
Friday, May 23, 2014

Security Management Weekly - May 23, 2014

Corporate Security
  1. "New NRF Survey: Retailers Report Average Loss $2.8 Million—Each—to ORC Last Year" National Retail Federation
  2. "Physically Securing Medical Equipment With Electronic Access Control"
  3. "Emergency Messaging Explained"
  4. "Senate Panel Confronts Backlog of Chemical Facility Security Plans"
  5. "Shoplifting Getting More Brazen, Violent"

Homeland Security
  1. "House Overwhelmingly Approves Bill to Curb NSA Domestic Spying"
  2. "U.S. Sends Troops to Chad to Hunt for Abducted Nigerian Girls"
  3. "Air Force Security Failed Nuke Test"
  4. "Strategy Shift on Terror Stalls"
  5. "Stream of al Qaeda Threats has U.S. Intelligence Concerned"

Cyber Security
  1. "U.S. Case Offers Glimpse Into China’s Hacker Army"
  2. "EBay Customers Must Reset Passwords After Major Hack"
  3. "U.S. Charges Five in Chinese Army With Hacking"
  4. "Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam"
  5. "Experts Fear Major Attack Only Way to Stir Corporate Action on Cyber Security"

New NRF Survey: Retailers Report Average Loss $2.8 Million—Each—to ORC Last Year
Security Director News (05/20/14) Canfield, Amy

The National Retail Federation's (NRF) 10th annual Organized Retail Crime (ORC) Survey has found that 88.2 percent of U.S. retailers were victims of organized retail crime in the past year, with the average loss per retailer estimated at $2.8 million. The victimization rate is down slightly from the 93.5 percent recorded the previous year. Seventy percent of retailers rank ORC as an "important or severe threat" to their businesses, said Rich Mellor, NRF's senior advisor for asset protection. Nearly 77 percent of retailers reported that thieves had returned stolen merchandise to obtain store credit, and nearly half said ORC had also affected their online operations. Mellor commented that the type of people involved in ORC has been changing: many "hardened criminals" now view ORC as a "low-risk, higher reward crime" following the introduction of elevated felony thresholds in many states. That trend has prompted retailers to train employees not to confront individuals involved in ORC and to leave the matter to law enforcement instead. The survey also found that 74.7 percent of respondents are spending money to combat ORC, some of it on additional staff and security technologies. Finally, the survey found that state ORC laws have reduced ORC rates, as the statutes tend to make offenders easier to prosecute and carry stricter punishments.


Physically Securing Medical Equipment With Electronic Access Control
Security Today (05/20/14) Spatig, Steve

Electronic access solutions can help healthcare providers improve the physical security of systems that store sensitive data while also helping them demonstrate compliance with the Health Insurance Portability and Accountability Act (HIPAA), writes Steve Spatig of the Electronic Access Solutions Strategic Business Unit at Southco. Such solutions can consist of a variety of access control devices, including biometric readers and keypads, and can be installed at the doors of rooms where sensitive IT systems are located or on electronically secured cabinets that contain patient information protected by HIPAA. One advantage of an electronic access solution, Spatig writes, is that it logs the credential used to gain access to an area or cabinet together with the time access was granted. This and other recorded information forms an audit trail that can be used to investigate a security breach should one occur, and the recorded events can also be monitored remotely. Another advantage is the technology's ability to integrate with existing security systems such as Internet Protocol (IP) cameras. Integrating with legacy access systems also lets employees open electronically secured areas and cabinets with the same credentials they use to enter other parts of the building.
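The audit trail described above is only useful if someone actually reviews it. The following is an added example, not code from the article or from Southco, of the kind of review a security team might run over an access-control export. The CSV layout, the reader and badge identifiers, the business-hours window and the ten-minute minimum transit time between buildings are all assumptions made for illustration; a real system's export format and site layout would differ.

```python
"""Review an electronic-access audit trail for three common anomalies:
after-hours access, a credential used in two buildings faster than a person
could walk between them (cloned or shared badge), and bursts of denied attempts.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail export (not a real vendor log). Readers, buildings
# and badge IDs are hypothetical.
AUDIT_CSV = """timestamp,badge_id,reader,building,result
2014-05-19T08:02:11,B1001,server-room-A,North,GRANTED
2014-05-19T08:05:40,B1001,records-cabinet-3,North,GRANTED
2014-05-19T12:30:02,B2002,server-room-A,North,GRANTED
2014-05-19T12:31:15,B2002,records-cabinet-7,South,GRANTED
2014-05-19T23:14:09,B3003,records-cabinet-3,North,GRANTED
2014-05-19T23:15:01,B4004,server-room-A,North,DENIED
2014-05-19T23:15:30,B4004,server-room-A,North,DENIED
2014-05-19T23:16:02,B4004,server-room-A,North,DENIED
"""

BUSINESS_HOURS = (6, 20)               # assumed: access expected 06:00-20:00
MIN_TRANSIT = timedelta(minutes=10)    # assumed minimum walk between buildings
DENIED_WINDOW = timedelta(minutes=10)  # window for counting denials
DENIED_THRESHOLD = 3                   # denials in that window that warrant a look


def load_events(csv_text):
    """Parse the export into dicts with a real datetime in 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def find_anomalies(events):
    """Return (rule, badge_id, detail) tuples for every anomaly found."""
    alerts = []
    by_badge = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_badge[ev["badge_id"]].append(ev)
        in_hours = BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]
        if ev["result"] == "GRANTED" and not in_hours:
            alerts.append(("after-hours-access", ev["badge_id"],
                           f"{ev['reader']} at {ev['ts'].isoformat()}"))

    for badge, evs in by_badge.items():
        # Consecutive grants in different buildings closer together than a person can move.
        granted = [e for e in evs if e["result"] == "GRANTED"]
        for prev, cur in zip(granted, granted[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["building"] != cur["building"] and gap < MIN_TRANSIT:
                alerts.append(("impossible-transit", badge,
                               f"{prev['building']} -> {cur['building']} in {gap.seconds}s"))
        # A run of denials against one reader: a lost badge being tried, or someone probing.
        denied = [e["ts"] for e in evs if e["result"] == "DENIED"]
        for i, start in enumerate(denied):
            window = [t for t in denied[i:] if t - start <= DENIED_WINDOW]
            if len(window) >= DENIED_THRESHOLD:
                alerts.append(("denied-burst", badge,
                               f"{len(window)} denials from {start.isoformat()}"))
                break
    return alerts


if __name__ == "__main__":
    for rule, badge, detail in find_anomalies(load_events(AUDIT_CSV)):
        print(f"{rule:20s} {badge}  {detail}")
```

On the constructed data this flags B3003 (cabinet opened at 23:14), B2002 (North and South buildings 73 seconds apart) and B4004 (three denials in about a minute). The thresholds are the part to tune per site; the point is that the log the vendor promises only becomes evidence when a rule like this reads it.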


Emergency Messaging Explained
Security Director News (05/19/14) Nacelewicz, Tess

The Fire Protection Research Foundation has created new guidelines to help building managers, emergency personnel and system designers craft effective messages for emergency communications systems (ECS). The foundation released the "Guidance Document: Emergency Communication Strategies for Buildings" in April, after the National Institute of Standards and Technology and the National Fire Protection Association (NFPA) 72 Technical Committee for Emergency Communications Systems identified a lack of guidance on emergency messaging. The document covers the design, planning, installation and use of ECS, as well as ways to test messages to ensure they are clearly understood and elicit appropriate reactions from building occupants. Sample messages for five emergency scenarios are included. The guidelines apply to both audible and visible messaging and recommend short, simple language and active, present-tense verbs. The foundation's report says more work is needed, including research into the optimal length of emergency messages and how frequently they should be repeated during an emergency. The foundation also hopes eventually to develop specific messaging requirements rather than the suggestions offered in the current guidelines.


Senate Panel Confronts Backlog of Chemical Facility Security Plans
Homeland Security Today (05/19/14) Vicinanzo, Amanda

At a recent Senate Committee on Homeland Security and Governmental Affairs hearing, the Department of Homeland Security (DHS) reported that it has taken steps to speed up its review of the approximately 3,120 chemical facility security plans submitted to the department under the Chemical Facility Anti-Terrorism Standards (CFATS) program. An April 2013 Government Accountability Office (GAO) report had estimated that, under the processes then in use, the reviews would take between seven and nine years to complete. Stephen Caldwell, director of homeland security and justice issues at GAO, said it is not yet known whether the new DHS efforts will significantly reduce the time needed to clear the backlog. Those efforts include pre-inspection calls to facilities to resolve technical issues beforehand, support for alternative security programs, revised online data collection tools, and an updated internal case management system. At the hearing, DHS Under Secretary for the National Protection and Programs Directorate Suzanne Spaulding requested long-term authorization of the CFATS program, noting that the funding hiatus in October 2013 caused several inspections to be cancelled and that the situation was made more confusing when the program's authorization expired on October 5, 2013. She suggested that a formal authorization of five years or longer would give chemical facilities an incentive to adhere to the regulations and would provide the stability needed for industry stakeholders to invest in CFATS.


Shoplifting Getting More Brazen, Violent
Indianapolis Star (05/18/14) Mack, Justin

Shoplifting appears to be on the rise, security experts say, and some also believe shoplifters are becoming more violent. Both the increase in thefts and the level of violence involved may be attributable to organized retail crime. Recent major thefts in Indiana include $45,000 in goods stolen from a Saks Fifth Avenue on March 24, a March 30 incident at a Body Gear store that ended in the shooting death of a man who tried to stop the shoplifter, and an April 21 theft at an Old Navy in which the suspects stuffed multiple items into their purses and shoved security guards out of the way as they fled. The women detained in that last incident were also found with more than $3,000 worth of items from Deb, Nordstrom Rack and Aeropostale. Some say Indiana is becoming a magnet for organized retail crime because it has not followed neighboring states in enacting tougher penalties for the crime. Violent shoplifting incidents are also rising nationwide: a 2013 National Retail Federation survey found that about 18 percent of shoplifting apprehensions led to some form of violence, up from an estimated 15 percent in 2012 and 13 percent in 2011. The NRF is calling on Congress to pass legislation that would make organized retail crime a federal offense and establish appropriate sentencing guidelines.


House Overwhelmingly Approves Bill to Curb NSA Domestic Spying
Los Angeles Times (CA) (05/23/14) Mascaro, Lisa

The House on Thursday approved the USA Freedom Act with overwhelming support from lawmakers in both parties. The bill would impose new limits on the National Security Agency's (NSA) bulk collection of telephone metadata by requiring the agency to obtain court approval to collect records on a case-by-case basis. The government would also have to narrow each request to a "specific selection" term approved by the courts established under the 1978 Foreign Intelligence Surveillance Act, though it could conduct searches for up to seven days without approval in an emergency. The bill includes new transparency provisions requiring that any deviation from the specific-selection practice that could permit bulk collection be reported to Congress within one day and to the public within 45 days. Some critics say the Obama administration weakened the bill's privacy protections, while others called it an important first step in surveillance reform. Both sponsors and critics have said they intend to add language to better prevent the NSA from continuing bulk collection of metadata. The bill now moves on to the Senate for consideration.


U.S. Sends Troops to Chad to Hunt for Abducted Nigerian Girls
Bloomberg Businessweek (05/22/14) Bala-Gbogbo, Elisha; Magnowski, Daniel

Eighty American soldiers have been sent to Chad to take part in the international effort to find and rescue the Nigerian schoolgirls kidnapped in April by Boko Haram. The soldiers "will support the operation of intelligence, surveillance, and reconnaissance aircraft in missions over northern Nigeria and the surrounding area." Several other countries are also providing intelligence and reconnaissance assistance to Nigerian authorities. The announcement of the deployment to Chad follows a series of attacks over the past two days that killed at least 155 people, including two bombings in the Nigerian city of Jos. No group has claimed responsibility for the Jos bombings, though Boko Haram is believed to be behind them. Nigerian President Goodluck Jonathan has deployed additional troops to three northeastern states heavily targeted by Boko Haram, and Nigerian lawmakers have granted a six-month extension of emergency rule in those states.


Air Force Security Failed Nuke Test
Associated Press (05/22/14) Burns, Robert

An internal Air Force review shows that the 341st Missile Wing at Malmstrom Air Force Base in Montana failed a safety and security test last August because it was unable to quickly regain control of a nuclear weapon captured during a simulated attack on one of the base's missile launch silos. According to a report on the drill, the security team failed because it did not take "all lawful actions necessary to immediately regain control" of the weapon. The report, obtained through a Freedom of Information Act request, does not specify which actions were omitted. The failure does not appear to be an isolated event: there have been several recent reports of lapses in leadership and training, as well as discipline and morale problems, in the Air Force's nuclear missile corps. When the August exercise was repeated two months later, however, no security weaknesses were found at Malmstrom. Defense Secretary Chuck Hagel has ordered two reviews of how the nation protects its nuclear weapons, both of which are underway.


Strategy Shift on Terror Stalls
Washington Post (05/22/14) DeYoung, Karen

Progress has been slow on the Obama administration's efforts to move toward a new counterterrorism strategy outlined by the president in a speech as well as a public policy document issued last year. The strategy, which is intended to take the country off what President Obama called the "perpetual wartime footing" it has been on since the Sept. 11 attacks, in part called for greater oversight of U.S. drone strikes against terrorists. Obama said during his speech that he was open to working with Congress to create a special court or independent oversight board to review drone strikes, though oversight of the attacks remains the same now as it did a year ago when the policy was outlined. The policy also called for the end of the CIA's involvement in drone strikes and for the military to have exclusive domain in carrying out the attacks in order to increase transparency of the drone program and allow the agency to focus on intelligence gathering. That proposal has run into resistance from lawmakers of both parties. In addition, the policy called for drone strikes to be carried out only against terrorists planning attacks on the U.S. or against Americans overseas, and only when officials were almost certain that drone strikes would not result in civilian deaths. Progress in implementing these proposals has been slow in part because of disagreements within the administration, the advent of new terrorism threats, and the need to deal with other issues that are seen as being more important.


Stream of al Qaeda Threats has U.S. Intelligence Concerned
CNN.com (05/21/14) Starr, Barbara

U.S. intelligence officials are concerned that al-Qaida terrorists based in Pakistan, members of Yemen-based al-Qaida in the Arabian Peninsula, and al-Qaida-allied militants who have fought in the Syrian civil war could be planning attacks on American and Western targets. The core al-Qaida group in Pakistan is believed to be deploying operatives against targets in the U.S. and American interests overseas, with locations in Europe among those thought to be threatened. The U.S. may respond with a drone strike against the American-born al-Qaida operative who uses the code name Abdullah al-Shami and is believed to be planning attacks from Pakistan; U.S. officials would not comment on whether such a strike is planned. Al-Qaida in the Arabian Peninsula, meanwhile, is believed to be focused on attacks inside Yemen, though the group is also thought to be interested in targets in the U.S. and Europe. Finally, officials are concerned that Americans who have fought in Syria may carry out attacks. Officials caution that none of the threats has been corroborated and that there are likely no al-Qaida cells operating in the U.S. at this point.


U.S. Case Offers Glimpse Into China’s Hacker Army
New York Times (05/23/14) Wong, Edward

Cybersecurity experts and an analysis of social media sites have shed some light on the Chinese Army's Unit 61398, five members of which were indicted by the Justice Department earlier this week for allegedly carrying out cyberattacks on major American companies to steal trade secrets. Members of Unit 61398, as well as members of several other hacking groups with direct ties to the Chinese military, sometimes carry out cyberattacks on behalf of state-owned and private companies to supplement their income. Attacks by members of China's People's Liberation Army may be directed at specific foreign companies to obtain information on particular critical technologies, says cybersecurity expert Adam Segal. Unit 61398 is believed to be only one of several Chinese hacking groups attacking a variety of targets: the cybersecurity firm FireEye says it knows of at least 25 active Chinese hacking groups, 22 of which carry out attacks on behalf of the Chinese government. Another such group, the Beijing Group, targets foreign companies and government agencies just as Unit 61398 does, partly through the use of malware. Cybersecurity expert Joe Stewart says the Beijing Group and Unit 61398 are collectively responsible for most of the roughly 300 known families of malware attributed to Chinese hacking groups.


EBay Customers Must Reset Passwords After Major Hack
CNNMoney (05/21/14) Pagliery, Jose

EBay revealed Wednesday that hackers broke into the company's systems two months ago and stole user information, including account passwords, customer names, birth dates, e-mail addresses, physical addresses, and phone numbers. The attack is believed to have been carried out by attackers who obtained the login credentials of "a small number" of eBay employees. The company first discovered that the credentials were stolen two weeks ago, and launched an investigation which determined the extent of the theft. Though eBay has said that all of the passwords were encrypted, it is encouraging its users to reset their passwords. No information was released on how many of the 148 million active eBay accounts were impacted, or of how many customers had their information stored in the affected database. EBay has said that there has been no identifiable increase in fraudulent activity occurring on the site as yet. The data breach did not impact eBay subsidiary PayPal, as its data is kept on a separate network.


U.S. Charges Five in Chinese Army With Hacking
Wall Street Journal (05/20/14) Barrett, Devlin; Gorman, Siobhan

Five officers in China's People's Liberation Army have been indicted by the Justice Department for allegedly carrying out cyberattacks against American companies and organizations as part of a corporate espionage operation. The attacks--which allegedly began in 2010 and continued through 2012--reportedly targeted major companies such as U.S. Steel, Westinghouse, and Alcoa, as well as the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union. All of the attacks were reportedly carried out in an attempt to steal trade secrets held by the targeted organizations. The attacks against Westinghouse, for example, were focused on obtaining information about the company's piping systems for nuclear power plants. The attackers who broke into Alcoa's systems stole thousands of e-mails sent and received by the company's executives, though Alcoa says no material information was compromised. Employee e-mail accounts at the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union were also reportedly broken into. Chinese officials have denied the allegations. Meanwhile, cybercriminals from other countries, including Russia and Iran, are also being investigated in connection with alleged cyberattacks against U.S. organizations.


Alleged Chinese Hacking: Alcoa Breach Relied on Simple Phishing Scam
Wall Street Journal (05/19/14) Yadron, Danny

The Chinese hackers who allegedly infiltrated Alcoa are believed to have used a simple phishing scam, according to the indictment in the case. The hackers reportedly sent e-mails to 19 Alcoa employees impersonating then-board member Carlos Ghosn. The e-mails claimed to include the agenda of a 2008 shareholders' meeting but actually carried malware that allowed the hackers to steal nearly 3,000 e-mails and 863 attachments. Mandiant chief Kevin Mandia observes that the simplicity of the scheme shows companies remain exposed to employees who do not think before opening an e-mail attachment. Mandia's own company was similarly targeted in 2012 by members of the Chinese army's Unit 61398, the unit whose officers were charged in the indictment. In that incident, the hackers created an e-mail address in Mandia's name at Rocketmail.com and sent a malicious message to his co-workers. "Shall we schedule a time to meet next week? We need to finalize the press release. Details click here," the e-mail said. Investigators and government officials say the Chinese army unit has used similar tactics against other U.S. companies, allegations that China's Foreign Ministry called "groundless" on Monday.
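Both lures described above share a pattern that a mail gateway can test for without any knowledge of the payload: a display name belonging to a real executive or board member, a sender address outside the company's domain (in the Mandiant case a consumer Rocketmail.com account), and a "click here" or attachment pretext. The following is an added example, not code from the article, the indictment or Mandiant, of such a check. The corporate domain, the executive roster, the free-mail list and the three sample messages are constructed for illustration; only the wording of the Mandiant lure is quoted from the article.

```python
"""Flag inbound mail whose display name impersonates a known executive
while the actual sender sits outside the corporate domain."""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumed corporate domain
EXECUTIVES = {"carlos ghosn", "kevin mandia"}     # hypothetical roster of protected names
FREEMAIL_DOMAINS = {"rocketmail.com", "yahoo.com", "gmail.com",
                    "hotmail.com", "outlook.com"}  # consumer providers used for lookalikes

# Constructed sample messages. Sample 0 reuses the lure text quoted in the article;
# the addresses and URL (203.0.113.10 is a documentation range) are made up.
SAMPLES = [
    "From: Kevin Mandia <kevin.mandia@rocketmail.com>\n"
    "Subject: press release\n\n"
    "Shall we schedule a time to meet next week? We need to finalize the press release. "
    "Details click here: http://203.0.113.10/release\n",

    'From: "Carlos Ghosn" <c.ghosn@example-board.com>\n'
    "Reply-To: agenda@mail.example.net\n"
    "Subject: 2008 shareholders' meeting agenda\n\n"
    "The agenda is attached.\n",

    "From: Kevin Mandia <kmandia@example.com>\n"
    "Subject: Q3 plan\n\n"
    "Draft attached; the tracker is at https://intranet.example.com/pr\n",
]


def _norm(name):
    """Lowercase a display name and strip quotes and punctuation for comparison."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _body_text(msg):
    """Collect text/plain content whether or not the message is multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyze(raw_message):
    """Return a list of finding tags for one RFC 822 message (empty list = clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    findings = []

    # Core check: a protected name on a message that did not come from our domain.
    if _norm(name) in EXECUTIVES and sender_domain != CORP_DOMAIN:
        findings.append("exec-name-external-domain")
    if sender_domain in FREEMAIL_DOMAINS:
        findings.append("freemail-sender")

    # Replies steered to a third domain are a common sign of a lookalike account.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append("reply-to-domain-mismatch")

    body = _body_text(msg)
    if re.search(r"click here", body, re.I) and re.search(r"https?://", body, re.I):
        findings.append("click-here-link-lure")
    if re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", body):
        findings.append("ip-literal-url")
    return findings


def is_suspicious(raw_message):
    return bool(analyze(raw_message))


if __name__ == "__main__":
    for i, sample in enumerate(SAMPLES):
        print(i, analyze(sample) or "clean")
```

Neither lure would pass: the Rocketmail message trips four checks and the board-member message two, while the genuine internal mail from the same executive name trips none. The roster lookup is deliberately on the normalized display name, since that is the field the recipient actually reads; a check on the address alone would miss exactly the attack the indictment describes.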


Experts Fear Major Attack Only Way to Stir Corporate Action on Cyber Security
Insurance Journal (05/19/14) Finkle, Jim; Selyukh, Alina; Chiacu, Doina; et al.

The number of cyber incidents that the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team responded to nearly doubled last year from 2012, yet critical infrastructure companies remain reluctant to spend the money needed to upgrade their aging equipment. Infrastructure consultants speaking at the recent Reuters Cybersecurity Summit in Washington questioned whether C-level executives understand the risks. "I fear that things won't change until there is a major attack and people are shocked into taking action," said Cylance CEO Stuart McClure. Digital Bond CEO Dale Peterson said the problem lies with programmable logic controllers, which are designed to follow every command they receive regardless of its impact. He warned that, because of this weakness, an attacker who gains access to a control system need only send malicious instructions to wreak havoc, such as causing an explosion at an energy facility. Experts also said the government should exert more pressure on critical infrastructure operators. "I don't want a major disaster being the driver that pushes us," said National Security Agency head Admiral Mike Rogers.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD

