Friday, May 02, 2014

Security Management Weekly - May 2, 2014

May 2, 2014

Corporate Security
  1. "Call for Limits on Web Data of Customers"
  2. "Italian Officials Probe Criminal Ties to Cancer Drug Theft"
  3. "Six People Injured in Ga. FedEx Shooting"
  4. "Akamai Patent Case Before Supreme Court"
  5. "Business Security a Balance of Risk, Cost"

Homeland Security
  1. "U.S. and Germany Fail to Reach a Deal on Spying"
  2. "Waseca Teen Accused in School Shooting Plot had Been Planning for Months"
  3. "Qaeda Affiliates Gain Regional Influence as Central Leadership Fades"
  4. "California Senator Questions TSA Official About Adequacy of San Jose Airport's Security Review"
  5. "Mission Creep: Homeland Security a ‘Runaway Train’"

Cyber Security
  1. "Microsoft Patches Internet Explorer Bug for Windows XP"
  2. "Internet Security Researchers Use Heartbleed Bug to Target Hackers"
  3. "Researcher Says Traffic Control Systems Can Be Hacked"
  4. "'Triple Handshake' Bug Another Big Problem for TLS/SSL"
  5. "Emergency Update for Apache Struts Fixes Incomplete Patch for Critical Flaw"

Call for Limits on Web Data of Customers
New York Times (05/02/14) Sanger, David E.; Lohr, Steve

A report released by the White House on Thursday calls for the creation of limits on how consumer data gathered online can be used by private companies. The report made six policy recommendations, including a call for a statutory definition of consumers' rights in regards to how data about their online activities is used. The report also calls for the passage of a national data breach law that would require companies to report major losses of credit card and personal data. In addition, the report recommended that the government look more closely at how intelligence agencies use phone metadata and take into consideration how much information such data reveals about individuals when deciding whether or not to use it. Internet Association President Michael Beckerman responded to the report by saying that the Obama administration should now turn its attention to updating the Electronic Communications Privacy Act and reforming surveillance laws and practices used by the government. U.S.-based tech companies want a reform of government surveillance because they are concerned that their business could be negatively impacted by the belief that their products contain government backdoors.


Italian Officials Probe Criminal Ties to Cancer Drug Theft
Wall Street Journal (05/01/14) Faucon, Benoit; Plumridge, Hester; Falconi, Marta

The Italian Medicines Agency's director for the prevention of counterfeiting, Domenico Di Giorgio, reports that a criminal ring with ties to a variety of organized crime syndicates is responsible for the recent case of counterfeit and stolen cancer drugs being distributed throughout Western Europe. Di Giorgio says that Italy's Camorra crime syndicate, Eastern European crime networks, and a Russian citizen based in Cyprus are all connected to the thefts and counterfeiting. The stolen medications were taken from hospitals and distribution trucks in Italy before being transferred to a licensed wholesaler, who was given fraudulent invoices from fake wholesalers in Hungary, Romania, and Latvia. Among the drugs that were stolen were Herceptin, contaminated vials of which have turned up in several European countries, as well as Alimta and Remicade. Officials say this case may lead to new scrutiny for medical wholesalers who purchase drugs from manufacturers in countries where they are sold at lower prices, relabeled, and sold elsewhere for a profit.


Six People Injured in Ga. FedEx Shooting
Marietta Daily Journal (04/30/14) Wiley, Nikki

Six people were injured Tuesday when an employee at a FedEx sorting facility in Kennesaw, Ga., opened fire on his colleagues. The shooting began when the alleged gunman, 19-year-old Geddy L. Kramer, drove up to the security guard shack at the facility and opened fire on the guard inside. The assailant then moved into the warehouse itself, where he shot five FedEx employees. Two of those individuals sustained life-threatening injuries. Law enforcement from a variety of agencies responded to the shooting, and when they arrived they found the gunman dead from a self-inflicted gunshot wound. A number of unexploded Molotov cocktails were found with the shooter following the attack. Following the shooting, Cobb County Police Chief John Houser praised the officers from his agency and others that responded to the incident. Houser said that his officers in particular showed that they had benefited from the active shooter training that his department has offered for several years. "The officers did exactly what they were trained to do," Houser said, "and without that immediate response, the scene could have certainly been much worse."


Akamai Patent Case Before Supreme Court
Boston Globe (04/30/14) Alspach, Kyle

The U.S. Supreme Court on April 30 heard arguments in a long-running patent infringement case that could widen the use of a legal theory known as "divided infringement," in which a suit is based on infringement committed by multiple parties. The case began when Akamai filed suit against Limelight Networks for allegedly infringing on a method for faster delivery of online content. However, the infringement is considered divided because some of the protected methods are performed by Akamai and some are performed by its customers. A number of technology companies--including Google, Cisco, Facebook, eBay, and Oracle--have filed briefs in support of Limelight over concerns that an expanded definition of divided infringement could allow patent trolls to bring poorly substantiated patent infringement claims since they would not have to prove that anyone is directly infringing a patent. The Supreme Court is expected to issue a ruling by the end of June.


Business Security a Balance of Risk, Cost
Atlanta Journal-Constitution (04/30/14) P. 8A Kanell, Michael E.; Yamanouchi, Kelly

With workplaces being the most common place where mass shootings occur, according to a 2013 report from the Congressional Research Service, businesses want to implement strong security to prevent such incidents from taking place. However, they must balance the risks of a mass shooting with the cost of providing a level of security capable of protecting against these types of attacks. According to Darrell Mercer, the owner of Mercer Protection Agency, this level of security could include armed guards, cameras, electronic badges for employees, locked doors, and metal detectors. One way to keep costs down and avoid implementing excessive security measures is to be on the lookout for indicators that potentially violent employees often display before an incident of workplace violence occurs, said OR3M Chief Security Officer Jeffrey Slotnick. These behaviors can include aggression, depression, threatening behavior, and making references to weaponry. Slotnick says that when these indicators are present in clusters, they should be reported to the organization's crisis management team which can offer assistance or counseling to prevent an incident from occurring.




U.S. and Germany Fail to Reach a Deal on Spying
New York Times (05/02/14) Sanger, David E.

Talks between American and German officials over an agreement that would have expanded intelligence sharing between the two countries while ending U.S. espionage activities in Germany have reportedly collapsed. The idea for such an agreement was born of the controversy surrounding National Security Agency (NSA) surveillance of German Chancellor Angela Merkel's cell phone, as well as reports that the NSA was using the American Embassy in Berlin as a base for surveillance operations in violation of German law. U.S. officials say that negotiations over the agreement broke down after German officials demanded an end to American espionage activities in Germany as part of a no-spy agreement. American officials balked at that request because the U.S. has no such agreement with any of its allies, and they feared that if they agreed not to spy on Germany, other major allies would eventually want similar agreements. German officials then reportedly ended the talks because they did not believe it was worth their while to pursue an accord that did not include a no-spy agreement. German officials, however, say that it was the Obama administration that decided to end the discussions.


Waseca Teen Accused in School Shooting Plot had Been Planning for Months
Star Tribune (Minn.) (05/02/14) Pheifer, Pat

Police say that 17-year-old John David LaDue, who was arrested Tuesday for planning an attack on Waseca Junior/Senior High School in Waseca, Minn., has confessed to hatching the plot. LaDue reportedly told police that he intended to kill his mother, father, and sister with a .22 rifle before setting a fire to draw first responders away from the school. He then planned to set off pressure-cooker bombs in the school cafeteria and gun down students trying to escape the blasts. LaDue had originally planned the attack for April 20, the anniversary of the Columbine High School killings, but there was no school that day. Investigators believe the attack would have occurred in the next few weeks had LaDue not been apprehended. Although LaDue had been setting off practice bombs for about 10 months, he was only arrested after a resident observed him approaching a storage unit through her backyard. Police found LaDue in the storage facility along with bomb-making materials, and he admitted to having ammunition and guns in his home.


