Friday, December 30, 2011

Security Management Weekly - December 30, 2011

header

  Learn more! ->   sm professional  

December 30, 2011
 
 
Corporate Security
  1. "US Bills on Curbing Online Piracy Face Strong Opposition"
  2. "Melee at Nation's Largest Mall Leads to More Security" Mall of America in Bloomington, Minn.
  3. "4 Types of Workplace Violence-What’s Your Greatest Risk?"
  4. "Employee Theft: The Grinch of a Retailer's Season"
  5. "Stolen Credit Cards Go for $3.50 at Online Bazaar"

Homeland Security
Sponsored By:
  1. "Tensions Rising Over Drone Secrecy"
  2. "New Year's Eve Security Main Focus for NYPD"
  3. "Under Obama, an Emerging Global Apparatus for Drone Killing"
  4. "Deadly Christmas Blasts Spark Outrage in Nigeria"
  5. "Debate Persists on Deadly Flu Made Airborne"

Cyber Security
  1. "Homeland Security Uncovered Anonymous Attack on Public Advocate’s Office"
  2. "Wi-Fi 'Protected Set-Up' Not So Protected After All"
  3. "'Anonymous' Hackers Target U.S. Security Think Tank"
  4. "Finding the Unique in You to Build a Better Password"
  5. "New Zero-Day Vulnerability in Windows 7 64-Bit May Allow Remote Code Execution"

   

 
 
 

 


US Bills on Curbing Online Piracy Face Strong Opposition
Philippine Star (12/30/11)

Both houses of Congress have proposed bills designed to crack down on online piracy: the Protect Intellectual Property Act (PIPA) in the Senate and the Stop Online Piracy Act (SOPA) in the House. Under SOPA, sites believed to be trafficking in pirated goods could be cut from search engines and deleted from servers. Advertising on such sites would also be prohibited, and those streaming copyrighted material could face up to five years in jail. Critics of the SOPA bill worry that it would ban proxy servers that hide Internet identities and locations and set a wider precedent for Internet censorship. They are also concerned that making Internet services responsible for copyright violations, rather than individual abusers, could put businesses such as YouTube, Vimeo, Flickr, Tumblr, Facebook, eBay, and Etsy out of business while actual pirates would find a way to circumvent the bill. Companies supporting the bill now face boycotts from these objectors. For example, GoDaddy lost 37,000 domains as customers in the first two days of a boycott by users transferring their domains to other hosting companies. GoDaddy has since withdrawn is support of the bill that it initially helped create.


Melee at Nation's Largest Mall Leads to More Security
MSNBC (12/27/11)

The Mall of America in Bloomington, Minn., has implemented additional security following a brawl there on Monday. The fight, which involved a group of young adults and children, started in the mall's food court and eventually spread throughout the rest of the building. During the chaos, some shoppers were knocked down and had their purchases stolen from them. Items were stolen from mall kiosks as well. After the fighting broke out, mall officials ordered a lockdown. Stores in the mall responded by shutting their doors in order to give shelter to frightened shoppers. The fights spilled outside of the mall for a brief period of time after police restored order inside the shopping center. Additional security officers were stationed at the mall on Tuesday in response to the violence the day before.


4 Types of Workplace Violence-What’s Your Greatest Risk?
safety.blr.com (12/23/2011)

According to the National Institute for Occupational Safety and Health, workplace violence comes in one of four forms. Some workplaces may be at higher risk of different types of violence than others, making it essential for companies to determine where their exposures lie so they can better mitigate their risks. The first type of violence is criminal intent, where the violence occurs as part of another crime such as robbery, trespassing, or acts of terrorism. Eighty-five percent of all workplace homicides fall into this category. Companies at higher risk of this type of violence are those that handle cash or drugs or who may be targeted by terrorists. The second type of violence is perpetrated by someone with a connection to the business, such as a student, patient, client, or inmate. The healthcare industry has a particularly high risk of this type of violence, as do police officers, prison staff, flight attendants, and teachers. While this category accounts for only 3 percent of workplace homicides, the majority of non-fatal violence is considered Type II. The third type of violence is worker-on-worker, which accounts for 7 percent of homicides in the workplace. All workplaces carry a risk of this type of violence, but that risk can be reduced by conducting criminal background checks. The final type of violence is carried out by someone with a personal relationship to a worker, and it accounts for approximately 5 percent of workplace homicides. This type of violence also occurs in all workplaces, but may be harder to prevent in those that are accessible to the public and/or only have one location.


