With Five New Additions, STRmix™ Now Being Used In 43 Labs Nationwide

With the addition of five new forensic labs, STRmix™ – the sophisticated forensic software used to resolve mixed DNA profiles previously thought to be too complex to interpret – is now being used by 43 federal, state, and local agencies in the U.S.

The five new agencies now using STRmix™ to resolve DNA profiles are:

  • The South Carolina Law Enforcement Division, which provides manpower and technical assistance to law enforcement agencies and conducts investigations on behalf of the state;
  • The Colorado Bureau of Investigation, which performs forensic and laboratory services and criminal investigations at the request of local and state law enforcement, agencies, and district attorneys;
  • Bode Cellmark Forensics, which serves the law enforcement and identification markets and provides both state-of-the-art human DNA analysis and innovative DNA collection products;
  • Nebraska State Patrol, Nebraska’s only statewide full-service law enforcement agency, serving the state since 1937; and
  • University of Nebraska Medical Center Human DNA Identification Laboratory, which provides methods for determining the person of origin for biological specimens to resolve issues of parentage and suspected specimen misidentification, and provide physical evidence for law enforcement agencies and private attorneys.

“STRmix™ software has greatly improved the usability of DNA. Agencies, for example, are reporting an uptick of interpretable DNA in gun cases from approximately 40% to more than 70%,” explains John Buckleton DSc, FRSNZ, Forensic Scientist at the New Zealand Institute of Environmental Science and Research (ESR). “As a result, evidence is available in a much higher fraction of criminal cases than in the past.”

Dr. Buckleton, who developed STRmix™ in collaboration with ESR’s Jo-Anne Bright and Duncan Taylor from Forensic Science South Australia (FSSA), adds, “We need to help labs, prosecutors, and defenders to achieve justice outcomes and avoid labs making extreme efforts to clear cases, but obtaining uninterpretable results.”

According to Dr. Buckleton, this is particularly true with respect to sexual assault cases. Pointing out that labs increasingly are being asked to clear their Sexual Assault Kit backlogs, he notes, “Given the considerable resources being invested in materials and staff time to clear those backlogs, we need to help labs to increase the outcomes from their investment with a higher rate of interpretable results.”

To date, STRmix™ has been used successfully in numerous U.S. court cases, including 28 successful admissibility hearings. It is also in various stages of installation, validation, and training in more than 60 other U.S. labs.

Internationally, STRmix™ has been used to interpret DNA evidence in more than 100,000 cases since 2012. It is currently being used in all nine state and territory labs in Australia and New Zealand, as well as 11 forensic labs in England, Scotland, Ireland, Finland, Dubai, and Canada. The code for three versions of the software has now been independently examined and in all cases admitted.

STRmix™ Ltd. introduced a new version of the software, STRmix™ v2.6, in August 2018. The new version features a user interface that has been completely redeveloped and refreshed, providing users with vastly improved usability and workflow. Version 2.6 also enables a range of contributors to be entered when performing a deconvolution, and any type of stutter to be added and configured.

For more information about STRmix™ visit www.strmix.com.

(112)

Share

The role of Information Assurance in managing data security

A new year is the time for lots of pledges of how things will be done differently: new targets to meet, processes to drive forward and the chance to make positive changes.

It’s not surprising that the information and cyber security industries aren’t exempt from this, as it’s no secret that both industries faced more than a few challenges last year. First came the build-up and introduction of the General Data Protection Regulation (GDPR) in May 2018, putting severe fines in place for any future data breaches. Then there was the challenging political and economic climate, the scare of being the next victim of a high-profile data breach and the rise of new technology such as Artificial Intelligence (AI) and machine learning to contend with. All in all, it wasn’t an easy year.

However, the volume of data breaches alone is not the shocking factor, and should no longer be the focus for any CISO looking to make a difference to their organisation’s cyber security strategy. The difference now is the size and scale of the data breaches and the nature of the sensitive and critical data stolen; hackers have moved on from email addresses to instead seek out passport numbers and CVV data from credit cards, and are able to spend far longer strolling around an organisation’s network without being detected. Take the Marriott International data breach from November 2018 as an example; hackers had been able to access the network for four years with no unusual activity detected or any alerts raised. It has since been revealed approximately 5.25 million unique unencrypted passport numbers were part of the vast volume of data stolen.

Supporting IT evolution

Networks can quickly become a web of users, devices and applications, all requiring different access controls and requirements to keep the data safe. In line with this, organisations have evolved beyond perimeter-only security models to increasingly lock down data – both at rest and in motion. A fundamental part of this is encryption, but to be effective, encryption must enhance, not constrain IT evolution.

However, embedding cyber security solutions into an organisation’s network creates a number of challenges in itself: higher complexity, scalability becoming a real headache and key management and key rotation becoming almost impossible across large estates. What’s more, as organisations have layered technology on top of technology, the technology stack itself has become complex and huge amounts of resources and operational overhead are needed to manage it. In today’s digital world where flexibility and business agility should be at the top of the agenda, having an unresponsive security solution tied to the network is just not an option; it creates a static environment, uninviting of innovation and new technology.

Introducing Information Assurance

Encryption needs to be deployed as a function within an Information Assurance (IA) security overlay, on top of an organisation’s existing network and independent of the underlying transport infrastructure. This makes the network itself irrelevant, with emphasis instead placed on applications and IA posture.

This approach also has economic and commercial benefits. Taking security intelligence out of the network allows it to focus on its core task: managing and forwarding traffic. With routers and switches no longer needing large security feature sets, organisations can save money and resource and invest this in a true IA security posture with data protection at its core.

Additionally, by introducing a software-defined approach to data security ensures the data is protected in its entirety – regardless of whatever network or transport it goes across. The approach enables a centralised orchestration of IA policy and centrally enforces capabilities such as software-defined application segmentation using cryptography, key management and rotation. Segmentation brings further benefits through its ability to block lateral movement once an attacker has breached the perimeter defences.

It’s no secret that key changes to security strategies throughout 2018 could have prevented or reduced the impact of numerous high-profile data breaches, and it all comes down to a change in mindset. Rather than thinking of network security, the emphasis instead needs to be placed on data security and IA, with security deployed as a network overlay. So, as the new year begins to get into full swing, now is the time to make changes and see what the benefits will be.

Dan Panesar, VP EMEA, Certes Networks

(25)

Share

Lapse in security exposes millions of bank loan and mortgage documents online- Comment

It has been revealed that a security lapse has led to another dramatic Elasticsearch database breach which has left more than 24 million financial and banking documents exposed online, with much of the information linked to some of biggest banks in the U.S.

Commenting on the news are the following security professionals:

 

Jonathan Deveaux,  Head of Enterprise Data Protection at comforte AG:

“Applied for a loan in the past 10 years? Then your personal data may have been exposed.

What’s unique about this cyber security leak, is that the data may have originated at major banks (Citi, HSBC, and Wells to name a few) but they didn’t expose the data. A company who obtains the data for analytical purposes (think Big Data and ML) is most likely the source. It was reported that their servers were misconfigured and there were no password requirements to access the data.

 

If the banks are securing personal data when taking the loan application, but handing the data off to another company *unprotected* then this is a major security gap. And even if the data is secured when given to a company for analytical purposes, the next step is to ensure the data stays protected while they analyze it. 

 

One of the data elements exposed in the report was social security numbers. There’s really no useful reason why a SSN is needed for analysis. SSNs could have been masked or tokenized, while other data was used for analytical purposes.

 

Banks and other Fintech companies need to really understand how other parties will use the personal data they provide them. And maybe it’s time they stop working with companies who don’t do more to secure sensitive data.”

 

Tim Erlin, VP at Tripwire: 

 

“This wasn’t a sophisticated attack by a well-funded nation-state adversary. It was a misconfiguration, a mistake. Organizations need to be able to detect and remediate misconfigurations, period.  This is highly sensitive data that was exposed to anyone willing to look for it. Moving data and applications to the cloud doesn’t magically absolve an organization of its security responsibilities.”

 

(37)

Share

Home Office and Justice Ministers to face questions on the UK’s fragile forensic science market and its effect on the Criminal Justice System

On Tuesday 29th January the House of Lords Science and Technology Select Committee will question representatives from the Home Office, including Rt Hon Nick Hurd MP, and Lucy Frazer QC MP from the Ministry of Justice on the UK’s use of forensic science in criminal investigations.

The Committee has heard concerning evidence that there are differing levels of scientific understanding within the Criminal Justice System by lawyers, judges and jurors on the use of forensic evidence but also a lack of progress in ensuring the UK is equipped with the highest possible standards of forensic science.

The Committee will ask for updates on what their Departments are doing to ensure the quality of forensic science is effective across all areas of the criminal justice system and will quiz Ministers on their plans to stabilise the forensic science market.

The evidence session will begin at 3.30pm in Committee Room 4A of the House of Lords. Giving evidence will be:

  • The Rt Hon Nick Hurd MP, Minister of State, Home Office
  • Professor John Aston, Chief Scientific Adviser, Home Office
  • Christophe Prince, Director of Data and Identity within the Crime, Policing and Fire Group, Home Office.

