well as the high number of…