Employee Theft: The Grinch of a Retailer's Season
PropertyCasualty360 (12/22/11) Linde, Selena J.; Sharkey, Michael T.

Employee theft is common during the holiday season, due to the surge of seasonal employees, increased store traffic and management's attention to keeping stock available. Store owners often try to address this problem by updating their security policies and ensuring their staff members are well trained. But many large retailers forget to tap their fidelity insurance policies. Many of these insurance assets remain untapped because retailers are unaware they had coverage for loss or because they do not understand certain provisions in the policies. Retailers often fail to access their fidelity insurance assets because they fail to file claims properly. But the fidelity insurance policies can be used to cover such things as loss of money, loss of securities, and loss of inventory due to crime. Liabilities covered by the insurance typically fall into two categories: employee dishonesty coverage and money and securities coverage.


Stolen Credit Cards Go for $3.50 at Online Bazaar
Bloomberg (12/20/11) Riley, Michael

In mid-September, a European hacker nicknamed Poxxie broke into the computer network of a U.S. company and allegedly stole 1,400 credit card numbers, the account holders’ names and addresses, and the security code that comes with each card. With little trouble, he sold the numbers for $3.50 each on his own seller’s site, called CVV2s.in. Customers on CVV2s can search for card numbers by bank, card type, credit limit and zip code, loading them into a virtual shopping basket as they go. The site offers the ability to search by bank identification number. CVV2s even has an automated feature that lets clients validate the numbers in real time, to make sure the bank hasn’t canceled the card. Traverse City, Michigan-based Ponemon Institute, which researches data security, estimates that thieves annually steal 8.4 million credit card numbers in the U.S. alone.




Tensions Rising Over Drone Secrecy
Wall Street Journal (12/30/11) Entous, Adam; Gorman, Siobhan

Some lawmakers are calling for increased congressional oversight of the Obama administration's efforts to use drones to kill terrorists. Among the lawmakers who want more oversight of the program are the members of the House and Senate armed services committees. Earlier this month, a bipartisan group of lawmakers inserted language into defense legislation that would require the Pentagon to provide the committees with updates on counterterrorism operations and related activities involving special operations forces every three months. Members of the armed services committees have said that they want more information about the CIA's drone program. Meanwhile, Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) has asked the Justice Department to allow his panel to review a secret memo that made the case for the killing of U.S. citizens overseas. The House and the Senate Intelligence committees currently provide close oversight over the CIA's drone program. The two committees currently receive phone calls notifying them about CIA drone strikes almost immediately after they take place. In addition, congressional staff participate in monthly meetings about the drone program at the CIA's headquarters. Classified congressional briefings or hearings on the drone program are also held at least every three months. Obama administration officials have defended the oversight of the drone programs run by both the CIA and Joint Special Operations Command, saying that they are closely watched by top officials at the two agencies and by members of the White House National Security Council.


New Year's Eve Security Main Focus for NYPD
CNN.com (12/30/11) Lewin, Khara

Security will be tight in New York City on Saturday night as hundreds of thousands of people gather in Times Square to ring in 2012. More than a dozen checkpoints will be put in place at the entrances to Times Square, each of which will be equipped with metal and radiation detectors. Revelers will also be required to submit to bag searches. Backpacks will not be allowed past the security checkpoint. Meanwhile, at least 500 cameras and a number of helicopters equipped with infrared technology will be in place to scan for security threats in the crowd. COBRA teams will also be deployed to a number of locations in order to look for chemical, biological, or radiological threats. Officers on horses will be on hand as well, as will uniformed and plainclothes officers. Dogs will also be used to detect the presence of explosives. Finally, the Joint Operations Center will be open to allow the New York Police Department to coordinate with federal, state, and local agencies.


Under Obama, an Emerging Global Apparatus for Drone Killing
Washington Post (12/28/11) Miller, Greg

President Obama has ramped up the use of armed drones in attacking terrorists since he took office, partly because his decision to end the CIA 's detention program and end transfers to Guantanamo Bay left him with few other counterterrorism options. According to the New America Foundation, there were 44 drone attacks in Pakistan over the five-year period preceding Obama's inauguration. Roughly 400 people were killed in those attacks. But since January 2009, the number of drone attacks in Pakistan has risen to nearly 240, while the number of those killed has more than quadrupled. Meanwhile, the number of drone strikes in Yemen has risen as well as the U.S. goes after members of al-Qaida in the Arabian Peninsula, which is an affiliate of the main al-Qaida organization and has been responsible for a number of terrorist plots. However, the administration has opted not to expand the use of drones in Somalia, which is home to the militant group al-Shabab. There is concern that attacking al-Shabab could radicalize the group even further and give it a motivation to attack the U.S. The expansion of the drone program comes as some in Congress, including Sen. Dianne Feinstein (D-Calif.), have expressed concern about problems regarding the oversight of the use of unmanned aircraft. Feinstein said that there should be careful oversight by civilians when drones are used to kill terrorists. No one congressional panel currently has full oversight of the program because of the different agencies that are involved.


Deadly Christmas Blasts Spark Outrage in Nigeria
Wall Street Journal (12/27/11) McGroarty, Patrick

A coordinated series of attacks in Nigeria on Christmas Day has killed roughly 40 people and injured dozens of others. The attacks consisted of four bombings at Christmas church services in the city of Jos, which has often been the scene of violence between Muslim and Christians, and the city of Madalla. Nearly three dozen people were killed in one bombing at a Catholic church in Madalla alone. In addition, four people were killed after a suicide bomber drove into a military base in the town of Damaturu. A spokesman for Boko Haram has said that the Islamist group was behind the attack. The spokesman also noted Boko Haram would continue to attack targets in Nigeria until its prisoners were released, Sharia law was put into place, and the country's constitution was suspended. Although Nigerian President Goodluck Jonathan has condemned the attacks, some have said that his government has not done enough to deal with the threat from Boko Haram and that it has also sent the message that attacks by the group are "one of the burdens" that the country must live with. But a spokesman for Jonathan said that the Nigerian government has made progress in going after Boko Haram by arresting the group's members, carrying out raids on its strongholds, and disrupting its operations.


Debate Persists on Deadly Flu Made Airborne
New York Times (12/27/11) Grady, Denise; McNeil Jr., Donald G.

The United States government continues to ask researchers and publications to redact studies, funded by the National Institutes of Health (NIH), detailing the processes used to make the A(H5N1) flu virus airborne. The redactions were requested on the grounds that terrorists, hostile governments, or unscrupulous researchers could potentially replicate the processes used. While scientists and journal editors commonly reject any form of censorship, those involved say in this case it may be true that their work is too dangerous to share. Other biosecurity experts have gone so far to say the knowledge of how to make the often-lethal A(H5N1) virus easily transmittable from person-to-person is so dangerous that it never should have been attempted in the first place. However, Dutch researchers who ran one of the investigations into the virus say they are only cooperating with the redaction order reluctantly, arguing that their legitimate colleagues need the information, because the mutations that occurred in their lab could also occur in nature. They also argue that flu viruses make impractical bioweapons, because they would likely infect whoever deployed them as well and they cannot be targeted. Still, the Dutch lab has been given additional security precautions since their research has been made public.




Homeland Security Uncovered Anonymous Attack on Public Advocate’s Office
New York Daily News (12/28/11) Blau, Reuven

Homeland Security officials discovered that the Web site of the Public Advocate's Office in New York was hacked over Christmas weekend. The federal Multi-State Information Sharing and Analysis Center notified the city's tech department. "They contacted us to confirm the breach," said Public Advocate spokesman Wiley Norvell. "We picked up on suspicious activities earlier in the weekend." Members of the hacking collective Anonymous were behind the attack, posting stolen data on filebeam.com. Norvell said that the Web site removed the information after the Public Advocate's Office contacted them. The stolen data includes the names and e-mail addresses of 6,700 users who had filled out online forms, such as petitions and complaints related to last year's blizzard. The breach involved a "brute-force attack," which involves checking all possible passwords until the right one is found, then breaking down the firewalls that protect data. Public Advocate staffers are examining the reclaimed files and intend to contact those whose data may have been involved. The New York Police Department's crime squad is also investigating.