Qaeda Affiliates Gain Regional Influence as Central Leadership Fades
New York Times (05/01/14) Schmitt, Eric

Al-Qaida is increasingly becoming a looser association of various regional affiliates, a trend which has resulted in the group's Pakistan-based leaders becoming more and more irrelevant in the terror network's operations, a new State Department report has found. The report, which was released Wednesday, noted that regional al-Qaida affiliates in Somalia, Yemen, Syria, and West Africa became increasingly aggressive and independent from the core al-Qaida leadership beginning last year. These groups still occasionally receive ideological guidance from al-Qaida leader Ayman al-Zawahri, the report found, but they are becoming more and more focused on achieving their own goals. For instance, al-Qaida affiliates in the Middle East and Africa are generally trying to expand the scope of their operations by exploiting the turmoil and lack of effective government in some countries, the report noted. Al-Qaida's core leadership in Pakistan, meanwhile, has been weakened by counterterrorism efforts and is having trouble keeping the terrorist network from breaking up into a number of smaller groups. State Department Counterterrorism Coordinator Tina S. Kaidanow says the shift towards greater decentralization inside al-Qaida poses a challenge for the U.S. because it means that officials will need to have a greater understanding of the conditions in the countries in which al-Qaida affiliates operate.


California Senator Questions TSA Official About Adequacy of San Jose Airport's Security Review
Associated Press (04/30/14) Freking, Kevin

Sen. Barbara Boxer (D-Calif.) on Wednesday raised questions about the thoroughness of the Transportation Security Administration's security review of Mineta San Jose International Airport, which concluded that the airport's perimeter was in compliance with the agency's security requirements and that it had proper security systems in place. But just three weeks after that assessment was made, a 15-year-old was able to make it past the security barrier and stow away in the landing gear of a plane bound for Hawaii. TSA Administrator John Pistole responded to Boxer's remarks, which were made at a Senate hearing, by saying that having proper security systems in place does not guarantee that no one will be able to outwit security, as there is no such thing as a perfect security solution. An airport spokeswoman, Cheryl Marcell, commented that the airport is in compliance with all federal security regulations and standards, and that it is actively reviewing the incident. However, Marcell said it is still too early to discuss potential security changes.


Mission Creep: Homeland Security a ‘Runaway Train’
Albuquerque Business First (04/27/14) Coleman, Michael

The Department of Homeland Security (DHS) has over-expanded its mission in the more than 10 years since it was created, says former Homeland Security Secretary Tom Ridge and other critics. The statute that created DHS stated that the new department would mitigate the threat from terrorist attacks, prevent attacks from occurring, minimize the damage from successful attacks, and help with the response to any attacks that may occur. But now DHS is also questioning people suspected of pirating movies, working to get counterfeit merchandise off the market, and even helping local law enforcement with routine crimes such as street robberies, among other things. A Congressional Research Service report from last year, meanwhile, criticized DHS for not having a single definition for homeland security. These multiple definitions for homeland security, coupled with the numerous missions and a lack of prioritization, have had "consequences" for the nation's security, the report concluded. Other problems at the department include leadership positions that have gone unfilled and low morale, some say. In fact, an Office of Personnel Management report ranked DHS dead last in terms of morale in 2013. Critics say that many of these problems are unlikely to be fixed so long as DHS oversight remains scattered over so many different congressional committees.




Microsoft Patches Internet Explorer Bug for Windows XP
Telegraph.co.uk (05/02/14) Curtis, Sophie

Microsoft has issued patches to all Windows users, including those who use the unsupported Windows XP, for a vulnerability in Internet Explorer that could allow attackers to gain access to users' data. Adrienne Hall, the general manager of trustworthy computing at Microsoft, commented that the company decided to make an exception to its earlier decision to stop providing patches for XP after April 8, "based on the proximity to the end of support" for the operating system. Hall reiterated that, aside from this single exception, Microsoft will provide no further updates for XP. Hall also added that despite the release of the patch, Windows XP users should still consider upgrading to newer versions of the operating system as well as the newest version of Internet Explorer, which she said provide substantially more security for users than past versions.


