The state of ICT Security

State of ICT Security – Attackers take over SCADA controlled steelworks furnace and caused massive damage

The threat to online assets from attackers remains critical according to a report just released on the State of ICT security by the German Government.

Cloud Computing, mobile systems and big data are providing enormous economic prosperity, but have on the other hand opened up large attack surface for organisations.

The German Federal Department for Safety in Information Technology  has just released its annual “State of ICT Security” report for 2014. The German Government’s version of the bit of NSA that helps government and businesses protect themselves online is called the BSI. They are highly skilled and well respected.

As is usual for a government report it is turgid. However there is some really interesting stuff hidden in the morass.  I’ve picked out some of the gems and translated them here.

Complexity is killing information security

The report emphasises that complexity is exposing organisations to attack. Of particular concern is that Internet of Things (Systeme und Dinge) is now moving from the stage where it is mostly about observation of the environment to changing the environment.

Importantly, particularly in light of the Snowden expose, this report is not coming from either the US or UK and so gives a secondary source to some of what those governments are saying.

There are over 250 million individual varieties of Windows malware around now

Other observations which confirm what you may have seen in other places

  1. Spam continues to grow exponentially
  2. Malware is still growing and at least a million devices are being infected annually in Germany. The BSI estimates that the number of different types of Windows malware is at a staggering 250 million. This is up from around 180 million in 2013!
  3. The number of infected sites delivering ‘driveby exploits’ is growing substantially.
  4. Botnets are being used to steal identity information. There are more than one million devices under the control of botnets in Germany.
  5. Phishing continues to yield results for cyber criminals

Advanced Persistent Threats – an increasing threat for government and industry

Germany is constantly being cyber-attacked by foreign intelligence services. The BSI has installed improved sensor technology in the government’s networks following the revelations that came from Edward Snowden in 2013/14. There are a number of methodologies which the BSI has identified. This tallies quite well with some of the things Bruce Schneier has written recently about these issues

  • Strategic enlightenment – whereby the intelligence service identifies connections between various users to gain an intelligence picture
  • Attacks on key individuals – attacking system administrators for key systems to gain access.
  • Influencing Standards – By weakening standards, , the allegation has been that NSA individuals have influenced the NIST standards development process.
  • Manipulation of IT hardware and software – Well they would do that wouldn’t they.

The BSI notes that trusted insiders are being used to enable some attacks by intelligence services, criminals and activists.

This table is reasonably easy to read, even if you don’t understand German. It shows the prognosis (prognose) for threats over the coming year.

Schwachstellen = vulnerabilities
Schadprogramme = malware
Identitaetsdiebstahl = ID theft

Cyber threat prognosis

Casestudies

The report goes through a number of cases where the BSI was called to assist businesses. Here are two that are of particular concern.

Steelworks compromise causes massive damage to furnace.

One of the most concerning was a targeted APT attack on a German steelworks which ended in the attackers gaining access to the business systems and through them to the production network (including SCADA). The effect was that the attackers gained control of a steel furnace and this caused massive damages to the plant.

Dragonfly attacks a dozen companies

The Dragonfly hacker group attacked a number of companies’ SCADA systems and installed the malware ‘Havex’. This was used to gather information about the systems. No damage was done, because the compromise was detected and removed before the hackers had completed the observation and intelligence gathering phase.

Conclusion

It’s worth remembering that there are many other countries dealing with the cyber threat around the world. Germany has always been one of the leading non-UK CAN, US, AUS, NZ countries and it is interesting to see how they view the landscape.

You can download the original Document from the BSI – Bundesamt fuer Sicherheit in der Informationstechnik – in German “Die Lage der IT-Sicherheit in Deutschland 2014”  https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2014.pdf?__blob=publicationFile

Sydney Siege

The siege in a chocolate shop in Sydney’s CBD ended early this morning AEST. Three people died, including one purported to be the gunman Haron Monis.

There will necessarily be intense scrutiny on the forces used to resolve a violent event. However, it is important to remember that they do not happen in isolation.

The factors that lead us to these events are always complex and often have geo-political, sociological and psychological underpinnings.  In this case, the gunman, was a convicted criminal and seems to have latched on to the idea of violent jihad to justify his own failings. 

This is the time for cool heads. It is far more effective and efficient to invest in efforts which counter radicalism before it descends into violence. To that end, we should remember the quiet work of those who enfranchise the disenfranchised and seek to strengthen social cohesion.

It is these people, who make our way of life so great.  

Governments at all levels must lead in these efforts. Politicians must remember, whatever their political colour, that radicalism  is a complex societal issue, not a sound bite. Else we descend into barbarism.

As a society, we must remember that the work of all members of the civil society needs to be focussed on countering radicalism.

This event received so much coverage precisely because it is uncommon in Australia

Just remember that the reason this event received so much coverage in the media is precisely because it is so rare. And of course, it was across the road from the HQ of one of the big Australian TV channels.

Yet, at the same time across the world, six people died, one was wounded, and the gunman escaped in a shooting in Philadelphia. In that case, it seems that the gunman is a mentally disturbed ex soldier.

Yet, although it was reported, multiple shootings are depressingly common in the US. They are even more common in parts of Africa, and often the reports don’t even make it beyond the local news.

It all comes back to risk and societal resilience, because when citizens are allowed to panic, governments start using extreme measures in our names. Professionalism in risk and security is about understanding the difference between perception and reality and taking an evidence based approach to dealing with the issues.

More information

http://www.abc.net.au/news/2014-12-15/sydney-siege-hostages-cafe-martin-place-police-operation/5967232

http://www.nbcphiladelphia.com/news/local/Lansdale-Shooting-285800521.html

http://www.nytimes.com/2014/12/15/us/politics/cheney-senate-report-on-torture.html?_r=0

http://link.springer.com/search?facet-author=%22Roy+Gardner%22

Privacy and Social Login – wins first prize

Privacy and Social Login article wins award

“Privacy and Social Login” an article published in the International Association of Privacy Professionals Australia New Zealand May 2014 edition of “Privacy Unbound” and here won the first prize for article for this year .

The IAPP announced at the 2014 IAPP Privacy Summit “Privacy at Play” held at the Westin on 17 November in Sydney that Alex Webling had won the 2014 award for best article published in the association’s journal “Privacy Unbound”.

The iappANZ is the pre-eminent forum for privacy professionals in Australia and New Zealand. We are affiliated with the International Association of Privacy Professionals (IAPP) which is the largest privacy body at the global level with a membership approaching 20,000. We work with public and private entities across all industry sectors in Australia and New Zealand as well as the Privacy Commissioners in both countries.

The iappANZ Privacy Unbound Journal provides practical thought leadership and case studies along with a popular Q&A with the Australian and New Zealand Privacy Commissioners to keep members in touch with regulators. iappANZ also provides a Weekly and Daily Digest for regular privacy news updates.

UPDATE 23/12/14

The article, along with a profile of Alex Webling was republished in the IAPP December 2014 edition – http://www.iappanz.org/IAPP/eflash/November_December_edition_59_Privacy_Unbound.pdf

Trusted Insider cont.

Trusted Insider continued

Part 2 of 2 talking about the trusted Insider and how organisations can address the problems at an organisational level

In part 1 of this we talked about who are the trusted insiders, why organisations are concerned and what the motivations of the trusted insider are. Part1 is here – https://www.resilienceoutcomes.com/identity/trusted-insider/

In this part, we talk about some approaches to the trusted insider problem.

Organisations are asking “How can we stop employees becoming the next Edward Snowden?”

I think we should question is why aren’t there more people like Edward Snowden? I think it is worth noting that the NSA is huge with an unconfirmed staff count in the order of 30,000-40,000. One or even ten ‘rogue insiders’ is as a percentage very small – even though the damage to the USA and its allies has been very significant.

Organisations, including intelligence organisations, develop very rigorous and reliable procedures to ensure that people who shouldn’t be trusted don’t join their organisations. Good recruitment practices which exclude people who won’t fit and don’t let people become insiders in the first place are the best defence. However, one of the hardest issues to manage is to deal with people who gradually become disgruntled after they’ve been working in an organisation for a while.

Of course, organisations can use infosec procedures such as internal surveillance mechanisms and information compartmentalisation. These can reduce the consequences wrought by trusted insiders. However these mechanisms can inhibit the rest of the employee body from working at their full potential. It also can affect staff morale if not carefully marketed. Interestingly SIG attendees were told that the Attorney-General’s Department was considering the possibility of a continuous disclosure regime for security clearances which would in real or near real time provide information to security officials about whether employees were undertaking activities which might raise eyebrows.

A Sharing economy model?

Considering an organisational ‘sharing economy’ model when considering the trusted insider threat might help. The employee/employer relationship is one of mutual benefit. It can be also one of mutual harm.

http://pixabay.com/

Employees work for their organisation and their identity becomes entwined in the reputation and identity of that organisation. As mentioned previously, the trusted insider that does the wrong thing by their organisation does so for a number of reasons. The most dangerous reason has always been those who are motivated not by money or greed, but by a grievance or revenge.

If we extrapolate using the NSA/Snowden example…. The NSA has built up an impressive reputation over many years for technical excellence. But maybe some of its employees believed the propaganda of their employer. More importantly, it would seem that NSA’s management failed to completely disabuse their employees of the fact that intelligence agencies live in a grey world and do things that are morally grey. Consequently people working inside the NSA seem to have been surprised when they found that some of the things it was doing were dark. Unfortunately for the NSA, brilliant people became disillusioned and turned against it.

This explanation is probably not the whole answer. However a couple of thoughts arise both of which may help to prevent future events:

  • is it possible to develop an internal organisational market for the reputation of the organisation?
  • A meaningful alternative chain of reporting to vent frustrations is vital.

A market of organisational reputation

Many private and public organisations organisations spend significant sums to monitor their public relations posture. There is benefit in understanding what the organisation thinks about itself as well.  An anonymous reporting mechanism can allow an organisation to get some information about whether it is ‘on the nose’. Such data might also be combined with metrics such as the number of relevant social media postings.

http://pixabay.com/

An alternative chain of reporting

Both USA and Australia now have whistle-blower mechanisms for their intelligence services. In Australia, the Inspector-General of Intelligence and Security performs this role.

Many organisations both in the private and public sector could consider the benefits of taking on aspects of this system. It obviously doesn’t work perfectly, but it certainly contributes to the protection of the intelligence agencies from trusted insiders.

Mr Snowden has claimed that “he had raised alarms at multiple levels about the NSA’s broad collection of phone, email and Internet connections.” However, this is disputed by the USA. Whatever the truth of the matter, it seems that Snowden felt he wasn’t being listened to. So maybe the take-home from this aspect is that the ‘alternate chain’ of reporting needs to have big teeth to make changes where there are real problems identified. Balancing natural justice against the consequences of a breach is incredibly important. Not only for the individual concerned, but for the organisation itself, because you know people in organisations gossip about each other!

http://pixabay.com/

This is of course a governance issue, and this makes it very tricky to get right – this is where Resilience Outcomes Australia can help your organisation, because resilience and longevity of organisations is what we do.

Further reading:

Managing the insider threat to your business – a personnel security handbook (PDF) from the Australian Attorney-General’s Department is a good place to start.

Australian IGIS – Inspector-General of Intelligence and Security – the reports are worth having a look at.

USA Department of Defense Whistleblower Program is part of the Office of the Inspector General of the US Department of Defense. One of the sub-programmes it runs is specifically for the US Intelligence Community.

http://pixabay.com/

The trusted insider

The trusted insider.

Helping organisations protect themselves against trusted insiders

I attended the Security in Government (SIG) conference in Canberra earlier this month. I am somewhat biased, but I think that SIG is probably the best annual security related gathering in Australia.

If you compare it to a lot of international gatherings SIG certainly holds its own. Although, the US and German conferences in particular have glitz and size, the quality of the discussion and the more intimate nature is refreshing. SIG, as you may have guessed is primarily targeted at government, but there are good lessons for all organisations to be had there. Ok, enough of the fanboy …

The 2014 SIG theme was the ‘trusted insider’. Whilst the discussions were often very good, I wondered whether there are additional approaches to reducing the problem of the trusted insider. These approaches focus more on the relationship between employees and their organisations.

http://pixabay.com/

Who are the trusted insiders?

