
Friday, February 21, 2014

Security Management Weekly - February 21, 2014

February 21, 2014
Corporate Security
  1. "Minn. Police Groups Sue NFL Over Weapons Ban at Stadiums"
  2. "When Should Shoppers Hear About Hacks? It's Complicated."
  3. "Surprising Survey: Most Small Businesses Remain Silent Rather Than Report Employee Theft"
  4. "Ethiopian Airlines Hijacking Shows Continuing Shortfalls in Security"
  5. "Sen. Charles Schumer: End Power Companies' Veto Rights on Security Measures"

Homeland Security
  1. "Negotiators Reach Deal to End Ukraine Crisis"
  2. "Homeland Security Chief Plays Down Latest Shoe Bomb Warning"
  3. "Report: Deadly Drone Strike in Yemen Failed to Comply with Obama’s Rules to Protect Civilians"
  4. "NSA Weighs Retaining Data for Suits"
  5. "Iranian Hacking to Test NSA Nominee Michael Rogers"

Cyber Security
  1. "Microsoft Issues Temporary Fix for IE Zero-Day Targeting Service Members"
  2. "U-Md. Computer Security Attack Exposes 300,000 Records"
  3. "Healthcare Dominates U.S. Data Breach Incidents, Latest Figures Show"
  4. "Hackers Targeted Key U.S. Industries Through Compromised Websites"
  5. "Kickstarter Hit by Hackers as Usernames and Passwords Stolen"


Minn. Police Groups Sue NFL Over Weapons Ban at Stadiums
Star Tribune (Minn.) (02/19/14) Chanen, David

The Minnesota Police and Peace Officers Association and the Police Officers Federation of Minneapolis filed a lawsuit against the National Football League on Tuesday over its weapons ban at stadiums. The policy prohibits off-duty officers from bringing their guns into stadiums. Though Minnesota law allows licensed peace officers to carry weapons in private establishments despite signs banning guns, the NFL announced in September 2013 that it was introducing a new policy that would forbid anyone other than on-duty officers and private security personnel working the games from carrying weapons in stadiums. The lawsuit states that this policy is in violation of state law, in addition to being unenforceable. NFL Chief Security Officer Jeffrey Miller wrote to Dennis Flaherty, the executive director of the Minnesota Police and Peace Officers Association, and to Hennepin County (Minn.) Sheriff Rich Stanek several months ago stating that the league feels that it is best if public safety is left to the on-duty officers assigned to the game, particularly since off-duty officers would lack the special training needed for working in a stadium and would be generally unknown to the assigned officers. Miller has said he is willing to hold further discussions about the policy with police.


When Should Shoppers Hear About Hacks? It's Complicated.
Washington Post (02/18/14) Tsukayama, Hayley

U.S. lawmakers and consumer proponents are pushing for national data breach notification standards that supersede a patchwork of state statutes and guidelines "that are not effective enough in today's national economy," says Sen. Thomas R. Carper (D-Del.). State laws often provide differing rules on when companies should alert consumers of hacks that compromise their personal information, and how much they disclose. A handful of states stipulate that merchants must report a breach within 45 days of its occurrence, while many states excuse companies from disclosure if their data is encrypted and the leak did not include the encryption key. Sens. Carper and Roy Blunt (R-Mo.) are co-sponsoring legislation to set up a comprehensive national framework that would require firms to safeguard their data, evaluate what damage a breach may do, notify the proper federal agencies of breaches, and, when appropriate, inform consumers of all breaches that affect more than 5,000 customers. The retail industry says it supports a national standard since it would simplify procedures in the event of a breach, while Consumers Union policy counsel Delara Derahkshani says a strong federal breach law would apply much needed protection to consumers, especially in states that have no such ordinances.


Surprising Survey: Most Small Businesses Remain Silent Rather Than Report Employee Theft
Phys.Org (02/18/14) Reily, M.B.

A recent survey of small businesses conducted by Jay Kennedy, a doctoral student in the University of Cincinnati's criminal justice program, has found that while 64 percent of the small businesses surveyed reported experiencing employee theft, only 16 percent reported the thefts to the police. Kennedy surveyed 314 small business owners in Cincinnati and conducted 30 in-person interviews with some of those surveyed. Kennedy found that there were four main reasons why so few small business owners go to the police with reports of theft: the thefts were not serious enough to bother with beyond firing the perpetrator; the costs of reporting the theft would outweigh the benefits; emotional obstacles; or the belief that police are either too busy to handle thefts or are ineffective or incompetent. The study found that the most commonly stolen item was cash, and though the amounts stolen varied, the average taken over time was $20,000. Kennedy offered the hypothesis that a higher dollar amount for an individual theft suggested that the perpetrator was more trusted, and added that, contrary to popular belief, the crimes tended to be for lifestyle enhancement and were not driven by desperation. The study found that the majority of employee thefts occur over a time period that can range from two weeks to 20 years, and are called "ongoing schemes."


Ethiopian Airlines Hijacking Shows Continuing Shortfalls in Security
Wall Street Journal (02/17/14) Michaels, Daniel

The hijacking of Ethiopian Airlines Flight 702 on Monday by the plane's co-pilot underscores the continued threat from insiders to the security of the global aviation industry. Authorities worldwide added layers of screening to prevent dangerous materials or weapons from being allowed on airplanes following the September 11, 2001 attacks, but security specialists have said that the increased focus on identifying security threats posed by passengers has given aviation insiders a number of opportunities to sabotage flights. According to the Aviation Safety Network, nine other passenger planes have been hijacked by pilots who were seeking asylum, like the co-pilot of the Ethiopian Airlines flight, while financial and other pressures are believed to have driven three pilots to deliberately crash their aircraft. In addition to pilots, aviation employees on the ground can also pose threats to flights, even those who are not in direct contact with the airplanes, as they can orchestrate thefts or be part of smuggling operations. A report issued by the U.S. Military Academy's Combating Terrorism Center in 2011 noted that insider threats "become markedly worse at non-Western airports in regions such as West Africa or South Asia, where local authorities' ability to effectively screen prospective airport employees is frequently negligible due to incomplete or poorly structured terrorist and criminal intelligence databases."


Sen. Charles Schumer: End Power Companies' Veto Rights on Security Measures
CBS New York (02/16/14)

Sen. Charles Schumer (D-N.Y.) has called on the Department of Homeland Security and the Federal Energy Regulatory Commission (FERC) to consider drafting tougher new security standards that would end the power industry's right to veto proposed security requirements. In a letter written to both agencies, Schumer said such new standards would be overseen by Congress. The April 2013 sniper attack on an electric power facility in Silicon Valley prompted Schumer's request, as he believes that the attack showed that terrorists could potentially take down vast stretches of the U.S. power grid. Schumer commented that Americans' entire way of life is dependent on the reliability of the nation's power plants and the electric grid and said that "any potential weakness in this critical infrastructure is troubling and should be addressed immediately." He stated that it is vital for the U.S. to reconsider the way security measures are implemented at power plants, and that this was not something that could be left to the utility industry alone, as the security expertise offered by DHS and the energy expertise offered by FERC could allow for the creation of very strong security measures that will help protect power plants from future attacks.




Negotiators Reach Deal to End Ukraine Crisis
Washington Post (02/21/14) Englund, Will

Ukrainian President Viktor Yanukovych's office announced a deal on Friday that would end the country's violent political conflict, one day after 75 people were killed in clashes between anti-government protesters and security forces in Kiev. The deal calls for an immediate return to the constitution Ukraine adopted in 2004, the creation of a coalition government within the next 10 days, a referendum on a new constitution in September, and new elections three months later. However, anti-government protesters--who are upset with Yanukovych's decision to forge closer ties with Russia rather than the E.U.--may be wary of the provision for elections in December, as they want Yanukovych to step down now. The protesters have vowed to remain in Kiev's Independence Square, the scene of much of Thursday's violence, until he does so. Members of Ukraine's opposition political parties may also want assurances that the prime minister and cabinet that make up the proposed coalition government would not simply be puppets for Yanukovych. Meanwhile, Kiev remains on edge amid the possibility of further violence. Shots were reported at Independence Square on Friday, and protesters in the area are reportedly collecting empty bottles to use in making Molotov cocktails.


Homeland Security Chief Plays Down Latest Shoe Bomb Warning
Los Angeles Times (CA) (02/20/14) Martin, Hugo

Homeland Security Secretary Jeh Johnson on Thursday played down a recent warning that terrorists might try to sneak explosives onto commercial planes in passenger shoes, noting that "concerns about shoe bombs have been out there for years." He added that the advisory was being issued because it was the type of alert that the Department of Homeland Security routinely issues "in response to the latest intelligence." Officials said that the alert was issued because there was new intelligence suggesting that a shoe bomb might be used to blow up a plane heading to the U.S. According to Transportation Security Administration officials, no new security procedures were imposed on commercial travelers in response to the advisory.


Report: Deadly Drone Strike in Yemen Failed to Comply with Obama’s Rules to Protect Civilians
Washington Post (02/20/14) Miller, Greg

Human Rights Watch issued a report on Thursday that found that a Dec. 12 drone strike in Yemen did not comply with President Obama's requirement that such attacks be carried out with near certainty that civilians would not be killed or injured. The human rights organization says the attack, which was carried out by the U.S. military's Joint Special Operations Command, killed 12 people and injured 15 others as they were traveling in vehicles that were part of a wedding procession. The organization's investigation into the attack determined that some if not all of the casualties were civilians, and that the casualties did not include alleged al-Qaida operative Shawqi Ali Ahmed al-Badani, who was the strike's primary target. No other senior al-Qaida operatives were killed or injured in the strike either, Human Rights Watch said, though it said that it could not rule out the possibility that some of the dead may have had ties to al-Qaida. The findings contradict the results of an internal U.S. military investigation, which determined that the targets were al-Qaida militants. National Security Council spokeswoman Caitlin Hayden said that Yemeni officials had also said that the targets were senior al-Qaida militants. She added that the Obama administration takes great pains to avoid civilian casualties in its counterterrorism operations.


NSA Weighs Retaining Data for Suits
Wall Street Journal (02/19/14) Barrett, Devlin; Gorman, Siobhan

Officials with the National Security Agency (NSA) have revealed that the lawsuits attempting to stop the agency's telephone metadata collection program have resulted in the federal government considering whether it will enlarge the collection of phone records. This is now under consideration because several government lawyers involved in these lawsuits believe that federal-court rules on preserving evidence related to lawsuits require the agency to stop routinely destroying older phone records. If this is true, the government would be forced to expand the database beyond its original intent for as long as any lawsuits related to the program remain active. No final decision has been made about preserving the data, but if the database is expanded the information would only be held for use in litigation and would not be subject to searches. Electronic Frontier Foundation legal director Cindy Cohn, whose group has sued the government over the program, said that the government should save the records provided they are not still searchable under the program. Currently, the NSA program database holds about five years of data and twice a year any call record more than five years old is removed from the system. Any move to retain the data for a longer period might require approval from the Foreign Intelligence Surveillance Court, which oversees the phone records program.


Iranian Hacking to Test NSA Nominee Michael Rogers
Wall Street Journal (02/18/14) Gorman, Siobhan; Barnes, Julian E.

One of the issues that could be raised at the upcoming confirmation hearings for President Obama's nominee for director of the National Security Agency (NSA), Vice Adm. Michael Rogers, is the response to last year's Iranian cyberattack on the Navy Marine Corps Internet. Rogers currently serves as the Navy's chief of cybersecurity and oversaw the response to the attack, which was first discovered last summer but was not reported publicly until September. Some in Congress are concerned that it took the Navy until November to completely expel the Iranian hackers from the network, four months after the attack was first discovered. However, some current and former officials have defended the Navy's response to the attack, saying that the response took so long partly because the Iranian hackers were able to penetrate deep into the Navy Marine Corps Internet. In addition, one official noted that the response to the attack took so long because Rogers did not simply attempt to clean up after the attack, but also sought to address the newly-identified security risks that resulted from the intrusion. Despite the concerns some lawmakers have raised about the response to the attack, the issue is not expected to prevent Rogers from winning Senate confirmation.




Microsoft Issues Temporary Fix for IE Zero-Day Targeting Service Members
SC Magazine (02/20/14) Walker, Danielle

Microsoft on Feb. 19 issued a temporary solution for a new zero-day vulnerability in Internet Explorer (IE) 9 and 10 that researchers at FireEye said was exploited in a recent attack. Microsoft said the remote-code execution vulnerability that exists in those two versions of the browser, but not IE 11, affects the way IE accesses an object in memory that has been deleted or not properly allocated. The flaw could corrupt a computer's memory, Microsoft said, which in turn could allow an attacker to execute arbitrary code "in the context of the current user within Internet Explorer." Microsoft also said that cybercriminals could create a Web site designed to exploit this vulnerability and then convince potential victims to visit. Researchers at FireEye said Feb. 13 that a U.S. veterans Web site was compromised to serve the zero-day exploit. A backdoor was then placed on the computers of the site's visitors, possibly in an attempt to steal intelligence from military service members.


U-Md. Computer Security Attack Exposes 300,000 Records
Washington Post (02/19/14) Svitek, Patrick; Anderson, Nick

Brian Voss, the vice president and chief information officer at the University of Maryland, said that 309,079 personal records for faculty, staff and students were compromised in a computer security breach that occurred about 4 a.m. Feb. 18. The breach was carried out by someone outside the university who gained access to a secure records database that holds information on individuals who received identification cards as far back as 1998. Officials believe that the person behind the breach effectively copied and stole the information of people affiliated with the university through its College Park and Shady Grove campuses, including their names, dates of birth, Social Security numbers, and university identification numbers. Voss said it appears that the attackers had a "very significant understanding" of how the university's data are designed and protected, as there was no open door vulnerability that enabled them to slip into the system. The university is investigating the breach and will be taking steps to prevent further incidents. In addition, the university will provide anyone whose information was compromised by the breach with a year of free credit monitoring.


Healthcare Dominates U.S. Data Breach Incidents, Latest Figures Show
Network World (02/19/14) Dunn, John E.

The latest figures from the Identity Theft Resource Center (ITRC) show that the healthcare sector accounted for more than 40 percent of customer data breaches recorded in 2013. The sector experienced 267 breaches, 43 percent of the 619 reported breaches. The healthcare sector did well reporting the number of patient records breached, a total of about 4.7 million, largely due to U.S. Department of Health and Human Services regulations that mandate reporting of breaches affecting more than 500 records. Most healthcare breaches were relatively small, especially in comparison to the massive Target customer data breach, which exposed some 40 million records, the majority of the more than 57 million records exposed in 2013. Data breaches were up by 30 percent compared to 2012. Across all sectors, external hacking was the most common cause of breaches, accounting for 25.8 percent of incidents. Hacking was followed by errors on the part of third-party sub-contractors, data migration, insider theft, and employee error or negligence. Paper breaches, which are often overlooked because many states do not require them to be disclosed, accounted for 12 percent of all breaches.


Hackers Targeted Key U.S. Industries Through Compromised Websites
NextGov.com (02/18/14) Sternstein, Aliya

The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team has released a report that says the internal networks of more than 50 critical infrastructure operators may have been accessed by cybercriminals through watering hole attacks last year. The report notes that these operators were warned last year about the attacks, in which cybercriminals infected external websites with malware to capture the email addresses and passwords employees of the organizations used to log into the sites. Since the passwords are often reused, cybercriminals may have been able to use them to log into the internal IT resources at some critical infrastructure operators, says security consultant John Bambenek. The report did not mention what sectors the warned critical infrastructure operators were in. However, several watering hole attacks on a variety of organizations last year have been made public, including attacks on the renewable energy technology supplier Capstone Turbine and a Labor Department site used by nuclear weapons personnel.


Kickstarter Hit by Hackers as Usernames and Passwords Stolen
V3.co.uk (02/17/14) Stevenson, Alastair

The CEO of the crowdfunding site Kickstarter, Yancey Strickler, recently confirmed that the company experienced a data breach. According to a statement issued by Strickler, the breach--which was first noticed by law enforcement officials on Feb. 12--resulted in the theft of customer data such as e-mail addresses, mailing addresses, phone numbers and encrypted passwords. Neither credit card data nor customers' bank information was compromised. Strickler noted that customers' accounts should remain safe, as all key items were encrypted, though he noted that passwords should be changed as a precaution. Kickstarter has been working with law enforcement to catch the hackers, said Strickler, who added that the company has improved its security procedures and systems in numerous ways and will continue to do so to protect its customers from further attacks.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