The Second session will begin at 4:30pm and the Committee will question:

  • Lucy Frazer QC MP, Parliamentary Under-Secretary, Ministry of Justice
  • Fiona Rutherford, Deputy Director of Legal Aid Strategy and Policy, Ministry of Justice
  • Matthew Gould, Deputy Director of Criminal Courts and Criminal Law Policy, Ministry of Justice.

Questions likely to be asked during the sessions include:

  • Has the introduction of mandatory training in scientific principles such as probability for legal professionals been considered?
  • Has the market model of provision of forensic services destabilised effective provision of forensic science to the Criminal Justice System?
  • What guidance has been provided to judges about the timescales needed to analyse digital evidence?
  • Why has no progress been made on providing the Forensic Science Regulator with statutory powers?
  • What are you doing to work with UKRI to provide adequate and strategic support for research and development into forensic science?

(124)

Share

Google’s GDPR fine only the tip of the regulatory iceberg in 2019

In light of the recent breaking story about Google, where they were fined by the French regulator £44 million, below is comment from cybersecurity firm Veracode’s director of solutions architecture (EMEA), Paul Farrington.

Google one of the biggest handlers and processors of data in the world has been subjected to a huge fine of 50 million euros (£44m) for violation of regulation set about by GDPR. The French data regulator CNIL has made an example of Google for their breaches in failing to provide adequate transparency and obtaining valid consent. Veracode believes this fine is the start of a challenging 2019 for businesses when it comes to compliance. 

With International Data Protection Day soon, it should come as timely reminder organisations must get their houses order with data protection and governance. Better data protection can be achieved through four key practices: Visibility, Security, Integrity and Recovery. Failure to adequately adhere to GDPR can see organisations being handed financial penalties like Google. 

Paul Farrington, director of solutions architecture (EMEA) at Veracode

“The fine against Google is an indication of the serious focus on privacy and security by regulators. Global enterprises must take steps to ensure security hygiene and compliance with standards to reduce their risk and protect data.”

(54)

Share

MS Word Documents Spreading .Net RAT Malware – Egress’ CTO comments

A malicious MS Word document, titled “eml_-_PO20180921.doc,” which contains auto-executable malicious VBA code and spreads through phishing campaigns has been found by researchers at Fortinet’s FortiGuard Labs. In the case of this malicious MS Word document, victims who open the document are prompted with a security warning that macros have been disable. If the user then clicks on “enable content,” the NanoCore remote access Trojan (RAT) software is installed on the victim’s Windows system. Egress Software’s CTO, Neil Larkins comments:

“This latest strain of NanoCore RAT (1.2.2.0) is known to execute a series of malicious behaviours, including password stealing and keylogging, and makes it difficult for victims to eradicate by injecting code that preserves the malware in the infected system’s memory. As reports show, this strain is currently being transmitted via an infected Word document attached to phishing campaigns – so it is imperative people are on the lookout for this attachment and therefore, as much as possible, avoid downloading the malware in the first place.

Sophisticated phishing emails are designed to look as real as possible, and can, to the untrained eye, appear nearly identical to an email from a trusted sender or real person, particularly if an email account has been compromised or spoofed. On top of this, the malicious Word document used to transmit NanoCore RAT 1.2.2.0 leverages people’s repeat behaviour of clicking to enable Microsoft macros within Office documents. As a first step, users should always think twice before opening attachments from unknown senders – particularly if they have a suspicious-looking or unfamiliar file name (like ’eml_-_PO20180921.doc’). Often, cyber-criminals take a scattergun approach to sending phishing emails, targeting a large audience with the aim of being successful with a proportion of recipients. As a result, even though the email may look and sound realistic, it’s likely the recipient hasn’t heard of or worked with the sender before – which should raise an immediate red flag. Users should always be encouraged to raise these incidents with their internal security team and, on personal devices, can rely on the research of organisations like Fortinet to steer them in the right direction as well.

Although it’s concerning to see another strain of NanoCore RAT emerge, despite its creator already being sentenced to serve almost three years in federal prison, new technologies are also evolving to help tackle new threat – and organisations should be on the lookout to use these wherever possible. The application of machine learning, deep learning and NLP has made it increasingly possible to mitigate this risk. By analysing various attributes, including the sender’s authenticity, smart technology can now recognise patterns and highlight anomalies – including whether or not the sender of an email can be trusted.”

(80)

Share

Worlds largest youth run agency exposes 4 million intern applications on Elasticsearch server- Comment

It has been reported that AIESEC, labelled as the “world’s largest youth-run organisation,” has been found to have exposed over four million intern applications, which contain sensitive and personal information, after failing to apply a password onto an Elasticsearch server.

The database contained “opportunity applications” contained the applicant’s name, gender, date of birth, and the reasons why the person was applying for the internship.

Full story here: https://techcrunch.com/2019/01/21/aiesec-data-leak/

Commenting on the news is Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG:

“Merry belated Christmas, millennials. By the way, your data was exposed… Of the 4 million intern applications unprotected, a company rep claims only 40 of the records were actually exposed.

No matter what the count is, it just goes to continue prove a major point… companies all around the world are not all protecting personal data. When writing personally identifiable information on to a database or file, organizations need to do more. Even just following the basics sometimes, would help. Even though this company is a Non-profit organization, GDPR fines may still apply.  If “Taylor Smith” was tokenized and protected as “FSLIDB ZPMDQ” we wouldn’t be having this issue.”

 

(38)

Share

FEE Conference Speaker, Dr Gillian Tully, gives evidence to the House of Lords Science and Technology Select Committee

On Tuesday 22nd January the House of Lords Science and Technology Select Committee will question Dr Gillian Tully, the Forensic Science Regulator, on the forensic science market and her ability to enforce standards.

In written evidence to the Committee, the Forensic Science Regulator stated that there is a ‘lack of strategic leadership and clearly understood policy and strategy for forensic science in England and Wales’. The Committee has also heard evidence that there are significant concerns about the sustainability of the current forensic science market in the UK.

Over the course of the session, the Committee will ask Dr Tully what effective oversight of forensic science should look like and whether the criminal justice system is being equipped with the highest quality of forensic science.

The Session will begin at 3:25pm in Committee Room 4 of the House of Lords. Giving evidence will be:

  • Dr Gillian Tully, Forensic Science Regulator

Questions the Committee are likely to ask include:

  • How would statutory powers help with dealing with low compliance to ISO standards and the Regulator codes?
  • Given that the human factor is so important in the interpretation of forensic evidence how do you assess individual competency given that every case is different?
  • Who should be responsible and accountable for forensic science service provision?
  • Is enough being done to prepare for the increasing role that digital forensics will have in the future?

Dr Gillian Tully is also speaking at the Forensics Europe Expo Conference for more information regarding the event please visit: https://www.forensicseuropeexpo.com/conference

DFMag is also exhibiting at the Forensics Europe Expo, register for the event and visit our stand: https://clarion.circdata-solutions.co.uk/Microsites/RFG/publish/FEE19/

(85)

Share

Collection 1 data dump exposes passwords on over 770m records-Comment

Almost 773 million unique email addresses and just under 22 million unique passwords were found to be hosted on cloud service MEGA. In a blog post, security researcher Troy Hunt said the collection totalled over 12,000 separate files and more than 87GB of data. The data, dubbed Collection #1, is a set of email addresses and passwords totalling 2,692,818,238 rows that has allegedly come from many different sources.

Commenting on the news is Javvad Malik, security advocate at AlienVault: 

“Collection #1 is a massive dataset of compromised credentials across many different breaches. It goes to show the magnitude of the breaches and how the cumulative effect is quite devastating. It serves as a reminder of the risks that come with reusing passwords, or how using email addresses as an identifier can compromise individual privacy. The silver lining is that companies can use the data from Collection #1 to enrich their detection capabilities by proactively looking at credential stuffing attacks, or blocking users from reusing passwords that have been compromised.”

(35)

Share

Hackers tricking employees to handover payroll data in latest BEC scam- Comment

Hackers have been found to be impersonating HR staff to gain employee credentials to access employee payroll accounts and banking details.

Commenting on the news is Felix Rosbach, Product Manager at comforte AG:

“Here we have yet another example of how easy it is to steal someone’s identity – given there are no countermeasures in place. The reason for this is simple: most hackers aren’t geniuses, but neither is the average employee. We’re only human after all. Sometimes we make mistakes. Sometimes we get complacent or distracted and, unfortunately, our tendency to slip up every once in a while leaves us open to exploitation. That’s why you always have to have the human element in mind when thinking about security. So the question is: how do we protect our organization from the phishing scheme du jour? With an increasing attack surface and an endless number of ways to get access to a company, the name of the game is sophisticated identity access management coupled with verification from an actual human. And last but not least, having solid data protection will act as a fail-safe to minimize the damage in the event of a breach.”

 

(43)

Share