A trusted insider is somebody who uses their privileged access to cause harm to their employer or their interests. I’ll be a bit controversial here and note that, whether these people are traitors, spies or whistle-blowers depends somewhat on perspective. In any case these people evoke strong almost visceral emotions in many people.

Why are organisations so concerned about the trusted insider?

Despite fears about rogue hackers attacking organisations from the outside, the trusted insider is still considered the biggest threat to an organisation. In Australia and overseas, trusted insiders ‘going rogue’ have caused the significant damage to national security, government agencies and private organisations. The harm done can be from loss of secrets, money or even life.

Secrets: The most glaring examples in the information security space have probably come out of the USA in recent times. People like Edward Snowden and Chelsea (Bradley) Manning spring to mind in the national security sphere. However, some Swiss banks have also been stung by Bradley Birkenfield whom some in those establishments might call a trusted insider and the US tax agency would call a whistle-blower!

http://pixabay.com/

Money: Fraud is probably the most significant threat to private organisations from trusted insiders, particularly those in the finance and insurance industry. Sometimes the size of an event can be enormous, such as when $2billion was lost in 2011 through ‘unauthorised transactions’ in a Swiss bank.

http://pixabay.com/

Life and property: Whilst we often focus on loss of information confidentiality, trusted insiders were also responsible for assassinating the Indian Prime Minister Indira Gandhi in the 1980s and shooting fellow soldiers in the USA and Afghanistan in the last decade. There have also been a number of cases of ‘issue motivated’ insiders harming organisations by damaging plant and equipment.

http://pixabay.com/

What motivates the trusted insider?  C.R.I.M.E.S.

The motivations of trusted insiders are varied, however they broadly fit under the standard drivers of criminal behaviour as described by the mnemonic ‘crimes’.

Coercion – being forced, blackmailed or intimated

Revenge – for a real or perceived wrong, it could be about disaffection and or a grudge

Ideology – radicalisation or advancement of an ideology /religious objective

Money – for cash, profit, dosh, moolah – whatever you call it, and/or

Exhilaration or Ego– for the excitement or because they think that they are in someway cleverer than their compatriots –  Christopher Cook seemed driven by the excitement..
The USA’s “worst intelligence disaster” was Robert Hanssen, who might be described as an egomaniac.

Sex and personal relationships. The combination of sex and coercion is a lethal one.

Of course, some are also mentally fragile and may not have a motivation that is exactly clear to others.

End of part 1

In the coming part, we talk about some approaches to the trusted insider problem.

Privacy changes in Australia

Privacy strengthened in Australia

The Australian Privacy Principles come into force on 12 March. The APPs extend coverage of privacy laws to most business with turnover of $3 million or more.

Fines of $1.7 million are possible for breaches.

Privacy - Sony executives bow in apology post Playstation breach in 2011
Execs bow post Playstation breach in 2011

Australian Privacy Principles

The Privacy Act now includes a set of 13 new harmonised privacy principles. The APPs regulate personal information handling by the federal government. In addition, the law significantly expands the number of private sector organisations covered.

The new Australian Privacy Principles (APPs) replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations. The changes do not generally replace existing state of territory privacy legislation (eg Victoria & ACT) which will probably cause some confusion at the edges

A number of the APPs are quite different from the existing principles, including

  • APP 7  -on the use and disclosure of personal information for the purpose of direct marketing, and
  • APP 8 – on cross-border disclosure of personal information.

The OAIC gets teeth

The Privacy Act now includes greater powers for the OAIC which include:

  • conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
  • accepting enforceable undertakings
  • seeking civil penalties in the case of serious or repeated breaches of privacy

In some ways Australia is just catching up with Europe, Canada and USA, but its worth noting that breaches can mean organisations get fines of up to $1.7 million. It is probably an understatement to say that this could  have a serious impact on company finances as well as reputations.

One thing that is very good about these changes is that there is better alignment with good information security practice. We hope that these changes may help some organisations improve the state of their information security as they become privacy compliant.

For more information on the APPs and the OAIC’s APP guidelines, visit this link –  Australian Privacy Principles.

Credit Reporting is changing too

The Privacy Act now includes new credit reporting provisions including:

  • introduction of more comprehensive credit reporting, a simplified and enhanced correction and complaints process
  • introduction of civil penalties for breaches of certain credit reporting provisions
  • requiring credit providers to have an external dispute resolution scheme if they want to participate in the credit reporting scheme. The scheme must be recognised under the Privacy Act.

For a more detailed explanation of the credit changes see: Privacy business resource 3: Credit reporting — what has changed

A new mandatory credit reporting privacy code (CR code), created by the Australian Retail Credit Association ( OAIC’s Codes Register ) also starts on 12 March 2014.

We can help

We are helping government agencies and businesses assess the privacy impact of their activities in light of these legal changes. In particular, we have recently worked with the health and finance sectors in Queensland, the ACT and Victoria.
Please  contact us at Resilience Outcomes for assistance.

SCADA CERT practice guide

ENISA has released a good practice guide for CERTs that are tasked with protecting industrial control systems  (SCADA).

The European Union Agency for Network and Information Security (ENISA) publishes a lot of advice and recommendations on good practice in information security. Necessarily, it has a European focus, but almost all the advice is applicable to systems in any region.

This SCADA CERT practice guide focuses on how Computer Emergency Response Teams should support Industrial Control Systems (ICS).The terms ‘ICS’ and ‘SCADA’ (Supervisory Control and Data Acquisition) are pretty much interchangeable.

SCADA systems were around before the Internet. The first systems were driven by mainframes and installed to control water and electricity networks. Since then, SCADA has become ubiquitous and systems that were initially designed to work on independent networks have been connected to the Internet.

Connecting SCADA to the Internet has many advantages. It increases system availability and reduces costs of connecting geographically disparate systems. At the same time, connecting SCADA to the Internet decreases system confidentiality and more importantly in this situation, system integrity.

CC Worldbank photo collection
Industrial Control Systems support every aspect of our daily lives. Photo CC WorldBank Photo Collection

The ENISA ICS guide tries to put together in one document, a guide for CERTs that are required to protect SCADA/ICS systems. Importantly, it doesn’t just focus on the technical capabilities required for operations, but also organisational capabilities and what it terms ‘co-operational capabilities’. This last part is important as computer emergency response teams can forget that they are part of a system and the system is only as strong as the weakest link. It is important to remember that preparation for things going wrong involves identifying people, resources and stakeholders that will be required. Developing relationships with other organisations will always pays dividends when an emergency occurs. This is where the ENISA advice is in some ways superior to the advice from the US DOE, although I acknowledge the attractive simplicity of some of their guidance.

It is good that the authors acknowledge that this area is one where there is limited experience and that the guide should be considered a ‘living document’. As usual in cyber-security protection, both technical expertise and organisational /management guidance are required.

 

More information available from ENISA

US DOE SCADA guide

 

 

cyber identity security

Cyber Identity theft service sold personal information on US citizens by compromising multinational consumer and business data aggregators

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of US residents has allegedly infiltrated computers at some of America’s largest consumer and business data aggregators, including Dun & Bradstreet according to Krebs on Security. 

If you’re Australian or a resident of other countries where these guys operate, you had better hope that these companies didn’t leak information between their subsidiaries and the main office – because you know that would never ever (cross fingers) happen !!

This looks like a solid investigation by the guys/gals at Krebs. The hackers at the back of this identity theft service didn’t exfiltrate data from their targets wholesale, they just compromised the targets and allowed their customers to directly query information and charged them between 50c and $2.50 US for personal records and up to $15 for credit checks – via Bitcoin or Webmoney of course!

Compromised systems accessed through the criminal service seem to include

Importantly, the compromise was probably targeted as much on gaining information about companies to take out fraudulent loans  on them according to a Gartner analyst. If a criminal can masquerade as a large company, they can take out a much larger loan on their behalf than they could on all but the richest people.

This may take a little while to play out, but it is likely to have an impact on legislative requirements for information security by data aggregator firms. By their very nature, they hold aggregated data from millions of customers. Each piece of data requires protections, together the data becomes far more valuable and therefore a greater target for cyber criminals and foreign espionage. How we deal with aggregation remains one of the keys to the risk based handling of big data.

NSA/GCHQ built vulnerabilities into encryption?

Have the NSA and GCHQ been building vulnerabilities into commercial encryption products?

If this is true, another argument for open source software has been made. Articles in the New York Times and the Guardian  alleged that  the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” .

The problem with this approach is that the NSA and GCHQ have two roles and it would seem that they have failed to balance them. This is the question of intelligence equities. These organisations are charged to reveal the secrets of their enemies, but also to protect the information of their countries. By building back doors into software and hardware being sold to unsuspecting customers, they are doing what they have accused the Chinese of doing.

Moreover the fact that these backdoor vulnerabilities exist, mean that others can find and use them, not just NSA and GCHQ but also other cyber criminals.

It is the ultimate hubris to think that NSA and GCHQ are the only ones capable of discovering and exploiting these vulnerabilities. “If you want to keep a secret, you must also hide it from yourself.”  George Orwell1984 . No organisation as large as the NSA can do this forever.

The USA tried under President Clinton to make all manufacturers insert a hardware ‘clipper’ chip  into their devices, but the backlash was such that the US government withdrew support for the idea. What this information is telling us is that the NSA didn’t give up and found alternative means to realise the  concept.

The only logical conclusion from this revelation is that the signals intelligence agencies are unable to both reveal the enemies’ secrets and protect those of their citizens at the same time. They should be split. The information assurance role should come under the control of the trade, infrastructure and industry portfolios.

 

You can find the NYT article here – http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all 

You can find the Guardian article here – http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

A culture of entitlement is corrosive

A culture of entitlement is corrosive in a government agency or any organisation

I’ve just come across a USA government document which is both fun to read and educational. Its called the Encyclopedia of ethical failure 2013, its published by the US Defense department. The dry title doesn’t do this piece justice, I think the title should be “A culture of entitlement in an organisation is corrosive”.

http://www.flickr.com/photos/twicepix/ - culture of entitlement is corrosive
A culture of entitlement is corrosive just like acid

The reason that you should be reading it is that it is a series of sometimes funny and tragic stories about how employees forget that the employee/employer relationship is a two-way street. Maybe it is also about how employers forget that their staff are human. They sometimes do dumb things and forget about the consequences of their actions.

Steven Dubner from Freakanomics interviewed the current and past editors Steve Epstein and Jeff Green. Interestingly they said that it was difficult to find common characteristics (M/F, race, religiosity, seniority) between the people who did these things. Green and Epstein suggested that they all didn’t think about the consequences of their actions properly. The other thing to notice is that security people, intelligence officers and lawyers commit these crimes too.

Maybe as a collection these are cases of a man or woman failing to identify the full consequences of their actions. I could put it in risk terms, individual failure to realise initial risk and downstream consequences when the they get caught.

The other observation that is interesting is that some people are cheap to bribe. Some of these people lost their careers and potential earnings of millions of dollars over a lifetime for hundreds of dollars in cash or kind. This is an sign that the perpetrators haven’t thought about personal risk and/or their decision-making is visceral. It makes me wonder whether one possible mitigation against fraud is teaching employees decision-making to improve the way that they weigh up alternatives. Maybe the SWOT analysis is the best preventative tool against fraud!

Because the document was written by the US Defense department, it has a military flavour, but the examples run the gamut of the US Federal public service. Here are some of my favourite excerpts. I’m sure you’ll get a laugh out of these and some food for thought. Maybe some of these are familiar in your organisation…..

FBI Undercover Parties

According to an FBI report, upon the retirement of a senior FBI official, FBI personnel from around the country journeyed to Washington to attend the official’s retirement party.  Many out-of-town G-men traveled on official orders and public expense. According to their travel orders, the purpose of the trip was to attend an ethics conference! According to the news report, only five people actually attended the ethics forum.

“But, Judge, I didn’t get anything!” 

 An offshore safety inspector found much of the Government’s equipment to be in need of repairs to meet safety standards. He then referred the business to his brother-in-law’s repair shop. The rig operators smelled a rat and called the FBI. They discovered that, in return for each referral, the brother-in-law was treating the inspector to an evening with a lady of dubious morals.

The case was brought to trial. In his defense, the inspector claimed that he had not received a “thing of value” in return for the referral. The judge didn’t buy it – and neither did his wife.

Courting Trouble

A former official of the U.S. Tax Court, Fred Fernando Timbol Jr., was sentenced to 18 months in prison and three years of supervised release in connection with a bribery conspiracy.

Timbol was a facilities services officer in the Facilities Management Section of the U.S. Tax Court.  Timbol was responsible for assisting in the award of contracts to contractors who provided maintenance, construction, and other related service to the Court.  Timbol admitted to soliciting and accepting over $12,000 from a government contractor in exchange for rigging the award of at least six inflated contracts.  As part of a plea agreement and by order of the court, Timbol also agreed to pay restitution  of $24,143.

DVD Bootleggers MIA During Government Work Hours

A Federal employee used his Government computer to make illegal copies of commercial DVDs in violation of copyright laws.  He and another employee also used their Government computers and duty time to watch the movies.  The other employee took lunches lasting up to three hours in order to watch the DVDs and take naps.  Initially the employees’ supervisors signed off on this behavior, even assigning extra work to others to make up for the employees’ time wasted napping and movie watching.  The employee who copied the DVDs received a written reprimand.  The supervisor received an oral admonishment for failing to address the misconduct, and another employee received a Letter of Counseling for knowingly accepting a pirated DVD.  In a similar case, a civilian employee working for the U.S. Army in Germany was involved in selling pirated DVDs.  He used the profits from his illegal operation to buy vacation homes and luxury cars and to pay for frequent European ski vacations.  He devoted some of his duty time to the marketing and selling of the bootleg videos, including taking payments while on the job.  Even though the employee had left Federal service by the time the accusations against him were substantiated, administrative action was taken to bar him from US Army Europe installations.

This next one is interesting because of the recent Asiana crash 

FAA Employee Sentenced for Bribery

A former employee of the Federal Aviation Administration (FAA) was convicted of bribery.  In carrying out his primary responsibility of reviewing and processing applications for FAA-issued pilot certificates, the employee accepted bribes of $2,000 and an all-expense paid trip to Korea in exchange for preferential treatment of applications for Korean pilots from the flight school, Wings Over America.

The employee was sentenced to pay a $2,000 fine and serve four months in prison, followed by three years probation for violating 18 U.S.C. 201(b)(2).  Bribery occurs when a public official seeks or accepts anything of value in return for being influenced in the performance of an official act.

government Lawyer  in Tucson Illegally Possesses Sheep Skull and Horns

The Assistant U.S. Attorney (AUSA) prosecuted an individual for illegally killing a bighorn sheep on an Indian Reservation. As a result of the prosecution, the hunter forfeited the bighorn sheep and trophy (skull and horns), valued at approximately $5,000, to the Arizona Game and Fish Department. Pursuant to a request from the AUSA, the Arizona Game and Fish Department entered into an agreement with the AUSA allowing him to publicly display the skull and horns in his office, but requiring their return upon request. However, after leaving employment with the U.S. Attorney’s office, the AUSA took the skull and horns with him and treated them as his personal property. When the former AUSA was questioned a year later about his possession of the skull and horns, he claimed that an unspecified Indian had sent the skull and horns to him in appreciation for his work on the prosecution of the hunter. Investigation showed that such a gift would have been contrary to tribal practices and no member of the tribe could be found who knew anything about the alleged gift.

CIA Employee Drives Overseas Auto Scheme

As a U.S. Federal employee residing in Egypt, the CIA agent discovered that he could purchase an imported vehicle in Egypt without having to pay the normal 150% excise tax. This fact had created a black market in which Egyptian car brokers would pay U.S. employees to register luxury cars in their names in order to allow the dealers to evade import taxes. Investigators found that while in Cairo, Egypt, the employee had agreed to accept $25,000 in exchange for changing the status of his personally-owned vehicle with the Egyptian Ministry of Foreign Affairs, which would allow him to participate in the scheme

———————–

So there’s some of the highlights from my perspective. You can download the full document here (163 pages). You’ll find that it references most vices! What do you think about the alternative title – “A culture of entitlement in an organisation is corrosive”?