Search This Blog

Friday, August 19, 2011

Security Management Weekly - August 19, 2011

header

  Learn more! ->   sm professional  

August 19, 2011
 
 
Corporate Security
  1. "BofA Says Some Debit Cards Compromised" Bank of America
  2. "Jihadist Calls on U.S. Muslims to Cut Off Letterman's Tongue" David Letterman
  3. "Unauthorized Earnings Releases Spark Czech Probe"
  4. "Lessons in Security Leadership: David Komendat"
  5. "How Text Messaging Helps Your Security Department"

Homeland Security
  1. "Kabul Attack: Taliban in Six-Hour Gun Battle in British Compound"
  2. "Tampa Police Foil School-Attack Plot"
  3. "Cops: Man Plotted Gas Attack on Anti-Pope Crowd" Madrid
  4. "Terrorism Now on Norway's Radar"
  5. "Bill Calls for Background Checks at Utilities"

Cyber Security
  1. "Report: Spam Is At a Two-Year High"
  2. "California Transit Agency Targeted by Hackers" San Francisco's Bay Area Rapid Transit System
  3. "Mediocre Hackers Can Cause Major Damage"
  4. "Anonymous Breaches San Francisco's Public Transport Site"
  5. "Hackers Shift From Petty Vandalism to Massive Data Theft"

   

 
 
 

 


BofA Says Some Debit Cards Compromised
Bloomberg (08/18/11) Son, Hugh

Bank of America issued some customers new debit cards this week, saying accounts may have been compromised at a merchant. Customers are given new account numbers as a precaution if fraud monitoring detects potential security breaches, says Betty Riess, a BofA spokeswoman. The bank's actions were in response to an “isolated” incident, she adds, and not the result of a security breach of BofA's system.


Jihadist Calls on U.S. Muslims to Cut Off Letterman's Tongue
New York Post (08/18/11) Bennett, Chuck

A jihadist going by the name of Umar al-Basrawi has called on U.S. Muslims to cut off late-night host David Letterman's tongue and "break his neck" in a post on the al-Qaida forum Shumoukh al-Islam. The threat followed jokes made by Letterman about the deaths of Osama bin Laden and his successor, Ilyas Kashmiri. Sources indicate that al-Basrawi must have contacts with al-Qaida because authors who post on the forum must be approved. A New York Police Department official says the department is aware of the threat and that Letterman's employer, CBS, has been notified as well as local police in Westchester, N.Y., where Letterman lives. A representative for Letterman has declined to comment.


Unauthorized Earnings Releases Spark Czech Probe
Wall Street Journal (08/17/11)

Reporters have been able to access quarterly corporate earnings releases from two companies in the Czech Republic before those releases were scheduled to be sent to the country's regulator and the Prague Stock Exchange. On Monday, journalists were able to access the second-quarter earnings information of the Czech power company CEZ AS from the company's Web site. The reporters then published the data about a day before CEZ AS was scheduled to give its earnings information to the regulator and the stock exchange. The incident came after a separate group of reporters found the second-quarter earnings results of the Czech petrochemical company Unipetrol AS on the company's Web site and published them a day before they were set to be released. Officials at CEZ said that their IT network was not secure enough to protect the earnings data from being accessed by outsiders, while Unipetrol blamed technical issues for giving the reporters the ability to access the earnings information. Unipetrol also said that it has taken steps to prevent similar issues from cropping up in the future. Authorities are investigating whether the availability of the earnings data on the two companies' Web sites amounted to a violation of capital market rules, as well as whether the companies are responsible for all of the publicly-accessible data on their Web sites.


Lessons in Security Leadership: David Komendat
Computerworld (08/09/11) Brandel, Mary

David Komendat serves as vice president and CSO at Boeing, and strives to meet the security needs of both the commercial and defense sides of the firm. He has helped elevate the security division as an organization, thereby allowing it to provide internal expertise to Boeing's individual businesses when they secure a contract, thereby eliminating the need for external security consultants. Komendat believes it is essential for the CSO to have strong business knowledge and to oversee the organization like any other department in a company. This means using metrics and governance processes and ensuring the organization's strong financial performance. He also believes security leadership can be enhanced by working with smarter individuals who will help drive improvement and challenge the CSO. These people should themselves be good leaders at every level along with high-potential individuals in the pipeline. Komendat furthermore believes the CSO needs to be a strong communicator who lets others know the vision and how to achieve it. In addition, the CSO needs to be a good listener, request feedback, and be able to make decisions promptly even when all the desired data is not there.


How Text Messaging Helps Your Security Department
SecurityInfoWatch.com (08/05/11) Kohl, Geoff

The use of text message-based programs may give companies a security advantage, especially in multi-floor settings like office towers and corporate campuses. At the recent National Sports Safety and Security Conference and Exhibition in New Orleans, La., one of the key messages that emerged was the increasing use of such programs by leagues and stadiums. Facility operators like the NFL and MLB encourage spectators to send text messages of inappropriate behavior. Sports fans can text their information directly to the command center without others knowing they were one to report the unruly person. Best practices of text message programs include installing signs across the venue about the acceptance of text message reports, including on program guides and parking areas. Security departments should also anticipate having more reports than in the past. Venues should also encourage the use of text messages for guest services, such as finding an ATM, fixing a broken seat, or requesting a hot dog vendor. Many stadiums and teams are forming game day smartphone apps that let fans report unruly behavior as well as allow the security team to alert people of traffic issues, evacuations, or bad weather conditions that would impact spectator safety. Ideally, someone on the security staff should be trained on how to read text messages, which tend to use various kinds of shortened words. Jeff Miller, the director of security for the NFL, says text messaging "allows us to intervene on the early side. We can send someone down to talk to that fan so that we don't have to get to the point where they need to be ejected or arrested." Conference attendees agreed that text message programs can be successfully adapted to workplace settings.






Kabul Attack: Taliban in Six-Hour Gun Battle in British Compound
Guardian Unlimited (UK) (08/19/11) Boone, Jon

At least nine people were killed in a Taliban attack on the British Council building in the Afghan capital of Kabul on Friday. The attack, which was launched to coincide with the anniversary of Afghanistan's independence from Britain, began when a suicide car bomber detonated his explosives at the council building's front gate. Between two to four armed insurgents then ran out from a side street in the direction of the gate while simultaneously firing their guns into the air. Afghan police officers responded to the building after receiving reports of the attack, though three were shot and killed by insurgents. Another five police officers were among the dead, as was one foreign national. Fighting between the insurgents and security forces continued to rage in and around the building six hours after the initial attack. Witnesses reported hearing explosions and gunfire from inside the building while helicopters flying overhead shot counter-missile flares. At least one of the attackers is still in the compound.


Tampa Police Foil School-Attack Plot
USA Today (08/18/11) Dorell, Oren

A 17-year-old boy was arrested in Tampa, Fla., on charges of plotting an attack at his former high school on the first day of classes next week. Police received a tip that an attack was being planned by Jared Cano, who was expelled from Freedom High School last year. After receiving the tip, police searched Cano's home and found a number of bomb making materials, including plastic tubing, a fuel source, shrapnel, and timers and fuses. Authorities believe that Cano had practiced using the devices he collected. Police also found a manifesto in Cano's home that allegedly described his plans for the attack, which included placing bombs in specific locations and detonating them at certain times in order to inflict the highest number of casualties as possible. In addition, police said that the manifesto named two assistant principals at Freedom High School as the main targets of the attack. Schematic drawings of rooms at the school were also included in the manifesto, along with statements about Cano's alleged intent to kill.


Cops: Man Plotted Gas Attack on Anti-Pope Crowd
MSNBC (08/17/11)

Authorities in Spain say they have foiled an attack on events associated with World Youth Day in Madrid. Spanish police say that a 24-year-old Mexican student who specializes in organic chemistry and is in Spain studying with the Spanish National Research Council was arrested Tuesday on charges of planning a gas attack against a group of people protesting Pope Benedict XVI's visit to Spain. A search of the suspect's apartment in Madrid uncovered an external hard-drive and two notebooks with chemical equations that were not associated with the student's studies. Officials also said that the suspect used the Internet to try to recruit people to help him. However, authorities did not say that they recovered chemicals that could be used in an attack during the search of the suspect's apartment. Authorities have also not said whether they believe that the student was capable of carrying out the attack. A protest against Pope Benedict's visit to Spain is scheduled to be held Wednesday night in Madrid, one day before the pontiff arrives in the country to celebrate World Youth Day.


Terrorism Now on Norway's Radar
USA Today (08/16/11) Criscione, Valeria; Johnson, Kevin

Terrorism experts say that the terrorist attacks in Oslo last month will likely force Norway to alter the way in which it handles domestic security risks. For instance, changes could be made to Norway's terrorism law, which defines a terrorist conspiracy as something that involves two or more people. As a result, it is not considered a crime for one person to make theoretical plans for a lone-wolf attack. In the case of the July attacks in Oslo, authorities had little information to go on because they had no idea that the suspect, Anders Behring Breivik, was planning anything. Although Breivik did e-mail several hundred people a manifesto that outlined his extremist views, he did not do so until about an hour and a half before the attack took place. In addition, Breivik's name was given to the Police Security Service by Norwegian Customs after he purchased chemicals from an online retailer in Poland, though the purchase did not attract much attention. Breivik also purchased a large amount of fertilizer that could have been used in a bomb, but that purchase also did not attract any attention because he owned a farm. Some experts say that since Breivik's plans were unknown, it still would have been difficult if not impossible to have prevented the plot even if security in Norway had been tighter. Other security experts say that they do not believe that Norway will make any major policy changes following the attack, with the exception of new limits placed on semiautomatic rifles.


Bill Calls for Background Checks at Utilities
Boston Globe (08/15/11)

Sen. Charles Schumer (D-N.Y.) has introduced legislation that would require all employees at the nation's major power plants to undergo FBI background checks. Employees at nuclear power plants are currently required to submit to such background checks, though workers at utilities and other power plants are not. Schumer's legislation comes after the Department of Homeland Security released a report that found that terrorists could obtain sensitive information from disgruntled former power plant employees. Workers who are currently employed at power plants have already been solicited for information by unidentified individuals, the report said. In addition, the report noted that al-Qaida is recruiting terrorists to work at electric power plants and gas and water utilities. The move is part of an effort to cause significant damage at these facilities, the report said.




