Friday, April 18, 2014

Security Management Weekly - April 18, 2014

Corporate Security
  1. "Proposal to Prevent Grid Attack Lacks Power, Critics Say"
  2. "From Shoplifting to Cyber Security, Businesses Advised to Check the Locks"
  3. "Brazilian Companies Keeping CEO Pay Secret to Protect Against Kidnappings"
  4. "Police Arrest 'Raging Anti-Semite' in Kansas Jewish Center Shootings"
  5. "Workplace Violence: Be Prepared: Businesses and Employees Should Also Be Trained and Prepared for Violence"

Homeland Security
  1. "A Year Later, Little Government Response to Boston Bombing as Politics of Terrorism Shift"
  2. "How the U.S. is Vulnerable to Terrorism in Space"
  3. "NYC Police Rolling Back Some Counterterror Efforts"
  4. "New York Drops Unit That Spied Among Muslims"
  5. "Boston Marathon Security: How Can You Keep 26.2 Miles Safe?"

Cyber Security
  1. "Michaels Hack Hit 3 Million"
  2. "Heartbleed Hackers Steal Encryption Keys in Threat Test"
  3. "Heartbleed Bug Fixes Threaten to Cause Major Internet Disruptions in Coming Weeks"
  4. "Aviation Industry and Government to Share Cyber Threats in New Intelligence Center"
  5. "Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say"


Proposal to Prevent Grid Attack Lacks Power, Critics Say
Wall Street Journal (04/18/14) Smith, Rebecca

Critics say that the North American Electric Reliability Corp.'s proposed rules for protecting the power grid are not strong enough, partly because they do not include specific suggestions made by federal regulators following the 2013 attack on a substation near San Jose, Calif. Those recommendations called for the installation of blast barriers and opaque fencing at substations. The NERC's proposed rules do require utilities to develop their own plans for protecting substations and related facilities that have the largest transformers, and in some cases to cover smaller substations. However, the NERC proposal does not list specific requirements for the plans or deadlines for when they must be implemented. Thomas Popik, the founder of an organization that studies the safety of the electric grid, said that NERC's main goal with these proposed rules is to prevent utilities from suffering financial liabilities. NERC members will vote on the proposed rules beginning April 20, with the goal of presenting new standards to federal regulators no later than June 5. Though federal law gives NERC the exclusive authority to write standards for the nation's electric system, the Federal Energy Regulatory Commission (FERC) has the authority to accept or reject any rules drafted by NERC.


From Shoplifting to Cyber Security, Businesses Advised to Check the Locks
South Coast Today (Massachusetts) (04/16/14) Rios, Simon

While more than $35 million of goods are stolen from U.S. retailers every day — costing businesses more than $13 billion a year — external theft is just one of a host of security threats businesses face. Bristol County, Mass., District Attorney Sam Sutter's office organized an April 15 seminar at Dartmouth on crimes affecting the local business community. Homing in on some of the top security concerns for businesses, experts shared knowledge learned over years in their respective trades. Assistant DA James McKenna said the cooperation of the business community is indispensable in fighting white collar criminals. McKenna also recommended doing criminal background checks on prospective employees, as well as asking their previous employers the simple question: "Would you hire them again?" Alicia Hyde and Nicole Weatherman, loss prevention specialists at Target, spoke about the retailer's efforts to stem shoplifting and other forms of theft. With 1,744 stores and $62 billion in sales, Target goes to serious lengths to ensure loss prevention, whether the threat is an opportunistic shoplifter or a trained professional, they said. Stolen goods often trace back to criminal organizations that deal in fenced goods, which are then sold through outlets like flea markets or online auction houses. "As an investigator, I want to know where my merchandise is going," Weatherman said. We "have technicians that can monitor any store...at any time with any camera," Weatherman said. "I would be able to log into my laptop right now, look at any camera in any store." Julian Smith of the state Division of Consumer Affairs and Business Regulations said it's important to "make data security a priority," adding that cyber attacks are becoming more prevalent. "Create a culture of security in your business — and it really has to come from the top down."


Brazilian Companies Keeping CEO Pay Secret to Protect Against Kidnappings
Bloomberg (04/15/14) Sciaudone, Christiana

More than 33 percent of Brazil's most-traded companies, all with American depositary receipts, do not publish compensation for top officials in order to discourage abductions of executives, even though securities regulator CVM mandated disclosure of expanded pay details four years ago. Investors say the information ensures CEOs do not overpay themselves at the expense of shareholders, while corporations say the rule breaches managers’ privacy and puts them at risk for kidnapping. “In Brazil, if you say how much you make, you’re an idiot, irresponsible, or an exhibitionist,” says attorney José Roberto de Castro Neves, who filed an injunction against the CVM ruling on behalf of the Brazilian Institute of Finance Executives. Castro Neves' firm went to court to argue that corporations should withhold salary information, and the case is under litigation in a Rio de Janeiro federal court. “As evolved and as sophisticated as some of the criminal groups might be in Brazil, I seriously doubt that kidnappers are reading proxy statements,” says Institutional Shareholder Services' Cristiano Guerra. For minority shareholders, “remuneration is the next hot topic that they’ll start pressuring companies for.” U.S. Securities and Exchange Commission regulations stipulate that companies must disclose compensation paid to CEOs, chief financial officers, and other senior executives in a “clear, concise and understandable” way, including the amount, type, and criteria used in determining salary. The Brazilian regulatory revision was spurred by conflicts in the U.S. over executive compensation in the midst of the 2008 financial crisis, Castro Neves says. He notes that in Brazil “we didn’t have such big distortions.”


Police Arrest 'Raging Anti-Semite' in Kansas Jewish Center Shootings
CNN.com (04/14/14) Ahmed, Saeed; Shoichet, Catherine E.

Three people were killed in two separate shootings at a Jewish community center and a Jewish nursing home in suburban Kansas City on Sunday. The first shooting took place Sunday afternoon at the community center in Overland Park, Kan., when Frazier G. Miller--a Missouri man with a known history of anti-Semitic behavior--allegedly opened fire on a boy and his grandfather while they were in their car. Both were killed. The community center, which was being used for a number of events at the time, was put into lockdown immediately following the shooting. Children were reportedly taken into locker rooms and told to lie on the floor to protect themselves. Miller then drove to the Village Shalom Retirement Community in Leawood, Kan., where he allegedly shot and killed a woman while she was in the parking lot. That shooting also prompted the retirement home to take security precautions, as residents were reportedly told to stay away from windows. Miller is believed to have also shot at two other people at some point, though they were not injured. The gunman, who is not believed to have known any of the victims, was later arrested. Police have not said that the shootings, which took place one day before Passover, were hate crimes.


Workplace Violence: Be Prepared: Businesses and Employees Should Also Be Trained and Prepared for Violence
West Central Tribune (04/13/14) Lange, Carolyn

Vikki Sanders, a member of the Minnesota Department of Labor and Industry's workplace violence prevention resource center, says that businesses should train their employees to be prepared to handle incidents of violence in the workplace. Though businesses are responsible for ensuring the safety of their employees, Sanders noted that most do not have a plan that would guide the response to an active shooter. During a recent presentation, Sanders detailed a new campaign developed by the Department of Homeland Security to encourage businesses to develop such plans. The campaign urges employees to follow three tips: run, hide, and fight. The first priority is for employees to get out of the building or the shooter's line of fire and call 911, but if that is not possible, employees are advised to hide, silence their cell phones, and remain as quiet as possible. The last resort, according to the campaign, is to fight against the shooter with whatever is available, though this action is only to be considered if an employee is cornered with no escape route. Sanders noted that another part of the campaign focuses on ways to prevent workplace violence, including listening to all employee concerns and not discounting any potential threats made against an employee or the organization.




A Year Later, Little Government Response to Boston Bombing as Politics of Terrorism Shift
Associated Press (04/17/14)

Unlike the September 11, 2001 terrorist attacks, last year's Boston Marathon bombing has not resulted in any major policy changes at either the federal or state level. The federal government has primarily responded to the attack by launching two probes that examined the effectiveness of the investigation and the sharing of intelligence that occurred before the bombing took place. Massachusetts, meanwhile, has focused on taking steps to memorialize the victims and reimburse police departments involved in the search for the bombers. There are several reasons why the government response to the Boston Marathon bombing has not been as robust as the response to the Sept. 11 attacks, including the fact that the lower casualty Marathon bombing did not capture the public's attention as strongly as al-Qaida did when it killed roughly 3,000 people by flying hijacked airliners into the World Trade Center and the Pentagon. The revelations about the National Security Agency's surveillance programs have also made some lawmakers hesitant to call for greater surveillance to prevent lone wolf attacks like the Boston Marathon bombing. However, Rep. William Keating (D-Mass.) is planning to introduce legislation sometime this year that will call for increased cooperation between federal and local law enforcement agencies, among other things, to help prevent future attacks.


How the U.S. is Vulnerable to Terrorism in Space
National Journal (04/17/14) Ryan, Laura

A new report from the U.S. Council on Foreign Relations says that an attack on an American asset in space is a growing threat to the nation's security. According to the report, an attack on a U.S. satellite could cause serious damage to national security because the United States relies on satellites to carry out drone attacks against terrorist suspects and to analyze images of nuclear-weapons programs. Report author Micah Zenko says that one potential threat could come from countries such as China, North Korea, and Iran, all of which are developing military space capabilities and could conceivably attack an American satellite.


NYC Police Rolling Back Some Counterterror Efforts
Associated Press (04/16/14) Peltz, Jennifer; Pearson, Jake; Sisak, Michael

New York City Police Commissioner William Bratton has launched a unit-by-unit review of the New York Police Department's counterterrorism and intelligence operations in order to better deploy department resources and to identify and end any possible inefficiencies. For example, the commissioner is evaluating a unit that has stationed NYPD officers in foreign cities around the world in order to provide the department with access to more timely information on possible terror plots. Critics have raised questions about whether the officers deployed to these cities are able to obtain any actionable intelligence. Bratton is also reviewing protocols that guide when and how the department is allowed to conduct surveillance when trying to locate terrorists. The review, which is partially in response to criticism that past actions by the department violated the civil rights of minorities, is expected to place more restrictions on the department's intelligence gathering operations and make them less secretive.


New York Drops Unit That Spied Among Muslims
New York Times (04/16/14) Apuzzo, Matt; Goldstein, Joseph

The New York Police Department (NYPD) announced Tuesday that it has disbanded its controversial Demographics Unit, which was made up of undercover detectives who monitored activities in Muslim neighborhoods in order to identify potential terrorists and break up terrorist plots. The department says the unit has been inactive since January, when Police Commissioner William J. Bratton took office from former Commissioner Raymond W. Kelly, who defended his department's surveillance programs and said they were legal techniques that helped protect New York from terrorist attacks. Bratton, however, has indicated that he was concerned about the distrust that was created in the Muslim community by police officers coming into their neighborhoods to monitor day-to-day activities and document conversations. In addition, the NYPD now says that officers in the Demographics Unit never got a lead on a potential terrorist threat. Meanwhile, the future of other NYPD intelligence gathering efforts--including the infiltration of Muslim student groups at colleges and universities and the surveillance of mosques--remains unclear, as there are pending legal challenges to these and other programs. However, the NYPD says it still plans to strive to understand "certain local demographics" information in order to identify terrorist threats, though it plans to collect that information if it is needed by having officers directly communicate with community leaders.


Boston Marathon Security: How Can You Keep 26.2 Miles Safe?
CNN (04/16/14) Yan, Holly

Boston Police discovered two suspicious bags near the finish line of the Boston Marathon on Tuesday, which was the first anniversary of last year's bombings, though they eventually determined that both bags were safe. Police first became suspicious after noticing a man walking barefoot in the rain near the site of last year's bombing. The man, who was carrying a backpack, began yelling, prompting police to stop him and investigate the bag, which contained a rice cooker. Pressure-cooker bombs were used in last year's attack. A bomb squad determined that the bag was safe, and during the process identified another bag in the area that no one would claim. The second bag was also rendered safe by the bomb squad. According to Police Superintendent Randy Halstead, the man was arrested and charged with possessing a hoax device, as well as disorderly conduct and disturbing the peace. Meanwhile, police in Boston are preparing for the start of this year's Boston Marathon, which will feature 900 more runners than last year's event. The number of spectators is also expected to be higher, and the influx of people has prompted police to double the number of officers assigned to patrol the event. Other efforts to protect the event include a ban on backpacks and rucksacks, bulky clothes, costumes that cover the face, and containers with more than one liter of fluid. The Boston Athletic Association will also be preventing unregistered runners and cyclists from joining the race.




Michaels Hack Hit 3 Million
CNNMoney (04/18/14) Lobosco, Katie

Michaels Stores said Thursday that the previously announced cybersecurity breach that took place at some of its stores affected roughly 3 million of its customers. The arts and crafts chain also said that the breach lasted from May 8, 2013 through January 27, 2014 and impacted around 7 percent of transactions made with credit or debit cards during that time. Michaels said that there is no evidence that customers' names or PINs were stolen, though some card numbers and expiration dates were compromised and a "limited number" were later used fraudulently. In addition, the company's Aaron Brothers subsidiary was hacked between June 26, 2013 and February 27, 2014, potentially resulting in the theft of information from some 400,000 other credit and debit cards. Michaels CEO Chuck Rubin says that the company has contained the hack and that the malware used in the breach "no longer presents a threat to customers while shopping at Michaels or Aaron Brothers."


Heartbleed Hackers Steal Encryption Keys in Threat Test
Sydney Morning Herald (Australia) (04/15/14) Robertson, Jordan

At least six hackers who participated in a contest held by the Internet security company CloudFlare over the weekend were able to exploit the Heartbleed vulnerability to steal private encryption keys. Nick Sullivan, a security architect with CloudFlare, said that the contest was designed to simulate a realistic attack and that the software used by the contest server was the same as that used by one-seventh of all Web sites. The results of the contest suggest that hackers worldwide have been able to steal the encryption keys for vulnerable sites and that they are likely planning attacks that make use of these keys, Sullivan said. CloudFlare had initially launched the test on April 11 after it had appeared that extracting these keys from Web sites would be difficult or impossible to do using Heartbleed. Meanwhile, the researchers who first found Heartbleed believe that the bug could still exist inside millions of Web sites. But Netcraft, the cybersecurity firm whose data was used to create that estimate, said the number is likely to be closer to 500,000, as only some Web sites have turned on the functionality that Heartbleed made vulnerable. Netcraft noted that only 30,000 of these potentially vulnerable sites have revoked their encryption certificates, suggesting that the rest remain exposed to an attack. So far the fixes introduced to vulnerable systems appear to be functioning properly and should prevent attackers from using the Heartbleed bug to steal private encryption keys or to gain access to other information.


Heartbleed Bug Fixes Threaten to Cause Major Internet Disruptions in Coming Weeks
Washington Post (04/15/14) Fung, Brian

Cybersecurity experts say there are few good options for addressing the Heartbleed vulnerability, particularly now that malicious hackers could potentially exploit the flaw in a way that was previously thought to be impossible. Experts were initially concerned that hackers could take advantage of the Heartbleed vulnerability to steal Internet users' passwords, but it now appears it is also possible for cybercriminals to exploit the flaw to steal legitimate security certificates from websites and use those certificates to create fake sites. Users who visit the fraudulent websites would think they are accessing legitimate sites, since they would not necessarily receive a warning from their browser that the malicious site's certificate was invalid. Experts say these malicious sites could then be used to trick users into divulging sensitive information. Addressing this vulnerability could potentially have a significant impact on the performance of the Internet, since it would require 500,000 websites affected by Heartbleed to revoke their security certificates and issue new ones. Doing so would make the lists of revoked security certificates that are downloaded by Web browsers much longer than normal, which in turn would significantly slow down the process of verifying a site's identity. But Atlantic Council cybersecurity scholar Jason Healey says the only other option is to do nothing—a course of action he says is not realistic.


Aviation Industry and Government to Share Cyber Threats in New Intelligence Center
Wall Street Journal (04/15/14) King, Rachael

The U.S. government and the aviation industry on April 15 launched the Air Domain Intelligence Integration Center and an analysis center, which will be used by government and industry officials to share information on cyber threats. This is the second such announcement in the past week, with the National Retail Federation announcing a cybersecurity sharing project with the Financial Services Information Sharing and Analysis Center. Together, the two initiatives show a new willingness by industry to share information on cybersecurity. The aviation center, for its part, will work with the Air Domain Intelligence Integration Center in the Transportation Security Administration’s secure flight facility in Annapolis Junction, Md. Pilot programs will include analysts working for the Office of the Director of National Intelligence, the FBI, the Federal Aviation Administration, TSA and the Department of Homeland Security.


Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say
New York Times (04/13/14) Sanger, David E.

Senior Obama administration officials said April 12 that the president has asked the National Security Agency (NSA) to reveal any cybersecurity flaws instead of concealing and exploiting them. The president, however, has also created an exception for cases with “a clear national security or law enforcement need,” which would allow the NSA to continue to take advantage of such flaws to crack encryption and design cyberweapons. Despite this exception, the NSA and officials at the U.S. Cyber Command say giving up the ability to leave cybersecurity flaws undisclosed is the equivalent of "unilateral disarmament" because other countries--including Russia and China--will continue to exploit unknown vulnerabilities. This announcement comes as the White House denies that the government had any knowledge of the Heartbleed vulnerability that has jeopardized password security for a wide range of Internet services. It is also part of a larger set of recommendations issued by the president for NSA operations. Other changes ask the NSA to stop weakening commercial encryption systems and building "back doors" in software and to stop exploiting zero-day flaws. The one exception to the zero-day rule allows officials to “briefly authorize using a zero day for high priority intelligence protection.”


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