Wi-Fi 'Protected Set-Up' Not So Protected After All
CNet (12/28/11) Reardon, Marguerite

The U.S. Computer Emergency Readiness Team (US-CERT) cautioned in late December of a security vulnerability in a popular tool meant to make it easier to add additional devices to a secure Wi-Fi network. The organization cited findings from security researcher Stefan Viehbock, who discovered the security flaw in the Wi-Fi Protected Set-Up (WPS) protocol, which is frequently bundled into Wi-Fi routers. The protocol is designed to allow unsophisticated home users to set up secure networks using WPS encryption without much difficulty. Users are then able to enter a shortened PIN instead of a long pass-phrase when adding a new device to the secure network. That method, however, also makes it much easier for attackers to break into a secure Wi-Fi network, US-CERT says. The security threat could impact millions of consumers, since the WPS protocol is enabled on most Wi-Fi routers currently sold. The fundamental flaw is that the security of the eight-number PIN drops significantly with more attempts to key in the password. When an attempt fails, the hacker can determine if the first four digits of the code are correct. From there he can narrow down the possibilities on the rest of the digits until the code is cracked. Viehbock says a hacker can breach a secure Wi-Fi hotspot in roughly two hours using this method to exploit a flaw. US-CERT said in its warning that there is no known fix to the security weakness. Rather, the group urges users to disable the WPS function on their routers.


'Anonymous' Hackers Target U.S. Security Think Tank
Associated Press (12/27/11)

The hacker group Anonymous reportedly stole the confidential client list of the security think tank Stratfor by hacking the organization's Web site. Anonymous said over the weekend that it was able to obtain more than 4,000 credit card numbers, passwords, and home addresses from the list because the information was not encrypted. The stolen credit card numbers were then used to make donations to a variety of different charities. However, proprietary information about the companies and government agencies that subscribe to Stratfor's newsletters—which includes Apple, the U.S. Air Force, and Miami's police department—does not seem to be at risk. In response to the security breach, Stratfor has hired a identity theft protection and monitoring service to work with those affected by the attack, and suspended its servers and email. In addition, the organization is working with law enforcement officials on the investigation into the breach. Stratfor's Fred Burton says the organization had security measures in place to prevent breaches such as the one Anonymous carried out, but notes that it is "extraordinarily difficult" to protect against attacks carried out by highly-motivated attackers.


Finding the Unique in You to Build a Better Password
New York Times (12/23/11) Perlroth, Nicole

As more users store sensitive data on smartphones, mobile devices could become a target for hackers, prompting technology companies and the U.S. government to rethink the way users log onto their devices. IBM recently predicted that traditional passwords may become a thing of the past. "Biometric data--facial definitions, retinal scans, and voice files--will be composited through software to build your DNA unique online password," IBM says. However, biometric passwords also have security issues. The most serious problem with biometrics is that once a biometric signature has been compromised, it is impossible to replace it, says Imperva researcher Tal Be'ery. This problem has led the U.S. Defense Advanced Research Projects Agency to develop ways to identify device owners and account holders using unique behaviors such as hand gestures and typing styles. Meanwhile, Microsoft recently released a behavioral password system for the Windows 8 operating system. "When the types, ordering, and directionality are all correct, we take a look at how far off each gesture was from the ones we’ve seen before, and decide if it’s close enough to authenticate you," says Microsoft's Zach Pace.


New Zero-Day Vulnerability in Windows 7 64-Bit May Allow Remote Code Execution
IDG News Service (12/21/11) Constantin, Lucian

Microsoft is investigating reports of a zero-day vulnerability in Windows 7 64-bit that results in crashes and could allow attackers to run arbitrary code on affected systems. The security weakness can be exploited by opening a Web page containing a specially crafted iframe using Apple's Safari browser. Secunia researchers believe the crash could be leveraged to carry out malevolent code, and the impact could be more serious due to the kind of crash and nature of the vulnerability, such as crashing when attempting to write to invalid memory in a call to memmove, says Secunia's Carsten Eiram. "Based on this we do consider remote code execution a possibility though it has not been proven at this time," Eiram says. The security weakness stems from an error in the win32k.sys kernel-mode driver, a common source for critical Windows vulnerabilities. The exploit has thus far only been verified on Windows 7 64-bit when parsing an iframe with an overly-long height attribute in Safari. However, researchers do not rule out the possibility that other versions of Windows can be affected via different attack vectors. Eiram says that during testing, Secunia observed no crashes on Windows XP SP3 32-bit nor Windows 7 32-bit, but cannot totally rule out that these could be impacted via different approaches.


Abstracts Copyright © 2011 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments:

Post a Comment