Cyber Weekly Roundup – November 24, 2017

Written November 27th, 2017

Post Tags: cyber weekly roundup

By Colby Proffitt

1.) Amazon Web Services Announces Secret Cloud Region For CIA (November 20, 2017)


Summary: Amazon Web Services unveiled a cloud computing region for the CIA and other intelligence community agencies developed specifically to host secret classified data.

Why it matters: GSA may have been the first federal agency to move email to the cloud, but the CIA is now the first to leverage the cloud across all classification levels: unclassified, sensitive, secret, and top secret. There was a time when ‘cloud security’ was thought of as a bit of an oxymoron. Now, the question is no longer, “Is the cloud secure?” but instead, “Are you as secure as the cloud?”

2.) Classified cloud now an option for federal agencies (November 20, 2017)


Summary: Federal agencies now have the option of moving classified data to the cloud with Amazon Web Services’s new AWS Secret Region.

Why it matters: The CIA isn’t the only agency that’s going to start leveraging cloud capabilities across all classification levels. The CIA has the contract with AWS, but all 17 IC agencies will be able to run classified workloads up to the secret level on the new AWS Secret Region. As more and more federal agencies move to the cloud – and move more of their data and applications to the cloud – improvements and efficiencies are just around the corner. It will take time to adjust, re-align processes and resources, and fully understand the potential offered by the cloud, but the initial pain will be worth the benefits for all federal agencies in the long run.

3.) ‘Data is the new oil’: F-Secure man on cartels, disinformation and IoT (November 23, 2017)


Summary: Questions about cyber influence continue to cloud last year’s US presidential elections and recently similar allegations have been levelled against the Brexit vote. Mexican armed forces are apprehensive about upcoming elections in that country but it’s not the US or the Russians they are worried about – it’s the cartels. Mikko Hypponen, chief research officer at Finnish security company F-Secure, relayed the anecdote during a discussion about geopolitics and IoT. Election campaigning on social media should be banned, said Hypponen, pointing out that Japan does this already. As a result, Facebook doesn’t sell in the Asian country. F-Secure found this from Google ad guidelines. Sean Sullivan, a security advisor at F-Secure, saw the same issue differently: “Disinformation exists on Twitter, it’s how it is packaged and exposed on cable news that’s the bigger problem. Bait is put out there and cable news picks it up.” Sullivan, a political science graduate, added that combatting disinformation is more a matter of media literacy and critical thinking than rooting out trolls.

Why it matters: We live in a data-centric world. That surplus of data has done a few things to society as a whole. One the one hand, it has made life easier – answers to complex questions are only a Google search away. On the other hand, the excess of data has deadened our senses. Cyber attacks and bigtime hacks turned heads once upon a time. Now, they’re just another headline we glance over. And, the surplus has increased the pressure on news media to publish ‘news’ or ‘new data’ first, before their competitors. As a result, some would argue that there’s more false information available than true information, and sometimes, that bad information gets published by major media outlets, ultimately affecting the mindset of the end user and consumer. And, because the flood of data has also shortened the attention span of the average user, many will be content with whatever the media releases – the burden of researching and finding the truth falls to the bottom of the to-do list.

In a world full of data, it’s critical that news outlets fact check every story and remain cognizant of the potential social and political impact of releasing false information.

4.) Facebook is struggling to meet the burden of securing itself, security chief says (October 19, 2017)


Summary: Facebook is Struggling to live up to the responsibility it faces for adequately securing the vast amount of personal information it amasses, the social network’s top security executive said in a leaked phone call with company employees.

Why it matters: This article highlights one of the challenges that many organizations are struggling to address. While the government and federal contractors must abide by strict security guidelines – which some would argue limit innovation – they also benefit from increased security. Facebook and other organizations have implemented security measures, but they have intentionally given their engineers freedom to customize and experiment within their environment. That allows speed, but comes with risks.

Facebook’s security stance – and the fact that the CSO of Facebook stated that he doesn’t feel like they have caught up with their responsibility – should serve as a reminder to users that not only do they need to be careful how they use the tool, but also that there’s a chance that their account may be compromised. And, it’s yet another good reason to use a different password for every account – social, banking, email, etc.

5.) Name+DOB+SSN=FAFSA Data Gold Mine (November 17, 2017)


Summary: KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at fafsa.ed.gov, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid. Short for the Free Application for Federal Student Aid, FAFSA is an extremely lengthy and detailed form required at all colleges that accept and award federal aid to students. Visitors to the login page for FAFSA have two options: Enter either the student’s FSA ID and password, or choose “enter the student’s information.” Selecting the latter brings up a prompt to enter the student’s first and last name, followed by their date of birth and Social Security Number.”

Why it matters: A little bit of data might not be useful to a cyber criminal. But a little bit of data from various sources is exactly what he or she wants. This article highlights some of the basic cyber errors that some organizations have yet to correct. In the pre-breach world, when social security numbers hadn’t been leaked, FAFSA’s password reset option wouldn’t have been as big of a problem. But as this article highlights, it’s not hard to obtain a SSN, and a little social engineering can uncover the individual’s name and DOB.

This article should serve as a reminder to be careful what information (e.g., DOB, address, etc.) you put on social media. And, users have to understand that security is a shared responsibility.