Search This Blog

Friday, February 07, 2014

Security Management Weekly - February 7, 2014

header

  Learn more! ->   sm professional  

February 7, 2014
 
 
Corporate Security
Sponsored By:
  1. "Target Breach Began With Contractor's Electronic Billing Link"
  2. "Credit Card Companies’ Compliance Has Gaps, Report Says"
  3. "Senators Call for Update of Data Rules After Target Theft"
  4. "Are Evacuation Practices Flawed?"
  5. "New ASIS PCB President: Blurring Lines Between Public, Private Sectors" Professional Certification Board

Homeland Security
Sponsored By:
  1. "U.S. Moves to Protect Electric Grid"
  2. "U.S. Said to Warn Carriers of Bomb Material in Toothpaste"
  3. "U.S. to Curb Pakistan Drone Program"
  4. "Assault on California Power Station Raises Alarm on Potential for Terrorism"
  5. "Republicans Spar on Leaks and Surveillance, Underscoring Partisan Shake-up"

Cyber Security
  1. "Meehan's Cybersecurity Bill Passed by House Homeland Security Committee"
  2. "Malware Hides Behind JavaScript, PNGs to Bypass Browser Security" PNG Image File
  3. "Senate Cybersecurity Report Finds Agencies Often Fail to Take Basic Preventive Measures"
  4. "App Misconfiguration, Mobile Apps With Poor Encryption Pose Risks, HP"
  5. "Low-Level Exploit Sends Ubuntu, OpenSUSE Kernel Bug Hunting"

   

 
 
 

 


Target Breach Began With Contractor's Electronic Billing Link
Wall Street Journal (02/06/14) Ziobro, Paul

The Pittsburgh-based refrigeration contractor Fazio Mechanical Services is reportedly the vendor whose credentials were stolen by hackers to access Target's payment card system. According to a statement by Fazio Mechanical Services' owner on Feb. 6, the company was the "victim of a sophisticated cyberattack operation" and is cooperating with investigators from the Secret Service and Target to determine how the hackers accessed Fazio's network. Fazio Mechanical began installing and maintaining refrigerator systems at Target stores beginning in 2006 and was remotely linked to Target's computer systems to allow for "electronic billing, contract submission and project management." This link underscores the risks that are opened up when large corporations give contractors the ability to access their computer systems, as hackers commonly attack low-level victims to acquire the credentials that will allow them to attack a bigger company and obtain customer credit and debit card numbers. According to Fazio Mechanical's statement, Target was the only client for which it had remote access. None of Fazio Mechanical's other customers were impacted.


Credit Card Companies’ Compliance Has Gaps, Report Says
Wall Street Journal (02/06/14) DiPietro, Ben

Verizon Communications' 2014 report on compliance with Payment Card Industry Data Security Standards (PCI DSS) has found a pattern of security weaknesses at companies involved with credit card payments. The report found that many companies fail to remain compliant with the minimum in security requirements. Rodolphe Simonetti, the managing director of PCI compliance at Verizon Enterprise Solutions, says the payment system security breaches his company has seen are not the result of compliance failure or technology failure, but rather a failure to fully implement changes to payment system security to ensure continued compliance. Though overall PCI standards compliance was found to have increased substantially from 2012 to 2013, problem areas were found in log-management policies, security testing, protecting sensitive data, controlling access to cardholder data, and the ability to detect and respond to a breach. The report showed that credit card processors are now mostly compliant with PCI standards, while banks are the least compliant - despite the fact that they are liable when breaches occur. Simonetti says he expects banks will move towards PCI compliance during 2014.


Senators Call for Update of Data Rules After Target Theft
Bloomberg (02/04/14) Hopkins, Cheyenne

At the first of three congressional hearings related to the recent cyberattacks on payments systems at Target and other U.S. retailers on Feb. 3, members of the Senate Banking Committee commented that the laws protecting consumer data need to be updated. For example, lawmakers called for granting the Federal Trade Commission wider authority to investigate data breaches and voiced support for requiring retailers to take part in a national data breach notification system. Since the Target breach, lawmakers have made proposals that include creating national standards for database security, the reintroduction of previous data-security bills and new measures that could cover customer notifications in the event of data breaches. Sen. Mark Warner (D-Va.) has also called for retailers to be required to report data security breaches and for the protections for credit and debit cards to be the same.


