Search This Blog

Friday, July 20, 2012

Security Management Weekly - July 20, 2012

header

  Learn more! ->   sm professional  

July 20, 2012
 
 
Corporate Security
Sponsored By:
  1. "14 Dead, 50 Wounded in Shooting at Colorado Theater, Police Chief Says"
  2. "Riot Hits Big India Auto Maker"
  3. "Suspect Charged in Alabama Bar Shooting That Wounded 17"
  4. "Government-Data Leak Includes NIH Files" National Institutes of Health
  5. "Business Continuity Plans Can Make All the Difference"

Homeland Security
  1. "Hezbollah is Blamed for Attack on Israeli Tourists in Bulgaria"
  2. "FBI Fell Short in Probe of Suspect Before Fort Hood Killings"
  3. "Syrian Defense Minister Killed in Bombing, State-Run Media Report"
  4. "Airport Scrutinized After Colorado Murder Suspect Steals SkyWest Plane in Utah"
  5. "U.S. Report Says HSBC Handled Iran, Drug Money"

Cyber Security
  1. "Targeted Cyber Attacks Against Large Organizations Common, Often Effective"
  2. "Grum Botnet Still Alive After Suffering Significant Blow"
  3. "Cyber-Criminals Craft Malware Kits to Zero In on Java Flaws"
  4. "Yahoo Breach Highlights Password Reuse Threat"
  5. "In Face of Flame Malware, Microsoft Will Revamp Windows Encryption Keys"

   

 
 
 

 


14 Dead, 50 Wounded in Shooting at Colorado Theater, Police Chief Says
CNN.com (07/20/12)

Dozens of people were killed or wounded in a shooting at an Aurora, Colo., movie theater early Friday morning. Witnesses and police say that the incident began when a man in his early 20s who was armed with a rifle and a shotgun kicked in an emergency door in a theater showing "The Dark Knight Rises." The gunman, who was also wearing a bulletproof vest and a gas mask, then reportedly threw a smoke bomb into the theater and began randomly shooting at moviegoers. Those who were in the theater at the time of the shooting reported massive confusion, as moviegoers were not sure whether the sound of gunfire was coming from the movie or someplace else. Cell phone video taken at the scene showed people screaming and running to escape the gunman. In all, at least 14 people were killed and 50 others were injured in the shooting. Police were able to catch the gunman in the theater's back parking lot. The assailant did not resist. Police say that there is no evidence that a second gunman was involved.


Riot Hits Big India Auto Maker
Wall Street Journal (07/19/12) Gulati, Nikhil; Choudhury, Santanu

A deadly riot by workers at a manufacturing plant belonging to Maruti Suzuki India Ltd., India's largest car manufacturer, resulted in damage to the facilities and left over 100 managers injured and one company official dead on Wednesday. The plant, located in the northern state of Haryana, is one of Maruti's largest, producing several of the company's highest-selling vehicles, and has been the site of worker unrest for the last year. Managers at the plant characterized Wednesday's riot as unprovoked and say it broke out during negotiations surrounding the reinstatement of a worker fired for assaulting a manager. "The workers grabbed whatever they could, split up in small groups and attacked us," said one manager being treated at an area hospital for a broken elbow and various other injuries. Workers involved in the riot could not be contacted. The plant is now under the control of police, who say they have arrested some 88 rioters so far and plan to charge them for the murder of Awanish Kumar Dev, the plant's human resources manager, who was killed during the riot.


Suspect Charged in Alabama Bar Shooting That Wounded 17
Reuters (07/17/12) Gates, Verna

A 44-year-old man was taken into custody in Jasper, Ala,. on Tuesday after confessing to family and friends that he was responsible for a shooting at a downtown Tuscaloosa bar early Tuesday morning. According to Jasper Police Captain Larry Cantrell, Nathan Van Wilkins immediately surrendered to police when confronted in a Jasper store, and confessed, saying, "I wanted to die and I was hoping the Tuscaloosa Police would kill me, but I got scared and left." Early on Tuesday morning Van Wilkins approached the Copper Top bar and opened fire with an assault rifle, injuring 17 people. Police initially thought the shooter had been targeting someone based on his odd behavior captured by a surveillance camera, and are still investigating a potential link between the Copper Top shooting and an earlier residential shooting in nearby Northport that left one injured. Most of the victims have been successfully treated for minor shrapnel wounds and released, though five were admitted to the hospital.


Government-Data Leak Includes NIH Files
Wall Street Journal (07/16/12) Burton, Thomas

An accidental disclosure of documents from a number of federal agencies that came to light on Monday revealed attempts by Food and Drug Administration officials to monitor the computers of a number of dissident employees who had been in contact with government whistleblower advocates. The disclosure was the result of an unsecured server belonging to the document management company Quality Associates of Fulton, Md., on which investigators found thousands of pages of National Institute of Health documents that were available to the public. In a letter to Quality Associates President Paul Swidersky, Sen. Chuck Grassley (R-Iowa) says that files from other agencies were also found on the server, most notably documents and e-mails detailing the FDA monitoring scandal. According to the documents found on the Quality Associates server, the FDA began monitoring five scientists' computer use in 2010 after they were suspected of leaking documents submitted to the FDA by medical device manufacturers seeking approval. The monitoring managed to capture e-mails between the scientists and the U.S. Special Counsel, which represents federal government whistleblowers. The FDA has been sharply criticized for the monitoring by Grassley and Rep. Chris Van Hollen (D-Md.) who said it, "sends a terrible message to those who are prepared to expose waste, abuse, or wrongdoing in government."


Business Continuity Plans Can Make All the Difference
Acumin (07/12/12) Newton, Jane

There are a number of factors that businesses should consider when developing a business continuity plan, says Robert Rutherford of the British information technology firm Quostar. For instance, businesses need to consider how long they can go without having access to vital systems and data, Rutherford says. In addition, Rutherford notes that the business continuity plan should be all-encompassing and take into account a number of different possible problems, not just those that are IT-related. This can be done by examining how all systems and processes affect the business and considering how the business would be impacted should any of these systems and processes suffer some type of failure, Rutherford says. Suppliers should also be examined, Rutherford says, since problems that they experience could have an impact on their customers as well. Next, businesses should consider using technologies that might help them keep their operations going in the event of some type of problem, be it virtualization, replication, or vaulting--all of which small-to-medium sized businesses should be able to afford without breaking their budgets, Rutherford says. Finally, Rutherford says that businesses should not wait until an emergency occurs before they check to see how their continuity plans work. Such plans should be tested at least once a year, Rutherford says, though it would be better to test the plans every three to six months.




Hezbollah is Blamed for Attack on Israeli Tourists in Bulgaria
New York Times (07/20/12) Kulish, Nicholas; Schmitt, Eric

U.S. officials on Thursday confirmed earlier assertions by Israeli Prime Minister Benjamin Netanyahu that the Lebanon-based terror group Hezbollah was behind Wednesday's suicide bombing of a bus transporting Israeli tourists from an airport in Burgas, Bulgaria. According to U.S. officials, the bomber was a member of a Hezbollah cell that was operating largely independently, under orders to seek Israeli targets of opportunity. It is believed that these orders came down to Hezbollah from Iran, which is the group's primary sponsor and is one of two organizations that are seeking to destroy Israeli targets in revenge for the killing of Iranian nuclear scientists by Israeli agents. Bulgarian police have not yet identified the bomber, who was carrying a fake Michigan driver's license with a false name. Finger prints and DNA have been taken from the bomber's remains and police released a video of the suspect wandering the arrivals terminal an hour before the attack. In the video the bomber is carrying a bulky backpack police believe contained the bomb he detonated an hour later. It is not known if the bomber meant to kill himself in the explosion, or if he suffered what one Israeli official characterized as a "work accident."


FBI Fell Short in Probe of Suspect Before Fort Hood Killings
Wall Street Journal (07/19/12) Barrett, Devlin

A new report by William Webster, the former head of the FBI and the CIA, maintains that the bureau failed to sufficiently investigate the background of Army Maj. Nidal Hasan prior to his alleged 2009 shooting rampage at Fort Hood, Texas. According to the report, FBI agents in San Diego asked agents in Washington, D.C., to look more closely at Hasan because he had been sending e-mails to the Yemen-based radical cleric Anwar al-Awlaki. Webster says that the FBI failed to give enough weight to the communications Hasan had been sending, and that it did not alert the military to its concerns. However, Webster did say that the fault was not necessarily with the agents, as the FBI lacked clear policy guidance on who was to follow up on leads in this type of situation. "Individuals who handled the Hasan information made mistakes," the report concluded. "We do not believe it would be fair to hold these dedicated personnel, who work in a context of constant threat and limited resources, responsible for the tragedy at Fort Hood." FBI Director Robert Mueller thanked Webster for his investigation and said the bureau had already taken steps to change policies cited by the report.


Syrian Defense Minister Killed in Bombing, State-Run Media Report
CNN (07/18/12)

Syria's state-run media is reporting that the country's defense minister, Dawood Rajiha, was killed in a suicide car bombing targeting a national security building in Damascus on Wednesday. The bombing was timed to coincide with a meeting of ministers and security officials. The Syrian Observatory for Human Rights confirmed that it appears a car bomb caused an "intense explosion" in Damascus. Rajiha is the highest-ranking official of President Bashar al-Assad's embattled regime to be killed in the ongoing conflict there. Other reports indicate that Damascus was in chaos, with explosions and heavy gunfire heard throughout the city. Opposition media said that a total of 15 people were confirmed killed throughout the country by the middle of the day on July 16. Meanwhile, the U.N. Security Council is scheduled to vote on whether to continue the 300-member U.N. observatory mission in Syria, which has been severely restricted due to the intensity of the violence. Western countries are pushing for strict sanctions against Assad's regime, with the intention of renewing the observer mission for 45 days. Both Russia and China have vetoed such moves by the Security Council in the past.


Airport Scrutinized After Colorado Murder Suspect Steals SkyWest Plane in Utah
Associated Press (NY) (07/18/12)

Questions have been raised about the state of perimeter security at the nation's airports after a Colorado man suspected of murdering his girlfriend snuck onto a small Utah airfield and attempted to steal a small jetliner operated by regional carrier SkyWest. Brian Hedglin had previously worked as a pilot for SkyWest before being put on administrative leave and having his security access cards deactivated July 13 following the stabbing murder of his girlfriend, Christina Cornejo. Early Tuesday morning Hedglin apparently scaled the fence at the St. George Municipal Airport in Utah, somehow gained access to an empty 50-passenger Bombardier CRJ200 jet, and revved up the engines. Hedglin did not get airborne, but instead appears to have crashed the jet into the airport parking lot before shooting himself in the head. The incident has caused some experts to express concern about the security at St. George and other airports in the U.S. Aviation professor Jeff Price of the Metropolitan State University of Denver says that the incident demonstrates a need for better perimeter security and notes that if the airport and the airplane itself had been properly secured, Hedglin should have been completely unable to access the jet. "Today, perimeter security at airports, it's just a fence," said Price, adding that intrusion protection systems and closed-circuit TV cameras are another rarity on the perimeters of most airports, making them vulnerable to just this sort of intrusion.


U.S. Report Says HSBC Handled Iran, Drug Money
Reuters (07/17/12) Mollenkamp, Carrick

A new U.S. Senate report released on Monday is characterizing the corporate culture of the British bank HSBC Holdings as being "pervasively polluted" and accuses the firm of acting as financier for clients with ties to terrorists, drug runners, criminals, and countries under U.S. sanctions, such as Iran. The report, which focuses on the bank's American unit, is the result of a year-long inquiry into HSBC's practices, including a review of some 1.4 million documents and interviews with employees and regulators. The report surmises that inadequate staff and high turnover in the bank's compliance department were to blame for its ongoing associations with numerous dubious clients, such as the Saudi bank Al Rajhi, which has been accused to handling money for clients involved in terrorism. Evidence of Al Rajhi's behavior came to light shortly after the 9/11 attacks, yet it was not until 2010 that HSBC stopped helping the Saudi bank procure bulk shipments of U.S. currency. HSBC also had a long association with Casa de Cambio Puebla, a Mexican foreign-exchange dealer known to act as a hub for money laundering, and HSBC only stopped dealing with Puebla after being served a seizure warrant for Puebla funds by the Mexican government, the report found. Finally, the report found that between 2001 and 2007 HSBC carried out more than 28,000 transactions that would have violated U.S. sanctions on various countries, and of those 25,000 involved Iran.




Targeted Cyber Attacks Against Large Organizations Common, Often Effective
TechJournal (07/18/12)

Targeted cyberattacks, in particular spear phishing, are becoming an increasingly common and highly effective threat, according to a new Proofpoint survey of more than 330 security IT decision makers about their organizations' email security. The survey found that spear phishing was by far the biggest threat, with 51 percent of respondents saying their organizations were targeted by spear phishing in the last year. Larger organizations appeared to be targeted more often, with 56 percent of those working for organizations with more than 1,000 employee email accounts reporting they had been targeted. More than 33 percent of those who reported spear phishing attempts said those attempts had resulted in compromised log-in credentials or unauthorized access to the network. Asked which of five vectors posed the greatest risk for data loss, 22 percent said outbound email, 19 percent said file sharing services such as Dropbox, 18 said lost or stolen devices, and 17 percent said social media sites. Three percent named messaging services such as texting or Twitter, and 21 percent replied that they do not know.


Grum Botnet Still Alive After Suffering Significant Blow
IDG News Service (07/17/12) Constantin, Lucian

One of the world's most active botnets, Grum, was weakened after two of its command and control (CnC) servers hosted in the Netherlands were taken down, but researchers say it could just be a temporary victory since the botnet's creators still operate two CnC servers hosted in Russia and Panama. FireEye's Atif Mushtaq says Grum relies on two types of control servers to carry out its functions: One is used to send configuration updates to the infected machines, and the other is used to tell the botnet what spam emails to send. It was only the second type of servers that were dismantled, meaning that Grum's operators can still theoretically use the two remaining configuration servers to update the botnet and direct it to new spam template servers. Mushtaq says this has not happened so far. FireEye has contacted the two remaining servers to ask them to shut down the abusive servers, but so far the ISPs in Russia and Panama have not responded. According to spam statistics amassed by Trustwave, since the beginning of the year, Grum and two other botnets, Cutwail and Lethic, have been responsible for most of the malware sent globally, with Grum accounting for almost 35 percent of the world's spam traffic as of mid July.


Cyber-Criminals Craft Malware Kits to Zero In on Java Flaws
eWeek (07/16/12) Lemos, Robert

The hackers behind the Blackhole exploit kit, which automates the creation of programs to infect victims' computer systems and targets vulnerabilities in Java, updated the framework earlier in July with a component that can attack computer systems using a month-old Java flaw, according to Websense. Researchers say the exploit will likely be effective for some time in the near future, since it takes most PC users and companies months to update third-party software. Websense says Java has become the top point of attack for exploit kits, primarily because it runs on a large number of operating systems, it gives attackers a potentially wide array of victims, and its software update mechanism is not automatic, so often older and more vulnerable versions of the software are found on machines. According to Hewlett-Packard's DVLabs, updates are so confusing that Java exploits boast a very high level of success. Many security professionals recommend that users disable the Java browser plug-in to protect against Web-based attacks that use the plug-in to compromise vulnerable machines. Security researcher Websense researchers say the latest Java exploit will likely be copied by other toolkits since the authors of these attacks tend to borrow from each other.


Yahoo Breach Highlights Password Reuse Threat
eWeek (07/13/12) Lemos, Robert

The hack of nearly 500,000 passwords from Yahoo Voices highlights the fact that many people continue to expose their information to attackers by using the same password on multiple accounts, according to researchers who studied the leak. By locating account holders with the same email address, security analyst Troy Hunt matched users listed in the recently compromised Yahoo Voices password file and a similar file leaked last year in an attack on Sony, and matched 302 users in the two files, of whom 59 percent used the same password on both sites. Security professionals in the past urged users to create strong passwords with at least eight characters, no commonly known words, and using the full character set including uppercase letters, numbers, and special characters. Such passwords are hard to remember, leading users to recycle passwords throughout multiple accounts. The problem of getting individuals to use unique passwords for every account is even more difficult within organizations, which have no control over employees' password use outside the corporate firewall. To protect critical resources, organizations should require two-factor authentication, which could include the use of a one-time password generated by a keyfob or smart card. Verizon's RISK Intelligence group says it is equally important that security rules are followed at all levels of an organization, since just one weak spot will often be the point of access in a data breach.


In Face of Flame Malware, Microsoft Will Revamp Windows Encryption Keys
Network World (07/11/12) Greene, Tim

Beginning in August, updated Windows operating systems will reject encryption keys smaller than 1,024 bits, which means customer applications accessing Web sites and email platforms that use the keys could run into problems. The change is part of Microsoft's response to security issues that surfaced after Windows Update became an unwitting party to Flame malware attacks, and impacts Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, says Microsoft's Kurt Hudson. He says organizations should prepare for this update by determining whether they are currently using keys less than 1,024 bits, and if so, steps should be taken to update cryptographic settings so that keys under 1,024 bits are not in use. Even after taking these steps, machines may still receive error messages when browsing to Web sites with SSL certificates that are below 1,024, or when enrolling for certificates when certificate requests use a 1,024-bit or less key, according to Microsoft. Security leaders say the biggest challenge for organizations will likely be readying legacy, in-house applications that interact with Windows platforms.


Abstracts Copyright © 2012 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: