Maryland Passes Electronic Privacy Bill
Frederick News-Post (MD) (04/11/12) Mlot, Stephanie

The Maryland General Assembly on April 10 passed a bill aimed at preventing employers in the state from accessing the social networking profiles of job candidates and current employees. Under the User Name and Password Privacy Protection and Exclusions bill, employers in Maryland will be forbidden from asking or requiring employees and job candidates to reveal their personal login information. The legislation does not provide for any exclusions. Enforcement of the law, assuming it is signed by Gov. Martin O'Malley, will be the responsibility of job applicants and employers. The passage of the legislation comes after an incident in 2010 in which an employee of the Maryland Department of Public Safety and Correctional Services was asked by his supervisors to hand over his Facebook login information during a reinstatement interview. The legislation is scheduled to take effect on Oct. 1 if it is signed by Gov. O'Malley.

Chase Hit in ATM Skimming Attacks
Bank Info Security (04/09/12) Kitten, Tracy

A grand jury in Las Vegas has indicted 13 California residents for illegally capturing customer data from Chase Bank ATMs in the Las Vegas area between November 2009 and November 2011. According to the indictment, the suspects used pinhole cameras to capture PINs, card numbers, full names, and card expiration dates. This information allowed them to create counterfeit cards. Exactly how much they stole using the scam has not been released. This indictment is just the most recent case in a series of scams targeting bank customers and stealing card information. Security experts say these kinds of scams show continued vulnerabilities in the nation's banking system. They argue that such fraud will continue to be prevalent until banks and merchants agree to adopt new credit and debit cards equipped with computer chips instead of a magnetic stripe, a change that experts say makes it harder for thieves to counterfeit cards.

A Tale of Two Breaches
BankInfoSecurity.com (04/06/12) Kitten, Tracy; Roman, Jeffrey

It is likely that the recent Global Payments data breach will follow the pattern established by the Heartland Payment Systems breach several years ago, in which recovery was a long and drawn-out process, according to former Heartland CIO Steve Elefant. "The most important thing right now is plugging the hole and getting compliant again with PCI," he says. The probable similarity in the fallout and recovery of the two breached payment processors stems from both being among the top 10 U.S. merchant acquirers and from Visa's revocation of their PCI-compliant standing shortly after disclosure of each hack. In the months following the Heartland breach, the processor was hit with many lawsuits by banks, credit unions, and consumers targeted by fraud related to the intrusion, but Elefant dismisses much of the litigation as "frivolous, because the brands protect the issuers, and cardholders are not really affected at all beyond having to use a new card." The suits by card brands were not so easily dismissed, and they were expensive for Heartland to settle. Still, the Global Payments breach appears to be much smaller in scale than the Heartland breach, which will likely add up to fewer penalties, Elefant notes. Global also will likely contend with less litigation, says attorney David Navetta. Global's probe of the breach will probably take a year to complete, but one possible outcome of the incident would be for Global to use the breach as a rallying point for positive action on payment improvement, as Heartland also did.

Training That's on Target
Security Management (04/01/12) Vol. 56, No. 4, P. 102 Stern, R.A.

It is important for armed security guards to undergo training in how to use their weapons. Such training can help companies ensure that their guards know how to use their weapons if needed, and can also help companies protect themselves from being found liable in a lawsuit stemming from a violent incident involving a security guard. An effective training program for armed security guards should include two elements: classroom training and practical training. Classroom training should take place first and should focus on topics such as firearm facts and how to perform first aid on people suffering from gunshot wounds. Trainees should also learn how to write reports that describe shooting incidents without embellishment and without making assumptions. Practical training, which follows classroom training, takes place at a shooting range and possibly a simulator as well. Training that occurs at a shooting range should simulate different kinds of lighting conditions, as well as stressful situations where there is a lot of noise or bad weather. Simulators can be used to supplement the shooting range training, and can help companies save money on ammunition and other handgun training expenses. In addition, simulators can be valuable because they can provide insight into whether the trainee's shooting stance is correct and whether he flinches when firing his weapon. All training for armed security guards should be documented so that companies can prove that they provided training to their guards if challenged in court. Once training has been completed and documented, companies should be sure to provide refresher training to armed security guards on a quarterly basis to ensure that their skills remain sharp.

Create an Anti-Fraud Corps
Security Management (04/01/12) Vol. 56, No. 4, P. 58 Sherrod, Mike

With statistics from the Securities and Exchange Commission showing that fraud is a growing problem for U.S. businesses, it is becoming increasingly important for companies to have programs in place to respond to suspected cases of fraud. Such programs should make it clear who within the company is responsible for examining allegations of fraud and responding to them. One way that companies can do this is by creating a fraud, risk, and investigations oversight committee made up of members of a number of departments, including security, human resources, and IT. The first issue that such a committee needs to address is the creation of a fraud oversight response plan for dealing with fraud. This plan should detail a process for preserving information that may be relevant to a fraud investigation. The plan should also make it easier to determine who should be involved in investigations into allegations of fraud. The members included in the investigative team will vary based on the type of fraud being investigated. Once the initial information has been collected and the makeup of the investigative team has been determined, the actual investigation can begin. Among the things the company should do at this point is prevent the fraud from continuing. After the investigation has been completed, the company will present the findings to the relevant stakeholders, such as the board of directors, the audit committee, and external parties who need to be made aware of the situation. Companies need to carefully consider whether limits should be placed on the disclosure of sensitive information from the investigation. Finally, companies should focus on how to deal with the vulnerabilities that allowed the fraud to occur in the first place. Following these steps is an important part of reducing the likelihood of fraud.

North Korean Launch Fails
Wall Street Journal (04/13/12) Ramstad, Evan; Meckler, Laura

The launch of a three-stage rocket by North Korea, which Pyongyang said was designed to send a satellite into space but which the U.S. and other countries said was actually a test of long-range missile technology, failed on Friday. The rocket took off from a launch facility in northwestern North Korea at roughly 7:40 a.m. local time, and was supposed to have flown south for 10 minutes, entering space somewhere over the Philippines and Indonesia. Instead the rocket exploded less than a minute and a half after it took off, which was about the time that the first stage should have burned out and the second stage should have fired. The rocket then broke into two parts, with one part continuing to fly for a short time after the explosion. Both pieces eventually disintegrated and their fragments fell into the waters off South Korea's west coast. According to a senior official in the Obama administration, the failure of the rocket shows that North Korea's missile program has not advanced since its last attempt to launch a rocket in 2009, and that the program may even be backsliding. The official noted that sanctions aimed at preventing North Korea from obtaining or trading technologies that could be used in support of its nuclear program may be hampering progress on the development of ballistic missiles, though it is impossible to know for certain if that is the case. The official added that this latest failure will hurt North Korea's ability to sell its nuclear technology to others.

With Time Short for Diplomacy, World Powers Seek Quick Progress in Nuclear Talks With Iran
Associated Press (04/13/12)

U.S. officials have agreed with other world leaders to return to nuclear talks with Iran, with the goal of making enough progress to stop Israel from bombing Iranian nuclear facilities. Secretary of State Hillary Clinton has called on Iran to offer concrete proof that its nuclear program is peaceful and not an effort to develop atomic weapons. Chief Iranian nuclear negotiator Saeed Jalili has promised to suggest new initiatives, such as scaling back uranium enrichment while continuing to make nuclear fuel. That solution is not likely to satisfy G8 negotiators, but could present enough of a compromise to further extend talks. There is also the problem that Iran has proven to be unfaithful to a number of previous agreements. In the face of such doubts, Clinton has said that Iran can demonstrate its seriousness in several ways, including ending production of highly enriched uranium, shipping its current stockpile to another country, and opening its facilities to "constant inspections and verifications."

Pitt Suffers More Threats, Other Schools Targeted
Associated Press (04/12/12)

The bomb threats against the University of Pittsburgh are now beginning to target other colleges and universities in the Pittsburgh area. Several bomb threats were made against the University of Pittsburgh on Thursday, and a threat was also received by the Western Pennsylvania School for the Blind in Pittsburgh. Over the past week, Point Park University, California University of Pennsylvania, and the Community College of Allegheny County have all received threats as well. Threats against the University of Pittsburgh have been found on bathroom walls, while others have been sent to the university and local journalists via e-mail. Some of the e-mails have been traced back to Austria. Lorrie Cranor, the director of Carnegie Mellon's CyLab Usable Privacy and Security Laboratory, said that the anonymous e-mail program being used to send some of the threats, called MixMaster, has made those messages difficult to trace. Nevertheless, one man was arrested on Wednesday for making separate threats against professors at the University of Pittsburgh, though the arrest did not put a stop to the threats.

Campus Task Force Criticizes Pepper Spraying of Protesters
New York Times (04/11/12) Medina, Jennifer

An internal report from the University of California, Davis has concluded that the pepper spraying of several unarmed, seated protesters from the Occupy movement by campus police on November 18, 2011 "should and could have been prevented." The report criticizes school administrators, including campus police chief Annette Spicuzza and Chancellor Linda P.B. Katehi, for continuing to assume that university students could be in danger from a large number of outside Occupy protesters, when continued reports indicated that these concerns were unfounded and that the majority of protesters on campus were indeed students. The report also blames Katehi for not concretely communicating to police that she wanted a "limited operation" and that they should use "no other force" other than demanding that tents be taken down. Chief Spicuzza told her officers that they were not to dress in riot gear, but they ignored her orders, saying that past experience had led them to predict the use of batons and pepper spray. Campus police had sued to prevent the public release of the report, which was delayed by more than a month by court hearings. Eventually it was released when the university agreed to redact the names of most police officers involved in the incident.

Terrorism Monitor Closely Watched Occupy Protests
Globe and Mail (CAN) (04/10/12) Mills, Carys

Canada's Integrated Terrorism Assessment Centre (ITAC) is coming under fire for its observation of the Occupy protests that took place in the country last year. ITAC produced three reports on the protests, the first of which was written roughly a week before the demonstrations began. That report included an overview of the protests. A second report was produced by ITAC two days after the hacking collective Anonymous posted a video on YouTube last November in which it threatened to carry out cyber attacks against the City of Toronto. That report also provided information about previous threats from Anonymous and said that supporters of the group could be identified because they would be wearing Guy Fawkes masks. The third report discussed plans by Occupy protesters to set up a blockade of the Port of Vancouver in order to disrupt the port's operations. The report noted that such a blockade could result in economic harm but that the demonstration at the port was likely to be small, given the "fractured nature" of the Occupy movement. Critics say that the reports are further proof that the Canadian government is conflating dissent and terrorism, and that it is disturbing that ITAC was monitoring peaceful protesters so closely. A spokeswoman for the Canadian Security Intelligence Service said that the monitoring was part of an effort to determine the potential for politically motivated violence during the demonstrations.

Get Ready for the Return of the Botnets
Wall Street Journal CIO Journal Blog (04/12/12)

The number of distributed denial-of-service (DDoS) attacks is on the rise, even though such attacks had once been written off by security experts as a fading threat. A new report from the security firm Prolexic has found that the number of DDoS attacks, in which servers are inundated with malicious traffic until they become overloaded, rose 25 percent in the first quarter of this year. Financial companies monitored by Prolexic observed a 3,000 percent increase in malicious traffic during the same period, when hacktivist groups such as Anonymous carried out repeated attacks against banks. Indeed, the rise in the number of DDoS attacks is being fueled by hacktivist groups like Anonymous, for whom DDoS attacks are a popular tool in politically motivated cyber attacks. A separate survey by Arbor Networks found that 35 percent of DDoS attacks that took place between October 2010 and September 2011 were motivated by political or ideological causes. Security experts say that there are several things organizations can do to prepare for possible DDoS attacks, including holding simulations of DDoS attacks to determine how events during such an attack would unfold. But some say that organizations cannot fully prevent DDoS attacks from succeeding, and that they instead need to focus on developing contingency plans so that they can continue to conduct business in the event of a successful attack.

The Flashback Attack: It's Time Mac Users Got Security Aware
Computerworld (04/11/12) Evans, Jonny

Apple is taking steps to protect Mac users from the threat posed by the Flashback Trojan. Flashback exploits weaknesses in Oracle's Java software to install malware. The newly installed malware then contacts the cyber criminals behind the attack so that the infected machines can be made part of a botnet. Personal data stored on the machines is also collected by the cyber criminals. So far more than 600,000 Macs around the world have been infected by Flashback. Apple has already released a patch for the security vulnerability, and is now working to develop software capable of detecting and eliminating the malware from infected Macs. In addition, Apple is working with Internet service providers (ISPs) around the world to neutralize the command networks used by the authors of Flashback. Some say that the Flashback attack underscores the need for Mac users to improve the security of their machines. Although Macs are broadly secure, users still need to be aware of phishing attacks and Web-page-based attacks, which comprise three quarters of all online security breaches.

Anonymous Continues Barrage of Government Hacks
InformationWeek (04/09/12) Hoover, J. Nicholas

Anonymous has carried out cyberattacks on several foreign government targets over the last several weeks, including China, where Web sites have been defaced with messages that say China's government is evil and that it is controlling the Internet. Anonymous says the attacks are intended to protest the lack of Internet freedom in China. A Twitter account bearing Anonymous' name has been used to send out messages promising to bring down the Internet censorship technology that China uses to block subversive content. Anonymous also has hacked into a number of Chinese sites and government servers. Data purportedly stolen from those servers was then posted to Pastebin and Pastebay. Meanwhile, Anonymous has announced plans to begin attacking government servers in Britain. The group has already claimed responsibility for an attack that knocked the Web site of Britain's Home Office offline for several hours on April 7. Finally, Anonymous claims to have hacked into the private email account of Tunisia's prime minister, using the access to that account to steal bank transaction records and messages about political activity in the African nation, among other things.

Employees Who BYOD Leave Basic Security Behind, Study Finds
Government Computer News (04/09/12) McCaney, Kevin

A recent online survey by ESET and Harris Interactive found that more than 80 percent of respondents use a personal device for work, and of those more than half neglect to take basic safety steps to secure their devices. Two out of three respondents who use a personal device for work said their organizations do not have a bring your own device (BYOD) policy, meaning their employers have not explicitly given consent to use non-work devices. Desktop PCs were the devices used most frequently for work purposes, followed by laptops, smartphones, and tablets. Fewer respondents use their own devices to store and/or access company information: 47 percent of respondents do so on their desktop PCs, 41 percent on their laptops, 24 percent on their smartphones, and 10 percent on their tablets. ESET researcher Cameron Camp says those numbers represent a "fairly logical adoption curve," with devices that have been around longer, such as PCs, being used more frequently for work. But agencies have become more concerned about personal devices as more employees work and travel with them, and have been creating BYOD policies to accommodate the use of personal devices. The survey found that these devices are infrequently locked or secured: only about 10 percent of people who use tablets for work enable the auto-lock feature that offers some protection if the device is lost or stolen, compared to about 25 percent of smartphone users and about one-third of laptop users.

New Security Flaws Detected in Mobile Devices
USA Today (04/09/12) P. B1 Acohido, Byron

Two recent studies of mobile devices highlight how designers of smartphones and tablet computers fail to fully comprehend the security and privacy risks of these devices. Cryptography Research found in its study that it is possible to eavesdrop on any smartphone or tablet PC as it is being used to buy something, bank online, or access a company's virtual private network. A Cryptography Research executive says a criminal can decipher the process used to encrypt data and can then gain access to a financial account or company network, a type of attack that does not require the device to be modified in any way. The research company says it is working with a major smartphone and tablet manufacturer to put cyber defenses in its devices. McAfee showed in a separate demonstration that there are several ways to remotely hack into Apple's iOS, the operating system of the iPad and iPhone, demonstrating them by remotely activating the microphones on a variety of test devices and recording nearby conversations. McAfee also demonstrated that it is possible to swipe keys and passwords and steal sensitive data such as emails and text messages. Researchers in both studies say these attacks can be carried out without the user's knowledge.

Abstracts Copyright © 2012 Information, Inc. Bethesda, MD