Are Evacuation Practices Flawed?
Security Management (02/14) Gates, Megan

Companies and institutions of higher learning have a growing number of technological solutions at their disposal to communicate with employees, students, and others in the event of active shooter situations and other emergencies. One such solution is Amerilert, a cloud-based system that allows corporate administrators to create and save custom alerts about emergency response plans before an emergency takes place. In the event of an emergency, these alerts are sent out to employees and others via various communications channels to advise them of the situation and urge them to take the proper precautions. Employees can respond to these alerts to let administrators know that they are safe and unharmed. Such systems can be used to eliminate the practice of having employees assemble at rallying points following an evacuation, which is currently seen as a best security practice even though it could potentially open up the possibility of workers being injured or killed in follow-up attacks, said Nater Associates President Felix Nater. Meanwhile, George Mason University in Fairfax, Va., has begun using a smartphone app called In Case of Crisis to keep students, faculty, and others informed in the event of various emergencies. One of the app's features is a page listing a variety of emergencies, such as a bomb threat or an evacuation, as well as the steps that should be taken in response to each situation.


New ASIS PCB President: Blurring Lines Between Public, Private Sectors
Security Director News (01/31/14) Canfield, Amy

ASIS Professional Certification Board (PCB) President Owen J. Monaghan says that one of his goals for his current term, which will run through the end of the year, is to increase the number of security professionals who are ASIS-certified. Monaghan, who is also the assistant police chief of the New York City Police Department and is the first active-duty police officer to serve as president of the PCB, says one reason why he wants to promote ASIS certification is because he has benefited from having a Certified Protection Professional (CPP) designation himself. Monaghan says that having this designation gives the private private sector partners he works with in securing infrastructure, events, and venues the assurance that he is knowledgeable about security issues. Certification can benefit other security professionals as well, Monaghan says, because PCB's certs are kept up-to-date with changing skill sets and because they are relevant for any industry. In addition, security professionals who are certified have demonstrated that they have a "passion for knowledge" that is valuable in the workforce today, Monaghan says.




U.S. Moves to Protect Electric Grid
Wall Street Journal (02/07/14) Smith, Rebecca

A bipartisan group of lawmakers is calling for the Federal Energy Regulatory Commission (FERC) to be given greater authority to regulate the security of the nation's electric power grid. The push comes in response to reports by the Wall Street Journal and others earlier this week about an April 2013 attack on a Pacific Gas & Electric (PG&E) substation near San Jose, Calif., that resulted in 17 transformers being disabled and caused $16 million in damages. In the Senate, Sen. Dianne Feinstein (D-Calif.) and others will ask the FERC to establish a set of minimum security standards for vital electric substations. The FERC is currently forced to either accept or completely reject, but is not allowed to revise, any proposed electric grid protection standards written by a panel dominated by representatives from the electric power industry. Some lawmakers want to give the FERC the authority to write and impose interim electric grid security standards, while allowing electric power generators to provide input about permanent requirements. In the House, Rep. Trent Franks (R-Ariz.) has also called for electric utilities to do more to protect their infrastructure, saying that doing so will help ensure the nation's security. Meanwhile, the Edison Electric Institute--the electric power industry's primary trade group--says its members are already working with the relevant officials in their efforts to secure the nation's power grid.


U.S. Said to Warn Carriers of Bomb Material in Toothpaste
Bloomberg (02/06/14) Wilber, Del Quentin

A U.S. law enforcement official says that there are indications that terrorists could try to smuggle toothpaste tubes containing bombmaking materials onto airlines flying to Russia. Though the official did not provide more details on the intelligence, it was revealed the alert was sent to U.S. and foreign airline carriers such as American Airlines, Delta Air Lines, and United Airlines. Russian Deputy Prime Minister Dmitry Kozak told reporters that his country's officials were looking into the warning. The alert comes amid ongoing threats against the Winter Olympic Games in Sochi, which are scheduled to begin Feb. 7. Security is tight for the Games. According to Secretary of State John Kerry, the U.S. has 140 people in Russia, including FBI agents and personnel from Homeland Security and the U.S. military, who are assisting with security for the Games. Additionally, the U.S. moved the USS Mount Whitney and the USS Taylor into the Black Sea near Sochi so they would be on hand to assist with security or conduct evacuations of the venue if a terrorist attack is launched.


U.S. to Curb Pakistan Drone Program
Wall Street Journal (02/06/14) Entous, Adam; Gorman, Siobhan; Shah, Saeed

Pakistani officials have been told by their American counterparts that the CIA drone campaign against terrorist targets in Pakistan will be curtailed and brought to an end within the next several years. Under the plan disclosed by American officials, CIA drone strikes will focus on a number of high-profile terrorist targets beginning next year, including al-Qaida chief Ayman al-Zawahiri and several of his top lieutenants. In addition, American officials plan to stop adding new names to the drone program's target list after terrorist suspects are killed. Pakistani officials have long asked the U.S. to stop adding new names to the target list after suspects are killed, since they believe this practice perpetuates the drone strikes they are generally opposed to. Officials believe that these changes will allow the drone strike program to be brought to an end by 2018, when Pakistani Prime Minister Nawaz Sharif's current term ends. U.S. officials believe that the changes will make the drone program less of an issue in the relationship between Washington and Islamabad, though the withdrawal of U.S. troops from Afghanistan is also making drone strikes in Pakistan less feasible. However, the Obama administration still has not set a specific date for ending the drone strike program due to concerns at the CIA that a potential al-Qaida resurgence could require more strikes.


Assault on California Power Station Raises Alarm on Potential for Terrorism
Wall Street Journal (02/05/14) Smith, Rebecca

Former Federal Energy Regulatory Commission (FERC) Chairman Jon Wellinghoff and others are warning that a little-known attack on an electric substation in Santa Clara County, Calif., last year could be a herald for larger attacks aimed at causing widespread power outages. The attack on Pacific Gas & Electric's (PG&E) Metcalf transmission substation on April 16 began when at least two people made their way into a nearby underground vault and cut telecommunications cables owned by AT&T. About half an hour later, the attackers began shooting at the transformers' cooling systems, causing them to leak oil, overheat, and eventually crash. Seventeen transformers were knocked offline, though grid officials were able to avert a widespread power outage. Police arrived at the scene about 20 minutes later but the attackers, who officials have said were likely professionals but not part of a terrorist group, had already escaped. They remain at large. Wellinghoff, who was the chairman of the FERC at the time of the attack, said the lack of any arrests in the case has increased his concerns that an even larger attack against the nation's inadequately-secured electric-grid sites may be in the works. Wellinghoff says that an attack on a small number of substations could cause power outages in most of the U.S. But North American Electric Reliability Corp. CEO Gerry Cauley says that while such a coordinated attack is technically possible, the power grid is resilient enough that most people would not be without power for long.


Republicans Spar on Leaks and Surveillance, Underscoring Partisan Shake-up
New York Times (NY) (02/05/14) Savage, Charlie

At a hearing of the House Intelligence Committee on Feb. 4, Chairman Mike Rodgers (R-Mich.) criticized National Security Agency (NSA) leaker Edward Snowden and compared reporters writing articles based on the documents he provided to criminals fencing stolen material. FBI Director James Comey responded to Rogers' comments, pointing out that journalists may be protected in this respect by constitutional press freedoms. At a hearing of the House Judiciary Committee held on the same day, meanwhile, Rep. Robert Goodlatte (R-Va.) reserved his concerns for the NSA itself, pointing out that the surveillance programs have never stopped a terrorist attack. Rodgers and Goodlatte's comments, observers say, are representative of a divide between congressional Judiciary and Intelligence committees: Judiciary Committee members seem more concerned with the NSA's potential violation of civil liberties, while Intelligence Committee members have defended the agency's actions as necessary for national security.




Meehan's Cybersecurity Bill Passed by House Homeland Security Committee
Delco Times (Pa.) (02/05/14) Kopp, John

The House Homeland Security Committee on Wednesday passed a bipartisan cybersecurity bill designed to strengthen partnerships between the federal government and private industry in order to improve the security of the nation's critical infrastructure networks. The bill, known as the National Cybersecurity and Critical Infrastructure Protection Act of 2013, codifies and provides oversight of the Department of Homeland Security's cybersecurity functions. However, the bill does not provide DHS with further regulatory authority. Rep. Pat Meehan (R-Pa.), a co-sponsor of the bill and the chairman of the House Homeland Security Committee, said the legislation is necessary because it is only a matter of time before the nation's power grids or financial networks are targeted by hackers. The bill is now waiting for a vote from the full House.


Malware Hides Behind JavaScript, PNGs to Bypass Browser Security
InfoWorld (02/04/14) Yegulalp, Serdar

Security researchers at Sucuri have discovered a new cross-site scripting attack that could be used to secretly load malware onto a victim's computer. The technique, which Sucuri researcher Peter Gramantik says could be used in drive-by-download and search engine poisoning attacks, begins with content being loaded with a hidden iframe that contains a JavaScript file called "jquery.js." This file loads a PNG image file from the same domain, from which it extracts a script encoded as binary data inside the image file's metadata. The script extracted from the image file then creates a new iframe located off the victim's screen and loads malicious code from a third-party domain. Experts say this attack is less likely than other attacks to be detected by anti-malware tools because its payload is not actually present on a server, and because the malicious code is being delivered in a way that does not trigger most security tools.


Senate Cybersecurity Report Finds Agencies Often Fail to Take Basic Preventive Measures
Washington Post (02/04/14) Timberg, Craig; Rein, Lisa

The Senate Homeland Security and Governmental Affairs Committee's Republican staffers have released a report that found that federal agencies are not performing even the most basic cybersecurity measures, and are thus vulnerable to attacks by moderately-skilled hackers. The report, which is based on previous investigations by federal inspectors general and the Government Accountability Office (GAO), found that federal officials have routinely failed to install security patches, update anti-virus software, communicate via secure networks, and require the use of strong passwords. Securities and Exchange Commission (SEC) employees, for example, sometimes used their personal e-mail accounts to transmit private information about financial institutions, and on at least one occasion logged onto an unsecured Wi-Fi network at a hacker convention. But the report reserved its toughest criticism for the Department of Homeland Security, saying that it failed to even update essential software. Sen. Tom Coburn (R-Okla.), who oversaw the development of the report, said DHS was setting a bad example for other federal agencies and departments when it comes to cybersecurity. DHS says it has resolved the problems in the report. The problems at DHS and elsewhere have been attributed to a number of factors, including the failure to hire and sufficiently pay IT workers and give them enough authority to ensure basic security practices are being used.


App Misconfiguration, Mobile Apps With Poor Encryption Pose Risks, HP
eWeek (02/03/14) Kerner, Sean Michael

The results of Hewlett-Packard's 2013 Cyber Risk report show that misconfigured apps and apps with poor encryption represent a major security threat to mobile devices. According to the survey, 46 percent of apps do not use encryption properly and 80 percent are misconfigured. HP's Jacob West says the poll results highlight a two-stage problem in app development. He says app developers increasingly have the ability to put solid encryption and other security features into their apps, as many of the most commonly used toolsets and frameworks have such features built in. However, developers often lack the necessary security background to implement such features successfully, and also face pressure to develop and deploy apps fast. Insecurities also can be introduced further down the line by operations people who change secure configurations, leaving apps insecure. West says developers and operations people need to better communicate about app security and configuration. The HP report also notes that HP's Zero Day Initiative, which buys vulnerabilities from researchers, had more vulnerabilities submitted to it in 2013 for Microsoft's Internet Explorer Web browser than any other product.


Low-Level Exploit Sends Ubuntu, OpenSUSE Kernel Bug Hunting
ZDNet (02/03/14) Lee, Michael

Kees Cook, a security engineer for Google's Chrome OS, recently revealed a vulnerability in the Linux kernel affecting distributions such as OpenSUSE and Ubuntu. The vulnerability, which could allow an unprivileged user to escalate their privileges, is tied to the Linux x32 application binary interface (ABI), which lets 32-bit applications take advantage of 64-bit x86 architectures. All Linux kernels since 3.4 have included the option for x32 support. OpenSUSE and Ubuntu are among the distributions that have x32 ABI support enabled by default, leaving them vulnerable to the bug. Red Hat, however, pointedly did not include x32 support in Fedora 18, citing security concerns at the time. A fix has been developed for the vulnerability, and Ubuntu has already issued an update patching the vulnerability. Linux users can test whether or not they are vulnerable by checking their kernel configuration.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD


  ASIS also offers a daily and a non-sponsored, special-content Professional Edition of
Security Newsbriefs. Please click to see a sample or to contact us for more information.

Unsubscribe | Change E-mail | Advertising Opportunities | Security Management Online | ASIS Online

No comments: