Category Archives: Practices

Generally Accepted Practices

1k content moderator Facebook profiles exposed

Last year, around November 2, 2016, a bug caused the activity log of Facebook (FB) groups to expose the profiles of its content moderators. The exposure occurred whenever an administrator was removed for breaching the terms of service (TOS). Personal details of moderators who had censored accounts as early as August 2016 were then made viewable to the remaining FB group administrators.

Unfortunately, approximately 40 of those 1,000 content moderators worked in a counter-terrorism unit at Facebook's European headquarters in Dublin, Ireland. Within those 40, it was determined that at least six had their personal profiles viewed by potential terrorists from the US State Department-designated groups Hezbollah, ISIS, and the Kurdistan Workers Party.

The exposure was first suspected when moderators began receiving friend requests from known suspects of the terror organizations they were tasked with analyzing. Some of the moderators are contractors who are paid just $15 per hour for scouring often highly disturbing material written in other languages. Facebook policies allow disturbing imagery with the caveat that it doesn't promote or celebrate terrorism.

Over 2/3 of states in cyber commitment

A compact of commitment for a cyber security partnership has been signed by 35 states and 3 American territories. Each governor commits their government to partner with state universities on cyber policy, incident response, and cyber workforce shortages.

The compact has been carried out through more than 30 governors signing a dozen executive orders, 17 initiatives, and 14 signed bills. One example is Virginia’s recently approved recipients of the Commonwealth’s first Cybersecurity Public Service Scholarship, established during the 2016 General Assembly Session, which provides up to $20,000 in tuition assistance to full-time students pursuing cybersecurity degrees in return for one year of public service per scholarship.

WayCare Accident Prediction in Las Vegas

In September 2017, the startup WayCare will begin a 6-month pilot of artificial intelligence (AI) in Las Vegas. The AI will monitor traffic on I-15 and US 95 and then predict congestion and possible traffic accidents. The intent is to predict within 2 hours where first responders within a coalition of city, state, and county agencies should place their vehicles. The hope is that by preparing resources ahead of time they may be able to prevent accidents.

Some of the analytics may assess predictions based on the angle of the sun, debris on a lane, or perhaps even a dust cloud.  The WayCare project is estimated to cost tens of thousands of dollars.  The next cities which may potentially explore a pilot with WayCare are Ft Lauderdale and Tampa, Florida.

Feds considering $6M legislation for small biz cyber guidelines

On April 20, 2017, Rep. Daniel Webster of Florida introduced a new bill for the National Institute of Standards and Technology (NIST) to disseminate guidance to help reduce small business cybersecurity risks. (NIST already released similar guidelines in November 2016.) Two Congressional findings stated:

  • 54% of US sales and 55% of US jobs are accounted for by small business
  • 60% of small business cyber attacks result in the business closing in 6 months

The bill requires that the Director (of NIST) ensure that usable, variable, awareness-creating, technology-neutral, and internally standard resources are disseminated. Resources would include guidelines, tools, best practices, standards, methodologies, and other ways of providing information.

The Congressional Budget Office (CBO) estimated it to cost approximately $2M for NIST to consult in 2018 and then $4M for maintenance/updates through 2022 – a total cost of $6M for implementation.

100k FAFSA apps hacked using autopopulate bug

It started with criminals filling out federal application for federal student aid (FAFSA, aka federal student loan) forms and then circumventing the website's access controls. The hackers were then able to get other applicants' information used for tax returns and submit their own phony tax returns to try to steal refunds.

The hackers were taking advantage of a faulty module in the site called IRS Data Retrieval, which auto-populates your online federal student loan application by using your already known tax return info.

The IRS claimed that in November 2015 they notified the Department of Education about these security concerns (breach) but the IRS didn't actually disable the exposure until March 2017.  The IRS has flagged at least 100,000 accounts as a result.

Individuals can still apply through FAFSA but will need to enter their information manually.