Report: Spam Is At a Two-Year High
Network World (08/17/11) Greene, Tim

Spam is skyrocketing, reaching a two-year apex overall, which includes the jump in fall 2010 just before the SpamIt operation shut its doors, according to M86 Security Labs. In fact, spam volumes are about double what they were then. This report coincides with a COmmtouch study which says a jump in email-attached malware has just stopped, but that additional waves are expected. M86 writes in its blog that most of the spam is generated by the Cutwail botnet, and pernicious spam accounted for 13 percent of the mix since the second week of August, which is significantly high, but even that spiked to 24 percent Aug. 16. And it found that a significant portion of the malicious spam was concealed in phony correspondence from UPS, which corroborates Commtouch's findings that UPS spam was much of what Cutwail and Festi are issuing.


California Transit Agency Targeted by Hackers
Associated Press (08/17/11)

Hackers have attacked the Web site of the BART Police Officers Association, the union that represents police officers working for San Francisco's Bay Area Rapid Transit system. The attack resulted in the theft of the personal information, including home and e-mail addresses, of more than 100 police officers. The information was subsequently posted on the Web. The breach was announced in a Twitter post from the hacker group Anonymous, though the group did not claim responsibility for the attack. In fact, Anonymous noted in its Twitter post that no one has claimed responsibility for the breach. The attack on the Web site of the BART Police Officers Association, along with Anonymous' recent attack on BART's marketing site, appear to have been carried out in retaliation for the transit agency's decision to shut off wireless service in the system to help prevent a protest on Aug. 11 over a police shooting.


Mediocre Hackers Can Cause Major Damage
Washington Times (08/16/11) Waterman, Shaun

Even minimally competent hackers can hijack the computer systems that control critical industrial machinery to deadly effect, according to security researchers. NSS Labs researcher Dillon Beresford successfully breached industrial control systems (ICS) from Siemens and other companies despite having no experience with the systems, limited time, and a small budget. He did it by exploiting a back door coded into the Siemens ICS and other vulnerabilities that could permit a hacker with access to the computer network at a target facility to shut down or even damage the equipment that the system controls, says NSS Labs' Vikram Phatak. Security consultant Joe Weiss says this discovery is a game-changing revelation, as it proves that "you don't have to be a nation state" to penetrate an ICS. Last month the U.S. Department of Homeland Security (DHS) issued an advisory to critical infrastructure owners warning that the Anonymous hacker collective had threatened attacks on U.S. and Canadian oil and gas companies, and that the skill level affiliated with such hacks to date was low. A DHS official cautions that "once ... vulnerabilities make their way into open source, that lowers the [skill] bar down to a 'script kiddie' level."


Anonymous Breaches San Francisco's Public Transport Site
PC World (08/15/11) Kirk, Jeremy

The hacking group Anonymous said that it has breached the Web site of San Francisco's Bay Area Rapid Transit (BART) system. During the hack, Anonymous was able to steal the usernames, surnames, addresses, and telephone numbers of 2,400 people who use myBART.org to manage their accounts. The site does not store any type of financial information. Anonymous said that it attacked the Web site in retaliation for BART's decision to shut off cell phone service in the system on Aug. 11. The system said it decided to do this because it had learned that riders were planning some type of disturbance that could have endangered other passengers. In the aftermath of the breach, BART is warning affected customers that the stolen information could be used by scammers to target them. Anonymous, meanwhile, said that it only planned to use the information of BART employees. The hacking collective also said that BART's database was vulnerable to an SQL injection attack, in which commands are entered into a Web-based form in order to provoke a response from the backend database.


Hackers Shift From Petty Vandalism to Massive Data Theft
eWeek (08/14/11) Rashid, Fahmida

Experts say that hackers are being motivated by different factors when carrying out cyberattacks. Although most hackers are still trying to steal money by breaking into online bank accounts or selling stolen data, a growing number of hackers are carrying out attacks for political reasons, says Application Security CTO Josh Shaul. The hacker group Anonymous, for example, urged its supporters to attack the Web sites of the Motion Picture Association of America, the Recording Industry Association of America, and other organizations by downloading a tool known as a Low Orbit Ion Cannon and overwhelming them with millions of packets of data. Shortly after those attacks were carried out, Anonymous began shifting away from vandalizing sites to stealing data. For example, some members of Anonymous breached the email server of HBGary Federal and posted stolen emails and documents on a site similar to WikiLeaks after the CEO of the company bragged that he had uncovered the identities of several Anonymous members. LulzSec, another hacking group, also stole data by breaking into the servers of several media and software companies. Meanwhile, hackers are increasingly using spear-phishing attacks to carry out cybersecurity breaches. Several data security breaches over the last several years, including breaches at Google, RSA Security, and Oak Ridge National Labs, have involved the use of spear-phishing techniques.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: