Friday, November 01, 2013

Security Management Weekly - November 1, 2013

Corporate Security
  1. "Mexican Governor Calls Utilities Sabotage 'Terrorism'"
  2. "Ram Raids: Sometimes ORC, Sometimes Drunken Stupidity" (ORC: Organized Retail Crime)
  3. "Cancer Hospital Employees Better Not Go Where They Don't Belong"
  4. "Theft Policing in Spotlight"
  5. "Reducing the Shrink" (Theft of Drugs From Pharmacies)

Homeland Security
  1. "Amid NSA Spying Revelations, Tech Leaders Call for New Restraints on Agency"
  2. "NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say"
  3. "Tech Firms Race to Encrypt More Data After NSA Leak"
  4. "Senate Hearing to Explore Security Clearances in Aftermath of Deadly Shooting at Navy Yard"
  5. "White House Offers Tentative Support for Plans to Rein in NSA Surveillance"

Cyber Security
  1. "Concerns Raised About Security of Health Website"
  2. "House Homeland Security Committee Clears Two DHS Cybersecurity Bills"
  3. "Open Source Software Projects Need to Improve Vulnerability Handling Practices, Researchers Say"
  4. "Obama Meets CEOs Amid Privacy Criticism of NIST Standards" (NIST: National Institute of Standards and Technology)
  5. "Researchers Integrate Social Science in Cybersecurity Project"


Mexican Governor Calls Utilities Sabotage 'Terrorism'
Agence France-Presse (10/29/13)

Fausto Vallejo, the governor of the Mexican state of Michoacan, said Monday that the attacks on power stations that occurred over the weekend were related to a feud between two rival drug cartels. Vallejo called the attacks "acts of terrorism," and added that while authorities had heard chatter about possible attacks on power stations last week, they were not expecting such large attacks. Six fuel stations and several power plants were attacked on Sunday by assailants armed with guns and Molotov cocktails. Around 420,000 people in 14 towns were left without electricity for hours. To date, three people have been arrested on suspicion of taking part in the attacks, and an ongoing investigation is looking into who was responsible. Authorities believe that the regional drug gang the Knights Templar attacked the power stations in retaliation for the Oct. 26 march of unarmed vigilante groups into the town of Apatzingan, which is dominated by the cartel. The march was carried out in an attempt to end the drug gang's control of the town.


Ram Raids: Sometimes ORC, Sometimes Drunken Stupidity
Security Director News (10/28/13) Canfield, Amy

"Ram raid" robberies are a fairly common occurrence in the United States, says Rob Reiter, the co-founder of the Storefront Safety Council. A ram raid is a theft in which an SUV or truck is intentionally driven into the front of a store, providing the opportunity for thieves to steal merchandise. According to Reiter, there are about three such robberies every day across the country, often targeting convenience stores, particularly those with ATMs; pawn shops that advertise "gold and guns"; scrap metal yards; jewelry stores; and Apple computer stores. He pointed out that the thefts are so problematic because they cause significant damage to stores and can potentially result in injuries to employees as well as losses from the theft. Reiter recommends that stores install bollards or other barriers to prevent this brand of robbery. Tiffany & Co., for example, has installed bollards in front of its jewelry stores to foil ram raiders, while Houston and Atlanta require stores with ATMs to install bollards. Alternatively, retailers might consider different parking lot or building designs to protect themselves, Reiter said.


Cancer Hospital Employees Better Not Go Where They Don't Belong
Security Director News (10/28/13) Canfield, Amy

The Dana Farber Cancer Institute (DFCI) in Boston, Mass., says that upgrading its access control system from Tyco's CCure 800 to the CCure 9000 allowed it to introduce Wi-Fi locks without building a new system to manage them. Ralph Nerette, DFCI's manager of security services, said that the upgrade also provides more information about access control cardholders, including their functions in the organization, which allows the security staff "to make better decisions about access control." By being able to look at automatic reports of those who have been denied access at a door, Nerette said, the staff is able to look at the cardholder's function and work hours to determine whether the action was a "legitimate access attempt." He added that because DFCI did not need to build a new system to manage the Wi-Fi locks, the system upgrade did not make a large dent in the DFCI's security budget. The costs of training employees to use the new system are lower because its ease of use has reduced the amount of time needed for training, Nerette said. The CCure 9000 also offers key integration capabilities, as it enables the introduction of third-party technologies in a way that does not require the introduction of "new interfaces," Nerette said. In addition, the system has increased the efficiency of workflow and other processes. The system is used to provide access control to all 15 buildings of the DFCI, and to manage security throughout the institute's four campuses.
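The denied-access triage described above, as an added illustration that is not code from DFCI, Tyco or the article: each denied event is checked against the cardholder's function, the zones that function is allowed into, and the cardholder's scheduled hours, and only the events that fit neither are flagged for review. The report line format, the directory and the events are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed cardholder directory (hypothetical, not DFCI data):
# function, zones the function may enter, and scheduled work hours.
DIRECTORY = {
    "1042": {"function": "nurse", "zones": {"WARD", "PHARMACY"},
             "hours": (time(7, 0), time(19, 30))},
    "2077": {"function": "facilities", "zones": {"WARD", "MECH", "LOADING"},
             "hours": (time(22, 0), time(6, 0))},   # overnight shift
    "3150": {"function": "admin", "zones": {"OFFICE"},
             "hours": (time(9, 0), time(17, 0))},
}

# Constructed denied-access report in an assumed
# "<ISO timestamp> DENIED badge=<id> door=<ZONE>-<n>" format.
REPORT = """\
2013-10-28T14:05:00 DENIED badge=1042 door=PHARMACY-3
2013-10-28T02:40:00 DENIED badge=1042 door=PHARMACY-3
2013-10-28T23:15:00 DENIED badge=2077 door=MECH-1
2013-10-28T12:30:00 DENIED badge=3150 door=PHARMACY-1
2013-10-28T10:00:00 DENIED badge=9999 door=OFFICE-2
"""


@dataclass
class DeniedEvent:
    when: datetime
    badge: str
    zone: str


def parse_line(line: str) -> DeniedEvent:
    """Parse one report line; the zone is the door name minus its number."""
    ts, status, badge_kv, door_kv = line.split()
    if status != "DENIED":
        raise ValueError(f"not a denied-access line: {line!r}")
    badge = badge_kv.split("=", 1)[1]
    door = door_kv.split("=", 1)[1]
    return DeniedEvent(datetime.fromisoformat(ts), badge, door.rsplit("-", 1)[0])


def within_hours(t: time, start: time, end: time) -> bool:
    """True if t falls in [start, end], handling shifts that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def triage(ev: DeniedEvent, directory=DIRECTORY) -> str:
    """Classify a denied event using the cardholder's function and hours."""
    rec = directory.get(ev.badge)
    if rec is None:
        return "escalate: badge not in directory"
    in_role = ev.zone in rec["zones"]
    on_shift = within_hours(ev.when.time(), *rec["hours"])
    if in_role and on_shift:
        # Right person, right place, right time: probably a reader or
        # clearance misconfiguration rather than a misuse attempt.
        return "likely legitimate: verify door clearance"
    reasons = []
    if not in_role:
        reasons.append(f"zone {ev.zone} outside {rec['function']} function")
    if not on_shift:
        reasons.append("outside scheduled hours")
    return "review: " + "; ".join(reasons)


def triage_report(text: str = REPORT) -> list:
    """Return (badge, zone, verdict) for every line of the report."""
    return [(ev.badge, ev.zone, triage(ev))
            for ev in map(parse_line, text.splitlines())]
```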


Theft Policing in Spotlight
Wall Street Journal (10/25/13) Shallwani, Pervaiz

The methods that retailers and police use to combat theft have come under intense scrutiny after two black shoppers said that they had been accused of committing credit card fraud after making legitimate purchases at Barneys New York. One of those shoppers, Trayon Christian, filed a lawsuit against Barneys and the New York Police Department on Monday, saying that he had been stopped on the sidewalk outside the store by undercover officers after making a purchase, and was then arrested, accused of using a fake card in the transaction, and held for two hours before being released. It was revealed shortly after that Kayla Phillips had filed a notice of claim against the city last summer after she was stopped and questioned for 20 minutes after making a purchase at Barneys with a temporary debit card she was given after she opened a bank account. There have been allegations that the two shoppers were racially profiled. NYPD spokesman John McCarthy said that in Christian's case, police were at the store to arrest someone else, and that the reason Christian was arrested is under investigation. He noted that police were responding to a complaint from the store that Phillips' card had raised suspicions when they stopped and questioned the 22-year-old. McCarthy added that the NYPD's Internal Affairs Bureau is investigating the incidents, which is standard practice. Retailers in Manhattan's main shopping districts and the NYPD have maintained that they are simply being vigilant about theft given that the crime is on the rise in the area.


Reducing the Shrink
Security (10/13) Vol. 50, No. 10, P. 42 Ritchey, Diane

Pharmacies can be appealing targets for criminals looking to steal painkillers such as OxyContin and resell them on the street. James Hughes, a member of the North Texas Chief of Police Association, says that pharmacies face a risk of robbery and theft that is similar to that of jewelry stores. He noted that large quantities of in-demand prescription drugs worth tens of thousands of dollars can be taken out of a pharmacy in a small shopping basket, just as thousands of dollars of jewelry can be stolen from a jewelry store and placed in a small bag. Hughes notes that pharmacies will not be able to adequately protect themselves from the threat of criminals breaking in to steal prescription drugs by relying on standard burglar alarms, since police departments in a number of cities across the country are no longer responding when these alarms are triggered. According to Hughes, a better alternative to standard burglar alarms is a new type of alarm system that films a crime in progress and sends the video to law enforcement for them to review. Hughes notes that the use of video is an effective way to elicit a response from law enforcement, even in cities that have stopped responding to classic alarm systems.


Homeland Security

Amid NSA Spying Revelations, Tech Leaders Call for New Restraints on Agency
Washington Post (11/01/13) Timberg, Craig; Nakashima, Ellen

Six major technology companies sent a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) on Thursday expressing their support for a bill that would reform the National Security Agency's surveillance practices. Facebook, Google, Apple, Yahoo, Microsoft, and AOL said in their letter that the latest revelations about the extent of the NSA's surveillance programs--particularly reports that the agency collects user information as it moves between Google and Yahoo data centers abroad--show that there is a need for "substantial enhancements to privacy protections and accountability mechanisms for those programs." The companies said they favored a bill sponsored by Leahy that would end the bulk collection of Americans' telephone records and would create a privacy advocate that would push the Foreign Intelligence Surveillance Court, which oversees the NSA, to protect civil liberties. The letter represents a shift in the approach the tech companies are taking to the issue of government surveillance. Until now, tech companies have largely asked the government to simply be more open about its surveillance requests. Center for Democracy and Technology Chief Technologist Joseph L. Hall says that the tech industry is changing its approach because it believes that the collection of Google and Yahoo user information is more intrusive than what many thought was possible.


NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say
Washington Post (10/31/13) Gellman, Barton; Soltani, Ashkan

The National Security Agency (NSA) and the U.K.'s Government Communications Headquarters (GCHQ) are jointly operating a surveillance program called MUSCULAR in which they tap the main communication links between Yahoo and Google data centers around the world. The existence of the program is mentioned in documents released by Edward Snowden and has been confirmed by knowledgeable officials. The surveillance program consists of NSA and GCHQ tapping into the communications links from interception points located outside the U.S., thereby allowing them to copy entire data flows--including e-mail metadata and content such as text, audio, and video--as the data traverses the links. One top secret document released by Snowden noted that the NSA acquisitions directorate sends millions of records from Yahoo and Google's internal networks to data warehouses at the agency's headquarters each day. Many of the hundreds of millions of user accounts that MUSCULAR collected information from likely belonged to Americans. The program is legal because the NSA intercepts communications overseas, where restrictions on surveillance are looser. Some of the documents note that MUSCULAR has produced important intelligence leads against hostile foreign governments. Google and Yahoo said that the surveillance was being carried out without their knowledge or consent.


Tech Firms Race to Encrypt More Data After NSA Leak
Wall Street Journal (10/31/13) Gorman, Siobhan; Yadron, Danny

Tech companies, including Google and Yahoo, are working to develop new encryption methods to prevent the National Security Agency (NSA) from accessing information as it traverses their networks. According to documents leaked by former NSA contractor Edward Snowden, the NSA collects user data from the companies as it travels in an unencrypted state between data centers. That may be changing, however, with Google saying it is working to encrypt more data traveling between its servers. While Yahoo has declined to comment, Microsoft said that it is "evaluating additional changes that may be beneficial to further protect consumers." Trevor Timm of the Electronic Frontier Foundation says that such actions will be important for tech companies to keep their customers' trust. “Companies need to realize that intelligence agencies—not just the NSA—will attack their weakest point,” Timm said.


Senate Hearing to Explore Security Clearances in Aftermath of Deadly Shooting at Navy Yard
Associated Press (10/31/13)

The Senate Committee on Homeland Security and Governmental Affairs will hold a hearing on Thursday to discuss the security clearance process for government employees--a process that committee Chairman Tom Carper has said is "fundamentally flawed." Federal officials who oversee the security clearance process, including acting Office of Personnel Management (OPM) Director Elaine Kaplan, are scheduled to appear at the hearing to discuss the adequacy of the background checks that are performed on security clearance holders. The federal security clearance system has come under fire in the aftermath of the Washington Navy Yard shooting. The gunman, Aaron Alexis, was a defense contractor who was granted a security clearance in 2008 despite the fact that he had been arrested, but not charged, in 2004 for shooting the tires of a vehicle. The arrest was discovered during an FBI fingerprint check, though an investigative report by an OPM contractor did not mention that Alexis had fired the shots. Alexis subsequently had several other encounters with police as well as potential mental health issues, though he continued to hold his security clearance. Kaplan has said that Alexis' file met the applicable standards but that OPM is reviewing his case. Thursday's hearing comes as Congress is considering legislation that would require OPM to perform surprise audits of existing security clearances in order to encourage security clearance holders to volunteer potentially derogatory information.


White House Offers Tentative Support for Plans to Rein in NSA Surveillance
Guardian (CAN) (10/29/13) Roberts, Dan; Ackerman, Spencer

White House officials said on Oct. 29 that they may throw the administration's support behind some congressional initiatives to limit the National Security Agency's (NSA) surveillance programs. The announcement follows the introduction of bipartisan legislation in the House and the Senate that would reform surveillance. Both the White House and Congress have launched reviews of the programs, but it is unclear as yet what changes, if any, will come of them. Sen. Dianne Feinstein (D-Calif.), the chair of the Senate Intelligence Committee, did say that "collection on our allies will not continue," referring to the uproar over revelations that the NSA may have tapped German Chancellor Angela Merkel's cell phone. Intelligence community leaders, on the other hand, remain adamant that surveillance programs are necessary for the government's counterterrorism efforts. In their congressional testimony on Tuesday, NSA chief Gen. Keith Alexander and Director of National Intelligence James Clapper both warned against the "risks of overcorrection," as Clapper put it. Some have taken the remark as a suggestion that Clapper believes that restrictions on surveillance programs could put the country at risk of a terrorist attack.


Cyber Security

Concerns Raised About Security of Health Website
Associated Press (10/30/13) Kellman, Laurie

During a House Energy and Commerce Committee hearing on Oct. 30, lawmakers confronted Department of Health and Human Services (HHS) Secretary Kathleen Sebelius with a government memo raising fresh concerns about the glitch-ridden Web site that consumers are using to enroll in health insurance plans. The document shows that Obama administration officials at the Centers for Medicare and Medicaid Services were worried that a lack of testing posed a potentially "high" security risk for the HealthCare.gov Web site serving 36 states. It was given a temporary security certificate so it could operate. Rep. Mike Rogers (R-Mich.) told Sebelius that she "accepted a risk on behalf of every user" that potentially exposed their personal financial information. Sebelius responded that the system is sound, even though the site has a temporary certificate, which is known in government parlance as an "authority to operate." She said a permanent certificate will only be issued once all security glitches are addressed. The HHS secretary is vowing to have the problems fixed by Nov. 30.


House Homeland Security Committee Clears Two DHS Cybersecurity Bills
Warren Communications News (10/30/13) Phillips, Jimm

The House Homeland Security Committee on Tuesday approved two Department of Homeland Security-centric cybersecurity bills: the Critical Infrastructure Research and Development Advancement Act (HR-2952) and the Homeland Security Cybersecurity Boots-on-the-Ground Act (HR-3107). According to committee Chairman Michael McCaul (R-Texas), HR-2952 will "enhance DHS's research and development tools, streamline its public-private coordination efforts" and make certain the DHS and its public-sector partners will be able to share technological solutions. One of the bill's amendments will extend the scope of the measure's required DHS-developed strategic plan that would guide federal cybersecurity and physical security research, as well as development efforts for the protection of critical infrastructure, so that they include "all threats." HR-3107 includes provisions for the creation of a new cybersecurity occupation classification system in order to strengthen the quality of DHS's cybersecurity workforce by identifying gaps in cyber knowledge and other assessments. The bill will also create a cybersecurity fellowship program that would pay for the undergraduate and graduate tuition of those who agree to work for DHS for a set period, mandate that DHS use the cybersecurity occupation classification system, and expand DHS's cybersecurity workforce recruitment efforts. The two bills have been sent to the full House for consideration.


Open Source Software Projects Need to Improve Vulnerability Handling Practices, Researchers Say
IDG News Service (10/30/13) Constantin, Lucian

Many open source software developers need to improve the way in which they handle vulnerability reports, according to Rapid7 researchers who recently reported vulnerabilities in seven popular open source software applications. Starting in August, the researchers chose seven of the most popular open source Web applications and looked for vulnerabilities in them. Within two weeks the researchers had found security flaws in all of them, says Rapid7's Christian Kirsch. In six applications, including Moodle, vTiger, Zabbix, ISPConfig, OpenMediaVault, and NAS4Free, the researchers found an issue that could enable remote authenticated attackers to execute commands on the underlying operating system. After discovering the vulnerabilities, the researchers alerted the developers and worked with the Computer Emergency Response Team Coordination Center to coordinate the disclosures. Just two of the seven projects patched the issues disclosed to them, while four projects say they will not correct the authenticated remote command execution issue because they consider it to be by design. One project failed to communicate its plans, Kirsch says. Across the seven projects, the researchers found at least seven different approaches to handling incoming vulnerability reports, says Metasploit's Tod Beardsley.


Obama Meets CEOs Amid Privacy Criticism of NIST Standards
Wall Street Journal (10/29/13) Rubenfeld, Samuel

Chief executives of companies in the energy, financial services, and information technology sectors met with President Obama on Tuesday to discuss efforts to improve the cybersecurity of the nation's critical infrastructure. The conversation reportedly focused on how to encourage the adoption of the preliminary framework on voluntary cybersecurity standards released into the Federal Register by the National Institute of Standards and Technology (NIST) on Oct. 22. According to cybersecurity lawyers, the framework will be quite influential, though there have been some concerns raised about the privacy portions of the framework since the release. A client alert from Mintz Levin notes that in earlier versions of the framework, very little attention was given to the importance of having critical infrastructure organizations address privacy as part of their cybersecurity plans. However, the alert noted that the framework does include a detailed methodology to protect privacy and civil liberties that industry reviewers should scrutinize closely. The framework's newly expanded appendix on privacy has also sparked concerns among experts about its lack of flexibility, outdated privacy principles that are not linked to the rest of the framework, and blunt language that could create more problems than it hopes to prevent.


Researchers Integrate Social Science in Cybersecurity Project
The Tartan (10/28/13)

Carnegie Mellon University (CMU) researchers are helping to develop methods for computers to make security decisions in cyberspace by investigating psychological and human factor issues. Researchers have developed techniques that enable computers to distinguish between real and false cyberattacks, and this capability could lead to computer systems that respond with human decision making and without physical human intervention. The research is part of the five-year, $23.2 million Models for Enabling Continuous Reconfigurability of Secure Missions project, which uses human behavior models to enable computers to predict the motivations of users, defenders, and attackers. The project uses human behavior models to detect attacks, measure and manage risk, and alter the environment to optimize results. Humans are integral to maintaining cybersecurity, notes CMU professor Lorrie Cranor. "Their behavior and cognitive and psychological biases have to be integrated as much as any other component of the system that one is trying to secure," she says. The Army Research Laboratory, Pennsylvania State University, Indiana University, the University of California, Davis, and the University of California, Riverside also are participating in the project.


Abstracts Copyright © 2013 Information, Inc. Bethesda, MD