Internet Security Researchers Use Heartbleed Bug to Target Hackers
Fox News (04/30/14)

Anti-malware researchers have been using the Heartbleed bug to gain access to online forums where hackers congregate, after discovering that many private, password-protected hacker forums were hosted on websites whose security technology had the Heartbleed flaw. Steven K, a French anti-malware researcher, said he was able to gain access to these sites by using specially written tools to target them, and that Heartbleed gave him access to everything on them. A computer security researcher for Sentor, Charlie Svensson, commented that this shows the seriousness of the Heartbleed flaw. Despite the seriousness of the flaw, a new poll released by the Pew Research Center found that while 39 percent of those surveyed have taken steps to protect themselves from the flaw, 36 percent of those surveyed had not heard about Heartbleed.


Researcher Says Traffic Control Systems Can Be Hacked
Help Net Security (04/30/14) Zorz, Zeljka

IOActive researcher Cesar Cerrudo says he has found a massive vulnerability in a system of sensors and controllers used to help manage traffic flow in most major U.S. cities. Sensys Networks VDS240 is a system of magnetic sensors buried under roadways and associated access points, repeaters, and controllers that gather data about traffic flow and use that data to alter traffic lights. Cerrudo found that the proprietary protocol used to transmit data from the sensors to the controllers is insecure, sending data and commands in unencrypted plain text. He says this means an attacker could monitor these communications and initiate their own, sending arbitrary commands and data and manipulating devices. Cerrudo does not think that attackers would be able to directly control traffic lights by exploiting the vulnerability, but they could trick controllers into thinking streets are clear when they are not, or vice versa, changing the instructions those controllers send to traffic signals. The sensors' firmware also is unsigned, meaning attackers could undermine the firmware and reconfigure sensors. Cerrudo says he was disappointed by the response after he contacted both Sensys and the U.S. Department of Homeland Security, noting that little is being done to address the issue.


'Triple Handshake' Bug Another Big Problem for TLS/SSL
ZDNet (04/28/14) Seltzer, Larry

Cybersecurity researchers warn that several implementations of SSL/TLS are vulnerable to what they are calling a triple handshake attack, a finding that is raising further doubts about the security of SSL/TLS just weeks after the disclosure of the Heartbleed vulnerability. The researchers say an attacker who manages to insert himself into a privileged position between two endpoints engaged in SSL/TLS communications could intercept and decode the encrypted traffic or inject malicious commands and data. An attacker can accomplish this by establishing two connections that share the same encryption keys and the same "handshake" used to initiate a connection. The attacker can then insert his data in one connection and renegotiate so that the connections are forwarded to one another. A number of SSL/TLS implementations and applications could be vulnerable to such an attack, including Internet Explorer. Fixes have already been made to Apple iOS, OS X, and Firefox. But some cybersecurity experts say SSL/TLS remains flawed even with the fixes, noting that major changes cannot be made so long as the protocol remains in use. The experts say that while a new, more secure version of SSL/TLS could be introduced, it could be very difficult to encourage users to adopt the new protocol.


Emergency Update for Apache Struts Fixes Incomplete Patch for Critical Flaw
IDG News Service (04/28/14) Constantin, Lucian

The Apache Software Foundation has released a new security update for the Apache Struts framework that offers greater protection from ClassLoader manipulation attacks than a previously released patch. The new patch fixes a flaw in the framework's CookieInterceptor functionality, which Apache says is otherwise vulnerable to a ClassLoader manipulation attack when it is set to accept all cookies. A patch released last month corrected a flaw in the framework's ParametersInterceptor feature that made it vulnerable to the same type of attack. Struts developer Rene Gielen says white- and grey-hat hackers have determined the vulnerability in the CookieInterceptor functionality could be used to carry out remote code execution in some environments. Struts users are being urged to protect themselves by applying the latest patch as soon as possible. Third-party products that use Struts also may need to be patched.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD
